US.gov tunes out scathing RFID privacy report

An external security advisory committee reporting to the US Department of Homeland Security has produced a highlight critical report (PDF) advising against the use of RFID technology in government documents.

But the scathing analysis remains stuck in limbo, as a draft report, while the government pushes ahead with plans to include RFID tags in everything from passport and diving licences to library cards.

The Data Privacy and Integrity Advisory Committee of the DHS concludes that RFID chips are useful in inventory management but aren't suitable for human identification, where privacy issues remain a concern. Using RFID tags to identify miners or firefighters more quickly may be a sensible use the technology. Where the technology falls down is where it's used to verify identity, where the experts reckon it offers little advantage over previous technology while creating the possibility that data held on RFID chips might be intercepted by undesirables.

"RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security," the report states.

--snip--

I. Introduction
The purposes of this paper are to: (1) address the use of Radio Frequency Identification
technology (RFID) by the Department of Homeland Security (DHS) to identify and track
individuals; (2) outline the potential data privacy and integrity issues implicated by this
use of RFID technology; (3) offer guidance to the Secretary of DHS, program managers,
and the DHS Privacy Office on deciding whether to deploy RFID technology to track
individuals; and (4) offer steps to consider in order to mitigate privacy and data integrity
risks when planning to use RFID to identify and track individuals.

II. Executive Summary
Automatic identification technologies1 like RFID have valuable uses, especially in
connection with tracking things for purposes such as inventory management. RFID is
particularly useful where it can be embedded within an object, such as a shipping
container.

There appear to be specific, narrowly defined situations in which RFID is appropriate for
human identification. Miners or firefighters might be appropriately identified using
RFID because speed of identification is at a premium in dangerous situations and the
need to verify the connection between a card and bearer is low.

But for other applications related to human beings, RFID appears to offer little benefit
when compared to the consequences it brings for privacy and data integrity. Instead, it
increases risks to personal privacy and security, with no commensurate benefit for
performance or national security. Most difficult and troubling is the situation in which
RFID is ostensibly used for tracking objects (medicine containers, for example), but can
be in fact used for monitoring human behavior. These types of uses are still being
explored and remain difficult to predict.

For these reasons, we recommend that RFID be disfavored for identifying and tracking
human beings. When DHS does choose to use RFID to identify and track individuals, we
recommend the implementation of the specific security and privacy safeguards described
herein.

IV. The Legal Basis for RFID Use in Human Identification
We know of no statutory requirement that DHS use RFID technology, specifically, to
track people. The major laws, executive orders, and programs under which RFID is being considered or used are either permissive as to technology or not legally binding on the U.S. government.3

In this analysis of RFID as a generic technology, we cannot address all the rights, statutes, and regulations that may limit the use of RFID for human tracking, limit the use of information collected via RFID, or grant individuals rights pertaining to data collected via RFID. When RFID is used for human tracking, the data collected will undoubtedly comprise a “system of records” under the Privacy Act of 1974. People should have at least the rights accorded them by that law when they are identified using RFID. Systems using RFID technology are, of course, also subject to the E-Government Act’s Privacy Impact Assessment requirements.

V. RFID for Human Identification: Clarifying Incorrect Assumptions
A number of DHS programs are premised on the identification of human subjects. At the border in the US-VISIT program, at airports in the CAPPS I program, and at entrances to secure facilities of all kinds, checking identification cards is a routinely used security measure. Behind many of the current ideas for using RFID in human identification is a commonly held misperception that RFID improves the speed of identification. RFID is a rapid way to read data, but RFID does not identify individuals. If RFID is tied to a biometric authentication factor, it can reliably identify human beings; but tying RFID to a biometric authentication negates the speed benefit.

VIII. Conclusion
RFID technology may have a small benefit in terms of speeding identification processes, but it is no more resistant to forgery or tampering than any other digital technology. The use of RFID would predispose identification systems to surveillance uses. Use of RFID in identification would tend to deprive individuals of the ability to control when they are identified and what information identification processes transfer. Finally, RFID exposes identification processes to security weaknesses that non-radio-frequency-based processes do not share.

The Department of Homeland Security should consider carefully whether to use RFID to identify and track individuals, given the variety of technologies that may serve the same goals with less risk to privacy and related interests. Should DHS go forward with RFID to identify and track individuals, a number of practices and recommendations exist to guide program managers. More analysis would be needed of specific RFID-based identification programs, particularly as to collection, maintenance, and use of information collected via RFID.