by Adam Walser

The criminals new joy with Biometrics is, once you’ve fool the system, your faked fingerprint is made of the same stuff as fruit pastilles, so you can simply dress the evidence on other innocent victim, without letting the victim any chance to hold himself blameless.

LOUISVILLE, Ky. (WHAS11) — A Louisville woman says she was arrested by police, thrown in jail and went to court for crimes she never committed three times in the last year and a half because of her name.  The woman’s name is Melissa Ann Richardson, but she’s not the only woman with that name in Louisville.  Richardson says another Melissa Ann Richardson has been getting in lots of trouble and doesn’t show up for court, which is making her life increasingly difficult.
Whenever Melissa Ann Richardson leaves home, she has to have lots of documentation proving that she’s Melissa Ann Richardson because recently she’s been confused with a different Melissa Ann Richardson.  She is also white, has brown hair, green eyes and an October birthday.  The difference is that Melissa Ann Richardson has been arrested dozens of times for prostitution and drugs. “I don’t see any resemblance and that’s just because I don’t want to be affiliated in any way with prostitution,” said Richardson.
The other Melissa Ann Richardson also has an unfortunate habit of not showing up for court.  Twice last year, Melissa Ann Richardson was arrested, booked and had to go to court for the other woman’s crimes. “They told me that it was done. They typed everything in. The clerk said ‘Okay, we’re sorry. It won’t happen again,’” said Richardson.  However, on Friday, Richardson said it happened again.
She was stopped at a red light in a minivan in West Louisville when a police officer pulled her over and questioned her.  After checking her ID, the officer arrested Richardson on charges she says belong to the other woman.  The other Melissa Ann Richardson apparently even gave officers the first Melissa Ann’s date of birth when she was arrested so it was back to jail.
“Usually it’s only been about eight hours. This past weekend, it was the worst of it. It was 33 hours,” Richardson said.  Police say the mix-ups can happen because right now, pictures aren’t placed on e-warrants, which are displayed on officers’ laptop computers so police rely on the information they’re given. A Louisville Metro Corrections Department spokesperson says it’s standard procedure to use a fingerprint scan on all prisoners who are booked.  It’s unclear as to what happened in the latest case.
As for Richardson, she’ll keep carrying her makeshift purse.  “Thank you for not believing me, but I’m out. And if you arrest me again, I’m gonna get out again. But this time, I’m pursuing a different angle. I’ve called our attorney and we’re gonna go that route,” Richardson said.
Late this afternoon, we learned that part of the problem at the jail is that the records for both Melissa Ann Richardsons were apparently merged, leading them to believe they had the right suspect over the weekend.
We tried to locate the other Melissa Ann Richardson to talk to her about the situation today, but like the police, we weren’t able to find her.

By Spencer Ackerman | August 25, 2010

BAGRAM AIR FIELD, Afghanistan — Don’t think of the U.S. military’s new Detention Facility In Parwan as just a holding pen for suspected insurgents. It’s also an emerging datafarm, storing biometric information on its inmate population. In a country with a shaky commitment to the rule of law, those identifiers could become weapons.

Parwan, with its thousand-or-so detainee population, will become an Afghan-run detention complex next year. By 2014, it’ll become a major Afghan jail, run by the Ministry of Justice to incarcerate convicted criminals, not hold insurgents taken off the battlefield. But Army Brigadier General Mark Martins, who currently runs day-to-day operations at the detention center, explains that there’s a basic problem with Afghanistan’s criminal justice system: It doesn’t have a efficient information infrastructure to identify the people it holds. That’s where he comes in.

Every detainee who comes into Parwan leaves basic information with the Detainee Services Branch during in-processing: Name; father’s name; residence. A mark of any identifying scars, marks or tattoos. Residence of record. After a shower and a medical exam, the DSB scans their irises and collects prints from all of their fingers, rolling their thumbs for a 360-degree view. Its cameras snap five photographs of every detainee’s face. All of this information goes into a military database called the Automated Biometric Information System.

