April 4, Privacilla.org is pleased to make the following comments on the proposed Electronic Passport rule.

Similar documents
Biometrics in Border Management Grand Challenges for Security, Identity and Privacy

TECHNICAL ADVISORY GROUP ON MACHINE READABLE TRAVEL DOCUMENTS (TAG-MRTD)

Before the BUREAU OF CONSULAR AFFAIRS DEPARTMENT OF STATE. Washington, DC DOS (RIN 1400-AC58) COMMENTS OF THE IDENTITY PROJECT (IDP),

Now, in the interest of full disclosure, I must begin my remarks with the following important announcements. These include:

Passports. transgender people and. A Resource from the National Center for Transgender Equality September 2008

Enhanced Driver s Licence (EDL) and Enhanced Identification Card (EIC) Program

Chips Ahoy? The Legal Issues Associated with Radio Frequency Identification Technology (RFID) in the Workplace

An Act to Promote Transparency and Protect Individual Rights and Liberties With Respect to Surveillance Technology

Biometrics: primed for business use

e-passports: Uses, Limitations, and Impact on Simplifying Passenger Travel Initiatives

The Manitoba Identification Card. Secure proof of age, identity and Manitoba residency

Chief, Legal Division, Office of Passport Policy, Planning and Advisory Services, 2100 Pennsylvania Ave., NW., 3rd Floor, Washington, D.C.

The Manitoba Identification Card. Secure proof of age, identity and Manitoba residency

Testimony of. Lawrence Norden, Senior Counsel Brennan Center for Justice at NYU School of Law

Ontario Enhanced Driver s Licence Applicant s Guide

Ontario Enhanced Driver s Licence Applicant s Guide

... moves to amend H.F. No. 3959, the third engrossment, as follows:

Moving to the Second Generation of Electronic Passports

An Open Letter to the ICAO

fraud prevention done right

Second wave of biometric ID-documents in Europe: The Residence Permit for non-eu/eea nationals

State Legislative Activities & Identity Management

International Civil Aviation Organization HIGH-LEVEL CONFERENCE ON AVIATION SECURITY (HLCAS) Montréal, 12 to 14 September 2012

WORKING DRAFT REVISE AS NEEDED

Proposed Agency Information Collection Activities; Comment Request

Bonding solutions in e-passports

Fragomen Privacy Notice

NEW YORK IDENTITY THEFT RANKING BY STATE: Rank 6, Complaints Per 100,000 Population, Complaints (2007) Updated January 25, 2009

Topics. Current Challenges at the Land Border. Western Hemisphere Travel Initiative (WHTI) Identity and Security at the Border

your guide to B.C. s enhanced driver s licence program

COUNCIL OF THE EUROPEAN UNION. Brussels, 11 November /04 LIMITE VISA 203 COMIX 684 NOTE

If further discussion would be of value, we stand by ready and eager to meet with your team at your convenience. Sincerely yours,

555 Wright Way Carson City, Nevada Telephone (775) December 9, 2009

BIOMETRIC RESIDENCE PERMITS General Information for Applicants, Employers and Sponsors

Biometrics how to put to use and how not at all?

UTAH IDENTITY THEFT RANKING BY STATE: Rank 31, 57.8 Complaints Per 100,000 Population, 1529 Complaints (2007) Updated December 30, 2008

16 March Purpose & Introduction

ICAO MRTD & emrtd Specifications: High Level Overview

The Spanish eid document.... Both a national identification and a compliant travel one

10126 Federal Register / Vol. 81, No. 39 / Monday, February 29, 2016 / Rules and Regulations

BIOMETRICS - WHY NOW?

Testimony and Statement for the Record of. Marc Rotenberg President, EPIC. Hearing on. Employment Eligibility Verification Systems (EEVS) Before the

CHAPTER 2 LITERATURE REVIEW

DEPARTMENT OF JUSTICE CANADA MINISTÈRE DE LA JUSTICE CANADA

The Philippine Department of Foreign Affairs began the issuance of the Philippine epassport (electronic passport) on 11 Aug 2009.

