RFID-enabled official IDs raise privacy fears

Published 16 July 2009

More and more government documents which U.S. citizens are now required to present at border crossings and entry points — e-passports, electronic PASS cards, enhanced driver’s licenses — are equipped with RFID tags so they can easily be scanned by readers; trouble is, they can be scanned through a pocket, backpack, or purse from thirty feet, opening the door for a digital identity pickpocketing

Chris Paget cruised the streets of San Francisco in his Volvo, which he has outfitted with a Matrics antenna and a Motorola reader he bought on eBay for $190. He goal: to read the identity cards of strangers, wirelessly, without ever leaving his car. San Francisco Chronicle’s Todd Lewan writes that it took Paget twenty minutes to do it. Zipping past Fisherman’s Wharf, his scanner downloaded to his laptop the unique serial numbers of two pedestrians’ electronic U.S. passport cards embedded with RFID tags. Within an hour, he would skim four more of the new, microchipped PASS cards from a distance of twenty feet.

More and more governments around the world are promoting the chipping of identity documents as a twenty-first century application of technology that will help speed border crossings, safeguard credentials against counterfeiters, and keep terrorists from sneaking into the country. Paget’s February experiment demonstrated something privacy advocates had feared for years: That RFID, coupled with other technologies, could make people trackable without their knowledge.

Paget filmed his heist, and soon his video went viral on the Web, intensifying a debate over a push by the U.S. government, federal and state, to put tracking technologies in identity documents and over their potential to erode privacy.

Putting a traceable RFID in every pocket has the potential to make everybody a blip on someone’s radar screen, critics say, and to redefine Orwellian government snooping for the digital age.

Some are already calling it Little Brother, — even though elements of the global surveillance Web they warn against exist only on drawing boards, neither available nor approved for use.

Lewan writes that with advances in tracking technologies coming at an ever-faster rate, critics say that it will not be long before governments could be able to identify and track anyone in real time, 24/7, from a cafe in Paris to the shores of California.

On 1 June, for example, it became mandatory for Americans entering the United States by land or sea from Canada, Mexico, Bermuda, and the Caribbean to present identity documents embedded with RFID tags, though conventional passports remain valid until they expire (this is the Western Hemisphere Travel Initiative, of WHTI).

Among new options are the chipped e-passport, and the new, electronic PASS card — the size of a credit, with the bearer’s digital photograph and a chip that can be scanned through a pocket, backpack, or purse from thirty feet.

Alternatively, travelers can use enhanced driver’s licenses embedded with RFID tags now being issued in some border states: Washington, Vermont, Michigan, and New York. Texas and Arizona have entered into agreements with the federal government to offer chipped licenses, and DHS has recommended expansion to non-border states. Kansas and Florida officials have received briefings on the licenses, agency records show.

The purpose of using RFID is not to identify people, says Mary Ellen Callahan, the chief privacy officer at DHS, but “to verify that the identification document holds valid information about you.”

An RFID document that doubles as a U.S. travel credential “only makes it easier to pull the right record fast enough, to make sure that the border flows, and is operational” — even though a 2005 Government Accountability Office (GAO) report found that government RFID readers often failed to detect travelers’ tags.

Critics warn that RFID-tagged identities will enable identity thieves and other criminals to commit crimes against victims who won’t immediately know they’ve been violated.

For now, chipped PASS cards and enhanced driver’s licenses are not in wide use in the United States. To date, roughly 192,000 licenses have been issued in Washington, Vermont, Michigan and New York. As more Americans carry them, long-range tracking of people on a large scale will rise, says Paget, an Internet security consultant.