DHS committee: RFID offers no security

The Department of Homeland Security Privacy Advisory Committee published a draft report on the use of radio frequency identification (RFID) tags to track people, urging caution and saying that the use of RFID “increases risks to personal privacy and security, with no commensurate benefit for performance or national security.”

Wait just a minute. No national security benefit for using RFID?

Consider for a moment the RFID-chipped I-94 form which is now being tested on foreigners traveling to the U.S.: “someone holding a key to a house cannot be identified as the owner of the house based upon possession of that key alone,” the report (PDF) says. “The RFID-chipped I-94 Form, for example, is not directly linked to individuals by a reliable biometric. The RFID chip in the form is useful for tracking the location of the form and correlating the form with a specific entry in a visitor database, but the form and the chip are easily transferred from one person to another. If the RFID-chipped I-94 Form were relied upon to indicate the location of a person without separate verification of identity, it would easily be used to defeat the regulation of border crossings.”

Repeat after me, people: Identification is not security.

And implanting the RFID chips in people isn’t the answer either. They can easily be removed or exchanged with other people through not very sophisticated home surgery with an X-Acto knife.

But of course, only people with something to hide would bother to do that. For everyone else, it’s Big Brother time:

In a visual ID-check environment, a person may be briefly identified but then forgotten, rendering them anonymous for practical purposes. In a radio ID-check environment, by contrast, a person’s entry into a particular area can easily be recorded and the information permanently stored and repeatedly shared. In this way, RFID may convert identification-based security into an effective surveillance program of all people passing certain locations.

Without formidable safeguards, the use of RFID in identification cards and tokens will tend to enable the tracking of individuals’ movements, profiling of their activities, and subsequent, non-security-related use of identification and derived information. . . .

It can be disempowering and unfair to collect certain types of information about people without their knowledge. Doing so prevents people from taking steps to conceal information they might prefer not to share. Human identification using RFID has serious potential to deprive people of notice that potentially highly specific, detailed information about them is being collected.

Not to mention skimming and eavesdropping, whereby a third party can gain access to the information on the RFID chip, and perhaps create a duplicate. Hello, identity theft!

The report is just a draft subcommittee report at this stage, and it’s unclear what, if any, effect it will have on DHS policy. But this sentence from the report is telling: “When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.” They said when, not if.

“It’s a good idea that the Privacy Office is trying to put the brakes on RFID in passports,” said Katherine Albrecht, founder and director of RFID watchdog organization CASPIAN.

“But there’s one other important point: Where [the Privacy Office] was really sounding the alarm on privacy, they were hedging their bets with a compromise conclusion–that there are ways to use RFID if you put the appropriate safeguards in place.” —

Homeland Security is testing RFID for tracking humans at five land border crossings using modified I-94 forms (I-94A) which contain RFID chips uniquely identifying the form. Most foreigners traveling to the U.S. are required to present the I-94 form when entering and leaving the country.

(Hat tip)