The Use of RFID for Human Identification

A DRAFT REPORT from DHS Emerging Applications and Technology Subcommittee to the Full Data Privacy and Integrity Advisory Committee

Version 1.0

This report has not been considered or approved by the Full Data Privacy and Integrity Advisory Committee and has not yet been provided to the Secretary or the Chief Privacy Officer of the Department of Homeland Security as a formal recommendation.

I. Introduction

The purposes of this paper are to: (1) address the use of Radio Frequency Identification technology (RFID) by the Department of Homeland Security (DHS) to identify and track individuals; (2) outline the potential data privacy and integrity issues implicated by this use of RFID technology; (3) offer guidance to the Secretary of DHS, program managers, and the DHS Privacy Office on deciding whether to deploy RFID technology to track individuals; and (4) offer steps to consider in order to mitigate privacy and data integrity risks when planning to use RFID to identify and track individuals.

II. Executive Summary

Automatic identification technologies[1] like RFID have valuable uses, especially in connection with tracking things for purposes such as inventory management. RFID is particularly useful where it can be embedded within an object, such as a shipping container.

There appear to be specific, narrowly defined situations in which RFID is appropriate for human identification. Miners or firefighters might be appropriately identified using RFID because speed of identification is at a premium in dangerous situations and the need to verify the connection between a card and bearer is low. But for other applications related to human beings, RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security.
Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example), but can be in fact used for monitoring human behavior. These types of uses are still being explored and remain difficult to predict.

For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings. When DHS does choose to use RFID to identify and track individuals, we recommend the implementation of the specific security and privacy safeguards described herein.

[1] “Automatic identification technology” (AIT) is used here to refer to means of identifying things or individuals, collecting data about them, and automatically causing that data to be entered into a computer system, with no human interaction. Examples of AIT’s include bar codes, optical character recognition, RFID, biometrics, magnetic stripes, smart cards, and voice recognition. See http://en.wikipedia.org/wiki/Automated_identification_and_data_capture. See also RFID: APPLICATIONS, SECURITY, AND PRIVACY (Simson Garfinkel and Beth Rosenberg, Editors) (2006) at 4.

III. Background

RFID is a leading automatic identification technology. RFID tags communicate information by radio wave through antennae on small computer chips attached to objects so that such objects may be identified, located, and tracked. The fundamental architecture of RFID technology involves a tag, a reader (or scanning device), and a database.
A reader scans the tag (or multiple tags simultaneously) and transmits the information on the tag(s) to a database, which stores the information. Transmitting identification data by radio rather than by manual transcription increases the quality, speed, and ease of that information transfer, which is the basis for the technology’s appeal.

RFID tags can be installed on objects such as products, cases, and pallets. They can also be embedded in identification documents and even human tissue. Both the private and public sectors are increasingly using RFID to track materiel (such as for inventory management), but RFID is also being considered and adopted by DHS and other government agencies for use in tracking people.

While RFID can demonstrably add value to manufacturing, shipping, and object-related tracking, there is an impulse at this time to deploy it for purposes to which it is not well suited. RFID’s comparative low cost, invisibility, and ease of deployment in automated tracking often make it appear more attractive than the alternatives. RFID may also address some logistical or efficiency problems in human identification and tracking, but some current and contemplated uses of RFID for tracking people may be misguided. Attempts to improve speed and efficiency through using RFID to track individuals raise important privacy and information security issues.

This paper is not a tutorial on RFID technology itself.[2] Nor does it address the problem of developing international standards to support widespread deployment of RFID technology efficiently. Rather, this paper addresses only the privacy and data integrity issues raised by the use of RFID when explicitly designed and used for tracking people. It does not discuss the use of RFID on general objects, such as clothing or food items purchased from a store that might be used to track people without their knowledge or consent.
This latter practice raises far greater privacy concerns than explicit tracking and it should be rejected in all cases except when the security mission calls for tracking individuals about whom suspicion has met an appropriate legal threshold.

[2] We have included an Appendix to this paper listing background materials on RFID.

