This story appeared on Network World at http://www.networkworld.com/columnists/2005/050905bradner.html
'Net Insider
Maybe it is mulish stupidity after all
By Scott Bradner, Network World, 05/09/05
Three weeks ago I wrote about the U.S. government's efforts to keep the pending electronic passport from being too secure. I still don't know for sure why the government tried so hard to do this, but it's beginning to look like we should apply the old adage "Never ascribe to malice what can be adequately explained by stupidity."
Deputy Assistant Secretary of State Frank Moss spoke on a panel about electronic passports at the Conference on Computers, Freedom & Privacy in mid-April. Security guru Bruce Schneier and Barry Steinhardt, director of the ACLU's Freedom and Technology Program, joined him on the panel. You have to give Moss credit for being willing to come to what was obviously going to be a den of doubters.
Network World sister publication PC World covered the event and provided audio recordings of the talks. Schneier spoke first and focused on putting the issues in context (zipped audio file).
Next came Moss, who said the government had received more than 2,400 comments on the electronic passport proposal (zipped audio file). He did not say, but it's my guess that most of the comments did not much like the proposal. He said that the passports, which are scheduled to be given to U.S. diplomats in August, would not be implemented unless the government was sure that they would be safe. (The government is doing a test drive of its own targets.) He said that the government was looking at a number of options, including building a Faraday cage into the passport to block scanning, but then he reiterated that the passports could only be read by a scanner from a distance of 10 cm. He went on to say: "The idea that you can walk down a hallway in a hotel and pick out the Americans, is quite honestly, poppycock. The same thing goes for the bar in Beirut. These things can only be read at very short distances." I expect Moss is right about the hotel hallway, but expect he is incorrect about the Beirut bar - something that he was about to find out.
Third up on the panel was Steinhardt, who proceeded to give a live demonstration of scanning a passport, which was outfitted with an RFID chip of the type specified in the standard, at a distance of three feet. Moss finally seemed to have paid attention when this was demonstrated in front of him because a few days later, he told Wired News that the government was suddenly "taking a very serious look" at the scanning issue. He didn't say what the result of the serious look might be, but maybe the government will adopt the Basic Access Control standard developed by the same people who developed the rest of the standards for electronic passports. See the paper "Security and Privacy Issues in E-passports" by researchers Ari Juels, David Molnar and David Wagner for an analysis of this and other security issues about e-passports.
So maybe Moss and company just needed to be shown they were wrong - in public - to get them to listen. We will know soon if they learned any lasting lessons.
Disclaimer: Lasting lessons are what places like Harvard are all about but we prefer to not use public embarrassment to get a student's attention. Anyway, the above is my hope, unshared (as far as I know) by the university.
All contents copyright 1995-2005 Network World, Inc. http://www.networkworld.com