Such watchdog organizations are vitally important for making sure that the secure-identity programs now emerging from many governments are ones we can all live with. I am staunchly in favor of holding every government security program to unyielding standards of efficiency, effectiveness and privacy.
Conversely, I am staunchly in disfavor of alarmist, pudding-headed and just plain wrong writing on the topic. Unfortunately this particular EPIC report stands proudly in the latter camp.
EPIC focuses on four specific technologies for criticism: radio frequency identification technology, Bluetooth wireless, biometrics and PIN backup. It gets all four humorously wrong.
Much of the text deals with RFID and Bluetooth. The criticism, in a nutshell, is that both RFID and Bluetooth can be remotely intercepted by unauthorized readers, posing both privacy ("Hey--that guy's an American, let's sell him something!") and security ("No, let's kidnap him!") problems.
Indeed, an ID card that uses RFID and Bluetooth is a really bad idea. Fortunately, the Access Card program, or DAC, is not such a card.
Instead of RFID, the DAC uses a standard called ISO/14443 for wireless communication between the card and reader. RFID and ISO/14443 are totally distinct technologies, and ISO/14443 is much harder to snoop. RFID is unencrypted and meant for inventory scanning at a distance of several feet. ISO/14443 is usually encrypted and has a read range of a few inches or less.
There are certainly vulnerabilities in ISO/14443, but they are much less severe than the ones in RFID, and it's either lazy or dishonest to conflate the two. The real long-term solution is to move to contactless cards with strong cryptography. These are already available in the market and will replace the current generation of ISO/14443 cards over the next few years.
EPIC has confused RFID and ISO/14443; that's annoying but perhaps forgivable. What about Bluetooth problems? Crazy talk. The DAC does not use Bluetooth. The DAC does not use anything remotely resembling Bluetooth. As far as I know, no ID card uses Bluetooth, because it is neither possible nor desirable to put a protocol designed to let cell phones talk to PCs and peripherals onto a passively powered card. Bluetooth and access cards are completely orthogonal--like life insurance and whales.
Wading into biometrics, the criticism becomes less surreal but no more valid. EPIC rehashes the standard argument that fingerprint biometrics let in too many bad guys and keep too many good guys
Page 1 | 2