DHS Subcommittee Questions RFID SecurityBy Renee Boucher Ferguson | Posted 2006-05-24 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
The DHS' Data Privacy and Integrity Advisory Committee warns that RFID technology has too many security and privacy issues to be trusted with tracking people.
Despite the U.S. Department of Homeland Security's efforts to steamroll through the use of RFID technology in all U.S. issued passports by the end of 2006, not every governmental entity believes RFID is the answer to speedier passport checks.
A draft report released May 23 by a subcommittee of the DHS' Data Privacy and Integrity Advisory Committee (a group within the DHS Privacy Office) urges that the government "consider carefully" its use of RFID to track people.
The reason: the technology is rife with security and privacy issues, the report said.
"RFID increases risks to personal privacy and security, with no commensurate benefit for performance or national security," reads the report, titled "The Use of RFID for Human Identification."
"Most difficult and troubling is the situation in which RFID is ostensibly used for tracking object ... but can be in fact used for monitoring human behavior."
The point, according to the DHS subcommittee report, is that utilizing RFID to track individuals presents potentially risky outcomes that are currently "difficult to predict."
At the same time, RFID technology will not present any of the speed and efficiency gains the DHS said it will achieve in implementing electronic passports.
Potential risks include the prospect that individuals will "likely be subject to greater surveillance," and will be less aware of what information is being transferred, or when it's transferred, and may have personal data intercepted.
The report points out two commonly known security breaches possible with RFID data transmission: skimming and eavesdropping.
Skimming happens when someone creates an unauthorized connection with an RFID tag to gain access to the data contained in it. Eavesdropping, on the other hand, is the interception of the communication between an RFID tag and reader to gain access to data being transmitted.
While the State Department, which will be the issuer of electronic passports, will incorporate technology that blocks skimming through encryption, it's not the entire answer, according to the Privacy Office.
"Though indecipherable itself, the encrypted information can act as an identifier if it remains the same each time it is skimmed," according to the report.
The DHS Privacy Office is not the first governmental agency to release such findings. In May of 2005 the U.S. Government Accounting Office released a report titled, "Information Security: Radio Frequency Identification Technology in the Federal Governments" that identified a number of security issues.
Read the full story on eWEEK.com: DHS Subcommittee Questions RFID Security