RFID In Government Issued ID?

RFID! writes, "The Department of Homeland Security's Data Privacy and Integrity Advisory Committee published a draft report that poured cold water on using RFID in government-mandated identity cards and documents (PDF link). But this met with some consternation among the DHS bureaus that plan to use RFID in this way and the businesses eager to sell the technology to the government, and now a vote on the report has been delayed until December."

It was only a matter of time

[PixieDust]

While I can see plenty of good, legitimate, wholesome uses for this, personally I think it opens the foor for too much. Though the same could be said of the current Bar Codes and Magnetic Stripes, they're not actually just sitting there broadcasting.

Personally I don't like the idea of RFID tags in much of anything. Too many things being tracked. When you see just how much information Corporate America has on it's customers, it makes you shudder thinking about how much the Government must have on you. It is odd, however, to note that occasionally the Industrial Espionage works better than the US Government's does.

C.f. Hollerith Cards

[Kadin2048]

RFID is a great technology in its place.

I've seen some automated warehouse and inventory-management systems that depend on RFID tags, and (if you're into this kind of stuff) they're the slickest thing you've ever seen. If your full supply chain uses tags, then there's no manual inventorying; as stuff gets unloaded from the trucks at a loading dock (by the pallet-full -- scanners can 'talk' to tens or hundreds of tags at once), it gets noted. When it gets put on a shelf, it gets noted. When an order comes in, the system knows whether it's in stock, and where's it's located. The picker (guys who pull individual items from warehouse shelves) can follow a wrist-mounted computer right to the location, and scan it as they pick it up. As orders get loaded on a truck to go out, they get scanned again at the dock doors. At every step in your supply chain, you can do this.

It's not quite a fully-automated warehouse, but it's pretty close. If you've ever worked in industry or retail, you can appreciate the beauty of such a system. All that real-time data; I won't say there's "no limit" to what you can do, because I don't want to start sounding like an ad, but there's a lot.

So really, don't blame the technology here. The gear is really good. The problem is that a lot of contractors, who want to make a few bucks from Uncle Sam, have convinced some govvies that this sort of data flow -- which is great when you're talking about cases of Rice Krispies or DVD players -- would be nice to have on all of us. The problem with "RFID" as people have come to think of it, is totally a social one. If you could somehow 'uninvent' RFID, put the genie back in the bottle, it wouldn't fix the real issue: that our government is currently obsessed with reaching down into the personal lives of individual citizens, either by accident or by design. A government which took more of an interest in privacy concerns, probably wouldn't think that embedding RFID tags in passports and drivers licenses would be a good idea. That they do, is indicative of a problem in government, not in the tags.

An apt analogy would be Hollerith card sorters and other indexing machines, in the early part of last century. They let people do all sorts of rapid data analysis and were indispensable to industry and government for countless projects. Yet they were also used by the Nazis, to greater or lesser effect depending on who you choose to believe. That a particular technology was used reprehensibly isn't necessarily a valid criticism of the technology itself; virtually anything can be perverted for ill uses.

So in short, don't blame RFID in general. It's a great technology, when used correctly, and its potential for abuse isn't any greater than similarly revolutionary systems were in their day.

Re:

[skarphace]

Though the same could be said of the current Bar Codes and Magnetic Stripes, they're not actually just sitting there broadcasting.

RFID tags do not broadcast. In fact, they are totally passive and have no power source. They react to broadcasted signals from an RFID reader and then it returns a processed signal from what it recieves.

Sorry, I explained that a little weird.

Re:

[voice_of_all_reason]

That's a silly distinction, like saying office windows don't shine -- it's the sun.

RFID's receive a signal and then spit it back out again, "casting" the signal in a "broad" manner.

Re:

[wtansill]

When you see just how much information Corporate America has on it's customers, it makes you shudder thinking about how much the Government must have on you. It is odd, however, to note that occasionally the Industrial Espionage works better than the US Government's does.

Of course now that I want to be clever I cannot find the reference, but there was a discussion about how the political parties track and segment their various constituencies. The number quoted (which I cannot verify) was that they have r

Re:

[voice_of_all_reason]

how much the Government must have on you

I love the two ways that statement can be read. Keyword: "must".