IV. The Legal Basis for RFID Use in Human Identification

We know of no statutory requirement that DHS use RFID technology, specifically, to track people. The major laws, executive orders, and programs under which RFID is being considered or used are either permissive as to technology or not legally binding on the U.S. government.[3]

In this analysis of RFID as a generic technology, we cannot address all the rights, statutes, and regulations that may limit the use of RFID for human tracking, limit the use of information collected via RFID, or grant individuals rights pertaining to data collected via RFID. When RFID is used for human tracking, the data collected will undoubtedly comprise a “system of records” under the Privacy Act of 1974. People should have at least the rights accorded them by that law when they are identified using RFID. Systems using RFID technology are, of course, also subject to the E-Government Act’s Privacy Impact Assessment requirements.

V. RFID for Human Identification: Clarifying Incorrect Assumptions

A number of DHS programs are premised on the identification of human subjects.
At the border in the US-VISIT program, at airports in the CAPPS I program, and at entrances to secure facilities of all kinds, checking identification cards is a routinely used security measure.

Behind many of the current ideas for using RFID in human identification is a commonly held misperception that RFID improves the speed of identification. RFID is a rapid way to read data, but RFID does not identify individuals. If RFID is tied to a biometric authentication factor, it can reliably identify human beings; but tying RFID to a biometric authentication negates the speed benefit.

A. Controlling Access, Controlling Borders, and Interdicting Suspects

Checking identification is intended to achieve a number of different goals: Facilities managers use identification to control access to sensitive infrastructures that may be damaged or used to harm Americans. They use it to control access to facilities where sensitive information about other infrastructure may be kept, or where security planning or operations are carried out. The government uses identification administratively to track the border crossings of international travelers. At borders and checkpoints, identification can help detect and interdict undesirable entrants to the country and known or suspected terrorists.

[3] The REAL ID Act, about which regulations are still being formulated, calls for a “machine-readable technology” but does not specify the technology. Homeland Security Presidential Directive 12 calls for “a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).” The State Department adopted RFID technology in the e-passport to meet International Civil Aviation Organization standards, which are not legally binding on the U.S. government.

These identification processes are intended to protect a wide variety of institutions, infrastructures, processes, and persons from a wide variety of threats, each having a different risk profile. At base, checking identification seeks to interdict potential attackers on our institutions, infrastructure, and people.

We make no effort here to determine how well the practice of identifying people achieves this mission, how well identification systems are secured against corruption and fraud, or whether the protection provided by identification-based security outweighs its costs to privacy and other interests. We only address here the difference between those identification processes using RFID and those not using RFID.

We are aware of two reasons to use RFID in identification processes: to increase the speed and efficiency of identification processes and to hinder forgery and tampering with identification documents. An RFID-chipped identification card can quickly communicate information from the card to a reader from a distance, without a line of sight or physical contact between a card and reader. With the proper use of encryption, information on an RFID chip can be rendered very difficult, if not impossible, to forge or alter.

B. RFID Can Reduce Delay at Entrances and Checkpoints

It takes some time to check a traditional identification document.
The process typically includes handing the document to a verifier, who must review the information on the card and authorize the bearer to pass, record the bearer’s passing, or, if appropriate, detain the bearer. The verifier must also compare the identifiers on the card with the bearer to ensure that the bearer is the person identified by the card.

The use of RFID could dispense with one of these steps by eliminating the hand-over of the card. The other two steps are not affected by RFID. The verifier must still review authorizing information and compare the identifiers on the card with the bearer. These are distinct processes. The identification information communicated by an RFID-chipped identification card can be used to determine the bearer’s authorization, but it is not authorization itself. (An RFID-chipped card, just like any card, could have a separate data element indicating authorization, of course, provided it was secure against forgery and tampering.)

In order for any document or device to accurately identify someone, it must be linked to the person in some way. This is almost always through some form of biometric — a picture, description, fingerprints, or iris scan, for example. A document that is not linked to a person using a biometric is not a reliable identification document, just as someone holding a key to a house cannot be identified as the owner of the house based upon possession of that key alone.

