Saturday, January 19, 2008

Footnote to the preceding

Updated Something I wanted to include but which didn't comfortably fit. RFID (Radio Frequency ID) chips, known as "tags," are tiny computer chips containing information about whatever it is they're attached to. There are two sorts: One is a passive kind that reacts to a scanner by emitting its information, using power provided by the scanning beam. The active, or "always-on," type has its own power source and broadcasts the information, enabling the scanner to be further away.

All US passports issued after January 1, 2008 contain always-on RFID chips. These chips contain information about you and what's on your passport. A few years ago, when this was first being pushed, I quoted security expert Bruce Schneier, who wrote:
Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily--and surreptitiously--pick Americans or nationals of other participating countries out of a crowd.

In tests, RFID chips have been read by receivers 20 meters away.
What's more, as the folks at Ars Technica noted back in March 2006, contrary to the prevailing assumption, the chips are potentially vulnerable to viruses. A research team had developed a method which used a maliciously-designed tag, which infected a scanner that read it. The scanner then infects other tags.

So whether the use of such chips in passports is an outgrowth of a sinister Big Brother plan or simple incompetence intended to make it easier for a customs agent to read a passport's RFID without having to bother making sure it's close to the scanner, this still seems like a really, really bad idea.

Fortunately, the tags being used in passports are an improvement over those originally proposed: The info on the tag is encrypted and because of shielding, the tag can't be read if the passport is closed. While that reduces the risk of your information being stolen, it does not eliminate it and in fact undermines the very basis for the tags as opposed to a smart-card system, where there is direct contact between the tag and the reader (as, for example, when you swipe a credit card): The tags were supposed to speed processing by allowing passports to just be waved at a scanner, but if each passport now must be individually opened and the data decrypted, it's hard to see the gain.

If broadcasting your personal info disturbs you, there is something you can do about it, says Wired from a year ago:
1) RFID-tagged passports have a distinctive logo on the front cover; the chip is embedded in the back.

2) Sorry, “accidentally” leaving your passport in the jeans you just put in the washer won’t work. You’re more likely to ruin the passport itself than the chip.

3) Forget about nuking it in the microwave – the chip could burst into flames, leaving telltale scorch marks. Besides, have you ever smelled burnt passport?

4) The best approach? Hammer time. Hitting the chip with a blunt, hard object should disable it. A nonworking RFID doesn’t invalidate the passport, so you can still use it.
On the other hand, messing with a passport carries a penalty of up to 25 years in prison. If you find that a deterrent, a better choice might be to investigate the RFID Guardian Project, which is working on a system where the tags wouldn't work unless turned on by the passport holder. You might also want to check out the Electronic Privacy Information Center (EPIC) and its page on RFID to keep up with news about the wider privacy implications of RFIDs as used by the government and, much more widely, by private corporations.

Updated to correct numerous typos, grammatical errors, and unclear passages. It seems I was a lot more tired than I realized when I wrote this.

No comments:

// I Support The Occupy Movement : banner and script by @jeffcouturer / (v1.2) document.write('
I support the OCCUPY movement
');function occupySwap(whichState){if(whichState==1){document.getElementById('occupyimg').src=""}else{document.getElementById('occupyimg').src=""}} document.write('');