RFID passports

Thanks, Edward, any guess what we will have to pay for (the privilege of
being globally tracked by these) new passports?

CC

================================================== ========

On Sun, 30 Oct 2005 17:14:53 -0000, Edward Hasbrouck wrote:

[Originally posted elsewhere, but I thought it
would also be of interest to this group.
Feedback welcomed here or in my blog. FWIW,
Norway this month began issuing _unencrypted_
RFID passports, so it isn't _just_ the USA.]

This column with links:
http://hasbrouck.org/blog/archives/000869.html

===============================================

Just when the families on the reality-TV show about
travel around the world, "The Amazing Race 8", finally
left the USA in tonight's episode, the USA Department
of State today took the latest in its recent series of
regulatory actions to make it more difficult for other
families like them to take that first step across the
borders of the USA, and less likely that they ever
will.

Under a final rule published today (70 Federal
Register 61553-61555) and effective immediately,
secretly and remotely readable RFID chips will be
embedded in all USA passports:

[T]he first issuance to the American traveling
public [is] slated for early 2006. By October
2006, all U.S. passports, with the exception
of a small number of emergency passports
issued
by U.S. embassies or consulates, will be
electronic passports.

The Passport Office's attempt to sell its critics on
the "e-passport" scheme was an unsuccessful fiasco ,
and public comments on the proposal were
overwhelmingly negative:

We received a total of 2,335 comments on the
introduction of the electronic passport....
Specifically, concerns focused as follows:
2019
comments listed security and/or privacy; 171
listed general objections to use of the data
chip and/or the use of RFID; 85 listed general
objections to use of the electronic passport;
52 listed general technology concerns; and 8
listed religious concerns. Overall,
approximately 1% of the comments were
positive,
98.5% were negative, and .5% were neither
negative nor positive.

As had been rumored (leaked?) over the summer, the
State Department has made some changed to its original
plan. Most of the data on the RFID chip in the
passport (except, crucially, a fixed globally unique
serial number) will be encrypted to reduce the risk of
identity theft or passport cloning, and "anti-skimming
material" (presumably a layer of metal foil or mesh)
will be laminated into the passport cover to reduce
the risk of surreptitious reading (except, crucially,
whenever the passport is opened for even the briefest
and most cursory visual inspection).

Those changes might be sufficient to assuage those
people whose primary concerns were about the ways RFID
passports would facilitate identity theft, fraud,
terrorism, passport forgery, smuggling, and other
crimes.

But as I've previously reported, those changes fail to
address the use of RFID passports for commercial and
government surveillance: transaction and position
logging, data aggregation, and data mining.

Each RFID chip has to broadcast a unique
identification number, in the clear (unencrypted), in
response to a query from any reader. (Readers are
cheap and widely available, and will get cheaper.)
This number is used to initiate communications with
the reader, and to manage "collisions" if multiple
chips are within range of, and replying to, the same
(or another) reader.

The single change to the RFID passport plan that would
make the most difference -- dramatically reducing the
usability of RFID passports for commercial or
government surveillance , while having no effect at
all on their use for security purposes -- would be to
have the chips to generate and use a different random
collision avoidance and session initiation ID in
response to each reader query, instead of a serial
number fixed for the life of the chip and the
passport.

(Under another part of the RFID passport regulations
finalized last month, you'll have to get your passport
replaced if the RFID chip fails -- at your expense, if
you have deliberately disabled the chip.)

As I understand it, there is no technical obstacle to
using a dynamic, random (or at past pseudo-random)
session ID. The only reason to use a static serial
number, as the USA has deliberately chosen to do, is
to facilitate the use of RFID passports as part of the
travel panopticon of surveillance.

If the regulations published today are put into effect
without further change (as they likely will be unless
they are successfully challenged in court), the serial
number of the RFID chip in your passport will become
the international analogue of your Social Security
account number: the globally unique personal
identification number through which every transaction
or event with which it is linked can be positively
correlated and compiled into a personal travel history
maintained by government(s), or added to the
multi-purpose dossier and profile maintained by data
aggregators like Choicepoint and Acxiom (and available
to anyone willing to pay for it, or to the USA
government under the USA Patriot Act provisions for
secret demands for commercial records).

The government's plans were set back a year by massive
public protest, but this time I think the proposed
schedule for beginning to issue at least some RFID
passports is real. Barring a successful lawsuit, after
the start of 2006, you won't be able to tell when you
apply for a new passport whether it will be one of the
first ones with an RFID chip.

All you can do to protect yourself is to get a new
passport now that will remain valid for the next 10
years. (There's no plan to invalidate existing
non-RFID passports until they expire.) You can apply
for a new or replacement passport at any time, for any
reason, even if your current passport still has
several years of validity.

Given that the use as a session initiation and
collision avoidance key of a serial number fixed for
the life of the chip does not even arguably serve any
security purpose, the only reason for the government's
choice is to facilitate surveillance. And border
guards will be able (regardless of which type of
session ID is used) to capture and decrypt the
entirety of the personal data on the passport and the
chip, including a digital photo. So the only possible
reason not to use a different ID number for each
"reading" of the chip is to facilitate use of the
fixed ID number by entities other than governments, at
places other than borders. In other words, this part
of the scheme is being forced on us by the USA
government solely to make it possible for data
aggregators and data miners to track our movements and
activities, for their profit. And we'll be required to
bear the cost through increased passport fees.