Troops in the field can access the system through a set of portable consoles that the DSB has on hand. The Biometrics Automated Toolset, or BAT, allows troops who detain insurgents on the battlefield to get a quick biometric identification of who they’ve captured, all through talking to the database. One clunky component of it, the Handheld Interagency Identity Detection System (HIIDE), which looks like a big black FunSaver, takes pictures of a captive’s irises, facial features and fingerprints. BATS and HIIDE were used in Iraq, where counterinsurgents like David Kilcullen praised the devices for allowing troops to quickly and positively identify known insurgents during the surge.

But any detective will tell you that a database is only as good as the data it contains. And after 30 years of war, Afghanistan isn’t really in the data-collection game. The U.S. military’s detentions command, known as Joint Task Force-435, is working with the Afghan Ministry of Interior to kick-start an up-to-date records program.

Martins says he and the ministry want “enrollments on 15 percent of fighting-age males,” Afghans between the ages of 14 and 49.  Studies that he’s seen convince him that 15 percent represents a Gladwellian tipping point, allowing the U.S. and the Afghans to match exponentially more latent fingerprints off homemade bombs to Afghans in the system.

But that means biometric information about one million people. And the easiest way to get this information is by locking up a whole lot of Afghans and collecting it against their will, one of the reasons that human rights advocates are wary about the U.S.’s plans to turn over Parwan to the Afghans.

In Iraq, privacy advocates raised similar concerns about weaponizing the biometrics database — essentially, turning it into a military hit list. Afghanistan is filled with corruption, fraud and malicious police officers. Its commitment to the rule of law is, to be charitable, immature. In such a circumstance, a counterinsurgency tool like the biometric database just as easily become predatory, allowing its possessors to take out their political or ethnic rivals and reward their allies. If theWikiLeaks disclosures put Afghans in danger, imagine what iris scans and fingerprints could mean for people who don’t want to pay bribes to crooked cops.

“That’s a policy-significant issue,” Martins admits, “Who holds the data?” According to an October memorandum signed by the U.S. and Afghan governments, the Afghans will. The U.S. might see its collected records become the “biometric component of a national ID” Martins says, good for property ownership records, establishing credit lines and other economic behavior. But first, the biometrics database will be “MOI’s data,” in the hands of the security services — the legacy of ten years of U.S. detention operations in Afghanistan.

Credit: DoD Biometrics

BY D-USA, ON AUGUST 24TH, 2010

As the first results of our Endorsement Survey are arriving, and we feel that we need to clarify one of our questions and share our reasons for opposing a particular law in Oklahoma.

The Pirate Party of Oklahoma is not opposed to the inclusion of an identifying facial picture on drivers licenses issued to Oklahomans. Our drivers license was not created to be an ID card, it’s only purpose was to certify that the carrier of the license passed an examination by the Department of Public Safety and is authorized to operate a motor vehicle in the State of Oklahoma. For a law enforcement official to verify that the bearer of a license is the licensee in question, the official needs to be able to visually compare the person that is in possession of the license to the person the license was issued to. This objective is achieved by taking the picture at the time the license is issued and then printing it on the license.

The process we oppose is the collection of a biometric picture, in addition to biometric fingerprints, whenever a drivers license is being issued. Biometric facial pictures feature a higher resolution than is needed for a small picture on a license. This high resolution picture is then digitized, a biometric template is created, and together with a digital version of your fingerprint this information is stored in a database controlled by the Department of Public Safety.

Including a traditional photograph on your drivers license enables a law enforcement official to physically compare your face to the picture on the license. Taking your picture and adding your biometric profile stored in a database enables the Department of Public Safety to compare this profile to any other picture they want. This is already happening every time you renew your license, or when you change your address and have a new license issued. The Department of Public Safety takes a new biometric photo, converts it to a digital biometric profile, compares it with the previous biometric profile they have stored in your database, and if they match you get a new license.

