GAO, industry spar over security of RFID

As the government gears up to distribute smart cards, electronic passports and other devices using radio-frequency identification, policy-makers are wrestling with concerns over RFID's security.On one side are industry and federal proponents who have paved the way for acceptance of the technology by crafting standards to assure its security and privacy.And on the other are the experts from the Government Accountability Office, who recently issued a report raising questions about how well RFID devices protect information.The debate comes at a tenuous time for agencies developing plans for a standard federal ID card that can use contact or contactless technology, in accordance with the Na-tional Institute of Standards and Technology's Federal Information Processing Standard-201.A contactless federal ID card would use radio frequency to communicate with the reader.GAO's report, titled Information Security: Radio Frequency Identification Technology in the Federal Government, raises concerns about the privacy and security aspects of RFID tags used for inventory control as well as contactless smart cards used to make personnel credentials. GAO issued the report May 27.Auditors cited issues such as 'tracking an individual's movements, profiling an individual's habits, tastes or predilections, and allowing for secondary uses of information.' According to GAO, 'While measures to mitigate these issues are under discussion, they remain largely prospective.'But RFID experts in industry and government rejected GAO's assertions and criticized GAO's reliance on surveys rather than independently verifying RFID's security and privacy.Patrick Hearn, business development director for Oburthur Card Systems of Chantilly, Va., said, federal law, regulations and policies mandate many privacy and security protections for the use of smart cards in federal credentialing programs.'The security measures'encryption and authentication'listed [by GAO as 'prospective'] all exist today and are incorporated into programs such as the State Department's e-passport program,' Hearn wrote in an e-mail comment on the GAO report.Hearn also cited the existence of Federal Information Processing Standard 140-2 and FIPS-201, which apply to contactless smart cards issued to federal employees and contractors, as well as privacy and security rules mandated in the Federal Identity Management Handbook. Several government officials, speaking on the condition of anonymity, echoed Hearn's claims.GAO defended its report, saying it relied on information provided by other federal agencies and did not delve deeply into individual RFID programs that agencies are implementing.The report's author, Gregory C. Wilshusen, director of information security issues for GAO, said Hearn's view that full RFID privacy and security technology already exists is incorrect.In an e-mail response, he cited the report's statement that some RFID privacy and security methods, such as deactivation mechanisms on tags, blocking technology to disrupt transmissions, and an opt-in/opt-out framework for consumers have not been fully developed.Wilshusen added the report 'was a general overview of RFID technology in federal government.'The federal standards for using RFID in identity credentials incorporate the Privacy Act of 1974, the e-Government Act of 2002, Office of Management and Budget memorandums relevant to the topic and NIST standards for smart-card security and privacy, Hearn noted.GAO produced the report at the request of four members of the House Homeland Security Committee, including the panel's chairman, Rep. Christopher Cox. President Bush last week nominated Cox to be chairman of the Securities and Exchange Committee.One complicating factor in the GAO report is that it covers both simple RFID systems used for inventory control as well as sophisticated contactless smart-card systems used for biometric identification.Randy Vanderhoof, executive director of the Smart Card Alliance, said in a statement, 'The report attempts to present a multitude of technology applications at once, which is bound to misrepresent certain aspects of each use of the technology. They would have been better off separating the inventory tracking and identity applications in the report so they could be treated separately.'Wilshusen said GAO sent surveys to 23 of the 24 agencies covered by the Chief Financial Officers Act, omitting the Defense Department, from which it already had information. The Pentagon is the largest government user of RFID systems.'In terms of the actual implementation [of RFID technology] we did not look at applications. It was a broader view of how agencies are using the technologies,' Wilshusen said. 'We don't come out and say this technology is insecure. We say there are security considerations that agencies need to address.'The report stated that 11 of the 24 CFO agencies surveyed said they have no plans to adopt RFID technology, despite the federal ID credentialing program's call for all agencies to implement the technology.Sixteen agencies surveyed responded to GAO's question about the legal issues associated with RFID implementation, and only one identified what it considered to be legal issues, according to the report.'These issues relate to protecting an individual's right to privacy and tracking sensitive documents and evidence,' the report said.The General Services Administration carries out key responsibilities related to the federal employee-credentialing program. A GSA spokeswoman declined to comment on the report, referrring questions to GAO.