Agencies said to overlook ID tag privacy and security issues

As the private and public sectors adopt technology allowing commuters to travel through toll booths and librarians to track the location of books, security and privacy concerns have gone unheeded, according to congressional auditors.

Best known for tracking materials in warehouses, radio-frequency identification (RFID) technology is rapidly ushering out the era of the bar code and the magnetic strip for identifying documents, materials and people. RFID technology centers on a chip or tag that is embedded in or attached to anything from tanks to documents to pallets. The chip emits radio signals that can be sensed by a reader, which feeds the information into a database.

Tags cost anywhere from 20 cents to $20, depending on their capabilities, and can be read from a range of 20 to 750 feet.

In a survey of 16 agencies about RFID use, the Government Accountability Office found that only one is considering the issues of protecting a person's privacy while tracking sensitive information.

Of the 24 departments that fall under the 1990 Chief Financial Officers Act, 13 have plans to implement some form of RFID technology, according to GAO. The Defense Department, one of the heaviest users, tracks shipments with it; the Homeland Security Department tracks baggage and weapons on flights; and the State Department wants to embed chips in passports.

The report (GAO-05-551) found that six of the agencies with plans to implement RFID technology are looking at security considerations, which include ensuring that only authorized users can access the information and keeping the chips' data safe from illicit changes.

The implementation of security protocols mandated by the 2002 Federal Information Security Management Act can help reduce the risk of security problems, the report states. Encryption of data could be necessary for protection from unauthorized access.

Privacy issues include the fear that RFIDs could be used to track people without their authorization, the GAO report states. The chips could gather information on a person's habits and preferences, and as the tags become more pervasive, secondary uses of that information could create additional concerns.

The legal framework governing RFID privacy is found in the 1974 Privacy Act, which limits the government's use and disclosure of personal information, but there are no limits on how agencies can collect that information.

COMMENTS

  • Part II of my comments... In the case of the future passport… Everywhere an American traveler goes in a foreign country they are required to keep their passport on their person at all times. The passport can be cloned as described in my first commentary, and since the passport holder will have their passport on them, they won’t have made a report to law enforcement of the identity theft. Hence, the identity theft by cloning won’t be added to an Interpol list of lost and stolen passports. An identity thief will be able to pass through U.S. immigration checkpoints without creating the slightest bit of suspicion with ICE officers. Identity theft by cloning, exploiting the RF capabilities of smart cards, has already happened in France, so the description above is not speculative but has already happened. I suggest anyone issued the State Department’s future passport evade any nation where it is already known the tech know-how exists and clones of RF credentials have been made.
  • No one has published how RF platforms defeat the purposes for which they are intended. It is possible to remotely capture the data stored on RF chips using an altered flash camera, smart card reader or crude made-at-home device. Smart card readers now come the size of cell phones and PDAs, so are not easily distinguished at distances from other small smart devices. Both smart card readers and flash cameras are in wide distribution, so the tools to capture data stored on RF chips from remote distances are readily available in the mass market. Furthermore, RF travels in a radius around smart chip identification credential holders--data can be stolen remotely by thieves standing to the front, sides and flank of RF-enabled credential holders. The thief could even be behind an obstacle, so be fully obscured from a RF credential holder's vision. Everywhere an RF credential holder goes the data stored on their credential can be stolen without their knowledge. It is possible to clone RF chips using smart card readers and rudimentary made-at-home devices. Since RF-enabled credential holders would have their credential on their person they would have no reason to suspect a thief has stolen the data stored on their credential and is to clone their credential. A lack of discovery means a failure to make a report to law enforcement. Everywhere the original RF credential holder’s reputation would permit them, a thief will be permitted to gain entry/access riding on the original credential holder’s reputation. The thief wouldn’t draw the slightest bit of suspicion. The addition of biometrics to an RF platform is easily overcome. A “tool” used to load and unload data stored on smart chips costs retail $5,000. If chips are purchased in mass quantities, the manufacturer often throws the tool in the box for free. Once an identity thief has purchased a tool, they can easily unload the biometrics of the original card holder from a cloned chip and load the biometrics of an identity thief so that the identity thief's biometrics are matched to the original card holder’s demographics on a cloned chip.