Sun
Mar 29 2009
12:05 pm

Saturday, March 28, was Passport Day at the USPS. You may ask, "Why does the post office need such a day?" The answer: Because they are anticipating a rush.

"On June 1, 2009, U.S. citizens must present a passport book, passport card, or other travel documents approved by the U.S. government to enter the United States from Canada, Mexico, the Caribbean, and Bermuda at land borders and sea ports of entry." Source: US State Department ((link...))

The catch? The "border" now includes everything within 100 miles of the actual boundary. See the ACLU's map and other information at:
(link...)

In other words, if you don't have a passport you need to get one. Until that 100-mile border area the ACLU terms a "Constitution-free zone" goes away, just walking around in much of America will require a passport and subject you to random searches and detention at the whim of officials. You will need to be ready to prove US citizenship at any time and the old standby of driver's license plus birth certificate will no longer be sufficient.

Tennessee is far enough from a US border for stay-at-homes not to worry but if you travel, think ahead.

Be careful carrying the new passports though. They are equipped with RFID chips that can transmit your data to any RFID reader. Security researchers have demonstrated the theft of passport RFID data from 100 yards away with minimal equipment that fits in a backpack.

No matter what the official line on RFID safety is, these new documents are not safe. The identity theft risk is real. So, keep your new passport in foil or other metal container to reduce the emitted radio signal.

These expensive, unsafe, and repressive changes are part of Bush's dismal legacy. Let us hope that the new administration will get around to rescinding them soon.

-- OneTahiti

RayCapps's picture

Hey, you're right!

I'm working from home today and needed my portable RFID verifier to get things done. So I pulled out my passport and waved it in front of the reader and... it read!

If you're out there on the RFID conspiracy theory loony fringe, you're probably thinking I pulled up my own name, address, place and date of birth, and all the other information about me contained in my passport. Heck, that darned chip could even have a digitized fingerprint or picture of me in it! But alas, no, I only got a number. It wasn't even something potentially useful like a Social Security Number or even the passport number. It was just a number... the next available number in the pattern that gets written onto the chips as the passports are put together.

Now, if you happen to have access to the U.S. Customs database that holds passport data, you could use that RFID scan to pull up all the data the hardcopy passport has about me on your computer (and even pictures and digitized fingerprints). Of course, if you happen to have access to the U.S. Customs database, you didn't need that number in the first place, did you?

The RFID chip in your passport is actually a very cool little security feature that makes it darned tough to counterfeit a passport. A U.S. Customs official can scan your passport's RFID chip (it could just as easily, and less expensively, have been a barcode - but that's another argument altogether) and pull up the passport information from the U.S. Customs database for that RFID chip number. The official can now compare his database information to what your hardcopy passport says to make sure they match. To have the RFID chip repeat any information in the hardcopy passport would defeat the whole reason for using the RFID chip in the first place!

onetahiti's picture

"Cool little security feature"

I had read that the information now broadcast is indeed numerical but still not safe. See: (link...). One person's "cool little security feature" is another's expensive, unnecessary, and unsafe Bush legacy. Once someone brings out the big guns of "conspiracy theory" (there's a conspiracy?) and "loony fringe" I am out of the debate :) but I did enjoy your post.

RayCapps's picture

Well, RFID is a source of a lot of "conspiracy theory" stuff...

but to those not obsessed with RFID as being either the first step toward government/corporate tracking of our every move or the "sign of the beast" or other such nonsense, an understanding of the capabilities (or lack thereof) of a RFID "chip" is usually enough.

The most recent standards for RFID tags (EPC Gen2, 2004) required that all passive RFID tags (the ones you usually see, not the ones with batteries and that look like little transistor radios) be able to store 96 bits of data. Today, many are capable of storing up to 128 bits.

To put that another way, using 8-bit ASCII, a 96-bit RFID tag could hold "ABCDEFGHIJKL" and it would be full. A 128-bit RFID tag could make it all the way to the letter P. It's not exactly a medium designed to hold significant amounts of data. If you're familiar with their development and intended usage, that's not surprising.

Another common myth is that people can wander around with RFID readers and pick up those numbers off of tags from hundreds of feet, even hundreds of yards, away. In the real world, the maximum practical distance for reading a passive RFID tag is about 25 to 35 feet under ideal circumstances - and good luck finding those. A good barcode scanner reading a larger barcode (say, an SSCC container code on a pallet) can easily match or beat that distance. Again, if you're familiar with their development and intended usage, that's not surprising.

RFID tags, at the heart of it, are intended to replace barcodes. Barcodes require a line of sight and a human being to remember to aim and scan the code every time he's supposed to. RFID tags avoid those two limitations. If you're Walmart or the Department of Defense, those advantages can mean millions of dollars in inventory savings. Essentially, though, if you're not freaked out by someone reading a barcode, there's no reason to be freaked out by something reading an RFID tag. From the beginning, both technologies were designed to achieve the same exact purposes.

RFID tags hold a number. That number is the key to a record or records in a database file or files on a back end system that holds the actual associated data. Without access to the backend system, the number tells you nothing useful. It's the same with a barcode. You can easily view the "human readable" number underneath all the long black lines, but what exactly does that tell you?

As you can probably guess, I deal with RFID tags and barcodes on an almost daily basis. I work for a manufacturer who has Wally World as a major customer, and thanks to their RFID mandate to suppliers, we've been struggling with these stupid tags for a few years now. For me, the problem with RFID isn't all the science fiction ways that people are afraid they could be misused, but just how frustratingly difficult it is to get them to even consistently do what they were designed to do. If it gets a little too hot or a little too cold or the package flexes too far in the wrong place or the tag wasn't applied in just the right spot, it breaks or fails to read. Give me a simple barcode label any day of the week over that. They're consistent, durable, and darned cheap.