Why would the State Department go out of its way to
give businesses a tool for tracking and compiling
dossiers about us? Presumably, the government hoped
that doing this would get the "buy-in" of the travel
industry (and perhaps) others) for the RFID passport
plan. It will probably work: the travel industry is
eager for "location-based" marketing data and customer
profiling as well as business process automation, and
this will enable commercial users of RFID passport
data to blame the government, instead of having to
justify their data demands to their customers.

Already, casinos use RFID frequent gambler "loyalty"
cards not just to log the time, place, and amount of
each bet, but to analyze the patterns of movement of
gamblers on the casino floor and throughout their
casino/hotel/restaurant/entertainment/resort
complexes, recording in individual logs and profiles
such things as when and how often gamblers leave the
betting (spending) areas, and where they go: to their
hotel room (perhaps to sleep, i.e. rest up to be ready
for more gambling), to a restaurant to eat (refuel for
more gambling), etc. Theme parks -- where all visitors
can be required to carry admission tickets or badges
with RFID chips -- are beginning to do the same.
Unique fixed ID numbers in RFID chips in passports
will make this possible for all businesses on a global
scale.

The problem with Social Security account numbers has
little to do with how they are used by the Social
Security Administration, and everything to do with how
they are used for data aggregation by other, mainly
commercial entities. The same is largely true of RFID
passports, although the potential for direct abuse by
governments remains higher for RFID passports than for
Social Security account numbers.

The State Department has failed to conduct the Privacy
Impact Assessment which, as EFF and others have noted,
is required before the proposed rules can take
effect. And its limited analysis and response to the
comments on the proposal is based on the fundamentally
false claims that:

It will not permit "tracking" of individuals.
It will only permit governmental authorities
to know that an individual has arrived at a
port of entry.

Both of these last two sentences are lies, and the
State Department knows it. The root of the problem is
the continued refusal of the State Department to admit
-- even when I directly confronted the head of the
Passport Office, Frank Moss, with this question at CFP
-- that passports are ever inspected by anyone other
than government authorities, or anywhere other than at
government border-crossing checkpoints ("ports of
entry").

In fact, most passport checks are made by commercial
entities, for commercial purposes, at commercial
facilities, and are required as a condition of
commercial transactions. Passports have to be opened
for inspection by airlines, airport security
(sometimes they work for and are regulated by the
government, sometimes not), banks, currency-exchange
offices, hotels, duty-free stores, and other
businesses.

Unless you want to travel without ever changing money,
staying in a hotel, or using mass transportation
(passports -- or national ID credentials of the
country, which foreign travellers don't have -- are
routinely required for travel by bus, train, and
ferry, increasingly in the USA as they have been for
years in many other countries), it's impossible to
travel around the world without leaving a trail of
times, places, and purposes for which your passport
has been displayed.

With an RFID passport that responds to any query from
any reader with an unencrypted static ID number,
you'll have to assume that whenever you open your
passport, even momentarily, your position, the date
and time, the nature of the facility or reason for the
passport check, and the details of any associated
transaction will be entered in your permanent file.

Of course that could be done manually with a non-RFID
passport, but it would be slow and costly for the
business, and you'd probably know it was happening.
With an RFID passport, what seems to be a cursory
glance at a passport by a bored and inattentive person
at a doorway could in really also include the
invisible capture of the chip ID number and logging of
the event in a central file (to which, in the USA, you
yourself have no right of access) of information about
you available for sale to all comers, and available to
the government for the asking.

"Social network analysis" of that file, in conjunction
with others, will enable commercial or government data
miners to identify those with whom you associate and
the nature of your relationships:

Hmmm. These two people showed their passports
to enter this duty-free shop at Heathrow
Airport 30 seconds apart in 2007, and to get
on the same sailing of a ferry from Hong Kong
to Guangzhou three years later. That's
probably not a coincidence. If one of them is
a
suspect, the other one probably should be too.
If one of them showed their passport at a
money-changers in Maputo in May to convert
Mozambican Metacias to South African Rand,
there's a good chance the other one of
them was nearby. Let's investigate them
further.

Similar concerns have also been raised in Australia,
where the first Australian passport with an RFID chip
was issued today to the Foreign Affairs Minister,
Alexander Downer.

It's especially problematic that this is happening at
the same time that the USA is beginning to require
passports, both for USA citizens and visitors, for
everyone crossing the borders of the USA including
travellers to and from Canada, Mexico, and some
Caribbean and Central American countries where
passports haven't previously been required.

Along with the abolition of all provisions for transit
of the USA without a visa (citizens of all Latin
American countries need to pay US$100 and go through
an elaborate visa application process just to change
planes in the USA en route to or from Europe or Asia),
the new rules will further discourage visitation to
the USA from Mexico, Canada, and other countries, as
well as travel to those countries by USA citizens who
don't yet have passports. The USA is seeking comments
through next Monday, 31 October 2005 on how much this
will cost, but the total value of the lost spending by
border crossers will be at least in the billions of
U.S. dollars a year, possibly tens of billions.

Welcome to America. "Your papers, please."

----------------
Edward Hasbrouck

http://hasbrouck.org

"The Practical Nomad: How to Travel Around the World"
(3rd edition, 2004)
"The Practical Nomad Guide to the Online Travel Marketplace"
http://www.practicalnomad.com