The Use of RFID for Human Identification
A DRAFT REPORT from DHS Emerging Applications and Technology Subcommittee
to the Full Data Privacy and Integrity Advisory Committee
Version 1.0
This report has not been considered or approved by the Full Data Privacy and Integrity Advisory
Committee and has not yet been provided to the Secretary or the Chief Privacy Officer of the Department
of Homeland Security as a formal recommendation.
I. Introduction
The purposes of this paper are to: (1) address the use of Radio Frequency Identification
technology (RFID) by the Department of Homeland Security (DHS) to identify and track
individuals; (2) outline the potential data privacy and integrity issues implicated by this
use of RFID technology; (3) offer guidance to the Secretary of DHS, program managers,
and the DHS Privacy Office on deciding whether to deploy RFID technology to track
individuals; and (4) offer steps to consider in order to mitigate privacy and data integrity
risks when planning to use RFID to identify and track individuals.
II. Executive Summary
Automatic identification technologies1 like RFID have valuable uses, especially in
connection with tracking things for purposes such as inventory management. RFID is
particularly useful where it can be embedded within an object, such as a shipping
container.
There appear to be specific, narrowly defined situations in which RFID is appropriate for
human identification. Miners or firefighters might be appropriately identified using
RFID because speed of identification is at a premium in dangerous situations and the
need to verify the connection between a card and bearer is low.
But for other applications related to human beings, RFID appears to offer little benefit
when compared to the consequences it brings for privacy and data integrity. Instead, it
increases risks to personal privacy and security, with no commensurate benefit for
performance or national security. Most difficult and troubling is the situation in which
RFID is ostensibly used for tracking objects (medicine containers, for example), but can
be in fact used for monitoring human behavior. These types of uses are still being
explored and remain difficult to predict.
For these reasons, we recommend that RFID be disfavored for identifying and tracking
human beings. When DHS does choose to use RFID to identify and track individuals, we
recommend the implementation of the specific security and privacy safeguards described
herein.
1 “Automatic identification technology” (AIT) is used here to refer to means of identifying things or
individuals, collecting data about them, and automatically causing that data to be entered into a computer
system, with no human interaction. Examples of AITs include bar codes, optical character recognition,
RFID, biometrics, magnetic stripes, smart cards, and voice recognition. See
http://en.wikipedia.org/wiki/Automated_identification_and_data_capture. See also RFID: APPLICATIONS,
SECURITY, AND PRIVACY (Simson Garfinkel and Beth Rosenberg, Editors) (2006) at 4.
III. Background
RFID is a leading automatic identification technology. RFID tags communicate
information by radio wave through antennae on small computer chips attached to objects
so that such objects may be identified, located, and tracked. The fundamental
architecture of RFID technology involves a tag, a reader (or scanning device), and a
database. A reader scans the tag (or multiple tags simultaneously) and transmits the
information on the tag(s) to a database, which stores the information.
Transmitting identification data by radio rather than by manual transcription increases the
quality, speed, and ease of that information transfer, which is the basis for the
technology’s appeal. RFID tags can be installed on objects such as products, cases, and
pallets. They can also be embedded in identification documents and even human tissue.
Both the private and public sectors are increasingly using RFID to track materiel (such as
for inventory management), but RFID is also being considered and adopted by DHS and
other government agencies for use in tracking people.
While RFID can demonstrably add value to manufacturing, shipping, and object-related
tracking, there is an impulse at this time to deploy it for purposes to which it is not well
suited. RFID’s comparatively low cost, invisibility, and ease of deployment in automated
tracking often make it appear more attractive than the alternatives. RFID may also
address some logistical or efficiency problems in human identification and tracking, but
some current and contemplated uses of RFID for tracking people may be misguided.
Attempts to improve speed and efficiency through using RFID to track individuals raise
important privacy and information security issues.
This paper is not a tutorial on RFID technology itself.2 Nor does it address the problem of
developing international standards to support widespread deployment of RFID
technology efficiently. Rather, this paper addresses only the privacy and data integrity
issues raised by the use of RFID when explicitly designed and used for tracking people.
It does not discuss the use of RFID on general objects, such as clothing or food items
purchased from a store that might be used to track people without their knowledge or
consent. This latter practice raises far greater privacy concerns than explicit tracking and
it should be rejected in all cases except when the security mission calls for tracking
individuals about whom suspicion has met an appropriate legal threshold.
2 We have included an Appendix to this paper listing background materials on RFID.
IV. The Legal Basis for RFID Use in Human Identification
We know of no statutory requirement that DHS use RFID technology, specifically, to
track people. The major laws, executive orders, and programs under which RFID is
being considered or used are either permissive as to technology or not legally binding on
the U.S. government.3
In this analysis of RFID as a generic technology, we cannot address all the rights,
statutes, and regulations that may limit the use of RFID for human tracking, limit the use
of information collected via RFID, or grant individuals rights pertaining to data collected
via RFID. When RFID is used for human tracking, the data collected will undoubtedly
comprise a “system of records” under the Privacy Act of 1974. People should have at
least the rights accorded them by that law when they are identified using RFID. Systems
using RFID technology are, of course, also subject to the E-Government Act’s Privacy
Impact Assessment requirements.
V. RFID for Human Identification: Clarifying Incorrect Assumptions
A number of DHS programs are premised on the identification of human subjects. At the
border in the US-VISIT program, at airports in the CAPPS I program, and at entrances to
secure facilities of all kinds, checking identification cards is a routinely used security
measure. Behind many of the current ideas for using RFID in human identification is a
commonly held misperception that RFID improves the speed of identification. RFID is a
rapid way to read data, but RFID does not identify individuals. If RFID is tied to a
biometric authentication factor, it can reliably identify human beings; but tying RFID to a
biometric authentication negates the speed benefit.
A. Controlling Access, Controlling Borders, and Interdicting Suspects
Checking identification is intended to achieve a number of different goals: Facilities
managers use identification to control access to sensitive infrastructures that may be
damaged or used to harm Americans. They use it to control access to facilities where
sensitive information about other infrastructure may be kept, or where security planning
or operations are carried out. The government uses identification administratively to
track the border crossings of international travelers. At borders and checkpoints,
identification can help detect and interdict undesirable entrants to the country and known
or suspected terrorists.
3 The REAL ID Act, about which regulations are still being formulated, calls for a “machine-readable
technology” but does not specify the technology. Homeland Security Presidential Directive 12 calls for “a
mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal
Government to its employees and contractors (including contractor employees).” The State Department
adopted RFID technology in the e-passport to meet International Civil Aviation Organization standards,
which are not legally binding on the U.S. government.
These identification processes are intended to protect a wide variety of institutions,
infrastructures, processes, and persons from a wide variety of threats, each having a
different risk profile.
At base, checking identification seeks to interdict potential attackers on our institutions,
infrastructure, and people. We make no effort here to determine how well the practice of
identifying people achieves this mission, how well identification systems are secured
against corruption and fraud, or whether the protection provided by identification-based
security outweighs its costs to privacy and other interests. We only address here the
difference between those identification processes using RFID and those not using RFID.
We are aware of two reasons to use RFID in identification processes: to increase the
speed and efficiency of identification processes and to hinder forgery and tampering with
identification documents. An RFID-chipped identification card can quickly communicate
information from the card to a reader from a distance, without a line of sight or physical
contact between a card and reader. With the proper use of encryption, information on an
RFID chip can be rendered very difficult, if not impossible, to forge or alter.
B. RFID Can Reduce Delay at Entrances and Checkpoints
It takes some time to check a traditional identification document. The process typically
includes handing the document to a verifier, who must review the information on the card
and authorize the bearer to pass, record the bearer’s passing, or, if appropriate, detain the
bearer. The verifier must also compare the identifiers on the card with the bearer to
ensure that the bearer is the person identified by the card.
The use of RFID could dispense with one of these steps by eliminating the hand-over of
the card. The other two steps are not affected by RFID. The verifier must still review
authorizing information and compare the identifiers on the card with the bearer.
These are distinct processes. The identification information communicated by an RFID-
chipped identification card can be used to determine the bearer’s authorization, but it is
not authorization itself. (An RFID-chipped card, just like any card, could have a separate
data element indicating authorization, of course, provided it was secure against forgery
and tampering.)
In order for any document or device to accurately identify someone, it must be linked to
the person in some way. This is almost always through some form of biometric — a
picture, description, fingerprints, or iris scan, for example. A document that is not linked
to a person using a biometric is not a reliable identification document, just as someone
holding a key to a house cannot be identified as the owner of the house based upon
possession of that key alone. The RFID-chipped I-94 Form, for example, is not directly
linked to individuals by a reliable biometric. The RFID chip in the form is useful for
tracking the location of the form and correlating the form with a specific entry in a visitor
database, but the form and the chip are easily transferred from one person to another. If
the RFID-chipped I-94 Form were relied upon to indicate the location of a person without
separate verification of identity, it would easily be used to defeat the regulation of border
crossings.
In terms of speed, the use of RFID probably represents only a marginal improvement in
speed over alternatives such as contact chips, 2-D bar codes, and optical character
recognition. In some cases, RFID has offered no speed benefit at all. For example, to
mitigate some security and privacy concerns, the State Department altered its (RFID-
chipped) e-passport to require entering of a PIN number printed on the card to unlock the
data on the chip.4 The e-passport must be swiped through an optical character reader in
order to gain access to the chip. This welcome personal security measure adds back the
delay and inefficiency that RFID technology was designed to overcome, obviating the
utility of RFID for this application.
RFID can reduce delay at entrances and checkpoints, but typically by only a small
margin. Current deployments of RFID either do not provide reliable identification (the
I-94) or do not reduce delay (the e-passport).
C. RFID Can Reduce Forgery and Tampering with Identification Documents
Encryption allows information to be encoded in such a way that it is hidden from casual
view and any attempt at alteration or forgery can be reliably detected. Communicating
information from an identification card via RFID allows encryption to be used,
suppressing potential attacks on the integrity of the identification system through forgery
and alteration.
There are many technologies other than encryption that also suppress forgery and
alteration. These include special inks, laminates, microtaggants, holograms, kinegrams,
and specialized printing techniques, including microprinting, Guilloche printing, and
gradient printing. Encrypted data can be hidden in the pixels on a card, giving the same
guarantee against forgery offered by encryption in an RFID chip.
The anti-forgery benefit provided by the use of RFID in identification documents is not a
product of its use of radio, but rather the fact that the data is in a digital format. Any data
in digital format can be encrypted. Thus, RFID as such offers no anti-forgery or
anti-tampering benefit over alternatives such as contact chips, bar codes, or pixelization.
4 Department of State, Electronic Passport final rule, 70 Fed. Reg. 61553, 61554 (Oct. 25, 2005).
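An added example, not part of the report, illustrating the point of this section: the tamper check belongs to the digital data, so it behaves identically whether the bytes arrive from a chip or from a printed bar code. It assumes a constructed issuer key, constructed field names, and a hypothetical bar code text encoding, and uses HMAC-SHA256 from the Python standard library as a stand-in for whatever issuer signature a real document would carry.

```python
import base64
import hashlib
import hmac
import json

# Assumption: constructed demo key standing in for the issuer's signing secret.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def issue(fields, key=ISSUER_KEY):
    """Serialize the fields canonically and append an authentication tag."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(blob, key=ISSUER_KEY):
    """Return the fields if the tag matches the payload, otherwise None."""
    if len(blob) <= TAG_LEN:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def to_barcode(blob):
    """Text form for a printed 2-D bar code (hypothetical encoding)."""
    return base64.urlsafe_b64encode(blob).decode("ascii")


def from_barcode(text):
    """Decode bar code text; undecodable input yields an empty blob."""
    try:
        return base64.urlsafe_b64decode(text.encode("ascii"))
    except ValueError:
        return b""


def demo():
    # Constructed sample credential.
    fields = {"doc_no": "X0000000", "name": "SAMPLE, PAT", "expires": "2030-01-01"}
    blob = issue(fields)        # bytes as a contact or RFID chip would return them
    printed = to_barcode(blob)  # the same bytes carried optically
    altered = blob.replace(b"2030-01-01", b"2040-01-01", 1)
    return {
        "chip_ok": verify(blob) == fields,
        "barcode_ok": verify(from_barcode(printed)) == fields,
        "altered_chip": verify(altered),
        "altered_barcode": verify(from_barcode(to_barcode(altered))),
        # A byte-for-byte copy still verifies: the tag proves the data is
        # unaltered, not that the bearer is the person it describes.
        "copy_ok": verify(bytes(blob)) == fields,
    }


if __name__ == "__main__":
    print(demo())
```

The `copy_ok` result is the same limitation the report describes for the I-94 form: an intact token says nothing about who is carrying it, so binding to the bearer still needs a separate check.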
D. Use of RFID Creates Risks to Individuals
While improving identification-based security by small margins, if any, the use of RFID
for human identification may create a number of risks that are not found in conventional
and non-radio identification processes. Individuals will likely be subject to greater
surveillance in RFID identification. They will be less aware of being identified and what
information is transferred during identification, concerns that necessitate transparency in
the design of RFID identification systems. And, finally, the use of RFID creates security
risks that are not found in non-radio identification systems. These concerns are discussed
in the next section.
VI. Effects of RFID for Human Tracking on Privacy and Related Interests
Identification-based security programs create many concerns relating to privacy and
related interests. We confine our analysis here to the incremental concerns created by the
use of radio to communicate identity information from a card or token to a reader.
A. Increased Surveillance and Eroded Privacy, Anonymity, and Seclusion
In a visual ID-check environment, a person may be briefly identified but then forgotten,
rendering them anonymous for practical purposes. In a radio ID-check environment, by
contrast, a person’s entry into a particular area can easily be recorded and the information
permanently stored and repeatedly shared. In this way, RFID may convert identification-
based security into an effective surveillance program of all people passing certain
locations.
Without formidable safeguards, the use of RFID in identification cards and tokens will
tend to enable the tracking of individuals’ movements, profiling of their activities, and
subsequent, non-security-related use of identification and derived information.
This concern exists with all automatic identification technologies that communicate
identification information in digital form. The advantage of being able to easily share
such digital information is part of its appeal. The concern could be minimized, however,
if identity information was maintained in analog form and digital information was used
only to guarantee the security of the card or token against forgery or alteration.
Advanced “identity management” systems can permit cards and tokens to communicate
only the specific information relevant to a particular authorization. Early examples exist,