Uncle Sam's Got an RFID Jones

Uncle Sam's Got an RFID Jones: "Opinion: I don't know what to be less impressed with: the arguments for RFID in security documents or the claims that it will always be a privacy disaster.

[...]

Governments seem determined to adopt RFID in identity documents and to view it as a security device. Privacy advocates seem determined to oppose them in all cases. I think this stuff is complicated.

Now the state of Washington has come up with a plan for a voluntary pilot project of driver's licenses that integrate many security features and radio-frequency identification. One of the big goals is to fit the requirements of the federal government's Western Hemisphere Travel Initiative. You may know this as the rules recently announced that would require a passport to travel to Mexico or Canada. In fact, the rules were more complex and didn't strictly require a passport.

[...]

And then there's the RFID component, the really controversial part. I'm suspicious of the value of having RFID. If you take the security of the card seriously you have to have a person scrutinize the card and the person bearing it. RFID lets the authorities easily bring up records of who should own that card, but so could a 2-D bar code. My New Jersey driver's license has one of these bar codes on it.

Back when I wrote about the new ePassports the question seemed simpler, even if the opposition was just as hysterical. But there was a crucial difference: The ePassport has a chip that transmits all of the ID information in the passport, including the photograph. This makes it easy to conceive of privacy and other security breaches.

I quoted Kevin Ashton, the co-founder of MIT's Auto-ID Labs, which gave birth to EPCglobal, the international network for tracking items through a supply chain using RFID. EPCglobal defines a key numbering system, which is implemented in practice by VeriSign, so that items can be tracked throughout the supply chain worldwide. Readers can read the chips anywhere and use the number as a database key for lookups, or simply report it on to some database for tracking of its movements.

Ashton argued that if RFID is in passports at all, it should be implemented the way EPCglobal does it--all the chip stores is a unique code. You need to have access to the database to know anything about the holder of that code. This is what Washington has done: The only thing that the driver's license RFID transmits is a code."

(Via eWEEK Security.)