Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

RFID In Government Issued ID?

kdawson posted more than 7 years ago | from the your-RF-papers-please dept.

89

RFID! writes, "The Department of Homeland Security's Data Privacy and Integrity Advisory Committee published a draft report that poured cold water on using RFID in government-mandated identity cards and documents (PDF link). But this met with some consternation among the DHS bureaus that plan to use RFID in this way and the businesses eager to sell the technology to the government, and now a vote on the report has been delayed until December."

cancel ×

89 comments

Sorry! There are no comments related to the filter you selected.

It was only a matter of time (4, Interesting)

PixieDust (971386) | more than 7 years ago | (#16572230)

While I can see plenty of good, legitimate, wholesome uses for this, personally I think it opens the foor for too much. Though the same could be said of the current Bar Codes and Magnetic Stripes, they're not actually just sitting there broadcasting.

Personally I don't like the idea of RFID tags in much of anything. Too many things being tracked. When you see just how much information Corporate America has on it's customers, it makes you shudder thinking about how much the Government must have on you. It is odd, however, to note that occasionally the Industrial Espionage works better than the US Government's does.

C.f. Hollerith Cards (5, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#16572464)

RFID is a great technology in its place.

I've seen some automated warehouse and inventory-management systems that depend on RFID tags, and (if you're into this kind of stuff) they're the slickest thing you've ever seen. If your full supply chain uses tags, then there's no manual inventorying; as stuff gets unloaded from the trucks at a loading dock (by the pallet-full -- scanners can 'talk' to tens or hundreds of tags at once), it gets noted. When it gets put on a shelf, it gets noted. When an order comes in, the system knows whether it's in stock, and where's it's located. The picker (guys who pull individual items from warehouse shelves) can follow a wrist-mounted computer right to the location, and scan it as they pick it up. As orders get loaded on a truck to go out, they get scanned again at the dock doors. At every step in your supply chain, you can do this.

It's not quite a fully-automated warehouse, but it's pretty close. If you've ever worked in industry or retail, you can appreciate the beauty of such a system. All that real-time data; I won't say there's "no limit" to what you can do, because I don't want to start sounding like an ad, but there's a lot.

So really, don't blame the technology here. The gear is really good. The problem is that a lot of contractors, who want to make a few bucks from Uncle Sam, have convinced some govvies that this sort of data flow -- which is great when you're talking about cases of Rice Krispies or DVD players -- would be nice to have on all of us. The problem with "RFID" as people have come to think of it, is totally a social one. If you could somehow 'uninvent' RFID, put the genie back in the bottle, it wouldn't fix the real issue: that our government is currently obsessed with reaching down into the personal lives of individual citizens, either by accident or by design. A government which took more of an interest in privacy concerns, probably wouldn't think that embedding RFID tags in passports and drivers licenses would be a good idea. That they do, is indicative of a problem in government, not in the tags.

An apt analogy would be Hollerith card sorters and other indexing machines, in the early part of last century. They let people do all sorts of rapid data analysis and were indispensable to industry and government for countless projects. Yet they were also used by the Nazis, to greater or lesser effect depending on who you choose to believe. That a particular technology was used reprehensibly isn't necessarily a valid criticism of the technology itself; virtually anything can be perverted for ill uses.

So in short, don't blame RFID in general. It's a great technology, when used correctly, and its potential for abuse isn't any greater than similarly revolutionary systems were in their day.

Godwin bingo (0)

Anonymous Coward | more than 7 years ago | (#16574980)

I win!

Re:It was only a matter of time (1)

skarphace (812333) | more than 7 years ago | (#16576560)

Though the same could be said of the current Bar Codes and Magnetic Stripes, they're not actually just sitting there broadcasting.
RFID tags do not broadcast. In fact, they are totally passive and have no power source. They react to broadcasted signals from an RFID reader and then it returns a processed signal from what it recieves.

Sorry, I explained that a little weird.

Re:It was only a matter of time (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16577426)

That's a silly distinction, like saying office windows don't shine -- it's the sun.

RFID's receive a signal and then spit it back out again, "casting" the signal in a "broad" manner.

Re:It was only a matter of time (1)

wtansill (576643) | more than 7 years ago | (#16577082)

When you see just how much information Corporate America has on it's customers, it makes you shudder thinking about how much the Government must have on you. It is odd, however, to note that occasionally the Industrial Espionage works better than the US Government's does.
Of course now that I want to be clever I cannot find the reference, but there was a discussion about how the political parties track and segment their various constituencies. The number quoted (which I cannot verify) was that they have roughly 17,000 data points on each registered voter...

Re:It was only a matter of time (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16577276)

how much the Government must have on you

I love the two ways that statement can be read. Keyword: "must".

