As airports employ Radio Frequency Identification (RFID) technologies, concerns about privacy rights will rise. However, RFID can enhance airline security and border security, among several other applications. The technology is becoming very popular and its use is likely to increase.
RFID has been explored in three past WAR Reports in 2006, each covering a different type of security: beta testing of RFID passports, airport baggage tracking using RFID, and securing government facilities using biometrics. The technology is being employed in major security applications.
In June, the Department of Homeland Security Office of the Inspector General released a redacted report stating that the US VISIT program needed enhanced security controls for its use of RFID technology (source). Recommendations included, but were not limited to, password protection policies, remediation of software vulnerabilities, and development of a strong policy and procedure both to prevent counterfeiting or cloning and to protect personal information.
Rollout
This week brought another major RFID rollout, this time in US passports. The Department of State took a step forward in strengthening border security and facilitating travel with the issuance of the first e-passports to the American public on August 14. E-passports incorporate the latest technology, including a contactless computer chip in the rear cover of the passport that contains the same biographic data found on the passport’s data page. The completely redesigned e-passport employs a multi-layered approach to protect the privacy of the information and the security of this valuable document (source). The chip stores all the information contained in conventional passports and can be scanned by electronic chip readers. The information held on the chip is the same as that on the first page of a traditional passport: name, date of birth, gender, place of birth, date of issuance and expiration, passport number, and image.
A spokesman for the Department of State says that “metallic anti-skimming material” in the front cover and spine of the book prevents information from being read from a distance when the book is fully closed. The new passport also deploys a cryptographic technique called “Basic Access Control,” whereby the RFID chip reveals its contents only after a reader has authenticated itself as being authorized to receive information.
Although RFID-enabled e-passports are 14 percent more expensive than their predecessors, the Department of State claims they carry added security benefits and offer advantages such as speedier processing.
Not Everyone Loves E-Passports
The rollout sparked a controversy among privacy advocates. CompEx Inc. created a video for the Transportation Security Agency (TSA) that illustrated how passengers can be tracked throughout the airport terminal without their knowledge or consent. A clip shows a citizen remotely identified and tracked by RFID devices from the time he enters the airport and as he navigates to his gate. The video goes on to show a government agent surreptitiously monitoring a man and his belongings as he waits for his flight. Many viewers found the video disturbing and saw in it a future Orwellian airport experience.
CompEx Inc. President Aram Kovach, who developed the film as a demo for the TSA, received a US Patent for what he calls “Method for Tracking and Processing Passengers and their Transported Articles” in November 2005. According to company press releases, TSA officials entertained his ideas twice, once in 2002 and again in 2003, and “offered to direct CompEx in pursuing a segmented objective within the guidelines they have set forth.”
Further, the new passports are vulnerable to hacking and cloning by criminals. Two weeks ago, at the Black Hat security conference in Las Vegas, German researcher Lukas Grunwald showed how easily a criminal or terrorist could clone RFID tags like those in US passports using inexpensive and readily available hardware.
Conclusion
The application of RFID can work, and it can speed up the check-in and security processes. However, the implementation must include tight policies to protect the sensitive data. It will be difficult to assure privacy advocates that personal rights will not be violated, but when it comes to the safety and security of US soil, this is not an issue on which every side can win.