Monday, 20 July 2009

Why RFID chips (passports / ID cards) are stupid: Economist

An interesting article in the Economist “Have chip, will travel - Why chips in passports and ID cards are a stupid idea” (via QuickLinks), takes the view that:

  1. there’s little speed improvement for e passports
  2. all the chip does is confirm what’s printed in the passport; it doesn’t prove the holder is the person he or she claims to be
  3. e passport chips are too easily hacked / cloned as security’s not what it should be - encryption keys are easy to guess, e-passport chip transmission range is too large, physical attacks are possible
  4. chipped identity cards are even more insecure – they broadcast unencrypted data 10 meters or more and can be locked or killed by a remote attacker.

See also EU agency ENISA’s excellent February 2009 position paper Privacy Features of European eID Card Specifications, which contains comparisons between privacy features offered by various European eID card specifications; expert analyses of risks risks to personal privacy resulting from the use of national electronic identity card schemes; and techniques available to address these risks.

The paper (which was discussed at the European e-Identity Management Conference 2009) also looks at how these available privacy enhancing technologies are implemented in existing and planned European eID card specifications, the European Citizen Card and ICAO electronic passport specifications.

It is perhaps telling that the UK was the only EU member state involved which refused to show ENISA its e-ID card specification, even in draft (which Germany did).

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.