The problem with technology like this is the always popular mission creep of our Government. Once the State of Oklahoma is in possession of your biometric profile, it can be used for many applications not originally indented by the legislators who wrote the law. Storing your biometric profile enables the state to use automated surveillance to monitor and log the activities of Oklahomans.

Using CCTV cameras already in use in many places, the state will be able to record crowds and use facial recognition software to scan the faces present at the event and match them to stored biometric profiles. Law enforcement officials would be able to use cameras mounted on vehicles to scan all the faces in a particular area and compare them to the database. Law enforcement officials on foot will be able to utilize hand-held video cameras to record your presence at a lawful rally, then scan all the faces and create a log of all people present. In short time the State of Oklahoma will have a database that shows that Oklahoman X was present at the Tea Party Rally, the Gay Pride Parade, and the Thunder playoff games. And by analyzing your past behavior, the state can anticipate your future actions.

While this might sound very futuristic and unlikely to many Oklahomans, we urge you to keep in mind that the same Department of Public Safety that is responsible for storing and using your Biometric Data is currently in the process of implementing an Automated License Plate Recognition System; one requirement of which is the ability to keep a database of the time and location each license plate was seen, even if no crime was committed.

Our Department of Public Safety has already demonstrated that given the opportunity to deploy an automatic system that gives them the ability to track the driving habits of any given vehicle in the state that passed the proposed camera systems, they will store this data even if no unlawful activity exists. This eagerness by the DPS to create a database of lawful activities does not give us much hope that they will be able to restrain themselves when it comes to the opportunity to perform additional monitoring of Oklahomans.

Oklahoma legislators are becoming increasingly aware of the threat created by technology such as this, and HB 2923 is a good example of turning towards the right path. HB 2923 would have deleted the biometric data stored by the Department of Public Safety, as well as requiring a return to non-biometric pictures on our license. If would also have prohibited the implementation of radio frequency identification technology , the use of which will require a separate article all together.

As Oklahomans who are concerned with privacy, and the increasing surveillance of our activities, we need to push our legislators to stop this invasive technology before it reaches a point of no return.

By Demian Bulwa • San Francisco Chronicle | Posted: Monday, August 23, 2010 12:15 am | No Comments Posted

Share

OAKLAND, Calif. • When the 24 Hour Fitness chain recently installed finger scanners as a way of verifying members’ identity, it was a public première of sorts for a powerful and fast-expanding technology — and a test of whether consumers will embrace it.

The scanners, which came to the chain’s 60 Bay Area gyms this month, are a form of biometrics, in which people are recognized through a unique physical quality. Although 24 Hour Fitness checks fingers, biometric devices can verify people’s identity based on the contours of hands, eyes and faces, a voice, even a scent or a style of walking.

The technology has become far more accurate and affordable in recent years, allowing it to move beyond longtime police and military uses and to be hailed as a potential solution to the menace of identity theft.

Corporate America has taken notice, as have privacy advocates, who say consumers ought to tread cautiously into a largely unregulated field.

Many companies now have employees punch in with biometrics. At schools, the devices restrict access or allow students to pay for subsidized lunches. The gym at California State University Chico uses hand scanners, while Walt Disney World scans the fingers of pass-holders. In some countries, finger scanners are built into ATMs.

“It’s just part of our cyber-existence these days,” said Dan Miller, a senior analyst at Opus Research in San Francisco, which has focused on voice verification. “The neat thing about biometrics is that you are the thing that identifies you.”

The novelty of the technology, though, prompted an array of reactions at 24 Hour Fitness. Outside a downtown Oakland gym one morning, many customers said they had signed up without reservation for the new “Cardless Check-in” system, seeing only speed and convenience.

“Why not? It’s cool,” said Michael Nguyen, 38, an engineer from San Jose. “It’s not a big deal.”

But others — some of whom refused to participate in the program, which is voluntary — felt as if they had stumbled into a science fiction plot. They worried that the gym was going to do something sinister with their scan, while admitting they couldn’t think of exactly what that would be.