Re:

[drjzzz]

Lots? (just guessing...)
As we've seen repeatedly, the amount of information is not nearly as important as its organization. "The" government (US Federal?, state?, local? combination?) is justifiably ridiculed for its inability to organize information. Call 'em "silos" (databases) or "stovepipes" (access). The US Federal government has focused on integrating disparate information without notable success. I think this is a good thing, since their identifications of evildoers rarely withstands the tests pr

Re:

[voice_of_all_reason]

I meant it as:

Citizen: Crap! The government must have enough information to bury me!
Government: We must have this information to control the People.

stating the obvious

[frovingslosh]

They did a study to support their decision, they didn't get the result they wanted, so they are delaying the vote (can't have it now right before the election) and then will decide to do exactly what they want to do in spite of the study. Nothing to see here, business as usual, move on, don't protest or risk arrest.

Re:

[budgenator]

Oh they got the results they wanted all right

RFID is particularly useful where it can be embedded within an object, such as a shipping container. ... Miners or firefighters might be appropriately identified using RFID because speed of identification is at a premium in dangerous situations and the need to verify the connection between a card and bearer is low. But for other applications related to human beings, RFID appears to offer little benefit when compared to the consequences it brings for privacy and d

hmm

[User 956]

The Department of Homeland Security's Data Privacy and Integrity Advisory Committee published a draft report that poured cold water on RFID

That sounds like it would have shocking results.

Shocking?

[Kadin2048]

The Department of Homeland Security's Data Privacy and Integrity Advisory Committee published a draft report that poured cold water on RFID

That sounds like it would have shocking results.

Depends on whether their cold water was taken with a grain of salt...

Pwnership Society

[Doc Ruby]

So what? All the reports came back "DON'T INVADE IRAQ" and "DON'T MESS WITH TERRY SCHIAVO'S ANIMATED CORPSE" and "THE LEVEES WILL BREAK" and "FOLEY IS A CHILD MOLESTER" and...

Our Republican government is visionary. They're not distracted by polls [msn.com] or mere facts from government agencies... Republicans know government doesn't work, and they'll prove it to you every chance they get.

So welcome our Republican overlords, and their shiny new RFID IDs. Why should identity theft be limited to a few thousand wired Americans each day, when Republicans can bring us a Pwnership society?

Re:

[Doc Ruby]

Moderation -2
    50% Flamebait
    50% Offtopic

"Shut the fuck up!" is their UserID. And my post wasn't "Flamebait", it's a FLAME. This mod system is a joke.

Re:

[voice_of_all_reason]

Our Slashdot userbase is visionary. They're not distracted by explanations or mere facts from other members... Slashdotters know moderation doesn't work, and they'll prove it to you every chance they get.

!include <sarcasm.h>

[HoosierPeschke]

Boy, what will win, businesses pushing an underdeveloped technology or the sense of rights and privacy we as human beings have come to know and love.

Re:!include [OT]

[HoosierPeschke]

Replace !include with #include...

Re:

[hdparm]

Wouldn't it be quicker to just replace ! with #?

Re:

[HoosierPeschke]

Yeah, good grief 0200 in the morning is NOT good to me...

Re:

[budgenator]

I think you posted that on the wrong forum; but it was not only appropos but deep!

Here's the reason Cato doesn't like RFID

[maynard]

From Jim Harper's blog post:

RFID offers no anti-forgery or anti-tampering benefit over other digital technologies that can be used in identification cards - indeed it has greater security weaknesses than alternatives. And RFID has only negligible benefits in terms of speed and convenience because it does not assist with the comparison between the identifiers on a card and the bearer of the card. This is what takes up all the time in the process of identifying someone.

He's saying it isn't any better than other card systems, and it doesn't solve the principal security problem - that of identifying the owner. I bet, however, that if one were to somehow solve the confirmation of identity issue - such as by injecting or surgically implanting and RFID chip - he might change his mind.

I think one could argue that Mr. Harper doesn't oppose RFID as much as he finds it impotent.

