Just had a panel on Privacy Risks of New Passport Technologies, discussing among other things the new RFID tag the US is rolling out for passports in the coming months. The tags will contain a digitally signed copy of your photo plus all the information on your data page except the signature, and will be readable at a distance. The readers are designed to read chips about from about ten centimeters away, but the danger is that it’s possible to design devices that read the tag from longer distances. The exact distances possible aren’t clear to me, but a speaker from the ACLU demonstrated reading a passport with the type of RFID being used from three to four feet away. The State Department is now promising the passport cover will include a Faraday cage to prevent reading when the passport is closed, but that won’t help when the passport is opened.

The dangers really boil down to someone snooping or stealing one’s identity at a distance without one’s knowledge or consent:

1. Skimming: a terrorist, spy or criminal can lurk nearby a hotel or airport check-in desk and read the identities of people checking in. They can use this information to pick out victims or gather information on who gathers at a particular meeting or site.
2. Cloning: reading people’s passport info at a distance and using that information to create a copy. To be effective, you’d need to clone the passport of someone who looks like the person who will eventually use the card, since the picture can’t be changed without invalidating the digital signature.
3. Tracking: if an ID chip isn’t contained in a Faraday cage then they could be used to track people as they walk past readers distributed throughout a shopping center, neighborhood or city. This wouldn’t be possible with passports (they say), but there has been talk among policy makers to extend the RFID chip to driver’s licenses and other forms of ID.

Sounds like pretty big flaws in something in theory designed to make us safer, all of which would be solved by simply making the data only communicate through physical contact. The lone proponent on the panel was Deputy Assistant Secretary of State for Passport Services Frank Moss. I was rather unimpressed with his answers — many parts sounded like a song and dance surrounded by apologies for not really understanding the technology (and thus not being able to explain any details. However, he did answer the one main question I had: why the heck did the US push so hard for passports that could be read at a distance? His answer seems to boil down to it was cheaper and a little more flexible. Specifically:

1. Passport manufacturers said it would be cheaper to change their processes to include RFID chips than contact-requiring chips.
2. Different countries want different designs, and rather than specify a single location for a contact-point it was easier to just embed an RFID reader.

I’m sympathetic to the difficulties in standardizing over a hundred national documents, but that’s a piss-poor excuse given the potential security holes it opens up. The follow-up argument of “we were stupid when we pushed for it, but it’s too late now so tough” is equally unacceptable in my mind.

Update 4/14/05: Ed Felton at Freedom to Tinker was at the same panel and has posted his own summary. His conclusion about the reason we’re getting stuck with a contactless system are in line with my own: “In short, this looks like another flawed technology procurement program.”

After a couple days soaking in privacy issues I’m starting to break everything into a three-part chain: identification, information and actions. (Appropriately enough for this conference, these these are fairly well associated with computers, privacy and freedom respectively.)

1. Identification: ability to identify an individual person or class of person. Includes face recognition, mandatory ID cards, DNA, iris scanners, retinal scanners, thumbprint, spyware, phone-home DRM, RFID chips in your clothing and other “Things That Fink,” etc., as well as obvious things like racial profiling and having someone sign their name.
2. Information/Databases: access to information about those people or class of people. Medical, criminal, financial, your race/culture/religion, consumer preference data, where you’ve been, who you know, who you talk to, what you say…
3. Actions: what people with access to this information do. Some are good for the identified person or society (completing financial transactions, stop crime & terrorism, etc.). Many are bad, including police harassment of a particular race or religion, suppression of political dissent and travel of political activists, identity theft, scam games, red-lining, employment and insurance discrimination, price differentiation, loss of social reputation, and coercive advertising.

Many people have just a visceral negative reaction to someone knowing too much about them, but the consequences are mostly in part 3 — that’s where you get stung. That said, sometimes the best way to stop something bad happening in step 3 is to stop steps 1 or 2 from happening, and often you never even find out that you didn’t get a loan or a job due to a privacy violation.

Veronica Pinero’s presentation, Panopticism vis-a-vis criminal records, had an interesting graphic which I’ve reproduced on the right. It’s a map of all the sex offenders living within a 10-block radius of the CFP conference hotel.

The thing that strikes me is how fear-inducing this list is, both because of what it says and what it leaves out. It includes a map, showing that we’re surrounded by no less than 39 sex offenders, and gives their names, mean-looking photos, and the name of the crime they were convicted of. What it leaves out is exactly where they are (addresses only within 100 numbers) and any sort of details of the crime that might help people figure out whether they or their children are actually at risk. I expect most of these guys did horrible things (is there any way “child molestation” can be better than it sounds?). Some I have no idea about, like “indecent liberties,” or even whether “child rape” includes a 19-year-old having sex with his 17-year-old girlfriend. More importantly, I don’t have any way to tell how frightened I should be or what I should do about it. Avoid downtown? Lock myself in my house? Buy duct tape? What good is this information to us, beyond making us even more afraid than we already are?

I’ll be blogging from Computers, Freedom and Privacy 2005 the next few days, so expect a bunch of posts under the “Big Brother” category.