“The only time I ever saw that before was in the movie ‘Total Recall,’” said Isaac Thomas, 36, a Caltrans worker from Vallejo. He said he had submitted to scanning but added, “Now I’m wondering what they’re going to do with my fingerprint.”

“I did not do it,” said Jenica Babbitt, 35, a social worker from Oakland. “I don’t know why I didn’t do it. It just seems weird.”

Another woman said she was concerned about the scanners but for a different reason: She often sneaks into 24 Hour Fitness under a friend’s membership. She declined to give her name.

Company officials, concerned about the public perception of the scanners, tested them for months at some locations while soliciting feedback from members. They say the reaction was overwhelmingly positive, with just 3 percent of people declining to be scanned during the pilot program.

The officials say they have no ulterior motive. They say the scanners simply allow visitors to show up without a club card and an ID, while preventing nonmembers from sneaking in. The company also saves on paper, plastic and postage, having issued 1.9 million cards last year.

Members using the machines must first enroll, submitting to an initial scan. Then, during visits, they punch in a 10-digit code before placing the pad of one of their index fingers over a small window. Using the code, the system compares the finger to the one that was previously enrolled. False matches, or rejections, are rare, the company says.

The system doesn’t actually store fingerprints of the type that could be compared with prints from a crime scene, officials say. The machines, made by MorphoTrak of Alexandria, Va., map out unique points within the ridges of a finger, then convert that information into a binary code— ones and zeroes — that is encrypted.

If someone were able to crack the encryption, said Gary Jones, MorphoTrak’s senior manager for biometric security products, “it would still be impossible to reverse-engineer the information into a person’s fingerprint image.”

Two privacy experts who have followed biometric technology said that, in isolation, the health club’s program may be perfectly safe. But they said consumers should be certain that biometric scans taken at places such as 24 Hour Fitness are stored securely and not used for any other purpose.

It is conceivable, they said, that a law enforcement agency could figure out a way to compare fingerprints with a database such as the one kept by 24 Hour Fitness. It’s also possible, they said, that finger scans could be stolen as credit card numbers are.

Jared Kaprove, an attorney who focuses on domestic surveillance at the Electronic Privacy Information Center in Washington, said, “It’s easy to get a credit card reissued, but you can’t get your fingerprints reissued.”

Posted in Medical, National on Monday, August 23, 2010 12:15 am Updated: 11:26 pm.

Why are fast fingerprint matching algorithms not used by the FBI for IAFIS? Ten (10) minutes for a fingerprint match?

Lockheed heads a $1.5 billion project upgrading the FBI IAFIS. The upgrade regarding fingerprints has occurred, and new statistics show full fingerprint matching takes at least 10 minutes when submitted electronically. That’s on a database of 56 million criminal prints, plus nearly 250 million civil prints. How can that be? With commercial matching algorithms available that perform at 20 million fingerprints/sec, it should only take 15 secs, add a few for comm lag. Are the newer algorithms not really reliable, or do Lockheed and the FBI disdain new developments from smaller companies? Why is 10 minutes the best match time from IAFIS?

A man was arrested in Florida for loitering. Police fingerprinted him and electronically submitted his prints to the FBI’s fingerprint database. Within five minutes, Florida police were notified that their loitering suspect was wanted in California on murder charges. California officials were also notified.

The database is fed by more than 86,000 agencies

Our Integrated Automated Fingerprint Identification System responds quickly to requests like this 24 hours a day, 365 days a year, to help our local, state, and federal partners—and our own investigators—solve and prevent crime and apprehend criminals and terrorists.

IAFIS houses some 56 million criminal prints (plus nearly 250 million civil prints) submitted by more than 86,000 criminal justice agencies. Included in our criminal database are fingerprints from 73,000 known and suspected terrorists processed by the U.S. or by foreign law enforcement agencies who work with us.

