What is happening at NIST?
The usually reliable National Institute of Standards and Technology (NIST) at the Department of Commerce really went off the deep end in its certification review of the State Department's new PASS card system, which plans to use the EPC Global GEN-2 long-range RFID standard as its base.
The agency lists a number of so-called "best available practices and non-ISO standards for the protection of personal identification documents" -- none of which are written for government use of identity documents -- to justify its analysis.
How can CDT, which has been vocally opposed to the use of the standard in the PASS card, including in our comments to the State Department on their draft, be so sure that this was not the intent of these documents?
Well, one of those cited is the product of a CDT Working Group: Privacy Best Practices for Deployment of RFID Technology. These Best Practices specifically state:
This document is targeted at commercial and private sector consumer applications. It is not intended to address government applications of RFID or applications of RFID deployed internally by companies in the employer-employee context, business-to-business applications, or uses of RFID for personal identification systems
How much clearer do we need to make this to ensure that it is not misused?