WASHINGTON —
The Bush administration suddenly finds itself confronting privacy and security issues associated with radio frequency identification technology, an awkward position for a U.S. government aggressively promoting RFID and contributing to a potentially huge commercial market for wireless tracking chips and infrastructure.
While the Department of Defense and the Department of State are going full bore on RFID-as GSM proponents consider jumping on the bandwagon-serious privacy and security vulnerabilities are beginning to surface at the highest levels.
Creating intense controversy is a draft report of the Department of Homeland Security’s Emerging Applications and Technology Subcommittee on the use of RFID for human identification. The draft report, delivered to the full Data Privacy and Integrity Advisory Committee and otherwise in limbo, urged DHS to think twice about embracing RFID to keep tabs on citizens.
“RFID technology may have a small benefit in terms of speeding identification processes, but it is no more resistant to forgery or tampering than any other digital technology,” the subcommittee draft report concluded. “The use of RFID would predispose identification systems to surveillance uses. Use of RFID in identification would tend to deprive individuals of the ability to control when they are identified and what information identification processes transfer. Finally, RFID exposes identification processes to security weaknesses that non-radio-frequency-based processes do not share.”
As such, the draft report recommended that the DHS “should consider carefully whether to use RFID to identify and track individuals, given the variety of technologies that may serve the same goals with less risk to privacy and related interests.”
Jim Harper, a privacy expert at the Cato Institute and a member of DHS’ Data Privacy and Integrity Advisory Committee, has been quoted as claiming that political operatives attempted to quash the subcommittee draft report on RFID human identification.
Larry Orluskie, a DHS spokesman, declined to comment on Harper’s claim. Orluskie said the full committee continues to solicit comment on the subcommittee’s draft report and that the full committee is scheduled to meet on Dec. 6. The agenda for that meeting has yet to be set.
“Governments must stop promoting uniform identifiers, identification requirements, and data collection,” writes Harper in his book Identity Crisis: How Identification is Overused and Misunderstood. “Then, each of us pursuing our own interests can guide the private sector toward serving our identification and information interests in the best possible way.”
2004 test flaws?
Last week, the Electronic Privacy Information Center posted on its Web site a document obtained from the State Department purportedly showing that 2004 government tests found passports with embedded RFID chips were read significantly less successfully than the previous machine readable zone technology (two lines of text printed at the bottom of the first page of a passport that includes name, passport number, two check digits, nationality, date of birth, sex, passport expiration date and personal identity number).
Meantime, researchers at the University of Massachusetts at Amherst have found widely deployed first-generation RFID-enabled credit cards are susceptible to privacy invasion and relay attacks.
A 2005 Government Accountability Office report revealed scores of federal agencies have begun to implement or plan to pursue use of RFID technology to track military gear, baggage on flights and other assets, even though privacy mitigation measures-such as use of tag deactivation mechanisms, blocking technology and an opt-in/opt-out framework for consumers “remain largely prospective.”
Jim Dempsey, policy director of the Center for Technology & Democracy, said RFID technology is being rolled out by government and the private sector before privacy and security issues have been adequately addressed. “And that’s a disaster,” he said.
RFID technology has been touted by retail giant Wal-Mart Inc., DoD and others for its potential to vastly improve supply-chain management, with other potential applications envisioned for healthcare, agriculture, hazardous materials management, logistics and goods transport, public transport and library systems.
U.S. officials see RFID just as valuable for keeping track of people in the post-9/11 environment, combining the capability with biometrics and other identification technologies in hope of enhancing inventory control of humans trying to move in and out of the United States.
The State Department recently took steps toward implementing documentation requirements of the Western Hemisphere Travel Initiative by seeking public comment on a federal rule proposing the development of an RFID-based passport for international travel by U.S. citizens through land and sea ports of entry between the United States, Canada, Mexico, the Caribbean and Bermuda. The proposed passport card would use long-range, or vicinity, RFID technology to link the card to a secure U.S. government database containing biographical data and a photograph. However, according to the State Department, the card itself will not contain any personal information. The State Department said DHS will implement protections to keep the database secure.
Thwarting danger
However, Cato’s Harper doubts expanded government identification of individuals contributes much toward thwarting terrorists.
“Terrorists, willing to die as they are, do not fall within that large category of people whose behavior is controlled by identification and the threat of accountability,” Harper writes. “Identifying people at checkpoints is security theater. Surveying the general population to make people feel safer does not actually make them so.”
Government regulation does not appear to be in the cards as an option. In a recent speech, Federal Trade Commission Chairman Deborah Platt Majoras said “the consumer protection concerns that technological advances create often can be addressed without the passage of new laws or the issuance of new regulations.”
