E-Passport: Doorway to the Panopticon
Scarmig at Wolfesblog - Claire is running a five-part series about international identification this week. Strike the Root has the whole thing on one page. [claire]
Several years ago word got round that the US government was going to put an RFID chip into a passport. Privacy advocates rallied and ranted about the insecurity of the technology, the lack of standards, the foibles of technological advance, and the massive infrastructure expenses required to build a system to support an RFID passport, and pronounced the idea Dead On Arrival. Congratulations are due to those intrepid folks because their voices were heard, their concerns noted, and the International Civil Aviation Organization (ICAO) returned to the drawing board and has now issued specifications for an RFID-enabled biometric passport that focuses on the technical concerns and addresses them quite handily. The concept remains intact and is now much stronger for the technical tests it was subjected to, rather than weaker for its violations of human rights principles. I found myself with the opportunity to dig deep into the issue directly from the horse's mouth, so to speak, and if you're interested, I'll tell you all about it.
In Part I, I covered the basic premise of the e-Passport. The International Civil Aviation Organization and Interpol have collaborated to create a universally accepted and trackable passport with biometrics stored in the RFID chip embedded into the passport. Fifty million e-Passports are already in circulation, and most people don't know they have them. The US is already issuing them. Most of the EU will be issuing them next year. And by 2010, all 189 member nations will be issuing e-Passports to international travelers. In this part, we cover the biometrics in the passport, a digital photo of your face.
...
And here's the fun, fun, fun part of why facial recognition was chosen to be the biometric standard around the world. How many of you readers have had an iris scan taken? Anybody? Bueller? What about fingerprints? Okay, a few more of you. Has the government ever taken a photo of you? Maybe before you woke up to freedom? Driver's license? Old passport? Mug shot? See what I mean? It's an obvious choice when you consider the costs of enrolling the world into an iris scan. Chances are, they already have a mostly viable photograph of you on file. It is an elegant convergence of technology and opportunity. An e-Passport reader demo I viewed scanned the passport, pulled the physical image up, scanned the chip and pulled the digital image up, placed the two side by side for comparison, verified they were identical, took a picture of the person standing in front of them, used facial recognition to compare the person to the pictures, all while comparing the pictures to a watch-list database for a match. Four points of comparison keyed on one photograph, with three comparison methods engaged: visual comparison by the operator, one-to-one match against the photos on the passport, and one-to-many match against the watch-list databases.
In Part II, I covered the basics of facial recognition, the biometric piece of the e-Passport, and how the technology works and is implemented. Unless you have never had a government photo taken of you in your adult life, or are willing to alter the bone structure of your face, the technology will probably be able to match you fairly accurately. In these parts, I cover the technical details of the e-Passport itself. It gets a bit dry. I cover document security, chip technology, encryption, and data security. So if the technical readouts of this battle station are of no interest, I won't get my feelings hurt if you skip parts III and IV. Neither will the dead Bothans. Promise.
The International Standards Organization has specification 14443 for contact-less chip design for identification. The detailed technical specs of this design are available on their site for a fee, if anyone is interested. ICAO took this specification and narrowed it down to make the passport specifications universally applicable across all the member nations.
It is a radio-frequency ID chip; that's the contact-less part. Mandatory minimum data size is 32k, although 64k is recommended, and some countries are implementing even larger storage capacities for their own purposes.
ICAO has specified the LDS, or Logical Data System so that all countries will implement data on the chip the same way. The LDS consists of 16 data groups. And here they are:
...
ICAO recommends (recommends, not mandates) that e-Passports be designed with Basic Access Control (BAC) in mind. Basic Access Control is designed to prevent skimming of the passport. Skimming is what they call it when someone with a chip reader in their pocket waves it over you hoping to trigger the RFID chip and capture its data surreptitiously. BAC consists of two protections. One is that the front and back cover of the passport be lined with aluminum to shield the chip; an honest-to-goodness, official, tinfoil hat. This means that the book must be opened in order to transmit energy to the chip. The other part is the implementation of a read key consisting of the MRZ. The idea is that not only does the book have to be opened, but the Machine Readable Zone must be scanned and transmitted to the chip accurately before the chip will respond to requests. So even if your passport is open in your pocket, a skimmer wouldn't be able to send the right sequence of characters to open the chip unless they were able to accurately predict the data in your passport right down to the check digits in the MRZ. Most countries are including BAC in their passport design. Some are not.
...
Unfortunately, ICAO, being a governmental agency, seems to have a rather convenient blind spot regarding privacy. Yes, they've selected standards and recommended guidelines that help protect my passport data from you, and you from me, but nothing, absolutely nothing, addresses the fact that a few million government agents at entry-level grunt-work border and security jobs will have access to our data through one of the most potentially abusive data networks in the world. They simply assume that each and every one of us can trust each and every one of them with our absolute holistic transnational identities. And considering the security levels in place, how hard do you think it will be to prove "them" wrong if someone on the inside abuses the system?
Yeah, that's my thought too.
What is really disturbing is that ICAO openly admits that the facial recognition and watch-lists are effective on their own. In fact, they recommend that countries use negative facial recognition testing as a solution to criminal border crossings. In other words, they recommend that, in the interim, while they only have criminals and not everyone in the system yet, countries simply use the system to make sure you're not on the watch-list. This strongly suggests that, if the purpose of facial recognition is to catch criminals, the mug shots and negative testing against the watch-lists are all that is necessary. But ICAO emphatically wants everyone to move forward with positive identification of this holistic, transnational identity. All that they need is, "You are not Osama." That's all they need. But they want, specifically, to positively identify you, even if you don't remotely match anyone on a watch list. Why is that, do you think?