The Economist has an enlightening article on the new RFID/biometric passports which are on George W. Bush’s agenda for the world. This is one area where being on the bleeding edge of the technology curve really doesn’t make much sense.
The article mentions most of the major issues with remote readability, the inaccuracy of current biometric hardware, the lack of standards for biometric identification, and the interoperability of equipment from different nations.
The article clearly points out how one of the major features being pushed by the International Civil Aviation Organisation’s (ICAO) 2003 technical specification may have some very nasty unintended consequences. This may be very similar to what Bruce Schneier wrote about in his recent book, Beyond Fear.
In Beyond Fear, Schneier discusses the choices Russian drivers have made to reduce car theft, and how it didn’t always work out as expected. To prevent their cars from being stolen, the owners installed alarm systems. The alarm systems prevented the cars from being stolen. This is what you would expect. The new alarm systems also led the thieves to wait for the owners and carjack them. Carjackings are far more likely to end up with dead or injured owners. Not exactly what you’d expect.
The remote reading capability of the RFID-based passports could have very similar consequences. Imagine bombs made to detonate when enough American passports were gathered nearby. With the remote read capability of the current specification, it could become a possibility.
Before going ahead with a technologically advanced program like this, I would like to know more. Some of the questions I have are:
- How is the data initially gathered for the RFID chips, which are embedded in the passports?
- Where is the passport data stored?
- How secure is the data storage from tampering?
- How do the airport security stations access the data?
- How do you prevent unauthorized use of the data?
- Is each country responsible for its own data, and how is data verified between countries?
- What other companies, agencies, organizations would have access to the data?
- What safeguards are being taken to prevent selling the information to terrorists?
- What authentication methods are used to ensure the data entered is accurate?
We’ve recently seen how easily supposedly private data can be given to criminals. ChoicePoint is the current exemplar for poor corporate behavior as a response to a security breach. Yet, ChoicePoint and some of its various subsidiaries are Department of Homeland Security vendors.
I don’t know if ChoicePoint or any of its subsidiaries are actually involved in the development or deployment of the new passports for the United States, but given the track record of DHS and of these companies, I would rather stick with more basic, less technologically advanced security methods for now.
I would rather not trust my security to untried and untested technologies, especially with companies that have proven themselves to be unworthy of any trust possibly involved. More unintended consequences of technology can be read about here.