Re:

[CortoMaltese]

All of the biometric passports and electronic identity cards use the same technology, namely smart cards [wikipedia.org], i.e. tamper resistant integrated circuit cards. There are contact and contactless cards, the latter of which are often referred to as RFID cards. Note that RFID smart cards have next to nothing to do with RFID tags. Smart cards have a processor, persistent and volatile memory, often cryptoprocessors and many kinds of shields for tamper resistance. Hacking them is quite difficult.

Contactless cards offe

Re:

[badfish99]

So what if the technology could have been made safe and secure? The whole problem is that it wasn't made secure, and now we're stuck with a spec for RFID passports that is reducing border security instead of increasing it.

Re:

[CortoMaltese]

Yes, it is a shame that we have a spec that allows skimming, eavesdropping and cloning of electronic passports. However, instead of bashing the technology (contactless/RFID smart cards) we should bash the application (ICAO specs).

To be pedantic, the vulnerabilities of the passports are mostly privacy and safety concerns for their individual holders. And I'm not saying that this is a minor issue. It's not. But the passports do increase border security. It is possible to clone the chip (due to protocol vuln

Re:

[enbody]

What comes to security, there are two main vulnerabilities in contactless cards: eavesdropping and accessing the card without holder's knowledge is easier than in contact cards.

Yes and no. Contactless cards get their power from the radio waves (the "R" of RFID) which provides very little power over the expected time period within range. For that reason, they cannot do much processing, e.g. good cryptography. (See http://en.wikipedia.org/wiki/Speedpass [wikipedia.org] for information about cracking RFID encryption.) Ther

Re:

[CortoMaltese]

Contactless smart cards can do just as much processing as contact cards, also in terms of cryptography (e.g. use of 2048 bit RSA keys is reasonable). The Speedpass you refer to uses a different technology, as explained in the Wikipedia article. This is the common fallacy of confusing RFID tag or transponder technology with contactless smart card technology.

Contactless (or RFID, if you prefer) smart cards are passive in the sense that they don't have a power supply. Due to the power consumption, the operat

Re:

[maynard]

You appear to have missed that I quoted from the article in question. I read it. My only point is that surgically implanting an RFID chip would appear to meet the author's requirements based upon his argument. IOW: his argument is not based on privacy policy, but that there are better technical alternatives to RFID.

Re:

[voice_of_all_reason]

That's exactly the same reason that use of biometrics for identification should raise much larger privacy concerns.

They probably asked for something so heinous so that it would draw everyone's fire. Then, when they roll out their real plan (arm barcodes) it doesn't seem so bad in comparison.

Re:

[Seth Cohn]

I won't put words into Jim's mouth, but having met him and discussed REAL ID and RFID with him, you're wrong. See his book for his own views.

Re:

[maynard]

Well that may be true. I'm going with the argument presented in his blog entry and linked within the story submission. Do you know of anything online of his that makes a more general argument in support of electronic privacy, rather than simply the efficacy of RFID security?

Re:

[Seth Cohn]

Jim was editor of Privacilla.org (now defunct, see wayback:
http://web.archive.org/web/20050306022005/http://w ww.privacilla.org/index.html [archive.org] )

It was "a web-based think tank that takes a free-market, pro-technology approach to privacy policy."

He's also author of "Identity Crisis: How Identification is Overused and Misunderstood"
Search inside it at Amazon.

Also, google is your friend... lots of stuff. Not sure exactly what you are looking for.

Re:

[JimBobJoe]

I think one could argue that Mr. Harper doesn't oppose RFID as much as he finds it impotent.

Though I've only met him once, and haven't read fully his book Identity Crisis [amazon.com] I think he is very anti-RFID but chose only to discuss the issue in the context of how well it works for that particular blog entry.

I believe him to be very pro-privacy and civil liberties, but he often chooses to argue against a system on efficacy grounds instead of invoking philosophical arguments.

If you needed another reason to clean house(s)....

