E-Passport: Doorway to the Panopticon
November 21, 2006

panopticon - a circular prison with cells distributed around a central surveillance station; proposed by Jeremy Bentham in 1791 (www.thefreedictionary.com)

Part I
Several years ago word got round that the

First, the players:

ICAO – International Civil Aviation Organization. This is, for lack of a better reference, the United Nations Air Travel Overlord. It is a multi-national, transnational organization that sets the standards and rules by which international flights are conducted. One of their top mission priorities is to regulate border crossings by airplane. As such, they have taken on the task of developing the standards which all nations will adhere to when sending or receiving international passengers on flights across their respective borders. This scope has been expanded to the entire design of specifications for passports worldwide.

Interpol – International Criminal Police Organization. If you weren’t aware, this is an international police force that focuses on crimes that cross borders, specifically terrorism, human trafficking, and smuggling, among others. They have been very busy bees, setting up the I-24/7 global network of databases which governments and police agencies are using to track criminals internationally.

IATA – International Aviation Travel Association. A trade alliance of airlines that regulates everything from what seats will be available on a plane to the price-fixing rules airlines must adhere to when selling you a ticket. In our story, they are one of the victims, though I would hardly call this enemy of my enemy a friend. They are desperate to get in on the whole scheme in order to get their piece of the power-pie and feel more than a little snubbed that they weren’t invited to the party earlier.

ISO – International Standards Organization. If you’re into computers, you’ve heard this acronym thrown around. This is the organization that decides technical specifications for all technologies. If you’ve ever heard the term, “ISO standard,” this is who they are talking about. In this case, they set the base standards of the RFID chip that is being embedded into passports.

Our story actually starts some 30 years ago, when ICAO first recommended that passports have a Machine Readable Zone (MRZ) at the bottom of the data page.
Probably 90% of today’s passports have this, and it’s not a big deal, really. It’s just a way for a scanner to read the same data on the front of the passport and push it into a computer screen with a wee bit of check-digits to verify on. But it set the stage for the universalization of the passport internationally.

Today, ICAO has revealed its mandated specifications for the new generation of passports. But why does ICAO feel the need for a new passport? Their justifications are quite simple and obvious.

1. Terrorism
2. International Crime
3. Holistic Transnational Identity Integrity

Holista-what?
Yeah, that’s the one they snuck in there and it’s a fun, fun
phrase. Holistic,
as in broadly viewed, all encompassing, well-rounded.
Transnational as in
global, not limited to national borders.
Identity integrity, as
in verifying that you really are who someone thinks you should be. If
you’re worried about National Id or Real Id, baby, you got another
thing coming. So
what they want, right there, is the ability to identify any traveler by
any number of means, from any angle, in any country, with as much
absolute certainty as can be had; and
not a negative identification, as in, “Whoever you are, you’re not
Osama.” But positive identification, “You are not Osama.
You are Joe Paxer.” Positive
identification, worldwide, at any time, by all governments, even ones
that won’t claim you. But
there are obvious problems with trying to identify all the traveling
citizens of all the governments in all the countries in the world.
All these governments have different databases, some don’t have
any databases of the citizens at all, and if they do, they are in
different formats with different purposes and different abilities.
The logistics of trying to interconnect 189 governments’
databases quickly escalates well beyond the realm of “nightmare”
into some kind of Lovecraftian singularity of technological horror.

Enter Interpol, stage right. The I-24/7 network constructed by Interpol is more than just a network. It is in its third year of operation and they’ve got the bugs worked out. There are several databases behind the I-24/7 network, to which 189 countries including the United States belong and are connected. I’ll just list a few:

· NCB – a database of criminal data currently containing the information on over 170,000 international criminals, including their biometric data such as fingerprints, iris scans, and photographs.
· SLTD – a database tracking lost and stolen passports around the globe. Countries that have blank passports stolen can register them here, and whenever they pop up again, Interpol can track them.
· DNA – a database of individuals, not necessarily criminal that I’m aware of, that contains DNA records. Thirty-six nations currently routinely submit DNA records to this database. Yup, a global DNA database.
· ICAID – International Child Abuse Image Database. Images of abused children are stored here for the purposes of identifying them and prosecuting their tormentors.

Interestingly, all governments are connected to these databases, except Somalia. Of all the countries, the U.S. is the least connected. It has Interpol stations at only two entry points in the US--the border of Mexico and Texas, and in

But
Interpol is more than just an international police force or a police
networking agency. They have
the ability to request that an identity (remember, you aren’t a
person, you are a holistic, transnational identity) be denied
international travel by simply making the request to the UN.
That request is propagated out to the member countries, who are
obliged to comply and detain whoever matches that identity they can find
and turn them over to Interpol. So
Interpol and the UN are in bed together, and ICAO is a branch of the UN
responsible for determining passport specifications.
A passport that is universally similar can be universally added
to a single database, even if that passport contains biometrics, and
Interpol has a global network of databases already in operation.
Nice convergence, don’t you think? Now,
this is no conspiracy. None
of this is secret stuff and Interpol really is interested in catching
criminals and beating up child molesters and ICAO really is interested
in giving people better methods to guarantee they are who they say they
are. There is no “We’re gonna get the peasants now!” mentality.
The problem is not insidious intent, but typical scope creep and
a basic assumption that differs from those of us in the freedom
movement. That
scope creep is nothing more than, “Let’s try this one more thing,”
over and over again. And the
assumption is, quite simply, that we, the peasants, can and should trust
them and all of their actions implicitly.
There are lots of discussions on privacy of the passport holders,
but always privacy between me and you.
Not once do they mention privacy from
the government or the police forces.
It simply doesn’t enter their minds.
The concept is as alien as a revolution without dancing. This
is not to excuse any of their actions.
On the contrary, pointing out that they do not have evil
intentions only emphasizes what the road to hell is actually paved with.
And let there be no mistake, this road is indeed paved.
Not planned, not under discussion, paved.
It’s a done deal. The
e-Passport specification is law. You
never got to vote on it. There
were no legislators to petition. No
letters to write. No
recourse other than a newspaper, if they would even bother with such dry
material. ICAO is not an
elected organization, and they developed their mandate with only the
input they specifically sought. They
are not beholden to whatever government claims you, rather that
government is beholden to them. That
is why I called them a transnational organization, as their authority
exceeds the nations that are a part of it. So
while we were complaining about Real ID, and National ID, and Piggly-Wiggly
Grocery store cards, ICAO simply took the entire debate out of the
public view and made it happen. E-Passports,
passports with an embedded RFID chip are here and they are here to stay.
As of the end of 2006, 16 nations including the Today,
right now, as you are reading this, there are already more than 50
million e-Passports in circulation, and most people who have them
don’t even know it. It
seems that ICAO wanted to avoid the much maligned “RFID” stigma, so
they dropped it from open discussion, changed the name, and the entire
thing slipped beneath the radar. So
much so that, when they had a trial run of the technology at LAX, folks
carrying e-Passports didn’t get into the express e-Passport lines,
because they didn’t know what they were carrying, or what the symbol
on their passport meant. ICAO
has since tasked their PR department to promote and educate the public
on their e-Passports.
If you want a non-chipped passport, you’d better get it now. 2010 may seem like a long way off, but the countries that struggle to meet that deadline are the same ones that struggle for things like food and water. Germany has already fully implemented the e-Passport. Most of the European Union members are geared up for it as we speak and will have it in 2007. As I mentioned earlier, the US is already issuing them. Every day that passes increases your chances of getting a chip in your passport. And
even if you do get one without a chip, all you’ve done is buy some
time. Many of the countries
are scaling back the validity of their passports to five years instead of
the more common ten. What
this means is that by 2020, every legal international traveler will have
an e-Passport, as all the non-chipped passports in the world will have
expired by then. Many
travelers will have had three passport issuances or renewals by then, one
every five years. The
e-Passport is here and it’s here to stay. Doesn’t
bother you? You don’t
travel internationally? Pay
attention. Interpol and ICAO
both have openly stated that e-Passport is the first step, not the last.
Airports are a convergence of security issues as you have people,
property, airplanes, airports, and national and international borders
all sardined into little aluminum tubes on air.
Of course that’s the priority.
Of course air travel is
the focus today. But the
specification for biometrics and the RFID chip structure has been
specifically designed to be suitable for use in all travel documents,
National IDs, and social service IDs.
Indeed, the passport specification itself allows the issuing
country flexibility to include any additional functionality they want,
including additional biometrics, cross references to social service
records such as Social Security, or even allowing the bearer to add in
his loyalty shopping cards and bank accounts, if the country allows it.
All of it tied directly to your biometric data and uploaded to
national and international databases for tracking.
Fully implemented, the ICAO specification could be used to secure
identity not only at airports, but land and water borders, concerts,
sports events, critical infrastructure and industry, and even your local
shopping mall. Cameras
recording your every public move are passé, last year’s news.
The problem with camera recordings is that there aren’t enough
people to watch them. And
that brings us to the brilliantly logical and effective piece of the
ICAO specifications for biometric RFID passports, facial recognition
biometrics. Stay tuned!
In
Part I, I covered the basic premise of the e-Passport.
The International Civil Aviation Organization and Interpol have
collaborated to create a universally accepted and trackable passport
with biometrics stored in the RFID chip embedded into the passport.
Fifty million e-Passports are already in circulation, and most
people don’t know they have them.

The Facial Recognition

Two
years ago the community was up in arms over the idea that a chip in a
passport would contain an iris pattern or a retina pattern or even a DNA
pattern for anyone to scan. And
then that faded out and it appeared to be scaled back to a simple
digital version of the photograph of the bearer stored in it.
And that is exactly true. Doesn’t
seem insidious at all, really. But
there are reasons, very good reasons, why there is a photo instead of a
fingerprint or an iris scan in the chip data.
And that’s because your face is
a biometric. Not only is it
a biometric, it is the
universal biometric standard of the human race.
Every day you yourself use facial recognition to identify people.
You don’t need a computer, special training or even working
eyeballs (ask a blind person to identify you by touch). Facial
recognition technology has quietly matured to the point where software
can scan live video feeds in real-time, find faces in the video stream,
capture them, and match them against photographs in databases in merely
a few seconds. I was shown a
demonstration where software was real-time scanning and matching
multiple people walking across a lobby.
A large LCD display showed the video stream with little red boxes
zooming in on heads, freezing good frames whenever the software detected
a face turned towards the camera, and a second computer monitor was
matching up to six faces simultaneously to a database of photographs.
I matched someone in their test database at 54%.
A low match, for certain, but if the tolerance is turned up to
80%, agents have a reliable method of determining if you look close
enough to a wanted person to be stopped for questioning. The
company doing this demonstration told me they recently implemented the
system at the 2006 US Open Golf Tournament, where their camera scanned
crowds and incoming fans’ faces and matched them against criminal
watch lists. They had
probable matches on 23 people, and ended up refusing entry to three of
them. Their
software is production worthy, not a beta-test or a concept or a trial
run. Write them a check, and
they’ll plug it in for you wherever you like.
They even had some great suggestions for capturing close up
images for even better profiling, such as hiding cameras at eye level
behind seductive advertising. Even
a quick glance up to the boobs in your face gets your head framed
perfectly for capture and matching to the photographic databases. No
problem, you say. You’ll
just grow a beard and get a tan. Sorry,
but superficial facial features are given superficial weight.
The key features facial recognition uses are written in bone
structures. Good luck
changing the size of your eye sockets, the distance between your eyes,
the width of your head, or the corners of your mouth without having your
skull smashed by a Freightliner first.
I suspect your best bet at foiling these cameras requires
stealing an idea from Claire Wolfe’s book, Rebelfire: Out of the Gray Zone, and starting a fashion trend in
wide-brimmed floppy hats.
Of course, when you enter a place where you are presumed to volunteer your face for biometric examination, you will be required to remove hats and facial coverings (except prescription eyeglasses, as the software compensates for those). So a wide-brimmed, floppy hat will be great at the basketball game, but won’t do you any good checking in for your flight, bus, or train. And
this is established technology. What’s
next? Since facial
recognition works by plotting distances between key features, such as
the center of the eyes, it is merely an application of formula to take
those measurements into three dimensions, thus allowing for facial
recognition software to compensate for distance, rotation, and tilt of
the head. That’s right,
3-D facial recognition is on the very near horizon.
There are some sweaty little programmers working on it right now. And
here’s the fun, fun, fun part of why facial recognition was chosen to
be the biometric standard around the world.
How many of you readers have had an iris scan taken?
Anybody? Bueller?
What about fingerprints? Okay,
a few more of you. Has the
government ever taken a photo of you?
Maybe before you woke up to freedom?
Driver’s license? Old
passport? Mug shot?
See what I mean? It’s
an obvious choice when you consider the costs of enrolling the world
into an iris scan. Chances
are, they already have a mostly viable photograph of you on file.
It is an elegant convergence of technology and opportunity.
An e-Passport reader demo I viewed scanned the passport, pulled
the physical image up, scanned the chip and pulled the digital image up,
placed the two side by side for comparison, verified they were
identical, took a picture of the person standing in front of them, used
facial recognition to compare the person to the pictures, all while
comparing the pictures to a watch-list database for a match.
Four points of comparison keyed on one photograph, with three
comparison methods engaged: visual
comparison by the operator, one-to-one match against the photos on the
passport, and one-to-many match against the watch-list databases. You
could already be “enrolled” into the international comparison
databases by your government without having to volunteer your biometric
data. There are companies
who have facial recognition software specialized to finding matches from
imperfect mug shots and old photographs.
The vast majority of populations have had their picture taken and
those photos are on file, or will be soon.
Now, the folks doing the matching definitely want higher quality
source photos, so they want to recapture everyone’s picture as best as
they can, but that merely improves the quality of the result. Not
getting your picture ever taken again doesn’t foil the system.
The idea is to have a computer simply flag an operator, “Hey
I got an 80% match on this fella, check and make sure for me,” and
the operator can do that final 20% analysis on your face visually,
without special training in fingerprints or iris scans.
The computers and the software are used to discount the 80 or 90%
negative matches they expect so the operators can visually verify more
people in less time. Additionally,
the biometrics stored in the e-Passport is generic.
It’s not a formula of your facial characteristics, because ICAO
did not want to limit the specification to any particular technology or
proprietary format. It’s a
simple digital image, like any of the billions found on the internet
today. Store the image, and
use whatever the latest, greatest software package is available to
process it. This means that
if a software application is compromised, the country can simply replace
it without having to reissue passports or recapture photos.
However, this does leave room for discrepancy and inconsistent
results between countries as they employ different vendors or different
facial recognition algorithms to process and recognize e-Passport
photographs. With
today’s technology, a decent source photo such as a passport or
driver’s license photo has a 95% success rate to match the subject,
regardless of any superficial facial features.
Ninety-five percent. It’s
going to get more effective with time.

Part III

In
Part II, I covered the basics of facial recognition, the biometric piece
of the e-Passport, and how the technology works and is implemented.
Unless you have never had a government photo taken of you in your
adult life, or are willing to alter the bone structure of your face, the
technology will probably be able to match you fairly accurately.
In these parts, I cover the technical details of the e-Passport
itself. It gets a bit dry.
I cover document security, chip technology, encryption, and data
security. So if the
technical readouts of this battle station are of no interest, I won’t
get my feelings hurt if you skip parts III and IV.
Neither will the dead Bothans.
Promise.

The Passport

The passport specifications as developed by ICAO are meant, quite simply, to create the most secure document in the world.
No small undertaking, and quite a distant goal to meet, but
that’s the goal, and they’ve made some effective decisions to try and
reach it. Now,
anyone who has studied security in any depth probably realizes that
nothing is secure. Security
is a measure of how expensive it is to thwart the security measures.
Previously, thwarting passport security was a fairly cheap
endeavor. My current
passport is a simple printed booklet with a paper photo laminated into
the inside cover. I could
probably create one with a decent photo copier, some scissors, and a
laminating machine. But the
new passport specs are designed to be more difficult to forge, tamper
with, or steal than ever before. It
will be easier to counterfeit money than to counterfeit a passport.

The physical e-Passport.

There are three threats to the security of the e-Passport: forgeries, falsifications, and illegal issuance.
Forgeries involve the complete creation of a false passport.
Falsifications take an existing legally issued passport and
change the data on it. And
illegal issuance is to convince the government to actually issue a legal
passport to someone they didn’t want to, or to steal blank passports
and issue them fraudulently. The
substrate of the passport, or the paper, is highly recommended to
include several features that you’ll probably recognize from all the
Monopoly™ money floating around the globe nowadays.
UV reactive paper lights up all special and pretty under an
ultraviolet lamp. Dual-tone
watermarks are difficult for all but the top-end photocopiers to
duplicate. Chemical
reactions like those special pens they use to check a $20 can be built
into the paper. Fluorescent
fibers, colored flecks, and plastic threads are all options to make it
difficult to reproduce legitimate looking passport paper.
The
printing on the passport is also subject to a wide variety of security
methods. These include
background art and text, often in rainbow colored print.
There can be UV printing that is invisible to the naked eye but
shows up clearly under the same UV lamp.
Micro printing and printed watermarks are also included.
In addition, today’s printing techniques allow all of the above
to be personalized to the passport. So
there could be the bearer’s name micro-printed or UV-printed into the
paper. Or perhaps the
background art includes a UV version of the photograph.
Personalization makes it impossible to get a generic template for
the printer to run off a bunch of legitimate looking passports, because
each one must be customized. And
printing the data for the passport is not printing on
the paper, but into the paper,
laminate, or plastic. The
result is that an ink-jet printed passport actually has ink injected
into the substrate. You
can’t scrape the ink off without damaging the paper, and the paper
changes color and shows tampering very easily.
Laser engraving into the laminate offers the same challenges,
particularly when that laser engraving is personalized.
And
of course, there are the neat-looking OVDs, or Optical Variable Devices
such as holograms and foil printing.
Previously we’ve seen OVDs on credit cards where they are a
generic template. But on the
passport, the OVDs can also be personalized, commonly to be either a
hologram of the photo or even the entire visual passport.
Another twist on this is using lasers to print refractive OVDs
into the laminate of the data page.
Obviously this all requires some very specialized equipment.
Not so obviously, the equipment isn’t very big, and would fit
fully assembled onto an average sized dinner table.
Obviously these measures make forging or altering a passport much more expensive and difficult than previously. And that leads us to the weakest link in the chain, by ICAO’s own admission, fraudulent issuance of a real passport. As
in all automated systems, and all security systems, and indeed, all
systems anywhere and everywhere, human beings can be both the strongest
or weakest links in the chain. In order to secure against the fraudulent
issue of legitimate passports, governments are encouraged to greatly
tighten their issuance security at every point.
From the ordering and storage of passport materials to the
printing process to the application processing agents, they need to
maximize security. They are
also encouraged to make multiple people responsible for the approval of
a passport so that anyone wanting to bribe their way into a fraudulent
passport must bribe two or three or five people instead of just one. Additionally,
governments are encouraged to track all passports from cradle to grave,
including spoiled and blank passports.
Interpol’s I-24/7 Stolen and Lost Passport database will track
any and all non-valid passports and is already in operation catching
criminals with false passports today.
And the passport itself is protected against unauthorized
issuance by the RFID chip embedded within it.
And that, in turn, leads us to the digital technology.

Part IV

Part III covered the physical design and security of the e-Passport. In Part IV, I cover the RFID chip, the logical data system, and the digital security features. More technical read-outs. No wamp-rats.

ISO 14443 Contact-less Integrated Chip

The
International Standards Organization has specification 14443 for
contact-less chip design for identification.
The detailed technical specs of this design are available on
their site for a fee, if anyone is interested.
ICAO took this specification and narrowed it down to make the
passport specifications universally applicable across all the member
nations. It
is a radio-frequency ID chip, that’s the contact-less part.
Mandatory minimum data size is 32K, although 64K is recommended,
and some countries are implementing even larger storage capacities for
their own purposes.

ICAO has specified the LDS, or Logical Data System so that all countries will implement data on the chip the same way. The LDS consists of 16 data groups. And here they are:

1. MRZ – the same data that is in the Machine Readable Zone visible on the passport. Mandatory.
2. Facial image sample – this is the mandatory digital photograph sample to be used for facial recognition. Usually about 20K in size. Conforms to ISO image standard SC37.
3. Fingerprint image sample – Optional storage for fingerprint biometrics, should the issuing country choose to include it. Also ISO SC37 standard.
4. Iris image sample – Optional storage for iris biometrics, should the issuing country choose to include it. Also ISO SC37 standard.
5. Secondary facial image storage – Optional storage of a second image. This is for profile images, angled images much like the multiple angles taken for mug shots. Not SC37 standard as this will be country-specific (think National ID images).
6. Reserved.
7. Signature image storage – Optional image of the bearer’s signature.
8. Substrate security features – Optional. This tells a chip reader what security measures to look for in the paper.
9. Data structure security features – Optional. This tells a chip reader what security measures to look for in the data structure.
10. Data security features – Optional. This tells a chip reader what security measures to look for in the data itself.
11. Additional personal details – Optional name, alias, address, or document numbers. This is stored in national characters (whereas the rest of the document is stored in the Latin alphabet). This means that Arabic language names or Kanji could be reproduced accurately in the native alphabet and length here.
12. Additional details about the document – Issuing agency, issue date, image of the document, observations, and amendments. Also in national alphabet instead of Latin.
13. Optional data field – Anything the country wants to put here.
14. Reserved.
15. Active Authentication Public Key (in the future, this will be used to verify an authorized reader is attempting to access the chip).
16. Emergency contact information – People to contact in case of emergency and their contact information.

In addition, there are six Secure Object Data fields that are stored in the protected memory of the chip. This is where the hash values and private keys for the encryption are stored.

So
as you can see, there’s quite a bit of potential in these chips.
Lots of room for governments to add what they want, and many of
them are taking advantage of it. Germany
is using the fingerprint field and the optional fields to tie their
e-Passport to their National ID. Other
governments will use them to tie into social service accounts and
records. We can probably
expect that someone will tie it into medical records.

But how is this chip authenticated and secured? So glad you asked.

Hashes, Encryption and Keys, Oh My!

The
data on a passport includes a hash value of the data in the MRZ (Machine Readable Zone).
What is a hash value? Pretty
simple concept. A hash takes
a string of characters and performs a calculation on them to get the
hash value. For example, if
we say each letter of the alphabet’s numeric value is its position, A
= 1, B = 2, C = 3, and we have a hash formula of +4, then the hash value
of “ABD” = 568, because A (1) + 4 = 5, B (2) + 4 = 6, and D (4) + 4 = 8.
Usually hash formulas are far more complicated than that, but
that’s the idea. So
the passport contains the data, plus the hash value of the data.
If you want to verify that the data hasn’t been changed, you
take the data, perform the hash calculation on it, and check and see if
it is the same as the hash value stored on the passport.
So in our example, if the hash value presented is 568, but the
data on the passport is ABC, when we apply +4 to ABC we get 567 as a
result, which is different than 568, and we know the data has been
changed. Of course, the key to this, is keeping the hash formula a
secret. If the formula gets
out, a counterfeiter could alter the data, apply the formula, and then
alter the hash value to match the forged data. So
the next step is to secure the hash value.
This is done by encrypting the hash value with a 2048 bit
encryption scheme. If
you’re familiar with PGP, this stuff is the same.
The hash is encrypted with a 2048 bit private key, which can only
be unlocked using the appropriate public key.
So when a government issues a passport, it calculates the hash
value, and then encrypts it with its ultra-secure private key.
That private key is recorded in the
inaccessible-to-all-but-itself private memory of the chip (any hackers
feel their Spidey-sense tingling?). When
a reader wants to validate a passport, it looks at the data on the
passport and applies the hash calculation.
Then it takes the country’s public key and uses it to try and
open the encrypted hash value stored in the passport.
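
The tamper check this section describes, as an added example (not code from the original article): first the article's own "+4" toy hash stored unprotected beside the data, then the same check with the hash signed by the issuer. SHA-256, the small constructed keys, unpadded RSA, the sample data and all function names are assumptions made for illustration.

```python
import hashlib

# Scheme 1: the article's toy hash stored beside the data, with no signature.
def toy_hash(text):
    """A=1, B=2, ...; add 4 to each letter value and concatenate the results."""
    return "".join(str(ord(ch) - ord("A") + 1 + 4) for ch in text)

def bare_check(data, stored_hash):
    """Reader recomputes the hash and compares it with the stored one."""
    return toy_hash(data) == stored_hash

# Scheme 2: the issuer signs the hash with a private key.
# Constructed toy keys (assumption): products of Mersenne primes, far smaller
# than the 2048-bit keys the article mentions, and unpadded "textbook" RSA.
E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Return (modulus, private exponent) for the primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

ISSUER_N, ISSUER_D = make_key(2**61 - 1, 2**89 - 1)     # stands in for a country key
FORGER_N, FORGER_D = make_key(2**107 - 1, 2**127 - 1)   # a key the issuer never published

def digest(data, modulus):
    """SHA-256 of the data, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def sign(data, n, d):
    """Private-key operation: only the holder of d can produce this value."""
    return pow(digest(data, n), d, n)

def reader_verify(data, signature, issuer_n=ISSUER_N):
    """Reader recovers the signed hash with the issuer's public key (issuer_n, E)
    and compares it with the hash it computes from the data it was shown."""
    return pow(signature, E, issuer_n) == digest(data, issuer_n)

def run_demo():
    results = {}

    # Unprotected hash: a change is caught only while the stored hash is left alone.
    stored = toy_hash("ABD")
    results["bare_genuine"] = bare_check("ABD", stored)
    results["bare_data_changed"] = bare_check("ABC", stored)
    # Anyone who knows the formula rewrites data and hash together and passes.
    results["bare_data_and_hash_changed"] = bare_check("ABC", toy_hash("ABC"))

    # Signed hash, over a constructed MRZ-like string (sample data, not a real document).
    genuine = b"P<UTOPAXER<<JOE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
    altered = genuine.replace(b"PAXER", b"OTHER")
    signature = sign(genuine, ISSUER_N, ISSUER_D)
    results["signed_genuine"] = reader_verify(genuine, signature)
    # Altered data with the original signature: the recomputed hash no longer matches.
    results["signed_data_changed"] = reader_verify(altered, signature)
    # Altered data re-signed with a different private key: fails against the issuer's public key.
    results["signed_resigned_with_other_key"] = reader_verify(
        altered, sign(altered, FORGER_N, FORGER_D))
    return results

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the unprotected scheme accepts the rewritten data; both altered cases are rejected once the hash is signed, because the reader checks against the issuer's published key.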
The chip matches the public key presented by the reader to the
private key stored in secured memory and if they match, decrypts the
hash value. The reader then
compares the two hash values to see if they match.

So who secures the public keys? I am utterly ecstatic that you asked.

The
public keys are shared among the issuing countries and to ICAO in what
is called the Public Key Directory (PKD).
This is a wide open directory of keys and anyone can download all
the keys. Anyone.
You, me, Joe Blow. This
is because the keys are used to authenticate the data on the passport,
not provide privacy protection. Did
you get that? The
idea is that anyone who needs to validate your passport can download
these keys and use them to check that the passport was authentically
issued and that the visible and machine readable data matches the data
stored on the chip. What’s
to keep someone from using the public keys to reverse engineer the
private keys and make their stolen passports authenticate?
Fantastic question. My
giblets quiver with joy. The
ICAO PKD also keeps the Country Certificate Authority, which validates
that the public keys are still valid.
The recommendation is that each key be used for 90 days or a
couple hundred thousand passports. When
using a public key to decrypt a passport, the software should validate
the key is still usable with ICAO. If
the key is compromised, the validation fails and the software notifies
the operator that the passport may be compromised as well.
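The check described above, sketched as an added example (not code from ICAO or from this article): the issuer signs the hash, the reader opens it with the published key and also asks whether that key is still valid. The key pair is a toy built from two Mersenne primes, and the key id, directory layout and sample data are constructed for illustration.

```python
import hashlib

# Toy issuer key, constructed for this example from the Mersenne primes
# 2**521-1 and 2**607-1. Real keys use random primes and padded signatures.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public half, as a directory would list it
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, never published

def digest(data: bytes) -> int:
    """Hash the passport data and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(data: bytes) -> int:
    """Issuer: 'encrypt' the hash value with the private key."""
    return pow(digest(data), D, N)

def check(data: bytes, signed_hash: int, key_id: str, directory: dict) -> str:
    """Reader: fetch the public key, open the signed hash, compare hashes."""
    entry = directory.get(key_id)
    if entry is None:
        return "unknown key"
    n, e, still_valid = entry
    if pow(signed_hash, e, n) != digest(data):
        return "data does not match signed hash"
    return "ok" if still_valid else "key withdrawn: refer to operator"

# Constructed sample data; "XX-0001" is a hypothetical key id.
GENUINE = b"DOE<<JANE born 690806 expires 940623"
FORGED = GENUINE.replace(b"JANE", b"JOHN")
SIGNED = issue(GENUINE)
LIVE = {"XX-0001": (N, E, True)}
WITHDRAWN = {"XX-0001": (N, E, False)}

def demo() -> dict:
    # A counterfeiter can recompute the hash of altered data, but without
    # the private key the stored value will not open to that hash.
    recomputed = digest(FORGED)
    return {
        "genuine": check(GENUINE, SIGNED, "XX-0001", LIVE),
        "altered data": check(FORGED, SIGNED, "XX-0001", LIVE),
        "altered data and hash": check(FORGED, recomputed, "XX-0001", LIVE),
        "key withdrawn": check(GENUINE, SIGNED, "XX-0001", WITHDRAWN),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the one the text goes on to describe: the data and the signed hash are both genuine, yet the holder is still flagged because the key itself has been withdrawn.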
Yes, this means that if someone hacks a public key, several
hundred thousand people will get pulled aside when they try to use their
passports for extra special questioning.

So who secures the Country Certificates?

Lots of men with lots of guns, knives, and sharp, pointy sticks.
You knew it would come to that.
It always does.

So what about privacy, now that I’ve brought it up?

Privacy
was one of the biggest complaints about RFID-enabled passports brought
to bear by critics. And
while the solution is not perfect, it does appear to satisfy at least
some of the complaints. ICAO
recommends (recommends, not mandates) that e-Passports be designed with
Basic Access Control (BAC) in mind.
Basic Access Control is designed to prevent skimming of the
passport. Skimming is what
they call it when someone with a chip reader in their pocket waves it
over you hoping to trigger the RFID chip and capture its data
surreptitiously.

BAC
consists of two protections. One
is that the front and back cover of the passport be lined with aluminum
to shield the chip; an honest-to-goodness, official, tinfoil hat.
This means that the book must be opened in order to transmit
energy to the chip. The
other part is the implementation of a read key consisting of the MRZ.
The idea is that not only does the book have to be opened, but
the Machine Readable Zone must be scanned and transmitted to the chip
accurately before the chip will respond to requests.
So even if your passport is open in your pocket, a skimmer
wouldn’t be able to send the right sequence of characters to open the
chip except if they were able to accurately predict the data in your
passport right down to the check digits in the MRZ.
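How the MRZ acts as the read key, as an added example (not code from this article): the check-digit rule and the key derivation follow ICAO Doc 9303, which goes beyond what the text above spells out, and the field values are the specimen values from that document's worked example. The function names are my own.

```python
import hashlib

def char_value(c: str) -> int:
    """MRZ character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if "0" <= c <= "9":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"not an MRZ character: {c!r}")

def check_digit(field: str) -> str:
    """Weighted sum with repeating weights 7, 3, 1, taken modulo 10."""
    total = sum(char_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field))
    return str(total % 10)

def key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """First 16 bytes of SHA-1 over the three fields, each with its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    info = "".join(f + check_digit(f) for f in fields)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]

def derive_key(seed: bytes, counter: int) -> bytes:
    """SHA-1(seed || counter)[:16], DES odd parity set; 1 = encryption, 2 = MAC."""
    raw = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()[:16]
    return bytes((b & 0xFE) | ((bin(b >> 1).count("1") + 1) % 2) for b in raw)

def reader_keys(doc_number: str, birth: str, expiry: str) -> tuple:
    """The two keys a reader computes after scanning the MRZ."""
    seed = key_seed(doc_number, birth, expiry)
    return derive_key(seed, 1), derive_key(seed, 2)

# Specimen values: document number, birth date and expiry date (YYMMDD).
DOC, BIRTH, EXPIRY = "L898902C", "690806", "940623"

if __name__ == "__main__":
    print("check digits:", check_digit("L898902C<"), check_digit(BIRTH), check_digit(EXPIRY))
    k_enc, k_mac = reader_keys(DOC, BIRTH, EXPIRY)
    print("K_enc:", k_enc.hex(), "K_mac:", k_mac.hex())
    # One misread character in the expiry date gives unrelated keys.
    print("misread:", reader_keys(DOC, BIRTH, "940628")[0].hex())
```

The key is a pure function of three printed fields, so it keeps out a reader that has never seen the data page and nothing more.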
Most countries are including BAC in their passport design.
Some are not.

The
other threat to privacy that ICAO acknowledges is the threat of
eavesdropping, this being where, while a legitimate authority (boy, do I
hate that phrase) is reading your passport’s chip, someone with a
hidden reader nearby is also receiving the transmission.
Unfortunately, the recommendation to protect against this threat
is a little weaker and consists of, “Make sure you buy passport readers that are shielded from eavesdropping”,
thus putting you and me at the mercy of government competence and
forethought. You can sense
my confidence all the way over there, can’t you.

Unfortunately,
ICAO, being a governmental agency, seems to have a rather convenient
blind spot regarding privacy. Yes,
they’ve selected standards and recommended guidelines that help
protect my passport data from you, and you from me, but nothing,
absolutely nothing, addresses the fact that a few million government
agents at entry-level grunt-work border and security jobs will have
access to our data through one of the most potentially abusive data
networks in the world. They
simply assume that each and every one of us can trust each and every one
of them with our absolute holistic transnational identities.
And considering the security levels in place, how hard do you
think it will be to prove “them” wrong if someone on the inside abuses
the system?

Yeah, that’s my thought too.

Part V

Part III and IV covered the details of the e-Passport, including the security
measures of the physical book and the digital design of the chip.
In this concluding part, I speculate, postulate, and theorize on
where it’s all going and what we can do about it.
You might want to have a drink handy.
No, not that drink, a real
drink.

The Crystal Ball

This is the fun part. Speculation, rhetoric, paranoia. Love it,
love it, love it.

All of this will be implemented from two directions. Scratch that, is
being implemented from two directions. From one direction you will get
the “justified” version: International arrivals on flights and border
control. From the other side you’ll get security around social events
and infrastructure. How ubiquitous is the corporate ID badge? It’ll get
there too, eventually.

On
the travel side you will soon see e-Passport readers on Customs
agents’ desks. That’s
guaranteed. Also guaranteed
within the next two or three years is that you will see kiosks to
check-in for flights where you put your e-Passport into the slot and it
automatically takes your picture, validates, and prints your boarding
pass. Most likely, your
boarding pass will include your biometric data as well, so that you
don’t give it away before you board the plane, you naughty, naughty
boy.

IATA,
the International Air Travel Association, AKA, the Airline Cartel, is
miffed with this whole development, because they were never invited to
the party. Airlines are seen
as the first line of defense against international

And
where it’s implemented internationally, it’s only a hop and skip and
reach-around to require it domestically, although this might be harder
in the

Almost
all major sports events and social gatherings will soon have real-time
cameras scanning faces and matching against criminal databases.
It’s been field tested and it works.
The Olympics, the US Open, the Super Bowl have all had successful
facial recognition profiling systems in operation in the past two years.

What
is really disturbing is that ICAO openly admits that the facial
recognition and watch-lists are effective on their own. In fact,
they recommend that countries use negative facial recognition testing as
a solution to criminal border crossings.
In other words, they recommend that, in the interim, while they
only have criminals and not everyone
in the system yet, countries simply use the system to make sure you’re
not on the watch-list. This
strongly suggests that, if the purpose of facial recognition is to catch
criminals, the mug shots and negative testing against the watch-lists
are all that is necessary.
But ICAO emphatically wants everyone to move forward with
positive identification of this holistic, transnational identity.
All that they need is, “You are not Osama.”
That’s all they need. But
they want, specifically, to positively identify you, even if you don’t
remotely match anyone on a watch list.
Why is that, do you think?

Non-digital
databases of mug shots will eventually be digitized and added to the
global databases. Political
rights activists may be able to slow down the adding of driver’s
license and other state-created photo IDs, but eventually, I bet it
happens.

The
technology needs some improvements (speed), but it’s only a road bump
to facial recognition on the highways.
On the plus side, this might reduce the number of minor traffic
stops to fish for criminals, as the cameras will simply notify the cops
which cars to chase when they get a near match.
Joe American will love it because he gets surveilled more but
probably hassled less, and that’s just cool with him.
But that assumes your normal traffic stop is actually to fish for
criminals and not just a revenue generator. (Was that a collective sigh
I heard?)

In fact, so far, everyone I’ve discussed this with seems to love the
idea of just scanning their passport and walking onto a plane. The
efficiency it provides far, far outweighs any concerns they have over
privacy or tracking, even when they are the ones to mention “Big
Brother” first. Apparently Big Brother is just fine and the hash result
of 2 + 2 is five.

What can you do?

To
be honest, I’m not sure. They’ve
covered many of the bases. There
is no public recourse for this, it’s a done deal.
There’s no one to punish, these aren’t elected officials.
Anyone who needs or wants a passport that doesn’t reflect their
day-to-day identity better already have their alias identity well
established. That is
the weakest point in the system. Somehow,
they have to get those initial biometrics and identities matched up.
That’s the opportunity, and you get only one shot at it.
Did I mention that one of the checks they do when issuing an
e-Passport is to validate that no other e-Passport has been issued with
matching biometrics? No
double-issuance here. Even
if you get your assumed identity set up with an e-Passport, you’ll
only be able to travel under that identity.
It will become your holistic, transnational identity, even if
it’s not the name your kids call you.
Your false identity could easily eclipse the validity of your
real identity, and I can only guess at the kind of craziness that could
generate. I can just see a
bevy of private individuals with successfully false e-Passports on the
day the e-Passport and the national driver’s licenses are married
together with the bank records and IRS tax rolls and the same biometric
shows up on three identities and trips several dozen alarms across a
thousand government and corporate databases while they fill up the
tractor at the bio-diesel station that just installed a networked photo
camera to comply with their insurance policy.

For myself? I came in late to the game, and my state has had digital
photos on driver’s licenses for years. I can only assume I’m already
compromised. So I’m going to try and stay away from airports and buy a
big, floppy, sexy hat.

Scarmig has been active in libertarian, anarchist, and atheist movements since 1999. He is married with children living somewhere in the Texas Hill Country, and is also a moderator in the Strike The Root forum.