April 23, 2007 4:18 PM PDT
Canada, Mexico travel cards under privacy attack
- Related Stories
Homeland Security dismisses Real ID privacy worriesMarch 21, 2007
Researchers: E-passports pose security riskAugust 5, 2006
Tech industry attacks state anti-RFID lawsApril 19, 2006
New RFID travel cards could pose privacy threatApril 18, 2006
At a Monday workshop here, privacy advocates said they were puzzled that come summertime, the U.S. Department of State, in consultation with the Department of Homeland Security, still hopes to begin issuing so-called "passport cards" embedded with radio frequency identification (RFID) chips whose data can be skimmed by readers up to at least 20 feet away.
The technology, which is similar to the passes read by highway tollbooths, is already being used in other U.S. immigration documents and programs, but that doesn't make it any less troublesome, critics said at the first day of an identification workshop hosted by the Federal Trade Commission.
The decision to use such chips in the new passes nonetheless "should be reconsidered," said Neville Pattinson, a vice president with Gemalto North America, which makes microprocessor chips for so-called "smart cards" that are capable of more sophisticated privacy protections. Pattinson, who also serves on a committee that advises Homeland Security on data privacy and security issues, said the vast majority of some 4,000 public comments that have been submitted in relation to an ongoing rulemaking proceeding about the passes frowned upon the approach.
"Reckless" is the only way to describe the government's inclination to use a form of RFID designed by the Massachusetts Institute of Technology and industry partners "to track items in warehouses," said Ari Schwartz, deputy director of the Center for Democracy and Technology. "It was not created for tracking people, and now we're using it in this way that is a potentially very big risk."
The passport cards are billed as a response to widespread demand for a lower-cost passport alternative from people who live in border communities and, like all Americans, are expected to be required to begin showing passports at land and sea border crossings beginning next year. (Similar requirements for air travel took effect earlier this year.)
The document would be valid for a 10-year period and would require the same application process as a normal passport, but it would physically resemble a credit card rather than a traditional book-format passport.
The idea behind the longer-range read zone for the cards is to let information be extracted from all of the cards in a particular vehicle at once and displayed on a border patrol officer's computer screen before the cardholder's vehicle reaches the checkpoint. The government says this will speed up the screening process.
In their most recent draft rules issued in October (PDF), government officials said they're leaning against using a chip that could be read from only a few inches away because it would require vehicles to slow down and hold out cards one at a time for scanning. It was unclear when the final rules would be released.
Patty Cogswell, acting associate director for Homeland Security's Screening Coordination Office, downplayed the privacy risks. She said the government intends to issue the cards in a sleeve that would block data from being read off the chip. Beyond that, the data that would be read from an exposed card would only be a single number "that doesn't mean anything."
"It's not a number that can be generated from anything specific; it's truly a random number issued by our system," Cogswell said.
CDT's Schwartz said he wasn't consoled by the fact that the number would be randomly generated because it would ultimately be tied to an individual and used as an identifier.
"The only positive thing that could possibly be said about the pass cards is that it is a voluntary system," he said.
7 commentsJoin the conversation! Add your comment