It sounded like the most paranoid conspiracy theory of all: The government planned to make citizens carry radio transmitters that would broadcast their personal information to every cop, marketer, and voyeur within radio range. For once, the paranoia was justified and the theory (though hatched more out of stupidity than conspiracy) correct.
The original plan was to embed Radio Frequency Identification (RFID) chips inside all U.S. passports and pressure the International Civil Aviation Organization (ICAO), the United Nations agency responsible for passports, to ensure that other countries do the same. After heavy criticism from privacy campaigners and travel industry lobbyists, the passports were modified to include limited privacy safeguards. The saga is a cautionary tale for any IT architect investing in RFID, though a proposed extension to driver's licenses shows that the government hasn't learned from its own mistakes.
Pieces of paper or plastic are relatively easy to counterfeit, so most can be made more secure by adding a digital signature. This could in principle be included as scannable text or a bar code, but digitized photo IDs require several kilobytes, and the most convenient way to store that is on a small chip. On its own, this is a good idea: Provided that the issuer's private signature key isn't compromised, it really does help reduce counterfeiting, which is why banks are adding chips to credit and debit cards.
Unfortunately, the passport plan specifies RFID, not regular smartcards. Whereas a standard smartcard must physically touch a reader, RFID chips (or "contactless smartcards," as the industry is rebranding them) can be scanned at a distance. Exactly how distant is controversial: The ICAO says four inches, its critics a hundred feet.
Both claims are accurate because they refer to different things. Passports don't include batteries, so their chips need to draw energy from the reader's magnetic field. Beaming power more than a few inches isn't practical, which rules out some of the scarier scenarios envisioned by critics. The police can't set up a big receiver to identify everyone in a group, and terrorists can't program a bomb to detect people of a particular nationality. However, electronic pickpockets can scan us individually if they get close enough--not difficult in a crowded public area.
Worse, the tag still transmits a radio signal when powered by a reader, and radio signals leak way beyond their intended range. An identity thief could sit in any airport's international terminal, secretly targeting a directional antenna at the check-in counter.
THE NAME OF THE BEAST
The ICAO specification for Machine Readable Travel Documents (MRTD) includes no mandatory security. Encryption is optional and requires that the DES key actually be printed inside the passport. For privacy, it simply states that governments may "consider giving holders the advice to keep their MRTD in a metal jacket."
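The "printed key" works as follows: under ICAO Doc 9303 Basic Access Control, the reader derives the 3DES session keys from three fields it reads optically off the passport's machine-readable zone (document number, date of birth, date of expiry, each with its check digit). The example below is an added illustration, not code from the magazine or the ICAO; the MRZ field values are assumed sample inputs constructed for this example, and the derivation (SHA-1 of the MRZ fields, then SHA-1 with a 4-byte counter and DES parity adjustment) follows the published specification. It shows why the key's strength is bounded by whatever is printed on the data page.

```python
import hashlib

# MRZ character values per ICAO Doc 9303: digits 0-9, A-Z = 10-35, '<' = 0.
def _mrz_value(ch: str) -> int:
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")

def mrz_check_digit(field: str) -> int:
    """Weighted (7, 3, 1) check digit used for every MRZ field."""
    weights = (7, 3, 1)
    return sum(_mrz_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10

def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Concatenate the three fields, each followed by its check digit."""
    doc = doc_number.ljust(9, "<")  # document number is padded to 9 chars
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc, birth_date, expiry_date))

def _adjust_des_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        out.append(high | (0 if bin(high).count("1") % 2 else 1))
    return bytes(out)

def bac_keys(doc_number: str, birth_date: str, expiry_date: str):
    """Return (MRZ_information, {'enc': K_enc, 'mac': K_mac}) for BAC.

    K_seed is the first 16 bytes of SHA-1(MRZ_information); K_enc and K_mac
    are the first 16 bytes of SHA-1(K_seed || counter) with counter 1 and 2.
    """
    info = mrz_information(doc_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    keys = {}
    for name, counter in (("enc", 1), ("mac", 2)):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]
        keys[name] = _adjust_des_parity(digest)
    return info, keys

if __name__ == "__main__":
    # Assumed sample MRZ fields (constructed for this example).
    info, keys = bac_keys("L898902C", "690806", "940623")
    print(info, keys["enc"].hex(), keys["mac"].hex())
```

Every input to the derivation is optically readable from the open data page, so an eavesdropper who can see the page (or guess a low-entropy document number, birth date and expiry) can compute the same keys; this is the limitation the "metal jacket" advice is meant to paper over.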
The United States spurned encryption, but adopted metal jackets as official policy. The RFID tag is shielded from snoopers by a thin Faraday cage within the passport cover. However, the shield doesn't protect against eavesdropping when the passport is open and being read legitimately (the airport identity thief), and it's only convenient because passports happen to be booklet-shaped. Driver's licenses and corporate ID cards aren't.
Last month, the REAL ID Act became law, requiring the Department of Homeland Security to set federal standards for driver's licenses. REAL ID doesn't mention RFID by name, but it does demand that by 2008 all driver's licenses be "machine readable"--the same phrase that the ICAO uses as a euphemism for RFID.
Enterprise RFID systems suffer from the same privacy problems. For pallets in a warehouse, this may not matter. For access control cards carried by people, it does. A security system based on unencrypted RFID will make you less secure, not more.
Respond to Chief Technology Editor Andy Dornan at http://wires.networkmagazine.com.