Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.

Browsing Posts in RFID

While doing some research on another story, I came across the US government’s website for the new electronic passports’ FAQ.  Although factually accurate, many of the government’s answers led me to more questions and I decided to delve deeper into how my privacy will be affected under the new electronic passport system.

The very first question in the FAQ explains what an electronic passport is, but it fails to explain the details in order for a person to fully understand it.

An Electronic Passport is the same as a traditional passport with the addition of a small integrated circuit (or “chip”) embedded in the back cover.  The chip will store the same data visually displayed on the data page of the passport, a biometric identifier in the form of a digital image of the passport photograph, which will facilitate the use of face recognition technology at ports-of-entry, the unique chip identification number and a digital signature to protect the stored data from alteration.

While the second question in the FAQ attempts to clarify the answer to the first question, it still does not explain that the integrated chip is an RFID chip, nor does explain why this information is necessary in the first place.  The chip is storing the same data that is visible.  The customs agent is still going to have to look at the picture to verify if it is really you.  This does not matter if the customs agent looks at the actual photo on the passport or scans the chip to see the photo on a computer.  Visual verification is still needed.

The new passports will use photo recognition as a biometric, though other forms, such as fingerprints and iris scans, can be added later.  These will still need to be verified at each port of entry, which will still create lines.

Also in the FAQ are questions concerning security.

The special features of an Electronic Passport are:

  • Securely stored biographical information and digital image that are identical to the information that is visually displayed in the passport; and
  • Contactless chip technology that allows the information stored in an Electronic Passport to be read by special chip readers at a close distance.
  • Uses digital signature technology to verify the authenticity of the data stored on the chip.  This technology is commonly used in credit cards and other secure documents using integrated circuits or chips.

As mentioned before, securely stored information on the passport does not ensure that others cannot access your passport.  It is merely a digital copy of what’s printed inside the passport.  The chip itself, can, and has, been read from distances, leaving your passport open to cloning.  A digital signature is included for verification of authenticity, however, if your passport is cloned, the digital signature does little to prevent identity theft.

The FAQ continues to proclaim the ease of travel by asserting that the electronic passport will facilitate travel by “Automated identity verification; Faster immigration inspections; and Greater border protection and security.”

As I have outlined above, faster immigration inspections do not seem likely since there still has to be visual confirmation that the passport being checked belongs to the person carrying it.  If you want faster immigration inspections, you need to simply swipe and move on.  That is less secure and, is also the most likely road we are headed down.  The new electronic passports will automatically identify the passport but, if the customs agent does not actually look at the photo to see the person, then there is no way that it will provide greater protection and security.

The FAQ claims that the new passports are a good security measure by stating that the reason electronic passports have been issued is because Congress passed a law forcing countries who participate in the Visa Waiver Program to have these types of passports.  Most of these countries did not want this type of technology in their passports and, when forced by the United States, they reciprocated by telling the United States that it has to do the same.  No one, except the United States, wanted this type of passport.

While discussing the Electronic Passport logo, it is unclear whether there will be two separate lines for those entering the United States.  Will those who do not have the new passports be forced into one line, while those with the chip be put in another?  One must also consider the fact that the first US passports issued with the new chips was in August 2006, making it highly likely that there will be a disparity among Americans until 2016 when the last of the old passports finally expire.

A new caveat of the electronic passports is that they cannot be amended.  If you change your name, which often happens when women get married, you must obtain a new passport.  Under the old passport system, you mailed official proof of your name change with your passport and the passport agency would amend it and mail the documents back to you, free of charge.  The new system will require you to return your passport as well and it is only free within the first year of issuance.

One of the most important aspects of the electronic passport is left until near the end of the FAQ, and covers the privacy issues of stealing the data off your passport without your knowledge.  It explains how skimming and eavesdropping occurs and how it is extremely difficult to do successfully.  There have been many stories over the past year of just how easy it is to obtain your data.  The US government attempts to assure you that your data cannot be read while the passport is closed and not in use.  The British government also assured their citizens of the same thing, yet it can be read before you even receive it in the mail.  Australia has a similar problem with cloning of their new electronic passports.

The last item on the FAQ covers what might be the most commonly asked question.  What happens if all this new technology fails.  Rest assured, you can still use your passport because you are allowed to use the passport until its expiration date.  You will just proceed as if you never had a chip in the first place.  For me, this is a positive response to a major problem of my privacy.  Sledge hammer meet my passport.

So, if all this technology fails, you revert to the system that is now considered antiquated but was, in essence, more secure because your information was only available to thieves if you lost your passport or it was stolen.  You will no longer know if your information was stolen or cloned until it is far too late.  Do yourself a favor and purchase a special wallet that will prevent surreptitious sniffing of your personal information and remember to keep fighting to repeal the law or actually make it secure.