Electronic Privacy Information Center September 24, 2001

Confronting Biometric Detractors

Interstate Commission for Adult Offender Supervision

International Biometrics & Identification Association

Identity Management Transcending Markets in Today's Society. October 11th, 2005 Patrick McQuown Adjunct Professor - Georgetown University

Passports culture of identity

The Business Network: Terms of Use

Arthur M. Keller, Ph.D. David Mertz, Ph.D.

(Havana, Cuba, 21 July 2017)

IRB RELIANCE EXCHANGE PORTAL AGREEMENT

The Lawyer s Ethical and Legal Duties to protect Private Information

THE GENERAL ASSEMBLY OF PENNSYLVANIA HOUSE BILL

EUROPEAN DATA PROTECTION SUPERVISOR

Cell Site Simulator Privacy Model Bill

Five Year Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)

ENTRY VISA TO CAMEROON

Security Breach Notification Chart

E-Channels Customer Master Agreement - HSBCnet (Business) Customer Details. Full Customer (Company) Name: Address: Emirate: Postal Code / PO Box:

EDPS Opinion 7/2018. on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents

1. What sort of passenger information will be transferred to US authorities?

Chairman Feinstein, Ranking Member Kyl, distinguished members of the Subcommittee:

3T Software Labs EULA

News Release May 11, 2010

Strategic Partner Agreement Terms

SUBCHAPTER B PROCEDURAL RULES

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

United States Government Accountability Office GAO. Report to Congressional Requesters. June 2010 BORDER SECURITY

August 25, Comments on Non-Federal Entity Data System (NEDS) System of Records Notice (SORN) [73 Fed. Reg ] Docket No.

Testimony before Senate Budget Subcommittee 4 on Implementation of the Federal Real ID Act of 2005

LAW ON PLANT PROTECTION PRODUCTS I. MAIN PROVISIONS

Disclosure Requirements for Research Reports

SHORTCOMINGS OF THE EU PROPOSAL FOR FREE FLOW OF DATA

INVESTIGATION OF ELECTRONIC DATA PROTECTED BY ENCRYPTION ETC DRAFT CODE OF PRACTICE

Political Science Department Europe Summer Travel Study Program for 2015 Provisional Itinerary and Schedule Buckingham Palace

Telecommunications (Interception Capability and Security) Bill

Arbitration Rules. Administered. Effective July 1, 2013 CPR PROCEDURES & CLAUSES. International Institute for Conflict Prevention & Resolution

ELECTRONIC ARTS SOFTWARE END USER LICENSE AGREEMENT SYNDICATE

DOCUMENTARY, VOICE IDENTIFICATION AND E-EVIDENCE -- FOUNDATIONAL REQUIREMENTS W. David Lee Superior Court Judges Fall Conference October 23-26, 2007

ENTRY VISA TO CAMEROON

Georgia Computer System Protection Act

Security Breach Notification Chart

Terms and Conditions Revision January 28, 2019

Section moves to amend H.F. No as follows: 1.2 Delete everything after the enacting clause and insert:

U.S. Customs and Border Protection

Paralegal Section MCLE Meeting DCBA Bar Center Date: November 8, 2017

Results report Missing Persons Act What was this engagement about? The Yukon Government was looking to develop legislation as a mechanism to assist

A BILL. (a) the owner of the device and/or geolocation information; or. (c) a person to whose geolocation the information pertains.

A General Outlines - Questions -

Machine Readable Travel Documents: Biometrics Deployment. Barry J. Kefauver

DRAFT PAPER: DO NOT DISTRIBUTE OR CITE WITHOUT PERMISSION OF AUTHOR. Rights Chipped Away: RFID and Identification Documents. Nicole A.