[guisar]

Here it is. There's only one way to stop the madness- a clean sweep! So mark Nov 7th on your calendar and make sure to read the manual for the automated voting machine and of course, bring your ID. For your safety and convenience there's no need to stick it a slot or show it to the attendent; just pass it it by this handy reader.... We know who you are.

Re:

[voice_of_all_reason]

Hey, if you start two days early you get to use knives and fancy kar-ah-tee.

Question

[Neitokun]

Didn't the guys at Defcon read RFID from like, 60 feet away? And isn't it easy to clone RFID?

Re:

[toddhisattva]

"Didn't the guys at Defcon read RFID from like, 60 feet away? And isn't it easy to clone RFID?"

The distance you can read RFID depends on the implementation and conditions. Some are designed to be read at such distances, even when they're tracking metal or liquid products.

Some RFID is easy to clone, others are designed to be hard to clone. Easier to mimic the signal than copy the device itself, and there may be features of the signal that prohibit easy replication (beyond this guess, my knowledge of the fi

Ouch

[TubeSteak]

This report does more than just "pour cold water" on RFIDs

From the Executive Summary:

"There appear to be specific, narrowly defined situations in which RFID is appropriate for human identification. Miners or firefighters might be appropriately identified using RFID because speed of identification is at a premium in dangerous situations and the need to verify the connection between a card and bearer is low.

But for other applications related to human beings, RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security."

"no commensurate benefit for national security"
Translation: This will not protect you from the terrorists.
And really, isn't that
A) the big goal of all these changes?
B) how everyone is justifying their budget?

Re:

[steveg]

What's scary about this statement is that I can't tell if it's tongue in cheek or not.

It's not an uncommon attitude.

Re:

[HoosierPeschke]

"no commensurate benefit for national security" Translation: This will not protect you from the terrorists. And really, isn't that A) the big goal of all these changes? B) how everyone is justifying their budget?

There *is* no benefit for national security, you'd think that blatently broadcasting information for ease of identification would've been the first clue this might be bad. I'm thinking this relates to a word that starts with $.

Re:

[Neitokun]

> I'm thinking this relates to a word that starts with $. How would money effect this? There's no money to really be made, and I can't think of a special interest that would pay for RFID for any reason.

Re:

[HoosierPeschke]

The businesses that make the RFID tags would be greatly appreciative of such a government contract. They may not be major players in the political "donation" arena but it would be a huge payout if RFID tags had to accompany every document and special interest the DHS thought would require one.

That's just the tinfoil talking though =)

Re:

[BiggerIsBetter]

Why does TubeSteak hate America?

Re:

[budgenator]

This will not protect you from the terrorists. because it can be snooped, cloned will answer to anybody, can be left at home, can be traded with somebody else's. Make it cyrptographicaly secure and implanted into the body Muhahahaha ....

Re:

[DragonWriter]

Translation: This will not protect you from the terrorists. And really, isn't that A) the big goal of all these changes? No, the big goal is handouts of public money to corporate supporters of the political leadership, which is why this report didn't put an end to the whole idea.

B) how everyone is justifying their budget?

Yeah, which is why they are now taking more time to figure out a way to reconcile their justifications so they can go ahead with the handouts.

Two Thoughts

[mac_mcgrew]

1. This will probably make it through in a horribly mangled revision of the original proposal. Most likely it will take ten years to implement, will cost ten times as much as was proposed, and will be ten times less effective as a security measure than it already isn't.

2. To the conspiracy know-it-all types that are sure to flood this one, if you've ever worked in government intelligence for any length of time, you'd realize how much time you're wasting with the big brother fantasies. Google's the one to wa

Summary of TFA

[Harmonious Botch]

For those who didn't want to read it, it says that too many senators objected to being RFID'ed. Particularly Mr.Foley, who is trying to turn a new page in his life.

RFID is only a supplemental technology

[unPlugged-2.0]

As someone who works with RFID regularly the report does not surprise me.

The biggest problem with RFID is that too many industries (government included) are implementing it because it is a neat technology. In reality it is great for some things but not so good for others.

I do think that RFID will eventually be good for adding more information and for use as human id's but only with a supplementatl verification system like BioMetrics.

