25 October 2006 at 9:02:50 AM
Brother! While we have the chorus of RFID cheerleaders saying "Don't worry, America, don't ask about privacy or security, particularly with your ID cards, let us chip everything before you realize what's going on"... DHS (Department of Homeland Security) issued a draft report that says RFID is disfavored for use for identifying and tracking humans. Before you read some of the excerpts, notice, from Cato, what happened when the RFID cheerleaders saw the draft...
Back in June, the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (on which I serve) published a draft report on the use of RFID for human tracking. (”RFID” stands for radio frequency identification, a suite of technologies that identify items - and, if put in cards, track people - by radio.) The report poured cold water on using RFID in government-mandated identity cards and documents. This met with some consternation among the DHS bureaus that plan to use RFID this way, and among the businesses eager to sell the technology to the government.
Despite diligent work to put the report in final form, the Committee took a pass on it at its most recent meeting in September - nominally because new members of the Committee had not had time to consider it. The Committee is expected to finish this work and finalize the report in December.
But skeptics of the report continue to come out of the woodwork. Most recently, the Center for Democracy and Technology wrote a letter to the Privacy Committee encouraging more study of the issue, implicitly discouraging the Committee from finding against RFID-embedded government documents. CDT invited ”a deeper factual inquiry and analysis [that] would foster more thoughtful and constructive public dialog.”
Now back the report, which I think is excellent, fair and should be read in its entirety.
There appear to be specific, narrowly defined situations in which RFID is appropriate for human identification. Miners or firefighters might be appropriately identified using RFID because speed of identification is at a premium in dangerous situations and the need to verify the connection between a card and bearer is low.
But for other applications related to human beings, RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security. Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example), but can be in fact used for monitoring human behavior. These types of uses are still being explored and remain difficult to predict.
For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings. When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.
The draft report talks about using RFID for border security aka REAL ID or the RFID laced passports
A number of DHS programs are premised on the identification of human subjects. At the border in the US-VISIT program, at airports in the CAPPS I program, and at entrances to secure facilities of all kinds, checking identification cards is a routinely used security measure. Behind many of the current ideas for using RFID in human identification is a commonly held misperception that RFID improves the speed of identification. RFID is a rapid way to read data, but
RFID in passports must have a biometric aspect to be useful.
These are distinct processes. The identification information communicated by an RFIDchipped identification card can be used to determine the bearer’s authorization, but it is not authorization itself. (An RFID-chipped card, just like any card, could have a separate data element indicating authorization, of course, provided it was secure against forgery and tampering.)
In order for any document or device to accurately identify someone, it must be linked to the person in some way. This is almost always through some form of biometric — a picture, description, fingerprints, or iris scan, for example. A document that is not linked to a person using a biometric is not a reliable identification document, just as someone holding a key to a house cannot be identified as the owner of the house based upon possession of that key alone.
The anti-forgery benefit provided by the use of RFID in identification documents is not a product of its use of radio, but rather the fact that the data is in a digital format. Any data in digital format can be encrypted. Thus, RFID as such offers no anti-forgery or antitampering benefit over alternatives such as contact chips, bar codes, or pixelization.
Pages 6-14 talk about the effects of RFID on human tracking.
In a visual ID-check environment, a person may be briefly identified but then forgotten, rendering them anonymous for practical purposes. In a radio ID-check environment, by contrast, a person’s entry into a particular area can easily be recorded and the information permanently stored and repeatedly shared. In this way, RFID may convert identificationbased security into an effective surveillance program of all people passing certain locations.
Without formidable safeguards, the use of RFID in identification cards and tokens will tend to enable the tracking of individuals’ movements, profiling of their activities, and subsequent, non-security-related use of identification and derived information.
This concern exists with all automatic identification technologies that communicate identification information in digital form. The advantage of being able to easily share such digital information is part of its appeal. The concern could be minimized, however, if identity information was maintained in analog form and digital information was used only to guarantee the security of the card or token against forgery or alteration.
The paper gives an example of the Clear Card on p 7.
B. The Difficulty with Notice to Subjects of RFID Identification
It can be disempowering and unfair to collect certain types of information about people without their knowledge. Doing so prevents people from taking steps to conceal information they might prefer not to share. Human identification using RFID has serious potential to deprive people of notice that potentially highly specific, detailed information about them is being collected. (Here, we discuss collection of information consistent with a planned use of the RFID identification system. Unplanned collection of information by outsiders to the system is a security threat, which we will discuss separately below.)
RFID-tagged identification documents present a significant problem in terms of notice, along two dimensions. First, individuals carrying RFID-tagged documents will have a difficult time determining when they are being identified and to whom. Unless people begin carrying radio frequency detectors or purses and wallets that are impermeable to radio frequencies, they will not know when the RFID chips in their identification cards are being scanned. Designing chips to communicate over limited distances can ameliorate, but not eliminate, this problem. Technologies and both government and commercial identification policies may change over time, putting people in the position of being identified at times and places they are not aware of.