DEPARTMENT OF VETERANS AFFAIRS SUMMARY: The Department of Veterans Affairs (VA) is proposing to amend its

2 nd Symposium on ICAO-Standard MRTDs, Biometrics and Security

EUROPEAN PARLIAMENT Committee on the Internal Market and Consumer Protection

5/6/2009. E toll Database. Census Database. Database. Database. Consumer Balance and Bill Subscriptions. Mobile Connections.

DEPARTMENT OF JUSTICE. CPCLO Order No Privacy Act of 1974; System of Records

Transcription:

April 4, 2005 Chief, Legal Division Office of Passport Policy, Planning, and Advisory Services U.S. Department of State 2100 Pennsylvania Avenue, NW, 3 rd Floor Washington, D.C. 20037 Re: Comments on RIN #: 1400-AB93 Electronic Passport To Whom It May Concern: Privacilla.org is pleased to make the following comments on the proposed Electronic Passport rule. Privacilla.org is a Web-based think-tank devoted to privacy as a public policy issue. Visitors to the Privacilla site can find hundreds of pages of information and links relating to all aspects of the privacy issue, including privacy fundamentals; commercial privacy including medical, financial, and online privacy; and privacy from government. Privacilla takes a free-market, pro-technology stance towards privacy, placing it at odds, sometimes, with many other privacy advocacy organizations. The Department is likely to find unanimity among privacy advocates on this proposed regulation, however. The proposed Electronic Passport rule is inappropriately cavalier about placing citizens personal information, unencrypted, on an RFID chip that must be carried in order to travel. The use of RFID rather than some other technology or even the status quo is not justified. Rather than following international bureaucratic consensus, the Department of State should lead organizations like the International Civil Aviation Organization toward standards that protect the privacy of all international travelers. Understanding Privacy Privacy has long vexed policy-makers because the term is often used casually to describe many amorphous concepts, including security, fairness, freedom from marketing, and so on. To aid in the examination of privacy issues, Privacilla has put

forward a value-neutral definition of the concept. Privacy is the subjective condition people enjoy when they have the power to control information about themselves and when they have exercised that power consistent with their interests and values. Parsing this definition briefly, privacy is, first and foremost, subjective: One person cannot decide for another that he or she enjoys privacy when that person does not believe it and no regulation can do this either. Privacy relies on having power to control personal information. This goes to whether the legal environment allows a person to take steps that protect personal information from unwanted disclosure. When people have power over personal information, privacy then comes from people s exercise of that power consistent with interest and values. This goes to consumer awareness and market behavior. The Department s proposed regulation falls entirely within the legal environment side of this equation whether consumers may take steps that protect personal information from unwanted disclosure. Because passport regulations condition the exercise of the liberty to travel abroad on information disclosure, travelers do not have legal power to control personal information. This makes it imperative that the Department carefully avoid disclosures and risks of disclosure that Americans find unnecessary and unacceptable. The E-Passport Proposal The proposed Electronic Passport regulation would establish the use of a 64 kilobyte contactless integrated circuit chip with an antenna for storing and communicating citizen data. Though obscured by jargon, we take this to mean a Radio Frequency Identification (RFID) chip. Because encrypted data takes longer to read, the Department intends not to encrypt the information stored on the RFID chip. As noted in the notice of proposed rulemaking, this creates risks of both eavesdropping intercepting the communication between RFID chip and reader in border crossings or skimming activating and reading the RFID chip surreptitiously with a reader, which may happen anywhere a passport is carried. The Department discounts the likelihood of eavesdropping and promises to create an anti-skimming feature before the new passport is implemented. Format is Substance The Department s notice of proposed rulemaking is inappropriately cavalier about placing citizens personal information, unencrypted, on an RFID chip that must be carried in order to travel. The Department should recognize that the format in which data is stored significantly affects the consequences of storing it. To illustrate: A financial statement delivered on paper by U.S. mail carries one set of security and privacy risks. A financial statement

