18-02-2011, 12:02 PM
[attachment=8776]
The Electronic Passport and the Future of Government-Issued RFID-Based dentification
Radio Frequency Identification (RFID) technology include embedding transponders in everyday things used by individuals, such as books, payment cards, and personal identification. While RFID technology has existed for decades, these new applications carry with them substantial new privacy and security risks for individuals. These risks arise due to a combination of aspects involved in these applications:
1) The transponders are permanently embedded in objects individuals commonly carry with them
2) Static data linkable to an individual is stored on these transponders
3) The objects these transponders are embedded in are used in public places where individuals have limited control over who can access data on the transponder.
In 2002, the U.S. Department of State proposed the adoption of an “electronic passport,” which embedded RFID transponders into U.S. passports for identification and document security purposes. In this project, we use the U.S. Government’s adoption process for the electronic passport as a case study for identifying the privacy and security risks that arise by embedding RFID technology in “everyday things.” We discuss the reasons why the Department of State did not adequately identify and address these privacy and security risks, even after the government’s process mandated a privacy impact assessment. We conclude with recommendations to assist government as well as industry in early identification and resolution of relevant risk.
Description:
The new applications of RFID can offer benefits, such as decreasing transaction time, they also pose new privacy and security risks for individuals which are not present with more traditional RFID applications. These risks arise out of a combination of factors. First, the transponders are permanently embedded into objects individuals commonly carry with them, making the transponder ever-present, or ubiquitous. Second, the data stored on these transponders is static and can be linked to an individual. Third, the user may be unaware of the presence of the transponder, or the transponder may not clearly signal to the user when and by whom it is being read. Fourth, the objects in which these transponders are embedded are used in public places where unauthorized entities may be able to access the data on the transponder without an individual’s knowledge due to the transponder’s remote readability and lack of signaling to the individual that any access has transpired. By keeping in view the above security concerns we are providing a novel method in which whenever an entity tries to access the data from the transponder without an individual’s knowledge an alarm is raised.
Description:
ELECTRONIC IDENTITY DOCUMENTS
The most commonly used method of establishing identity and citizenship for use in international travel is the passport. Of the numerous passports in the world, a United States passport is often considered the “holy grail” of travel documents, widely respected and accepted by virtually all nations. In 2004 nearly nine million U.S. passports were issued [2]. The U.S. Department of State, in conjunction with the Department of Homeland Security (DHS), began issuing a redesigned passport with incorporated technology to defend against misuse and fraudulent reproduction in limited numbers to U.S. citizens on August 14, 2006. Nations also often require certain visitors to apply for a visa or official authorization from the government in order to enter. Several western European nations, some south Pacific nations, Japan, and the United States participate in the Visa Waiver Program, which allows travelers from any member country to travel to another member country for up to 90 days without obtaining a visa. Established in 1986, the program aims to improve international travel by “promoting better relations with U.S. allies, eliminating unnecessary barriers to travel, stimulating the tourism industry, and permitting the Department of State to focus consular resources in other areas” [1]. VWP countries generally follow the guidance of the International Civil Aviation Organization (ICAO), an arm of the United Nations, with respect to passport design and often take part in the body’s The 9/11 attacks on the U.S. pushed national security to the forefront of American politics. As the U.S. began its invasion of Afghanistan and assault on the ruling Taliban regime, Congress and the executive branch searched for holes in the nation’s intelligence and security infrastructure. Simultaneously with its pursuit of the Patriot Act, the federal government sought both policy and technology-based solutions to the porous border issue. The Enhanced Border Security and Visa Entry Reform Act of 2002 set, among numerous other items, “technology standard and interoperability requirements respecting development and implementation of the integrated entry and exit data system and related tamper-resistant, machine-readable documents containing biometric identifiers” (including October 26,
James Sensenbrenner (R-Wisc.), House Judiciary Committee chairman, the legislation called for total compliance with ICAO standards for electronic/biometric passports by VWP countries. The law did not specify which revision of the standards needed to be complied with, Leading to some recent confusion over what requirements VWP countries needed to meet.
Numerous recent deployments of technology-based identity documents have taken place under the auspices of government agencies other than the State Department, and more are likely to occur in the near future. In fact, the lack of a government-wide standard for identity documents has
been greatly criticized. Perhaps the most notable recent deployment of identity documents was initiated by the Department of Defense and applies to all military and civilian personnel. Approved in2001, the Common Access Card (CAC) is now the main form of identification used by Defense employees, serving as the primary indicator of authority to enter U.S. military bases and allowing authorized users to access classified and unclassified computer resources. All CAC’s contain a contact IC smart chip, as compared to the contactless RFID,which stores credentials and authentication information [5]. The contact chip requires the user to remove the card and slide it into a reader in order to access the digitally signed and encrypted stored personal information. The CAC also features one-dimensional and two-dimensional barcodes for quicker access to basic, unprotected information. On the other hand, the Department of Health and Human Services and the Treasury Department are known to use RFID technology for internal access control purposes
The most common form of identification used in the United States is the state-issued driver’s license. Each state has its own design, with most currently in circulation having some embedded technology for the purpose of verification or guarding against counterfeit documents. Informalagreements exist for standardization of these identitydocuments, but no overarching standard currently exists.Table I indicates the current deployment of widely useddriver’s license technologies by specific technology. An upcoming potential technology deployment which has garnered substantial attention from politicians and privacy advocates is the implementation of the Real ID Act of 2005. Passed in May 2005 as part of an emergency supplemental appropriations bill for the ongoing war in Iraq, the law calls for interoperability of state driver’s license databases, along with a “common machine-readable technology” for all driver’s licenses issued nationwide [8]. Nothing in the law dictates what that technology will be, what it will store, or if it can be used to store biometric data. The Department of Homeland Security is charged with determining the standards for these newly revised licenses, and the law specifies 2008 as the year when the DHS-specified standards will go into effect.