For an application such as a passport, RFID seems like a complete waste of money, especially given the pains the government has taken to reduce (!) the range at which they can be read. It's not a "danger" to anyone's privacy or personal security, just a waste of money. But RFID is the "wave of the future" and barcodes are "old school." I doubt the question of which technology would be the best to use even came up.

onetahiti's picture

It would be nice if a longer range were indeed a myth

I agree with you on barcodes vs. RFID or other RF communication. I've designed a number of industrial applications and systems over the years with one or the other or both.

We may have to agree to disagree :) about the safety of RFID passports (and other RFID ID).

Even years ago (2005) passport RFIDs were read at 69 feet with inexpensive equipment:

"'The proximity chip technology utilized in the electronic passport is designed to be read with chip readers at ports of entry only when the document is placed within inches of such readers.' The issue is that they're confusing three things: the designed range at which the chip is specified to be read, the maximum range at which the chip could be read, and the eavesdropping range or the maximum range the chip could be read with specialized equipment. The first is indeed inches, but the second was demonstrated earlier this year to be 69 feet. The third is significantly longer." -- Bruce Schneier's Crypto-Gram Newsletter, Nov. 15, 2005 ((link...))

And eavesdropping technology will only improve over time.

"War Driver Cruises San Francisco Scanning, Collecting Passports" - Wired 2/2009 ((link...))

"Passport RFIDs cloned wholesale by $250 eBay auction spree..." - The Register ((link...)), Youtube ((link...))

Depending on the RFID frequency and "the size of the reader antenna...." (they) "have a read range of 300 to 2,500 feet....Their unique ID numbers are captured by the RF Code reader, loaded in a seven-pound backpack that Stafford personnel can wear at a job site." -- RFID Journal ((link...))

My point is that we are spending huge amounts of money for an unneeded, unsafe system whose security will only be worse over time.

RayCapps's picture

That's a lot of work to get hold of a number...

that doesn't tell you anything without access to something else. And I wish I had equipment that could read barcodes at 69 feet on a consistent basis. Some days, I'd be happy at 69 inches. Maybe if our product wasn't inside of steel cans. :) Anyway, for most practical applications, if you're getting consistent reads at 30 feet, you're doing awfully darned good with this stuff.

What I can't seem to follow from any of the links you provided is what that number is going to tell you in isolation. To fake my passport (or NY state driver's license or any other form of documentation) you're going to also have to see that piece of documentation or at least already know that information about me from other sources. You'll also have to have the necessary equipment and skill to make a convincing fake. Without the RF chip, you'd still have to know all the other information and have the skill/equipment to forge the document. If anything, it makes it at least somewhat more - not less - difficult to steal someone's I.D.

The disconnect, perhaps, is the idea that the number somehow tells you something useful... like the number is a unique form of identification in the same sense as a SSN or passport number or driver's license number or credit card number. But it really isn't. Unlike those other numbers, the RFID tag number is a single purpose identifier. In fact, absent a reader set to just display the result, neither the passport owner nor the customs official would know - or have reason to know - what number was being read off the RFID tag. RFID doesn't require a human to machine interface. What makes the SSN, passport#, Driver's License#, and Credit Card# dangerous isn't the number, it's that you have systems out there keyed to those numbers where, if you type in the ID, you can pull up information about the individual or make purchases charged to that individual. It wouldn't be practical to create a man-machine interface for an RFID tag, because the tag holder doesn't know what that number even is! My passport's RFID number was 590487631398. I challenge you to find some way to make use of that.

The gibberish about using the chip to track someone's movement was quite amusing. Even using the 69 feet number, you're talking about wandering around with a portable RF reader and keeping within 70 feet of someone's position. Even assuming you've modified your reader to somehow triangulate direction as well as distance... you're still performing worse than you would just using your freaking eyeballs. I suppose a government entity could put RFID readers in strategic places so that they have a record of all ID's that were in an area and when - but again, visual identification seems a lot more efficient (use a freakin' camera!) I just don't follow this concern in the least.

But for grins and giggles, let's generate a scenario where using RFID numbers for identification can become a legitimate security issue. If, instead of actually checking my I.D. papers, all I had to do was walk by a RFID reader for identification purposes, we've got a legitimate problem. If, instead of pulling me over to give me a ticket or taking a picture of my license plate, some municipality gets the bright idea of just burying a RFID reader in the roadway and grabbing my identity off my NY driver's license, we got a legitimate problem. In any scenario where the RFID tag becomes the sole required means of identification, you got an issue. As long as it's just an additional layer on top of existing identity checks, it's really hard to make that case.

That said, we're still in complete agreement about barcodes being even more secure for this application (it's really hard to read a barcode off an identity card that's in my hip pocket). It also provides a built-in back-up in case of equipment failure (if the barcode scanner goes down, type the blamed number into your computer like any grocery store cashier). There's also the cost advantage (barcodes only cost ink). But you're really having to bend way over backwards to pin this down as some sort of unusual incompetence on the part of the Bush Administration... it's rather like reading a bank robber's hold-up note and criticizing his penmanship. :o)

onetahiti's picture

Not "unusual," surely

Were there any "unusual incompetence(s) on the part of the Bush administration?" :) There were loads of usual ones though.

-- OneTahiti

onetahiti's picture

In the news again

Here's an update on the topic from the Washington Post: (link...)

-- OneTahiti