IAFIS keeps communities safe. There’s no better way to illustrate how IAFIS works than to show how it’s been used. Other recent cases:

• Texas Rangers reported four suspicious individuals along a remote part of the U.S.-Mexico border to the U.S. Customs and Border Protection. Customs took the four into custody and, after determining they were in the U.S. illegally, took their fingerprints and sent them electronically to IAFIS. Lo and behold, there was a hit: one of the men was wanted on murder charges in North Carolina.
• In Virginia, a federal program giving credentials to transportation workers sent a potential employee’s prints to IAFIS. Good thing—the man was wanted by Miami authorities for murder (suffice to say he didn’t get the job!)
• Police in New York City arrested an individual on assault charges. His prints were sent to IAFIS, which sent back word that the man was wanted not only by local authorities in Pennsylvania on murder charges but also by the FBI on unlawful flight charges.

IAFIS’ expanded use. We’re taking part in a pilot project that allows near real-time sharing of prints and other information in IAFIS and the Department of Homeland Security’s Automated Biometric Identification System, or IDENT. This means not only do the FBI and agencies like Customs and Border Protection have the benefit of each other’s biometric information, but also that local, state, and federal agencies using IAFIS have access to certain immigration data relevant to their cases.

We’ve already seen some successes. For example, Border Patrol agents working at a port of entry along the California-Mexico border encountered a man coming from Mexico claiming to be a U.S. citizen but who said he left his alien card at home. Suspicious, the agents fingerprinted the man and sent his prints to the joint IDENT/IAFIS program, which informed them that he was wanted by Los Angeles police on murder, rape, and burglary charges.

What’s ahead for our fingerprint operations? Our Next Generation Identification System will incorporate additional biometrics, like iris and facial imaging and palm prints, to enhance identification of terrorists and criminals even more. Says Tom Bush, who heads our Criminal Justice Information Services Division that manages IAFIS, “IAFIS has been a fantastic tool in support of criminal justice and the war on terror—NGI will give us bigger, better, and faster capabilities, and lead us into the future.”

Resources: IAFIS website

Immigration New Zealand (INZ) has begun fingerprint checks with Australia as part of a biometric programme to strengthen border security and prevent identity fraud.

The programme will expand to include checks with the United Kingdom, Canada and the United States under the umbrella of the Five Country Conference (FCC), which has developed a system for securely – and with substantial privacy safeguards – matching fingerprint biometrics of persons of interest. “Fingerprints of FCC citizens will not be shared“.

The system will help INZ combat fraud and strengthen border security by helping identify, early in the immigration process, people with criminal histories or those using false identities.

“Organised crime groups and illegal migrants are increasingly using identity and passport fraud to evade detection,” says Arron Baker, INZ’s Programme Manager for Identity and Biometrics.

“Biometrics uses technology to improve on traditional checks using names to detect and prevent these people from entering New Zealand. It is a fast, effective and privacy protecting way of quickly facilitating genuine clients while filtering out those who pose risks to New Zealand.”

INZ signed a Memorandum of Understanding (MOU) with the Australian Department of Immigration and Citizenship on 30 June 2010, and is now completing similar agreements with the UK, Canada and the US.

The Department of Labour completed a Privacy Impact Assessment of the system in close consultation with the Office of the Privacy Commissioner. This is available to the public at http://www.immigration.govt.nz.

Canada’s privacy commissioner Jennifer Stoddart is taking legal action against the American Association of Medical Colleges for violating Canadian law governing electronic personal information, the Vancouver Sun reports.

Canadian officials are taking legal action against the storage of biometric information for individuals who take the MCAT test

Students who sign up to take the MCAT test must provide fingerprints and photographs to confirm their identity, as they are more secure than a plastic ID card. The enhanced security protocols ensure individuals do not cheat, helping to maintain a high-standing credibility for the exam.

The information is kept in an electronic database for 10 years to ensure an individual who attends medical school is in fact the same person who originally took the test, the news provider relays.

The storing of biometric data is worrisome to many, as the information could be hacked by an outside source or accessed legally by the U.S. authorities under the Patriot Act – an anti-terrorism mechanism that gives U.S. law enforcement officials the power to access electronic records stored in the country.

