funsec mailing list archives

[privacy] DHS privacy office slams RFID technology


From: "Richard M. Smith" <rms () bsf-llc com>
Date: Thu, 18 May 2006 08:45:23 -0400

DHS privacy office slams RFID technology 
By Wilson P. Dizard III, GCN Staff
05/17/06 -- 03:52 PM
http://www.gcn.com/online/vol1_no1/40808-1.html

The Homeland Security Department's Privacy Office has issued a draft
report from a technology analysis group that strongly criticizes the
personal privacy and security risks of using radio frequency
identification device units for human identification and says the
technology offers little performance benefit over competing methods. 

The Privacy Office is seeking comments on the report, which are due by
May 22. 

The department's Emerging Applications and Technology Subcommittee of
the Data Privacy and Integrity Advisory Committee prepared the report,
which is titled "The Use of RFID for Human Identification." 

The critical report comes against the background of a continuing debate
within the department over the security and privacy issues surrounding
the use of RFID technology to identify people at border crossings. 

State and DHS are considering the benefits of establishing a single RFID
standard for an array of border-crossing credentials. They include: 

      * The SENTRI and Nexus trusted traveler cards
      * The "laser visa" Mexican Border Crossing Card
      * The Free and Secure Trade card for truck drivers
      * The People Access Security Service card now being developed will
        comprise a "passport-lite."


In addition, the U.S. Visit program is promoting the use of nonsecure
RFID technology to identify foreigners carrying I-94 immigration forms
as they leave the country. 

But the draft report roundly condemns RFID technology, stating that it
can be used to monitor human behavior. The report endorses the use of
RFID for miners and firefighters in dangerous situations. 

"Most difficult and troubling is the situation in which RFID is
ostensibly used for tracking objects (medicine containers, for example)
but can in fact be used for monitoring human behavior," the report
states. 

"For these reasons, we recommend that RFID be disfavored for identifying
and tracking human beings," the report continues. "When DHS does choose
to use RFID to identify and track individuals, we recommend the
implementation of the specific security and privacy safeguards described
herein." 

The report goes on to specify various ways in which information stored
on RFID tags can be compromised or improperly used for human
surveillance. It notes that RFID units can slightly reduce the delay
when people pass through checkpoints, but says "Against these small
incremental benefits of RFID are arrayed a large number of privacy
concerns." 

The report proposes methods to be used when deciding whether or not to
use RFID technology and best practices to maintain privacy in RFID
systems used to track humans. 

Industry representatives have been at pains to distinguish between
insecure RFID technology and the secure technology that they refer to as
contactless smart cards. Both technologies use radio frequency
transmission to transfer data. 

Neville Pattinson, director of Technology & Government at Axalto Inc. of
Austin, Texas, offered a representative comment from the smart-card
industry. He welcomed the public comment period on the report. 

"It's inappropriate to use RFID technology for tracking and
authenticating identities of people," Pattinson said. 

"You can think of RFID as an insecure barcode with an antenna. In
contrast, not everything that uses radio frequencies is RFID," Pattinson
wrote in an e-mail comment on the report. 

"Wireless computers and mobile phones use radio frequencies too, but
they're secure devices because they contain computers and are securely
associated with individual identities over networks," he wrote. 

According to Pattinson, contactless smart-card technology is not the
same as RFID. He compared contactless smart cards to secure wireless
computers. 

"Contactless smart cards are suitable for identifying individuals
because the technology has all of the security features to protect the
privacy of the individual and secure the identity of the individual in
identification applications," Pattinson wrote. "Contactless smart cards
are the appropriate technology to uphold privacy and security." 

_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy

