Yesterday at the Computers, Freedom and Privacy conference in Seattle, Ed Felten cornered a State Department Fed who was there to advocate for passports enabled with RFID chips that will make it possible to track Americans as they wander the streets of foreign cities, and for terrorists and crooks to target American citizens by detecting the signature radio-pulses their passports give off. Ed asked the Fed why the US needed remotely readable passports, instead of passports with smart-cards or other "contact-read" technologies in them? The Fed's responses are hilariously lame:
In the Q&A session, I asked Mr. Moss directly why the decision was made to use a remotely readable chip rather than one that can only be read by physical contact. Technically, this decision is nearly indefensible, unless one wants to be able to read passports without notifying their owners — which, officially at least, is not a goal of the U.S. government's program. Mr. Moss gave a pretty weak answer, which amounted to an assertion that it would have been too difficult to agree on a standard for contact-based reading of passports. This wasn't very convincing, since the smart-card standard could be applied to passports nearly as-is — the only change necessary would be to specify exactly where on the passport the smart-card contacts would be. The standardization and security problems associated with contactless cards seem to be much more serious.
After the panel, I discussed this issue with Kenn Cukier of The Economist, who has followed the development of this technology for a while and has a good perspective on how we reached the current state. It seems that the decision to use contactless technology was made without fully understanding its consequences, relying on technical assurances from people who had products to sell. Now that the problems with that decision have become obvious, it's late in the process and would be expensive and embarrassing to back out. In short, this looks like another flawed technology procurement program.