The privacy issue continues to hound further adoption of biometric security solutions. Although few people doubt the effectiveness of the technology, there are concerns regarding the storage of private information on electronic databases. In June, a Canadian apartment complex received complaints about a fingerprint scanner used to allow individuals entrance onto the premises, as some people worried about the safety of their information.

POSTMEDIA NEWS – AUGUST 10, 2010 2:02 AM

Canada’s privacy watchdog has gone to court to stop the collection and storage of fingerprints from students who apply to medical schools.

Privacy commissioner Jennifer Stoddart launched legal action in Federal Court last week, accusing the American Association of Medical Colleges of violating the Canadian law that governs electronic personal information.

The association administers the Medical College Admission Test on behalf of schools in the U.S. and Canada. It uses “biometric identity verification” to stop cheating on the tests.

But it also means the fingerprints and photographs of Canadian students who write the MCAT in Canada — even if they plan to attend medical school in Canada — could later be accessed by U.S. authorities under the Patriot Act.

© Copyright (c) The Edmonton Journal

Read more

Third Quarter Fiscal Year 2010 Report to CongressDepartment of Homeland Security Report of the Chief Privacy Officer Pursuant to Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007June 23, 2010

In a country where Nepali’s, Bangladeshis and Pakistani’s can practically walk across the border – why should a terrorist bother to fake a biometric passport?

It could come useful in certain situations. Why would someone like David Headley risk a clandestine crossover, when he could live in the best of hotels, mix in the most hallowed social circles – legally? It’s also a neat trick to shift blame to an Indian citizen, after a terrorist attack.

But an “attack” is not the only thing a cloned biometric passport can be used for. It can also be used to steal your identity. For cheap. If my last post made you believe it’s almost impossible to mess around with a biometric passport, I’m very sorry. Because this one – is about how it’s already been done. With equipment that costs less than ten thousand rupees.

Lukas Grunwald, a German security expert, did it in 2006. British newspapers reported on a similar stunt by Adam Laurie, in 2007. Jeroen Van Beek, a researcher in the Netherlands, actually walked into Amsterdam airport with a fake biometric passport made in the name of Elvis Presley. He was not stopped.

Just Google their exploits – most technically minded terrorists probably already have. Here’s a quick account of how they did it.

A biometric passport has a chip, about the size of the one in your mobile phone SIM. That chip is embedded in a radio transmitter, slightly smaller than your visiting card. The entire unit is then sealed, into the last, thick page of our passports. You’ll get one of these things when you apply to renew your passport.

Effectively – this passport is now a tiny radio transmitter. It emits radio signals at a certain frequency. And over those radio waves, it transmits the information stored in its chip.

If you have a radio scanner listening in on that specific frequency – you can intercept that data. You could be standing ten meters away, you wouldn’t even need to touch the passport. You could read it, then clone it.

I’ll get into the specifics later. But here’s why you should begin to get worried.

1.) Let’s say a terrorist knows he looks a fair bit like you. First, he’d clone all your passport details by eavesdropping on the chip. Then insert his new, cloned chip into a fake paper passport he’s already made.

He’d grow a beard or a pony tail – to confuse the airport guards. When they test his passport on their reader, it wouldn’t ring any alarms – after all it’s a perfect clone of a perfectly valid passport.

When they try to physically cross check his appearance against your facial image stored on the chip, they wouldn’t spot a difference. A biometric facial or fingerprint scanner would have rung alarms – but they’re very expensive and used at very few counters. So a terrorist COULD cross borders – using YOUR passport details.

There is also a psychological problem – if the machine says a passport is OK, airport officials will tend to believe it and drop their guard. They won’t bother to do a more careful physical check. Because that would take more time – and after all wasn’t the biometric passport meant to save time at check in counters?

2.) Or let’s say it’s scamsters who want to target you. The postman or courier boy who delivers your passport home, could copy details from its chip, without even opening the envelope. So could a hotel attendant abroad – when you show him your passport to book a room. Among those details, will be an exact digital copy of the first page of your passport.