Re:It was only a matter of time (1)

drjzzz (150299) | more than 7 years ago | (#16580080)

Lots? (just guessing...)
As we've seen repeatedly, the amount of information is not nearly as important as its organization. "The" government (US Federal?, state?, local? combination?) is justifiably ridiculed for its inability to organize information. Call 'em "silos" (databases) or "stovepipes" (access). The US Federal government has focused on integrating disparate information without notable success. I think this is a good thing, since their identifications of evildoers rarely withstands the tests provided by those nettlesome, centuries-old, protections of civil liberties such as habeas corpus.

Re:It was only a matter of time (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16580318)

I meant it as:

Citizen: Crap! The government must have enough information to bury me!
Government: We must have this information to control the People.

stating the obvious (3, Interesting)

frovingslosh (582462) | more than 7 years ago | (#16572232)

They did a study to support their decision, they didn't get the result they wanted, so they are delaying the vote (can't have it now right before the election) and then will decide to do exactly what they want to do in spite of the study. Nothing to see here, business as usual, move on, don't protest or risk arrest.

Re:stating the obvious (1)

budgenator (254554) | more than 7 years ago | (#16577348)

Oh they got the results they wanted all right
RFID is particularly useful where it can be embedded within an object, such as a shipping container. ... Miners or firefighters might be appropriately identified using RFID because speed of identification is at a premium in dangerous situations and the need to verify the connection between a card and bearer is low. But for other applications related to human beings, RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security. Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example), but can be in fact used for monitoring human behavior.

These types of uses are still being explored and remain difficult to predict. For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings. When DHS does choose to use RFID to identify and track individuals, we
recommend the implementation of the specific security and privacy safeguards described herein.

I read this as saying that when the technology improves to the point where a chip can be challenged and only reply to a cryptographicaly correct handshaking protocol and replies in a encrypted form; It's a done deal, especialy if they can figure out a way to convince people to have them implanted inside them. We just had our dog chipped!

hmm (2, Funny)

User 956 (568564) | more than 7 years ago | (#16572254)

The Department of Homeland Security's Data Privacy and Integrity Advisory Committee published a draft report that poured cold water on RFID

That sounds like it would have shocking results.

Shocking? (2, Funny)

Kadin2048 (468275) | more than 7 years ago | (#16572506)

The Department of Homeland Security's Data Privacy and Integrity Advisory Committee published a draft report that poured cold water on RFID
That sounds like it would have shocking results.
Depends on whether their cold water was taken with a grain of salt...

Pwnership Society (3, Funny)

Doc Ruby (173196) | more than 7 years ago | (#16572258)

So what? All the reports came back "DON'T INVADE IRAQ" and "DON'T MESS WITH TERRY SCHIAVO'S ANIMATED CORPSE" and "THE LEVEES WILL BREAK" and "FOLEY IS A CHILD MOLESTER" and...

Our Republican government is visionary. They're not distracted by polls [msn.com] or mere facts from government agencies... Republicans know government doesn't work, and they'll prove it to you every chance they get.

So welcome our Republican overlords, and their shiny new RFID IDs. Why should identity theft be limited to a few thousand wired Americans each day, when Republicans can bring us a Pwnership society?

Re:Pwnership Society (1)

Shut the fuck up! (572058) | more than 7 years ago | (#16572286)

You must be one miserable fuck in real life.

Re:Pwnership Society (-1, Flamebait)

Doc Ruby (173196) | more than 7 years ago | (#16572364)

Shut the fuck up!

What the fuck would you know about real life? I'm your only connection to it.

Re:Pwnership Society (0)

Anonymous Coward | more than 7 years ago | (#16572692)

Just followed some troll to anti-slash, seems like you're a popular guy there, congratulations. You should take it as a compliment, you're comments are what these losers want to silence the most.

Re:Pwnership Society (-1, Flamebait)

Doc Ruby (173196) | more than 7 years ago | (#16577468)

What a hilarious site. Just like the actual jihadists they copycat, they demand actions of righteousness from the "government" of Slashdot, and vow to bomb the people of Slashdot until the government starts caring. And like actual jihadists, they explode themselves in the process. And their leaders employ a system to send naive people to the targets they choose, while the leaders rest comfortably anonymous behind a superficial ideology.

We've found Osama.

Re:Pwnership Society (0, Offtopic)

Doc Ruby (173196) | more than 7 years ago | (#16577326)

Moderation -2
    50% Flamebait
    50% Offtopic

"Shut the fuck up!" is their UserID. And my post wasn't "Flamebait", it's a FLAME. This mod system is a joke.

