Thursday, May 18, 2006

DHS Privacy Office Bashes RFID Technology To Track People

location based services


The privacy office says the technology offers little performance benefit for identification purposes when compared with other methods.

By Laurie Sullivan
TechWeb.com

May 18, 2006 01:34 PM

The Department of Homeland Security's Privacy Office has issued a draft report that strongly criticizes privacy and security risks of using radio frequency identification devices for human identification. Public comment on the paper is being taken until May 22.

The privacy office says the technology offers little performance benefit for identification purposes compared with other methods and could turn the government's identification system into a surveillance system.

Several government agencies, including the Department of Defense, have had success in managing inventory, tracking blankets, food, and other essentials through the supply chain. RFID tags communicate information by radio waves through antennae on small computer chips attached to objects. A reader identifies the number on the tag, which in turn categories the object.

Now, the DHS wants to deploy RFID to identify and track individuals to cross international borders, for example, saying the technology offers better encryption and forgery controls. But tampering with identification documents isn't unique to RFID. It's one of many digital technologies, including contact chips, bar codes, magnetic stripes and watermarked printing that could curtail forgery.

At the border in the US-VISIT program, at airports in the ePassport program, Computer Assisted Passenger Prescreening System (CAPPS II) program, and at entrances to secure government facilities, checking identification cards is routine. There's a misconception that RFID improves speed of identification, the reports states. "If RFID is tied to a biometric authentication factor, it can reliably identify human beings; but tying RFID to a biometric authentication negates the speed benefit."

The privacy subcommittee believes the "small incremental benefits" RFID offers encompass "a larger number of privacy concerns." The government agency's concerns lie in the ability to collect, save, store, and process information. And, "the silent, unnoticeable operation of radio waves means individuals will always have difficulty knowing when they are being identified and what information is being communicated, leaving them vulnerable to increased security risks such as skimming and eavesdropping."

Slamming the DHS's request to track individuals, the committee said RFID would deprive individuals the ability to control when they are identified and the information gathered. And, the report said, "RFID technology exposes security weaknesses that non-radio-frequency-based processes do not share."

The committee recommends if the DHS chooses to deploy RFID technology to track individuals, people should have the option to turn off signals associated with tracking their presence or activities. To mitigate eavesdropping and skimming, the DHS should ensure only authorized readers can receive signals from DHS-authorized RFID tags.

Other recommendations include keeping the tag data encrypted at all times, and keep the database unconnected from the Internet. The DHS should also limit use, and design the RFID chip so no two communication sessions appear alike.

The committee will review the report at the June 7 public Advisory Committee meeting in San Francisco.

No comments: