Here is a story in CGN.com on a new report from Homeland Security on the privacy implications of RFID.
The Homeland Security Department’s Privacy Office has issued a draft report from a technology analysis group that strongly criticizes the personal privacy and security risks of using radio frequency identification device units for human identification and says the technology offers little performance benefit over competing methods.
The Privacy Office is seeking comments on the report, which are due by May 22.
The department’s Emerging Applications and Technology Subcommittee of the Data Privacy and Integrity Advisory Committee prepared the report, which is titled “The Use of RFID for Human Identification.”
The critical report comes against the background of a continuing debate within the department over the security and privacy issues surrounding the use of RFID technology to identify people at border crossings.
State and DHS are considering the benefits of establishing a single RFID standard for an array of border-crossing credentials. They include:
- The SENTRI and Nexus trusted traveler cards
- The “laser visa” Mexican Border Crossing Card
- The Free and Secure Trade card for truck drivers
The People Access Security Service card now being developed will comprise a “passport-lite.”
In addition, the U.S. Visit program is promoting the use of nonsecure RFID technology to identify foreigners carrying I-94 immigration forms as they leave the country.
But the draft report roundly condemns RFID technology, stating that it can be used to monitor human behavior. The report endorses the use of RFID for miners and firefighters in dangerous situations.
“Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example) but can in fact be used for monitoring human behavior,” the report states.
“For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings,” the report continues. “When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.”
The report goes on to specify various ways in which information stored on RFID tags can be compromised or improperly used for human surveillance. It notes that RFID units can slightly reduce the delay when people pass through checkpoints, but says “Against these small incremental benefits of RFID are arrayed a large number of privacy concerns.”
The report proposes methods to be used when deciding whether or not to use RFID technology and best practices to maintain privacy in RFID systems used to track humans.
Industry representatives have been at pains to distinguish between insecure RFID technology and the secure technology that they refer to as contactless smart cards. Both technologies use radio frequency transmission to transfer data.
Neville Pattinson, director of Technology & Government at Axalto Inc. of Austin, Texas, offered a representative comment from the smart-card industry. He welcomed the public comment period on the report.
“It’s inappropriate to use RFID technology for tracking and authenticating identities of people,” Pattinson said.
“You can think of RFID as an insecure barcode with an antenna. In contrast, not everything that uses radio frequencies is RFID,” Pattinson wrote in an e-mail comment on the report.
“Wireless computers and mobile phones use radio frequencies too, but they’re secure devices because they contain computers and are securely associated with individual identities over networks,” he wrote.
According to Pattinson, contactless smart-card technology is not the same as RFID. He compared contactless smart cards to secure wireless computers.
“Contactless smart cards are suitable for identifying individuals because the technology has all of the security features to protect the privacy of the individual and secure the identity of the individual in identification applications,” Pattinson wrote. “Contactless smart cards are the appropriate technology to uphold privacy and security.”
I have looked into the contactless cards and it appears they can be programmed to be compatible with the Laws, especially Law 4. But as the industry moves towards contactless cards, their very flexibility will make it hard to discern which specific implementations obey the Laws, and which ones don't. It's my view that we will need a set of objective criteria which contactless cards will have to meet in order to be deemed acceptable, and these criteria will have to be broadly vetted by the privacy community before moving forward.
This said, it is most encouraging to see Homeland Security paying so much attention to these issues, which deeply affect not only our privacy, but our individual security.