DHS report faults use of RFID for human identification
Says threat to privacy outweighs benefits
June 1, 2006 12:00 PM ET
Computerworld - A committee of the U.S. Department of Homeland Security next week will consider a report that criticizes the use of radio frequency identification (RFID) technology for security authentication.
The report, now in draft form (PDF), was prepared by the DHS’s Emerging Applications and Technology subcommittee. A final version is to be presented Wednesday at a meeting of the DHS’s Data Privacy and Integrity Advisory Committee, which advises the secretary of DHS and his chief privacy officer.
While the authors of the report acknowledge that RFID is useful for such tasks as inventory management, the report said that the technology, overall, is undesirable for processes connected with people. The benefits of its support for rapid communication over distances and its uses in security are outweighed by its risks to privacy, the report stated.
"Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example), but can be in fact used for monitoring human behavior. These types of uses are still being explored and remain difficult to predict. For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings," the report said.
Howard Beales, the committee chairman, noted that the report has garnered more public response than usual. The report remains a work in progress, he said, and after being discussed next week, it will probably be returned to the subcommittee for more revisions.
Any formal recommendation to Homeland Security Secretary Michael Chertoff will probably wait until September or December, when the committee holds its quarterly meeting. "I think RFID in general is a very interesting technology," Beales said, but added that "it can raise privacy concerns." He said these are the sorts of issues the committee and subcommittee will consider.
The report points out that some believe that an RFID system could be a way of rapidly authenticating an individual and ensuring that a user identification document, such as a passport, is valid. However, the report said that an RFID system can’t necessarily verify who an individual is. That could be done only by having the RFID tag tied to a unique biometric characteristic, such as a fingerprint. This would still require a manual verification process, and any speed benefits from using RFID would be marginal, the report said.
The report noted that the State Department required that e-passports equipped with RFID tags be swiped through a reader and that a personal PIN be used for authentication. "This welcome personal security measure adds back the delay and inefficiency that RFID technology was designed to overcome, obviating the utility of RFID for this application," the report states.

