ACLU Letter to the Data Privacy and Integrity Advisory Committee Regarding Its Report “The Use of RFID for Human Identification”

Document Date: July 28, 2006

Data Privacy and Integrity Advisory Committee
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528

To the DHS Data Privacy and Integrity Advisory Committee:

The American Civil Liberties Union (“ACLU”), representing its hundreds of thousands of members and 53 affiliates across the nation, respectfully submits this comment on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee’s (hereinafter “the Committee”) draft report entitled, “The Use of RFID for Human Identification” (hereinafter “draft report”).

The ACLU applauds the Committee for its clear-sighted analysis of this important issue and endorses the general conclusion of the draft report: namely that Radio Frequency Identification (“RFID”) technology should be strongly disfavored when used to identify and track human beings.

RFID technology poses a grave threat to the security and privacy of individuals because — as the Committee recognizes in its report — it allows for the anonymous and invisible tracking of individuals while simultaneously increasing the risk of identity theft. The draft report is right to caution that any benefits of RFID technology do not outweigh the great risks to privacy and security that it represents. As the ACLU emphasizes in its campaign against the use of RFID technology in identification documents, the government should not jeopardize the privacy, financial security, and personal safety of Americans by experimenting with this vulnerable technology.

Just as significantly, RFID technology represents a threat to the rights and dignity of individuals in our society. The current debate over RFID technology takes place within the larger context of an extraordinary expansion in the number and pervasiveness of technologies that pinpoint an individual’s identity and location — GPS, wireless, cell-site location tracking, and public video-surveillance technologies — as well as the move to create federal databases of personal information through programs such as Real ID. By accumulating and aggregating countless individual points of data, these technologies and databases threaten to allow the government — and potentially others — to invade the privacy of individuals at an unprecedented scale.

Because the right to privacy is a fundamental and necessary aspect of our system of government, any technology that diminishes the privacy of individuals imposes a substantial cost on our society. This cost must be one of the most important factors in the cost-benefit analysis that the government applies to any new technology. The ACLU applauds both the Committee’s careful analysis and its conclusion that the minimal benefits provided by RFID technology are not worth the serious threat that it poses to our safety, privacy, and dignity.

In the rest of our comments we will address some of the ACLU’s more specific concerns.

1. Numerous security and privacy threats posed by RFID have been identified by government organizations, independent researchers, and the technology industry.

There is widespread concern about the safety and security of RFID technology. This concern is not limited to organizations that advocate for privacy rights, such as the ACLU, but is shared by government organizations such as the General Accounting Office, by independent researchers who specialize in RFID technology, and by the technology industry itself.[1] Their chief concerns include:

  • Identity Theft: If sensitive personal information, such as a person’s name or Social Security Number, is encoded on an ID and is not adequately protected, anybody with a compatible reader who is within range can steal the information.

  • Tracking: Any information that is transmitted remotely — including a random number — which is static and unique to an ID, permits tracking of an individual. Recent U.S. State Department testing showed that even IDs with an intended read range of just 4 inches can actually be read from 2-3 feet away with modified readers. This is more than enough distance to allow an individual’s ID to be read surreptitiously as he or she walks through a doorway or hallway, sits at the airport, stands at a political rally, or visits a gun show. Of course, as with many technologies, RFID readers will continue to become more powerful – thereby increasing their read range many times over – and smaller, thereby making them more portable and easier to conceal. Both of these technological trends increase the likelihood of RFID-facilitated tracking and identity theft.

As the Committee notes, any unique identifier number can be used to track an individual, regardless of whether the tracker can access the database that links the number to a name. Even encrypted data, so long as it is static and unique, can be used to track an individual.

Further, a bad actor may gain more information about an individual by using that unique identifier and then accessing a database, by video camera, or by close-range recognition. Subsequent sightings of that identifier number, or stored records of when that identifier number was sighted at a particular place in time, can then be linked to the individual.

  • Profiling: Profiling is the reconstruction of a person’s movements or transactions over a specific period of time, usually in order to become better acquainted with a person’s more private affairs. Once a unique identifier number is associated with a particular individual, personally identifiable information can be obtained and then aggregated to develop a profile of the individual. Consumers have raised concerns, for example, about whether certain collected data might reveal personal information such as medical predispositions or personal health histories.
  • Security Failures: The ultimate success of using countermeasures to mitigate the threats particularly associated with the use of RFID depends almost entirely on two factors: (1) whether a person who is in a position to compromise the security measures actually does so, and (2) whether all levels of government refrain from abusing a tool that enables bureaucrats to collect unprecedented quantities of information on people. Countless cases from the last few years of insider corruption or carelessness at state DMV offices and of sophisticated government surveillance on citizens cast doubt on a security strategy relying on these two factors.
  • Key Management: Unlike with other technologies, addressing the security and privacy risks associated with RFID technology in government IDs depends almost entirely on the use of such countermeasures as unique identifier numbers, encryption, and mutual authentication. The more layers of protection that are implemented, however, the more complicated the architecture of the security system becomes and the more opportunities for failure are created. In a mass contactless ID system involving millions of IDs, thousands of authorized persons and readers would need to know the name and personal information that goes with the unique identifier number. Thousands would also need to access the central database where that information was stored; they would need to know how to decrypt the information and so they would need the encryption key; and they would need the authentication key to authenticate the presenter of any ID. With so many secrets known to potentially thousands of people, there would be good reason to doubt whether these secrets could be kept for long.
  • Development of a Comprehensive Tracking Infrastructure: The possibility that everyone could be carrying around and using the same kind of contactless ID could create the incentive within government or industry to implement a comprehensive tracking infrastructure in which people’s movements are captured and recorded by readers as they travel through airports, step off a train, visit a government building, drive on the highway, or shop at a store.
  • Reliability of Countermeasures: Most security countermeasures, such as encryption, mutual authentication, basic access control, and shield devices have never been deployed together in a mass contactless ID system. Their effectiveness has not withstood the test of a real-world deployment; therefore, the government should expect that some method for circumventing these protections could and will be devised.
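The linkability argument in the Tracking bullet and the two paragraphs that follow it, together with the cost described under Key Management, can be made concrete with a small simulation. The following Python is an added example and is not part of the letter or of any real ID system: the badge names, locations, keys, and the HMAC-based challenge-response scheme used as the randomised alternative are all constructed for illustration.

```python
"""Linkability of static versus randomised RFID badge responses.

Added example, not from the ACLU letter or any deployed ID system. Badge
identifiers, reader locations and keys are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed secrets (hypothetical): one issuer-wide key used to "encrypt"
# a static serial, and one per-badge secret for challenge-response.
ISSUER_KEY = b"constructed-issuer-key-not-real!"
BADGE_SECRETS = {
    "badge-A": b"constructed-secret-A",
    "badge-B": b"constructed-secret-B",
    "badge-C": b"constructed-secret-C",
}

# Ground truth of where each badge was carried. The readers never see this
# table; they only record what the badge transmits.
ITINERARY = [
    ("badge-A", "airport"), ("badge-B", "airport"), ("badge-A", "rally"),
    ("badge-C", "rally"), ("badge-A", "gun show"), ("badge-B", "courthouse"),
]


def static_response(badge_id):
    """Encrypted-but-static scheme: the badge always emits the same value,
    here a keyed digest of its serial under the issuer key. A deterministic
    cipher under a fixed key would be just as linkable."""
    return hmac.new(ISSUER_KEY, badge_id.encode(), hashlib.sha256).hexdigest()[:16]


def challenge_response(badge_id, nonce):
    """Randomised scheme: the reader sends a fresh nonce and the badge replies
    with an HMAC over it under the badge's own secret, so every reply differs."""
    return hmac.new(BADGE_SECRETS[badge_id], nonce, hashlib.sha256).hexdigest()[:16]


def observe(scheme):
    """A passive observer at each location records (location, nonce, reply)."""
    log = []
    for badge_id, location in ITINERARY:
        if scheme == "static":
            nonce, reply = b"", static_response(badge_id)
        else:
            nonce = os.urandom(8)
            reply = challenge_response(badge_id, nonce)
        log.append((location, nonce, reply))
    return log


def link_sightings(log):
    """The tracker's view: group sightings by emitted value, with no database
    and no key. Any value seen at more than one place is one person's trail."""
    trails = defaultdict(list)
    for location, _nonce, reply in log:
        trails[reply].append(location)
    return {reply: locs for reply, locs in trails.items() if len(locs) > 1}


def verify(nonce, reply):
    """The legitimate verifier must hold every badge's secret and try each one.
    That is the key-management cost: the whole secret table has to be
    available to every authorised reader or to the back end it queries."""
    for badge_id, secret in BADGE_SECRETS.items():
        expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(expected, reply):
            return badge_id
    return None


if __name__ == "__main__":
    print("static scheme, trails recoverable by a passive tracker:")
    for reply, locations in link_sightings(observe("static")).items():
        print(" ", reply, "->", locations)
    print("challenge-response scheme:", link_sightings(observe("challenge")) or "no linkable trails")
```

Under the static scheme the tracker recovers badge-A's trail through the airport, the rally and the gun show without ever decrypting anything, because the emitted value itself is the identifier. Under the challenge-response scheme a passive observer sees only nonces and one-time replies and links nothing, but `verify` shows the price: every authorised reader, or the central system behind it, must hold the secret of every badge. Note also that randomising the reply defeats passive eavesdropping only; an attacker who operates a reader can still interrogate the badge, so whether the badge can be singled out depends on it refusing to answer unauthenticated readers, which is the mutual-authentication countermeasure the list refers to.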

2. A broad coalition of Americans opposes the use of RFID technology in identification cards.

Many Americans oppose the use of RFID technology in government ID cards because of the risks of tracking, stalking and identity theft. According to the National Conference of State Legislatures, in 2005 at least 12 states introduced privacy legislation to control the use of RFID technology. In California, for example, Senator Joe Simitian authored the Identity Information Protection Act (SB 768), a bill requiring proper privacy and security protections for the use of RFID technology in government-issued IDs.

The Identity Information Protection Act has received widespread support from a broad spectrum of women’s groups, civil rights groups, domestic violence prevention groups, business organizations, and conservative organizations. These groups include the AARP, the California National Organization for Women, California Alliance Against Domestic Violence, California State Parent Teacher Association (PTA), Consumer Federation of California, Privacy Rights Clearinghouse, National Council of La Raza, Asian Americans for Civil Rights and Equality, Association of American Physicians and Surgeons, the Eagle Forum, the Republican Liberty Caucus, and many more. The bill has also received editorial support from newspapers up and down the state of California, such as the Los Angeles Times, Sacramento Bee, Orange County Register, San Francisco Chronicle, Oakland Tribune, and San Jose Mercury News.

The bill was passed by the California State Senate with overwhelming bipartisan support. It, along with two other California bills on RFID technology, SB 433 and SB 1078, is awaiting a vote in the California Assembly this summer.

In addition to legislative action, the extent of the opposition to RFID technology in identification documents was made clear recently when school officials at Brittan Elementary School in Sutter, California, became the first public school in the nation to introduce a student-tracking system based on RFID technology. Under the program — which Scientific American denounced as “human inventory control” — children as young as five years old were forced to carry student badges around their necks embedded with RFID tags.

As students walked through a classroom or bathroom door, the computer chip in their student badge transmitted a stored personal identification number to a central school server that tracked and recorded their movements throughout the day. The school, wooed by hopes of saving a few minutes a week in attendance-taking and promises of royalties from future sales of the product, implemented the program without discussing it with parents or considering the serious privacy, civil liberties, and security implications of RFID tags.

While the school board did not recognize the grave implications of the RFID program, the parents in Sutter understood them all too clearly. Parents worried that the school district and the company never provided adequate assurance about how they would protect the children’s personal information and location information from unauthorized access, use, and disclosure. And they feared that although RFID technology might make it possible for the school to keep track of who the students were and where they were, it also made it possible for strangers with access to a chip reader to find out this private identity and location information.

The story, which received widespread media coverage, resonated with people across the nation and around the world who agreed that children should not grow up in a school atmosphere where they are tagged and tracked and their movements recorded. Eventually parental pressure — along with the combined efforts of the ACLU of Northern California, the Electronic Frontier Foundation, and the Electronic Privacy Information Center — ended the RFID program in Sutter, but this “Orwellian invasion of privacy” (San Jose Mercury News), and the hostile political response to it, would only be magnified if RFID technology were instituted at a national level.

3. Other technologies can provide the same security, durability, and convenience without the privacy risks associated with RFID.

As the draft report rightly explains, because the identification information on an RFID-equipped ID card must be verified independently, the speed and efficiency benefits of the technology, which make it so useful for tracking inventory or cattle, are largely nullified.

In a recent report brought to light through a FOIA request submitted by the Electronic Privacy Information Center, a Department of Homeland Security (“DHS”) trial found that the RFID technology used in the proposed e-Passport actually caused delay and distraction at customs inspections. In some cases inspectors were required to hold the passports firmly against the reader in order to transfer the stored data, effectively eliminating any efficiency or speed benefits of RFID technology. In other cases, inspectors were distracted from their observations of passengers by the messages on the card-reader screens.[2]

Moreover, as the Committee’s draft report notes, current e-Passport technology requires that the passports be scanned through an optical character reader as a security measure, a process which once again effectively negates the purported efficiency benefits of the RFID chip.

As these examples demonstrate, when used for personal identification, RFID technology does not provide the efficiency benefits that it does in other contexts. It does, however, create serious security and privacy risks that have not been adequately addressed by proponents of the technology.

In the meantime, other identification technologies, which do not pose the same security threats, are just as effective as RFID technology in many situations. For example, contact-required smart cards, optical scan cards, the newest generation of magnetic stripe cards, and 2-D barcodes can all serve as alternatives. Optical scan cards, in particular, which the U.S. government employs at the Mexican border, offer unparalleled data security, card durability, and memory storage, without the privacy risks associated with RFID technology. Such technologies, which provide many of the benefits of RFID technology, should be favored over RFID by the government for any personal identification system because, unlike RFID, they must be physically presented to a reader and do not allow data to be read remotely.

4. RFID technology should not be used as part of a national ID system.

The ACLU has been firm in its opposition to implementation of the so-called Real ID driver’s licenses or any other form of national identification. The Real ID Act:

  • Standardizes data. The Real ID Act requires that driver’s licenses include a wide and standard set of personal data including name and address, date of birth, biometric identifiers, a unique ID number, and a physical description.
  • Creates a single national database. The Real ID Act forces states to link their driver databases (databases that contain detailed personal data on every licensed driver) with other states and the Federal Government. This creates, in effect, a single seamless national database, so that all of the private data in motor vehicle records is instantly available to a wide range of state, local, and federal officials. That raises numerous privacy, security, and identity theft concerns.

  • Mandates a “machine-readable technology.” The Real ID Act requires that the ID card’s data be made available not only on the front of the card, but also in a machine-readable form. This will make it especially likely that private businesses will make use of the card’s infrastructure to create a parallel, private database, one that will be outside the reach of the Privacy Act and contain much more information than government databases. Because of the value of such information, there will be every incentive for companies to grab personal data from the card and sell it to data brokers like Choicepoint for a few pennies per individual — building a massive national private-sector database in the process.

All of these security concerns are only magnified by the use of RFID technology in a national ID, because the valuable and private information on the identification card could be accessed without the owner’s knowledge or consent by anyone with a compatible reader. It is imperative that RFID technology not be used in Real ID or in any other national ID card.

5. The ACLU does not endorse the draft report’s discussion of “best practices.”

The ACLU agrees with the concern raised by the Electronic Frontier Foundation that the “best practices” described in the Committee’s draft report will become a way for DHS and other government agencies to deploy RFID without properly addressing the question of whether the technology should be used in the first place.

It is important to remember that every supposed technical limitation on RFID technology has been exceeded by the ingenuity of scientists and hackers. For instance, researchers have demonstrated that there can be a huge disparity between the stated read range of an RFID chip and its actual read range. Testing conducted by the U.S. State Department showed that smart cards with passive chips that had an intended read range of only 4 inches could actually be read from a distance six times as far, 24 inches, and could theoretically be read from more than 3 feet away. It has also been reported that readers can “eavesdrop” on legitimate reader-to-card communications from a distance of 30 feet. Further, the RFID technology deployed in everything from the Dutch e-passport to automatic payment key fobs to the VeriChip approved for implantation in humans has been compromised. This past winter, the RFID prototype for the Dutch e-passport was compromised on national television, and the VeriChip was hacked in less than two hours.[3]

Because of the fundamental uncertainty in securing RFID technology, and because of the extraordinary importance of the data protected by government ID cards, the ACLU strongly believes that the current “best practice” for the use of RFID in government identification is not to use it at all.

Given the readily available alternatives to RFID technology, the minimal efficiency gains that the technology offers, and the serious threat that it poses to the safety, security, and civil liberties of Americans, the ACLU strongly endorses the Committee’s conclusion that RFID technology should be disfavored when used to track and identify human beings.

Sincerely,

Caroline Fredrickson,
Director, Washington Legislative Office

Timothy Sparapani
Legislative Counsel for Privacy Rights

Nicole A. Ozer
Technology and Civil Liberties Policy Director
ACLU of Northern California

Endnotes
[1] Neville Pattinson, director of Technology & Government at Axalto Inc. of Austin, Texas, commented at the June 7, 2006 meeting of the DHS Data Privacy and Integrity Advisory Committee that “It’s inappropriate to use RFID technology for tracking and authenticating identities of people.” He further noted, “You can think of RFID as an insecure barcode with an antenna.” See http://www.identityblog.com/?p=451 (last visited June 20, 2006).
[2] http://www.epic.org/privacy/us-visit/foia/mockpoe_res.pdf (last visited June 20, 2006).
[3] “Dutch RFID e-passport cracked, US next?”, http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/; “The RFID Hacking Underground,” http://www.wired.com/wired/archive/14.05/rfid_pr.html; http://www.internetnews.com/security/article.php/3582971 (last visited July 7, 2006).