Too easy to identify

The nation's new electronic passports may be more vulnerable to privacy breaches than government officials originally claimed.

State Department officials last month said the computer chips on the passports, if unprotected, could transmit personal data wirelessly to an unauthorized reader at a distance of up to two feet -- six times farther than they initially asserted.

To better protect privacy, the department is adding new security features to the new passports, including a metal shield covering the chips, said Frank Moss, deputy assistant secretary for passport services at the State Department. The agency also is considering encryption.

"I'm not going to start rolling this out until we've answered the privacy concerns," Moss told Washington Technology.

The episode is just one of the recent outcries about potential loss of privacy from the chip technology, referred to as both radio frequency identification and "contactless chip," used in identity documents. Industry analysts see burgeoning applications worldwide as many countries look to add the chips to passports and government identification documents as a security measure.

If the privacy controversies continue, however, it could mean the technology may not be ready for homeland security uses as quickly as supporters hope.

NO CHIPS IN CALIFORNIA

For example, the California Senate approved legislation May 18 to outlaw radio frequency tags on all identity documents issued by state and local agencies. Specifically, it would prohibit any "contactless integrated circuit or other device that uses radio waves to broadcast personal information or to enable personal information to be scanned remotely."

That bill, if it becomes law, could have a far-reaching impact on the RFID and contactless chip industries, especially if it is emulated around the nation.

In addition, the Government Accountability Office last month said RFID usage by government agencies raises "key privacy concerns" about the confidentiality and security of the data. Twenty-four federal agencies are using RFID in some form, mostly in logistics, but only one agency reported it is considering the legal issues related to data privacy, according to the May 27 GAO report.

RFID has a solid foundation in commercial applications such as supply-chain management and goods tracking, and is expected to grow to a $2 billion market this year, according to Marketstrat Inc., a market research firm in Fremont, Calif.

Federal government use of RFID is likely to double to $112 million in fiscal 2009, up from $51 million in 2004, according to a January report from Input Inc., a research firm in Reston, Va. But those figures reflect a limited definition of RFID that does not include the federal market for contactless chip identity documents.

Both RFID and contactless chips use radio waves, but the contactless chips are considered more sophisticated and have more capabilities.

The potential government market for the chips could be huge. Already under way or under consideration is the U.S. passport program, European and Asian passport programs, and government employee identification programs in the United States and around the world. The Agriculture Department also is considering the radio frequency chips for livestock tracking.

Industry executives acknowledge that the State Department and California controversies may hurt the industry's prospects, but they said many privacy concerns arise primarily from confusion about what the chip technology is and how it can be used.

"There is a lot of confusion and misinformation about RFID," said Bert Moore, a spokesman for the Association for Automatic Identification and Mobility Global, a trade association representing ID card technology makers.

For example, proponents contend that encryption, physical barriers or coverings that prevent the radio waves from being transmitted, and other security protections can address privacy concerns when the radio frequency chips are used on identity documents.

"If you look at this as a technology that's relatively new, especially with high-profile applications such as identity cards and financial cards, there is a need for education," said V.C. Kumar, business director of contactless commerce for Texas Instruments Inc.

The technology has some strong supporters. Former Homeland Security Department Secretary Tom Ridge in April joined the board of radio frequency identification contractor Savi Technology Inc. Less than a week later, he spoke at an industry event in Chicago touting RFID as a way to help protect Americans from terrorism.

The State Department is adding security measures to the electronic passport after privacy advocates pointed to risks of identity theft and unauthorized release of data, and the department's own tests validated some of those risks.

The fear is that a criminal or terrorist could use a reader from several feet away to get personal information from Americans, making them vulnerable to identity theft or other harm.

While the State Department initially dismissed those concerns, insisting that the chips could be read only at a distance of four inches or so, officials in recent weeks have revised that view.

State Department testing has shown that the computer chips on the passports can be read wirelessly at distances of up to 24 inches, and even theoretically as far as 40 inches in unusual cases of reader equipment with extremely high wattage, said the State Department's Moss.

"It would be like pointing a microwave oven at someone," Moss said of the 40-inch distance. However, the two-foot reading was "feasible," he said.

RFID and contactless-chip industry members and privacy advocates will be invited to the department's laboratory in Colorado this summer to review the results of the testing, Moss said. No date has been set.

Moss said he hopes to finish the tests by late June and to debut the electronic passports in late summer or early fall, although "it's probably inevitable we might have some schedule slippage."

CONTROL ISSUES

The department has added new controls to address privacy worries, including a physical barrier made of metal that covers the chip when the passport is closed. The State Department is examining additional measures such as Basic Access Control, which involves encryption of the data communication to the reader, Moss said.

The department also is coordinating with the Homeland Security Department's plans for encryption of the readers to prevent inadvertent data leakage.

Despite such protections, Jack Riepe, spokesman for the Association of Corporate Travel Executives, said a substantial portion of the trade group's members are dissatisfied with radio frequency chips and its risks in official travel documents.

"Our members are not mollified," Riepe said. "We've had a groundswell on this."

The battle over privacy is being openly fought in California, where RFID and contactless chip companies are urging the State Assembly not to adopt the ban on such technologies in identity documents.

The Northern California chapter of the American Civil Liberties Union, one of the prohibition's strongest supporters, believes chips and devices using radio frequencies are unsafe for sensitive identity documents at this stage of development.

"This technology is designed for enabling surreptitious access," said Nicole Ozer, technology and civil liberties policy director for the chapter. With the rapid pace of technological change and the prevalence of cybercrimes, it is likely that hackers and criminals will soon learn how to defeat safety protections that exist for wireless chips, she said.

But Randy Vanderhoof, executive director of the Smart Card Alliance ? a non-profit group promoting smart cards, which contain computer chips, including contactless chips, used for multiple purposes for identification and payments -- considers the California legislation "a misguided approach."

"We are an industry that advocates appropriate security," Vanderhoof said, but California's proposed ban is far too broad and "would throw out the baby with the bath water."

Staff Writer Alice Lipowicz can be reached at alipowicz@postnewsweektech.com.