An AP story nicely summarizes the controversy over the U.S. government’s plan to add RFID chips to U.S. passports, starting in 2005.

The chips will allow the passport holder’s name, date of birth, passport issuance information, and photograph to be read by radio. Opponents claim that the information will be readable at distances up to thirty feet (about nine meters). This raises privacy concerns about government monitoring, for example of attendance at political rallies, and about private monitoring, especially overseas.

I would certainly feel less safe in certain places if I knew that anybody there could remotely identify me as a U.S. citizen. I would feel even less safe knowing that anybody could get my name and look me up in a database or Google me.

A U.S. government representative says that there is “little risk” to privacy “since we plan to store only currently collected data with a facial image.” In other words, they’re going to take information currently available only to people to whom I hand my passport, plus some extra information, and make it available to everybody who comes near me. Gee, that makes me feel much better.

There is some discussion of encrypting the information, or requiring the passport holder to enter a PIN number to unlock the information. Either of these is some help, but unless the system is designed very carefully, it could still allow dangerous leakage of information.

What I don’t understand is why passports should ever be readable at a distance. Passports should reveal their information only to people or devices who can make physical contact to the inside of the passport. Certainly that’s enough for the immigration agent at the airport, or for any official who asks to inspect the passport. If the officials are doing their jobs, they’ll want to see the physical passport and hold it in their hands anyway.

Oddly, the government’s response to concerns about remote passport reading is to try to limit when the passport can be read remotely. They propose storing the passport in a conductive plastic bag that blocks radio signals, or building a conductive screen into the passport’s covers so that it can be read remotely only when the passport is opened. Either approach adds unnecessary risk – the passport might be read by somebody else when it’s opened.

The right solution, which opponents should advocate, is to remove radio tags from passports altogether, and replace them with contact-readable electronic information.

A Xerox engineer says that color printers from Xerox and other companies print faint information in the background of printed-out pages, to identify the model and serial number of the printer that printed the pages. According to a story, the information is represented as a set of very small yellow dots. (We already knew that some printers did this. The article tells us more about how it’s done.)

We have a Xerox color printer here (a Phaser 860). We tried printing out a page and looking for the dots, but we couldn’t find them, even with the aid of a magnifying glass and blue LED light. If anybody can find the dots on their output, please let me know.

There are still several unanswered questions about this scheme:

Do they use encryption, and if so, how? Even if we can find the dots and read out the digital bits they represent, we may not be able to tell what information those bits are encoding. They might be putting the model and serial number onto the page in such a way that we can learn to read them. Or perhaps they are encrypting the information so that we can’t read out the identifying information but we can at least recognize whether two pages were printed on the same printer. Or perhaps they encrypt the information so that we can’t tell anything without having some secret key.

If there is a secret key, who knows it? The key might be disclosed to the government so that they can extract the model and serial number from a page at will. (And if the U.S. government has the key, which other governments do?) Or the key might be known only to the printer vendor, so that the government needs the vendor’s help to decode the dots. If they use public-key cryptography, then the decoding key might be known only to the government and not to the printer vendor.

Do they try to track who buys each printer? If they can extract the serial number, they might want to know who has that printer. They could try to track the passage of each individual printer through the supply chain, to get an idea of who might have bought it. They might also build a database of information gleaned through service calls and warranty registrations.

What we know already is enough to make privacy advocates itchy. It’s probably possible to design a system that raises fewer privacy issues, while still allowing certain limited use of printer-specific marks as courtroom evidence. For example, one could build a system so that somebody who has physical possession of a printer, and physical possession of a printed page, and access to a special crypto key, can tell whether or not that page was printed by that printer, but can’t learn anything else.

One reason for the growing concern about privacy these days is the ever-decreasing cost of storing information. The cost of storing a fixed amount of data seems to be dropping at the Moore’s Law rate, that is, by a factor of two every 18 months, or equivalently a factor of about 100 every decade. When storage costs less, people will store more information. Indeed, if storage gets cheap enough, people will store even information that has no evident use, as long as there is even a tiny probability that it will turn out to be valuable later. In other words, they’ll store everything they can get their hands on. The result is that more information about our lives will be accessible to strangers.

(Some people argue that the growth in available information is on balance a good thing. I want to put that argument aside here, and ask you to accept only that technology is making more information about us available to strangers, and that an erosion of our legitimate privacy interests is among the consequences of that trend.)

By default, information that is stored can be accessed cheaply. But it turns out that there are technologies we can use to make stored information (artificially) expensive to access. For example, we can encrypt the information using a weak encryption method that can be broken by expending some predetermined amount of computation. To access the information, one would then have to buy or rent sufficient computer time to break the encryption method. The cost of access could be set to whatever value we like.

(For techies, here’s how it works. (There are fancier methods. This one is the simplest to explain.) You encrypt the data, using a strong cipher, under a randomly chosen key K. You provide a hint about the value of K (e.g. upper and lower bounds on the value of K), and then you discard K. Reconstructing the data now requires doing an exhaustive search to find K. The size of the search required depends on how precise the hint is.)

This method has many applications. For example, suppose the police want to take snapshots of public places at fixed intervals, and we want them to be able to see any serious crimes that happen in front of their cameras, but we don’t want them to be able to browse the pictures arbitrarily. (Again, I’m putting aside the question of whether it’s wise for us to impose this requirement.) We could require them to store the pictures in such a way that retrieving any one picture carried some moderate cost. Then they would be able to access photos of a few crimes being committed, but they couldn’t afford to look at everything.

One drawback of this approach is that it is subject to Moore’s Law. The price of accessing a data item is paid not in dollars but in computing cycles, a resource whose dollar cost is cut in half every 18 months. So what is expensive to access now will be relatively cheap in, say, ten years. For some applications, that’s just fine, but for others it may be a problem.

Sometimes this drop in access cost may be just what you want. If you want to make a digital time capsule that cannot be opened now but will be easy to open 100 years from now, this method is perfect.

Rebecca Bolin at LawMeme discusses novel applications for the toll transponder systems that are used to collect highway and bridge tolls.

These systems, such as the EZ-Pass system used in the northeastern U.S., operate by putting a tag device in each car. When a car passes through a tollbooth, a reader in the tollbooth sends a radio signal to the tag. The tag identifies itself (by radio), and the system collects the appropriate toll (by credit card charge) from the tag’s owner.

This raises obvious privacy concerns, if third parties can build base stations that mimic tollbooths to collect information about who drives where.

Rebecca notes that Texas A&M engineers built a useful system that reads toll transponders at various points on Houston-area freeways, and uses the results to calculate the average traffic speed on each stretch of road. This is then made available to the public on a handy website.

The openness of the toll transponder system to third-party applications is both a blessing and a curse, since it allows good applications like the real-time traffic map, and bad applications like privacy-violating vehicle tracking.

Here’s where things get interesting. The tradeoff that Rebecca notes is not a necessary consequence of using toll transponders. It’s really the result of technical design decisions that could have been made differently. Want a toll transponder system that can’t be read usefully by third parties? We can design it that way. Want a system that allows only authorized third parties to be able to track vehicles? We can design it that way. Want a system that allows anyone to be able to tell that the same vehicle has passed two points, but without knowing which particular vehicle it was? We can design it that way, too.

Often, apparent tradeoffs in new technologies are not inherent, but could have been eliminated by thinking more carefully in advance about what the technology is supposed to do and what it isn’t supposed to do.

Even if it’s too late to change the deployed system, we can often learn by turning back the clock and thinking about how we would have designed a technology if we knew then what we know now about the technology’s implications. And on the first day of classes (e.g., today, here at Princeton) this is also a useful source of homework problems.