But even just RFID alone is in no way less secure than printing a number on your passport that uniquely identifies you. I think that your passport number is a much easier counterfeit target than a chip in your passport.

If you just clone the chip it is very unlikely that customs will only want to check your chip and not the rest of your passport or your picture.

Re:

[scoot80]

I agree with you. I've done a few electronics designs with RFID, and it has its place. I would not use it as a secure storage. We used it in an educational toy to identify different items - far from hackproof.

Re:

[mbessey]

But even just RFID alone is in no way less secure than printing a number on your passport that uniquely identifies you.

That's a really strange thing to say. Here's short list of potential security problems an RFID presents that a printed number doesn't, off the top of my head:

1. Your RFID chip can be read & potentially copied without your peremission, or even your being aware of it.
2. An RFID-enabled ID allows anyone to build an "American Detector" that's 100% reliable, and works from a distance. This i

Re:

[Anonymous Coward]

3. Someone can "invalidate" your passport remotely, by burning out the chip with high-powered RF. How do you convince the Homeland Security folks that you really DO have a valid passport, despite the fact that the "secure" chip is apparently missing?

From the State Department E-Passport FAQ (http://travel.state.gov/passport/eppt/eppt_2788.h tml)

"What will happen if my Electronic passport fails at a port-of-entry?

The chip in the passport is just one of the many security features of the new passport. If the c

Re:

[badfish99]

So, given that the chips are actually a risk to security, it would be helpful to US border security if we all just fried our passports in the microwave oven. Right?

Re:

[Vengeance]

It's not just helpful, it's our duty as citizens.

Re:

[jibjibjib]

3. Someone can "invalidate" your passport remotely, by burning out the chip with high-powered RF. How do you convince the Homeland Security folks that you really DO have a valid passport, despite the fact that the "secure" chip is apparently missing?

I doubt you ever complained that magnetic stripe cards could be erased remotely by EMP, or that your mobile phone could be fried remotely by high-powered microwaves.

Go ahead and try...

[mbessey]

I'd really like to see someone build a (portable!) device that can erase a mag-stripe card at more than a foot or so of distance. The kind of magnetic field that you'd have to generate to wipe a mag-stripe card from a distance would probably violently attract every piece of loose iron in the vicinity, as well.

As far as the phone goes, I'd be pretty peeved if someone fried it with microwaves, but there's probably at least some protection built into the phone - otherwise, walking directly by a cell tower migh

Re:

[rampant poodle]

Item 5 is seldom discussed but significant. Of course it also applies to any machine readable, "easier to use", identification document. Security personnel get used to swiping the card, hearing a "happy sound", and handing the document back. Actual comparison of the individual and the photo is cursory at best. This one is fresh in my mind as one of our techs who has moved on to bigger and better things came back for a visit. He repeatedly passed through security using his girlfriend's ID Card. (2D bar

Re:

[voice_of_all_reason]

An RFID-enabled ID allows anyone to build an "American Detector"

Would would our citizens even be travelling to other lands where this would be an issue? Do they perhaps... hate America?.

Would you use RFID prepaid cards?

[TheVelvetFlamebait]

Not strictly on topic here, but I want to pose a question. I realise that many /.ers dislike the privacy issues (as I do to), but I also like the idea of RFID-supported checkout-less shopping. Y'know, where people pick up their goods and just walk out the door, with the money charged to your account. Would you go for a RFID prepaid card that stores nothing but the account number and possibly balance? Would you trust a company who claimed something like this to store only this information, and not shopping h

Re:

[maxume]

Smart chips, combined with proper key management, give you the ability to put encrypted and signed information on a card, making it much more difficult to create/obtain a fraudulent card; you need access to the authentic keys to do so.

RFID simply makes it easier to read that information than with a contact based system. For something like a passport, which someone who uses it a lot might use twice a day, it offers basically no advantage, with the disadvantage that someone can try to talk to the card without

Re:

[enbody]

Smart chips, combined with proper key management, give you the ability to put encrypted and signed information on a card, making it much more difficult to create/obtain a fraudulent card; you need access to the authentic keys to do so.

