Here is a story in CGN.com on a new report from Homeland Security on the privacy implications of RFID. 

The Homeland Security Department’s Privacy Office has issued a draft report from a technology analysis group that strongly criticizes the personal privacy and security risks of using radio frequency identification device units for human identification and says the technology offers little performance benefit over competing methods.

The Privacy Office is seeking comments on the report, which are due by May 22.

The department’s Emerging Applications and Technology Subcommittee of the Data Privacy and Integrity Advisory Committee prepared the report, which is titled “The Use of RFID for Human Identification.”

The critical report comes against the background of a continuing debate within the department over the security and privacy issues surrounding the use of RFID technology to identify people at border crossings.

State and DHS are considering the benefits of establishing a single RFID standard for an array of border-crossing credentials. They include:

  • The SENTRI and Nexus trusted traveler cards
  • The “laser visa” Mexican Border Crossing Card
  • The Free and Secure Trade card for truck drivers

The People Access Security Service card now being developed will comprise a “passport-lite.”

In addition, the U.S. Visit program is promoting the use of nonsecure RFID technology to identify foreigners carrying I-94 immigration forms as they leave the country.

But the draft report roundly condemns RFID technology, stating that it can be used to monitor human behavior. The report endorses the use of RFID for miners and firefighters in dangerous situations.

“Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example) but can in fact be used for monitoring human behavior,” the report states.

“For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings,” the report continues. “When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.”

The report goes on to specify various ways in which information stored on RFID tags can be compromised or improperly used for human surveillance. It notes that RFID units can slightly reduce the delay when people pass through checkpoints, but says “Against these small incremental benefits of RFID are arrayed a large number of privacy concerns.”

The report proposes methods to be used when deciding whether or not to use RFID technology and best practices to maintain privacy in RFID systems used to track humans.

Industry representatives have been at pains to distinguish between insecure RFID technology and the secure technology that they refer to as contactless smart cards. Both technologies use radio frequency transmission to transfer data.

Neville Pattinson, director of Technology & Government at Axalto Inc. of Austin, Texas, offered a representative comment from the smart-card industry. He welcomed the public comment period on the report.

“It’s inappropriate to use RFID technology for tracking and authenticating identities of people,” Pattinson said.

“You can think of RFID as an insecure barcode with an antenna. In contrast, not everything that uses radio frequencies is RFID,” Pattinson wrote in an e-mail comment on the report.

“Wireless computers and mobile phones use radio frequencies too, but they’re secure devices because they contain computers and are securely associated with individual identities over networks,” he wrote.

According to Pattinson, contactless smart-card technology is not the same as RFID. He compared contactless smart cards to secure wireless computers.

“Contactless smart cards are suitable for identifying individuals because the technology has all of the security features to protect the privacy of the individual and secure the identity of the individual in identification applications,” Pattinson wrote. “Contactless smart cards are the appropriate technology to uphold privacy and security.”

I have looked into the contactless cards and it appears they can be programmed to be compatible with the Laws, especially Law 4. But as the industry moves towards contactless cards, their very flexibility will make it hard to discern which specific implementations obey the Laws, and which ones don't. It's my view that we will need a set of objective criteria which contactless cards will have to meet in order to be deemed acceptable, and these criteria will have to be broadly vetted by the privacy community before moving forward.

This said, it is most encouraging to see Homeland Security paying so much attention to these issues, which deeply affect not only our privacy, but our individual security.

Published by

Kim Cameron

Work on identity.