Re:Pwnership Society (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16577528)

Our Slashdot userbase is visionary. They're not distracted by explanations or mere facts from other members... Slashdotters know moderation doesn't work, and they'll prove it to you every chance they get.

!include <sarcasm.h> (4, Funny)

HoosierPeschke (887362) | more than 7 years ago | (#16572276)

Boy, what will win, businesses pushing an underdeveloped technology or the sense of rights and privacy we as human beings have come to know and love.

Re:!include [OT] (1)

HoosierPeschke (887362) | more than 7 years ago | (#16572304)

Replace !include with #include...

Re:!include [OT] (1)

hdparm (575302) | more than 7 years ago | (#16573226)

Wouldn't it be quicker to just replace ! with #?

Re:!include [OT] (1)

HoosierPeschke (887362) | more than 7 years ago | (#16574142)

Yeah, good grief 0200 in the morning is NOT good to me...

Re:!include [OT] (1)

budgenator (254554) | more than 7 years ago | (#16577584)

I think you posted that on the wrong forum; but it was not only appropos but deep!

Re:!include (0)

Anonymous Coward | more than 7 years ago | (#16573168)

Business, of course. Money always wins. Any other questions?

Here's the reason Cato doesn't like RFID (4, Insightful)

maynard (3337) | more than 7 years ago | (#16572278)

From Jim Harper's blog post:

RFID offers no anti-forgery or anti-tampering benefit over other digital technologies that can be used in identification cards - indeed it has greater security weaknesses than alternatives. And RFID has only negligible benefits in terms of speed and convenience because it does not assist with the comparison between the identifiers on a card and the bearer of the card. This is what takes up all the time in the process of identifying someone.


He's saying it isn't any better than other card systems, and it doesn't solve the principal security problem - that of identifying the owner. I bet, however, that if one were to somehow solve the confirmation of identity issue - such as by injecting or surgically implanting and RFID chip - he might change his mind.

I think one could argue that Mr. Harper doesn't oppose RFID as much as he finds it impotent.

Re:Here's the reason Cato doesn't like RFID (2, Insightful)

CortoMaltese (828267) | more than 7 years ago | (#16573738)

All of the biometric passports and electronic identity cards use the same technology, namely smart cards [wikipedia.org] , i.e. tamper resistant integrated circuit cards. There are contact and contactless cards, the latter of which are often referred to as RFID cards. Note that RFID smart cards have next to nothing to do with RFID tags. Smart cards have a processor, persistent and volatile memory, often cryptoprocessors and many kinds of shields for tamper resistance. Hacking them is quite difficult.

Contactless cards offer significantly faster communication speeds than contact cards and also the option to pick one card from many cards within the range of the reader.

What comes to security, there are two main vulnerabilities in contactless cards: eavesdropping and accessing the card without holder's knowledge is easier than in contact cards. In both points, the vulnerabilities can be overcome with protocol design. The card need not broadcast anything without setting up a secure channel and requiring holder verification (e.g. PIN). This is really not a fault in the technology itself, but rather in how it is applied.

Re:Here's the reason Cato doesn't like RFID (1)

badfish99 (826052) | more than 7 years ago | (#16574724)

So what if the technology could have been made safe and secure? The whole problem is that it wasn't made secure, and now we're stuck with a spec for RFID passports that is reducing border security instead of increasing it.

Re:Here's the reason Cato doesn't like RFID (1)

CortoMaltese (828267) | more than 7 years ago | (#16575122)

Yes, it is a shame that we have a spec that allows skimming, eavesdropping and cloning of electronic passports. However, instead of bashing the technology (contactless/RFID smart cards) we should bash the application (ICAO specs).

To be pedantic, the vulnerabilities of the passports are mostly privacy and safety concerns for their individual holders. And I'm not saying that this is a minor issue. It's not. But the passports do increase border security. It is possible to clone the chip (due to protocol vulnerability) but it is very difficult to forge the chip because the data, including face image, is digitally signed.

Due to the above mentioned vulnerabilities, the EU is going to mandate use of advanced secure mechanisms (that avoid the vulnerabilities) for electronic passports that contain other biometric data than the face image.

Re:Here's the reason Cato doesn't like RFID (1)

enbody (472304) | more than 7 years ago | (#16576362)

What comes to security, there are two main vulnerabilities in contactless cards: eavesdropping and accessing the card without holder's knowledge is easier than in contact cards.

Yes and no. Contactless cards get their power from the radio waves (the "R" of RFID) which provides very little power over the expected time period within range. For that reason, they cannot do much processing, e.g. good cryptography. (See http://en.wikipedia.org/wiki/Speedpass [wikipedia.org] for information about cracking RFID encryption.) There exist RFID devices with batteries (e.g. IPASS toll payment in Chicago, IL, USA and similar), but are generally too thick to fit in your wallet.

