Although the cards don’t store personal information, the researchers concluded that even storing a unique number raises some privacy concerns. “If you think about the Social Security number, at some point there could have been an argument that it’s just a number, not personal information,” says Tadayoshi Kohno, an assistant professor of computer science at the University of Washington, who participated in the study. “But numbers evolve over time, and uses evolve over time, and eventually these things can reveal more information than we initially expect.”
What’s more, relatively common RFID readers, such as those used for inventory control, could under some circumstances read the cards’ numbers from quite a distance. The researchers felt there was a risk that the cards could be used to track people, the way a few shopping centers in Britain have used signals from cell phones to track customers’ shopping habits and monitor how long they stay in stores. Although people carry other cards and devices that could also be used for tracking, the researchers note that the identification cards can be read at longer range than many other RFID tags and that people are likely to carry them at all times, while they might leave, say, their cell phones at home.
And regular U.S. passports, which also contain RFID chips, use technology that makes privacy problems less likely. Passports, unlike passport cards, must be read from up close, and they have a security system that requires an official to optically scan characters from the document in order to gain access to the personal data stored in the chip.
Gigi Zenk, a spokesperson for the Washington State Department of Licensing, says that Washington has made it illegal for third parties to use data from RFID tags without the tag owners’ consent. She and other officials add that anyone concerned about privacy can use the privacy sleeves provided with the cards, which are designed to block radio signals so that the cards are harder to read surreptitiously. But the Washington study showed that the sleeves didn’t always work: they didn’t block radio signals when crumpled, for instance. The researchers also argued that most people are unlikely to use the sleeves, anyway. Even some privacy researchers Juels consulted confessed to having lost them, he says.
And privacy isn’t the only issue here: the researchers say that unauthorized reading would threaten border security as well. If it’s easy to get the identification number out of the cards, then it’s relatively easy to counterfeit them, simply by loading a stolen ID number onto a blank, off-the-shelf chip. If each RFID chip also had a unique, hardwired serial number, which had to correspond to the stored ID number, it would be harder to counterfeit. But neither the Washington licenses nor the passport cards have that extra security feature.
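The serial-number binding described above can be sketched as follows. This is an added example, not part of the original article or of either card program; the HMAC construction, the key, the field names and the sample values are assumptions, and it assumes the chip's serial number cannot be rewritten.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key (assumption); not a real issuer key.
ISSUER_KEY = bytes.fromhex("4b" * 32)


@dataclass(frozen=True)
class TagRead:
    serial: bytes     # hardwired at the factory, assumed not rewritable
    id_number: bytes  # rewritable memory: the number the reader looks up
    binding: bytes    # rewritable memory: written once at issuance


def make_binding(key: bytes, serial: bytes, id_number: bytes) -> bytes:
    # Length-prefix the serial so distinct (serial, id) pairs cannot collide.
    msg = len(serial).to_bytes(1, "big") + serial + id_number
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def issue(key: bytes, serial: bytes, id_number: bytes) -> TagRead:
    return TagRead(serial, id_number, make_binding(key, serial, id_number))


def copy_rewritable_fields(source: TagRead, blank_serial: bytes) -> TagRead:
    # Models the counterfeit the article describes: everything writable is
    # copied, but the blank chip keeps its own hardwired serial.
    return TagRead(blank_serial, source.id_number, source.binding)


def id_only_check(read: TagRead, issued_ids: set) -> bool:
    # The weak check: the stored ID number alone is trusted.
    return read.id_number in issued_ids


def bound_check(key: bytes, read: TagRead) -> bool:
    # The stored ID must correspond to the serial of the chip presenting it.
    expected = make_binding(key, read.serial, read.id_number)
    return hmac.compare_digest(expected, read.binding)


if __name__ == "__main__":
    # Constructed sample values.
    genuine = issue(ISSUER_KEY, bytes.fromhex("e2003412a1b2c3d4"), b"WA-0000001")
    copy = copy_rewritable_fields(genuine, bytes.fromhex("e2003412ffeeddcc"))
    issued = {genuine.id_number}
    print("id-only:", id_only_check(genuine, issued), id_only_check(copy, issued))
    print("bound:  ", bound_check(ISSUER_KEY, genuine), bound_check(ISSUER_KEY, copy))
```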
The Washington cards are open to one additional type of attack: EPC tags can be disabled when a reader issues a “kill” command. Although each tag is designed to be protected by a PIN that allows only authorized users to issue the command, the state never set the PIN on the cards it distributed, allowing anyone with an RFID reader to set it himself and commence killing cards. If a good number of Washingtonians with enhanced licenses were gathered at a border crossing, someone could cause a disruption by killing large numbers of cards. An attacker could also use this tactic to harass particular individuals, since a killed card is likely to draw suspicion.