Possible expansion of the federal US-Visit program has renewed the privacy and civil rights debate that has dogged the RFID-based program since its inception.
For the past eight months, the Department of Homeland Security has been testing radio frequency identification (RFID) technology to keep track of who enters and exits the country. But now that officials are suggesting a widespread rollout of the technology, a DHS subcommittee is worried that the privacy concerns outweigh the technology's benefits.
DHS uses RFID tags as part of its high profile and controversial US-Visit (visitor and immigrant status indicator technology) initiative. The border security program also uses biometric fingerprinting and digital photography to keep track of visitors, generally in cases where a visa is required. If you're between 14 and 79, the U.S. government will keep your fingerprints and photo in a database for up to 75 years.
In five border ports, the government is testing the use of RFID tags in I94 forms, which keep track of a traveler's U.S. arrival and departure. The idea is that a tag reader can handle all this automatically, without a visitor having to slow down. So far the tags are in trials in two locations in Nogales, Ariz., as well as Alexandria Bay, N.Y., and at the Pacific Highway and Peace Arch ports in Washington state.
"The reason for putting the tag in the I94 form is to keep them from looking for people who already left," says Tim Heffernan, director of government relations and public affairs at Symbol Technologies Inc., which makes the RFID tags for the forms. Heffernan said that there are plans to take the program beyond the five test sites, noting that the DHS has issued an RFI (request for information) regarding 50 additional border ports. But he deferred to US-VISIT for details; a press representative for US-Visit did not return calls.
Raising flags among privacy groups is the fact that US-Visit is considering a widespread deployment of RFID technology as part of the Intelligence Reform Terrorism Prevention Act. That law states that by June 1, 2009, all Canadian or U.S. citizens must present either a passport or other document when crossing land borders. The initial deadline was January 2008, but last week the Senate approved an extension.
"We are looking to the State Department to develop an alternative travel document, one [for which] we're emphasizing the need for using radio frequency identification technology," said Jim Williams, director of US-Visit, in a March meeting of the DHS's Data Privacy and Integrity Advisory Committee. He said this would serve two purposes: It would speed up the inspection process by reading a tag 30 feet from the officer's booth; and it would record the data of all entrants into a database.
The DHS's Data Privacy and Integrity Advisory Committee will hold a hearing June 7 in San Francisco to discuss the use of RFID in U.S. border control. Central to that discussion will be a draft report from the DHS's Emerging Applications and Technology Subcommittee, entitled, "The Use of RFID for Human Identification." The report argues that RFID is suited to tag things and not people, that while it is inexpensive it is not necessarily efficient, and that it's discomfiting.
"Without formidable safeguards, the use of RFID in identification cards and tokens will tend to enable the tracking of individuals' movements, profiling of their activities, and subsequent, non-security-related use of identification and derived information," the report reads.
"A well-designed smart card can do away with privacy concerns, but it seems like the DHS is tending toward the kind of RFID tags that are appropriate for cattle and palates of dog food," says report co-author Jim Harper, director of information policy studies at the Cato Institute, a liberitarian-ish think tank.
RFID proponents say the privacy fears are blown out of proportion.
"There are a lot of concerns that this will lead to the government instituting a national RFID identification program, which would lead to them being able to read your underwear from space," says Bert Moore, director of communications for the Association for Automatic Identification and Mobility, an industry trade group. Moore says it would cost tens of billions of dollars to monitor all Americans with RFID tags and readers. "For that kind of money they could hire someone to follow you around. You're not that special."
Symbol's Heffernan points out that the RFID tags currently in use are passive tags, meaning they don't have an internal power source. Instead, they get their transmission power from an RFID reader. As such, they can't be scanned at distances of more than ten feet.
"It's not a tracking technology, it's an authentication technology," Heffernan says. "If you want to track someone, there are better ways to do it -- with GPS (global positioning system technology) or even just a cell phone."
But beyond the basic privacy concerns, Cato's Harper argues that the RFID plan as it stands so far has logical security loopholes.
"The I94 tag is really good for tracking the location of I94 forms," he says. "But you could take it to the nearest truck stop, tape it to a truck, and fool the immigration customs."
In that regard, a more foolproof and controversial RFID solution is VeriChip Corp.'s implantable microchip, which embeds a 16-digit identifier into a person's arm. Most clients so far use the tag in case of medical emergencies, to help doctors get quick access to a patient's records. "Wander prevention" among patients with dementia is one of the applications VeriChip lists on its site, as is the prevention of baby switching.
But a video surveillance company called Citywatcher.com has implanted some chips into employees who require secure access into certain parts of the company, according to VeriChip spokesman John Proctor.
One VeriChip implantee, though, says it's a mistake to use the chip for matters of secure access.
John Halamka, CIO of Harvard Medical School, was implanted with a VeriChip in December 2004 in order to encourage its use in patient identification. "The VeriChip should serve exclusively for identification, and not authentication or access control," he writes.
The reason? VeriChips are vulnerable to cloning attacks, in which a hacker can spoof a reader into accepting a cloned signal, rather than a VeriChip signal, although the hacker must be standing close to the reader. Halamka and three co-authors detail the security risk in a report called "The Security Implications of VeriChip Cloning," which they have submitted to the Journal of the Amercian Medical Informatics Association.
VeriChip's Proctor acknowledges that the chip runs on an unencrypted ISO frequency and should be used in concert with a suite of other security measures.
On the other hand, Halamka's report warns about the implications of cloning also argues that it might not be such a bad thing.
"For bearer safety, a VeriChip should be easy to clone; an attacker then has less incentive to coerce victims or extract VeriChips from victims' bodies," the report says.
Organizations mentioned in this story: