RFID Cards Get Spin Treatment
By Mark Baard
As posted at Wired News
Conspiracy theorists and civil libertarians, fear not. The U.S. government will not use radio-frequency identification tags in the passports it issues to millions of Americans in the coming years.
Instead, the government will use “contactless chips.”
The distinction is part of an effort by the Department of Homeland Security and one of its RFID suppliers, Philips Semiconductors, to brand RFID tags in identification documents as “proximity chips,” “contactless chips” or “contactless integrated circuits” — anything but “RFID.”
The Homeland Security Department is playing word games to dodge the privacy debate raging over RFID tags, which will eventually replace bar-code labels on consumer goods, said privacy rights advocates this week.
An RFID tag is a microchip attached to an antenna, which transmits unique information to a reader device that can be anywhere from a few inches to several feet away. The technology, with its many names (“contactless chips” has been around for some time), is used in security access cards, E-ZPass automatic toll-paying devices and ski-lift tickets.
Computer scientists and data-encryption experts, the editors of an RFID industry journal — even the makers of the contactless chips themselves — all agree that the Homeland Security Department is using RFID technology.
But the Homeland Security Department is very carefully avoiding use of the term “RFID.” The department, along with Philips, is also backing a trade group that is branding ID documents with RFID tags as “contactless smartcards.”
“We’d prefer,” said Joseph Broghamer, Homeland Security’s director of authentication technologies, “that the terms ‘RFID,’ or even ‘RF,’ not be used at all (when referring to the RFID-tagged smartcards). Let’s get ‘RF’ out of it altogether.”
The Homeland Security Department this spring will begin issuing RFID-tagged employee ID cards (which include fingerprint records) to tens of thousands of its employees. Homeland Security’s employee ID card has “contactless” technology to speed workers’ access to secure areas, said Broghamer. He also wants to replace conventional reader devices, because their metal contacts break down after repeated use.
The department is also evaluating technology pitches from several RFID tag manufacturers, including Philips, for an RFID-tagged passport containing biometric data. The government’s plan will earn billions of dollars for the RFID suppliers while helping security officials track individuals more effectively by detecting their ID documents’ radio signals in airport terminals, or wherever reader devices are present.
The Homeland Security Department and Philips said they worry that the public will confuse the RFID tags in ID documents with those used by retailers to track consumer goods. Contactless chips, said Broghamer, are more sophisticated than retail RFID tags, because they can carry more information and can better protect sensitive personal information.
But there is another problem with the “RFID” name: Many people associate the term with radio chips “that blab personal information indiscriminately” to any reader device, said Lee Tien, senior staff attorney at the Electronic Frontier Foundation.
That is why Homeland Security is engaging in doublespeak, to dupe Americans into accepting RFID tags on their passports, said Barry Steinhardt, director of the ACLU’s Technology and Liberty Program.
“It’s a frightening, Orwellian use of the language,” said Steinhardt, referring to the “contactless” branding effort. Steinhardt called the RFID tags the Homeland Security Department is using, which have faster processors and more storage capacity than retail tags, “RFID on steroids.”
Government agents will use reader devices to track individuals wherever they use their RFID-tagged identification documents, Steinhardt and Tien said.
“They can call it a contactless chip,” said Tien, “but it is still RFID. And it shares virtually all of the same vulnerabilities.”
Identity thieves will be able to lift an RFID-tagged passport holder’s personally identifiable information with reader devices that can be purchased for less than $500, said Steinhardt.
Terrorists could also track down and kidnap Americans overseas by secretly reading their chipped passports.
“Let’s say you are in Beirut, carrying a passport with an RFID tag,” said Steinhardt. “A terrorist with a portable reader device could easily tell who is the American (in a public space).”
University of California at Berkeley assistant professor David Wagner, who researches computer security and cryptography, has reviewed engineering studies of the type of RFID tag that will be used in passports. Wagner called Steinhardt’s terrorist scenario “absolutely conceivable.”
“And,” said Wagner, “unlike an ID with a bar code or magnetic strip, you’d never know your card has been read.”
Homeland Security’s Broghamer insisted that the contactless chips for ID documents are vastly different from RFID tags used in retail supply chains, because contactless chips must be held very close to a reader device to be activated and to transmit their data.
RFID manufacturers are typically making radio tags for ID documents that comply with ISO/IEC 14443, the contactless chip industry technology standard. This standard limits transmission ranges to a distance of about 4 inches. Other RFID tags can be read at distances up to 30 feet, making them easier targets for identity thieves trying to capture their data, said Broghamer.
Broghamer would not admit to something engineers testing ISO/IEC 14443-compliant chips have demonstrated, however: that electronic eavesdroppers up to 30 feet away can capture data (including biometric records) while it is being sent by the chips to an authorized reader device.
ISO/IEC 14443-compliant chips can also be read directly over much longer distances by specially built devices, according to a Tel Aviv University study.
Broghamer seemed eager to stay on-message about the Homeland Security Department’s name for its RFID technology, despite its apparent vulnerabilities.
“I nearly fell out of my chair,” Broghamer said, when he read a Wired News report that the Homeland Security Department’s employee ID card will include an RFID tag. “I never used the term ‘RFID,’” said Broghamer, describing a presentation he made at a technology conference last month. “I only used ‘contactless chip’ or ‘proximity chip’ to describe it.”
A Philips sales executive, however, testifying last summer to the House Committee on Energy and Commerce, called contactless smartcards “RFID systems with advanced computing power, storage and strong encryption accelerators, offering advanced services with enhanced security and privacy protection.”
The Homeland Security Department’s employee ID card will use state-of-the-art authentication and encryption systems to protect the department and its employees from identity thieves and spies with unauthorized RFID tag readers, said Broghamer.
But the chips in passports will not have any of those digital security features, said Homeland Security Department spokeswoman Kimberly Weissman. “We want it to be compatible,” she said, “with as many reader devices used by other countries as possible.”