RFID privacy issues loom large
Despite improvements in encryption and access control technology, users of radio frequency identification, or RFID, systems and their customers should cast a wary eye toward the burgeoning technology, according to experts speaking at IWCE 2007 in March.
Although Generation 2 RFID systems incorporate advanced encryption, access controls that necessitate a “handshake” between the tag and reader before any information is transferred and the ability to lock down the tag, the safeguards aren’t foolproof, said Ron Plesco, director of the privacy and special projects division for consultancy SRA International.
“It’s nuts to put personal information on RFID tags,” Plesco said.
Nevertheless, it’s happening with greater frequency and often without the knowledge of the public. The Department of State has tested the technology in entrance and exit documents at five crossing points along the U.S./Canadian border and will incorporate the technology in passports beginning next year. Meanwhile, Washington State is using long-range RFID — which provides a read-range of 30 feet or more, perhaps as much as 70 feet — in driver’s licenses.
RFID tags are “remotely and secretly readable,” a vulnerability that becomes more troubling when the public isn’t aware its personal information might be at risk, said Melissa Ngo, director of the Electronic Privacy Information Center’s Identification and Surveillance Project. “If someone steals your wallet, you know it’s gone, and you can take the proper steps,” Ngo said. “With RFID, you don’t know.”
Lee Tien, senior staff attorney for the Electronic Frontier Foundation, described RFID as a “very insecure” technology that’s likely to pass along sensitive information. He’s particularly troubled by the use of RFID in applications such as passports and driver’s licenses because the owners of those documents have little choice in the matter.
“You can’t choose another technology that’s more secure — you have to take it or leave it,” he said.
Tien suggested that state and local government refrain from using RFID in such situations until it collects empirical data that defines the risks, as well as the solutions needed to mitigate those risks. Only then can a government agency make an informed decision as to whether the use of RFID is worth the associated risks.
“There hasn’t been enough data collected so far to know for sure what the real risks are,” Tien said. “Much of the time, what is thought to be possible differs from reality.”
Kenneth Mortensen, acting chief of staff for the Department of Homeland Security’s Privacy Office, agreed that risk assessment and greater disclosure should be necessities going forward for any entity contemplating the use of RFID technology.
“We need to be transparent in terms of how this technology is going to be used,” Mortensen said. “We need to tell people that their credentials contain an RFID tag. There hasn’t been openness about this.”
He added that this applies to companies in the private sector as well. “You’re not told at [the clothing store] that there’s an RFID tag in the sweater you just bought,” Mortensen said. “You’re told that you should cut out the tag before wearing, but you’re not told why.”
Ngo agreed and said EPIC guidelines suggest that retailers remove or disable RFID tags before the customer leaves the store and refrain from collecting data from the tag, which often occurs for marketing purposes.
In addition to implementing appropriate safeguards to prevent the interception of personal information, Mortensen recommended RFID users — particularly government entities — ensure that only the information needed for a specific application is transmitted — “nothing extraneous” — and that use limits be defined.
“Additional uses should be put out for public comment,” he said. “That will guard against mission creep.”