delivered over the Internet carries a different set of security and privacy risks, just as a financial statement delivered via roadside billboard would have a different set. Data on an RFID chip is more easily revealed surreptitiously than data printed on sheets of paper that are folded together. It is not appropriate to leave personal data unencrypted on an RFID chip just because the personal data stored on the passport s electronic chip consists simply of the information traditionally and visibly displayed on the passport data page. This explanation shows that the Department has not thoroughly considered the security and privacy risks of the proposed rule. Why RFID? RFID technologies offer many consumer benefits when used in supply chain management and logistics. With RFID, goods on trucks, in trains, and in warehouses can be inventoried without unloading and digging through pallets and packaging. Embedded in or attached to consumer products, RFID can improve customer convenience by permitting receipt-free returns and suppressing post-sale theft. As a personal identification device, RFID already enables keycard holders to quickly enter secure buildings and pass through toll gates. All these examples are deployments of RFID where consumers either choose or acquiesce to the use of RFID. None are where RFID is legally mandated for entire populations. In most of these implementations, RFID is yet at an early stage of deployment and being used for relatively low-consequence transactions. The notice of proposed rulemaking is singularly deficient in explaining why RFID technology has been selected for passports. A reference to improved port of entry performance suggests that RFID may increase the speed with which U.S. citizens are able to cross international borders. Though efficiency improvements are always nice, the notice does not discuss the severity of the problem with border crossing speeds, nor whether difficulty with reading passport data is a cause of any such problem. The notice does not discuss what incremental timesavings would occur with chips versus present-day optical character readers. If chips save significant time over optical character readers, the choice of a contactless RFID chip over a contact chip is not explained. This particularly needs justification in light of the security and privacy concerns that come with RFID chips that would store personal information unencrypted. The configuration of the RFID chip and reader at border crossings would apparently require the chip to be brought within four inches of the reader, meaning that RFID holds a four-inch advantage over a contact chip. If the Department believes that not having to move passports four inches to make contact with a reader will alleviate congestion at

international borders, it should say so. If it does not believe this, it should select a non- RFID chip at most, and perhaps withdraw the proposal entirely, sticking with optical character recognition. By no means is it satisfactory to promise an unidentified anti-skimming feature before electronic passports are issued. Without an anti-skimming feature already in place, planning and announcing mandatory use of RFID in passports is, at best, premature. Exercise Leadership The Department of State should exercise privacy leadership by withdrawing these proposed modifications to the passport. It should study more carefully what changes to passports, if any, are justified and needed to accelerate border crossings given the security and privacy risks in using RFID chips carrying personal information. The Department should keep in mind that there is no inherent security benefit from using chips. Documents alone are fully susceptible to encryption and other techniques that make them as forgery-proof as any computer chip. The Department of State should resist following the lead of international organizations like the International Civil Aviation Organization on machine readable document standards, or any others, if those organizations would needlessly compromise the privacy and security of international travelers. The United States is unique in its sensitivity to the most consequential privacy concern: privacy from governments. Standards that are set in international bodies, representing the average international view, are not appropriate to apply to Americans, who have a unique love of freedom and privacy. In short, the Department of State should place the privacy interests of American travelers ahead of international cooperation. This will redound not only to the benefit of Americans, but to travelers of all nations whose privacy may be put at risk by use of RFID in government-mandated identification documents. -------------------------- In most applications, Radio Frequency Identification technology holds out tremendous benefits for consumers worldwide. In light of the savings and convenience that will accrue to them, consumers are likely to choose and enjoy, or at least acquiesce to, the benefits of RFID in thousands of different applications. They do not have these options when government mandates RFID, and they are right to reject having this technology forced upon them. It is regrettable that the Department of State would consider using RFID for the tracking of individuals. This action is precipitous given the early stage for the technology and

given consumer concerns about privacy and technology overall. Appropriate reaction against this proposal will have the unfortunate effect of tarring RFID generally. The Department should recognize that RFID is good for products, not people. It should withdraw the proposal to use RFID in passports and make use of the perfectly adequate and acceptable technologies that carry fewer security and privacy consequences and concerns. Thank you for carefully considering these comments. Sincerely, James W. Harper Editor Privacilla.org

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback