Juels is quick to note that the cards won’t be the only thing protecting the border. “If border agents do all that they’re supposed to do [including, for example, comparing the photographs stored in the database with those printed on the ID], they should be able to detect counterfeits,” he says. He adds, however, that it’s human nature to become less vigilant when there’s technology to lean on.
When I asked the Department of Homeland Security about these concerns, press secretary Laura Keehner responded with a statement that said, in part, “While the risks described in the University of Washington/RSA paper may be technically possible, we believe that many are improbable, and even if realized, would have little impact other than causing an individual traveler minor inconvenience at the border. … As we identify additional mitigation strategies, we will continue to strengthen requirements for … cross-border travel documents in order to both enhance border security and privacy of the document holder.”
The New York License, and Beyond
No independent researcher has yet published an evaluation of New York’s enhanced driver’s license, but the card avoids some of the concerns raised about the federal and Washington cards. The chips in the New York licenses have serial numbers to protect them against counterfeiting, and their memory banks have been locked to protect them against unauthorized use of commands. It’s admirable that Homeland Security and the states it’s working with are willing to make use of better technologies than they chose at first. But it’s not clear whether these efforts will go far enough.
The New York licenses present the same privacy issues that the other cards do, and as Keehner’s comments suggest, officials have a tendency to dismiss such concerns – which could very well mean that nothing will be done about them. Yet surely it’s possible to protect the privacy of cardholders without requiring them to keep track of privacy sleeves. For example, says Avi Rubin, each card could be fitted with a button that allows the user to control when to send information. Unless the button was pushed in, the ID wouldn’t respond to queries. Such cards would cost a bit more, but they could offer more security as well as more privacy.
As long as the remaining problems are ignored, though, it’s unlikely that the technology will become good enough to protect international borders without compromising the privacy of thousands or millions of people. Tadayoshi Kohno, for one, says that at this point, he is not convinced that RFID even offers security advantages over the old IDs. Technology used on this scale, and for purposes this important, should be clearly better than what it’s replacing: the U.S. experience with electronic voting systems shows what can happen when it’s not. If officials continue to advocate band-aids such as privacy sleeves rather than working to address the full extent of critics’ concerns, they will ultimately undermine the very technology that they hope to promote. While new ID technology seems likely to stay, it could become a fiasco if officials don’t pay attention to the work of hackers and security researchers. These people try to expose weaknesses before they can be exploited maliciously. It’s much less painful to swallow the news from them than to wait until a problem becomes embarrassing – or devastating.
Erica Naone is a Technology Review assistant editor.