RFID: Legislative Action
Wednesday, April 1, 2009 - RFID Connections

Bert Moore

Editor

 

At some recent legislative hearings on whether to limit, regulate or restrict RFID in some way, advocates of RFID finally began to get their views heard. Why? Because many of the advocates weren't companies manufacturing or selling RFID, they were companies and agencies actively using the technology. They were able to point out to state legislators how the technology was actively benefitting citizens of the state. And their real world experiences helped put to rest some of the more outlandish claims of some privacy advocates.

 

At the same time, there are new concerns that some companies and governmental agencies are implementing RFID technology without giving adequate attention to the need for security and, therefore, privacy. Concerns about covert reading of ID cards and similar items must be addressed because they highlight real or potential system vulnerabilities that expose not only individuals but the entire system to unnecessary risk.

 

It is up to those in the RFID community -- both vendors and end users -- to be heard in legislative hearings and community forums in order to present a balanced view of the technology and point to ways in which it can be implemented securely so that it can continue to provide benefits while protecting the integrity of the system and personal privacy.

 

Legislators tend, of necessity, to focus on the concerns of their constituents. That is why the stories of end users are so important. End users can give concrete examples of how the technology is being used and how it provides a positive impact on the local population. These are messages legislators can understand. What's more, end users can answer questions about the capabilities of the technology they're using, what data is on a tag, where it is read, and how it is used.

 

End users that provide solid information about current or proposed use of the technology help dispel the clouds of misinformation and misunderstanding that often muddy legislative hearings. And while it may not be possible in the short term to put the "RFIDs in my underwear" rumors entirely to rest, it is definitely possible to show real examples of real RFID tags and how they actually perform in the real world.

 

At the same time, examples of how other states' citizens are responding to RFID are also useful. Washington State, for example, recently began offering an enhanced driver's license that can be used as an alternative to a passport for border crossings between the U.S. and Canada. Despite vocal opposition on the part of privacy advocates, the general public's reaction has been overwhelming -- so overwhelming, in fact, that the state can't keep up with demand.

 

At the same time, it has been shown that off-the-shelf readers can be used to surreptitiously read the identification number encoded in enhanced driver's licenses from a considerable distance. While some RFID-enabled driver's licenses have an unchangeable factory tag ID (TID) to prevent counterfeiting, some do not.

 

At present, this does not pose a significant threat to the integrity of the system since the ID number is only used to call up a database record on the individual. Information displayed from this database includes a photo. Nonetheless, this fact is troubling since it does give credibility to privacy advocates' fears about covert tracking and raises the possibility, however remote, that the license could be cloned by an individual with a similar appearance to the authorized license holder.

 

There are, however, methods to prevent both unauthorized reading and cloning of tag data. The recently-published ISO/IEC TR24729-4(Information technology — Radio frequency identification for item management — Implementation guidelines — Part 4: Tag data security) provides guidance on assessing potential vulnerabilities and suggested countermeasures. This document was initially developed by AIM Global's RFID Experts Group (REG) and is available in the AIM eStore (see link above).

 

The RFID community needs to provide this information at legislative hearings to help ensure that future implementations of RFID are secure.

 

While it appears that the number of proposed anti-RFID bills is diminishing, it is imperative that the industry and end users of RFID not take success for granted. Vendors and end users alike must continue to provide solid, complete information to legislators to not only help ensure that restrictive legislation is not passed today but also to help ensure that systems are designed and implemented intelligently to prevent security issues that could lead to a legislative backlash in the future.

 

-----

 

Comments on this column?  E-mail me: Bert Moore, Editor

 

 

Share this Story
Digg   del.icio.us   Yahoo   Reddit   Facebook   Google

Related Articles :
No Related Content Found

Search Articles :