Security and Privacy Issues Associated With Federal RFID-Enabled Documents

(1) U.S. Government Should Abandon RFID-Enabled Border Crossing Documents

(2) Government Moves Ahead Despite Privacy Warnings

(3) Alleged Benefits Do Not Outweigh the Privacy Risks

(4) Still Time to Change Policy and Adopt Privacy Protecting Technology

(1) U.S. Government Should Abandon Insecure RFID-Enabled Border Crossing Documents

In the wake of the September 11 attacks, the 9/11 Commission identified the security of U.S. land borders as a critical area for improvement. The federal government responded with the Western Hemisphere Travel Initiative (WHTI), a set of ID specifications for border crossings. Beginning June 1, 2009, anyone seeking to enter the U.S. by land or sea must present a passport or other “WHTI-compliant” document.

In order to accommodate U.S. citizens without a passport, the State Department and the Department of Homeland Security (DHS) have developed two new alternative ID cards: the passport card and the Enhanced Driver’s License (EDL). Both of these cards carry a long-range radio frequency identification (RFID) chip that presents a privacy nightmare for American citizens.

These insecure chips, containing traveler data, could be read from long distances by anyone, without the cardholder’s knowledge or consent, and could be used to track and profile the movements and activities of innocent Americans. Moreover, access to a traveler’s “unique ID number” could be used to further access sensitive personal information held by the government under WHTI. These privacy costs would be borne without any proven benefit to national security or border operations.

The choice of RFID technology for these new ID cards was made without proper evaluation of the privacy implications or efficiency benefits, and other technologies offering greater privacy protections apparently were not considered. The Departments turned a deaf ear to warnings and opposition expressed by Congress and DHS’ own Inspector General, as well as in thousands of public comments. Indeed, as Senator Patrick Leahy observed, DHS has behaved “like a skydiver who jumps first and tries to pack his parachute on the way down.”

CDT takes no position on the new identification requirements at the border generally, but any such requirements must be implemented with the proper technological and procedural safeguards to protect Americans’ privacy.

Prepared Oral Statement Before Senate subcommittee (April 29, 2008)

Written Testimony Before Senate subcommittee (April 29, 2008)

Comments of Sen. Patrick Leahy (D-Vt.) on DHS Draft Plan for New WHTI Border-Crossing Requirements
(June 20, 2007)

(2) Government Moves Ahead Despite Privacy Warnings

In 2004, Congress sought to implement recommendations of the 9/11 Commission with the passage of the Intelligence Reform and Terrorism Prevention Act of 2004, which led DHS and the State Department to develop WHTI. Under the initiative, the practice of accepting oral declarations of citizenship from travelers reentering the U.S. from Canada, Mexico, or the Caribbean was phased out in January 2008, and only WHTI-compliant documents (i.e. passports, passport cards, EDLs, and certain other Trusted Traveler ID cards) will be accepted as proof of citizenship beginning in June 2009. While an express goal of Congress’ was to secure the border while also facilitating cross-border travel, it is important to note that Congress did not mandate the creation of the passport card or EDL, nor did it require the use of long-range RFID technology that poses significant privacy risks to Americans.

RFID refers to a set of technological standards that allow communication between small data storage devices (RFID chips) and radio emitters that read the data (RFID readers). However, there are crucial differences between different RFID standards and applications, and it is here where the technological choices made by the State Department and DHS put privacy in jeopardy on a massive scale.

The RFID-enabled “electronic passports” issued by the State Department take a variety of reasonable precautions to protect privacy: Sensitive data is encrypted to prevent unauthorized access; the booklet itself contains RF blocking material to prevent any access when the booklet is closed; and the particular RFID standard used is designed to only allow access at distances of under approximately three inches. In contrast, the State Department and DHS are mandating “vicinity” RFID in both the passport card and EDL, using the interoperable “Generation 2” standard and no encryption. Each card would carry the holder’s unique ID number (UID), which would then be tied to other personal information in new government databases at both the state and federal levels. Under this system, anyone with an off-the-shelf RFID reader would be able to access someone’s UID from distances of 30 feet or more and use it to track the cardholder or uncover more personal information through data breach or insider fraud.
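An added simulation of the contrast drawn above, written for this page and not code from CDT, DHS or the State Department: a card that answers every reader with the same static UID is linkable across locations by any passive reader, while a card that answers only a key-holding reader, with a per-read randomised token, is not. The card classes, the keyed-token scheme and the sample UIDs are constructed assumptions, not the actual card protocols.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample cards; the UIDs are made-up placeholders, not real numbers.
UIDS = [b"UID-000001", b"UID-000002", b"UID-000003"]

class VicinityCard:
    """Design the page attributes to the passport card / EDL: any reader in
    range receives the same static, unencrypted UID on every read."""
    def __init__(self, uid):
        self.uid = uid
    def read(self, reader_key=None):
        return self.uid                      # no access control at all

class AccessControlledCard:
    """Assumed alternative (not from the page): the chip answers only a reader
    that proves knowledge of a card key, and the answer is randomised per read
    so a passive observer cannot match two sightings of the same card."""
    def __init__(self, uid, key):
        self.uid, self.key = uid, key
    def read(self, reader_key=None):
        if reader_key is None or not hmac.compare_digest(reader_key, self.key):
            return None                      # unauthorised reader gets silence
        nonce = os.urandom(8)                # fresh nonce -> unlinkable tokens
        tag = hmac.new(self.key, nonce + self.uid, hashlib.sha256).digest()[:8]
        return nonce + tag

def authorised_lookup(token, cards, key):
    """Border-side check by a key holder: recompute the tag for each enrolled
    UID and return the one that matches (a real deployment would use per-card keys)."""
    nonce, tag = token[:8], token[8:]
    for c in cards:
        expect = hmac.new(key, nonce + c.uid, hashlib.sha256).digest()[:8]
        if hmac.compare_digest(expect, tag):
            return c.uid
    return None

def passive_observer(cards, locations):
    """Unauthorised reader placed at several locations, logging whatever each
    card emits. Returns {identifier: set of locations where it was seen}."""
    seen = defaultdict(set)
    for loc in locations:
        for c in cards:
            r = c.read()                     # the observer holds no key
            if r is not None:
                seen[r].add(loc)
    return dict(seen)

def linkable_cards(cards, locations):
    """How many cards the observer can follow from one location to another."""
    return sum(1 for locs in passive_observer(cards, locations).values() if len(locs) > 1)
```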

DHS has some limited experience with RFID-enabled IDs through its Trusted Traveler programs. Certain Trusted Traveler programs for pre-approved travelers and commercial truck drivers already involve RFID-enabled ID cards, but they use a slightly more privacy-protective “Generation 1” standard. DHS and the State Department have nonetheless chosen “Generation 2” long-range RFID, ignoring the conclusion of DHS’ own Inspector General, who noted, in reviewing the Trusted Traveler programs of U.S. Customs and Border Protection (CBP), that “[a]dditional security controls [such as encryption] would be required if CBP . . . migrates to universally readable Generation 2 (Gen2) products.”

In the push to implement “vicinity” RFID technology, both DHS and the State Department engaged in serious procedural missteps. DHS did not conduct a privacy impact assessment (PIA) on the proposed EDL program, instead deferring to a PIA on the use of RFID generally, and the State Department did not conduct a PIA on the passport card program. While DHS solicited comments on the EDL program in its proposed regulations pursuant to the REAL ID Act, it did not issue final rules to govern the EDL program and ensure that Americans’ privacy would be protected. Similarly, the State Department solicited comments on the use of long-range RFID in the passport card but ignored thousands of comments opposing the technology choice. The State Department also issued a request for proposals for the RFID-enabled passport card in spring 2007, half a year before the public comment period closed; the Department clearly had no intention of considering input from the public and offered the comment period as a formality.

Congress has also expressed deep misgivings about both Departments’ handling of the technology selection process. After finding out that the passport card would use “vicinity” RFID technology, Congress mandated a privacy certification by the National Institute of Standards and Technology (NIST). A May 2007 letter from NIST made evident that the agencies were already committed to their technology choice; no thorough evaluation was done, and NIST merely rubber-stamped the program. In August 2007, Congress amended the IRTPA a second time to require an EDL pilot program to select a technology “based on individual privacy considerations,” but DHS has not altered its position.

(3) Alleged Benefits Do Not Outweigh the Privacy Risks

The DHS Data Privacy & Integrity Advisory Committee cautions against the use of RFID for identifying people given its inherent privacy risks, and yet its own agency has plowed ahead with the choice of “vicinity” RFID without meaningful privacy protections. The current card designs for the passport card and EDL leave the unique ID number unencrypted, making it easily available to anyone with an RFID reader.

The issuing agencies defend the lack of encryption by stating that WHTI-compliant documents will not contain any personally identifiable information. This ignores the fact that the ID number itself contained on the chip will become a piece of personal information; and large amounts of other cardholder data can be easily connected to the unique ID number, whether through visual inspection of the card or the breach of one of the many databases that will link the UID to a wealth of personal information. Such outcomes become more likely under the proposed system, where the databases for EDLs will be kept at the state level, requiring unnecessary duplication and sharing of data with the federal government that will create new opportunities for data breach or insider fraud.

The cautionary tale of the Social Security Number shows what can happen when a new unique identifier is introduced. Despite its limited original purpose, the SSN fell victim to “mission creep” in both government and private use, and has since become associated with vast quantities of private medical, financial, and employment data. That one number is now sufficient to unlock so much other valuable information, and, despite Congressional efforts to limit its use, the SSN has become what the FTC calls “the most valuable commodity for an identity thief.” It is easy to imagine an unencrypted, openly readable UID on a WHTI-compliant card following the same trajectory and becoming a new favorite target for identity thieves.

Currently, DHS plans to charge 50 different state agencies, each operating under different regulations and standards, with maintaining citizenship data for EDL holders and giving CBP direct access to these databases. The government has a poor track record of protecting sensitive data, and the risks are even greater with this sort of unmanageable data proliferation. The best way to mitigate the dangers of creating new databases filled with personal information is to observe simple privacy best practices of limited access and data minimization. Opportunities for mismanagement, breach, and insider fraud will be far fewer if the information is maintained by the State Department under a single set of standards and “firewalled” from state motor vehicle databases.

DHS has responded to demands that it offer more substantive privacy protections by offering a storage “sleeve” to shield cards with “vicinity” RFID chips from unauthorized readers. However, this not only inappropriately places the burden of privacy protection on travelers, but it will provide no protection during intentional transactions. Each time a cardholder removes a passport card or EDL from its sleeve to present identification, whether at a store, a movie theatre, or a border crossing, it will be exposed to any reader within a wide area. Rather than being a substantive security measure, this sleeve is merely proof that DHS and the State Department recognize the threat their plan poses to cardholders’ privacy.

It is unclear whether the use of long-range RFID will even provide the desired operational benefits. Using scanners to pre-position traveler data for inspection can only improve efficiency in the absence of other limiting factors. CBP agents will still need to scan passport booklets and Trusted Traveler IDs by hand, and face-to-face agent screenings may be slow enough to eliminate efficiency gains from long-range scanners. A GAO feasibility study also found that RFID chips produced poor read rates, and any significant error rate would further cut down on efficiency gains. The important thing is that we don’t know, because DHS and the State Department have failed to conduct (or at least release) any speed tests or comparative evaluations of different, more privacy-protective technologies. Rather than verify the benefits of the RFID technology through testing, they have merely speculated about its impact, and thus could compromise the privacy of millions of American travelers with nothing to show for it.

(4) Still Time to Change Policy and Adopt Privacy Protecting Technology

There is still time for Congress and the public to act and to force the State Department and DHS to reconsider the choice of “vicinity” RFID. Only one state, Washington, has begun issuing EDLs, with Vermont planning to issue them beginning in late 2008. The State Department and DHS began issuing passport cards on July 22, 2008, but the requirement of WHTI-compliant documents at U.S. borders is not scheduled to take effect until June 1, 2009.

The choice of the most insecure RFID technology for both cards was made prematurely, without an assessment of costs and benefits or attention to the concerns of Congress and the public. DHS and the State Department have failed to establish that the use of insecure long-range RFID is either operationally or technologically necessary. At the very least, we must demand an honest assessment of the privacy risks associated with putting this technology in the hands of so many Americans and stockpiling sensitive data in new databases. Both Departments clearly know of these privacy concerns, as evidenced by the protections incorporated into the design of the RFID-enabled passport booklet. They have yet to explain why they cannot extend similar measures to the proposed passport card and EDL formats.