FacebookTwitterGoogle+TumblrRedditHacker News

Flattr this!

According to Cnet, implanting people with RFID chips isn’t as lucrative, or popular, as we are led to believe.  Ever since VeriChip went public with their idea to implant humans, their stock has been struggling.  The chip, to be used for medical purposes, has attracted a mere 222 humans willing to be chipped.

Three years ago, VeriChip began its ad campaign about how wonderful and useful it would be to be chipped.  Everyone from civil libertarians to my grandma balked at the idea, claiming that there were severe privacy issues at stake in such an endeavor.
Cnet also points out that

Virtually all the company’s revenues come from two Canadian companies it acquired in 2005. These companies, EXI Wireless and Instantel, specialize in infant tracking and “wander” detection systems in rest homes. In these systems, RFID tags alert nurses and medical professionals if an infant or other patient is passing through the exits or into unauthorized areas. In these systems, however, the RFID chip is contained in a wristband.

VeriChip, however, has stated that they intend to continue to market their RFID chips because it’s a good idea for medical patients to always have their records with them.  While these chips are a good idea for tracking things such as a lost pet or merchandise, it’s not a good idea to tag every single human just because it’s a convenience.  In theory, tagging grandpa in the old folks’ home to keep track of where he’s wandered off to, again, is a good idea.  However, you already pay thousands of dollars to have actual, live humans do this job.  And they’ve been doing this job for decades.  Has there suddenly been a huge increase of old folks running off the reservation?

Using the VeriChip for other medical reasons might also seem reasonable if you have severe allergies or you have some sort of special needs.  However, it is not reasonable to use my tax dollars to force hospitals across the USA to redo their emergency rooms solely because you can’t be bothered to get a bracelet and an ID card listing your medical condition.  It is your responsibility to take care of your health matters and not place the burden on someone else.

One Problem not addressed in implantable RFID chips are what to do when you need an MRI.  It is known that the skin around the tag will burn when subjected to devices like an MRI.  You could solve this by implanting the RFID tag in a finger, but that just makes it easier for a thief to take that finger with them when they rob you.  If you want to prevent identity theft, then you have to introduce two factor identification, which negates the benefits of having a chip at all because third parties would be introduced, making the entire system less secure than advertised.

Larger problems deal with the end of life issues of a chip.  Technologies change and, in ten years, the chip will not work with the latest technologies.  This would force a person to get a new chip.  If standards are not imposed, you will need different chips for different things.  It makes much more sense to create human RFID tags to be placed in something the person wears every day, such as a wedding ring or a bracelet.  Upgrades will create nightmares, literally, for people once the chip becomes obsolete and a person must return to have the chip removed and replaced.

It’s also no surprise that no one wants this from VeriChip.  We are already uniquely identifiable by a dozen or so different processes.  We have retina scans, fingerprints, DNA and voice recognition.  Then, there are the “minor” unique characteristics such as race, hair color, eye color, height, weight, and shoe size.  The only thing an RFID chip can do is put this into one place, making it easier than ever to track every single thing you do in life.

The slippery slope in this argument is that we’ve already tracked cargo, then pets and cattle.  Next, we will track immigrants.  Who do you think is the last stop?  That’s right.  It’s you.  The government is going to shove a leash up your ass and you’ll like it.  Within a short period of time, you’ll not even notice it’s there.

These chips can and will be abused to determine what you are doing.  You think it’s bad now, with Presidents getting FBI files on their political enemies?  Hitachi now has a chip so small that you can literally dust an area with them and connect the dots later.  Imagine what can be done when there are no longer any paper trails to expose illegal activity.  RFID will be used to see exactly who you voted for, what dissident group you belong to, and who you co-mingle with that also does not like the current governmental regime.

There is no way to justify implanting legal, foreign nationals who have chosen to live here.   In order to do it, you would have to chip every American citizen as well.  Then, you would be faced with the prospect of what you are going to do with the illegal citizens who have no chips?  They will stick out in a field of chipped Americans and the government will no longer be able to turn a blind eye to illegal immigration.  Worse yet, would be the tit-for-tat retaliation that other countries will enforce against the United States.

I am a, mostly, law abiding citizen.  I do not take kindly to people telling me what I can and cannot do.  I do not like people tracking my whereabouts.  When I leave my home, no one knows where I am except “out” and I’d like to keep it that way.  There is not a soul on this planet that needs to know where I am every moment of every day.  I wear a medic alert bracelet should something terrible happen to me while I’m out.  If wearing a bracelet versus being implanted means that those two seconds are the difference between life and death for me, then I chose death.  I will not be tracked and I will not allow others to decide that I need to be tracked.  Keep your RFID tags and chips and use them to track Fluffy or your cargo.  Do not come near me with them.

