8/14/2019 RFID[1] YOU DONT WANT THESE
1/13
Data Privacy & Integrity Advisory Committee
The Use of RFID for Human Identity Verification
Adopted December 6, 2006
1 of 13
Report No. 2006-02
The Use of RFID for Human Identity Verification
This paper reflects the recommendations provided by the Data Privacy and Integrity Advisory Committee (Committee) to the Secretary and the Chief Privacy Officer of the Department of Homeland Security (DHS). The Committee's charter under the Federal Advisory Committee Act is to provide advice on programmatic, policy, operational, administrative, and technological issues relevant to DHS that affect individual privacy, data integrity and data interoperability and other privacy related issues.
I. Introduction and Executive Summary

The purposes of this paper are to: (1) offer an analytical framework for use by the Department of Homeland Security (DHS or the Department) in determining whether to deploy a Radio Frequency Identification (RFID) enabled system to identify and/or record the presence of individuals; and (2) offer a set of best practices to consider when DHS chooses to use an RFID-enabled system. The focus of this paper is on such systems in border crossing contexts. We believe that the issues raised in this paper are relevant to other credential or human identification related applications, and that the best practices we recommend are also applicable in those contexts.
There is general agreement among industry, government, and privacy advocates that automatic identification technologies such as RFID can have valuable uses, especially in connection with tracking things for purposes such as inventory management. RFID is particularly useful where it can be embedded within an object, such as a shipping container or a document.
There is less agreement among industry, the public, government, and the advocacy community on the appropriateness of using RFID-enabled systems to identify individuals passing a checkpoint. On the one hand, there is the potential for benefits in terms of greater accuracy, speed and efficiency when deploying an RFID-enabled system to identify individuals. Newer RFID credentials may also have added benefits of greater fraud prevention and tamper resistance than existing credentials. This would be the likely case in any new credential, whether RFID or not, but may be considered a collateral benefit of deploying new credentials. Such new technology may also increase both the cost and complexity of using forged documents. Lastly, there may be benefits in tracking lost identity credentials, such as preventing the casual/opportunistic misuse of the credential. However, it does not address issues related to concerted efforts to falsify credentials.
On the other hand, there are a variety of concerns about the use of such systems, including:

- The potential for unauthorized access to the data on the RFID-enabled device, or the data when in transit between the device and reader;
- The selection of RFID-enabled systems for an application if other existing and potentially less privacy-impacting alternatives can achieve the same benefit;
- The concern that the information produced by an RFID-enabled credential system for a stated purpose might be reused or leveraged for a second purpose without the knowledge or consent of those persons whose information was collected for the original purpose;
- The concern that the deployment of RFID-enabled systems represents the potential for widespread surveillance of individuals, including US citizens, without their knowledge or consent.
Before deploying any technology, the Department should define the program objective, determine what technologies may apply, and understand the benefits and concerns related to each deployment. With that as background, there needs to be an analysis of what is the least intrusive technology that can be used to accomplish the objectives of the program and what technologies can be used to help address any privacy concerns that exist.

With specific reference to RFID deployments, we recommend that if the Department, after careful consideration of all technologies and analysis of the least intrusive means to achieve department objectives, determines to deploy an RFID-enabled system to identify individuals, that it build in, from the design stage, sufficient privacy and security safeguards to ensure that the use of RFID-enabled systems meets the Department's objectives while respecting and protecting the privacy and security of information collected about individuals[1] throughout the lifetime of the system and, in the case of the information, beyond.
II. RFID Technology Overview

In order to frame this discussion, we begin by presenting a brief overview of RFID technology. This is not meant to be a complete tutorial discussion, since those may be found elsewhere.[2]

RFID is a type of automatic identification technology that enables the user to tag objects with a tiny[3] device that can later be detected by automatic means. That detection can range from simply noting the presence of the device, to obtaining a fixed identification number from the device, to initiating a two-way communication with the device. The essential functionality of the system is that when the tag is in the presence of an appropriate radio frequency (RF) signal emanated by a reader, the tag responds by sending back a reflected RF signal with information in response. Some can only operate over a very short distance of a few centimeters or less, while others may operate at longer distances of several meters or more. At the higher end of RF technology, the contactless RFID tags have been enhanced with the full capabilities of smart card chips containing general-purpose computer processors and larger non-volatile memory spaces.
[1] Some commentators have suggested that the Committee supplement this paper with a list of the various current and planned uses of RFID by the Department of Homeland Security. The Committee declines to do so for two reasons: first, any such list may soon become incorrect or obsolete; and second, because this paper is intended to serve as a framework for the Department to use in any evaluation of a program that would use an RFID-enabled system to identify individuals.

[2] Garfinkel and Rosenberg, eds., RFID Applications, Security, and Privacy. See also Department of Homeland Security Office of the Inspector General report entitled Enhanced Security Controls Needed for US-VISIT's System Using RFID Technology (Redacted), OIG-06-39 (June 2006) at 3-5, available at http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_0639_Jun06.pdf. Also see Appendix, Background Materials on RFID Technology.

[3] These are as small as 0.15 mm x 0.15 mm and thinner than a sheet of paper at 7.5 micrometers. See http://www.eetimes.com/news/design/showArticle.jhtml?articleID=179100286.
RFID tags can be made to respond only to specific readers (or ones implementing specific communication protocols). Today, almost all tags operate at a single or small range of frequencies using a single protocol. Some advanced readers may read more than one protocol but generally only at one frequency.

The tags come in three types: passive, active, and semi-active (or battery-assisted), each with its own set of operating characteristics.

Passive tags have no battery inside and, thus, must depend upon the current induced in their antennas by the reader's RF signal to perform their jobs. This allows the device itself to be smaller than active tag devices and increases their useful lifetime. Depending upon the technology, these passive tags can return a fixed value, be writable once and then read many times, or may be fully rewritable. Because of their dependence upon the reader's continuous RF signal for power to process and transmit their response, reading passive tags may be somewhat less reliable than reading active or semi-active tags.
Active tags contain their own battery. Once awakened by a reader's RF signal, these tags employ their own power to perform their jobs. Other active tags act like beacons that continually emit an identification signal. The advantage of the active tags over the passive is their typically greater computational capability, memory capacity, and the distance over which they may be read. While their batteries do have a limited lifetime, it is typically several years. Since their batteries power their response, active tags are more appropriate in situations where RF signals might encounter interference. Semi-active or battery-assisted tags are simply passive tags that use the tag's batteries to power their electronic circuits rather than depending on power drawn from the field of the reader. As a result, their range is longer than that of passive tags.
High-end, active RFID tags can have rather extensive computational capability. They can provide cryptographic functions to support more secure and private operations, have considerably larger memory capacities, and can enter into complicated communications protocols that could reduce the possibility of unintended communications with unauthorized readers.
One aspect of most RFID tags is that it is quite easy to awaken them with the appropriate RF signal. This implies that the object with which the tag is associated often does not need to do anything to enable this communications link. In the case of shipping containers or livestock, this is a clear advantage. However, this automatic feature has proven controversial in the wide variety of applications of RFID technology around humans.
Today many RFID tags are passive, though a growing number are shifting to active or semi-active. Factors in these selections include both functionality and cost. The higher-end functions of RFID are still considered costly for broad commercial application. Size is also decreasing, but again the vast majority of tags are still applied to shipping cartons, containers and pallets. To date most RFID deployments are part of the commercial back end, dealing with supply chain and logistics. There is general agreement that many of the current applications such as supply chain/logistics and food safety are beneficial and have little to no negative privacy implication. As costs decrease and item level tagging becomes more feasible, greater penetration of beneficial applications, such as drug safety, warranty/service, product safety and product recall is likely to occur, but those functions may have greater privacy implications. The privacy implications arise from the possibility that the item is
carried by the person and, depending on the tag, technology and configuration, may be observed by other readers.
Where issues arise as to whether RFID may create privacy implications, certain technologies may be applied to limit the potential exposure of Personally Identifiable Information (PII). These technologies include encryption, kill switches, tearable tags, on/off switches and non-manufacturer technologies to block, disable, or zap tags. These technologies may be used alone or in combinations to achieve the desired levels of protection and functionality. Each of these functions will, of necessity, increase at least the initial cost of such RFID-enabled deployments. It should also be recognized that these technologies do not operate in a vacuum, but rather operate within the context of various laws and policies, which may further limit the type of information that can be collected or how such information can be used.
IV. The Legal Basis for RFID Use in Human Identification

The major laws, executive orders, and programs under which RFID is being considered or used are either permissive as to technology or not legally binding on the U.S. government.[4] Nevertheless, when an RFID-enabled system is used to collect data about individuals, the data collected will comprise a system of records under the Privacy Act of 1974. People should have at least the rights accorded them by that law when they are identified using RFID. Systems using RFID technology are also subject to the E-Government Act's Privacy Impact Assessment requirements.
V. Use of an RFID-Enabled System for Human Identification

A number of DHS programs are premised on the identification of human subjects. At the border, at airports, and at entrances to secure facilities of all kinds, checking identification cards is a routinely used security measure. RFID is a rapid way to read data, but RFID in a credential merely identifies the credential, not the individual bearing it. One or more biometric identifiers can be used to improve identification of human beings, but the steps needed to verify the biometric information using today's technology may reduce or negate the speed benefit offered by radio transmission. Earlier identification of a person approaching a point of identification could also provide security benefits if the information has not otherwise been communicated.
A. Controlling Access, Controlling Borders, and Interdicting Suspects

Whether through RFID or other means, checking identification is intended to achieve a number of different goals: Facility managers use identification to control access to sensitive infrastructures that may be damaged or used to harm people. They use it to control access to facilities where sensitive information about other infrastructure may be kept, or where security planning or operations are carried out. The government uses identification administratively to record the border crossings of
[4] The REAL ID Act, about which regulations are still being formulated, calls for a machine-readable technology but does not specify the technology. Homeland Security Presidential Directive 12 calls for a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). The State Department adopted RFID technology in the e-passport to meet International Civil Aviation Organization standards, which are not legally binding on the U.S. government.
international travelers. At borders and checkpoints, identification can help detect and interdict undesirable entrants to the country and known or suspected terrorists.

These identification processes are intended to protect a wide variety of institutions, infrastructures, processes, and persons from a wide variety of threats, each having a different risk profile. At base, identification checks by DHS seek to interdict potential attackers on our institutions, infrastructure, and people.
B. RFID Technology Can Reduce Delay at Entrances and Checkpoints, But Standing Alone, It Cannot Identify An Individual

It takes some time to check a traditional identification document. The process typically includes handing the document to a verifier, who must review the information on the document and authorize the bearer to pass, record the bearer's passing, or, if appropriate, detain the bearer. The verifier must also compare the identifiers on the document with the bearer to ensure that the bearer is the person identified by the document.

An RFID-chipped identification card can quickly communicate information from the card to a reader at a distance, without a line of sight or physical contact between a card and reader. Transmitting information via radio in advance can thus allow information to be pre-positioned before an individual approaches an entrance or checkpoint. While this may improve efficiency at the borders and checkpoints, the verifier must still review authorizing information and compare the identifiers from the card with the bearer in order to ensure that the RFID-enabled card is being carried by the person with whom it is associated. Thus, if the expected primary benefit of deploying RFID is speed and efficiency, care must be taken to ensure that the activities that are necessary to support it do not offset the gains brought by the RFID deployment.
VI. Privacy and Security Issues Associated with the Use of RFID for Human Identification

While RFID-enabled systems may provide at least incremental benefits in terms of efficiency of identification, the use of RFID-enabled systems for human identification may create a number of risks that are not found in conventional identification processes.
A. Potential for Privacy Risks

Digital identification systems pose privacy risks. In a visual ID check environment, a person may be briefly identified but then forgotten, rendering them anonymous for practical purposes. In a digital (RF-based) identity check environment, by contrast, a person's entry into a particular area can be recorded and the information stored for some period of time.[5] If not properly protected, this information could also be repeatedly shared or used for secondary purposes, even potentially used for broader surveillance.
[5] At its March 2006 meeting, then US-VISIT Director Jim Williams testified to this committee that biometric data collected digitally in that program is kept for 75 years, stating "we would not agree to expunge those records." Also, see Wilson P. Dizard III, "E-Passport's First Deployment," Government Computer News, Oct. 9, 2006, http://www.gcn.com/print/25_30/422491.html, where he reports that DHS also intends to keep data collected using the E-Passport system for 75 years.
There are particular risks of RFID as the basis for digital identification: (1) Unauthorized readers that enable other people to access the information contained in the RFID (skimming); (2) Interception of the transmission of the information by an unauthorized third party (eavesdropping); and (3) if no specific safeguards are put in place, the use of RFID-enabled systems could ultimately aid the monitoring of individuals' movements (tracking). While no DHS program plans any secondary use of the data that would create a profile of a person's activities for subsequent, non-security-related use, the potential for misuse remains.
B. The Difficulty with Notice to Subjects of RFID Identification

RFID-tagged identification documents present a significant problem in terms of notice along two dimensions. First, individuals carrying RFID-tagged documents may not always know when they are being identified and to whom, unless people begin carrying radio frequency detectors or purses and wallets that are impermeable to radio frequencies. Second, people with RFID-tagged documents may not always know what information they are sharing when they are identified using an RFID-enabled system. In a visual ID check environment, people know that only the information on the card is available to a verifier, along with any information linked to that card in databases.
C. Security is a Foremost Concern with Using RFID for Human Identification

Some of the greatest concerns with RFID-enabled systems used to identify individuals have to do with the security of the transmissions from the tags to the readers.

Making identification information available via radio frequency opens up two sources of security risks, commonly known as "skimming" and "eavesdropping." Skimming is creating an unauthorized connection with an RFID tag in order to gain access to its data. It allows someone outside of the identification system or program to gather information surreptitiously. This risk can be controlled a number of ways. One is to block the transmission of radio signals to and from the chip when it is not intended to be in use. For example, a Faraday cage or shield is a wire screen that prevents transmission of radio signals. The State Department's new e-passport will incorporate this technology. It is more convenient in a passbook type document like a passport than a card for which there would have to be some sort of wrapper or sleeve. This threat may be reduced through the use of some solution with higher functionality.
Another way to limit skimming is to encrypt the data transmission so that identification information appears indecipherable to anyone intercepting it who is not authorized to read it. However, this is not a complete solution. Though indecipherable itself, the encrypted information can act as an identifier if it remains the same each time the card is skimmed, just as a person might be known by a nickname.
Eavesdropping is the interception of the electronic communication session between an RFID tag and an authorized reader, again, in order to gain access to the data being transmitted. As with skimming, depending on the design of the system, an eavesdropper may be able to collect usable information from the communication between an RFID chip and an authorized reader even if the communication is encrypted.
One way to suppress eavesdropping is to limit carefully the environments in which identification cards are used. Another is to design the RFID chip so that no two communication sessions appear alike.
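The "encrypted but constant" identifier problem and the "no two sessions alike" design described above, as an added Python example that is not part of the Committee's report. It stands in an HMAC-SHA256 counter-mode keystream with an HMAC tag for whatever cipher a real chip would use, and the key and credential bytes are constructed for the demo; the only difference between the two tag variants is a fixed nonce versus a fresh random nonce per read.

```python
import hashlib
import hmac
import os

# Constructed demo values (not a real key or document). In a deployment the key
# lives in the card's chip and in the authorized readers' key store.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
CREDENTIAL = b"DOC:0000-0000;NAME:J DOE;EXP:2011-12"
NONCE_LEN = 16
MAC_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || (plaintext XOR keystream) || HMAC(nonce || body)."""
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + mac


def decrypt(key: bytes, message: bytes) -> bytes:
    """Authorized-reader side: check integrity first, then strip the keystream."""
    nonce, body, mac = message[:NONCE_LEN], message[NONCE_LEN:-MAC_LEN], message[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(b ^ k for b, k in zip(body, _keystream(key, nonce, len(body))))


def static_tag_reads(count: int) -> list:
    """Tag that encrypts under a FIXED nonce: every read returns byte-identical ciphertext,
    so the ciphertext itself becomes the 'nickname' the report warns about."""
    fixed_nonce = bytes(NONCE_LEN)
    return [encrypt(SHARED_KEY, CREDENTIAL, fixed_nonce) for _ in range(count)]


def randomized_tag_reads(count: int) -> list:
    """Tag that draws a fresh random nonce per session: no two responses look alike."""
    return [encrypt(SHARED_KEY, CREDENTIAL, os.urandom(NONCE_LEN)) for _ in range(count)]


def observer_can_link(reads: list) -> bool:
    """A skimmer or eavesdropper without the key can only match reads byte-for-byte."""
    return len(set(reads)) < len(reads)


def authorized_reader_recovers(reads: list) -> bool:
    """Both variants stay fully readable by a reader that holds the key."""
    return all(decrypt(SHARED_KEY, r) == CREDENTIAL for r in reads)


if __name__ == "__main__":
    for name, reads in (("static", static_tag_reads(3)), ("randomized", randomized_tag_reads(3))):
        print(f"{name:10s} linkable={observer_can_link(reads)} "
              f"readable={authorized_reader_recovers(reads)}")
```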
In any event, privacy and security must be built into the full life cycle of the RFID application from the outset: from the design stage, to deployment and use, to end of life. Just as privacy concerns must be identified in a broad and systemic manner, so too must technological solutions be addressed systematically.
D. RFID Security Issues Identified by the GAO

The United States Government Accountability Office addressed the use of RFID technology in a May 2005 report titled Information Security: Radio Frequency Identification Technology in the Federal Government (GAO Report).[6] The GAO Report identified a number of security issues that are implicated by federal (and commercial) use of RFID technology. Without effective security controls, the GAO Report stated, data on the tag can be read by any compliant reader; data transmitted through the air can be intercepted and read by unauthorized devices; and data stored in the databases can be accessed by unauthorized users.[7] The GAO stated that RFID systems should be designed to:

- Ensure that only authorized readers can read the tags, and that only authorized personnel have access to the readers;
- Maintain the integrity of the data on the chip and stored in the database;
- Ensure that the critical data is fully available when necessary;
- Mitigate the risk of various attacks, such as counterfeiting or cloning (when an attacker produces an unauthorized copy of a legitimate tag); replay (when a valid transmission is repeated, either by the originator or an unauthorized person who intercepts it and retransmits it); and eavesdropping;
- Avoid electronic collisions when multiple tags and/or readers are present; and
- Mitigate the likelihood that unauthorized components may interfere or imitate legitimate system components.
The GAO Report maintains that many security risks can be mitigated through compliance with the Federal Information Security Management Act (FISMA), which requires each agency to develop, document, and implement an agency-wide information security program. Specifically, FISMA requires agencies to:

- Engage in periodic risk assessments;
- Develop risk-based policies and procedures to reduce risks to an acceptable level;
- Develop plans for providing adequate information security for networks, facilities, systems, and groups of systems;
- Engage in security training for personnel and contractors;

[6] See GAO-05-551 (May 2005), available at http://www.gao.gov/new.items/d05551.pdf. See also Testimony of Gregory C. Wilshusen, Director, Information Security Issues, Before the Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity, House Committee on Homeland Security, June 22, 2005, available at http://www.gao.gov/new.items/d05849t.pdf.

[7] GAO Report at 19.
- Test the information security policies at least annually, including the testing of management, operational, and technical controls for every major information system;
- Develop a process to detect and report security incidents and a remedial action process; and
- Maintain procedures for continuity of operations in light of a security incident.

As it relates to RFID, an agency can reduce the risk of unauthorized use or access through encryption and authentication.

- Encryption should include the data in the tags, in the air, and when stored in a database.
- Authentication means verifying the claimed identity of a user. It can be used between tag and reader as a way to mitigate security risks. This can help prevent the unauthorized reading of and/or writing to tags.
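Tag-reader authentication of the kind the GAO bullet describes, as an added Python example that is not from the report or from the GAO. It is a constructed two-nonce challenge-response in which each side proves knowledge of a shared per-tag key (HMAC-SHA256 stands in for whatever primitive a real chip offers) before the tag reveals its identifier, so that an unauthorized reader gets nothing, a cloned tag without the key is rejected, and a recorded reader proof cannot be replayed because the tag's nonce changes every session. The key, identifier and single scheme-wide reader key are simplifications for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo values; a real deployment provisions a distinct key per tag.
TAG_ID = b"TAG-0001"
TAG_KEY = b"constructed-per-tag-key-not-a-real-secret"
NONCE_LEN = 16


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Tag:
    """Tag side: reveals its identifier only to a reader that first proves it holds the key."""

    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self._key = tag_id, key
        self._nonce = None

    def nonce(self) -> bytes:
        self._nonce = os.urandom(NONCE_LEN)      # fresh per session, single use
        return self._nonce

    def answer(self, reader_nonce: bytes, reader_proof: bytes):
        """Return (tag_id, tag_proof) if the reader's proof is valid, else None."""
        if self._nonce is None:
            return None
        session_nonce, self._nonce = self._nonce, None   # consume the nonce either way
        if not hmac.compare_digest(reader_proof, _mac(self._key, b"R", reader_nonce, session_nonce)):
            return None
        return self.tag_id, _mac(self._key, b"T", reader_nonce, session_nonce)


class ClonedTag(Tag):
    """Counterfeit that copied the identifier but not the key; it answers any reader."""

    def answer(self, reader_nonce: bytes, reader_proof: bytes):
        session_nonce, self._nonce = (self._nonce or b""), None
        return self.tag_id, _mac(self._key, b"T", reader_nonce, session_nonce)


class Reader:
    """Reader side. Simplification: one scheme-wide key instead of a per-tag key store."""

    def __init__(self, key: bytes):
        self._key = key

    def read(self, tag: Tag):
        """Return the tag's identifier if mutual authentication succeeds, else None."""
        reader_nonce = os.urandom(NONCE_LEN)
        tag_nonce = tag.nonce()
        reply = tag.answer(reader_nonce, _mac(self._key, b"R", reader_nonce, tag_nonce))
        if reply is None:
            return None                              # tag refused: reader could not prove the key
        tag_id, tag_proof = reply
        if not hmac.compare_digest(tag_proof, _mac(self._key, b"T", reader_nonce, tag_nonce)):
            return None                              # tag could not prove the key: clone
        return tag_id


def authorized_read():
    return Reader(TAG_KEY).read(Tag(TAG_ID, TAG_KEY))              # -> b"TAG-0001"


def skimming_attempt():
    """Unauthorized reader without the key: the tag never reveals its identifier."""
    return Reader(b"not-the-key").read(Tag(TAG_ID, TAG_KEY))       # -> None


def cloned_tag_read():
    """Counterfeit tag presenting the right id is rejected by the reader's own check."""
    return Reader(TAG_KEY).read(ClonedTag(TAG_ID, b"not-the-key")) # -> None


def replayed_reader_proof():
    """Eavesdropper records one session's reader proof and replays it in a later session."""
    tag = Tag(TAG_ID, TAG_KEY)
    reader_nonce = os.urandom(NONCE_LEN)
    recorded_proof = _mac(TAG_KEY, b"R", reader_nonce, tag.nonce())   # captured over the air
    genuine = tag.answer(reader_nonce, recorded_proof) is not None     # original session succeeds
    tag.nonce()                                                        # tag begins a new session
    replay = tag.answer(reader_nonce, recorded_proof) is not None      # same bytes, new tag nonce
    return genuine, replay                                             # -> (True, False)
```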
The GAO states that the privacy issues can be mitigated by compliance with existing legislation, including compliance with:

- The Privacy Act of 1974; and
- The Privacy Impact Assessment requirements of the E-Government Act.

The Department of Homeland Security's Office of Inspector General, in its report on the US-VISIT (The DHS Inspector General's Report),[8] also notes a number of steps that the Department of Homeland Security can take to ensure the security of databases used in RFID-enabled programs. Those recommendations included the development and implementation of procedures to strengthen the password management and user account processes relating to the database associated with an RFID-enabled program.
VII. Recommendations

The case for using RFID-enabled systems to track materiel is clear. The Department of Defense, for example, has produced a significant study showing the benefits of using RFID to tame the substantial logistical challenges it faces.[9] The case for using RFID-enabled systems by the government to identify and record the presence of individuals, however, requires a more careful analysis involving the mission to be accomplished, the alternative technologies available, and the practicability of employing safeguards to protect the privacy and security of information collected from and about individuals.
A. The Decision Whether to Use RFID to Identify Individuals

In light of the concerns associated with the privacy and security of information gathered by means of an RFID-enabled system, the recommendations in the GAO Report and the DHS Inspector General's Report, and in light of comments received by the Committee on the first draft of this paper and the Committee's own deliberations, the Committee recommends that Program Managers within the U.S.

[8] Department of Homeland Security, Office of Inspector General, Enhanced Security Controls Needed For US-VISIT's System Using RFID Technology (June 2006), https://www.dhs.gov/xoig/assets/mgmtrpts/OIG_0639_Jun06.pdf

[9] Final Regulatory Flexibility Analysis of Passive Radio Frequency Identification (RFID), prepared by the Office of the Under Secretary of Defense for Acquisition Technology & Logistics. See full reference in appendix.
in this question, because extensive collections of data have, in the past, tended to find new, unanticipated uses.

- How is the information maintained in the back-end systems protected? How long will the information in the database be kept? Is the length of time proposed appropriate given the objective at hand? Can the length of time be minimized without undermining the objective?
- Are there end-to-end auditing capabilities built into the system to monitor use and misuse of the information?

Risk Mitigation

Credential Risks

- What kinds of information are carried on the tag? What kinds of information are passed to a database? Is the amount and type of information narrowly tailored to accomplish the Department's objective?
- How is the information on the tag protected (encryption, no personal information is present on the card, etc.)?
- Is the communication with the reader secured? Are there adequate security protections to ensure that only authorized readers can read the tags?
- Does the RFID-enabled system include RF-blocking technology, such as that proposed by the U.S. Department of State for use in its passport jackets? If not, is there a legitimate reason not to have such a mechanism?
- What security safeguards are in place for the associated databases, tags, and transmissions from the tags to the databases? Have the Program Managers consulted with information security experts within the Department and, if necessary and appropriate, outside of the Department, to ensure that the program is adequately protected from skimming, eavesdropping, and other threats to the security and integrity of the system?

Net Effects

- On balance, if the Program Managers, in consultation with the DHS Privacy Office, determine that an RFID-based technology meets a legitimate Department objective, do privacy and security concerns outweigh the incremental benefits gained by using an RFID-enabled system over a system posing fewer privacy and security risks?
B. Proposed Best Practices for Use of RFID by DHS to Identify Individuals

The Committee recommends that if DHS chooses to deploy an RFID-enabled system to identify individuals, DHS should use as many of the following safeguards as possible and appropriate, given the proposed use:[11]

[11] These proposed best practices draw on a number of sources, including the GAO Report, the EPCglobal Guidelines for Electronic Product Codes for Consumer Products (see http://www.epcglobalinc.org/public_policy/public_policy_guidelines.html), and the Article 29 Working Party Working Document on Data Protection Issues Related to RFID Technology, 10107/05/EN, WP 105 (January 19, 2005) (available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf).
Notice: Individuals should know how and why RFID technology is being used, including what information is being collected and by whom. DHS should consider using standardized icons or other images to highlight the existence and use of RFID tags and the placement of readers;

Open Standards: Because RFID-enabled systems can be configured a variety of ways, it is important that the public have access to information about the design standards to which the systems are built. This information should not be limited to their intended uses, but their maximum capabilities should also be specified. Information about the maker of the chip, the integrator, and the provider of the data system should all be made public, to the extent consistent with national security and anti-circumvention concerns, so that the design and integration choices can be assessed by outside observers, auditors, and the affected public.

Choice and Control (Consent): Where possible, individuals should have the option not to participate in a program involving the use of RFID technology to record their movements, while maintaining the rights and privileges (but perhaps losing the convenience benefits) of other individuals who are participating in a program involving RFID technology. If a national security or other argument weighs against individual control, such an argument should be explicitly stated and the choice be made available to the extent possible. Perhaps under such circumstances, a notice and comment approach would be appropriate.

Securing Readers and Data: To mitigate eavesdropping and skimming, DHS should ensure that only authorized readers can receive signals from DHS-authorized RFID tags. Data should be encrypted on tags, in transit, and in the database. DHS should limit carefully the environments in which identification cards are used, and design the RFID chip so that no two communication sessions appear alike. As with any database program, DHS should take all appropriate steps to assure the security and integrity of the database itself. Overall, DHS should follow the security recommendations laid out in the GAO Report, including conducting a FISMA review of the program, as well as recommendations of the department's Office of the Inspector General.

Avoid Function Creep: DHS should use data collected by RFID technology only for the stated objective. It should keep data for only as long as necessary to meet the original objective for which it was collected.

Education Campaign: RFID technology is not well understood by much of the public. Government entities and the private sector often also lack a good understanding of how RFID technologies work and when and how they are best applied. As a result, there are many people for whom the use of RFID technology in identity systems is troubling. Most of their concerns could be easily resolved through education and openness. If it uses RFID, DHS should engage in an education campaign regarding the use of RFID, including why it is necessary and what rights and protections are afforded to individuals.

VIII. Conclusion

The Committee recommends that the Department of Homeland Security carefully weigh the considerations detailed in Section VII of this Report before deciding to deploy an RFID-enabled system to identify individuals. An RFID-enabled system should be secure, narrowly tailored to
effectively accomplish a Department objective, and the least intrusive to privacy and security in light of alternative technologies to accomplish that objective. Otherwise, the use of RFID, standing alone, may not be best suited for purposes of identifying individuals and other solutions should be considered. The Committee further recommends that if the Department determines to deploy an RFID-enabled system to identify individuals, that it build in, from the design stage, the safeguards outlined in Section VII of this Report to the extent possible to ensure that the use of RFID-enabled systems advances the Department's mission objectives while respecting and protecting the privacy and security of information collected about individuals.
Appendix: Background Materials on RFID Technology

Information Security: Radio Frequency Identification Technology in the Federal Government, GAO-05-551 (May 2005), available at http://www.gao.gov/new.items/d05551.pdf

Radio Frequency Identification: Opportunities and Challenges in Implementation, Department of Commerce (April 2005), available at http://www.technology.gov/reports/2005/RFID_April.doc

Final Regulatory Flexibility Analysis of Passive Radio Frequency Identification (RFID), prepared by the Office of the Under Secretary of Defense for Acquisition Technology & Logistics, available at http://www.acq.osd.mil/log/rfid/EA_08_02_05_UnHighlighted_Changes.pdf

Radio Frequency Identification: Applications and Implications for Consumers, A Workshop Report from the Staff of the Federal Trade Commission (March 2005), available at http://www.ftc.gov/os/2005/03/050308rfidrpt.pdf

RFID: Applications, Security, and Privacy (Simson Garfinkel and Beth Rosenberg, Editors) (2006);

Article 29 Working Party Working Document on Data Protection Issues Related to RFID Technology, 10107/05/EN, WP 105 (January 19, 2005), available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf.

CDT Working Group Set of Best Practices for the Commercial Use of RFID, May 1, 2006, available at http://www.cdt.org/privacy/20060501rfidbestpractices.php. Note that this paper deals largely with the commercial use of RFID, as opposed to the use of RFID by the government; the Committee is grateful to have received two sets of written comments by the CDT on this paper, and has taken those comments into account in drafting this paper.

Privacy Guidelines for RFID Information Systems, prepared by Ann Cavoukian, Ph.D., Information and Privacy Commissioner/Ontario, June 2006, available at http://www.ipc.on.ca/docs/rfidgdlines.pdf.