The common fallacy of RFID discussions is to confuse "passive" devices which depend on radio waves for power and "active" devices which have a power source but are activated by radio waves. People often talk about the capabilities of active devices in the context of passive devices without realizing that passive devices don't have enough power to do much of anything.

Re:Here's the reason Cato doesn't like RFID (1)

CortoMaltese (828267) | more than 7 years ago | (#16584630)

Contactless smart cards can do just as much processing as contact cards, also in terms of cryptography (e.g. use of 2048 bit RSA keys is reasonable). The Speedpass you refer to uses a different technology, as explained in the Wikipedia article. This is the common fallacy of confusing RFID tag or transponder technology with contactless smart card technology.

Contactless (or RFID, if you prefer) smart cards are passive in the sense that they don't have a power supply. Due to the power consumption, the operating range from the reader is quite limited, usually less than 10 cm (4 inches). Look up ISO 14443 [wikipedia.org] for more info.

RTFM idiot (0)

Anonymous Coward | more than 7 years ago | (#16577130)

an RFID chip is still a small, easily removed item that could be swapped between individuals. It's probably easier to change out an implanted RFID chip than your social security number.

The main thrust of the article (if you ignore the privacy discussions as anybody reading the article to decide whether it should affect the upcoming government ID cards) is that posession of an RFID stinks as an identification method because it's easily swapped among individuals no matter how you implement it whereas biometrics are far better precisely because if you follow best practices in implementing their use for identification they're extremely hard to change much less fake.

That's exactly the same reason that use of biometrics for identification should raise much larger privacy concerns.

Re:RTFM idiot (1)

maynard (3337) | more than 7 years ago | (#16577360)

You appear to have missed that I quoted from the article in question. I read it. My only point is that surgically implanting an RFID chip would appear to meet the author's requirements based upon his argument. IOW: his argument is not based on privacy policy, but that there are better technical alternatives to RFID.

Re:RTFM idiot (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16577708)

That's exactly the same reason that use of biometrics for identification should raise much larger privacy concerns.

They probably asked for something so heinous so that it would draw everyone's fire. Then, when they roll out their real plan (arm barcodes) it doesn't seem so bad in comparison.

Re:Here's the reason Cato doesn't like RFID (1)

Seth Cohn (24111) | more than 7 years ago | (#16579460)

I won't put words into Jim's mouth, but having met him and discussed REAL ID and RFID with him, you're wrong. See his book for his own views.

Re:Here's the reason Cato doesn't like RFID (1)

maynard (3337) | more than 7 years ago | (#16579634)

Well that may be true. I'm going with the argument presented in his blog entry and linked within the story submission. Do you know of anything online of his that makes a more general argument in support of electronic privacy, rather than simply the efficacy of RFID security?

Re:Here's the reason Cato doesn't like RFID (1)

Seth Cohn (24111) | more than 7 years ago | (#16579906)

Jim was editor of Privacilla.org (now defunct, see wayback:
http://web.archive.org/web/20050306022005/http://w ww.privacilla.org/index.html [archive.org] )

It was "a web-based think tank that takes a free-market, pro-technology approach to privacy policy."

He's also author of "Identity Crisis: How Identification is Overused and Misunderstood"
Search inside it at Amazon.

Also, google is your friend... lots of stuff. Not sure exactly what you are looking for.

Re:Here's the reason Cato doesn't like RFID (1)

JimBobJoe (2758) | more than 7 years ago | (#16580328)

I think one could argue that Mr. Harper doesn't oppose RFID as much as he finds it impotent.

Though I've only met him once, and haven't read fully his book Identity Crisis [amazon.com] I think he is very anti-RFID but chose only to discuss the issue in the context of how well it works for that particular blog entry.

I believe him to be very pro-privacy and civil liberties, but he often chooses to argue against a system on efficacy grounds instead of invoking philosophical arguments.

If you needed another reason to clean house(s).... (3, Insightful)

guisar (69737) | more than 7 years ago | (#16572282)

Here it is. There's only one way to stop the madness- a clean sweep! So mark Nov 7th on your calendar and make sure to read the manual for the automated voting machine and of course, bring your ID. For your safety and convenience there's no need to stick it a slot or show it to the attendent; just pass it it by this handy reader.... We know who you are.

Re:If you needed another reason to clean house(s). (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16577874)

Hey, if you start two days early you get to use knives and fancy kar-ah-tee.

Question (1)

Neitokun (882224) | more than 7 years ago | (#16572284)

Didn't the guys at Defcon read RFID from like, 60 feet away? And isn't it easy to clone RFID?

