The Associated Press reports on the privacy and security problems that can come from embedding radio frequency identification (RFID) technology (which transmits data wirelessly from a chip or tag to a reader) into identification cards. It discusses the video made by Chris Paget, a hacker who was able to remotely scan “passport cards” and “enhanced driver’s licenses,” gather their ID information, and clone them.
Paget used cheap, off-the-shelf technology, “a Matrics antenna and a Motorola reader he’d bought on eBay for $190” in order to “read the identity cards of strangers, wirelessly, without ever leaving his car.” “Within an hour, he’d ‘skimmed’ the identifiers of four more of the new, microchipped PASS cards from a distance of 20 feet.”
Paget’s experiment comes as governments are increasingly using wireless RFID technology in identification documents. Read my previous post about academic researchers who detailed (pdf) security and privacy vulnerabilities in the federal government’s “passport cards” and “enhanced driver’s licenses,” which the federal government deploys in conjunction with some state motor vehicle departments.
In testimony to the House Committee on Homeland Security in February, Homeland Security Secretary Janet Napolitano supported the use of RFID in ID cards, calling such a system in San Diego “a good example of better technology leading to greater capability.” However, the Department of Homeland Security’s own Data Privacy and Integrity Advisory Committee and the Government Accountability Office have both cautioned against (pdf) using RFID in identification documents. The privacy committee has urged (pdf) that long-range RFID only be used in ID documents if RFID is the “least intrusive means,” because there are significant privacy and security drawbacks.
DHS Privacy Chief Mary Ellen Callahan says “the purpose of using RFID is not to identify people.” The purpose is “to verify that the identification document holds valid information about you,” she says, according to the Associated Press.
Likewise, U.S. border agents are “pinging” databases only to confirm that licenses aren’t counterfeited. “They’re not pulling up your speeding tickets,” she says, or looking at personal information beyond what is on a passport. […]
Such assurances don’t persuade those who liken RFID-embedded documents to barcodes with antennas and contend they create risks to privacy that far outweigh the technology’s heralded benefits. They warn it will actually enable identity thieves, stalkers and other criminals to commit “contactless” crimes against victims who won’t immediately know they’ve been violated.
Some states have laws that would protect such data. For example, Washington state has a law to prevent “skimming” (unauthorized gathering of data from RFID tags); however:
There are no federal laws against the surreptitious skimming of Americans’ RFID numbers, so it won’t be long before people seek to profit from this, says Bruce Schneier, an author and chief security officer at BT, the British telecommunications operator.
Data brokers that compile computer dossiers on millions of individuals from public records, credit applications and other sources “will certainly maintain databases of RFID numbers and associated people,” he says. “They’d do a disservice to their stockholders if they didn’t.”