DHS report faults use of RFID for human identification

Says threat to privacy outweighs benefits

A committee of the U.S. Department of Homeland Security next week will consider a report that criticizes the use of radio frequency identification (RFID) technology for security authentication.

The report, now in draft form (PDF), was prepared by the DHS’s Emerging Applications and Technology subcommittee. A final version is to be presented Wednesday at a meeting of the DHS’s Data Privacy and Integrity Advisory Committee, which advises the secretary of DHS and his chief privacy officer.

While the authors of the report acknowledge that RFID is useful for such tasks as inventory management, the report said that the technology, overall, is undesirable for processes connected with people. The benefits of its support for rapid communication over distances and its uses in security are outweighed by its risks to privacy, the report stated.

"Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example), but can be in fact used for monitoring human behavior. These types of uses are still being explored and remain difficult to predict. For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings," the report said.

Howard Beales, the committee chairman, noted that the report has garnered more public response than usual. The report remains a work in progress, he said, and after being discussed next week, it will probably be returned to the subcommittee for more revisions.

Any formal recommendation to Homeland Security Secretary Michael Chertoff will probably wait until September or December, when the committee holds its quarterly meeting. "I think RFID in general is a very interesting technology," Beales said, but added that "it can raise privacy concerns." He said these are the sorts of issues the committee and subcommittee will consider.

The report points out that some believe that an RFID system could be a way of rapidly authenticating an individual and ensuring that a user identification document, such as a passport, is valid. However, the report said that an RFID system can’t necessarily verify who an individual is. That could be done only by having the RFID tag tied to a unique biometric characteristic, such as a fingerprint. This would still require a manual verification process, and any speed benefits from using RFID would be marginal, the report said.

The report noted that the State Department required that e-passports equipped with RFID tags be swiped through a reader and that a personal PIN be used for authentication. "This welcome personal security measure adds back the delay and inefficiency that RFID technology was designed to overcome, obviating the utility of RFID for this application," the report states.

In addition, the risks to the privacy of those carrying RFID tags on their documents are considerable, the report said. People who use an RFID identification card would be subject to greater surveillance with minimal awareness of what information was being transmitted. "In a visual ID-check environment, a person may be briefly identified but then forgotten, rendering them anonymous for practical purposes," the report said. But using RFID, the information taken from the user’s chip can be stored, shared and used again to track the individual’s movements, the report said

"Human identification using RFID has serious potential to deprive people of notice that potentially highly specific, detailed information about them is being collected," the report found. Additionally, RFID documents might be read by people unauthorized to view such information, it said.

Despite its criticism, the report provided a set of best practices to be followed if such a system is used. The recommendations include encrypting the data being transmitted to prevent outside access and using a kill switch function to turn off the chip. It also recognized that RFID technology could be useful in identifying personnel in dangerous situations, such as firefighters and miners.

"RFID technology may have a small benefit in terms of speeding identification processes, but it is no more resistant to forgery or tampering than any other digital technology," the report said. "The use of RFID would predispose identification systems to surveillance uses."

One supporter of RFID criticized the report, saying it is one-sided and unjustly critical of the technology. Alan Griebenow, a chairman of the RFID special interest group on the Dallas-based Metroplex Technology Business Council, which advocates for the high-tech industry in the Dallas area, said RFID can be used to improve the speed of verification without compromising a person’s privacy.

"As long as we apply common sense principles, as we’re doing with video surveillance, then we can apply the technology in a way that citizens are willing to accept," Griebenow said. He noted that cell phones are already being enabled to trace a person’s location during a 911 call.

Copyright © 2006 IDG Communications, Inc.

  
Shop Tech Products at Amazon