Re:Question (0)

Anonymous Coward | more than 7 years ago | (#16573126)

You can circumvent the remote cloning danger if you use encryption challenge response, like a digital signature. The chip would not broadcast its entire content, just the calculated response. There goes the speed advantage. And all other problems still exist.

To your government, the abilitiy to track your every move is a feature, not a bug.

Re:Question (1)

toddhisattva (127032) | more than 7 years ago | (#16581946)

"Didn't the guys at Defcon read RFID from like, 60 feet away? And isn't it easy to clone RFID?"

The distance you can read RFID depends on the implementation and conditions. Some are designed to be read at such distances, even when they're tracking metal or liquid products.

Some RFID is easy to clone, others are designed to be hard to clone. Easier to mimic the signal than copy the device itself, and there may be features of the signal that prohibit easy replication (beyond this guess, my knowledge of the field is the same as David Letterman's: them bats is smart, they use radar!).

Full disclosure: I think I own stock in some RFID company or other, and/or know people who do.

Ouch (5, Informative)

TubeSteak (669689) | more than 7 years ago | (#16572320)

This report does more than just "pour cold water" on RFIDs

From the Executive Summary:

"There appear to be specific, narrowly defined situations in which RFID is appropriate for human identification. Miners or firefighters might be appropriately identified using RFID because speed of identification is at a premium in dangerous situations and the need to verify the connection between a card and bearer is low.

But for other applications related to human beings, RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security."

"no commensurate benefit for national security"
Translation: This will not protect you from the terrorists.
And really, isn't that
A) the big goal of all these changes?
B) how everyone is justifying their budget?

Stop hating freedom. (1)

DarthBibble (1015727) | more than 7 years ago | (#16572362)

Obviously, questioning the government will help the terrorists much more than lies and stupidity inside the government.

Re:Stop hating freedom. (1)

steveg (55825) | more than 7 years ago | (#16585286)

What's scary about this statement is that I can't tell if it's tongue in cheek or not.

It's not an uncommon attitude.

Re:Ouch (1)

HoosierPeschke (887362) | more than 7 years ago | (#16572382)

"no commensurate benefit for national security" Translation: This will not protect you from the terrorists. And really, isn't that A) the big goal of all these changes? B) how everyone is justifying their budget?

There *is* no benefit for national security, you'd think that blatently broadcasting information for ease of identification would've been the first clue this might be bad. I'm thinking this relates to a word that starts with $.

Re:Ouch (1)

Neitokun (882224) | more than 7 years ago | (#16572414)

> I'm thinking this relates to a word that starts with $. How would money effect this? There's no money to really be made, and I can't think of a special interest that would pay for RFID for any reason.

Re:Ouch (1)

HoosierPeschke (887362) | more than 7 years ago | (#16572474)

The businesses that make the RFID tags would be greatly appreciative of such a government contract. They may not be major players in the political "donation" arena but it would be a huge payout if RFID tags had to accompany every document and special interest the DHS thought would require one.

That's just the tinfoil talking though =)

Re:Ouch (1)

BiggerIsBetter (682164) | more than 7 years ago | (#16574480)

Why does TubeSteak hate America?

Re:Ouch (1)

budgenator (254554) | more than 7 years ago | (#16577952)

This will not protect you from the terrorists. because it can be snooped, cloned will answer to anybody, can be left at home, can be traded with somebody else's. Make it cyrptographicaly secure and implanted into the body Muhahahaha ....

Re:Ouch (1)

DragonWriter (970822) | more than 7 years ago | (#16580612)

Translation: This will not protect you from the terrorists. And really, isn't that A) the big goal of all these changes? No, the big goal is handouts of public money to corporate supporters of the political leadership, which is why this report didn't put an end to the whole idea.
B) how everyone is justifying their budget?
Yeah, which is why they are now taking more time to figure out a way to reconcile their justifications so they can go ahead with the handouts.

Two Thoughts (1)

mac_mcgrew (1007583) | more than 7 years ago | (#16572536)

1. This will probably make it through in a horribly mangled revision of the original proposal. Most likely it will take ten years to implement, will cost ten times as much as was proposed, and will be ten times less effective as a security measure than it already isn't.

2. To the conspiracy know-it-all types that are sure to flood this one, if you've ever worked in government intelligence for any length of time, you'd realize how much time you're wasting with the big brother fantasies. Google's the one to watch out for. Or, rather, they're the ones watching you.

Summary of TFA (3, Funny)

Harmonious Botch (921977) | more than 7 years ago | (#16572566)

For those who didn't want to read it, it says that too many senators objected to being RFID'ed. Particularly Mr.Foley, who is trying to turn a new page in his life.

RFID is only a supplemental technology (5, Interesting)

unPlugged-2.0 (947200) | more than 7 years ago | (#16572718)

As someone who works with RFID regularly the report does not surprise me.

