Pattinson had clearance to observe the test as a smart card vendor
representative. Before the scheduled trial, he advised the American
Civil Liberties Union about the potential privacy problems. At the NIST
test, the ACLU’s academic expert proved that an electronic reader
equipped with an antenna could lift "an exact copy of digitally signed
private data" from a contactless e-passport chip located 30 feet — or
360 inches — away.
Pattinson called EE Times
and went public with the NIST test results
a time when bureaucrats at ICAO, the Department of Homeland Security
and the State Department were doing their best to dodge privacy issues
in the interest of “national security,” Pattinson helped prove to the
government’s own testers that the e-passport system would be insecure
"unless the government reconsiders its current position and decides to
add a … mechanism beyond the digital signature to its e-passport,” as he
told EE Times
after the test.
Influencing policy makers
is easier said than done, especially if you’re just an engineer. It’s
more convenient to swallow your misgivings and complain around the water
cooler about clueless bureaucrats and political expediency. Afterward,
you get to say, “I told you so.”
Or you can marshal all the
ammunition at your disposal to get your point across, as Pattinson did.
“In a way, yes, I orchestrated the demo at the NIST trial,” he says.
After the trial, he sat down privately with Frank Moss, the State
Department's deputy assistant secretary for passport services, and told
him, “You’ll be a hero if you change your mind about this now.”
the end, the State Department amended the e-passport proposal to
include BAC, which requires authentication before a tag can be read and
encryption of data sent over the air, as well as an electromagnetic
shield built into the e-passport that mitigates the threat of skimming.
Today, those mechanisms are standard security for e-passports in 21
Click on image to enlarge.
2004, Gus Hosein, then a fellow at the London School of Economics and a
senior fellow at advocacy group Privacy International, told EE Times
"At some point, [technology] vendors need to rein in the deepest wishes
of government officials who are neither experts in privacy nor have a
sufficient understanding of technology and law.”
As the United
States galloped headlong toward an e-passport system that threatened to
open more holes than it closed, Neville Pattinson pulled back on the
reins. Quietly, courageously and with a bit of guile, he got the
national security establishment to reverse course.
Which, as we all know, is impossible.