[LINK] Schneier: Renew Your Passport Now!

Roger Clarke Roger.Clarke at xamax.com.au
Mon Oct 16 22:49:23 AEST 2006


I scrapped my current passport last year, before the RFID-chip came 
in, and got a new one.  Why?  Because I don't know what's in the 
chip, and I don't know how the scheme works - and I have the 
professional competence to understand this technology, and I was a 
participant in the farce that the Passports Office pretended was a 
consultation process.

I write a bit, and people read it (not up to some people's scores, 
but 3.5 million hits this year presumably means something).  So I 
should have explained to people what I did, and why.  I didn't. 
Bruce Schneier has.

(I'm doubly-embarrassed, because I conscientiously object to the new, 
grossly-invasive Census, and arranged not to be anywhere on Census 
night.  But I haven't got around to writing that up either.)


http://www.schneier.com/crypto-gram-0610.html

>** *** ***** ******* *********** *************
>
>       Renew Your Passport Now!
>
>If you have a passport, now is the time to renew it -- even if it's not
>set to expire anytime soon. If you don't have a passport and think you
>might need one, now is the time to get it. In many countries, including
>the United States, passports will soon be equipped with RFID chips. And
>you don't want one of these chips in your passport.
>
>RFID stands for "radio-frequency identification." Passports with RFID
>chips store an electronic copy of the passport information: your name, a
>digitized picture, etc. And in the future, the chip might store
>fingerprints or digital visas from various countries.
>
>By itself, this is no problem. But RFID chips don't have to be plugged
>in to a reader to operate. Like the chips used for automatic toll
>collection on roads or automatic fare collection on subways, these chips
>operate via proximity. The risk to you is the possibility of
>surreptitious access: Your passport information might be read without
>your knowledge or consent by a government trying to track your
>movements, a criminal trying to steal your identity or someone just
>curious about your citizenship.
>
>At first the State Department belittled those risks, but in response to
>criticism from experts it has implemented some security features.
>Passports will come with a shielded cover, making it much harder to read
>the chip when the passport is closed. And there are now access-control
>and encryption mechanisms, making it much harder for an unauthorized
>reader to collect, understand and alter the data.
>
>Although those measures help, they don't go far enough. The shielding
>does no good when the passport is open. Travel abroad and you'll notice
>how often you have to show your passport: at hotels, banks, Internet
>cafes. Anyone intent on harvesting passport data could set up a reader
>at one of those places. And although the State Department insists that
>the chip can be read only by a reader that is inches away, the chips
>have been read from many feet away.
>
>The other security mechanisms are also vulnerable, and several security
>researchers have already discovered flaws. One found that he could
>identify individual chips via unique characteristics of the radio
>transmissions. Another successfully cloned a chip. The State Department
>called this a "meaningless stunt," pointing out that the researcher
>could not read or change the data. But the researcher spent only two
>weeks trying; the security of your passport has to be strong enough to
>last 10 years.
>
>This is perhaps the greatest risk. The security mechanisms on your
>passport chip have to last the lifetime of your passport. It is as
>ridiculous to think that passport security will remain secure for that
>long as it would be to think that you won't see another security update
>for Microsoft Windows in that time. Improvements in antenna technology
>will certainly increase the distance at which they can be read and might
>even allow unauthorized readers to penetrate the shielding.
>
>Whatever happens, if you have a passport with an RFID chip, you're
>stuck. Although popping your passport in the microwave will disable the
>chip, the shielding will cause all kinds of sparking. And although the
>United States has said that a nonworking chip will not invalidate a
>passport, it is unclear if one with a deliberately damaged chip will be
>honored.
>
>The Colorado passport office is already issuing RFID passports, and the
>State Department expects all U.S. passport offices to be doing so by the
>end of the year. Many other countries are in the process of changing
>over. So get a passport before it's too late. With your new passport you
>can wait another 10 years for an RFID passport, when the technology will
>be more mature, when we will have a better understanding of the security
>risks and when there will be other technologies we can use to cut the
>risks. You don't want to be a guinea pig on this one.
>
>This op-ed originally appeared in the Washington Post.
>http://www.washingtonpost.com/wp-dyn/content/article/2006/09/15/AR2006091500923.html
>
>Rebuttal:
>http://www.mercurynews.com/mld/mercurynews/news/opinion/15637460.htm
>
>My previous writings on RFID passports:
>http://www.schneier.com/blog/archives/2006/08/hackers_clone_r.html
>http://www.schneier.com/blog/archives/2004/10/rfid_passports.html
>http://www.schneier.com/blog/archives/2005/04/rfid_passport_s.html
>http://www.schneier.com/essay-060.html
>http://www.schneier.com/blog/archives/2005/08/rfid_passport_s_1.html
>
>
>** *** ***** ******* *********** *************
...
>** *** ***** ******* *********** *************
>
>CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
>insights, and commentaries on security: computer and otherwise.  You can
>subscribe, unsubscribe, or change your address on the Web at
><http://www.schneier.com/crypto-gram.html>.  Back issues are also
>available at that URL.
>
>Comments on CRYPTO-GRAM should be sent to schneier at counterpane.com.
>Permission to print comments is assumed unless otherwise stated.
>Comments may be edited for length and clarity.
>
>Please feel free to forward CRYPTO-GRAM, in whole or in part, to
>colleagues and friends who will find it valuable.  Permission is also
>granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
>
>CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the
>best sellers "Beyond Fear," "Secrets and Lies," and "Applied
>Cryptography," and an inventor of the Blowfish and Twofish algorithms.
>He is founder and CTO of Counterpane Internet Security Inc., and is a
>member of the Advisory Board of the Electronic Privacy Information
>Center (EPIC).  He is a frequent writer and lecturer on security topics.
>   See <http://www.schneier.com>.
>
>Counterpane is the world's leading protector of networked information -
>the inventor of outsourced security monitoring and the foremost
>authority on effective mitigation of emerging IT threats. Counterpane
>protects networks for Fortune 1000 companies and governments world-wide.
>   See <http://www.counterpane.com>.
>
>Crypto-Gram is a personal newsletter.  Opinions expressed are not
>necessarily those of Counterpane Internet Security, Inc.
>
>Copyright (c) 2006 by Bruce Schneier.

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


