RFID - How It Works

The Swiss government has decided that our passports, like those of a few countries before us, should store data on RFID chips, meaning the following data would be stored on the chip:

  • fingerprints
  • a digital photograph
  • all the data that’s also available in printed form (name, gender, date of birth, eye color, and so on)

All this data could then be read out via electronic readers (as pictured in the diagram to the right, labels in German).

That in and of itself isn’t necessarily evil! The current proposal concerning regulations and technology lets it be implemented in ways that make it evil though. Let me lay out why that is.

About RFID

If you haven’t heard of RFID before, it’s high time you read up on it at Wikipedia – and even if you have, there are quite a few intriguing things in there that I hadn’t read before. Short version:

An RFID tag is an object that can be applied to or incorporated into a product, animal, or person for the purpose of identification and tracking using radio waves. Some tags can be read from several meters away and beyond the line of sight of the reader.

Additionally, the RFID chip can be passive – meaning it has no energy source of its own and thus potentially lives forever. And as I’ll explain in more depth later, you can’t track who obtains information from it. There are also active RFID chips, but since the ones used in passports are passive and there are no fundamental differences beyond range between active and passive types, I’ll neglect active RFID chips for the rest of this post.

There are places where RFID chips make sense and most privacy concerns don’t apply (like race tracking, inventory systems, some kinds of animal tracking). But passports definitely aren’t one of them.

The Referendum

The referendum (a federal facultative referendum, that is) is carried by a surprisingly (in a very positive way) large number of independent political forces.

The referendum was launched because there is a vast number of unresolved issues introduced by biometric RFID passports (see below for details).

Here is the RFID referendum website

If you’re Swiss, I strongly urge you to sign it within the next 10 days, if you haven’t already, and spread it among your friends and coworkers. Time is running out: the referendum only runs until September 22nd, and apparently over 30’000 more signatures are needed. Signature sheets are available on their site.

Privacy

It is not a coincidence that the RFID chip started out, originally, as an espionage device. Its passive nature and long life make it perfect for stealth placement and readout.

Reads of the chip are not traceable, and while the chips in passports are protected by a metal mesh covering them that is meant to shield them against malicious scans, this (just like other things when it comes to RFID) doesn’t work as it should. A proof of concept presented at Black Hat 2006 showed:

The problem, according to Flexilis, is that the shielding does not fully protect the passport against remote scans. Kevin Mahaffey from Flexilis says a medium-powered scanner could detect a partially opened passport from four to six inches away. The theoretical maximum detection range is more than 10 feet, but Mahaffey said that would require a “huge amount of power.”

So, when you have such a passport, you’re trackable, identifiable, by anyone who has access to that kind of technology. Which is just about anyone who’s determined enough.

Furthermore, even “legitimate” (as per the legal text) kinds of tracking can go way beyond what we’re comfortable with. Airline companies, other companies with special permissions, your own and foreign governments, can and may track your every move. And once enough companies have your data in their databases, it’s bound to be stolen and out in the open eventually – data leaks do happen.

If you’re fortunate enough to understand German, the StopRFID pages of the FoeBuD e.V. have much more information.

Security

There is a simple fact about RFID chips that no lobbyist will openly admit:

They are not secure.

You may have heard of MythBusters. It’s a Discovery Channel series that … busts myths. Often funny, like “can you surf on a wave created by a dynamite explosion”, but also stuff like “can you hack fingerprint security systems”. They tried to do an episode on RFID, and they were shut down by the industry. Draw your own conclusions. References here: tom’s hardware, cnet news, the consumerist, all via Bruce Schneier.

“But”, I hear you say, “they’re meant to be made secure!” Well … yes. Read for yourself, in the federal Swiss decree:

The data chip is to be protected against forgery and unauthorised reading. The Federal Council determines the corresponding technical requirements.

In other words, the chip is to be protected against unauthorised readouts, and the details are left to the executive.

But there’s a problem with this: the same thing was meant to happen with the British passports’ RFID chips. And what happened? They were hacked a couple of weeks after they were released. Read the details in The Guardian:

“The reader – I bought one for £250 – has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.”

More info on TechNewsWorld. Now, this was a white hat hacker. Who says black hats would have any trouble with what he achieved in 48 hours? We already know that it’s easy to access credit card numbers like that; why should full-blown identity theft be made as easy as (too easy) credit card theft?
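The reader/chip handshake the Guardian quote describes is ICAO 9303 Basic Access Control, in which the key is derived from the machine-readable zone (document number, date of birth, expiry date). The following is an added example, not code from the post or from any passport project: it derives the BAC keys as the public specification defines them and bounds how much entropy such a key can have; the sample MRZ values are the worked example from the ICAO specification, and the field ranges passed to the entropy function are assumptions.

```python
import hashlib
import math

def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeat; digits count as themselves,
    letters A-Z as 10-35 and the filler '<' as 0; result is the weighted sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """The three MRZ fields the reader needs, each followed by its check digit."""
    fields = (doc_number, birth_yymmdd, expiry_yymmdd)
    return "".join(f + str(mrz_check_digit(f)) for f in fields)

def bac_key_seed(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]

def _odd_parity(key: bytes) -> bytes:
    """Force DES odd parity: the low bit of each byte makes its popcount odd."""
    adjusted = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        adjusted.append(b)
    return bytes(adjusted)

def bac_keys(seed: bytes):
    """(K_enc, K_mac): SHA-1(seed || 32-bit counter)[:16], parity-adjusted;
    counter 1 yields the encryption key, counter 2 the MAC key."""
    return tuple(_odd_parity(hashlib.sha1(seed + c.to_bytes(4, "big")).digest()[:16])
                 for c in (1, 2))

def bac_key_entropy_bits(birth_days: int, expiry_days: int, doc_numbers: int) -> float:
    """Upper bound on the effective key entropy given the ranges an outsider can assume
    for the three fields (assumed inputs): the 112-bit 3DES key is only as strong as
    the product of those guesses, which is the weakness the post is pointing at."""
    return math.log2(birth_days * expiry_days * doc_numbers)
```

With a date of birth known to within 100 years, an expiry date within 10 years and a million plausible document numbers, the bound comes out under 47 bits, far below the nominal 112-bit key length.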

Teleology

As we know, the main reason for adding those RFID chips in the first place is that the US wants everybody to do so. In their Enhanced Border Security and Visa Reform Act of 2002, we find:

Additionally, by October 26, 2004, in order for a country to remain eligible for participation in the visa waiver program its government must certify that it has a program to issue to its nationals machine-readable passports that are tamper-resistant and which incorporate biometric and authentication identifiers that satisfy the standards of the International Civil Aviation Organization (ICAO).

Why is it, then, that the US government wants everybody to use those RFID chips in the first place? Bruce Schneier, yet again, has a brilliant take:

The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.

Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can’t be done.

This, of course, is speculation. I haven’t seen another reasonable explanation to date, though.

The fun thing is that the US government keeps pursuing that course, even though large independent bodies like the Smart Card Alliance (which actually represents RFID vendors, among others, and thus has an economic interest in RFID chips being used) warn them of privacy and security dangers. If you have the stamina, you might want to read this extensive report from May 2006.

The future

Maybe some time in the future, the technology will be where it needs to be in order to make a private, secure chip that makes international travel easy without exposing its users to unnecessary risks. The proposed RFID chips certainly aren’t that technology.

Of course, even when we eventually do have the technology, other things like better tolerance and education would be more effective in preventing terrorism. But that’s an entirely different discussion.