Today is Comment Deadline for RFID-Chip Passports

An anonymous reader writes "Today is the deadline for submitting comments to the State Department concerning the use of RFID chips in passports. These devices would store in digital form all the information currently on a passport as well as a digital copy of the passport picture. This information could then be read by an RFID reader presumably being operated by port of entry personnel. However, these devices could feasibly be read by anyone, including those with malicious intent. The use of RFID chips in passports is a bad idea for many more reasons than can be listed here. If you haven't yet, send your comments to the State Department. You can email them directly at PassportRules@state.gov with the subject 'RIN 1400-AB93' or go to rfidkills.com for more information and an online submittal form. ... It's also being covered on Wired." Here's the proposed rule itself (PDF).

Re:Why must they emit?

[0x461FAB0BD7D2]

Exactly. We have something like that in Hong Kong already: Smart Identity Card

It is an identity card, on a MULTOS 4.06 operating system that supports the ISO7816 standard.

An RFID-based system is not much more useful than a Smart card.

Re:How to kill your passport & other questions

[j-turkey]

Supposedly, putting an RFID tag in a microwave will kill it (make it no longer workable). This is an easy fix for those who don't want people nearby to read their passport info.

According to the proposal:

Damaged, Defective or Otherwise Nonfunctioning Electronic Chip

Section 51.6 of Title 22, Code of Federal Regulations (CFR), governs the validity of damaged United States passports. This rule would amend 51.6 by adding new language providing that a damaged, defective, or otherwise nonfunctioning electronic chip may be grounds for invalidating a United States passport. A passport with an intact data page but a nonfunctioning electronic chip would still be used as a travel document. However, detected attempts to alter chip data or to substitute a different electronic chip would result in invalidation.

That sort of answers a few of your questions (although it's sort of an ambigous answer -- disabling the RFID is grounds for invalidation, but you can travel without the RFID? I don't get it). Have you submitted your comments yet?

Re:How to kill your passport & other questions

[swillden]

Note that these are just my guesses, but I work with smart cards (contact and contactless) for a living, so they're fairly educated guesses.

What do I gain, as a passport user, by having mine working?

In the abstract, you gain higher assurance that no one is using a forged passport in your name, and that no one who finds your passport can pretend to be you (by grafting their own photo onto it, for example). In theory the higher assurance that passports are not forgeable and are more tightly bound to their legitimate owners also provides some measure of additional security (that's a pretty tenuous theory, though, just loaded with handwaving).

Keep in mind, though, that the real point isn't to benefit you, the point is to benefit customs and immigration officials.

From a practical perspective, turn your question around: What will it cost you if your chip isn't working? You'll go into the "exception" process for greater scrutiny. That's why you'll want your chip to be working.

What prevents someone from putting a fake RFID tag in/on my passport, thus making it seem like I'm engaging in high-tech forgery?

Depends on how the passport is implemented (note that this is *not* an RFID tag we're talking about, it's a contactless smart card -- there's a big difference). If proper security is implemented, then the fake will be obviously a fake. It will probably interfere with the operation of the real chip, so you'll get pulled aside, your passport will be examined closely and you'll get to answer some questions. Unless there's something else wrong, it'll end there, as far as you're concerned. They'll want to look into who did that to your passport.

What benefits come from an RFID-based reading of the thing, vs. some kind of contact-based smart card that clearly shows when it's being read (you have to make physical contact with the device)?

See my post here

What's to stop the authorities from putting RFID readers throughout the airport and tracking where specific people walk?

Depends on the passport design. Some nations are considering putting electromagnetic shielding in the passport covers so that the chip can only be activated when the booklet is open. Beyond that, range is a serious problem. The chips are powered by the reader, so the power delivered drops off with the cube of distance, both ways. Even if you make a boosted reader (with a directional antenna) that can power a chip at long range, the chip will still transmit at very low power -- low enough that beyond a couple of feet it will be nigh impossible to pick the transmissions out of the background. The nominal operating range of these devices is about 1 cm. You can extend that by one order of magnitude, fairly easily, especially if you don't need high reliability, but wo orders of magnitude gets to be really, really hard. I'm not an EM guy, but this is what I'm told by people who are deeply into this stuff.

Why not put rfid tags on boarding passes instead, so that to go from the counter to the plane you have to walk past numerous RFID readers and it keeps track that you didn't miss a checkpoint, etc.

With real RFIDs, rather than contactless smart cards, you could do that. They require less power to activate and transmit stronger signals, so that they can be used at longer ranges. They don't have the cryptographic capabities, though, or the volume of storage required for this passport application.

Won't my address and phone number be on this? What if I'm a single female concerned with personal security? Some schmo could stalk an airport, find me, strike up a conversation, and then get home before me since they know I'm not home?

Again, depends on the security model implemented. The schmoe in question would have to get his reader within a few inches of your passport, your passport would have to be unshielded, and you