Our privacy is slowly disappearing.  Some care.  Most do not.  I suspect that, by the time I am an old lady, rocking in my chair on the front porch each afternoon, that I, and a few like me, will remember a time when privacy mattered.  I will witness the erosion of privacy and individual rights as the generations behind me freely give up what the generations before me fought so hard to preserve.

FacebookTwitterGoogle+TumblrRedditHacker News

Flattr this!

In the latest RFID news, IBM has announced that they are planning on inserting RFID chips into Italian scooters and diapers in order to track their movements.  IBM will implement this, most likely, via their new WebSphere RFID Information Center , a new software that allows multiple companies to log and share data from RFID tags.

Honda Italia Industriale, which sold 12.7 million scooters last year, plans to use RFID chips and IBM software to track motorcycle parts and tools circulating within its manufacturing plant in Atessa, Italy.

This, Honda believes, will lead to a more efficient plant because they can easily be tracked throughout the warehouse.

Pliant, based in Schaumburg, Ill., will sell a new RFID-embedded plastic wrap to consumer-goods companies that want to detect any tampering of their products in transit from manufacturer to distributor. Pliant is using IBM’s software to keep track of RFID-marked cargo–everything from cereal boxes to diapers–in the warehouse.

Though Pliant wants to keep track of tampering [] , there is no word on whether the RFID tags will be disabled before the unsuspecting public purchases items embedded with the tags.

These two companies add themselves to the new, and evolving, technology that IBM hopes will be a boon for businesses.  Boeing already tracks their parts via RFID but many retail outlets are still hesitant to use the new technology due to its cost and the lingering questions of consumer’s privacy, such as those that were asked about the Nike iPod.

Other companies already using RFID in their products include US Passports and discs that aim to prevent piracyRitek, the world’s largest DVD and CD maker, introduced these discs through their subsidiary, U-Tech in September 2006 in conjunction with IPICO, who makes the RFID chips for the discs.  This affects all discs, stamped and recordable.

The technology, which can also be used for Blu-Ray and HD-DVD discs, will allow movie studios to remotely track individual discs as they travel from factories to retail shelves to consumers’ homes.

Home DVD players will eventually be able to check on the chip embedded in a disc, and refuse to play discs which are copied or played in the ‘wrong’ geographical region, the companies behind the technology expect.

“This technology holds the potential to protect the intellectual property of music companies, film studios, gaming and software developers worldwide,” said Gordon Yeh, chief executive of Ritek Corporation.

RFID readers will then be built-in to home DVD players to extend the anti-copying technology into homes as part of a digital rights management system.

Again, while it is important to note that having the ability to track your product from warehouse to stores is a good idea, once a person purchases CDs and DVDs, they should actually own the product.  What this does is create a system whereby you are only leasing the product, to be used in your own home, in a manner, that someone else dictates.

It also locks you into one specific system that you are able to use to watch your purchased product.  Your DVD player will perform security tests to locate the RFID chip.  This will be done at the hardware level instead of the current system of software and drivers.  If it does not locate the chip, you will not be able to use the disc.

Ritek believes that this will eliminate piracy altogether.  It may, but I will believe it when I see it.  There will always be a way to copy or record something.  It might take a bit of time, but we have seen protection scheme after protection scheme broken.  Firmware has been modified for years and, if this new technology requires firmware, it will be cracked.  The most recent story is that the HD-DVD restrictions have been cracked and pirated copies of Serenity are available via bittorent.

GM and Toyota have also used RFID tags in the past and still had problems with theft.  Nissan is also implementing RFID.  Even if the data is encrypted, if all you need is a copy, then that is easy to do.  You can be on your way in your new car with a working copy of a key or ID.

Though tracking shipments is a good use of RFID tags, placing them on individual packages presents dangers.  Not all tags are passive and, in many warehouses, tags can be read from several meters away using standard issue readers.  Several meters away is still far enough away that you won’t notice someone reading your tags when you leave the supermarket.   Once you reach home and use the products, all a person needs to do is pass by your garbage cans with a reader and, over time, can account for the types of items you like to buy.  There is no need to for them to dig through your trash and get dirty because a brisk walk will gather all the information that they will need for whatever nefarious purpose they can think of.

IPICO claims that its RFID tags can be read from at least six metres away, and at a rate of thousands of tags per minute. The passive chips require no battery, as they are powered by the energy in radio waves from the RFID reader.

With this reality, it will not be hard to read the RFID tags for whatever possibility a person can imagine.  By continuing to label consumers as the bad guys, much of the RFID technology will be used to prevent normal people from doing normal things with items they purchased and legally own.  These protections aren’t even used to combat piracy, as Hollywood has finally admitted.  What will happen is the elimination of fair use for media, tracking of individual’s personal habits, and abuses of the system.  The question is, are those in Hollywood and Washington going to accept this as they watch their sales dwindle further because Joe Citizen is no longer purchasing their products or will Joe Citizen blindly accept yet another control telling them how to live?

