An analysis of security and privacy issues relating to RFID enabled ePassports
The European Union sees the introduction of the ePassport as a step towards rendering passports more secure against forgery while facilitating more reliable border controls. In this paper we take an interdisciplinary approach to the key security and privacy issues arising from the use of ePassports. We further analyse how European data protection legislation must be respected and what additional security measures must be integrated in order to safeguard the privacy of the EU ePassport holder.
Keywords: Personal Data, Privacy Issue, Identity Theft, International Civil Aviation Organization, Data Protection Directive
- 1. ICAO = International Civil Aviation Organization, http://www.icao.int.
- 2. Information available via http://www.icao.int/mrtd/publications/doc.cfm.
- 4. A. Juels, D. Molnar, and D. Wagner, Security and Privacy Issues in E-passports, IEEE SecureComm 2005; available online at http://www.cs.berkeley.edu/dmolnar/papers/RFID-passports.pdf. The term ‘intended’ indicates the range of vendor-standard readers.
- 5. Protection Profile BSI-PP-0016-2005 and BSI-PP-0017-2005, certified in August and October 2005 respectively by the German Federal Office for Information Security; available via http://www.bsi.de/zertifiz/zert/report.htm.
- 6. This has recently been analysed and demonstrated with a Dutch passport (see H. Robroch, ePassport Privacy Attack, 2006, which also details reading and eavesdropping distances; see http://www.riscure.com/2news/200604%20CardsAsiaSing%20ePassport%20Privacy.pdf).
- 7. J. Beel and B. Gipp, ePass — der neue biometrische Reisepass, Shaker Verlag, Aachen 2005 (download of chapter 6 “Fazit”: http://www.beel.org/epass/epass-kapitel6-fazit.pdf). In most ePassports the effective key length is far lower than 56 bits, typically 35 bits, and in some cases even as low as 28 bits.
- 8. See, e.g., K. Zetter, Hackers Clone E-Passports, Wired News, August 3, 2006; http://www.wired.com/news/technology/0,71521-0.html.
- 9. Among others see Z. Geradts (ed.), FIDIS Deliverable D6.1: Forensic Implications of Identity Management Systems, Frankfurt 2006; http://www.fidis.net/fidis-del/period-2-20052006/#c822; Starbug, How to fake fingerprints?, October 26, 2004; http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml
- 10. In France: e.g., the project INES (identité nationale électronique sécurisée), January 31, 2005; http://www.foruminternet.org/telechargement/forum/presprog-ines-20050201.pdf; in Germany: C. Engel, Auf dem Weg zum elektronischen Personalausweis, Datenschutz und Datensicherheit 4/2006, pp. 207-210, Vieweg, Wiesbaden 2006.
- 11. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23/11/1995 pp. 0031–0050.
- 12. Article 29 Data Protection Working Party, Opinion on implementing the Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, adopted on 30 September 2001, 1710/05/EN (WP 112).
- 13. R. Jay and A. Hamilton, Data protection — Law and practice, London Sweet & Maxwell 2003, p. 91.
- 14. P. van Eecke and G. Skouma, RFID and Privacy: A difficult Marriage?, in: S. Paulus, N. Pohlmann, and H. Reimer (eds.), ISSE 2005 Securing Electronic Business Processes — Highlights of the Information Security Solutions Europe 2005 Conference (pp. 169-178), Vieweg, Wiesbaden 2005, p. 173.