RFID: For every step forward, a step back
One of the most happening spots at the FOSE tradeshow
in March was the RFID Pavilion. Traffic was brisk; sessions were well attended. And what you heard a lot was government and industry gradually getting past all the negative publicity surrounding radio frequency identification and acknowledging the potential benefits of the technology.
Then a Homeland Security Department subcomittee chimes in with its draft report
, "The Use of RFID for Human Identification," whose authors conclude, "We recommend that RFID be disfavored for identifying and tracking human beings."
Is it possible we're back to the alarmist days of RFID? Proponents have been quick to point out that identifying and tracking people are two different things. Most experts agree the government shouldn't be in the business of tracking individuals through wireless means. But identifying them for the purpose of accessing facilities--or the nation--is a different story.
The draft, which states explicitly, "This report has not been considered or approved by the Full Data Privacy and Integrity Advisory Committee and has not yet been provided to the Secretary or the Chief Privacy Officer of the Department of Homeland Security as a formal recommendation," includes at least one remarkable passage.
In addressing potential privacy concerns around RFID (and there definitely are privacy issues to deal with--anyone would acknowledge that fact), the report says, "Individuals carrying RFID-tagged documents will have a difficult time determining when they are being identified and to whom. Unless people begin carrying radio frequency detectors or purses and wallets that are impermeable to radio frequencies, they will not know when the RFID chips in their identification cards are being scanned.
" [Emphasis added]
We can't help envisioning people in tinfoil hats protecting their brain waves.
Is it technologically possible? Sure. Likely? That's the rub. RFID applications that read identifying documents are likely to employ RF communications that only travel a few inches. Individuals will know who's trying to surreptitiously read their documents--they'll be the strangers standing way too close and holding an RFID reader up to their purses.
The comment period for the RFID draft report ended yesterday. The Smart Card Alliance, a non-profit industry group whose members include 22 government agencies, submitted a response and shared it with GCN. Here's some of what the alliance said:'We believe that the report defines RFID too broadly and, therefore, this recommendation will unduly restrict appropriate and secure applications of smart cards with RF technology that can meet the strictest privacy and security requirements'.
'The vast majority of identity applications do not track individuals, but have the goal to accurately and securely verify an individual's identity. These two applications of technology have very different purposes and require conscious policies to be put in place to protect the individual's privacy'.
'RFID technologies that are used to add value in manufacturing, shipping and object-related tracking operate over long ranges (e.g., 25 feet), were designed for that purpose alone and have minimal built-in support for security and privacy. Contactless smart cards, on the other hand, use RF technology, but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip.'
The Smart Card Alliance and other RFID proponents are not pooh-poohing the security concerns that dog RFID. But they are saying they can be addressed. After all, some are quick to point out, what is a credit card trail if not a way of tracking people under very specific circumstances? Policies and legislation prevent tracking regular folks through existing means. When it comes to RFID, technologies such as encryption and mutual authenitication contribute an extra layer to information security.
Is RFID the best, or even a necessary way of achieving the ID goals of government? It may be too early to say. But we're getting the sneaking suspicion we may never know.Posted by Brad Grimes
Posted by Brad Grimes, Joab Jackson on May 23, 2006 at 9:39 AM