I suggest you do what I have done; purchase several cheap DVD players, get a lot of blank media, keep your mouth shut, and don’t ever upgrade to this crap idea that those that sell you products should tell you how to use them.

FacebookTwitterGoogle+TumblrRedditHacker News

Flattr this!

Tokyo is about to go Minority Report. Starting next month, the Tokyo Ubiquitous Network Project will launch its services in Tokyo’s Ginza district, sending shoppers ads via its RFID networks.

Shoppers can either rent a prototype reader or get messages on their cell phones. The tags and transmitters identify a reader or phone’s location and match it to information provided by shops.

Along with this nifty way of shoving more ads down people’s throats, there are, yet again, calls of concerns about privacy.

Researchers, for instance, have suggested that a sensor designed by Nike Inc. and Apple Computer Inc. to keep track of running distances could also be used to track runners’ whereabouts — such as by installing readers along running paths.

Others worry that tags embedded in clothing could give a retailer valuable details on how long a consumer spends trying on sweaters.

While RFID has good uses, such as tracking pallets of merchandise in warehouses, modern day uses seem to go too far. Children are being tracked at schools, teaching them that it is okay to have their every move logged into a database somewhere. They no longer think it’s a big deal that their every move is being kept somewhere to be analyzed later. Many regular people balked at the idea of RFID tags, forcing companies to target the wealthy first, then children and, now, the public at large. When being tracked is ubiquitous to breathing, those that argued against RFID will be the minority and no longer count.

FacebookTwitterGoogle+TumblrRedditHacker News

Flattr this!

In not so surprising news, professional hacker, Adam Laurie, has claimed that he has successfully hacked Australia’s ePassport system. His new reader is able to access the passports, even through a jacket pocket, just so long as he is within a few inches of the actual passport. He is working on a new reader that can read passports from greater distances, putting all passport holders’ identities in jeopardy.

He had previously used the same tools to hack into Britain’s electronic passport, and warns it could enable criminals to steal your identity or terrorists to target you based on your nationality

He claims such a “hack” would also allow someone that looks like the passport holder to “clone” passports, and cross borders using a false identity.

Hey, it’s not like this should surprise anyone. These systems are entirely insecure, yet Britain, Australia, and the USA have pushed through these new technologies without proper and complete testing. Of course, the Australian government is downplaying this information and denying that it can actually happen. After all, millions of dollars have been spent getting this system online and, to have it be declared a failure so soon after its inception is an unthinkable admission on the government’s part, especially when, a little more than a year ago, Australia was hailing their passports as unhackable and the most secure ever.

“Each passport has a unique key which must be entered before the operator can access the information on the passport chip. The key is contained in the machine-readable zone on the data page of each passport.”

For crying out loud! We’ve heard this over and over. The government sticks their heads in the sand and says, “nuh-uh you can’t crack this. We’re better than the hackers.” It’s been proven many times already that you can clone the information on the passport. If it’s cloned, of course it’s going to pass whatever security measures the passport actually has. For once, I’d like someone in the government to say, “Holy Shit! Can we take a look at this so we can try to prevent this from happening to our unsuspecting citizens?”

“As far as the key is concerned … the information needed to derive this key is available not only on the printed page inside the passport, but sometimes from other sources such as online airline booking sites,” Mr Laurie said in an email.

“The information required is the date of birth, expiry date of the passport, and the passport number.

“This means that you would be unable to read the passport of a random passer-by, but if you were targeting a specific individual, and could get prior knowledge of those bits of information, you could read the passport without touching or seeing it.”

Don’t you think it would be prudent to listen to Mr. Laurie? He is telling you how to circumvent the passport’s security, thereby letting you know what is vulnerable and, essentially, how to fix it. He is concerned more with the fact that so much information regarding a person’s identity is placed on the chips in passports and that someone who would like to do evil can obtain access to the database.

Mr Laurie also raised the concern of “profiling”, whereby an attacker could potentially target specific nationalities.

Yes, many places, such as Slashdot, discussed this some time ago. You target a specific nationality, then kill them just because of it. In this instance, you do not even need physical access to the passport. You scan and learn the nationality of the person. You hate this particular nation so, it’s just a matter of how you want to kill them. Tell me again how RFID chips, biometrics, fingerprints, etc. will stop the terrorists now?

But, that’s okay, the Australian government says it’s not possible to rewrite or alter their passport’s chips, missing the point completely. There’s no need to worry when those evil muggers and terrorists target you just for being [insert your nationality here], they won’t be able to alter your passport so you’re perfectly safe.

FacebookTwitterGoogle+TumblrRedditHacker News

Flattr this!