Brought to you as a public service of the Open Spectrum Foundation (Stichting Open Spectrum), Amsterdam - Prague

 openspectrum.info logo

NEWS

RFID criticized by US Dept. of Homeland Security subcommittee

From "DHS Subcommittee Questions RFID Security" by Renée Boucher Ferguson, eWeek, 24 May:

"Despite the US Department of Homeland Security's efforts to steamroll through the use of RFID technology in all US issued passports by the end of 2006, not every governmental entity believes RFID is the answer to speedier passport checks.

"A draft report released May 23 by a subcommittee of the DHS' Data Privacy and Integrity Advisory Committee (a group within the DHS Privacy Office) urges that the government 'consider carefully' its use of RFID to track people. The reason: the technology is rife with security and privacy issues, the report said.

" 'RFID increases risks to personal privacy and security, with no commensurate benefit for performance or national security,' reads the report, titled 'The Use of RFID for Human Identification.' 'Most difficult and troubling is the situation in which RFID is ostensibly used for tracking object[s]... but can be in fact used for monitoring human behavior.' The point, according to the DHS subcommittee report, is that utilizing RFID to track individuals presents potentially risky outcomes... At the same time, RFID technology will not present any of the speed and efficiency gains the DHS said it will achieve in implementing electronic passports.

"Potential risks include the prospect that individuals will 'likely be subject to greater surveillance,' and will be less aware of what information is being transferred, or when it's transferred, and may have personal data intercepted.

"The report points out two commonly known security breaches possible with RFID data transmission: skimming and eavesdropping. Skimming happens when someone creates an unauthorized connection with an RFID tag to gain access to the data contained in it. Eavesdropping, on the other hand, is the interception of the communication between an RFID tag and reader to gain access to data being transmitted.

"While the State Department, which will be the issuer of electronic passports, will incorporate technology that blocks skimming through encryption, it's not the entire answer, according to the Privacy Office. 'Though indecipherable itself, the encrypted information can act as an identifier if it remains the same each time it is skimmed,' according to the report.

"The DHS Privacy Office is not the first governmental agency to release such findings. In May of 2005 the U.S. Government Accounting Office released a report titled, Information Security: Radio Frequency Identification Technology in the Federal Government that identified a number of security issues. The basic complaint posited by that report is that without effective security controls, data that's transmitted through the air can be intercepted for potentially nefarious means, and data stored in databases can be accessed by unauthorized users.

"However it's unclear what, if any, impact either report will have on the DHS' plans to move forward with its electronic passport plans. 'When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of specific security and privacy safeguards,' says a telltale passage in the report.

"Neither a Privacy Office or DHS spokesperson was available at press time.

"Some privacy advocates also see an inconsistency with the subcommittee's report. 'It's a good idea that the Privacy Office is trying to put the brakes on RFID in passports,' said Katherine Albrecht, founder and director of RFID watchdog organization CASPIAN. 'But there's one other important point: Where [the Privacy Office] was really sounding the alarm on privacy, they were hedging their bets with a compromise conclusion - that there are ways to use RFID if you put the appropriate safeguards in place.' Security and privacy advocates would argue the point, according to Albrecht.

"The DHS Data Privacy and Integrity Advisory Committee is set up to advise the secretary of the DHS, along with its chief privacy officer, on technology issues that affect individual privacy as well as on other privacy related issues.

"The report suggests a number of things the DHS can do to ensure more security and privacy for electronic passport carriers, including: employing a deactivation, or kill switch, to shut off RFID data transmission after a certain time; employing blocking technology to deter skimming and eavesdropping; adopting an 'opt in/opt out' framework so that people can chose whether or not to have their passports embedded with an RFID chip; and mitigating secondary use by reducing the compatibility of readers and tags.

"In January 2005, DHS announced that it would start testing RFID technology at five US border crossing points. The tests, which have continued through the spring of this year, are part of an earlier initiative by the DHS, US-VISIT, to gather digital fingerprints and photos of all non-US citizens entering the country. The DHS is also testing RFID at airports, through its CAPPS program.

"Presumably building on its findings, the DHS said in 2005 that it would enable all US passports with passive RFID chips by the end of 2006, despite an overwhelming majority of objections from citizens that weighed in on the subject during the State Department's call for public comments. Of the 2,335 remarks received regarding the introduction of electronic passports, 98.5 percent were negative. Over 2,000 people listed security and privacy as a top concern..."

[Click here for a collection of links to dozens of earlier eWeek articles about RFID.

"The Use of RFID for Human Identification" report will be discussed at a public meeting of the DHS Privacy Advisory Committee in San Francisco on 7 June 2006. The period in which the public can submit written comments on the draft report may have already ended - the DHS website is unclear on this point, but it notes that "Comments will be considered on an ongoing basis." So perhaps it is not too late to send your thoughts to privacycommittee@dhs.gov.]

[: 25 May 2006]

Click here for the LATEST HEADLINES

Recent News...

Bluetooth profile for medical devices due in 2007 (24 May)

802.11n standard to split into fixed, mobile versions? (22 May)

WiFi partly de-licensed in Kyrgyzstan (22 May)

License exempt RF enables localised services: new book, online forum, conference (21 May)

"Affluent early adopters" prefer home WiFi - survey (11 May)

The developing 802.11s wireless mesh standard (11 May)

"AT&T and MobiTV to provide live TV via WiFi hot spots" (10 May)

Report on Software-Defined Radio for Public Safety (8 May)

UWB radar detects buried victims' breathing (8 May)

"RF switch" integrates wireless technologies (8 May)

Wireless sensors monitor and "learn" patterns of behavior for senior home care (8 May)

"The RFID Hacking Underground" (6 May)

Questionaire and Workshop Presentations on Wireless Commons (4 May)

Gigabit UWB for whole-house multimedia (2 May)

"RFID tags used to teach English" (2 May)

RFID Privacy Best Practices Guide (2 May)

"RFID 'Til the Cows Come Home" (25 April)

Developing smart, flexible radios: unsolved problems come into focus (25 April)

Rain/freeze sensor controls irrigation wirelessly (25 April)

"Vision Goes Wireless" (21 April)

Workshop on the collective use of spectrum (Brussels, 27 April) (21 April)

Industrial "Wireless Users Summit" (21 April)

The Forecast Umbrella (17 April)

Austrian highways to get wireless Internet (17 April)

Smart Radio Challenge (14 April)

"World's First RFID-Enabled Arcade Games" (13 April)

RFID tags susceptible to DoS attacks, data-rewrites (12 April)

3 European consultations on license exempt radio (10 April)

"A Single Chipset for Global UWB" (7 April)

Wireless sensor nets make infrastructure smarter (7 April)

Spread Spectrum: Hedy Lamarr and the Mobile Phone (7 April)

RFID-enabled bins track trash by household (6 April)

More pressure for license exempt use of empty TV channels (6 April)

"Cellular WiFi" for mobile/municipal coverage (5 April)

Is wireless creating "an environment of tyranny?" (5 April)

Visit our News Archive for additional stories.

To receive the openspectrum.info newsfeed by email, enter your email address:

(Email subscriptions managed by FeedBurner)