DHS Subcommittee Questions RFID Security

The DHS' Data Privacy and Integrity Advisory Committee warns that RFID technology has too many security and privacy issues to be trusted with tracking people.

Despite the U.S. Department of Homeland Securitys efforts to steamroll through the use of RFID technology in all U.S. issued passports by the end of 2006, not every governmental entity believes RFID is the answer to speedier passport checks.

A draft report released May 23 by a subcommittee of the DHS Data Privacy and Integrity Advisory Committee (a group within the DHS Privacy Office) urges that the government "consider carefully" its use of RFID to track people.

The reason: the technology is rife with security and privacy issues, the report said.

"RFID increases risks to personal privacy and security, with no commensurate benefit for performance or national security," reads the report, titled "The Use of RFID for Human Identification."

"Most difficult and troubling is the situation in which RFID is ostensibly used for tracking object ... but can be in fact used for monitoring human behavior."

The point, according to the DHS subcommittee report, is that utilizing RFID to track individuals presents potentially risky outcomes that are currently "difficult to predict."

At the same time, RFID technology will not present any of the speed and efficiency gains the DHS said it will achieve in implementing electronic passports.

Potential risks include the prospect that individuals will "likely be subject to greater surveillance," and will be less aware of what information is being transferred, or when its transferred, and may have personal data intercepted.

The report points out two commonly known security breaches possible with RFID data transmission: skimming and eavesdropping.

Skimming happens when someone creates an unauthorized connection with an RFID tag to gain access to the data contained in it. Eavesdropping, on the other hand, is the interception of the communication between an RFID tag and reader to gain access to data being transmitted.

While the State Department, which will be the issuer of electronic passports, will incorporate technology that blocks skimming through encryption, its not the entire answer, according to the Privacy Office.

"Though indecipherable itself, the encrypted information can act as an identifier if it remains the same each time it is skimmed," according to the report.

The DHS Privacy Office is not the first governmental agency to release such findings. In May of 2005 the U.S. Government Accounting Office released a report titled, "Information Security: Radio Frequency Identification Technology in the Federal Governments" that identified a number of security issues.

/zimages/2/28571.gifLogan Airport to demonstrate baggage, passenger RFID tracking. Click here to read more.

The basic complaint posited by that report is that without effective security controls, data thats transmitted through the air can be intercepted for potentially nefarious means, and data stored in databases can be accessed by unauthorized users.

However its unclear what, if any, impact either report will have on the DHS plans to move forward with its electronic passport plans.

"When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of specific security and privacy safeguards," says a telltale passage in the report.

Neither a Privacy Office or DHS spokesperson was available at press time.

Some privacy advocates also see an inconsistency with the subcommittees report.

"Its a good idea that the Privacy Office is trying to put the brakes on RFID in passports," said Katherine Albrecht, founder and director of RFID watchdog organization CASPIAN.

"But theres one other important point: Where [the Privacy Office] was really sounding the alarm on privacy, they were hedging their bets with a compromise conclusion—that there are ways to use RFID if you put the appropriate safeguards in place."

Security and privacy advocates would argue the point, according to Albrecht.

The DHS Data Privacy and Integrity Advisory Committee is set up to advise the secretary of the DHS, along with its chief privacy officer, on technology issues that affect individual privacy as well as on other privacy related issues.

The report suggests a number of things the DHS can do to ensure more security and privacy for electronic passport carriers, including: employing a deactivation, or kill switch, to shut off RFID data transmission after a certain time; employing blocking technology to deter skimming and eavesdropping; adopting an "opt in/opt out" framework so that people can chose whether or not to have their passports embedded with an RFID chip; and mitigating secondary use by reducing the compatibility of readers and tags.

In January 2005, DHS announced that it would start testing RFID technology at five U.S. border crossing points. The tests, which have continued through the spring of this year, are part of an earlier initiative by the DHS, US-VISIT, to gather digital fingerprints and photos of all non-U.S. citizens entering the country.

The DHS is also testing RFID at airports, through its CAPPS program.

Presumably building on its findings, the DHS said in 2005 that it would enable all U.S. passports with passive RFID chips by the end of 2006, despite an overwhelming majority of objections from citizens that weighed in on the subject during the State Departments call for public comments.

Of the 2,335 remarks received regarding the introduction of electronic passports, 98.5 percent were negative. Over 2,000 people listed security and privacy as a top concern.

The Privacy Office subcommittee report will be reviewed before the full committee June 7, after general comments are solicited.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest news, reviews and analysis on mobile and wireless computing.