
Data Privacy & Integrity Advisory Committee

Report No. 2006-02: The Use of RFID for Human Identity Verification

Adopted December 6, 2006

This paper reflects the recommendations provided by the Data Privacy and Integrity Advisory Committee (Committee) to the Secretary and the Chief Privacy Officer of the Department of Homeland Security (DHS). The Committee's charter under the Federal Advisory Committee Act is to provide advice on programmatic, policy, operational, administrative, and technological issues relevant to DHS that affect individual privacy, data integrity and data interoperability and other privacy-related issues.

I. Introduction and Executive Summary

The purposes of this paper are to: (1) offer an analytical framework for use by the Department of Homeland Security (DHS or the Department) in determining whether to deploy a Radio Frequency Identification (RFID) enabled system to identify and/or record the presence of individuals; and (2) offer a set of best practices to consider when DHS chooses to use an RFID-enabled system. The focus of this paper is on such systems in border-crossing contexts. We believe that the issues raised in this paper are relevant to other credential or human identification related applications, and that the best practices we recommend are also applicable in those contexts.

There is general agreement among industry, government, and privacy advocates that automatic identification technologies such as RFID can have valuable uses, especially in connection with tracking things for purposes such as inventory management. RFID is particularly useful where it can be embedded within an object, such as a shipping container or a document.

There is less agreement among industry, the public, government, and the advocacy community on the appropriateness of using RFID-enabled systems to identify individuals passing a checkpoint. On the one hand, there is the potential for benefits in terms of greater accuracy, speed and efficiency when deploying an RFID-enabled system to identify individuals. Newer RFID credentials may also have added benefits of greater fraud prevention and tamper resistance than existing credentials. This would be the likely case in any new credential, whether RFID or not, but may be considered a collateral benefit of deploying new credentials. Such new technology may also increase both the cost and complexity of using forged documents. Lastly, there may be benefits in tracking lost identity credentials, such as preventing the casual/opportunistic misuse of the credential. However, it does not address issues related to concerted efforts to falsify credentials.

On the other hand, there are a variety of concerns about the use of such systems, including:

- The potential for unauthorized access to the data on the RFID-enabled device, or the data when in transit between the device and reader;
- The selection of RFID-enabled systems for an application if other existing and potentially less privacy-impacting alternatives can achieve the same benefit;
- The concern that the information produced by an RFID-enabled credential system for a stated purpose might be reused or leveraged for a second purpose without the knowledge or consent of those persons whose information was collected for the original purpose;
- The concern that the deployment of RFID-enabled systems represents the potential for widespread surveillance of individuals, including US citizens, without their knowledge or consent.

Before deploying any technology, the Department should define the program objective, determine what technologies may apply, and understand the benefits and concerns related to each deployment. With that as background, there needs to be an analysis of what is the least intrusive technology that can be used to accomplish the objectives of the program and what technologies can be used to help address any privacy concerns that exist.

With specific reference to RFID deployments, we recommend that if the Department, after careful consideration of all technologies and analysis of the least intrusive means to achieve department objectives, determines to deploy an RFID-enabled system to identify individuals, that it build in, from the design stage, sufficient privacy and security safeguards to ensure that the use of RFID-enabled systems meets the Department's objectives while respecting and protecting the privacy and security of information collected about individuals[1] throughout the lifetime of the system and, in the case of the information, beyond.

II. RFID Technology Overview

In order to frame this discussion, we begin by presenting a brief overview of RFID technology. This is not meant to be a complete tutorial discussion, since those may be found elsewhere.[2]

RFID is a type of automatic identification technology that enables the user to tag objects with a tiny[3] device that can later be detected by automatic means. That detection can range from simply noting the presence of the device, to obtaining a fixed identification number from the device, to initiating a two-way communication with the device. The essential functionality of the system is that when the tag is in the presence of an appropriate radio frequency (RF) signal emanated by a reader, the tag responds by sending back a reflected RF signal with information in response. Some can only operate over a very short distance of a few centimeters or less, while others may operate at longer distances of several meters or more. At the higher end of RF technology, the contactless RFID tags have been enhanced with the full capabilities of smart card chips containing general-purpose computer processors and larger non-volatile memory spaces.

[1] Some commentators have suggested that the Committee supplement this paper with a list of the various current and planned uses of RFID by the Department of Homeland Security. The Committee declines to do so for two reasons: first, any such list may soon become incorrect or obsolete; and second, because this paper is intended to serve as a framework for the Department to use in any evaluation of a program that would use an RFID-enabled system to identify individuals.

[2] Garfinkel and Rosenberg, eds., RFID: Applications, Security, and Privacy. See also Department of Homeland Security Office of the Inspector General report entitled "Enhanced Security Controls Needed for US-VISIT's System Using RFID Technology (Redacted)", OIG-06-39 (June 2006) at 35, available at http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_06-39_Jun06.pdf. Also see Appendix: Background Materials on RFID Technology.

[3] These are as small as 0.15 mm x 0.15 mm and thinner than a sheet of paper at 7.5 micrometers. See http://www.eetimes.com/news/design/showArticle.jhtml?articleID=179100286.


RFID tags can be made to respond only to specific readers (or ones implementing specific communication protocols). Today, almost all tags operate at a single or small range of frequencies using a single protocol. Some advanced readers may read more than one protocol but generally only at one frequency.

The tags come in three types: passive, active, and semi-active (or battery-assisted), each with its own set of operating characteristics.

Passive tags have no battery inside and, thus, must depend upon the current induced in their antennas by the reader's RF signal to perform their jobs. This allows the device itself to be smaller than active tag devices and increases their useful lifetime. Depending upon the technology, these passive tags can return a fixed value, be writable once and then read many times, or may be fully rewritable. Because of their dependence upon the reader's continuous RF signal for power to process and transmit their response, reading passive tags may be somewhat less reliable than reading active or semi-active tags.

Active tags contain their own battery. Once awakened by a reader's RF signal, these tags employ their own power to perform their jobs. Other active tags act like beacons that continually emit an identification signal. The advantage of the active tags over the passive is their typically greater computational capability, memory capacity, and the distance over which they may be read. While their batteries do have a limited lifetime, it is typically several years. Since their batteries power their response, active tags are more appropriate in situations where RF signals might encounter interference. Semi-active or battery-assisted tags are simply passive tags that use the tag's batteries to power their electronic circuits rather than depending on power drawn from the field of the reader. As a result, their range is longer than that of passive tags.

High-end, active RFID tags can have rather extensive computational capability. They can provide cryptographic functions to support more secure and private operations, have considerably larger memory capacities, and can enter into complicated communications protocols that could reduce the possibility of unintended communications with unauthorized readers.

One aspect of most RFID tags is that it is quite easy to awaken them with the appropriate RF signal. This implies that the object with which the tag is associated often does not need to do anything to enable this communications link. In the case of shipping containers or livestock, this is a clear advantage. However, this automatic feature has proven controversial in the wide variety of applications of RFID technology around humans.

Today many RFID tags are passive, though a growing number are shifting to active or semi-active. Factors in these selections include both functionality and cost. The higher-end functions of RFID are still considered costly for broad commercial application. Size is also decreasing, but again the vast majority of tags are still applied to shipping cartons, containers and pallets. To date most RFID deployments are part of the commercial back end, dealing with supply chain and logistics. There is general agreement that many of the current applications such as supply chain/logistics and food safety are beneficial and have little to no negative privacy implication. As costs decrease and item-level tagging becomes more feasible, greater penetration of beneficial applications, such as drug safety, warranty/service, product safety and product recall, is likely to occur, but those functions may have greater privacy implications. The privacy implications arise from the possibility that the item is carried by the person and, depending on the tag, technology and configuration, may be observed by other readers.

Where issues arise as to whether RFID may create privacy implications, certain technologies may be applied to limit the potential exposure of Personally Identifiable Information (PII). These technologies include encryption, kill switches, tearable tags, on/off switches and non-manufacturer technologies to block, disable, or zap tags. These technologies may be used alone or in combinations to achieve the desired levels of protection and functionality. Each of these functions will, of necessity, increase at least the initial cost of such RFID-enabled deployments. It should also be recognized that these technologies do not operate in a vacuum, but rather operate within the context of various laws and policies, which may further limit the type of information that can be collected or how such information can be used.

IV. The Legal Basis for RFID Use in Human Identification

The major laws, executive orders, and programs under which RFID is being considered or used are either permissive as to technology or not legally binding on the U.S. government.[4] Nevertheless, when an RFID-enabled system is used to collect data about individuals, the data collected will comprise a system of records under the Privacy Act of 1974. People should have at least the rights accorded them by that law when they are identified using RFID. Systems using RFID technology are also subject to the E-Government Act's Privacy Impact Assessment requirements.

V. Use of an RFID-Enabled System for Human Identification

A number of DHS programs are premised on the identification of human subjects. At the border, at airports, and at entrances to secure facilities of all kinds, checking identification cards is a routinely used security measure. RFID is a rapid way to read data, but RFID in a credential merely identifies the credential, not the individual bearing it. One or more biometric identifiers can be used to improve identification of human beings, but the steps needed to verify the biometric information using today's technology may reduce or negate the speed benefit offered by radio transmission. Earlier identification of a person approaching a point of identification could also provide security benefits if the information has not otherwise been communicated.

A. Controlling Access, Controlling Borders, and Interdicting Suspects

Whether through RFID or other means, checking identification is intended to achieve a number of different goals: Facility managers use identification to control access to sensitive infrastructures that may be damaged or used to harm people. They use it to control access to facilities where sensitive information about other infrastructure may be kept, or where security planning or operations are carried out. The government uses identification administratively to record the border crossings of international travelers. At borders and checkpoints, identification can help detect and interdict undesirable entrants to the country and known or suspected terrorists.

[4] The REAL ID Act, about which regulations are still being formulated, calls for a machine-readable technology but does not specify the technology. Homeland Security Presidential Directive 12 calls for a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). The State Department adopted RFID technology in the e-passport to meet International Civil Aviation Organization standards, which are not legally binding on the U.S. government.

These identification processes are intended to protect a wide variety of institutions, infrastructures, processes, and persons from a wide variety of threats, each having a different risk profile. At base, identification checks by DHS seek to interdict potential attackers on our institutions, infrastructure, and people.

B. RFID Technology Can Reduce Delay at Entrances and Checkpoints, But Standing Alone, It Cannot Identify An Individual

It takes some time to check a traditional identification document. The process typically includes handing the document to a verifier, who must review the information on the document and authorize the bearer to pass, record the bearer's passing, or, if appropriate, detain the bearer. The verifier must also compare the identifiers on the document with the bearer to ensure that the bearer is the person identified by the document.

An RFID-chipped identification card can quickly communicate information from the card to a reader at a distance, without a line of sight or physical contact between a card and reader. Transmitting information via radio in advance can thus allow information to be prepositioned before an individual approaches an entrance or checkpoint. While this may improve efficiency at the borders and checkpoints, the verifier must still review authorizing information and compare the identifiers from the card with the bearer in order to ensure that the RFID-enabled card is being carried by the person with whom it is associated. Thus, if the expected primary benefit of deploying RFID is speed and efficiency, care must be taken to ensure that the activities that are necessary to support it do not offset the gains brought by the RFID deployment.

VI. Privacy and Security Issues Associated with the Use of RFID for Human Identification

While RFID-enabled systems may provide at least incremental benefits in terms of efficiency of identification, the use of RFID-enabled systems for human identification may create a number of risks that are not found in conventional identification processes.

A. Potential for Privacy Risks

Digital identification systems pose privacy risks. In a visual ID check environment, a person may be briefly identified but then forgotten, rendering them anonymous for practical purposes. In a digital (RF-based) identity check environment, by contrast, a person's entry into a particular area can be recorded and the information stored for some period of time.[5] If not properly protected, this information could also be repeatedly shared or used for secondary purposes, even potentially used for broader surveillance.

[5] At its March 2006 meeting, then US-VISIT Director Jim Williams testified to this committee that biometric data collected digitally in that program is kept for 75 years, stating "we would not agree to expunge those records." Also, see Wilson P. Dizard III, "E-Passport's First Deployment," Government Computer News, Oct. 9, 2006, http://www.gcn.com/print/25_30/422491.html, where he reports that DHS also intends to keep data collected using the E-Passport system for 75 years.


There are particular risks of RFID as the basis for digital identification: (1) unauthorized readers that enable other people to access the information contained in the RFID ("skimming"); (2) interception of the transmission of the information by an unauthorized third party ("eavesdropping"); and (3) if no specific safeguards are put in place, the use of RFID-enabled systems could ultimately aid the monitoring of individuals' movements ("tracking"). While no DHS program plans any secondary use of the data that would create a profile of a person's activities for subsequent, non-security-related use, the potential for misuse remains.

B. The Difficulty with Notice to Subjects of RFID Identification

RFID-tagged identification documents present a significant problem in terms of notice along two dimensions. First, individuals carrying RFID-tagged documents may not always know when they are being identified and to whom, unless people begin carrying radio frequency detectors or purses and wallets that are impermeable to radio frequencies. Second, people with RFID-tagged documents may not always know what information they are sharing when they are identified using an RFID-enabled system. In a visual ID check environment, people know that only the information on the card is available to a verifier, along with any information linked to that card in databases.

C. Security is a Foremost Concern with Using RFID for Human Identification

Some of the greatest concerns with RFID-enabled systems used to identify individuals have to do with the security of the transmissions from the tags to the readers.

Making identification information available via radio frequency opens up two sources of security risks, commonly known as "skimming" and "eavesdropping". Skimming is creating an unauthorized connection with an RFID tag in order to gain access to its data. It allows someone outside of the identification system or program to gather information surreptitiously. This risk can be controlled a number of ways. One is to block the transmission of radio signals to and from the chip when it is not intended to be in use. For example, a Faraday cage or shield is a conductive enclosure, such as a wire screen, that prevents transmission of radio signals to or from whatever it encloses. The State Department's new e-passport will incorporate this technology. It is more convenient in a passbook-type document like a passport than a card, for which there would have to be some sort of wrapper or sleeve. This threat may be reduced through the use of some solution with higher functionality.

Another way to limit skimming is to encrypt the data transmission so that identification information appears indecipherable to anyone intercepting it who is not authorized to read it. However, this is not a complete solution. Though indecipherable itself, the encrypted information can act as an identifier if it remains the same each time the card is skimmed, just as a person might be known by a nickname: a constant ciphertext is a persistent pseudonym, and anyone who can skim the card more than once can link its appearances, and so track its bearer, without ever decrypting it.

Eavesdropping is the interception of the electronic communication session between an RFID tag and an authorized reader, again, in order to gain access to the data being transmitted. As with skimming, depending on the design of the system, an eavesdropper may be able to collect usable information from the communication between an RFID chip and an authorized reader even if the communication is encrypted.


One way to suppress eavesdropping is to limit carefully the environments in which identification cards are used. Another is to design the RFID chip so that no two communication sessions appear alike, for example by having both the tag and the reader contribute fresh random values to every exchange, so that nothing constant is ever transmitted over the air.

In any event, privacy and security must be built into the full life cycle of the RFID application from the outset: from the design stage, to deployment and use, to end of life. Just as privacy concerns must be identified in a broad and systemic manner, so too must technological solutions be addressed systematically.

D. RFID Security Issues Identified by the GAO

The United States Government Accountability Office addressed the use of RFID technology in a May 2005 report titled Information Security: Radio Frequency Identification Technology in the Federal Government (GAO Report).[6] The GAO Report identified a number of security issues that are implicated by federal (and commercial) use of RFID technology. Without effective security controls, the GAO Report stated, data on the tag can be read by any compliant reader; data transmitted through the air can be intercepted and read by unauthorized devices; and data stored in the databases can be accessed by unauthorized users.[7] The GAO stated that RFID systems should be designed to:

- Ensure that only authorized readers can read the tags, and that only authorized personnel have access to the readers;
- Maintain the integrity of the data on the chip and stored in the database;
- Ensure that the critical data is fully available when necessary;
- Mitigate the risk of various attacks, such as counterfeiting or cloning (when an attacker produces an unauthorized copy of a legitimate tag); replay (when a valid transmission is repeated, either by the originator or an unauthorized person who intercepts it and retransmits it); and eavesdropping;
- Avoid electronic collisions when multiple tags and/or readers are present; and
- Mitigate the likelihood that unauthorized components may interfere with or imitate legitimate system components.

The GAO Report maintains that many security risks can be mitigated through compliance with the Federal Information Security Management Act (FISMA), which requires each agency to develop, document, and implement an agency-wide information security program. Specifically, FISMA requires agencies to:

- Engage in periodic risk assessments;
- Develop risk-based policies and procedures to reduce risks to an acceptable level;
- Develop plans for providing adequate information security for networks, facilities, systems, and groups of systems;
- Engage in security training for personnel and contractors;
- Test the information security policies at least annually, including the testing of management, operational, and technical controls for every major information system;
- Develop a process to detect and report security incidents and a remedial action process; and
- Maintain procedures for continuity of operations in light of a security incident.

[6] See GAO-05-551 (May 2005), available at http://www.gao.gov/new.items/d05551.pdf. See also Testimony of Gregory C. Wilshusen, Director, Information Security Issues, Before the Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity, House Committee on Homeland Security, June 22, 2005, available at http://www.gao.gov/new.items/d05849t.pdf.

[7] GAO Report at 19.

As it relates to RFID, an agency can reduce the risk of unauthorized use or access through encryption and authentication.

- Encryption should include the data in the tags, in the air, and when stored in a database.
- Authentication means verifying the claimed identity of a user. It can be used between tag and reader as a way to mitigate security risks. This can help prevent the unauthorized reading of and/or writing to tags.
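Two of the technical points made in this paper, that an encrypted but constant identifier still acts as a persistent pseudonym (Section VI.C) and that authentication between tag and reader should keep unauthorized readers from reading the tag and resist replay (the GAO recommendations above), can be made concrete in a short simulation. The following is an added example written for this page, not code from the Committee, the GAO or any deployed RFID or e-passport standard; the four-message protocol, the use of HMAC-SHA256 as the tag's cryptographic primitive, the shared key and the traveller identifiers are all assumptions made for illustration.

```python
"""Simulated RFID tag/reader exchanges: a static encrypted identifier versus a
nonce-based mutual-authentication protocol. Added example, standard library only;
the message layout, HMAC-SHA256 primitive, key and UIDs are illustrative assumptions."""
import hashlib
import hmac
import secrets
from typing import List, Optional


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields so fields cannot bleed into one another."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class StaticTag:
    """Answers every read with the same 'encrypted' identifier: indecipherable without
    the key, yet a persistent pseudonym that lets anyone link two skims of the card."""

    def __init__(self, key: bytes, uid: bytes) -> None:
        self.token = mac(key, b"static-id", uid)

    def read(self) -> bytes:
        return self.token


class ChallengeResponseTag:
    """Releases nothing identifying until the reader proves knowledge of the key; its
    final response is bound to fresh nonces from both sides, so no two sessions match."""

    def __init__(self, key: bytes, uid: bytes) -> None:
        self._key, self._uid = key, uid
        self._r_nonce = self._t_nonce = b""

    def start(self, r_nonce: bytes) -> bytes:
        # Messages 1 and 2: take the reader's nonce, answer with a fresh tag nonce.
        self._r_nonce, self._t_nonce = r_nonce, secrets.token_bytes(16)
        return self._t_nonce

    def finish(self, reader_proof: bytes) -> Optional[bytes]:
        # Messages 3 and 4: check the reader's proof; only then send the tag's proof.
        expected = mac(self._key, b"reader", self._r_nonce, self._t_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None  # unauthenticated reader (a skimming attempt): stay silent
        return mac(self._key, b"tag", self._r_nonce, self._t_nonce, self._uid)


class Reader:
    """Authorized reader holding the shared key and the enrolled UIDs."""

    def __init__(self, key: bytes, enrolled: List[bytes]) -> None:
        self._key, self._uids = key, list(enrolled)

    def identify(self, tag, transcript: Optional[List[bytes]] = None) -> Optional[bytes]:
        """Run the exchange; return the enrolled UID or None. If a list is given, every
        over-the-air message is appended to it, which is what an eavesdropper captures."""
        r_nonce = secrets.token_bytes(16)
        t_nonce = tag.start(r_nonce)
        reader_proof = mac(self._key, b"reader", r_nonce, t_nonce)
        tag_proof = tag.finish(reader_proof)
        if transcript is not None:
            transcript.extend([r_nonce, t_nonce, reader_proof, tag_proof or b""])
        if tag_proof is None:
            return None
        # Linear scan of enrolled UIDs: the price of a response carrying no fixed identifier.
        for uid in self._uids:
            if hmac.compare_digest(mac(self._key, b"tag", r_nonce, t_nonce, uid), tag_proof):
                return uid
        return None


class ReplayingTag:
    """Attacker device replaying a captured transcript to a legitimate reader."""

    def __init__(self, captured: List[bytes]) -> None:
        self._t_nonce, self._tag_proof = captured[1], captured[3]

    def start(self, r_nonce: bytes) -> bytes:
        return self._t_nonce

    def finish(self, reader_proof: bytes) -> bytes:
        return self._tag_proof


def linkable(session_a: List[bytes], session_b: List[bytes]) -> bool:
    """Eavesdropper's test: do two captured sessions share any message bytes?"""
    return any(a and a == b for a, b in zip(session_a, session_b))


def demo() -> dict:
    key, uid = b"constructed-demo-key", b"TRAVELLER-0001"  # constructed, not real data
    enrolled = [b"TRAVELLER-0000", uid, b"TRAVELLER-0002"]
    static = StaticTag(key, uid)
    tag, reader = ChallengeResponseTag(key, uid), Reader(key, enrolled)
    first, second = [], []
    identified = reader.identify(tag, first)
    reader.identify(tag, second)
    return {
        "static_linkable": linkable([static.read()], [static.read()]),  # True
        "cr_identified": identified,                                    # enrolled UID
        "cr_linkable": linkable(first, second),                         # False
        "rogue_reader": Reader(b"wrong-key", enrolled).identify(tag),   # None
        "replay": reader.identify(ReplayingTag(first)),                 # None
    }
```

Calling `demo()` shows the trade-off in one place: the static tag is trivially linkable across reads even though its token never reveals the UID, while the challenge-response tag yields two transcripts with nothing in common, refuses a reader that cannot prove knowledge of the key, and defeats a replayed transcript because the recorded proof is bound to a reader nonce that is never issued twice. The reader pays for this with a linear scan over enrolled identities, which is acceptable at a facility door but is exactly the scaling question a border-crossing deployment would have to answer.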

The GAO states that the privacy issues can be mitigated by compliance with existing legislation, including compliance with:

- The Privacy Act of 1974; and
- The Privacy Impact Assessment requirements of the E-Government Act.

The Department of Homeland Security's Office of Inspector General, in its report on the US-VISIT (the DHS Inspector General's Report),[8] also notes a number of steps that the Department of Homeland Security can take to ensure the security of databases used in RFID-enabled programs. Those recommendations included the development and implementation of procedures to strengthen the password management and user account processes relating to the database associated with an RFID-enabled program.

VII. Recommendations

The case for using RFID-enabled systems to track materiel is clear. The Department of Defense, for example, has produced a significant study showing the benefits of using RFID to tame the substantial logistical challenges it faces.[9] The case for using RFID-enabled systems by the government to identify and record the presence of individuals, however, requires a more careful analysis involving the mission to be accomplished, the alternative technologies available, and the practicability of employing safeguards to protect the privacy and security of information collected from and about individuals.

A. The Decision Whether to Use RFID to Identify Individuals

In light of the concerns associated with the privacy and security of information gathered by means of an RFID-enabled system, the recommendations in the GAO Report and the DHS Inspector General's Report, and in light of comments received by the Committee on the first draft of this paper and the Committee's own deliberations, the Committee recommends that Program Managers within the U.S.

[8] Department of Homeland Security, Office of Inspector General, Enhanced Security Controls Needed For US-VISIT's System Using RFID Technology (June 2006), https://www.dhs.gov/xoig/assets/mgmtrpts/OIG_06-39_Jun06.pdf.

[9] Final Regulatory Flexibility Analysis of Passive Radio Frequency Identification (RFID), prepared by the Office of the Under Secretary of Defense for Acquisition, Technology & Logistics. See full reference in appendix.


in this question, because extensive collections of data have, in the past, tended to find new, unanticipated uses.

- How is the information maintained in the back-end systems protected? How long will the information in the database be kept? Is the length of time proposed appropriate given the objective at hand? Can the length of time be minimized without undermining the objective?
- Are there end-to-end auditing capabilities built into the system to monitor use and misuse of the information?

Risk Mitigation

Credential Risks

- What kinds of information are carried on the tag? What kinds of information are passed to a database? Is the amount and type of information narrowly tailored to accomplish the Department's objective?
- How is the information on the tag protected (encryption, no personal information is present on the card, etc.)?
- Is the communication with the reader secured? Are there adequate security protections to ensure that only authorized readers can read the tags?
- Does the RFID-enabled system include RF-blocking technology, such as that proposed by the U.S. Department of State for use in its passport jackets? If not, is there a legitimate reason not to have such a mechanism?
- What security safeguards are in place for the associated databases, tags, and transmissions from the tags to the databases? Have the Program Managers consulted with information security experts within the Department and, if necessary and appropriate, outside of the Department, to ensure that the program is adequately protected from skimming, eavesdropping, and other threats to the security and integrity of the system?

Net Effects

- On balance, if the Program Managers, in consultation with the DHS Privacy Office, determine that an RFID-based technology meets a legitimate Department objective, do privacy and security concerns outweigh the incremental benefits gained by using an RFID-enabled system over a system posing fewer privacy and security risks?

B. Proposed Best Practices for Use of RFID by DHS to Identify Individuals

The Committee recommends that if DHS chooses to deploy an RFID-enabled system to identify individuals, DHS should use as many of the following safeguards as possible and appropriate, given the proposed use:[11]

[11] These proposed best practices draw on a number of sources, including the GAO Report, the EPCglobal Guidelines for Electronic Product Codes for Consumer Products (see http://www.epcglobalinc.org/public_policy/public_policy_guidelines.html), and the Article 29 Working Party Working Document on Data Protection Issues Related to RFID Technology, 10107/05/EN, WP 105 (January 19, 2005) (available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf).


Notice

Individuals should know how and why RFID technology is being used, including what information is being collected and by whom. DHS should consider using standardized icons or other images to highlight the existence and use of RFID tags and the placement of readers.

Open Standards

Because RFID-enabled systems can be configured in a variety of ways, it is important that the public have access to information about the design standards to which the systems are built. This information should not be limited to their intended uses, but their maximum capabilities should also be specified. Information about the maker of the chip, the integrator, and the provider of the data system should all be made public, to the extent consistent with national security and anti-circumvention concerns, so that the design and integration choices can be assessed by outside observers, auditors, and the affected public.

Choice and Control (Consent)

Where possible, individuals should have the option not to participate in a program involving the use of RFID technology to record their movements, while maintaining the rights and privileges (but perhaps losing the convenience benefits) of other individuals who are participating in a program involving RFID technology. If a national security or other argument weighs against individual control, such an argument should be explicitly stated and the choice be made available to the extent possible. Perhaps under such circumstances, a notice-and-comment approach would be appropriate.

    Securing Readers and Data: To mitigate eavesdropping and skimming, DHS should ensure that only authorized readers can receive signals from DHS-authorized RFID tags. Data should be encrypted on tags, in transit, and in the database. DHS should limit carefully the environments in which identification cards are used, and design the RFID chip so that no two communication sessions appear alike. As with any database program, DHS should take all appropriate steps to assure the security and integrity of the database itself. Overall, DHS should follow the security recommendations laid out in the GAO Report, including conducting a FISMA review of the program, as well as recommendations of the department's Office of the Inspector General.
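    Two of the safeguards above, that only authorized readers should be able to make use of a tag's signal and that no two communication sessions should appear alike, can be illustrated with a small simulation. The following is an added example, not code from the Committee's report or from any DHS system: it models a tag that never transmits its identifier and instead answers a reader's challenge with a fresh nonce and a keyed MAC (a randomized challenge-response in the style of a "randomized hash lock"), next to a weak tag that broadcasts a static identifier. The protocol, the class names, the key table and the sample card identifiers are all assumptions made for the illustration.

```python
"""Added example (hypothetical protocol, not the report's design): an RFID tag/reader
exchange in which an eavesdropper cannot link two sessions and a reader without the
shared key cannot identify the tag. All names and sample values are constructed."""

from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional


class StaticIdTag:
    """Weak design: the tag answers every query with its fixed identifier in the clear."""

    def __init__(self, tag_id: str) -> None:
        self.tag_id = tag_id

    def respond(self, reader_nonce: bytes) -> tuple[bytes, bytes]:
        # Every session carries the same bytes, so sessions are trivially linkable.
        return self.tag_id.encode(), b""


class RandomizedTag:
    """Hardened design: the tag never sends its identifier; it proves knowledge of a
    per-tag secret with a MAC over nonces contributed by both sides."""

    def __init__(self, tag_id: str, key: bytes) -> None:
        self.tag_id = tag_id   # kept on the tag, never transmitted
        self.key = key         # shared only with the authorized reader back end (assumed)

    def respond(self, reader_nonce: bytes) -> tuple[bytes, bytes]:
        tag_nonce = os.urandom(16)   # fresh per session, so no two responses repeat
        mac = hmac.new(self.key, b"tag|" + reader_nonce + tag_nonce, hashlib.sha256).digest()
        return tag_nonce, mac


class AuthorizedReader:
    """Holds the key table and identifies a tag by finding the key that verifies the MAC."""

    def __init__(self, key_table: dict[str, bytes]) -> None:
        self.key_table = key_table

    def challenge(self) -> bytes:
        # A fresh reader nonce makes a captured response useless for replay.
        return os.urandom(16)

    def identify(self, reader_nonce: bytes, tag_nonce: bytes, mac: bytes) -> Optional[str]:
        for tag_id, key in self.key_table.items():
            expected = hmac.new(key, b"tag|" + reader_nonce + tag_nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, mac):   # constant-time comparison
                return tag_id
        return None


def run_session(reader: AuthorizedReader, tag) -> tuple[Optional[str], tuple[bytes, bytes, bytes]]:
    """One over-the-air exchange. Returns the reader's conclusion and what a passive
    eavesdropper could have captured: (reader nonce, tag nonce, tag MAC)."""
    reader_nonce = reader.challenge()
    tag_nonce, mac = tag.respond(reader_nonce)
    captured = (reader_nonce, tag_nonce, mac)
    return reader.identify(reader_nonce, tag_nonce, mac), captured


def sessions_linkable(s1: tuple[bytes, bytes, bytes], s2: tuple[bytes, bytes, bytes]) -> bool:
    """Eavesdropper's linking test: do two captured sessions share any tag-sent field?"""
    _, tag_nonce1, mac1 = s1
    _, tag_nonce2, mac2 = s2
    return tag_nonce1 == tag_nonce2 or mac1 == mac2


def demo() -> dict:
    # Constructed sample key table: two enrolled cards with random per-card secrets.
    key_table = {"card-0001": os.urandom(32), "card-0002": os.urandom(32)}
    reader = AuthorizedReader(key_table)
    rogue_reader = AuthorizedReader({})   # sees the bits but holds no keys
    good_tag = RandomizedTag("card-0001", key_table["card-0001"])
    weak_tag = StaticIdTag("card-0001")

    id1, s1 = run_session(reader, good_tag)
    id2, s2 = run_session(reader, good_tag)
    rogue_id, _ = run_session(rogue_reader, good_tag)
    _, w1 = run_session(reader, weak_tag)
    _, w2 = run_session(reader, weak_tag)
    return {
        "authorized_reader_identifies": id1 == "card-0001" and id2 == "card-0001",
        "unauthorized_reader_identifies": rogue_id is not None,
        "randomized_sessions_linkable": sessions_linkable(s1, s2),
        "static_id_sessions_linkable": sessions_linkable(w1, w2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The reader identifies the tag by trying every key in its table, which is what keeps the identifier off the air; that linear search is the known cost of this style of protocol and is only workable for a back end of moderate size. The example covers the over-the-air leg only: encryption of data at rest on the tag and in the database, and the FISMA review the Committee calls for, are separate controls.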

    Avoid Function Creep: DHS should use data collected by RFID technology only for the stated objective. It should keep data for only as long as necessary to meet the original objective for which it was collected.

    Education Campaign: RFID technology is not well understood by much of the public. Government entities and the private sector often also lack a good understanding of how RFID technologies work and when and how they are best applied. As a result, there are many people for whom the use of RFID technology in identity systems is troubling. Most of their concerns could be easily resolved through education and openness. If it uses RFID, DHS should engage in an education campaign regarding the use of RFID, including why it is necessary and what rights and protections are afforded to individuals.

    VIII. Conclusion

    The Committee recommends that the Department of Homeland Security carefully weigh the considerations detailed in Section VII of this Report before deciding to deploy an RFID-enabled system to identify individuals. An RFID-enabled system should be secure, narrowly tailored to effectively accomplish a Department objective, and the least intrusive to privacy and security in light of alternative technologies to accomplish that objective. Otherwise, the use of RFID, standing alone, may not be best suited for purposes of identifying individuals and other solutions should be considered. The Committee further recommends that if the Department determines to deploy an RFID-enabled system to identify individuals, that it build in, from the design stage, the safeguards outlined in Section VII of this Report to the extent possible to ensure that the use of RFID-enabled systems advances the Department's mission objectives while respecting and protecting the privacy and security of information collected about individuals.


    Appendix: Background Materials on RFID Technology

    INFORMATION SECURITY: RADIO FREQUENCY IDENTIFICATION TECHNOLOGY IN THE FEDERAL GOVERNMENT, GAO-05-551 (May 2005), available at http://www.gao.gov/new.items/d05551.pdf

    RADIO FREQUENCY IDENTIFICATION: OPPORTUNITIES AND CHALLENGES IN IMPLEMENTATION, DEPARTMENT OF COMMERCE (April 2005), available at http://www.technology.gov/reports/2005/RFID_April.doc

    FINAL REGULATORY FLEXIBILITY ANALYSIS OF PASSIVE RADIO FREQUENCY IDENTIFICATION (RFID), prepared by the Office of the Under Secretary of Defense for Acquisition Technology & Logistics, available at http://www.acq.osd.mil/log/rfid/EA_08_02_05_UnHighlighted_Changes.pdf

    RADIO FREQUENCY IDENTIFICATION: APPLICATIONS AND IMPLICATIONS FOR CONSUMERS, A WORKSHOP REPORT FROM THE STAFF OF THE FEDERAL TRADE COMMISSION (March 2005), available at http://www.ftc.gov/os/2005/03/050308rfidrpt.pdf

    RFID: APPLICATIONS, SECURITY, AND PRIVACY (Simson Garfinkel and Beth Rosenberg, Editors) (2006)

    ARTICLE 29 WORKING PARTY WORKING DOCUMENT ON DATA PROTECTION ISSUES RELATED TO RFID TECHNOLOGY, 10107/05/EN, WP 105 (January 19, 2005), available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf

    CDT WORKING GROUP SET OF BEST PRACTICES FOR THE COMMERCIAL USE OF RFID, May 1, 2006, available at http://www.cdt.org/privacy/20060501rfidbestpractices.php. Note that this paper deals largely with the commercial use of RFID, as opposed to the use of RFID by the government; the Committee is grateful to have received two sets of written comments by the CDT on this paper, and has taken those comments into account in drafting this paper.

    PRIVACY GUIDELINES FOR RFID INFORMATION SYSTEMS, prepared by Ann Cavoukian, Ph.D., Information and Privacy Commissioner/Ontario, June 2006, available at http://www.ipc.on.ca/docs/rfidgdlines.pdf