Should Government Identity Documents Use RFID?

Interesting question - and perhaps simpler than many people think. 

Back in June, the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (on which I serve) published a draft report on the use of RFID for human tracking.  (“RFID” stands for radio frequency identification, a suite of technologies that identify items - and, if put in cards, track people - by radio.)  The report poured cold water on using RFID in government-mandated identity cards and documents.  This met with some consternation among the DHS bureaus that plan to use RFID this way, and among the businesses eager to sell the technology to the government.

Despite diligent work to put the report in final form, the Committee took a pass on it at its most recent meeting in September - nominally because new members of the Committee had not had time to consider it.  The Committee is expected to finish this work and finalize the report in December.

But skeptics of the report continue to come out of the woodwork.  Most recently, the Center for Democracy and Technology wrote a letter to the Privacy Committee encouraging more study of the issue, implicitly discouraging the Committee from finding against RFID-embedded government documents.  CDT invited ”a deeper factual inquiry and analysis [that] would foster more thoughtful and constructive public dialog.”

If the correct answer is ”no,” do you have to say “yes” to be constructive? RFID offers no anti-forgery or anti-tampering benefit over other digital technologies that can be used in identification cards - indeed it has greater security weaknesses than alternatives.  And RFID has only negligible benefits in terms of speed and convenience because it does not assist with the comparison between the identifiers on a card and the bearer of the card.  This is what takes up all the time in the process of identifying someone.   (If that’s too much jargon, you need to read my book Identity Crisis: How Identification is Overused and Misunderstood.)

I shared my impression of CDT’s comments in an e-mail back to Jim Dempsey.  Jim and CDT do valuable work, but I think they are late to this discussion and are unwittingly undermining the Privacy Committee’s work to protect Americans’ privacy and civil liberties. My missive helps illustrate the thinking and the urgency of this problem, so after the jump, the contents of that e-mail:

Jim:

I’ve had time now to read your follow-up comments on the Department of Homeland Security Privacy Committee’s draft report on RFID and human tracking, and you and I have spoken about it briefly.  I wanted to offer a response in writing, and make my thinking available to others, because you and CDT are important figures in discussions like this.

First, I think it’s important to put the burden of proof in the right place.  When DHS proposes a change as significant as moving to radio-frequency-based (RF), digital human identification systems, the burden of proof is on the DHS to show why they should be adopted.  The burden is not on the Committee to show why they should not.

The use of digital methods to identify people is a sea change in the process of identification.  You know well, because you have written on these subjects extensively, that digital technologies make it very easy to collect, store, copy, transfer, and re-use personal information.  The leading identification systems being proposed and deployed for use on Americans are not just digital – they go a step further and use radio frequency technology of various stripes. 

Digital identification systems, such as the government-mandated RF systems we discuss generally in the report, have entirely different consequences for privacy from the analog and visual identification methods primarily used in government ID up to this point.  We begin to explore these consequences in the report. 

The report tries to confine itself to the concerns created by the addition of RF because trying to reach all the concerns with government-mandated digital ID systems is such a formidable task and because RF systems are the leading ones under consideration and development. 

Which brings me to a second important point: These systems are being designed, built, and implemented right now

The DHS components that want to use RFID to track people are not awaiting the study or studies you propose.  The Privacy Committee’s role is to call out important privacy issues at relevant times and the draft report on using RFID for human tracking does that. 

If you wish to step back and ponder the issues, you are welcome to, but the inference I draw from your letter – that we should delay or suspend the Committee’s report on use of RFID for human tracking – would make the Committee a full participant in a program planning scenario we see too often in Washington, D.C.:  “Ready … fire … AIM!”

As you point out, the draft report does not reach every concern with every system, nor the detailed differences among them.  But it is not the job of the Committee to perform the in-depth study or studies you suggest. That is the job of the Department of Homeland Security components that seek to deploy these systems.

The members of the drafting subcommittee sought information about these systems and the privacy issues associated with them, and considered everything we were told and given by industry, privacy advocates, members of the public, and DHS components.  The information we have leads us fairly and accurately to conclude that the merits (and, through cost-benefit comparison, the net benefits) of these systems have not been shown.

I won’t belabor the specifics of all you invite the Committee to study in your comments, but I was particularly struck by your challenge to us to substantiate the following statement from the draft report:  “Without formidable safeguards, the use of RFID in identification cards and tokens will tend to enable the tracking of individuals’ movements, profiling of their activities and subsequent, non-security-related use of identification and derived information.”

Jim, we have yet to see an RF human identification system that does not collect and store information about every American subject to it for at least 75 years. You know that data collections this deep, held for periods of time this long, tend to find new, unanticipated, and often undesirable uses.  This is but one of the concerns with these systems.

Your letter is awfully sanguine for an organization that advocates for civil liberties and democratic values.  If CDT plans to do a “full and objective” assessment of RFID’s use in human tracking, I would be happy to help bring you up to speed.

 

Jim Harper
Director of Information Policy Studies
The Cato Institute