Correct, but...
One can clone that information. You say, but then the RFID information doesn't match the non-RFID information.
Correct, but ...
In many applications that doesn't matter. For example, it would still work fine for people-less transactions such as Mobil Speedpass f

Re:

[maxume]

So what's your point? Exclusive of RFID, smart chips, used properly, make id cards better. Cloning is certainly a problem, but it doesn't make the addition of smart chips a bad idea, it is just something that needs to be accounted for in the overall process.

To be clear, my thinking is that there is no reason to use RFID in situations where security and identity are an issue, and that there are reasons not to use it. For tracking things, it's great.

The psychological issue of the 'ok beep' that you bring up i

Next, babies will be microchipped...

[AriaStar]

...before leaving the hospital. I foresee this happening in the next 20 years, if not sooner.

Yeah...

[rlazarus]

... but will they run Linux?

Re:

[scoot80]

But will that stop them from still mixing babies up? http://www.abc.net.au/news/newsitems/200610/s17719 40.htm [abc.net.au]

EMP

[splutty]

This is why you need to EMP your newborn as soon as possible, just to be sure...

Re:

[voice_of_all_reason]

Just send up a bunch of satellites that re-image the earth every few months or so.

Oh, and call me Plissken.

Re:

[KORfan]

It would help fight kidnapping and the slave trade, that's for sure. It'd help find runaways as well. Not that it's a good idea and I sure wouldn't want it, but it would help in those areas.

Er, oh

[oGMo]

OK so surely I'm not the only one who saw "RFID In Government Issued IDs?" then had my eyes skip to "poured cold water on using RFID in government-mandated identity cards and documents" and figured they discovered covert RFID tags in paper IDs by getting them wet?

Re:

[scoot80]

Why did that make me think of a wet tshirt competition.. pour cold water and magically discover nipples!

Re:

[budgenator]

how about Arnie wrapping his head in a wet towel and pulling a ping-pong ball out of his nose?

if we must... but then no exceptions

[l3v1]

I don't like this idea, as I don't like many ideas that popped up and slowly turn into reality during the last few years. But if they will introduce this, then I would demand full and total use, with no exceptions. What I mean is, no government official, no agency member, no police people, no soldiers, etc. without such IDs. And if they record, then record everything. If they want us/you followed and tracked, they also shall be followed and tracked, and more so, since they have much more power to eventually

Helping the terrorists - class act

[Anonymous Coward]

You can't but admire the serious amount of effort that is being put into helping terrorists specifically target US citizens. All they need to buy now is (increasingly cheaper) RFID readers and then design bombs that only go off if sufficiently large quantities of US passports have gathered in the proximity. Extra bonus for an extra pile of RFID enabled documents because someone carrying, say, high level Gov document must be worth extra points.

RFID's ONLY benefit over a stupid 2D barcode (which is easy to

And RFID Passports in the USA a Reality Now...

[Lord Satri]

Other RFID stories right here [slashgeo.org]. And let's not forget RFID Passports in the USA a Reality Now [slashgeo.org]:
"Following this previous story [slashgeo.org], we learn from the Washington Post RFID chips in US passports are now confirmed [washingtonpost.com]. From the article: "Passports will come with a shielded cover, making it much harder to read the chip when the passport is closed. And there are now access-control and encryption mechanisms, making it much harder for an unauthorized reader to collect, understand and alter the data. [...] The Colorado passport office is already issuing RFID passports, and the State Department expects all U.S. passport offices to be doing so by the end of the year.""

Re:

[molo]

Okay, so my wife got a new passport after changing her name. How does one go about checking to see if a new passport includes RFID? X-ray it? Then once it is identified, how can we defeat the RFID? Does throwing it in the microwave really work?

-molo

Re:

[Lord Satri]

"How does one go about checking to see if a new passport includes RFID? X-ray it?"

I guess you would 'see' the chip. They're not that small!

"Then once it is identified, how can we defeat the RFID? Does throwing it in the microwave really work?"

I don't know. But I would not mess with it. If they figure out you tried to mess with with, they'll only give you trouble...