Second, people with RFID-tagged documents will have a difficult time determining what information they are sharing when they are identified using RFID. In a visual ID-check environment, people are aware that the information on the card is what is made available to a verifier. Other media make it more difficult to determine. Magnetic stripes, bar codes, and radio waves are not naturally readable to humans, though they can be interpreted by the technically savvy if they use known standards. However, when encryption is used — to defeat forgery and tampering and to secure the radio communication against outsiders — it can also deprive the individual of any way to decipher the content of the communication, rendering him or her powerless to control the use of personal information.
These concerns highlight the importance of open standards and open processes in any use of RFID for human identification. It should be possible to determine what information the cards people carry actually communicate. Because RFID systems can be configured a variety of ways, it is important that the public have information about all the design standards that systems are built to. This disclosure should not be limited to their intended uses, but their maximum capabilities should also be specified. Information about the maker of the chip, the integrator, and the provider of the data system should all be made public so that the design and integration choices can be assessed by outside observers, auditors, and the affected people. Otherwise, RFID-based identification systems will invite misuse, whether they actually are misused or not.
Now here's their best practices for use of RFID
C. Proposed Best Practices for Use of RFID by DHS to Identify and Track
The Committee recommends that when DHS chooses to deploy RFID technology to track individuals, it use as many of the following safeguards as possible and appropriate, given the proposed use:
Notice – Individuals should know how and why RFID technology is being used, including what information is being collected and by whom. DHS should consider using standardized icons or other images to highlight the existence and use of RFID tags and the placement of readers;
Choice and Control
Data should be encrypted on tags, in transit, and in the database. DHS should limit carefully the environments in which identification cards are used, and design the RFID chip so that no two communication sessions appear alike. DHS should also keep databases secure and unconnected to the Internet. Access to readers and databases should be limited only to authorized DHS personnel. Overall, DHS should follow the security recommendations laid out in the GAO Report, including conducting a FISMA review of the program.
Avoid Function Creep – DHS should use data collected by RFID technology only for the stated objective. It should keep data for only as long as necessary given the objective.
Education Campaign – If it uses RFID, DHS should engage in an education campaign regarding the use of RFID, including why it is necessary and what rights and protections are afforded to individuals.(Consent) – Individuals should be able to turn off any RFID signal associated with tracking their presence or activities. Where possible, they also should have the option not to participate a program involving the use of RFID technology to track their movements, while maintaining the rights and privileges of other individuals who are participating in a program involving RFID technology. If a national security or other argument weighs against individual control, such an argument should be explicitly stated and debated by representative parties on both sides prior to deciding on the implementation approach.Securing Readers and Data – To mitigate eavesdropping and skimming, DHS should ensure that only authorized readers can receive signals from DHS-authorized RFID tags.RFID does not identify individuals. If RFID is tied to a biometric authentication factor, it can reliably identify human beings; but tying RFID to a biometric authentication negates the speed benefit.
Latest Blog Post by salon -Last Show Tonight on SLAPP Suits
You! Leave a Comment! You Know you Want To!
You must be a registered member to comment on the blog.
Your first post is held pending approval to make sure you're not
a spammer bot
Or you can login!
New poster comments are moderated,
meaning they won't show up until approved... or not. Be patient-we
have lives outside this blog, so it might take awhile You want to be rude?
totally stupid? inappropriate? Racist? Bigoted? Flame war baiter? Your
post may be deleted. Spammers or people posting pretend interest comments
but really wanting to hawk their latest book or sell stuff or govt
propaganda flacks won't see their posts published. Comments do not
necessarily reflect the viewpoint of the site owner(salon).
If you have a problem with logging in or registering, please speak up
right away. Love your comments. Oh, except spammers
More on commenting
for Main Page
Friday, November 22, 2019
Last Show Tonight on SLAPP Suits
Louis Vuitton Artistic Director Calls Trump a Total Joke (Keene, Texas)
Here's Creep Trump Giving the Finger to Female Astronauts
Impeaching Trump- Is it acceptable for a president to pressure a foreign.....
Why are Paul Manafort's defense attorneys helping Lev Parnas and Igor Fruman today?
Money Laundering 101- Trump seeks to get rid of regulations on offshore money
Been awhile. Send me an email at email@example.com with the names of who you're talking about, above. Also, the newspaper editor is no longer local, ie officed here, but the paper is run....
(What Happened to Jerry Jacene? )
I'd love to see the Hotel Guest books and see if Jacene's name shows up long before he officially *found* the tracks. I'd like to know if the Visitor's Bureau has emails wit....
(What Happened to Jerry Jacene? )
I see the land or that part of it is now in the hands of Glen Rose's own Corky Underwood.
Is Jacene still involved? I had already informed the Visitor Bureau manager (who's....
(What Happened to Jerry Jacene? )