|Homepage / Publications & Opinion / Silicon.com
Bordering on stupidity
Are electronic passports up to the job?
Written in a coffee shop in Mountain View CA and dispatched the next day from a free wi-fi service in the hotel.
What could be easier? Take that old paper passport and add some electronics to turn it into a super-secure means of ID and certification.
After all, we only have to decide on the global standards for content, format, encryption, transmitters, receivers, scanners and so on, and we are home and dry. Right? Wrong.
From the outset such an ideal has been fraught with international disagreements and tensions that start with the need to get standards in place. To be blunt, these standards still don't exist.
But the biggest failure seems to be the rush to get the technology out and into general use. Decisions appear to have been made without enough thought, without modelling, or a view to the future IT capabilities available to those on the dark side.
As far as I can see, every ePassport design introduced to date, including the UK's, Germany's and the USA's, have been demonstrated to be relatively insecure provided you muster a reasonable set of tech skills.
In short; the information can be read, changed, and cloned. With the demonstration of false passports able to pass as authentic by UN-approved reader software, the entire program might be expected to be in disarray and needs to be rethought.
But no, everything seems to still be rolling ahead as planned. How can this be? ePassport rollout has started en masse and it was all supposed to make us more secure but it appears that the technology provides little or no defence against a determined enemy.
At best it might just speed up our transit at immigration points. But if it is a flawed technology, we will be back where we started, having wasted billions. The long lines of people waiting for a visual inspection a page at a time will still be there.
Of course, this actually is rocket science. It does need a high degree of tech knowledge and capability to get it right. And most countries do have that capability.
Certainly it is available on the international stage. But not, I fear, the management and political nous required to build a successful solution and transition plan.
With any security system it is foolish to rely on any one parameter set or technology approach. It is even more foolish to assume that attackers won't be able to keep up, or even overtake in due course.
All security solutions have to evolve and try to keep ahead of those determined to breach them.
In the case of ePassports there needs to be at least an online database augmentation of the information contained in the embedded chips, and in addition, some form of PIN, password, phrase and/or picture choice known only to the real identity holder. This might just keep ahead of the dark side for some considerable time.
From the outset it seems all ePassport programs to date have been rushed through in some kind of blind panic.
But with any IT project it is essential the managers and politicians are sufficiently versed in technology to grasp what is said to them - and in such cases political imperatives must bow to reality.
Wasting billions is one thing but potentially weakening our security by the temporary illusion of electronic infallibility is another.