There has been some comment online regarding the privacy and security risks of the forthcoming United States Biometric Passports, and the Department for Homeland Security's plans for Federal Employee Smart ID Cards, as outlined by this Wired article and the RFID Kills website.
However it should be remembered that the United Kingdom Passport Service is planning to issue very similar Biometric Passports, to the same International Civil Aviation Organisation standards for Machine Readable Travel Documents at almost the same time as the United States.
"The UKPS is planning to implement a facial recognition image biometric in the British Passport book from late 2005/early 2006."
"In line with ICAO recommendations, the UKPS will deploy contactless integrated circuit media (i.e. a computer chip) of sufficient capacity to facilitate storage of the facial image and at least one additional biometric identifier. A contactless chip includes an aerial to allow close proximity readings, i.e. without being swiped through a reader. Modern contactless chips are paper-thin and therefore particularly suited to being incorporated in passport books or passport identity cards."
Privacy International have published an analysis of the Passport Service's 5 year plan and the confusion with the controversial National Identity Register and ID Card scheme.
Astonishingly, as outlined in the recent Identity Cards Bill Second Reading debate in the House of Lords, the UK Government does not currently plan to insist on checking the Biometrics of United States passport holders, despite the wretched US-VISIT system, which the United States has unilaterally imposed on United Kingdom tourists and business travellers.
The Minister of State, Home Office (Baroness Scotland of Asthal): "Thus if the United Kingdom were not to introduce its own biometric passports, British citizens visiting the United States would first have to obtain a visa.
Lord Maclennan of Rogart: My Lords, I am extremely grateful to the noble Baroness for giving way. Is there any intention to achieve reciprocity in this respect? Do the British Government intend to make similar demands of American citizens?
Baroness Scotland of Asthal: My Lords, the British Government have not come to a view on that"
Surely border controls between two countries should be on an equal footing in terms of cost, inconvenience and delay to travellers?
"remember, the privacy activist is nowhere near as technically sophisticated as you are but can smell a universal identifier from a mile away"
RFID Contactless Biometric smartchips embedded in a United Kingdom passport will introduce exactly the same risks to personal privacy and safety as the United States RFID Biometric Passport, making us more vulnerable to criminals and terrorists than using the alternative and well understood contact smartcards, e.g. like Chip & PIN credit cards etc. We have been pointing out these sorts of risks with RFID tags, especially if they are ever used by our military armed forces, for over two years now, but only recently have some of the media started to pick up on these potential risks.
It does not matter how much more sophisticated the RFID chips in Passports can afford to be, compared with the disposable ones being touted for individual supermarket item barcode replacement tags, the privacy risks are almost the same.
Even if strong encryption is incorporated at some point in the message exchange protocol between the Passport chip and the reader device, the initial part of the handshake will be unencrypted and easily recognisable as a United Kingdom or United States passport.
Even if strong encryption is used, there is simply no way to protect against man-in-the-middle attacks by rogue passport reader equipment which an attacker has placed between a genuine Passport reader and the victim's RFID passport, which cannot communicate with the genuine Reader because of the alleged "security feature" of a restricted range for the normal operation of the RFID radio link. Since the plan is to use Industrial, Scientific and Medical band "licence free" radio frequencies, there will be lots of cheap off the shelf hardware available which can read these chips or can be modified to extend the normal working range with non-standard antennas or amplifiers.
There may be some level of protection available against such a man-in-the-middle attack at some airports and port passport control booths, in some countries, but not worldwide, and not if the Passport is demanded and checked by, for example, hotels or car hire offices.
This ability to select by Nationality or even by Individual is a very worrying prospect, as it is ideal for a terrorist bomb trigger to be activated when a sufficient number of UK or US Passports, or when a certain individual Passport (and almost certainly the holder of the Passport), is detected within its blast radius.
The UK Biometric Passport specifications still seem to be secret, but, if they follow the United States ones, then none of the information encoded on the embedded chip will be encrypted, although it will hopefully be digitally signed to reduce, but not entirely eliminate, the chance of forgery.
One obvious solution to the privacy and security risks that such RFID Passports imply is to shield the RFID antenna and prevent it from being read in secret. Metal foil will do the job nicely, as we have demonstrated with our aluminium foil lined London Transport Oyster Card wallet holder.
There are two approaches to this. One is to have the Faraday cage radio frequency shielding built into the cover of the Passport book, in which case whatever alleged time saving a "contactless" RFID chip may possibly have over a Contact chip evaporates, as people and officials have to manually open the covers sufficiently to expose the RFID chip embedded page inside the Passport to the Reader.
The second approach is to keep your passport in an external holder or outer wallet which is shielded. This might work reasonably well, given that there are usually queues in front of Passport control, where the "dead time" of queuing can absorb the fumbling to remove the RFID Passport from its shielded wallet.
Unfortunately this approach negates all the attempts to use metal detectors, Passive Millimetre Wave, Low Intensity Backscatter X-Ray, Terahertz or Ultra Wideband imagers which are meant to find possible weapons or drugs etc - your shielded Passport or wallet shows up opaque on all these systems and will lead to a massive number of false alarms.
How better to smuggle small quantities of drugs etc. or explosives than in a shielded Passport wallet?
There is some muttering from the US authorities that they might somehow use a grid of wires rather than a continuous metal shield to protect from RFID snooping, which might, in theory, if it is designed to block the RFID frequency only, overcome the "see under your clothes" or metal detector problem. This does not address the extra delay and cumbersome manual procedure of having to find the correct inside page of the RFID passport to present to the Reader device.
Many countries already optically scan or photocopy the Machine Readable page of modern passports. This resides on the inside back cover of the Passport. If built in shielding is used, then the RFID chipped page cannot be placed on this page, as it will not work - the shielding behind the RFID antenna will be enough to interfere with the induction of sufficient electric current into the RFID antenna which then powers up the contactless RFID chip.
If a Biometric SmartCard chip is to be embedded in a Passport, then it is safer, more private and more convenient from a handling point of view to use a contact system like a Chip & PIN credit card, or a completely optical system such as a 2D barcode, rather than a Contactless RFID chip.
It is obvious that this site is maintained by a pro-RFID player. You think you can come in on this side to work a few words! We know.
The Wired article
http://www.wired.com/news/privacy/0,1848,67333,00.html
has details of some of the alleged security improvements being considered for the US Biometric Passport, and presumably for the UK one as well.
"Basic Access Control" seems to be a case of "can't see the wood for the trees".
If the system is capable of Optically Scanning the most important text from a Passport page, it is a complete waste of time and effort to use this to create a cryptographic hash key in order to authenticate the Passport to the Reader, so that an encrypted channel can be established, with the ultimate aim of reading the data from the RFID chip.
In the case of US Passports, where the claim is that there will be nothing on the RFID chip which is not also printed on the Passport, this *totally undermines the need for RFID in the first place* - what is the point of reading the data Optically, so that it can be read via encrypted RFID a few seconds later?
The paper mentioned in the Wired Article,
http://eprint.iacr.org/2005/095.pdf
by Ari Juels of RSA Technologies, David Wagner, professor of computer science at the University of California at Berkeley and UC Berkeley graduate student David Molnar, also points out that the BAC "hash key" *never changes* throughout the life of the Passport, so that once it has been read by a foreign Government or a car rental firm or a hotel chain, then this unique tracking identifier can be potentially abused ad infinitum.
Even the actual encryption protocol also contains "unique identifiers" which have the same privacy implications as the much less sophisticated Wal-Mart style disposable item level RFID tags.