Tracker, Locator, Identifier, Spy?

With the increase of identity theft resulting from illegal use of Social Security numbers and other personal information, the federal government's use of ...

by / June 12, 2006
With the increase of identity theft resulting from illegal use of Social Security numbers and other personal information, the federal government's use of radio frequency identification (RFID) is met by a typical American suspicion colored by Orwellian fears. Countless organizations already track our buying habits and daily activities with information we voluntarily provide to credit card companies and online vendors. We purchase fruit snacks at the store, and a week later, fruit snack coupons appear in our mailbox. Some don't seem to mind being regularly tracked by marketing companies, but how would we feel if government agencies used similar methods to keep tabs on us?

This question has been raised regarding government use of RFID, and few people appear willing to suffer this loss of privacy. But what do we know about RFID, and what benefits and challenges does this technology present for those employing it and those being tracked?

Another Sweeping Use of Radio Waves
RFID tags store and remotely retrieve data with silicon chips and antennas that respond to radio frequency queries from a transceiver. Any entity implementing RFID will need tags, tag readers, edge servers, middleware and application software. Passive tags, the most popular variety, do not require an internal power source and are cheaper to manufacture. Active tags broadcast their own signal and are used in container management, and require an internal power source.

Although relatively new, RFID is already used in numerous ways, including highway toll collection and item-level tagging by Wal-Mart, which mandates supplier compliance with the technology. Depending on the application, tags can provide data on a product's whereabouts or next destination in the supply chain; and specifics, such as date of use or manufacture.

The technology is not yet widely deployed, but federal RFID spending is projected to increase 120 percent by 2009, according to research firm INPUT. Defense agencies lead with that spending growth, with significant civilian agency adoption expected in 2007. INPUT expects substantial growth as private-sector use demonstrates similar cost benefits in areas outside the supply chain process. The Department of Justice began using RFID file tracking systems in 2005, and other federal branches are acquiring such systems now.

The Department of Defense is deploying RFID technology to improve its supply chain management for the war in Iraq. In 2004, the U.S. Food and Drug Administration began promoting its use to reduce counterfeit drugs in the supply chain, and some pharmaceutical companies have followed suit. The Department of Homeland Security (DHS) and the Coast Guard use RFID for shipment tracking in the ports of Los Angeles and Long Beach.

Some more complex RFID devices can be encrypted and used to authenticate personal identification. Biometric passports -- being introduced in Europe and the United States -- identify holders with an embedded RFID chip, which is basically a digital signature. In the United States, E-Passports -- whose RFID chips contain a photo, biographic information from the data page, and other identifying data such as fingerprints -- have only been issued to diplomats thus far. They will likely be issued nationwide by October 2006, at which time, 27 countries will also be required to issue readable passports. Passport chips are remotely readable and in use in the European Union and Japan.

RFID devices are mostly used to track product locations on shelves or in the supply chain -- book tracking in libraries and bookstores, animal identification, ID badges and building access control. Colorado even uses RFID to protect elk herds from contagious diseases.

Like any new technology, these small, wireless devices bring their own set of challenges and concerns. RFID will continue generating research into uniform standards, security and privacy, while observers watch how far Americans want the government to go in guaranteeing safety and how much privacy they're willing to sacrifice in the process.

The possibilities for RFID use are too numerous to imagine, especially with its potential in all government levels for information management and national security tracking.

Buying and Using RFID
RFID is gradually being considered as a tool for streamlining government services and processes.

"Process improvements, and more importantly cost savings, obtained through the employment of RFID in a limited number of existing programs, such as DHS's Free and Secure Trade program, will encourage greater acceptance within civilian agencies in the future," said Chris Campbell, senior analyst for federal market analysis at INPUT. He said RFID adoption would continue to appear at the program level versus agencywide until the technology is more widely accepted.

