Well flipping duh.

Most newly issued passports carry an embedded RFID containing digitally signed biometric information. Access to this chip is wireless, which introduces a security risk, the possibility that an attacker might be able to access data on a person’s passport without the owner knowing.

It's this reason that putting RFID in passports was such a stupid idea to begin with. Put wireless into any system that protects private information and watch the world come crashing down around you.

I'm not saying that it's impossible to secure a system using wireless, but it takes a whole hell of a lot more effort that was put into the passports system.

Anyway, now that someone has proven this is viable, those fears that someone can just scan a crowd and find the Americans to target have been entirely validated.

In what was a colossally stupid decision, the US put RFID chips in passports. Oh wait, this article is about the outsourcing! Right.

In what was another colossally stupid decision, the US is now outsourcing the production of RFID passports.

A university has hacked the encryption of an RFID chip maker who's contactless smartcard applications include fare collection, loyalty cards, and access control cards.

Washington state passed an anti-RFID law that's unfortunately far weaker than it should be.

The Washington legislation outlaws the use of RFID "spy technologies" to collect consumer information without the owner's consent. The only problem is, heavy corporate lobbying narrowed the scope of the law (before Governor Gregoire signed it) to cover only criminal acts such as fraud, identity theft, or "some other illegal purpose" (making it a Class C felony to do so). Collecting information from consumer RFID chips for marketing purposes in Washington—with or without the owner's consent or even knowledge—is still fair game.

Oh well. I suppose it's a start.

Caspian just released a paper documenting the research showing the causal link between RFID implants and cancer in lab animals. The reason they issued this report is because of the recent news press about the issue. They wrote and issued this report because "a lot of misinformation about the cancer research has circulated since [the original cancer research] was published". Damage control by Verichip perhaps?

In almost all cases, the malignant tumors, typically sarcomas, arose at the site of the implants and grew to surround and fully encase the devices.

That's not subtle is it? Neither is this:

Either VeriChip and the makers of HomeAgain actually don't understand the difference between a benign fibroma and a malignant fibrosarcoma," noted Dr. Albrecht, "or they're deliberately lying to the public. Either way, it's clear they can't be trusted. We hope our new report will set the record straight.

Check out the "Recent Industry Misstatements about Implant-Cancer Research" section near the bottom of the page for specific examples of lies/ignorance told by chip makers and CASPIAN's factual rebuttals.

Nothing like treating people like animals to be tagged and tracked. Of course, it's much easier to start by tracking kids because they don't have much choice in the matter and when they grow up, they'll be less resistant to the practice. Enter surveillance society…

But let's not get ahead of ourselves. They portray the tests as successful, but as Bruce Schneier points out, "So now it's easy to cut class; just ask someone to carry your shirt around the building while you're elsewhere."

Or how about, "it's easy to get someone you hate in trouble by wearing their uniform for a few minutes while vandalizing the teacher's lounge."

Or "We had no idea that constantly bombarding students with radio frequencies in closed spaces during their formative years would lead to these kinds of mutations! Mrs. Johnson, you can't honestly expect us to pay to have Timmy's third arm removed can you?"

I love how companies start implementing RFID without any thought to the consequences.

Because Walmart isn't addressing the privacy concerns with rfid, I can't help but cheer when I hear their efforts to get RFID into all their products has failed.

Wal-Mart's change of plan demonstrates the need for retailers and suppliers alike to tread carefully with RFID. As retailers such as Best Buy have observed, widespread adoption is still years, not months, away. At the same time, some of the greatest benefits may not be in applications first thought to be ripe for the technology, such as automating distribution centers. Instead, retailers are finding early gains closer to the sales floor, where they are using RFID to track consumer buying patterns and ensure products are on shelves in time for promotions.

It used to be that Walmart's market power was so high that they could force anything they wanted, but I guess that's starting to slip a little.

(H/T to Slashdot for the link)

The Consumerist reports that one of their readers asked for a non-RFID credit card from American Express. Granted, they only disabled contactless transactions in their database and did not issue him a spychip-free card, but one of the commenters said that they were able to do so with Washington Mutual.

