States Look to Lock Down RFID - Page 2

The ACLU and other citizen groups such as Consumers Against Supermarket Privacy Invasion and Numbering oppose the use of RFID chips in any ID card issued by federal, state and local governments. Privacy advocates have told eWEEK that theyre concerned about the government setting up a system of ID card checkpoints around the country. More than one, including Kevin Ashton, the co-founder of the Massachusetts Institute of Technologys Auto ID-Labs, have said that chips on passports are both unreliable and a risk to data integrity.

"You can take the chip off one passport and stick it on another. No one will know the difference," said Ashton, now the vice president of marketing at ThingMagic, in Cambridge, Mass., and an instructor at MIT. "It is truly a stupid idea to store any information on an RFID tag other than a unique number [that refers back to a database]. Otherwise there is always the risk of data change."

/zimages/1/28571.gifIs there a compelling reason to go to e-passports? Click here to read why Larry Seltzer says "no."

There are currently two federal bits of RFID legislation being bandied about, both having to do with tracking the pedigree of prescription drugs. The Reducing Fraudulent and Imitation Drugs Act of 2006 calls for the secretary of health and human services to require that any packaging of prescription drugs incorporate RFID or similar "track-and-trace" technology and that the secretary prohibit that technology from containing or transmitting information that would identify a doctor or patient consuming the tagged drugs.

Missing from federal legislation are measures that would protect citizens from the deleterious effects of RFID gone awry—whether that be terrorists skimming the identifying information of a U.S. citizen traveling abroad or a tracked citizen at home.

"The first [strong state] legislation is the one thats going to garner the most attention; thats the one thats going to be a wake-up call on the hill," said Michael Laird, an RFID analyst with ABI Research, in Oyster Bay, N.Y.

Laird is a member of the nascent RFID Caucus, formed in July by two U.S. senators, Byron Dorgan, a Democrat from North Dakota, and John Cornyn, a Republican from Texas. The groups goal: to educate their colleagues about the potential uses and benefits of RFID.

Californias bill could, according to Laird, restrict the way businesses and libraries use RFID, while other states could offer even more restrictions.

"My challenge is RFID is [that it is] a term with a thousand variations," said Laird. "What do you mean when you say RFID? Its legislating against bad behavior, not legislating against the technology—thats what we have to look at."

Wisconsin state Rep. Schneider agrees that the federal government needs to focus.

"The federal government should strike on this as much as they can," said Schneider in Wisconsin Rapids. "The states can act, but the federal government pre-empts. My concern is that once this [technology] becomes used by the Pentagon, as in the proposal [to implant] our soldiers, then it becomes an argument of economic necessity—and you cant control it then."

Arguably, there have been some concessions by the federal government that the use of RFID technology in documents such as passports presents some security and privacy risks. From its first iteration of the chipped document, the Department of State has added the so-called Faraday Cage, which supposedly shields a closed passport from being read, and BAC [basic access control] technology to prevent skimming and eavesdropping of data.

For as many detractors of the use of RFID technology in public settings, there are supporters.

"Were opposed to any existing RFID legislation," said Maureen Riehl, vice president, Government and Industry Relations council at the National Retail Federation, in Washington. "The concerns the privacy advocates have about interfacing with individual consumers is still a fairly long way off. … The whole point is for businesses to see what works and doesnt work in their own supply chains."

Retailers started working with RFID several years ago. Wal-Marts 2004 mandate to its top 100 suppliers that they RFID-enable some pallets and cases of goods kicked off a nationwide discussion around RFID, as did a similar supplier mandate from the Department of Defense.

/zimages/1/28571.gifWal-Mart will double the number of its stores using RFID to more than 1,000 by January 2007. Click here to read more.

NRF and other industry groups such as the AIM Global Consortium are urging legislators to look at current laws—particularly those pertaining to computer crime—that include privacy and security mandates that could include RFID. At the same time, the NRF is working with EPCglobal, the RFID standard-setting organization, to develop the logo or nationally recognized symbol called for in some state legislation bills.

"It has a ways to go," said Riehl in Washington. "But large retailers are embracing it."

Scott Blackmer, a lawyer and board member of the International Security, Trust & Privacy Alliance—a group that has created an IT framework to help companies comply with privacy and security mandates—believes that the security and privacy concerns around RFID are warranted. Blackmer also recommends industry standards in place of legislation. He suggests that big buying organizations like the DOD and Wal-Mart impose standards—such as making it hard for nonremovable tags to be read from a distance, or making it easy to remove tags that can be read from a distance—and others will be forced to follow suit.

"The issue for the Wal-Marts of the world is if there is legislation in three or four states, it is very difficult for them to change procurement for Wisconsin or Florida," said Blackmer in Salt Lake City. "They will have to find ways to comply within those requirements—and that will factor in their decision [on whether] to do RFID at all."

/zimages/1/28571.gifCheck out eWEEK.coms for the latest news, reviews and analysis on mobile and wireless computing.