RFID In Government Issued ID?

RFID! writes, "The Department of Homeland Security's Data Privacy and Integrity Advisory Committee published a draft report that poured cold water on using RFID in government-mandated identity cards and documents (PDF link). But this met with some consternation among the DHS bureaus that plan to use RFID in this way and the businesses eager to sell the technology to the government, and now a vote on the report has been delayed until December."

Here's the reason Cato doesn't like RFID

[maynard]

From Jim Harper's blog post:

RFID offers no anti-forgery or anti-tampering benefit over other digital technologies that can be used in identification cards - indeed it has greater security weaknesses than alternatives. And RFID has only negligible benefits in terms of speed and convenience because it does not assist with the comparison between the identifiers on a card and the bearer of the card. This is what takes up all the time in the process of identifying someone.

He's saying it isn't any better than other card systems, and it doesn't solve the principal security problem - that of identifying the owner. I bet, however, that if one were to somehow solve the confirmation of identity issue - such as by injecting or surgically implanting and RFID chip - he might change his mind.

I think one could argue that Mr. Harper doesn't oppose RFID as much as he finds it impotent.

If you needed another reason to clean house(s)....

[guisar]

Here it is. There's only one way to stop the madness- a clean sweep! So mark Nov 7th on your calendar and make sure to read the manual for the automated voting machine and of course, bring your ID. For your safety and convenience there's no need to stick it a slot or show it to the attendent; just pass it it by this handy reader.... We know who you are.

C.f. Hollerith Cards

[Kadin2048]

RFID is a great technology in its place.

I've seen some automated warehouse and inventory-management systems that depend on RFID tags, and (if you're into this kind of stuff) they're the slickest thing you've ever seen. If your full supply chain uses tags, then there's no manual inventorying; as stuff gets unloaded from the trucks at a loading dock (by the pallet-full -- scanners can 'talk' to tens or hundreds of tags at once), it gets noted. When it gets put on a shelf, it gets noted. When an order comes in, the system knows whether it's in stock, and where's it's located. The picker (guys who pull individual items from warehouse shelves) can follow a wrist-mounted computer right to the location, and scan it as they pick it up. As orders get loaded on a truck to go out, they get scanned again at the dock doors. At every step in your supply chain, you can do this.

It's not quite a fully-automated warehouse, but it's pretty close. If you've ever worked in industry or retail, you can appreciate the beauty of such a system. All that real-time data; I won't say there's "no limit" to what you can do, because I don't want to start sounding like an ad, but there's a lot.

So really, don't blame the technology here. The gear is really good. The problem is that a lot of contractors, who want to make a few bucks from Uncle Sam, have convinced some govvies that this sort of data flow -- which is great when you're talking about cases of Rice Krispies or DVD players -- would be nice to have on all of us. The problem with "RFID" as people have come to think of it, is totally a social one. If you could somehow 'uninvent' RFID, put the genie back in the bottle, it wouldn't fix the real issue: that our government is currently obsessed with reaching down into the personal lives of individual citizens, either by accident or by design. A government which took more of an interest in privacy concerns, probably wouldn't think that embedding RFID tags in passports and drivers licenses would be a good idea. That they do, is indicative of a problem in government, not in the tags.

An apt analogy would be Hollerith card sorters and other indexing machines, in the early part of last century. They let people do all sorts of rapid data analysis and were indispensable to industry and government for countless projects. Yet they were also used by the Nazis, to greater or lesser effect depending on who you choose to believe. That a particular technology was used reprehensibly isn't necessarily a valid criticism of the technology itself; virtually anything can be perverted for ill uses.

So in short, don't blame RFID in general. It's a great technology, when used correctly, and its potential for abuse isn't any greater than similarly revolutionary systems were in their day.

Next, babies will be microchipped...

[AriaStar]

...before leaving the hospital. I foresee this happening in the next 20 years, if not sooner.

Re:Here's the reason Cato doesn't like RFID

[CortoMaltese]

All of the biometric passports and electronic identity cards use the same technology, namely smart cards [wikipedia.org], i.e. tamper resistant integrated circuit cards. There are contact and contactless cards, the latter of which are often referred to as RFID cards. Note that RFID smart cards have next to nothing to do with RFID tags. Smart cards have a processor, persistent and volatile memory, often cryptoprocessors and many kinds of shields for tamper resistance. Hacking them is quite difficult.

Contactless cards offer significantly faster communication speeds than contact cards and also the option to pick one card from many cards within the range of the reader.

What comes to security, there are two main vulnerabilities in contactless cards: eavesdropping and accessing the card without holder's knowledge is easier than in contact cards. In both points, the vulnerabilities can be overcome with protocol design. The card need not broadcast anything without setting up a secure channel and requiring holder verification (e.g. PIN). This is really not a fault in the technology itself, but rather in how it is applied.