ntouk.com - Jerry Fishenden's technology policy blog

New Technology Observations from a UK perspective (ntouk).
 

e-Passports and real world limits of RFID

It's no surprise to see continuing negative publicity about the security issues of ePassports. This time it's a report that Adam Laurie - who recently gave evidence to the House of Lords inquiry into personal Internet security - has shown how easy it is to access information on the new generation of UK ePassports.

Using a brute force attack, he was able to read the RFID chip embedded in the new type of passport, further confirming the type of vulnerability that researchers have shown previously. It would be relatively easy to then clone the ePassport in the same way existing paper passports are already widely faked. More worryingly perhaps, it means our personal data (potentially including our biometric information) can be acquired from ePassports without our knowledge or consent:

...Laurie said the new passports were marketed as enhancing security, "but so far I don't see anything about it that increases my security."

Adam's relatively easy breach of the ePassport reflects the recent Budapest Declaration on Machine Readable Travel Documents (MRTDs) which warned that ePassports increase the risk of identity theft.

This sort of careless breach of privacy and security will continue so long as people design technologies and systems that breach the laws of identity. Perhaps it's time for OGC to build into its gateway review processes a systematic check that any identity system being used in public sector projects does not breach these laws. In the same way ISO 17799 compliance is required for security, we need to see the same levels of process and control applied to identity and privacy.

There's been a great deal of discussion over recent months of inherent flaws in the ICAO standards that governments are forced to comply with for travel documents, such as passports. In the paper document age, there was no choice but for passports to "broadcast" our personal information to anyone who requested to look at them - hotel check-in staff for instance. (Quite why anyone feels they are entitled to examine a travel document anywhere other than an official international border is a point I won't debate here).

In the electronic era, there is a great chance to move to a model that does not wilfully expose our personal data to anyone who has access to the document. Electronic travel documents such as ePassports could be designed not to release any information to anyone, other than when explicitly authorised to do so by the carrier. But ICAO rules require personal information to be widely and freely exposed through printed content, machine readable strips and now through the design of the RFID chips used in the new generation of ePassports. Such privacy-violating requirements are major threats to our personal security as frequent reports have made clear.

ICAO requirements breach the laws of identity - and hence breach best security and privacy practice. Until this problem is fixed, I anticipate many more reports of the kind sparked by Adam's work.

This is one of many reasons why lately there has been great consideration as to whether any UK ID card should also double-up as a travel document: if it were to do so, it would immediately be compromised by the ICAO requirements. It would prevent the UK designing a twenty-first century identity system without any of the compromises of the old paper world being present.

So let me restate what I blogged before:

I think all of this reinforces the point that many have tried to make: this is not just about an ID cards programme or ePassports: it is about how we best design a modern identity system for the twenty-first century. If we continue to pick away at pieces of this jigsaw without addressing the wider context, it will not just be "law of unintended consequences 30, security and privacy 0" - but game, set and match to the bad guys.

I can only concur with the recommendations of FIDIS:

FIDIS calls for short-term damage control measures to be taken (because biometric ID is already being rolled out), and for "a new convincing and integrated security concept" to be developed within the next three years.