The biggest problem with RFID is that too many industries (government included) are implementing it because it is a neat technology. In reality it is great for some things but not so good for others.

I do think that RFID will eventually be good for adding more information and for use as human id's but only with a supplementatl verification system like BioMetrics.

But even just RFID alone is in no way less secure than printing a number on your passport that uniquely identifies you. I think that your passport number is a much easier counterfeit target than a chip in your passport.

If you just clone the chip it is very unlikely that customs will only want to check your chip and not the rest of your passport or your picture.

Re:RFID is only a supplemental technology (1)

scoot80 (1017822) | more than 7 years ago | (#16572878)

I agree with you. I've done a few electronics designs with RFID, and it has its place. I would not use it as a secure storage. We used it in an educational toy to identify different items - far from hackproof.

Re:RFID is only a supplemental technology (1)

mbessey (304651) | more than 7 years ago | (#16572948)

But even just RFID alone is in no way less secure than printing a number on your passport that uniquely identifies you.

That's a really strange thing to say. Here's short list of potential security problems an RFID presents that a printed number doesn't, off the top of my head:

1. Your RFID chip can be read & potentially copied without your peremission, or even your being aware of it.
2. An RFID-enabled ID allows anyone to build an "American Detector" that's 100% reliable, and works from a distance. This is a special case of #1, but a particularly worrisome one.
3. Someone can "invalidate" your passport remotely, by burning out the chip with high-powered RF. How do you convince the Homeland Security folks that you really DO have a valid passport, despite the fact that the "secure" chip is apparently missing?
4. The government or even private agencies can use the RFID to track you, at least in terms of entering or leaving a particular area, again without your knowledge.
5. Given that the RFID chip allows you to be "authenticated" easier, does that imply that the rest of the passport will be looked at LESS carefully?

-Mark

Re:RFID is only a supplemental technology (1, Informative)

Anonymous Coward | more than 7 years ago | (#16573056)

3. Someone can "invalidate" your passport remotely, by burning out the chip with high-powered RF. How do you convince the Homeland Security folks that you really DO have a valid passport, despite the fact that the "secure" chip is apparently missing?

From the State Department E-Passport FAQ (http://travel.state.gov/passport/eppt/eppt_2788.h tml)

"What will happen if my Electronic passport fails at a port-of-entry?

The chip in the passport is just one of the many security features of the new passport. If the chip fails, the passport remains a valid travel document until its expiration date. The bearer will continue to processed by the port-of-entry officer as if he/she had a passport without a chip."

Re:RFID is only a supplemental technology (1)

badfish99 (826052) | more than 7 years ago | (#16574778)

So, given that the chips are actually a risk to security, it would be helpful to US border security if we all just fried our passports in the microwave oven. Right?

Re:RFID is only a supplemental technology (1)

Vengeance (46019) | more than 7 years ago | (#16575558)

It's not just helpful, it's our duty as citizens.

Re:RFID is only a supplemental technology (1)

jibjibjib (889679) | more than 7 years ago | (#16574912)

3. Someone can "invalidate" your passport remotely, by burning out the chip with high-powered RF. How do you convince the Homeland Security folks that you really DO have a valid passport, despite the fact that the "secure" chip is apparently missing?

I doubt you ever complained that magnetic stripe cards could be erased remotely by EMP, or that your mobile phone could be fried remotely by high-powered microwaves.

Go ahead and try... (1)

mbessey (304651) | more than 7 years ago | (#16584530)

I'd really like to see someone build a (portable!) device that can erase a mag-stripe card at more than a foot or so of distance. The kind of magnetic field that you'd have to generate to wipe a mag-stripe card from a distance would probably violently attract every piece of loose iron in the vicinity, as well.

As far as the phone goes, I'd be pretty peeved if someone fried it with microwaves, but there's probably at least some protection built into the phone - otherwise, walking directly by a cell tower might damage your phone. Additionally, I don't depend on my phone to identify myself.

-Mark

Re:RFID is only a supplemental technology (1)

rampant poodle (258173) | more than 7 years ago | (#16575672)

Item 5 is seldom discussed but significant. Of course it also applies to any machine readable, "easier to use", identification document. Security personnel get used to swiping the card, hearing a "happy sound", and handing the document back. Actual comparison of the individual and the photo is cursory at best. This one is fresh in my mind as one of our techs who has moved on to bigger and better things came back for a visit. He repeatedly passed through security using his girlfriend's ID Card. (2D barcode rather than RFID. Results would be the same.)

Re:RFID is only a supplemental technology (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16577976)

An RFID-enabled ID allows anyone to build an "American Detector"

Would would our citizens even be travelling to other lands where this would be an issue? Do they perhaps... hate America?.

