The Privacy Office is seeking comments on the report, which are due by May 22.
The critical report comes against the background of a continuing debate within the department over the security and privacy issues surrounding the use of RFID technology to identify people at border crossings.
State and DHS are considering the benefits of establishing a single RFID standard for an array of border-crossing credentials. They include:
- The SENTRI and Nexus trusted traveler cards
- The “laser visa” Mexican Border Crossing Card
- The Free and Secure Trade card for truck drivers
The People Access Security Service card now being developed will comprise a “passport-lite.”
In addition, the U.S. Visit program is promoting the use of nonsecure RFID technology to identify foreigners carrying I-94 immigration forms as they leave the country.
But the draft report roundly condemns RFID technology, stating that it can be used to monitor human behavior. The report endorses the use of RFID for miners and firefighters in dangerous situations.
“Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example) but can in fact be used for monitoring human behavior,” the report states.
“For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings,” the report continues. “When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.”
The report goes on to specify various ways in which information stored on RFID tags can be compromised or improperly used for human surveillance. It notes that RFID units can slightly reduce the delay when people pass through checkpoints, but says “Against these small incremental benefits of RFID are arrayed a large number of privacy concerns.”
The report proposes methods to be used when deciding whether or not to use RFID technology and best practices to maintain privacy in RFID systems used to track humans.
Industry representatives have been at pains to distinguish between insecure RFID technology and the secure technology that they refer to as contactless smart cards. Both technologies use radio frequency transmission to transfer data.
Neville Pattinson, director of Technology & Government at Axalto Inc. of Austin, Texas, offered a representative comment from the smart-card industry. He welcomed the public comment period on the report.
“It’s inappropriate to use RFID technology for tracking and authenticating identities of people,” Pattinson said.
“You can think of RFID as an insecure barcode with an antenna. In contrast, not everything that uses radio frequencies is RFID,” Pattinson wrote in an e-mail comment on the report.
“Wireless computers and mobile phones use radio frequencies too, but they’re secure devices because they contain computers and are securely associated with individual identities over networks,” he wrote.
According to Pattinson, contactless smart-card technology is not the same as RFID. He compared contactless smart cards to secure wireless computers.
“Contactless smart cards are suitable for identifying individuals because the technology has all of the security features to protect the privacy of the individual and secure the identity of the individual in identification applications,” Pattinson wrote. “Contactless smart cards are the appropriate technology to uphold privacy and security.”
Autor/Author: Wilson P. Dizard III
Quelle/Source: Government Computer News, 17.05.2006