This first page is something we often photocopy. We use it as a proof of identity – to open a bank account, to apply for a new phone connection, for a driving license etc. The scamster could send that first page to an Indian bank and open a new account in your name. And funnel in dirty money into it, without you ever knowing.

3.) There’s another loophole in the “Biometric Passport as extra security” scheme. When you walk into a country like the US with your passport, your info is not only scanned and crosschecked – it’s also stored on their servers for a very long time. This supposedly happens to all passports presented at immigration – part of their “War on Terror” is keeping track of the details and frequency of people’s visits.

In theory, a corrupt official in the department could gather your private data and sell it to people on the black market. Right now – someone else can’t easily match your unique biometrics. But technology gets better everyday, so a leak in the department would mean a terrorist could walk around with your identity.

4.) Another pinprick in the “security” angle. At least one researcher has shown how to trigger a small bomb when it comes close enough to radio signals transmitted by a particular country’s passport. Terrorists could also use a similar technique can to single out people of a particular country from a group – and target them for kidnapping/elimination.

It’s not just passports. The technology can be used to eavesdrop and clone other RFID or Radio Frequency Identification Devices. That includes the card you use to get entry into your office, your new driving license and perhaps even the upcoming UID or Universal Identity card.

Getting back to the passports. Inexpensive Radio Frequency scanners can easily be bought online. You could also build one by modifying the Bluetooth receiver on your PC. Software like Golden Reader, that let you communicate with a passport chip, are easily available on the net. The International Civil Aviation Organization or ICAO – the nodal agency behind the biometric passport movement, has it on its website.

When held over a passport reader at the airport, the chip and the reader first challenge each other with a code. Once each is satisfied the other’s a genuine party – the chip transmits the info it carries to the reader.

To prevent people from eves-dropping on this exchange, the designers of biometric passports used a simple trick. They printed a twenty four character, two line strip of data on one of the pages of the passport.

This “Strip” is called a “Machine Readable Zone”, or MRZ. Only after swiping this strip through a machine, would the passport reader be able to generate a valid challenge that the passport chip would respond to. So whoever wants to read the passport, would have to have it open, in his hand.

Smart. The problem is, the characters they’ve decided to print on that strip. Your date of birth, your passport number, its date of expiry and so on – in a specific pattern.

Clever programmers can guess those details. Your DOB, they find from sites like Facebook. From public databases online – they observe patterns in a long series of passport numbers. They also find out the number of passports issued everyday in the country.

They feed all that research into a maths formula that’s often used by companies to generate things like random credit card numbers. And crack the MRZ of your passport, on a normal home PC, in under two hours. The big expense – about Rs 10,000 for a radio scanner. With the MRZ code, a terrorist or scamster can suck data from your chip, standing upto ten meters away at the check in counter.

Governments could of course put in place a more complex passport numbering system. But though such demonstration attacks have been widely reported in the foreign press, they haven’t moved on this yet.

When someone like a postman has the luxury of holding your physical passport in his hand, he can suck it dry with another trick. He swipes the passport against his radio scanner many, many times.

The more the number of swipes, the higher the chance of the computer mathematically guessing the security code. In an ATM, if you enter the wrong code thrice – you’re locked out and can’t withdraw any money. A similar safety feature hasn’t yet been built into these passport chips.

A small backgrounder on how all this started in the first place. After 9/11, America decided that all foreigners entering its borders would need to have machine readable passports with biometrics – on the assumption that these would be tough to forge.

It demanded this of the 27 countries that had a visa waiver agreement with it. Most of Europe fell in line and soon, the rest of the world.

After researchers publicly carried out attacks on these passports, FIDIS, or the “Future of Identity in the Information Age” – a European Union funded body called the technology used in them “poorly conceived”.

“European governments have forced their citizens to adopt documents which dramatically reduce their security and privacy and increase the risk of identity theft.”

The Indian Government however – doesn’t seem to have listened.