Response to DHS Report on RFID Technologies

The Smart Card Alliance is submitting the comments below in response to the request for comments by the DHS Emerging Applications and Technology Subcommittee of the DHS Data Privacy and Integrity Advisory Committee on the draft report, ""The Use of RFID for Human Identification."

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Our organization includes as its members all of the identification application technology providers and all of the industry segments that use smart card technology, including twenty-two federal government and other non-federal agencies. Our organization invests heavily in education on the appropriate uses of technology for identification and strongly advocates the use of smart card technology in a way that protects privacy and enhances data security and integrity. To be true to these principles we must regularly educate potential users about the differences between secure chip technology and other forms of identification technologies like RFID, barcode, optical stripe, and magnetic stripe.

We first would like to commend DHS for the report's conclusion that DHS should consider best practices and implement specific safeguards for protecting the individual's privacy and for protecting the security of data used by the identity application in programs that identify and track individuals. It has been and still is the Smart Card Alliance's position that privacy and security need to be a priority for any identity system and that these need to be designed into the entire identity system, regardless of the technology used for the identity token itself.

We do, however, disagree with the report's conclusion to "disfavor" all RFID technologies for applications involving human identification. We believe that the report defines RFID too broadly and, therefore, this recommendation will unduly restrict appropriate and secure applications of smart cards with RF technology that can meet the strictest privacy and security requirements.

The report also uses the terms human identification and tracking interchangeably (for example, section IV is titled "The Legal Basis for RFID Use in Human Identification," but contains content describing human tracking) and assumes that an identification program using RF technology would be for both identification and tracking. We feel strongly that the report should not suggest that future DHS uses of technology for identifying human beings be linked to tracking human beings. The vast majority of identity applications do not track individuals, but have the goal to accurately and securely verify an individual's identity. These two applications of technology have very different purposes and require conscious policies to be put in place to protect the individual's privacy.

There are a wide range of RF technologies used for a variety of applications - each with different operational parameters, frequencies, read ranges and capabilities to support security and privacy features. For example, the RFID technologies that are used to add value in manufacturing, shipping and object-related tracking operate over long ranges (e.g., 25 feet), were designed for that purpose alone and have minimal built-in support for security and privacy. Contactless smart cards, on the other hand, use RF technology, but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip.

The contactless smart chip includes a smart card secure microcontroller and internal memory and has unique attributes other RF technologies lack, i.e., the ability to securely manage, store and provide access to data on the card, perform complex functions (for example, encryption and mutual authentication) and interact intelligently via RF with a contactless reader. Applications using contactless smart cards support security features that ensure the integrity, confidentiality and privacy of any personally identifiable information stored or transmitted, including strong information security, strong