This new technology's cost can be prohibitive for some, said Kevin Kalinich, co-national managing director of technology and professional risks for Aon, a financial services group. Kalinich, who works daily with major retailers to assess and mitigate the risk of implementing RFID, admits the technology is costly and complex. "Commercial adoption is not widespread because of this. RFID tags cost anywhere from 25 cents to $1 for implementation. Bar codes, on the other hand, cost 1 cent per product." When used for student and employee IDs, each tag can cost as much as $5 to $7.

Regardless of cost, Kalinich said RFID is likely to have a profound and positive impact on its users' IT infrastructure. "The upside is tremendous real-time collection of information. Governments don't care as much about paying the millions of dollars if they have a different goal in mind than the commercial entities, where it's all about profitability."

Kalinich thinks the RFID issue is unprecedented in some ways, which is why his company also offers insurance to entities wishing to protect themselves against potential misuse. RFID's short history, though, does present some challenges for his business, he said. "The challenge from our standpoint is this: In the insurance business, we like to work using actuarial analysis and predictability. We don't have benchmarks or years of actuarial data in the case of RFID."

According to Paul Mathans, manager of emerging technologies and public services at BearingPoint, cost-conscious procurers can take heart that prices on RFID tags in broad ranges have dramatically decreased since demand has increased, and sticker shock depends on the overall cost scenario. "If you are losing books in the libraries, paying in the 25- to 50-cent price range per tag makes sense."

Mathans said in general, price is not a big part of today's discussion. "Looking for the innovative application designs is the critical issue." He sees abundant potential and practicality in RFID, and said the tags, in addition to tracking important military materiel shipments to Iraq, can also streamline health-care assets and patient management, track who's in the penal system, prevent counterfeit sales, and facilitate passage of legitimate travelers across U.S. borders while freeing more resources to track illegal crossings.

Jim Harper, director of information policy studies at the Cato Institute in Washington, D.C., and member of the DHS's Data Privacy and Integrity Advisory Committee, also thinks RFID adds significant value to the supply chain. "RFID has the potential to wring out inefficiency so taxpayers and consumers can keep more of their dollars. Literally billions of dollars are wasted when logistics managers lose track of materiel and it sits idle, when it has to be reshipped, or when products spoil or expire. Billions more are lost to theft," Harper said, adding that in identification tracking, the benefits are much smaller when managers try to use RFID in human environments, and the costs in terms of privacy and security soar.

What About Big Brother?
A potential problem RFID systems pose for both the private and public sectors is that the data contained in the tags, and their adjunct personal and financial data located elsewhere, are very attractive to criminals, especially in the case of digital passports. If the middleware and databases connected with RFID are infected by viruses, the actual tags can be affected as well. Depending on the use of an affected tag, any unblocked security breach could threaten the associated information and who uses it.

Privacy advocates are concerned about technologies like RFID because they fear chips will track individual habits and transmit personal information. But are such fears overblown? Biometrics certainly possess the creep factor when patterns from our own retinas, fingerprints, voices and DNA can potentially be used to track our location and behavior.

On the flip side, cyber-security becomes that much more important in preventing an RFID data file from being combined with home addresses, and Social Security and home phone numbers. But what if RFID data in one tag is only a number, similar to the Social Security number, and isn't used in conjunction with other personal information?

"My father used to paint a yellow line on every tool he purchased as a way to identify it," said Bradford Brown, managing director for Protiviti Inc., a technology risk consulting practice for the federal sector in Washington, D.C. "You send your child off to camp and stick a label on clothes. At football games, you label your cooler. The difference with RFID is someone else is doing it for us, and we don't like that."

When speaking about RFID at a recent conference at the Massachusetts Institute of Technology, Brown fielded many questions and concerns about privacy. "People can see a lot of value in tracking and identifying assets, but when it comes to identifying people and baggage, the issue becomes dicey," he said. "RFID goes to the core of how closely Americans feel about the right to privacy."

