{"id":451,"date":"2006-05-19T04:27:18","date_gmt":"2006-05-19T12:27:18","guid":{"rendered":"\/?p=451"},"modified":"2006-05-19T10:28:52","modified_gmt":"2006-05-19T18:28:52","slug":"homeland-security-privacy-office-slams-rfid-technology","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=451","title":{"rendered":"HOMELAND SECURITY PRIVACY OFFICE SLAMS RFID TECHNOLOGY"},"content":{"rendered":"<p class=\"storybody\"><span class=\"story\"><a href=\"http:\/\/www.gcn.com\/online\/vol1_no1\/40808-1.html\">Here<\/a> is a story in CGN.com on a new report from Homeland Security on the privacy implications of RFID.&nbsp; <\/span><\/p>\n<blockquote><p><span class=\"story\">The Homeland Security Department\u00e2\u20ac\u2122s Privacy Office has issued a draft report from a technology analysis group that strongly criticizes the personal privacy and security risks of using radio frequency identification device units for human identification and says the technology offers little performance benefit over competing methods.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">The Privacy Office is seeking comments on the <a href=\"http:\/\/www.dhs.gov\/interweb\/assetlibrary\/privacy_advcom_rpt_rfid_draft.pdf\" class=\"broken_link\">report<\/a>, which are due by May 22.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">The department\u00e2\u20ac\u2122s Emerging Applications and Technology Subcommittee of the Data Privacy and Integrity Advisory Committee prepared the report, which is titled \u00e2\u20ac\u0153The Use of RFID for Human Identification.\u00e2\u20ac\u009d<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">The critical <a href=\"http:\/\/www.gcn.com\/print\/25_8\/40409-1.html?topic=RFID\">report<\/a> comes against the background of a continuing debate within the department over the security and privacy issues surrounding the use of RFID technology to identify people at border crossings.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">State and DHS are considering the benefits of establishing a single RFID standard for an array of border-crossing credentials. They include: <\/span><span class=\"story\" \/><span class=\"story\"><\/p>\n<ul>\n<li>The SENTRI and Nexus trusted traveler cards<\/li>\n<li>The \u00e2\u20ac\u0153laser visa\u00e2\u20ac\u009d Mexican Border Crossing Card<\/li>\n<li>The Free and Secure Trade card for truck drivers<\/li>\n<\/ul>\n<p>The People Access Security Service card now being developed will comprise a \u00e2\u20ac\u0153passport-lite.\u00e2\u20ac\u009d<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">In addition, the U.S. Visit program is promoting the use of nonsecure RFID technology to identify foreigners carrying I-94 immigration forms as they leave the country.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">But the draft report roundly condemns RFID technology, stating that it can be used to monitor human behavior. The report endorses the use of RFID for miners and firefighters in dangerous situations.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">\u00e2\u20ac\u0153Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example) but can in fact be used for monitoring human behavior,\u00e2\u20ac\u009d the report states.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">\u00e2\u20ac\u0153For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings,\u00e2\u20ac\u009d the report continues. \u00e2\u20ac\u0153When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.\u00e2\u20ac\u009d<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">The report goes on to specify various ways in which information stored on RFID tags can be compromised or improperly used for human surveillance. It notes that RFID units can slightly reduce the delay when people pass through checkpoints, but says \u00e2\u20ac\u0153Against these small incremental benefits of RFID are arrayed a large number of privacy concerns.\u00e2\u20ac\u009d<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">The report proposes methods to be used when deciding whether or not to use RFID technology and best practices to maintain privacy in RFID systems used to track humans.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">Industry representatives have been at pains to distinguish between insecure RFID technology and the secure technology that they refer to as contactless smart cards. Both technologies use radio frequency transmission to transfer data.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">Neville Pattinson, director of Technology &#038; Government at Axalto Inc. of Austin, Texas, offered a representative comment from the smart-card industry. He welcomed the public comment period on the report.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">\u00e2\u20ac\u0153It\u00e2\u20ac\u2122s inappropriate to use RFID technology for tracking and authenticating identities of people,\u00e2\u20ac\u009d Pattinson said.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">\u00e2\u20ac\u0153You can think of RFID as an insecure barcode with an antenna. In contrast, not everything that uses radio frequencies is RFID,\u00e2\u20ac\u009d Pattinson wrote in an e-mail comment on the report.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">\u00e2\u20ac\u0153Wireless computers and mobile phones use radio frequencies too, but they\u00e2\u20ac\u2122re secure devices because they contain computers and are securely associated with individual identities over networks,\u00e2\u20ac\u009d he wrote.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">According to Pattinson, contactless smart-card technology is not the same as RFID. He compared contactless smart cards to secure wireless computers.<br \/>\n<img loading=\"lazy\" height=\"9\" alt=\" \" src=\"https:\/\/www.identityblog.com\/images\/clearpixel.gif\" width=\"1\" border=\"0\" \/><br \/>\n<\/span><span class=\"story\">\u00e2\u20ac\u0153Contactless smart cards are suitable for identifying individuals because the technology has all of the security features to protect the privacy of the individual and secure the identity of the individual in identification applications,\u00e2\u20ac\u009d Pattinson wrote. \u00e2\u20ac\u0153Contactless smart cards are the appropriate technology to uphold privacy and security.\u00e2\u20ac\u009d<\/span><\/p>\n<\/blockquote>\n<p><span class=\"story\">I have&nbsp;looked into&nbsp;the contactless cards and&nbsp;it appears&nbsp;they can be&nbsp;programmed to be compatible with the Laws, especially Law 4.&nbsp;&nbsp;&nbsp;But as the industry moves towards contactless cards, their very flexibility will make it hard to discern which specific implementations obey the Laws, and which ones don&#39;t.&nbsp;&nbsp;It&#39;s my&nbsp;view that we will need a set of objective criteria&nbsp;which contactless cards will have to meet in order to be deemed acceptable, and these&nbsp;criteria will have to be broadly&nbsp;vetted by&nbsp;the privacy community before moving forward.<\/span><\/p>\n<p><span class=\"story\">This said, it is most encouraging to see Homeland Security paying so much attention to these issues, which deeply affect not only our privacy, but our individual security.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Homeland Security report strongly criticizes the personal privacy and security risks of using RFID units for human identification<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/451"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=451"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/451\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}