Would you use RFID prepaid cards? (1)

TheVelvetFlamebait (986083) | more than 7 years ago | (#16575060)

Not strictly on topic here, but I want to pose a question. I realise that many /.ers dislike the privacy issues (as I do to), but I also like the idea of RFID-supported checkout-less shopping. Y'know, where people pick up their goods and just walk out the door, with the money charged to your account. Would you go for a RFID prepaid card that stores nothing but the account number and possibly balance? Would you trust a company who claimed something like this to store only this information, and not shopping habits, etc? Is there something I'm missing that could turn this into a very bad idea?

Re:RFID is only a supplemental technology (1)

maxume (22995) | more than 7 years ago | (#16575804)

Smart chips, combined with proper key management, give you the ability to put encrypted and signed information on a card, making it much more difficult to create/obtain a fraudulent card; you need access to the authentic keys to do so.

RFID simply makes it easier to read that information than with a contact based system. For something like a passport, which someone who uses it a lot might use twice a day, it offers basically no advantage, with the disadvantage that someone can try to talk to the card without you knowing about it.

Biometrics serve to tie the holder of the identification to the identification, but they do nothing to ensure that the identification is authentic. They work well with signed, encrypted data storage though.

It scares me when identification systems drift away from simple trust proxies into you-are-the-card territory. If a person matches an id and you can validate that id, you know two things: they managed to obtain it, and you can trust that they are the person on the id to the extent that you trust the authority that issued the id. If the issuing authority sprays cards out to anybody who asks for one, it doesn't matter how good the security features and authentication mechanism are, the card is only as good as the work they do to establish identity in the first place.

Re:RFID is only a supplemental technology (1)

enbody (472304) | more than 7 years ago | (#16576616)

Smart chips, combined with proper key management, give you the ability to put encrypted and signed information on a card, making it much more difficult to create/obtain a fraudulent card; you need access to the authentic keys to do so.

Correct, but...
One can clone that information. You say, but then the RFID information doesn't match the non-RFID information.
Correct, but ...
In many applications that doesn't matter. For example, it would still work fine for people-less transactions such as Mobil Speedpass for gas and food purchases or to take a car with a passive RFID "key." Even transactions with people often fail because the "OK beep" when passing security is sufficient without bothering to verify RFID information with the non-RFID information such as photo (see posting about first-hand experiences with this effect elsewhere).

Re:RFID is only a supplemental technology (1)

maxume (22995) | more than 7 years ago | (#16577444)

So what's your point? Exclusive of RFID, smart chips, used properly, make id cards better. Cloning is certainly a problem, but it doesn't make the addition of smart chips a bad idea, it is just something that needs to be accounted for in the overall process.

To be clear, my thinking is that there is no reason to use RFID in situations where security and identity are an issue, and that there are reasons not to use it. For tracking things, it's great.

The psychological issue of the 'ok beep' that you bring up is a problem, but the human element is always a problem; a locked door is only as good as the lock *and* the security of the keys. More complicated situations get worse, faster. I liked the part of Men in Black II where they re-enter their headquarters, and the doorman is just sitting there doing nothing and mumbles "About time" or some such thing; it's great security, he knows who is supposed to be there, who isn't, and what to do about each, and he is trusted to carry things out.

I'm not sure how to respond to "see posting about first-hand experiences with this effect elsewhere", as I don't see anything. Am I supposed to go look around myself?

Next, babies will be microchipped... (2, Insightful)

AriaStar (964558) | more than 7 years ago | (#16572820)

...before leaving the hospital. I foresee this happening in the next 20 years, if not sooner.

Yeah... (1)

rlazarus (1002774) | more than 7 years ago | (#16572884)

... but will they run Linux?

EMP (2, Funny)

splutty (43475) | more than 7 years ago | (#16573662)

This is why you need to EMP your newborn as soon as possible, just to be sure...

Re:EMP (1)

voice_of_all_reason (926702) | more than 7 years ago | (#16578108)

Just send up a bunch of satellites that re-image the earth every few months or so.

Oh, and call me Plissken.

Re:Next, babies will be microchipped... (1)

KORfan (524397) | more than 7 years ago | (#16585854)

It would help fight kidnapping and the slave trade, that's for sure. It'd help find runaways as well. Not that it's a good idea and I sure wouldn't want it, but it would help in those areas.

Tr0Ll (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16573044)

list of other And some of the AAshowles, as they

Er, oh (1)

oGMo (379) | more than 7 years ago | (#16573136)

OK so surely I'm not the only one who saw "RFID In Government Issued IDs?" then had my eyes skip to "poured cold water on using RFID in government-mandated identity cards and documents" and figured they discovered covert RFID tags in paper IDs by getting them wet?