The concern is that biometric information databases, if accessed or used illegally, can be manipulated by criminals, terrorists or spies for foreign governments. "The government says it will employ best practices for RFID by following up to make sure information is encrypted, by limiting access, and by only using information for its designated purpose," said Kalinich. "But there is a tremendous disparity in data protection. You're only as good as your worst database."

Privacy is not the only worrisome aspect of RFID. Some believe the possibilities for attacks and misuse of RFIDs are as numerous as its uses. Researchers at the Johns Hopkins University Information Security Institute broke into a cryptographically enabled RFID transponder -- the Digital Signature Transponder manufactured by Texas Instruments -- used in several wide-scale systems, including vehicle immobilizers and the Exxon Mobil Speedpass system. The study indicated that the potential for such security breaks increased the chances of someone's car being stolen and of Speedpass being criminally used to purchase gasoline.

For these reasons, RFID is constantly scrutinized and improved for use in private and public spaces. For example, companies are looking for ways to deactivate the tags after a set period of time, and alleviate the possibility of tags following people and continuing to record information.

There are four legal issues to consider with RFID tags, according to privacy/security attorney Kraig Baker, a partner with the law firm Davis Wright Tremaine. He cited consumer concern about not knowing when their information is being used; a lack of established ground rules for data collection and use; what the data will link to; and the concern that personal information is linked in one place, such as a digital passport. "The tag is fundamentally about location," said Baker, "and there is concern that the information will be linked to a cross-sectional database, combined with sensitive data about you, your DNA and location, to a point where there is no privacy at all."

How does RFID differ from previous information available in public records, such as Social Security numbers listed in real-estate transactions? "It used to be comforting for Americans that some things were too difficult to link and figure out," Baker said. "You had to traipse down to local government agency to find and link the information. You knew that you didn't have total privacy, but it was lots of work to find anything out."

Now, he said, the notion of getting information with the click of a button creates this new discomfort, especially when combined with the idea that the sequence of events in one's life should be private, despite being in the public space. It looks and sounds a lot like stalking. That is where the tags struggle, said Baker. "Agencies and companies that plan to use it have not done a great job educating the public about what the tags can and can't do, how they will monitor its use and what security systems are in place."

Looking Ahead
Regardless, such a powerful and flexible technology is here to stay. There is definitely work ahead for those in government who hope to use RFID to accomplish a variety of goals, including cost-cutting, people and item tracking, and greater overall efficiency. Baker said if entities using the technology sell it to their customers, they will have more success. "Right or wrong, Americans tend to be willing to give up privacy for efficiency, so if you sell people on the fact that this passport tag will allow them to go through security faster, people are more likely to agree with manageable risks that bring an efficiency benefit."

The risk-to-efficiency ratio is part of the equation for CIOs as well. "The biggest challenge facing agencies adopting RFID is how to construct a system architecture that will handle substantially increased amounts of data," said Campbell. RFID technology has brought the issues of privacy and security to the forefront as government agencies struggle to find secure ways to store personal data, especially in light of the growing concern over identity theft.

According to Brown, the Federal Information Security Management Act was passed in January 2003 to address security concerns, protect the nation's critical information infrastructure and encourage government to look at managing the risk in a regulatory environment. "As with any other technology, if you have uniformity and standards, a framework in place to assess risk, and the right policies and procedures in place, I have no doubt we will work around this."

Do we have a choice with our privacy where RFID is deployed? "Where commercial use of RFID is concerned, you know what risks you are taking," Kalinich said. "Public use could be mandated by our government where you don't have a choice about what information they collect."

Or, as Robert Atkinson, president of the Information Technology and Innovation Foundation, told an audience at the Federal Office Systems Exposition 2006 in Washington, D.C.: "We need to distinguish when we react to privacy concerns. Rather than ban the technology, we need to make sure government IDs have encryption devices," he said, comparing RFID to the information contained on a driver's license. "Only the technology is different. The privacy issue is the same."