Passport to Success

By Ari Juels

Companies can learn from problems encountered by the U.S. State Department when it announced plans to introduce RFID-enabled passports.


The U.S. State Department recently responded to pressure from privacy advocates and announced it was considering additional security measures to prevent the unauthorized reading of radio frequency identification transponders, which it plans to embed in new passports starting this fall. While the use of RFID in government-issued documents is fundamentally different from the use of RFID in loyalty cards and other private-sector applications, the State Department’s experience offers a lesson for companies planning to use RFID in a consumer setting.

The State Department plans to add RFID transponders to passports to store and quickly retrieve biometric data (facial recognition information about the document holder) and based its plan on a recommendation made by the International Civil Aviation Organization (ICAO). The ICAO recommends the use of a 13.56 MHz transponder that conforms to the ISO 14443 Type A and B standards, which call for the transmission between the tag and reader to be encrypted.

The chip in the transponder would store the passport holder’s photo encoded with biometric data, which would be compared with a photo taken at the immigration counter to confirm the identity of the holder. The person’s name and other information printed in the passport would also be stored, unencrypted, on the chip. To protect against someone “skimming” this data (reading it without the passport holder’s knowledge), the State Department planned to weave metal fibers into the passport’s cover, which would prevent the tag from being read when the passport was closed.

The State Department said that encrypting the data on the tag wasn’t necessary, would slow down the transfer of data (and immigration lines) and would make it harder for countries around the world to adopt the technology. It felt that the tag’s 10-cm (4-inch) read range would prevent anyone from reading the tag surreptitiously.

Others didn’t agree, including the American Civil Liberties Union and the Association of Corporate Travel Executives (ACTE). Bill Scannell, an international publicist and privacy advocate based in Washington, D.C., put up a Web site called RFID Kills, which argues that terrorists could use the RFID tags to identify and kidnap American citizens traveling abroad.

“We’re looking at a variety of additional security measures that go beyond those called for by ICAO,” says Kelly Shannon, a spokesperson for the State Department’s Bureau of Consular Affairs. “No decisions have been made at this point.”

One way to prevent skimming is to use “basic access control,” a technique that some European countries are incorporating into the RFID-enabled passports they plan to introduce. With basic access control, the passport is placed under a scanner that reads data in a “machine-readable zone” on the photo page of the passport. Today, this calls up the information stored on a computer. With RFID-enabled passports, reading the machine-readable zone would also instruct the computer to create a unique key to unlock the RFID tag so the biometric and personal data could be read.

If biometric data becomes a standard feature in passports, it could make it tougher for terrorists and criminals to travel between countries. But some privacy advocates think using RFID to store the biometric data could do more harm than good. Beth Givens, founder and director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization, believes RFID should never be used in government-issued identity documents for two reasons: The individual has no choice about whether to use the ID. And even if the data on the tag is encrypted, it is still a unique number that can be used to identify a person.

How? Let’s say a member of Amnesty International tries to meet secretly with a political dissident being monitored by the government of a foreign country. The passport’s encrypted data could be read by a high-powered reader from across the street. The government could also scan people at the airport, look for the same encrypted information and arrest the person holding a passport that matches the signal picked up when the person visited the dissident.

“I don’t buy the argument that it’s just a bunch of nonsense numbers,” says Givens. “It’s a unique bunch of nonsense numbers, and even if it doesn’t have your name in it, it could be linked to you when you pass through chokepoints, such as an airport.”

The same privacy issues relate to RFID-enabled cards, key fobs or other devices used for tracking customer loyalty or as a payment system. Companies introducing RFID devices for these purposes should follow these steps to protect consumer privacy.

Step 1: Don’t store personally identifiable information on the tag. Instead, use a serial number that is encrypted on the tag, and encrypt the communication between the tag and reader.

Step 2: Follow the same fair information practices used by retailers introducing products with RFID tags (see Privacy and Profits). In particular, educate consumers about the capabilities of the RFID-enabled card and let them know which information will be stored on the tag, what information will be collected from the tag and how that information will be used.

Step 3: Since encryption alone won’t prevent criticism from those concerned about the potential to abuse RFID technologies, companies should also offer consumers the option of using loyalty cards without an RFID tag. That way, if customers are concerned about potential abuses, they can choose to participate in loyalty programs without using RFID devices.
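Givens's objection and Step 1 side by side, as an added example that is not part of the original article: a tag that always returns the same protected serial can be matched across sightings by an observer with no key, while a reply that mixes in a fresh nonce cannot, yet the key holder still resolves it. The keyed-hash scheme, the key table and all names are assumptions chosen for illustration; the article does not prescribe a scheme.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: back-end table mapping per-tag keys to serials.
TAG_KEYS = {
    b"constructed-key-tag-0001": "SERIAL-0001",
    b"constructed-key-tag-0002": "SERIAL-0002",
}


def static_tag_reply(tag_key: bytes) -> bytes:
    """Tag holding one fixed protected serial: every read returns the same bytes.

    A keyed digest stands in for "a serial number that is encrypted on the tag".
    """
    return hmac.new(tag_key, b"serial", hashlib.sha256).digest()


def randomized_tag_reply(tag_key: bytes) -> Tuple[bytes, bytes]:
    """Tag that binds a fresh 16-byte nonce into each reply."""
    nonce = os.urandom(16)
    return nonce, hmac.new(tag_key, nonce, hashlib.sha256).digest()


def resolve(nonce: bytes, mac: bytes) -> Optional[str]:
    """Back end: only a holder of the tag keys can map a reply to a serial."""
    for key, serial in TAG_KEYS.items():
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, mac):
            return serial
    return None


def linkable(sighting_a: bytes, sighting_b: bytes) -> bool:
    """All a keyless observer at two chokepoints can do: compare raw bytes."""
    return sighting_a == sighting_b


if __name__ == "__main__":
    key = b"constructed-key-tag-0001"
    print("static replies linkable:", linkable(static_tag_reply(key), static_tag_reply(key)))
    (n1, m1), (n2, m2) = randomized_tag_reply(key), randomized_tag_reply(key)
    print("randomized replies linkable:", linkable(n1 + m1, n2 + m2))
    print("back end resolves both to:", resolve(n1, m1), resolve(n2, m2))
```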