RealTime IT News

ACLU Issues Warning on RFID Passports

The American Civil Liberties Union (ACLU), a non-profit organization that works to defend citizens' rights as defined by the U.S. Constitution and Bill of Rights, claims the U.S. government is rushing the rollout of insecure, RFID-enabled passports in hopes of creating a de facto global identification standard.

The organization said that government documents it obtained under the Freedom of Information Act show that the United States ignored experts' advisories on security and encryption of data to be stored on RFID chips in passports.

The ePassport initiative is a response to the Enhanced Border Security Act, which Congress passed in 2002. It requires that new passports be equipped with biometric identifiers capable of being read automatically.

The passports will adhere to a standard developed by the International Civil Aviation Organization (ICAO), which the ACLU claims is dominated by the richest countries, including the United States.

"We've seen what amounts to -- whether intentional or not -- a coherent effort to bypass a national identification card and go straight to an international identification card through this process of coming up with what they call a globally interoperable machine readable passport," said Jay Stanley, an ACLU technology expert.

The proposed RFID tags in passports will contain the usual information, including the person's name, date and place of birth, as well as a digital photo and a digital face recognition template.

RFID tags are tiny transponders that respond to radio signals from RFID readers by broadcasting information stored on their chips. Supply chain operations are using the tags to automatically track pallets and cartons of goods as they move from factory to warehouse to retail store.

However, while the tags used in the retail sector contain only a unique numeric code that must be matched to a database in order to obtain information, the proposed passport chips will contain unencrypted versions of all the information now printed on passports.

"This issue is bigger than just passports," the ACLU stated in a warning last week. "It is about the construction of a global identity card that will likely influence the creation of national identity documents and threaten to facilitate tracking and loss of privacy around the globe."

International privacy organizations say they were shut out of the ICAO standards process, and that the United States blocked efforts to encrypt and secure passport data in its desire to impose a standard that could be adopted by the poorest countries.

"It was a behind-closed-doors event," said Katherine Albrecht, executive director of CASPIAN, an organization that advocates for consumer privacy. "We privacy advocates would have liked to have some input, but the public deserves to speak on this issue, as well."

Thirty-five international organizations signed a March letter to the ICAO expressing alarm and urging it to impose restraints on the collection, processing, retention and transfer of data. It specifically asked the organization to prevent countries from building national biometric databases.

The ACLU warned that these RFID-enabled passports will let third parties skim the information. A store could gather the names and addresses of shoppers, while terrorists could single out the Americans in a group of tourists.

"We can see these passports becoming a necessity if they become regarded as the gold standard for identity and adopted by more and more private parties," said the ACLU's Stanley. "Citizens will get asked for them at every turn," just as Social Security numbers and driver's licenses in the United States are now used as identifiers by most public and commercial entities.

"This is the government compelling you to carry around something that -- even if it is encrypted -- has a unique identifier associated with it that commercial entities can exploit," said Edward Hasbrouck, a travel technology expert and travel book author.

Eliminating encryption and authentication will make RFID-enabled passports cheaper and thereby lower resistance to them from poorer countries, according to Hasbrouck. He said the documents obtained by the ACLU show a "very clear agenda of the U.S. wanting to have it quietly become a fait accompli before any debate," adding that leaving the data clear and unencrypted also facilitates government surveillance.

Hasbrouck said that the lack of encryption could have been a Faustian bargain with the travel industry to win its support, because leaving the data open makes it accessible for commercial use, including as an electronic ticket, boarding pass, frequent flyer card and preferred traveler card. The international travel industry has been working on a paperless airport initiative since 2000.

"A lot of preexisting agendas have piggybacked on the rubric of security," Hasbrouck said. "If security can be used to sell something that cuts costs for airports, they're willing to go along."

On Nov. 1 the U.S. Government Printing Office contracted with four companies to produce an initial test of RFID-enabled passport covers. It expects all passports to be shipped by the end of 2005.