Not yet ready for prime time: RFID technology

Published 29 December 2008

RFID technology is incorporated into more and more documents (e-passports, enhanced driver’s licenses); trouble is, the technology still suffers from privacy and security vulnerabilities

Next summer, U.S. citizens will a passport to travel to Canada, Mexico, Bermuda, and the Caribbean — unless they have passport cards or one of the enhanced driver’s licenses that some states have begun to issue. Those who advocated the passport cards or enhanced driver’s license as alternatives to passports point out that these means of identification are cheaper — the passport cards cost about half as much as a full passport, and the extra cost of getting an enhanced driver’s license rather than a regular one is even lower.

Both the passport card and the enhanced licenses contain radio frequency identification (RFD) tags — which are microchips fitted with antennas. An RFID reader can query to the tag, in response to which the tag returns the data it contains (in the case of a passport card, an identification number that allows customs agents to retrieve information about the cardholder from a government database). Technology Review’s Erica Naone writes that the idea is that instant access to biographical data, a photo, and the results of terrorist and criminal background checks will help agents move people through the border efficiently.

Trouble is, RFID technology has been raising privacy concerns since it was introduced in product labels in the early 2000s. There are three problems:

  • The security of smart cards cannot be taken for granted
  • The cards do not store personal information, but the researchers concluded that even storing a unique number raises some privacy concerns.
  • Privacy is not the only issue: researchers say that unauthorized reading would threaten border security as well. If it is easy to get the identification number out of the cards, then it is relatively easy to counterfeit them by loading a stolen ID number onto a blank, off-the-shelf chip.

As long as the remaining problems are ignored, though, it’s unlikely that the technology will become good enough to protect international borders without compromising the privacy of thousands or millions of people,” Naone writes. “While new ID technology seems likely to stay, it could become a fiasco if officials don’t pay attention to the work of hackers and security researchers. These people try to expose weaknesses before they can be exploited maliciously. It’s much less painful to swallow the news from them than to wait until a problem becomes embarrassing — or devastating.”