The RFID-chipped I-94 Form, for example, is not directly linked to individuals by a reliable biometric.
The RFID chip in the form is useful for tracking the location of the form and correlating the form with a specific entry in a visitor database, but the form and the chip are easily transferred from one person to another. If the RFID-chipped I-94 Form were relied upon to indicate the location of a person without separate verification of identity, it would easily be used to defeat the regulation of border crossings.

In terms of speed, the use of RFID probably represents only a marginal improvement in speed over alternatives such as contact chips, 2-D bar codes, and optical character recognition. In some cases, RFID has offered no speed benefit at all. For example, to mitigate some security and privacy concerns, the State Department altered its (RFID-chipped) e-passport to require entering of a PIN number printed on the card to unlock the data on the chip.[4] The e-passport must be swiped through an optical character reader in order to gain access to the chip. This welcome personal security measure adds back the delay and inefficiency that RFID technology was designed to overcome, obviating the utility of RFID for this application.

RFID can reduce delay at entrances and checkpoints, but typically by only a small margin. Current deployments of RFID either do not provide reliable identification (the I-94) or do not reduce delay (the e-passport).

C. RFID Can Reduce Forgery and Tampering with Identification Documents

Encryption allows information to be encoded in such a way that it is hidden from casual view and any attempt at alteration or forgery can be reliably detected. Communicating information from an identification card via RFID allows encryption to be used, suppressing potential attacks on the integrity of the identification system through forgery and alteration.

There are many technologies other than encryption that also suppress forgery and alteration.
These include special inks, laminates, microtaggants, holograms, kinegrams, and specialized printing techniques, including microprinting, Guilloche printing, and gradient printing. Encrypted data can be hidden in the pixels on a card, giving the same guarantee against forgery offered by encryption in an RFID chip.

The anti-forgery benefit provided by the use of RFID in identification documents is not a product of its use of radio, but rather the fact that the data is in a digital format. Any data in digital format can be encrypted. Thus, RFID as such offers no anti-forgery or anti-tampering benefit over alternatives such as contact chips, bar codes, or pixelization.

[4] Department of State, Electronic Passport final rule, 70 Fed. Reg. 61553, 61554 (Oct. 25, 2005).

D. Use of RFID Creates Risks to Individuals

While improving identification-based security by small margins, if any, the use of RFID for human identification may create a number of risks that are not found in conventional and non-radio identification processes. Individuals will likely be subject to greater surveillance in RFID identification. They will be less aware of being identified and what information is transferred during identification, concerns that necessitate transparency in the design of RFID identification systems. And, finally, the use of RFID creates security risks that are not found in non-radio identification systems. These concerns are discussed in the next section.

VI. Effects of RFID for Human Tracking on Privacy and Related Interests

Identification-based security programs create many concerns relating to privacy and related interests. We confine our analysis here to the incremental concerns created by the use of radio to communicate identity information from a card or token to a reader.

A. Increased Surveillance and Eroded Privacy, Anonymity, and Seclusion

In a visual ID-check environment, a person may be briefly identified but then forgotten, rendering them anonymous for practical purposes. In a radio ID-check environment, by contrast, a person’s entry into a particular area can easily be recorded and the information permanently stored and repeatedly shared. In this way, RFID may convert identification-based security into an effective surveillance program of all people passing certain locations.

Without formidable safeguards, the use of RFID in identification cards and tokens will tend to enable the tracking of individuals’ movements, profiling of their activities, and subsequent, non-security-related use of identification and derived information.

This concern exists with all automatic identification technologies that communicate identification information in digital form. The advantage of being able to easily share such digital information is part of its appeal. The concern could be minimized, however, if identity information was maintained in analog form and digital information was used only to guarantee the security of the card or token against forgery or alteration.

Advanced “identity management” systems can permit cards and tokens to communicate only the specific information relevant to a particular authorization. Early examples exist,
Early examples exist, The Use of RFID for Human Identification A DRAFT REPORT from DHS Emerging Applications and Technology Subcommittee to the Full Data Privacy and Integrity Advisory Committee Version 1.0 This report has not been considered or approved by the Full Data Privacy and Integrity Advisory Committee and has not yet been provided to the Secretary or the Chief Privacy Officer of the Department of Homeland Security as a formal recommendation. 8 of 15