Re:Er, oh (1)

scoot80 (1017822) | more than 7 years ago | (#16573218)

Why did that make me think of a wet tshirt competition.. pour cold water and magically discover nipples!

Re:Er, oh (1)

budgenator (254554) | more than 7 years ago | (#16578096)

how about Arnie wrapping his head in a wet towel and pulling a ping-pong ball out of his nose?

if we must... but then no exceptions (1)

l3v1 (787564) | more than 7 years ago | (#16573512)

I don't like this idea, as I don't like many ideas that popped up and slowly turn into reality during the last few years. But if they will introduce this, then I would demand full and total use, with no exceptions. What I mean is, no government official, no agency member, no police people, no soldiers, etc. without such IDs. And if they record, then record everything. If they want us/you followed and tracked, they also shall be followed and tracked, and more so, since they have much more power to eventually misuse than the people which they try to shackle. When they introduce such measures, they should be the first to experience it.

rfid ids? (0)

Anonymous Coward | more than 7 years ago | (#16573644)

a wallet or purse is easy to make/modify so that no rfid signals could pass through them... then no one can read them unless you want them to

Re:rfid ids? (0)

Anonymous Coward | more than 7 years ago | (#16575430)

no longer do we have the fun of people with tin foil hats, now it will be people with tin foil wallets/purses .

Only difference being one can prove that their paranoia is justified.

Helping the terrorists - class act (1)

Anonymous Coward | more than 7 years ago | (#16574536)

You can't but admire the serious amount of effort that is being put into helping terrorists specifically target US citizens. All they need to buy now is (increasingly cheaper) RFID readers and then design bombs that only go off if sufficiently large quantities of US passports have gathered in the proximity. Extra bonus for an extra pile of RFID enabled documents because someone carrying, say, high level Gov document must be worth extra points.

RFID's ONLY benefit over a stupid 2D barcode (which is easy to print and cheap to read) is the ability to be read from a distance, and that's also it's big risk. It's got NIL value in passports when it comes to safety over a barcode (as you can clone RFIDs) but because it's sexy everyone suddenly has to have it.

And, of course, once the bad-guys-du-jour (terrorists, commies, child molesters, people that do strange things with furry animals etc) narrow their focus you will need to hand over a new chunk of privacy to make sure the Government can keep you 'safe' again. Not that there's much of it left anyway..

Doesn't anyone in those departments actually THINK anymore? Has that been outlawed when I wasn't looking? Was that too slipped in as an amendment to an entirely unrelated act?

Sjeez. /rant

And RFID Passports in the USA a Reality Now... (3, Informative)

Lord Satri (609291) | more than 7 years ago | (#16574942)

Other RFID stories right here [slashgeo.org] . And let's not forget RFID Passports in the USA a Reality Now [slashgeo.org] :
"Following this previous story [slashgeo.org] , we learn from the Washington Post RFID chips in US passports are now confirmed [washingtonpost.com] . From the article: "Passports will come with a shielded cover, making it much harder to read the chip when the passport is closed. And there are now access-control and encryption mechanisms, making it much harder for an unauthorized reader to collect, understand and alter the data. [...] The Colorado passport office is already issuing RFID passports, and the State Department expects all U.S. passport offices to be doing so by the end of the year.""

Re:And RFID Passports in the USA a Reality Now... (1)

molo (94384) | more than 7 years ago | (#16576940)

Okay, so my wife got a new passport after changing her name. How does one go about checking to see if a new passport includes RFID? X-ray it? Then once it is identified, how can we defeat the RFID? Does throwing it in the microwave really work?

-molo

Re:And RFID Passports in the USA a Reality Now... (1)

Lord Satri (609291) | more than 7 years ago | (#16586820)

"How does one go about checking to see if a new passport includes RFID? X-ray it?"

I guess you would 'see' the chip. They're not that small!

"Then once it is identified, how can we defeat the RFID? Does throwing it in the microwave really work?"

I don't know. But I would not mess with it. If they figure out you tried to mess with with, they'll only give you trouble...

Re:And RFID Passports in the USA a Reality Now... (0)

Anonymous Coward | more than 7 years ago | (#16610102)

"how can we defeat the RFID?"

Wrap it in aluminum foil!!

We still don't have it in Brazil... (0)

Anonymous Coward | more than 7 years ago | (#16575802)

... but i think that may change soon. A friend of mine wrote an essay [blogspot.com] that says that maybe public pressure will force the government to adopt RFID at least for passports.

The reason? To make easier to obtain visa to the US.

)goat (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#16575860)

the project to AL KNOW WE WANT.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?