It never hurts to ask, but it can certainly hurt to not.

Of course, you could just physically disable the RFID with a hammer, drill, or knife.

From the Washington Post:

When the U.S. Food and Drug Administration approved implanting microchips in humans, the manufacturer said it would save lives, letting doctors scan the tiny transponders to access patients' medical records almost instantly. The FDA found "reasonable assurance" the device was safe, and a sub-agency even called it one of 2005's top "innovative technologies."

But neither the company nor the regulators publicly mentioned this: A series of veterinary and toxicology studies, dating to the mid-1990s, stated that chip implants had "induced" malignant tumors in some lab mice and rats.

Glaring omission anyone? The FDA's not talking and anyone else involved says they hadn't read the study. Given that it's the FDA's job to find relevant studies and that the studies about the cancer link were widely available, it seems that something dirty has happened. Of course, the FDA hasn't actually done its job in years.

First they banned rfid tagging of school kids. Now they're fully banning forced RFID implantation of workers.

Tackling a dilemma right out of a science fiction novel, the state Senate passed legislation Thursday that would bar employers from requiring workers to have identification devices implanted under their skin.

Well let's hear it for common sense. But of course, there's always this guy:

Nine senators opposed the measure, including Bob Margett (R-Arcadia), who said it is premature to legislate technology that has not yet proved to be a problem. "It sounded like it was a solution looking for a problem," Margett said. "It didn't seem like it was necessary."

Well, "Bob", maybe it's common practice for legislators to be behind the times and not have the foresight to solve a problem before it comes, but it would be nice if that weren't the case. Most of security is in prevention.

(H/T to Slashdot for the link)

Here's something that will become a catalyst for a lot of bad things, a tiny generator that could be used to replace batteries in devices that are hard to reach. Why is this a problem? Think "hidden wireless camera". Think "active RFID tag that lasts forever". Oh man…

This might actually be good news. First, it's only data on their employees instead of countless numbers of innocent people. Second, VeriSign is not that nice of a company. And most importantly, they are responsible for VeriChip, the spinoff company that is responsible for pushing human implanted RFID.

Maybe a little ID theft (or worrying about it) will be a good wakeup call for them and they'll be a little more sympathetic to the "privacy nuts" who are constantly fighting them and everything they do.

Verichip is the first major company to try to make a market out of implanting people with a hard to remove tracking device. They tout it as a "security" device in that it can be used for proximity detection in sensitive areas and can be used to link to medical information in an emergency where the patient can't speak for themselves (for a yearly fee of course).

Considering that the chips actaully weaken security, are hard to remove, and basically destroy all privacy you might have had, I find it hard to understand why people would consider this.

Anyway, there's a good summary of the Verichip company here.

The people over at CASPIAN have warned about how companies are trying hard to get RFID tags into all their products without people knowing. Well, now they will. The anti-theft tags that nearly every product currently has will be combined with RFID technology so that nearly every item you walk out of the store with will also transmit a unique identifying number to any reader nearby. Theives, marketers and big brother are salivating.

You don't believe that companies are desperately interested in what you do every waking moment? Then you haven't been paying attention.

From the "thank god someone is paying attention" department, California is working on a bill to ban RFID chipping kids.

Legislation approved Monday would prohibit public schools from requiring the implementation of radio-wave devices that broadcast students' personal identification and monitor their movement around campus — information the mechanical horrors could theoretically use to turn our children into livestock.

…

More RFID bills led by Simitian are currently being sent through California committees. One bill places a similar temporary ban on RFID technology in California driver's licenses. Another will place privacy safeguards on any existing RFID-enabled government IDs. Simitian also has led a bill that would restrict forced RFID chip implants in people.

Nice. Yeah, California!

For those who weren't paying attention, fears of child abduction and abuse are fairly overblown.

