Agencies said to overlook ID tag privacy and security issues
A majority of agencies using radio-frequency identification technology aren't paying enough attention to such concerns, GAO says.
As the private and public sectors adopt technology allowing commuters to travel through toll booths and librarians to track the location of books, security and privacy concerns have gone unheeded, according to congressional auditors.
Best known for tracking materials in warehouses, radio-frequency identification technology rapidly is ushering out the era of the bar code and the magnetic strip for identifying documents, materials and people. RFID technology centers on a chip or tag that is embedded or attached to anything from tanks to documents to pallets. The chip emits radio signals that can be sensed by a reader, which feeds the information into a database.
The cost of a tag is anywhere from 20 cents to $20 depending on the tag's capabilities, and they can be read from a range of 20 to 750 feet.
In a survey of 16 agencies about RFID use, the Government Accountability Office found that only one is considering the issues of protecting a person's privacy while tracking sensitive information.
Of the 24 departments that fall under the 1990 Chief Financial Officers Act, 13 have plans to implement some form of RFID technology, according to GAO. The Defense Department, one of the heaviest users, tracks shipments with it; the Homeland Security Department tracks baggage and weapons on flights; and the State Department wants to embed chips in passports.
The report (GAO-05-551) found that six of the agencies with plans to implement RFID technology are looking at security considerations, which include ensuring that only authorized users can access the information and keeping the chips' data safe from illicit changes.
The implementation of security protocols mandated by the 2002 Federal Information Security Management Act can help reduce the risk of security problems, the report states. Encryption of data could be necessary for protection from unauthorized access.
Privacy issues include the fear that RFIDs could be used to track people without their authorization, the GAO report states. The chips could gather information on a person's habits and preferences and as the tags become more pervasive, secondary uses of that information could create additional concerns.
The legal framework governing RFID privacy is found in the 1974 Privacy Act, which limits the government's use and disclosure of personal information, but there are no limits on how agencies can collect that information.