RFID Passport Tags Save Time, Risk Privacy

By Jeff Goldman

August 18, 2009

The required presence of an RFID tag in U.S. passport cards has raised privacy concerns, but government officials insist the technology is secure–and that the resulting efficiency at land borders is worth the risk.

The presence of an RFID tag in U.S. passport cards has raised privacy concerns, but government officials insist the technology is safe–and that the efficiency it adds at land borders is worth the risk.

In January of this year, researcher Chris Paget drove through the streets of San Francisco scanning the RFID tags embedded in the passport cards and enhanced drivers licenses (EDLs) supported by the Western Hemisphere Travel Initiative (WHTI), in order to demonstrate the lack of security inherent in the devices.

Paget’s demonstration raised a number of questions about the technology behind passport cards and the security with which they’ve been deployed.By the time WHTI went into effect on June 1^st of this year, requiring Americans to present passport books, passport cards, or EDLs when crossing land borders into the United States, over a million RFID-enhanced passport cards had already been issued. While WHTI itself isn’t new, its implementation for land borders was delayed two years ago in order to allow for further testing of passport card technology.

It’s important to note that there’s a key difference between e-passports (passport books) and passport cards. While passport cards use vicinity RFID (EPC Gen 2) technology, which can be read at distances of up to 30 feet, e-passports use ISO 14443 contactless smart card tech with a read range of a few inches. To compensate for their readibility (and therefore hackability) at a distance, passport cards only transmit an ID number that relates back to information stored in a secure central database, while e-passports store and transmit much more detailed information about the passport holder.

According to Randy Vanderhoof, executive director of the Smart Card Alliance, that difference was key to the selection of the two technologies. “The electronic passport was built knowing that it was going to store secure information like a person’s name, city of issuance, passport number, image of the person… and therefore they chose a more secure chip technology to protect that information—whereas the passport card was designed to be a static identifier to a central database, with no personal information stored in the chip itself,” he says.

As a result, Vanderhoof says, the only data that Paget was able to gather in his demonstration was that relatively anonymous static identifier.

But Vanderhoof says there is still reason for concern, simply because that identifier can allow a card to be tracked. “As a cardholder, I’m not comfortable knowing that someone can read my whereabouts from a distance without me knowing about it… that threat doesn’t exist with an electronic passport,” he says.

Near and far

Vanderhoof contends that the government’s decision to use the longer-range EPC Gen 2 technology in passport cards was a mistake. “The decision to trade speed over security and privacy, I think, was a poor decision on the part of the program managers under WHTI—but they repeatedly defended the decision because of the traffic flows through the land borders and the fact that they needed something that could be read from great distances,” he says.

However, Vanderhoof says EPC Gen 2 technology doesn’t actually improve traffic flow at all. “The queuing process that takes place at these border points still requires the individuals to come to a complete stop—and therefore, you’re not gaining any time by reading the card 30 feet away from them coming to a complete stop, versus coming to a complete stop and then reading the card,” he says. “So you gained nothing from a speed standpoint, and all you did was open up the possibility for these other misuses of the technology.”

Still, Paul Hunter, technical lead for the Western Hemisphere Travel Initiative at U.S. Customs and Border Protection, insists that the time savings provided by the passport cards are considerable. “We can actually read the documents as they’re approaching the booth…which means, instead of handing a document to an officer and him swiping it or manually typing in data, the data’s already there, and now he can focus on the person, and he can focus on the conveyance…it saves six to eight seconds per person,” he says.

And at a land border, Hunter says, time is of the essence. “We’re talking over 100 million crossings a year,” he says. “Those six to eight seconds actually are very significant. We’ve done time and motion studies where we’ve actually measured the time it takes to take the document, to bring it into the booth, to either manually type or swipe and then wait for the results—and if you eliminate all that, you are actually on average saving between six to eight seconds.”

Established technology

What’s more, Hunter says, the same technology has already been in use for over ten years in the government’s SENTRI and NEXUS trusted traveler programs. “And we have not had one reported incident of somebody skimming that data and using it for nefarious purposes…the reality is, it’s just a number,” he says. “And we further mitigate that by making sure the data that’s associated with that is in a secure back-end database.”

Ultimately, Michael Holly, chief of consular affairs/international affairs at the U.S. Department of State, says Chris Paget’s interception of the passport card’s data is no reason for concern. “Mr. Paget actually was doing nothing more than what we intended to have happen…the card, if powered by a reader, will give off the ID number, which is simply a pointer to the data that we share with the Department of Homeland Security,” he says.

But Paget himself, now president and CTO of the security research firm H4RDW4RE, says that ID number shouldn’t be so easily accessible. “You shouldn’t necessarily think of it as low-risk just because it’s a number,” he says. “Your social security number is just a number. Your credit card number is just a number. It’s the meaning that’s attached to those numbers that makes it risky—and in this instance, it’s an identifier for a person, so any time you see that identifier, you can be certain that you’re seeing that same person.”

One possible solution, Paget says, would be to add an on/off switch to the passport card, as has been suggested by Dr. Ann Cavoukian, Information and Privacy Commissioner for the Canadian province of Ontario. Paget says it’s simply a matter of adding “a button on the card that you have to physically squeeze to turn the tag on, at which point it can be read—so it completely negates the need for shielding…because the tag is off until you actually want it to be turned on.”

The larger point, Paget says, is that RFID needs to be approached with the same caution as the Internet—both, essentially, are simply untrusted networks that move bits of data from point a to point b. “There’s no reason why RFID cannot have equivalent security to something like SSH or SSL that we use on the Internet all the time…I’m certainly not against RFID as a technology: I think it’s got great potential, but there needs to be a lot more security involved in the design of the systems,” he says.