Friday, April 08, 2005

Coming to Your Pocket: A Terrorist Beacon?
Coming to Your Pocket: A Terrorist Beacon?

By David Coursey
What do you suppose our enemies would pay for a device capable of identifying all the Americans walking down the street in a foreign city? And why might the U.S. Department of State be making such a weapon possible?

We're talking about a plan to embed RFID (radio-frequency identification) chips into U.S. passports, which the State Department claims will help swoosh U.S. citizens through border crossings. The Washington Post says the RFID chip will include all the printed information from the passport along with an enhanced photograph of the passport holder, useful for photo recognition.

The State Department claims the RFID data will be readable only out to a distance of about four inches. It plans to begin issuing new passports using the technology to diplomats starting in August. (You have to give these people credit for eating their own dog food.)

The rest of us would get the RFID model as our current passports expire. Mine was recently renewed and is good for another 10 years. I expect the issue will be solved long before I must face it personally, but I hate to think of the danger this might pose to our diplomatic corps.

The comment period on the proposal ended Monday, with more than 1,500 comments filed, many in opposition. A decision on whether to go ahead with the new passports is due later this spring.

Critics from the travel industry and elsewhere say the RFID passports could become electronic beacons, allowing terrorists to more easily separate Americans from a group of potential victims.

"This is an inappropriate use of technology and it's dangerous," said Bill Scannell, a California publicist and former intelligence officer who created the Web site to fight the new passports, which he calls "terrorist beacons."

Scannell said he believes State Department officials "fell in love" with RFID technology when it was presented to them and only later became aware of the potential dangers of using it. He says U.S. intelligence agencies have already chosen not to use RFID in their employee ID badges, a common use for the technology in the private sector.

Click here to read more about a controversy surrounding possible use of RFID in government ID badges.

Here's the problem: To find the Americans in a crowd, a terrorist wouldn't need to "read" the information contained in the passport. If only Americans are carrying RFID passports, then all a terrorist need do is determine whether the device exists. A simple "wanding" by an RFID receiver would be enough to find the U.S. passport holders at close range.

The question—or bet, if you like to think of the world that way—is the distance at which the RFID might be detectable in the future, especially by someone with a fanatical "need-to-know."

Common sense says that if you don't actually need to read the data you can discover the device from a greater distance than if you do. How great that distance is will be the subject of a National Institute of Standards and Technology study due later this year. How the report will deal with how future technological improvements might increase that distance remains to be seen.

If this distance extends far enough, there's the possibility that hidden readers could find U.S. passport holders for other reasons besides terrorism, in other situations such as entering and leaving buildings.

A version of this is already being done with automobiles, where the "toll tags" used to pay bridge and other vehicle tools are also used for traffic monitoring. To do this, monitors are installed along freeways that record when a particular tag passes a particular place. Later, when the tag passes a monitor down the road it is possible to measure the time it took the vehicle to get from the first point to the second.

That information becomes the "drive time" estimates used by some radio, television and Internet traffic reporters.

Thinking about the RFID problem, I stumbled upon a possible solution: Lead envelopes, such as those used to protect film from X-ray devices at airports. It would be interesting to see how well a plasticized lead envelope could protect the RFID device and prevent it from working unless it was removed from the shielded pouch.

The State Department might provide these with the new passports it issues and they could be available at airport shops and other retail locations. I can't imagine these costing more than a few dollars.

Maybe the NIST will include these simple lead sleeves in its testing. I am not sure they'd work, but the concept seems sound and perhaps could make both sides happy.

Scannell didn't like my proposed "cure," saying that with all the other technology available, including bar codes and smart cards, that RFID shouldn't even be considered. I can't say that I really disagree, thought if it can't be stopped there may at least be a way to mitigate the damage.

To read more about RFID security issues, click here.

As things stand today, the concerns about the RFID plan are well-founded, just as I believe the State Department is sincerely trying to improve the quality of service it offers American citizens. The problem—and this is why I believe the State Department's plan will ultimately be shelved—is that we can't predict advances in RFID technology. Except to guess that they will be significant, including the ability to "read" cards at ever-greater distances.

Given the importance of safeguarding Americans abroad and protecting their privacy at home, I believe the State Department would be wise to adopt a different technology. In this case, Scannell is probably right: RFID would kill. Let's hope it doesn't.

originally published April 5, 2005