U.S. Government Changes Direction on RFID Passports

By Admin

The U.S. government appears to have abruptly changed direction with regard to its initiative to RFID-tag the passports of American citizens.

This article was originally published by RFID Update.

April 26, 2005—The U.S. government appears to have abruptly changed direction with regard to RFID passports for American citizens. Wired News reports that Frank Moss, the U.S. State Department's deputy assistant secretary for passport services, has changed his mind about how secure the current proposal is. In addition to the vocal push-back from privacy advocates and computer security professionals, the State Department reportedly received over 2,400 responses to its solicitation for comments on the proposal. Now, apparently, the department has acknowledged what many critics were saying all along: the proposed RFID tagging solution would allow tag data to be read from distances much greater than 10 centimeters. Because the original proposal did not provide for encryption of the RFID tag data, sensitive personal information could be surreptitiously "skimmed" from distances as far as 30 feet (according to one report).

So now the State Department is considering a technological solution called Basic Access Control (BAC) that a handful of European governments have endorsed all along. BAC (.pdf specification) is a system in which the RFID tag data is encrypted using a special key encoded in the machine-readable text found under the passport photo. The tag data can only be read when the passport is opened and placed against a scanner that reads the text, extracts the key, and decrypts the tag data. Thus, BAC is a multi-step process that protects against remote reading of the tag information; a would-be snooper would have to be in physical possession of the passport to unlock its contents.

The State Department's about-face represents a major turning point in the controversy that has attracted the attention of names like the American Civil Liberties Union, the Electronic Frontier Foundation, and even Phil Zimmermann, the computer security luminary and inventor of the PGP encryption system. The question is why the government changed its mind now, given that the privacy and security criticisms have been made loudly for months. Was it the 2,400 responses from the public? Or perhaps the live demonstration last week at the Computers, Freedom and Privacy conference in Seattle of a passport RFID chip being read from a distance of three feet? Whatever the reason, the RFID industry would be wise to note this coup by the initiative's opponents. Those worried about RFID's potentially negative implications for privacy have demonstrated a strong willingness and ability to organize and effect change, and it is now clearer than ever that their concerns will have to be addressed.

Wired News has more