Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Gigi Zenk, a spokesperson for the Washington State Department of Licensing, says that she doubts the severity of the findings because the researchers “made a lot of assumptions about how customs and border control work.” While she says that no system is ever completely invulnerable, she stresses that the cards contain no personal information, and that the state of Washington has made it a felony to attempt to skim information from them. “We believe we took considerable steps to mitigate risk,” Zenk says, “and I get concerned about this causing unnecessary fear.”

Juels agrees that “if border agents do all that they’re supposed to do”–including, for example, comparing the photographs stored in the database with those printed on the ID–“they should be able to detect counterfeits.” But he adds that the agents may be tempted to rely on the technology and relax their vigilance.

Even if border agents prove vigilant, the researchers maintain, the cards could still pose risks. “These cards can still reveal information about our lives,” says Tadayoshi Kohno, an assistant professor of computer science at the University of Washington, who worked on the research. “If you think about the social-security number, at some point there could have been an argument that it’s just a number, not personal information. But numbers evolve over time, and uses evolve over time, and eventually these things can reveal more information than we initially expect.”

Jonathan Westhues, an independent security researcher who has studied RFID, notes that much depends on how the tag is actually used. If any official assumes that the tag itself is sufficient proof of identity, then the threat of cloning is serious. He notes, “It’s hard to say what exactly they plan to do with the tag, so it’s hard to say whether the overall system will be secure.” As far as privacy goes, he adds that many people already carry smart cards or cell phones that could be used to track them.

The researchers say that they hope to see passport technology improve as a result of the questions they’ve raised. “The whole RFID infrastructure is not a bad idea,” Juels says. “It just needs to be done well.”

3 comments. Share your thoughts »

Credit: University of Washington/RSA Laboratories

Tagged: Computing, Communications, security, privacy, RFID

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me