Hi Blog. With the rerelease of an article I wrote last year (I am reading all my old articles in order for the Debito.org Podcast, so listen here or read it here) comes a revisitation of an argument I made about the next-generation “Gaijin Cards” (Zairyuu Kaado), with embedded IC Chips. I expressed a fear that these “smart cards” will be remotely scannable, meaning the NPA will be able to zap a crowd and smoke out who’s foreign or not (whereas Japanese citizens have no legal obligation to carry ID 24/7 backed up with criminal punishment) — or will further justify racial profiling of people like me who look foreign but aren’t.
Techie Eido Inoue, a naturalized J citizen himself, writes here on invitation to address this argument. He was worried that this topic might get a bit geeky (he has in fact made it very readable, thanks), but never mind, this needs to be discussed by people in the know. However, please do read or page down to the end, where I have some basic counterarguments and a scan of something I saw the other day in a travel shop — a “scan proof” pouch for your valuables on sale! Read on.
//////////////////////////////////////////////
EIDO INOUE WRITES:
There has been a lot of concern these days about the use of NFC (near field communications) technology, which is a type of RFID (radio frequency identification), in the successor to the Japanese ARC (alien registration card), the 在留カード {zairyū kādo} (non-Japanese residence card). In this comment, I’ve summed up, per Debito’s request, some of the back and forth Q&A that has been occurring on other blogs:
Q: What sort of wireless technology is in these new cards? Is it reliable? Is it proven?
A: The card’s IC chip will use JIS X 6322 type B standards, which is basically the Japanese translation of ISO 14443 type B standards. This is the exact same international standard used for both Japanese and overseas e-passports, as well as Japanese driver’s licenses and the 住基カード {jūki kādo} (Japanese citizen residency card).
Q: What will be inside these chips?
A: The same information that’s printed outside the card:
* full passport/English legal name, date of birth, sex, nationality & domicile/state/locale
* resident address in Japan
* [visa] status, and status length / expiration date
* visa status grant date
* residency card number and expiration/renewal date
* work restrictions, if any
* any permitted activities outside of visa status
* color photograph
Special Permanent Residents, however, will only have the following on their cards:
* full passport/English legal name, date of birth, sex, nationality & domicile/state/locale
* resident address in Japan
* special permanent resident number and renewal date
* color photograph
Technically speaking, the 在留カード {zairyū kādo} (non-Japanese residence card) will be called and labeled as a 特別永住者証明書 {tokubetsu eijūsha shōmeisho} (Special Permanent Resident Identification [Card]) for people with this status.
[ the only thing that will not be on the chip but on the outside of the card will be the Ministry of Justice’s seal. Note that there’s much less information on this card than the ARC: no passport info, head of household, employer, etc. ]
Non-Japanese that have kanji names with their governments will have the kanji on the cards. In the case that the kanji is Chinese Simplified or Traditional and can’t be represented using Japanese character sets, it will be converted to Japanese form.
[it was not clear from the literature I read what characters were permitted and what were not and what underlying character set encoding, such as JIS X 0208 or Unicode, would be used. It was also unclear to me from reading the literature as to whether non-Japanese without official government registered Kanji names, such as Japanese-Americans or those who just want a Kanji (or kana or hybrid) name, even if it’s 当て字 {ateji}]
Customs/airport officials plan to register / use the alphabet passport form and not the Kanji [even if it’s Japanese] form of the name as inputting / copying the kanji name takes too much time.
Unlike the previous ARC cards, there is no plan to list aliases (either katakana or kanji).
[It does not say how non-Japanese, who have Japanese aliases for anti-discrimination or other purposes, will prove what their registered legal alias is]
Years on the card will be specified in Western (ex. 2010) system, not Japanese (ex. H.22 or 平成22) system. Dates will be in Y M D order, and the fields will be labeled [so you know which is the month and which is the date]. Sex will be specified with a “M” or “F” [as opposed to 「男」, 「女」, 「♂」, or 「♀」].
[This should make the card more comprehensible to non-Japanese officials if you attempt to use it as ID overseas]
If a full name is too long for one line, it will be broken into multiple lines.
[better than the ARC and the Japanese driver’s license, which continued long (ie. Brazilian) names onto the back of the card]
Q: If the information inside the chips is the same as the information written on the outside of the card, what’s the point?
A: Three main points:
1. reduction of data entry errors (no hand copying the info from the card to some other system)
2. speed of processing (depends on the operator, processes, & hardware/software implementation)
3. [primary official reason] preventing the creation of completely bogus identifications using high tech printing, copying and manufacturing technology that is available to even amateurs today.
The info on the chip is digitally “signed” (a certificate validating that no information has been added, changed, or deleted) using PKCS (public-key cryptography standards). So long as the signing key is kept secure by the government, it’s mathematically impossible to recreate a government’s digital signature/certificate associated with a bogus identity. Now, you can clone (that is, copy the certificate along with the entire ID, including the photograph, without adding or removing anything) a digital ID. But that’s not the purpose of the certificate. The signature prevents somebody from creating a bogus ID from scratch. These days, thanks (?) to advances in technology accessibility, most professional and even some amateur forgers can create a phony identity card (“Taro McLovin”), mimicking holograms, blacklight ink, microprint, etc., that is so good it can fool a professional trained inspector.
But even the most powerful governments in the world have yet to break the modern strength digital signature/certificate algorithms — because the best mathematicians, working for the best spook agencies (NIST, NSA) in the world, created the system based on principles of impossible to solve quickly mathematics (ie. using ultra large prime numbers), then publicized all their work to have it checked by the other best mathematicians in the world. Based on what mathematicians have known for literally thousands of years, and taking into account the current state of Moore’s Law, the crypto should theoretically be safe from brute force attack for literally eternity. Where things fail is due to errors in implementing the algorithms, or theft/discovery of the secret keys, not in the algorithms themselves.
Anyway, for IDs with digital signature certificates, the forger is going to have no choice but to clone, in its entirety, somebody’s existing digital ID when they make a fake ID. Which means they’re going to have to look an awful lot like the person whose identity they stole because the picture data is calculated with the certificate’s hash. Plus they’re going to have to hope that the identity theft victim didn’t report the ID as stolen / lost or that the victim unknowingly had their ID scanned in a place that would be logically impossible for a followup scan of the cloned card. For example, a digital ID gets scanned in Hokkaidō, then the exact same digital ID with the same serial number gets scanned by another police officer in Fukuoka 5 minutes later; a computer will pick up on that.
Now, if there’s a fingerprint encoded in the chip (which is not the case for Japanese passports or the 在留カード {zairyū kādo} but is true for new European passports) and digitally signed, then even if the fraudster looks like the victim in the digitally signed photograph, they’re out of luck. They can’t remove or change the fingerprint without invalidating the certificate.
Q: Can a civilian or official read my card from a distance?
A: Extremely doubtful. The way the cards work is that while they have no power source of their own; they are powered by a minute amount of power they induce from their radio frequency for no more than a fraction of a second, and this power gives them the strength to produce a very faint signal that can only be practically read reliably by another device that’s less than four or 5cm away. The chips contain power regulators, so even if you send an extra strong signal to the chip in an effort to give the chip more power to work with, it does not produce a stronger return signal.
This is why you can see a lineup of Suica/Pasmo/Icoca/PiTaPa electronic wicket gates in a train station: the radio waves produced by those gates, which are no more than a meter apart, are so faint that each gate can’t hear and interfere with the radio waves being produced by the gates right next to it.
The maximum field range of an ISO 14443 device is less than 10cm. The maximum range that professionals have managed to get out of an ISO 14443 device in a laboratory (meaning neither the card nor the reader can move for a long time, the room’s air is shielded from radio noise, and the lab’s using a very nonstandard reader) is 20cm: the length from the tip of your little finger to the tip of your thumb on an average outstretched hand.
Because the return signal from the chip inside the card is constant no matter how much power you throw at it, the only way you’re going to increase the range is by using a larger antenna. But even then there are limits, as the signal is so weak that it’s literally drowned out by the radio noise that permeates the real world.
Some professionals have speculated that, given a large enough antenna (a very non-portable one; it would need to be mounted and not hand held), it is possible to increase the maximum range of ISO 14443, in a laboratory (not real world) setting, to 50cm: the length from your wrist to your elbow.
Anything longer than 20cm is suspect; anything longer than 50cm is science fiction, in my opinion.
Q: Could a crowd of people (assuming they’re in range of a reader), or even a whole bag of cards, be scanned en masse?
A: Even if it was possible to read ISO 14443 cards from a distance, ISO 14443 is designed to only work with one card at a time. It is not possible to have one reader read multiple cards, have many readers read one card, or have many readers read many cards.
It’s a matter of laws of physics (two signals being in the exact same frequency) and the way the devices were designed. Mobile phones, Bluetooth, and WiFi have very sophisticated and complicated protocols to allow them to share and operate and be individually addressed in a range of airspace, jumping across (sometimes thousands) of frequencies and channels, sometimes using more than one simultaneously, in an elaborate cooperative ballet to prevent two devices from using the exact same airspace at the same time.
ISO 14443, on the other hand, not only doesn’t have these protocols, but in fact was specifically designed to not share airspace with anything else. There are specific fail-safe parts of the protocol that are designed to make the card/reader shut down, back out, and shut up if it detects something else using its airspace for safety/reliability reasons. It also has safety procedures to handle cases where it doesn’t have enough power or a good enough signal to complete a transaction: Everyone knows it’s futile to try to yank away your payment card or try to swipe your card for only a split second in an effort to fool the vending machine into making a transaction without having your balance debited.
If you’ve ever had two Suica Cards and/or a Japanese driver’s license in the same wallet, you know that the readers will refuse to work or will only work with one card. Again, this is not just a limitation of the technology, it is by design.
Q: But what if somehow somebody comes up with way that allows for eavesdropping of a card talking to a reader (from afar or near)? Am I safe?
A: Some people on the Internet have claimed even farther ranges than what we mentioned above: such as detecting the presence of a signal at 20 meters and actually discerning the digital bits at 10 meters. None of these claims have been independently confirmed or verified, and even if we give them the benefit of the doubt and believe for the sake of argument that it’s possible, nobody has shown they can break the cryptography gleaned from real devices in the field in real world situations.
To an eavesdropper, most ISO 14443 cards “sound alike.” This means they all — be it your e-passport or your U.S. Passport Card or your Japanese driver’s license or your FeLiCa based Suica/Pasmo/Icoca/PiTaPa or your PayPass credit card or your Japanese Taspo tobacco age-verification card — talk on the same frequency (13.56 MHz). Furthermore, the transaction that occurs between the reader and the card is encrypted, so even if a bad person had such a clear signal that they were able to discern the individual digital bits going back-and-forth between the reader and card, it would be useless for determining the payload or even the type of card being used in most cases.
Thus, just because the card, either in your hand or concealed in a wallet, of you or the person next to you is or isn’t “squawking” and you are or are not doesn’t mean somebody can figure out that “that person is a foreigner and that person is not” due to the presence or absence of a 13.56 MHz encrypted squawk. That squawk could be anything, from a Japanese passport to a London train commuter Oyster Card.
NOTE: Some security journals have speculated that it may be possible to perform literally a “man-in-the-middle” attack in some cases. This means putting something physically between (the 10cm) space of air between the card and the reader that is big enough to ensure that the reader and card can’t hear each other; the bad spy device acts as a “relay” between the legit card and reader. So when you swipe, you should be absolutely sure you’re swiping the real legit reader and not something placed directly on top of it.
Q: Even if they can’t read the contents of my card, can a civilian or official detect that I’m in possession (or that I’m not in possession) of a 在留カード {zairyū kādo} (non-Japanese residence card) without my knowledge?
A: No. The reason for this is answered both in the previous question and the following question. You could easily fool an eavesdropper into thinking you swiped any arbitrary ISO 14443 Type B card that uses encryption by simply using another, completely different and unrelated ISO 14443 Type B card. You could purchase and carry your own battery powered USB portable [dummy] reader in a purse or bag, for example.
Q: Can a civilian or official read my card without my knowledge if they’re very near or next to me?
A: Japanese [and U.S. and E.U., but not all countries] e-passports, and yes, the new 在留カード {zairyū kādo} (non-Japanese residence card) have BAC (basic access control).
This means you have to know some piece of information that’s either on the card or in your head to read it.
Even if somebody manages to covertly (say, on a crowded train or bus) get a portable skimmer close enough [less than 10cm] to your back pocket, purse, bag, or briefcase to pick up your card, they still need to know some things that are on the card in order to read it.
NOTE: Not all NFC cards and RFID use this extra access control and/or encryption. So you don’t want to carry all your cards unprotected / unshielded in your back pocket. It is possible to obtain special, practical shielded slips for ISO 14443 based technology (tin foil hats sold separately). Some ISO 14443 technology (such as many, including Japanese, passports) already include a shielding envelope or technology integrated into the device. However, the presence of the shielding does not mean that the shielding is the last or only or even best line of defense against skimming; it is merely one component in a suite of many security components for the passport & residency card, already built-in by design, that would have to be compromised. To stay on topic, the NFC cards which are the discussion of the Q&A, such as Japanese passport, driver’s license, and yes, the 在留カード {zairyū kādo} (non-Japanese residence card), do implement and enforce BAC in addition to encrypting their point-to-point sessions with the readers.
Q: Can private enterprises read the IC chip?
A: Yes. The MoJ [Ministry of Justice] plans to publish the specifications for reading information from the card. However, they can’t override BAC (see above) which means a private enterprise would not be able to read your card without your knowledge.
[ This is interesting. The literature I have specifically mentions that society, especially financial institutions and mobile phone companies, needs a reliable domestic photo id for non-Japanese residents. ]
Q: What if the chip isn’t working? What if the private enterprise doesn’t have a reader? Is there an alternative electronic way to verify the card without the chip? Will I be hauled off to the police box if my chip isn’t working?
A: The MoJ [Ministry of Justice] is also going to make a website available for checking cards (which presumably could be accessed by even mobile phone browsers). The website will accept the card’s number and one other piece of information from the card to prevent people from randomly guessing 在留カード {zairyū kādo} (non-Japanese residence card) numbers. The literature suggests that this extra information be the card renewal/expiration date.
Upon submitting the number, the website will simply return 有効 {yūkō} (valid) or 失効 {shikkō} (invalid). To protect private information, no other information (such as name, date of birth, nationality, visa status, etc.) will be returned.
ENDS
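The cloned-card check described in the Q&A above (the same serial scanned in Hokkaidō and then in Fukuoka five minutes later), as an added example that is not part of the original post. The log format, the card serials, the coordinates and the 900 km/h speed ceiling are all assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

# Constructed scan log (not real data): serial, ISO timestamp, latitude, longitude
SCAN_LOG = """\
CARD-0001,2010-06-01T09:00:00,43.0621,141.3544
CARD-0002,2010-06-01T09:01:00,35.6812,139.7671
CARD-0001,2010-06-01T09:05:00,33.5902,130.4017
CARD-0002,2010-06-01T12:30:00,34.7025,135.4959
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def parse_scans(log_text):
    """Return scans as (timestamp, serial, lat, lon), oldest first."""
    scans = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        serial, ts, lat, lon = line.split(",")
        scans.append((datetime.fromisoformat(ts), serial, float(lat), float(lon)))
    return sorted(scans)

def find_clone_suspects(log_text, max_kmh=MAX_KMH, min_km=1.0):
    """Flag serials whose consecutive scans imply a physically impossible trip."""
    last_seen = {}  # serial -> (timestamp, lat, lon) of the previous scan
    alerts = []
    for ts, serial, lat, lon in parse_scans(log_text):
        if serial in last_seen:
            prev_ts, prev_lat, prev_lon = last_seen[serial]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (ts - prev_ts).total_seconds() / 3600
            # Two scans at the same instant in different places also count.
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                alerts.append({"serial": serial, "km": round(km),
                               "minutes": round(hours * 60)})
        last_seen[serial] = (ts, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in find_clone_suspects(SCAN_LOG):
        print(alert)
```

A valid signature on both scans is exactly what a clone produces, so this check works on the scan history rather than on the card contents.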
/////////////////////////////////////////////////////////
COMMENT FROM ARUDOU DEBITO (donning his tinfoil hat):
One conflict I always notice from my side of the spectrum is the inherent mistrust of scientists — when they claim a new technology, open to all manner of theoretical abuses, is “safe”. This is the same camp that tends to blame the scientists on the Manhattan Project for opening Pandora’s Box with The Bomb.
Continuing in that vein in an attempt to contrapose arguments to Eido’s research above, a whole bunch of “what ifs” and “whys” that are not all that unreasonable quickly come to mind:
1) WHAT IF the sacred encryption keys get cracked or leaked somehow? Can happen quite easily, if not in part due to government error, see here. And hackers are forever getting increasingly sophisticated. It’s hard to imagine the “eternity” scenario in a place when it’s techie vs. techie, and one is but a few steps ahead of the other. The risk is too great — once the door is open, identity theft becomes possible.
2) WHAT IF the realm of “science fiction” becomes “science fact”? We once thought manned flight (with or without gravity), or portable computers, or even gigabytes of data stored in tiny places were impossible, but technology, again, has a habit of catching up and deleting the “im” prefix. Encryption notwithstanding, decrypting computers are getting faster and smarter all the time.
3) WHY are foreigners only required to be IDed by private businesses (last two Qs above)? Actually, I can answer that one. Because the NPA feels the irrepressible need to track people that could commit crime. And because they can’t do that to Japanese citizens due to the outrage — witness the flop of the Juuki Netto system. People just don’t want to be forced to carry ID in this society, much less tracked by it. It’s just happening to foreigners because they can’t stop it. And it increases the Japanese police’s power by deputizing the private sector. This is just common sense — give the police anywhere in the world extra power, and they will feel fully justified in using it to accomplish their goals until they’re told they’ve gone too far (and in Japan, they insufficiently are).
4) WHY is that same private sector now advertising preventative measures against RFID technology? Check this out — a scan-proof pouch for your valuables now on sale in travel shops in Japan (seen because I went and renewed my passport on Tuesday):
Unless this is Snake Oil (and Eido himself points out that non-contact scanning is possible), how do we deal with this? By saying that the distance is too small or the definition of the signal is too vague to matter? Again, I will raise the technology argument to say that once the leap is possible, it’s only a matter of degree. This may be tinfoil-hat-ism, but to me it’s like saying, “Don’t worry about The Bomb; if there is fallout from an unlikely attack, there are anti-radiation pills you can take.” Sorry, I don’t believe in having to put the Genie back in the Bottle. Especially since the reasons for this measure are less a technological inevitability than a political necessity (i.e., tightened policing of the only people you can police this way, since society in general wouldn’t dare accept it). If this is scary enough to the general public for it to be used as a preventative marketing ploy, then the foreigners should also count as members of the general public who are entitled to be scared. Just fobbing it off on a “it probably won’t happen” “eternity scenario” ignores the political realities behind these moves.
Alright, I’ll stop there. Let’s have a discussion. Arudou Debito
ENDS