Slashdot Mirror


Privacy Threat in New RFID Travel Cards?

DemolitionX9 writes to tell us ZDNet has an interesting article rehashing the problems with privacy in future RFID-equipped travel documents and ID. The piece focuses on a recent speech given by Jim Williams, director of the Department of Homeland Security's US-VISIT program. From the article: "Many of the privacy worries center on whether RFID tags--typically minuscule chips with an antenna a few inches long that can transmit a unique ID number--can be read from afar. If the range is a few inches, the privacy concerns are reduced. But at ranges of 30 feet, the tags could theoretically be read by hidden sensors alongside the road, in the mall or in the hands of criminals hoping to identify someone on the street by his or her ID number."


  1. yes, but.. by ShaniaTwain · · Score: 4, Funny

    ..think of how this will protect your FREEDOM! and LIBERTY!

    1. Re:yes, but.. by sgant · · Score: 2, Funny

      Jim Williams, director of the Department of Homeland Security

      Isn't this the guy that got busted as a pedophile?

      Ok, I know it isn't....but whenever I get the chance from now on, I'm going to do my part and belittle the Department of Homeland Security as much as I can. Hopefully distilling it into the joke that it is. I only wish I could get into press-conferences where they're speaking and ask that question. "Excuse me, were you the guy that was busted for being a pedophile"?

      If you couldn't tell, I'm a disillusioned American.

      --

      "Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
    2. Re:yes, but.. by uncoveror · · Score: 2, Insightful

      Yep, any terrorist with an RFID reader will be able to identify Americans to kill. It will give them a lot of freedom and liberty, me not so much.

      --
      The Uncoveror: It's the real news.
  2. Even if it was a few inches... by Gyga · · Score: 3, Insightful

    ...What is to stop someone from "accidentally" bumping into you with their scanner in their pocket?

    --
    I don't preview or spellcheck.
  3. Cheap thrills posted by bat020 by Philip+K+Dickhead · · Score: 2, Funny



    I did this today and it made me insanely happy for about 15 seconds.

    Find a BT landline phone. Send a text message to it reading "The time space continuum is about to collapse." Wait by the phone. A few seconds later it will ring - and Tom Baker will read your message out to you!

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  4. Re:practically speaking by dwandy · · Score: 5, Informative
    This is all very intriguing, but how exactly could someone exploit this RFID range to make my life worse
    Lots of ways, most immediately comes to mind:
    1. Capture your data.
    2. Encode to my chip.
    3. Now I'm you, I can:
      • Travel as you.
      • Commit various offences as you
      • Do whatever I want as you, and hell, the computer can't be wrong.
    4. (mandatory) PROFIT!
    But I'm sure more devious plots will come to other people's minds...
    --
    If you think imaginary property and real property are the same, when does your house become public domain?
  5. RFID triggered terrorist bombs by Bubba-T · · Score: 5, Insightful

    Set off a Bomb when person id code 46465456456489715678984 walks by

  6. Re:practically speaking by Nos. · · Score: 2, Insightful

    Imagine that these ids can be read from a distance. Now suppose a chain of stores, say some clothing stores, installs sensors and begins reading these tags. You sign up for their "monthly mailing list", and now they know who you are and what your unique ID is.

    After a trip, you get an email/letter saying, "Thanks for visiting our [exotic destination] location. We hope you enjoyed your trip". Okay, not terrible, but I don't really want clothing stores knowing where I take my vacations.

    Now, substitute that store with your employer, and your vacation destination with a labour lawyer. All of a sudden your employer knows you've been talking to a labour lawyer.

    There are definitely worse scenarios, if you let your imagination run a little

  7. Re:practically speaking by drinkypoo · · Score: 4, Insightful

    There is off the shelf hardware that will allow you to read RFID tags (with varying levels of reliability) from ranges in excess of thirty feet. A collection of RFID tags produces a sort of constellation even if they are not unique. For instance, the guy who has the bottle of scope mouthwash, the bag of fritos flamin' hot, and the #2 philips screwdriver at this intersection is probably the same guy who has the same stuff at the next intersection. This allows you to positively track someone based on checkpoints, even without a unique RFID like your passport will be. Furthermore, even if some of the tags don't scan properly, the percentage similarity can be compared from point to point and you can get a fairly positive match anyway.

    With Unique tags, then you don't need to go even that far, of course.

    If you cannot imagine why this is a bad thing, then truly, you should read 1984.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Re:practically speaking by Tackhead · · Score: 5, Insightful
    > This is all very intriguing, but how exactly could someone exploit this RFID range to make my life worse? I can only think of things that would make it better. Could someone explain less abstractly than "Didn't you read 1984?"

    "Ground Beef a L'amerique".

    Ingredients:

    1 Terrorist.
    1 RFID reader.
    1 Pringles can.
    1 Blasting cap.
    1 Pound of boom-boom stuff.

    Assemble recipe. Bake in broad daylight on side of road until American tour bus comes by.

  9. Re:practically speaking by Penguinoflight · · Score: 2, Insightful

    The condition that makes RFID tags in any capacity (not just long range ones) unsafe and irresponsible is the insecurity of identification systems in the government/big business system. As things are now, Social Security numbers and other forms of identification can be used against the holder to steal money from them. Credit card companies are getting worse and worse, and they are not held back by bought and paid for congress.

    RFID is bad because it makes the job of criminals much easier, and there has been no boost in security from other areas. There is another aspect of this which is slightly more controversial: prosecution based on RFID.

    The bottom line is, no machine will be as efficient and accurate at identifying what happens at a crime scene. With the use of RFID scanners you could "confirm" that John Doe was the man who broke into a jewelry shop... when in fact it was John h4x0r. Currently, the competency of courts when dealing with issues of advanced technology is a shame to the US, and with this kind of power of evidence things will only get worse.

    With these two major issues raised, I ask what advantages does having personal RFIDs bring to the table? The purposes that justify checking identification now are mostly childish, and wouldn't stop any truly purposed criminal. This question is just another one of those situations where benefit/loss is so bad that it begs the question of whose side its supporters are on.

    --
    "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
    1 John 4:14
  10. In other news ... by PatrickThomson · · Score: 2, Insightful

    In other news, walking around with a bizarre skin disorder that makes microscopic copies of your passport flake off and fall on the ground may be a risk to your identity.

    (I choose such an odd analogy because rfid readers are about as hard to obtain as microscopes. Not everyone will have one on them but it's not exactly mil-spec hardware)

    --
    I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
  11. Or RFID triggered government bombs by Anonymous Coward · · Score: 2, Insightful

    Person id code 46465456456489715678984 has very vocally expressed negative opinions about us, let's stage a little accident for him.

  12. I don't want to be tagged! by Bromskloss · · Score: 2, Funny

    Please hurry the development of space tech so I can move to another planet, should it be necessary.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  13. Terrorism applications by Animats · · Score: 3, Interesting
    RFID takes terrorism to the next level. The next step, of course, is the land mine that only blows up when someone from the US is near it.

    And yes, some terrorist groups do have the capability to build custom electronics. You can see examples of IRA custom circuit boards in the Imperial War Museum, London.

  14. Re:practically speaking by MojoRilla · · Score: 4, Informative

    How is this any different from someone stealing your passport now?

    RTFA.

    The 96 digit number would be a key into a database, which would "automatically display the cardholder's picture and other biographic information on the border agent's computer screen."

    The agent sees the person who is using the card doesn't match the stored information, and hauls you in.
    Finally, according to the TFA, "They're also exploring using a card that would have to be activated by the user, through a fingerprint or some other biometric method, before any information could be read remotely."

  15. No control by Billosaur · · Score: 5, Interesting
    Many of the privacy worries center on whether RFID tags--typically minuscule chips with an antenna a few inches long that can transmit a unique ID number--can be read from afar. If the range is a few inches, the privacy concerns are reduced. But at ranges of 30 feet, the tags could theoretically be read by hidden sensors alongside the road, in the mall or in the hands of criminals hoping to identify someone on the street by his or her ID number.

    Unless the Feds are going to come up with an air-tight encryption scheme, this is a recipe for disaster. This isn't like the EZPass I have on my car, which is only linked to my account and determines if I have enough to pay the toll. These chips will potentially carry a lot of personal and very useful information, especially if you're a crook looking to use somebody's id to get across the border or to create fake identity documents for sale.

    Frankly, this whole idea is mainly a panacea. If it works, the bad guys will simply sneak across the thousands of miles of undefended and unmonitored border we have in the US. Others will start turning innocent people into mules by swiping their identities and using them to get things across. Instead of making the borders of this nation more secure, the government is creating even more insidious ways for someone to come into this country. I think it's time to go back to the drawing board.

    --
    GetOuttaMySpace - The Anti-Social Network
  16. What about more powerful scanners by Onymous+Hero · · Score: 2, Interesting

    Could more powerful or modified scanners be used to read the RFID chips only designed to be read from a short distance?

    IANARFIDE (I Am Not An RFID Engineer) ;)

  17. Devil's advocate - switch the antenna by Weaselmancer · · Score: 5, Insightful

    Why not put a switch in the antenna's path? To use the card, you have to push a contact button to turn it on? That would stop passive scanning, right?

    --
    Weaselmancer
    rediculous.
    1. Re:Devil's advocate - switch the antenna by Em+Ellel · · Score: 3, Informative

      This is perhaps the most reasonable approach to RFID technology that I have read on slashdot. A simple idea to combat a complex problem. Thank you, you've made my day.

      One of the more interesting suggestions in the article is to make the document into a book-style (like passport) and make the cover from RF blocking material - meaning you have to open the "book" to be scanned.

      --
      RelevantElephants: A Somatic WebComic...
  18. A boon for terrorists by hpa · · Score: 2, Insightful

    The U.S. gov't will start issuing RFID-equipped passports this fall. How long until we see the first U.S.-citizen-triggered bomb?

  19. I'm not sure if this applies But What About.. by u16084 · · Score: 3, Interesting

    Mastercard and their PAYPASS cards? https://mbe2stl101.mastercard.net/hsm2stl101/public/login/ebusiness/mobile_commerce/paypass/index.jsp/ It's RF also .. The range is about 2 inches... I'm able to pull up to a gas pump, swipe my wallet next to the scanner and off I go. Here's the documentation on their stuff: https://mbe2stl101.mastercard.net/hsm2stl101/public/login/ebusiness/mobile_commerce/paypass/documentation/index.jsp/

    --
    -- I Dont Deserve A Sig I Have Bad Karma
  20. Blue sniper by Spy+der+Mann · · Score: 3, Informative

    Remember this gadget?

    Who says there won't be a RFID-Sniper in the future?

  21. Re:Perhaps... by Waffle+Iron · · Score: 2, Informative
    I mean, how useful would it be to you to have a list of all the social security numbers of everyone in a baseball stadium if you didn't have any of the names?

    If RFID cards become pervasive, a gray market in matching serial numbers to real IDs will pop up just like there's currently a market among spammers for e-mail addresses. Any unscrupulous merchant with an RFID reader could harvest positive IDs from their customers at the checkout counter.

    The key difference with SSNs is that you can't read them remotely from everyone who walks by.

  22. Re:practically speaking by dwandy · · Score: 2, Interesting
    Maybe it is no different than today's threats, just new; "Why add another way to get hijacked?" should be the real question asked here, not "How is this different?". And if you believe that just because it's just a number you're safe, you just haven't thought it all the way through. From 30-ft, a disguise doesn't have to be perfect. And if you start by picking someone who looks somewhat like you, you can pretty much move around as them.

    So, imho, it is different due to the perceived infallibility of computer reports (which is a joke, since all those same people who claim it must be true 'cause the computer said so, also say their computer crashes all the time)
    So I guess where I'm going with this is that if I can forge your chip, I can then move about leaving *your* electronic trail behind. Then when something goes bad the cops show up at your house, not mine.
    I guess it's kinda like being able to scan and replicate your DNA from 30 ft. If I can then leave it somewhere you *will* be convicted...they won't even talk to me: I wasn't there.

    --
    If you think imaginary property and real property are the same, when does your house become public domain?
  23. Clear up some of the FUD by Anonymous Coward · · Score: 5, Informative

    Let's clear a few things up, because there is a little FUD here... IANAL, but I am in the RFID business for commercial use (inventory management and the like)

    1. RFID tags come in a HUGE variety of types. You have to choose the right tag for the job. For example, is the item liquid? Is it metal? Is it a large crate? A small one? Etc. My guess is for a passport, the RFID tag would be a very short range (2-3" read type).

    2. There are active (like those attached to your toll tags, or to large pallets & containers). These have batteries in them. A passport won't have a battery in it.

    3. There are passive tags. These get charged by the antenna, that makes the circuit work. Think crystal radio here... same sort of concept. It charges the circuit, then the reader reads the tag.

    4. The tags generally (although they can) carry only a serial or lookup number. NOT specific information. The more info, the more expensive the tag. Some newer tags CAN carry things (like product expiration dates, inventory dates, etc.)

    5. There are tags that can be both programmed and are read only. Depends on the type of tag. Both active and passive tags can do this. This means the reader can also program the tag.

    6. Readers are NOT hard to get. It's a commercial device. However, in most cases, the reader is specific to the tag type. There are SOME standards coming out now with the gen2 tags, but they are not in wide deployment. The readers are NOT CHEAP.

    So, here's my guess of what they would (or SHOULD) do:

    --very short range passive tag (would require the passport to nearly touch the reader)
    --Read only tag
    --Tag would only contain some sort of authentication string that would be read, decrypted, and authenticated to see if passport is real.
    --Tag would contain some sort of lookup string, which would be read, then queried on the backend systems to make sure the tag matches what's on the passport.

    ALL this can be done with protection of privacy, IF DONE RIGHT! It's being done today, specifically in the pharma industry.

    1. Re:Clear up some of the FUD by PowerKe · · Score: 3, Informative

      ALL this can be done with protection of privacy

      True, if you mean by privacy that someone else can't read your data without access to the database. However, the problem is that someone can still copy your RFID tag and write new data about you in the database. For example with this passport someone could cross the border with a copy of your RFID, marking you as being out of the country.

      You could make this harder by using active tags that use a private key to sign messages but don't reveal the private key itself. However, you could still impersonate someone if you work together with a partner in proximity of the victim and you proxy the signal. A way to defend against that would be very strict timings in the reader, but this would probably make the RFID tag too expensive as well. (If you allow 1 millisecond variation in response time, you could proxy the signal 150 km)

      It might be possible to do it right, but it probably won't be done.
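
The reader-side check PowerKe describes above (keyed challenge-response plus a strict limit on reply time to reject proxied signals), as an added Python example that is not part of the original thread. HMAC with a shared key stands in for the private-key signature, and every class name, timing value and the simulated elapsed time are assumptions made for illustration.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light in m/s


def max_relay_distance_m(slack_s):
    """Farthest one-way distance a proxy can hide inside `slack_s` seconds
    of timing tolerance (the signal has to travel there and back)."""
    return C * slack_s / 2.0


class Tag:
    """Constructed tag model: proves knowledge of a key without revealing it."""

    def __init__(self, key, processing_s=50e-6):
        self.key = key
        self.processing_s = processing_s  # assumed fixed computation time

    def respond(self, nonce):
        mac = hmac.new(self.key, nonce, hashlib.sha256).digest()
        # Returns the answer and the (simulated) time it took to arrive.
        return mac, self.processing_s


class Relay:
    """Models a proxied signal: the genuine tag answers, but from far away."""

    def __init__(self, tag, distance_m):
        self.tag = tag
        self.distance_m = distance_m

    def respond(self, nonce):
        mac, elapsed = self.tag.respond(nonce)
        return mac, elapsed + 2 * self.distance_m / C


class Reader:
    """Accepts a tag only if the MAC is right AND the reply came fast enough."""

    def __init__(self, key, expected_processing_s=50e-6,
                 max_range_m=0.1, slack_s=1e-6):
        self.key = key
        self.expected_processing_s = expected_processing_s
        self.max_range_m = max_range_m
        self.slack_s = slack_s

    def authenticate(self, responder):
        nonce = os.urandom(16)  # fresh challenge defeats simple replay
        # A real reader would measure elapsed time with a hardware timer;
        # here the responder reports a simulated value.
        mac, elapsed = responder.respond(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "bad-mac"       # copied ID number without the key
        budget = (self.expected_processing_s
                  + 2 * self.max_range_m / C + self.slack_s)
        if elapsed > budget:
            return "too-slow"      # correct answer, but from too far away
        return "ok"


def run_demo():
    key = os.urandom(32)
    tag = Tag(key)
    strict = Reader(key, slack_s=1e-6)   # 1 microsecond of tolerance
    loose = Reader(key, slack_s=1e-3)    # the 1 ms tolerance from the comment
    return {
        "genuine tag, strict reader": strict.authenticate(tag),
        "clone without key": strict.authenticate(Tag(os.urandom(32))),
        "relay 1 km, strict reader": strict.authenticate(Relay(tag, 1_000)),
        "relay 100 km, loose reader": loose.authenticate(Relay(tag, 100_000)),
        "1 ms slack hides (km)": round(max_relay_distance_m(1e-3) / 1000),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The 1 ms tolerance lets a proxied reply from 100 km away pass, while a 1 microsecond tolerance rejects one from 1 km; the cost is that the tag's own processing time must be predictable to well under that tolerance.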

  24. defcon 2005 by farker+haiku · · Score: 4, Informative

    At defcon 2005 some guys set a record for reading passive tags at 69 feet. With pics :)

    --
    Your sig(k) has been stolen. There is a puff of smoke!
  25. Re:practically speaking by PowerKe · · Score: 5, Insightful

    How is this any different from someone stealing your passport now?

    Because it's not even necessary to steal your passport, it's not even necessary to touch it. You can walk past someone at 25 feet and copy it. If you have an ordinary passport and keep it in a safe place all the time you can be pretty sure no one takes it without you knowing and if they steal it, you might notice it's missing.

    Besides, if the RFID card is designed to be readable at 25 feet, it's probably possible to do so at a much longer distance using special equipment.

  26. Re:practically speaking by jim_v2000 · · Score: 2, Interesting

    Lots of ways, most immediately comes to mind:

          1. Capture your data.
          2. Encode to my chip.
          3. Now I'm you, I can:
                        * Travel as you.
                        * Commit various offences as you
                        * Do whatever I want as you, and hell, the computer can't be wrong.
          4. (mandatory) PROFIT!


    Kinda like when an illegal alien decides to use a stolen SSN?

    (I was buying a car last week and two Hispanic gentlemen were attempting to finance a truck, and I overheard the lady doing the loan paper say something about how the SSN had been used on another account with different info already.)

    --
    Don't take life so seriously. No one makes it out alive.
  27. Sniffer by J05H · · Score: 2, Interesting

    One potential threat for American travellers carrying this kind of chip is a sniffer weapon. The hi-tech version is an RFID sensitive smart missile and the dumber version is an IED in Cairo that sits and waits for Joe Sixpack to walk by. If you think I'm full of it, the Russians used a cell-phone sniffing missile to kill a Chechen general. For US RFID passports in other countries, all the munition needs to do is detect the chip's presence.

    I want my "papers" to stay paper, please. Bar code them or whatever, but don't deliberately make it prone to identity theft, hacking or IEDs.

    Josh

    --
    gigantino.tv - Heavy but weighs nothing.
  28. Re:Lay off the Philip K Dick. by rossifer · · Score: 2, Interesting

    You'd also have to have the same finger prints and iris geometry...and that isn't on the card.

    You didn't RTFA. The whole point of this card is so that people don't have to open their car windows or slow down at border crossings because the current border crossings interfere with commerce.

    When cars are moving past the checkpoint at 30-60mph, which of the machines there are going to check finger prints and iris geometry again?

    Regards,
    Ross

  29. If you've done nothing wrong... by Muzungo · · Score: 2, Insightful

    If you've done nothing wrong you have nothing to fear. This wonderful new technology will enable us, your benign and caring government, to protect you from identity theft/terrorists/child molesters. Unfortunately, it's not really effective if those pesky terrorists/id thieves/child molesters can simply choose not to carry any RFID tags.. so of course you won't mind if we embed this RFID tag in your baby's cranium while it's still soft? It's for your protection.

  30. Re:I don't get it! by scronline · · Score: 2, Interesting

    Security and convenience don't exist in the same sentence or device. You can't have one without the other.

    I don't see the difference with long lasting...a chip is a chip. For that matter, why can't a magnetic strip be used since it's supposedly just holding a unique number that is used to contact a database anyway?

    So you're going to tell me that a radio signal is more reliable than a direct connect? I want some of what you're smoking.

  31. Re:practically speaking by tarkas · · Score: 2, Interesting

    Perhaps we're asking the wrong questions. The various faults of remotely read RFID-like devices used as ID's have been beaten like a dead horse over the last few months; RFIDs are sorely wanting. If the intent is only to provide a mechanism to ease border crossings; even it's pretty iffy - there are too many competing methods that are more secure, and less expensive to implement.

    If, however, your goal is not to provide a fool-proof form of Passport, but rather to normalize the use of a remotely (and covertly) polled identification device in the general population, then it works well. Regardless of their potential usefulness and the presumably good intentions of the developers, they are the perfect tool of an authoritarian government. As such, we use them at our peril; it doesn't require much imagination to think of ways such things could be used to monitor and shape the behaviour of a given citizenry. And no this is not anti-GOP rant. In this case the party lines are more like the incumbents vs. the rest of us.

    DMV agent: Oho, it appears you were in close proximity to a known radical several times last year. It also looks like you were in a bookstore looking at political titles no less than 20 times! Your travel license (ex-drivers license?) is now restricted to areas that are safer, to protect you from dangerous ideas. Deviations will be noted. Anomalous sequencing of scans will be noted. (Ain't computers grand?) Anomalous lack of registrations will be noted (foil pockets - forbidden). We have to keep a look out for dangerous people seeking to harm the American People's children!

  32. Re:Lay off the Philip K Dick. by idontgno · · Score: 2, Funny
    When cars are moving past the checkpoint at 30-60mph, which of the machines there are going to check finger prints and iris geometry again?

    I'm guessing it'll be like a toll booth change bucket; just toss your finger and your eyeball into the basket and you're off!

    How you detach those components and grow them back later is your problem.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  33. Re:Lay off the Philip K Dick. by Ced_Ex · · Score: 2, Funny

    Nearly everyone (who was white) was waved through. Canadian border was just as bad. Oddly, it was quite an ordeal to get into Canada, but coming back they just waved me through.

    I've always had the situation when going into the US, they ask if I have any fresh fruit/vegetables or meats to declare. However, when I go into Canada, I'm always asked if I have any firearms or weapons to declare.

    --
    Live forever, or die trying.
  34. Re:I want a RFID reader by Foobar+of+Borg · · Score: 3, Funny
    I'd love to see who is coming and going in and out of whatever building I'm in - and make a database of people of interest so my wearable computer could page me whenever one's around.

    This ability would make it well worth these RFID ids being mandated.

    Or, as the pedophile official in DHS might say, "Think of the children, 'cause I sure do!"

  35. That's Six Inches???!!! by Stephen+Samuel · · Score: 2, Interesting
    The DHS, put out a Request For Information (RFI) looking for someone who had the technology to read ID tags from 25 feet away at 55MPH... Through the skin of a bus... All the passengers at once.

    They seem to suggest that they only want it so that they can identify people stopped at border checkpoints.

    --
    Free Software: Like love, it grows best when given away.
  36. Even the Homeland Security site says 100 feet... by SmoothTom · · Score: 2, Informative
    The Homeland Security site, in the section that discusses the testing of the current RFID equipped '94's, suggests reading the info contained in the chips from up to 100 feet away on a regular basis:

    * US VISIT intends to build upon the technologies and management systems previously employed for entry in order to realize an automated entry exit process. RFID technology offers a solution for a potentially faster, biometrically enhanced entry exit operation.

    * Using an automatic identifier, RFID technology can detect a visitor at a distance (up to 100 feet) and provide primary inspection with entry information. RFID technology can also provide a mechanism for an accurate and timely record of exits without requiring visitors to interrupt their travels by stopping or even slowing down to check out.
    ...
    * US VISIT will ensure that our visitors' information is always protected. The RFID technology used by US VISIT will protect sensitive information because it will read only a randomly-generated number that links to visitors' information stored securely in a database. It will also be tamper proof and difficult to counterfeit or surreptitiously read.

    (From a Homeland Security Press Release.)

    Not only that, this is discussing doing that while the RFID equipped form is in the possession of the person in a moving car...

    A couple of inches? Yeah, right.

    --
    Tomas

  37. Talk about marking yourself with a bullseye .... by Gorshkov · · Score: 2, Interesting

    From the article:
    RFID chips are already going to appear in U.S. passports starting in October 2006, the Bush administration ruled last October.

    a) That's gonna seriously screw up some american tourist's habit of wearing maple leaf emblems on their clothing/backpacks so they can claim to be Canadian.

    b) Congrats - you just enabled every wanna-be terrorist to be able to track down and find an american in any crowd. Gonna make it much easier to figure out which foreign tourists you want to kidnap, don't you think?