Although statistics show that rates of child abduction and sexual abuse have marched steadily downward since the early 1990s, fear of these crimes is at an all-time high. Even the panic-inducing Megan's Law Web site says stranger abduction is rare and that 90 percent of child sexual-abuse cases are committed by someone known to the child. Yet we still suffer a crucial disconnect between perception of crime and its statistical reality. A child is almost as likely to be struck by lightning as kidnapped by a stranger, but it's not fear of lightning strikes that parents cite as the reason for keeping children indoors watching television instead of out on the sidewalk skipping rope.

Why is this important? Because companies that want humans to accept RFID implantation will try to use fears of child abduction to sell their products. The industry wants this badly (and possibly the government too), because once people begin implanting children, no one will get them removed as adults and eventually, every citizen will have them. Once we are all tagged, we can be tracked whereever we go and whatever we do. Imagine how easy it is to control and manipulate people once you know all that about them.

(H/T to Schneier's Blog for the link).

From the "don't forget we're people, not products" department, North Dakota is the second state to ban forced RFID implantation. However, even if this is a step in the right direction, does it do enough? It doesn't ban voluntary implantation and last I checked a lot of things that aren't really "voluntary" are treated such under law. Here's a quote from the article of someone who agrees with me:

But Michael Shamos, a professor who specializes in security issues at Carnegie Mellon University in Pittsburgh, believes the law is too vague to do much good. For instance, it only addresses situations where a chip is injected, even though RFID tags can also be swallowed. And it doesn't clearly define what a forced implant really is; someone could make chipping a requirement for a financial reward.

"Suppose I offer to pay you $10,000 if you have an RFID [chip] implanted?" he asked. "Is that 'requiring' if it's totally voluntary on your part?"

It's a poor example, but the right idea. Instead, what if you are offered a high paying job and move your family to a new state, get settled and begin the orientation process for your new job. You find out that they require RFID implants for "security" (which has been proven to weaken security). How much free will do you have in this instance? Can you really afford not to take the job now? You'd have to have an almost religious mentality to refuse it at this point.

Another example, perhaps not so drastic. Companies push and push and finally get most everyone to use RFID implants as identification and method of payment. Because you're smart enough to know what a bad thing this is, you refuse, but find yourself inconvenienced everywhere. You can only shop at certain stores that still have non-RFID checkout. You pay an extra "cash handling" fee for not using the new methods. You have to drive 20 miles away to the only gas station around that's equiped to take non-RFID transactions.

Is it still a choice?

Note that both Spychips.com and Privacy.org are carrying this story and that Spychips lists Ohio, Colorado, Oklahoma, and Florida as more states with anti-implantation bills in the works. The first state to pass such a bill was Wisconsin (note the same flaw as the ND bill).

Before someone leaves a comment saying "well, you complain, but don't offer solutions!", here's the wording I would add to each of these bills:

There. That's a good start.

This is cool. Some people took an offhand comment from the world's leading RFID privacy expert, Katherine Albrecht, and is trying to make it a reality. Some Dutch researchers are working on a portable RFID shield.

I wonder about their ability to actually block the RFID transmission of a target chip rather than just interfere with the transmission.

The DHS apparently has backed off of the requirement to use RFID in the National ID card. It's a start.

In an act of supreme stupidity and ignorance, Washington state has passed a law allowing residents to purchase an "alternative" drivers license that could be used in lieu of a passport at the Canadian border.

Citing the 9/11 Commission's support for more secure documentation for U.S. entry, Chertoff pointed out that U.S. Customs and Border Protection agents currently must look at more than 8,000 different forms of identification, whether birth certificates, driver's licenses or other documents.

So their answer to the problem?

The alternative license will contain a Radio Frequency Identification chip, commonly known as RFID, which the guard booths will use to scan the license as a traveler or trucker pulls up to the booth. U.S. passports issued since late 2006 already contain RFID chips.

They're going to offer a license that has no shielded covers like passports do that border guards will now just non-chalantly swipe across a reader rather than take the time to inspect. Brilliant. Maybe next, they can just put the readers out for the people in the vehicle to use making it even more convenient. That way, the criminals wouldn't have to bother changing the photo on the ID since no one would be looking anyway.

You'd think no one in Washington has been keeping up with the news about RFID passports.