News & Analysis
Neville Pattinson protects passport privacy
Junko Yoshida
11/8/2012 8:53 AM EST
e-passport trial
Pattinson had clearance to observe the test as a smart card vendor representative. Before the scheduled trial, he advised the American Civil Liberties Union about the potential privacy problems. At the NIST test, the ACLU’s academic expert proved that an electronic reader equipped with an antenna could lift "an exact copy of digitally signed private data" from a contactless e-passport chip located 30 feet — or 360 inches — away.
Pattinson called EE Times and went public with the NIST test results.
At a time when bureaucrats at ICAO, the Department of Homeland Security and the State Department were doing their best to dodge privacy issues in the interest of “national security,” Pattinson helped prove to the government’s own testers that the e-passport system would be insecure "unless the government reconsiders its current position and decides to add a … mechanism beyond the digital signature to its e-passport,” as he told EE Times after the test.
Influencing policy makers is easier said than done, especially if you’re just an engineer. It’s more convenient to swallow your misgivings and complain around the water cooler about clueless bureaucrats and political expediency. Afterward, you get to say, “I told you so.”
Or you can marshal all the ammunition at your disposal to get your point across, as Pattinson did. “In a way, yes, I orchestrated the demo at the NIST trial,” he says. After the trial, he sat down privately with Frank Moss, the State Department's deputy assistant secretary for passport services, and told him, “You’ll be a hero if you change your mind about this now.”
In the end, the State Department amended the e-passport proposal to include BAC, which requires authentication before a tag can be read and encryption of data sent over the air, as well as an electromagnetic shield built into the e-passport that mitigates the threat of skimming. Today, those mechanisms are standard security for e-passports in 21 countries.
Click on image to enlarge.
In 2004, Gus Hosein, then a fellow at the London School of Economics and a senior fellow at advocacy group Privacy International, told EE Times: "At some point, [technology] vendors need to rein in the deepest wishes of government officials who are neither experts in privacy nor have a sufficient understanding of technology and law.”
As the United States galloped headlong toward an e-passport system that threatened to open more holes than it closed, Neville Pattinson pulled back on the reins. Quietly, courageously and with a bit of guile, he got the national security establishment to reverse course.
Which, as we all know, is impossible.
Pattinson had clearance to observe the test as a smart card vendor representative. Before the scheduled trial, he advised the American Civil Liberties Union about the potential privacy problems. At the NIST test, the ACLU’s academic expert proved that an electronic reader equipped with an antenna could lift "an exact copy of digitally signed private data" from a contactless e-passport chip located 30 feet — or 360 inches — away.
Pattinson called EE Times and went public with the NIST test results.
At a time when bureaucrats at ICAO, the Department of Homeland Security and the State Department were doing their best to dodge privacy issues in the interest of “national security,” Pattinson helped prove to the government’s own testers that the e-passport system would be insecure "unless the government reconsiders its current position and decides to add a … mechanism beyond the digital signature to its e-passport,” as he told EE Times after the test.
Influencing policy makers is easier said than done, especially if you’re just an engineer. It’s more convenient to swallow your misgivings and complain around the water cooler about clueless bureaucrats and political expediency. Afterward, you get to say, “I told you so.”
Or you can marshal all the ammunition at your disposal to get your point across, as Pattinson did. “In a way, yes, I orchestrated the demo at the NIST trial,” he says. After the trial, he sat down privately with Frank Moss, the State Department's deputy assistant secretary for passport services, and told him, “You’ll be a hero if you change your mind about this now.”
In the end, the State Department amended the e-passport proposal to include BAC, which requires authentication before a tag can be read and encryption of data sent over the air, as well as an electromagnetic shield built into the e-passport that mitigates the threat of skimming. Today, those mechanisms are standard security for e-passports in 21 countries.
Click on image to enlarge.
In 2004, Gus Hosein, then a fellow at the London School of Economics and a senior fellow at advocacy group Privacy International, told EE Times: "At some point, [technology] vendors need to rein in the deepest wishes of government officials who are neither experts in privacy nor have a sufficient understanding of technology and law.”
As the United States galloped headlong toward an e-passport system that threatened to open more holes than it closed, Neville Pattinson pulled back on the reins. Quietly, courageously and with a bit of guile, he got the national security establishment to reverse course.
Which, as we all know, is impossible.
|
|
|
|
|
Navigate to related information