The RFID Debates
Nov 1, 2005 12:00 PM, By Michael Fickes
Smart cards have transformed access control and ID badging into technologies so powerful that the government — at least in California — has taken notice and moved to regulate their use in public applications. The contactless smart card industry is fighting the effort.
Since the regulatory focus thus far has aimed at public or government applications, corporate security directors may assume the debate does not concern private sector uses of radio frequency identification (RFID) technologies. In fact, the debate between the California legislature and the smart card industry may eventually define — if not legislate — acceptable and unacceptable uses for RFID-enabled contactless smart cards in private and public venues. The debate has certainly shown that the public is vitally interested in the privacy issues raised by RFID technology.
Here's how the argument started. Back in January, the Brittan Elementary School in California's Silicon Valley announced that school officials had decided to switch to a new student ID badge. Five days later, children came home from school wearing breakaway lanyards designed to hold the new badge with a 5×4-inch plastic device with a radio frequency (RF) transmitter attached to the back. At first, parents did not know what the transmitter was. Once it was identified, however, it worried them. Could an unauthorized person intercept the signal being sent out and track children? Should school officials employ technology to track children? Is it ethical? How might this technology be misused? Should government regulate its use?
Industry observers say that the school's effort was misconceived from the beginning. The children were given active RFID tags. Quite different from relatively secure passive smart cards, active RFID tags broadcast data constantly to receivers as far away as a few hundred feet.
Parents objected, filed complaints with the district and spoke to their state government representatives. Senator Joseph Simitian, a Silicon Valley lawmaker recognized for his knowledge of technology, took up the cause and introduced legislation designed to control the use of RFID technology in identity management and access control applications by state and local governments in California. Earlier this year, the State Senate passed the Identity Information Protection Act of 2005 by a lopsided and bi-partisan vote of 29-7. The State Assembly — the lower house in California government — will begin its consideration of the bill shortly.
According to Simitian, the bill, as it is now written, would do three things:
make the unauthorized reception of information from RF identification devices a crime;
require privacy protections for RF identification devices, including the use of a unique identifier, encryption and authentication protocols; and
set up a three-year moratorium on government mass distribution documents with RF identification capabilities.
The smart card industry has mounted a vigorous attack on the bill. In response to the bill's first goal of criminalizing the unauthorized skimming of RF information from smart cards, Daniel Greenwood, an industry consultant and advisor as well as an attorney specializing in e-commerce and security, notes that a California computer crime statute already prevents unauthorized access to computer systems.
Are smart cards computer systems? Smart card microprocessors probably qualify as computer systems, Greenwood says. He contends that California's existing computer crime statute “provides for criminal penalties in excess of the penalties contained in Senator Simitian's bill.”
Greenwood also points out that the Simitian bill requires that RF identification technology include at least three security features: unique identifiers, encryption and authentication protocols. In principle, legislation should avoid dealing with technology and instead aim to promote desired outcomes, Greenwood says. “You shouldn't box people into particular technical solutions,” he says. “You should think about what the outcomes should be. In this case, an outcome would be no unauthorized tracking or reading of cards.”
A serious flaw?
Most smart cards transmit unique identifiers, a number or character string that may or may not be encrypted. When a smart card reader picks up a unique identifier sent by a smart card, the reader in turn asks a database to identify the person connected to the unique identifier. The smart card itself does not transmit a name or any personal information to the reader — nothing but the unique identifier. The personal information resides in the database behind the reader.
As long as the database is properly secured, outsiders can intercept but not use the unique identifiers.
And that is one of Greenwood's problems with the legislation. “The bill addresses the front door security problem of skimming,” he says. “But it does not protect against someone hacking into the system and taking data.”
The industry also argues that microprocessor-based smart cards already have substantial built-in safeguards. “With a contactless smart card, the microprocessor can control what information can be accessed,” says Randy Vanderhoof, executive director of the Smart Card Alliance. “These cards can also encrypt data. They can challenge a reader to validate itself. Smart card systems use an ISO (International Standards organization) 14443 communications standard that specifies how the radio signal will travel from the chip to the reader.”
In the end, industry experts fear that the Simitian bill aims to stall implementation and ultimately to ban the use of smart card technology. “To ban a technology is short-sighted,” says Neville Pattinson, director of technology and government affairs for Axalto Inc., Austin, Texas, a smart card provider.
The senator responds
“This is not a ban on technology,” argues Simitian, who notes that his bill applies only to the use of contactless RFID for public sector identification documents. It does not affect contact smart cards or any identification technology used in the private sector, he says, and it simply restricts, without banning, use in the public sector.
Simitian contends that the technology does require more safeguards. “I believe RFID is an extraordinary technology, a minor miracle,” he says. “But as is the case with any technology, there are appropriate uses. My key message is this: If the industry is wise, self-interest will lead it to support reasonable restrictions on this technology — because the acceptance and proliferation of any technology depends on the public's comfort with that technology and how it is used.”
Simitian says he has been willing to compromise. Since first introducing the bill, he has made three major revisions, searching for what he calls reasonable restrictions. The original bill, for example, said that no government identification document could transmit personal information unless the law grants a specific exception for that application.
This was essentially the bill the California State Senate approved 29-7. When the industry voiced its initial objections, Simitian rewrote the bill. “The industry said that the bill seemed to operate under an assumption that the use of RFID was bad unless a specific case were made,” Simitian says. “We altered the bill to exempt some applications from the rule without requiring privacy protections. We exempted other applications if they used basic privacy protections. But we did not want to go all the way to (allowing RFID to be used on) mass distribution documents, such as drivers' licenses and government benefit cards.”
“Finally, we decided to amend the bill to provide for the three-year moratorium on mass distribution documents,” he adds. “During those three years, the industry would have to demonstrate that its privacy protections were adequate, and it would have to make its case that the concerns raised about the government requiring citizens to carry a document that broadcasts their personal information are not significant. These were major changes.”
In the face of continuing opposition, two related events have buttressed Simitian's case. First, the Government Accountability Office (GAO) issued a report entitled: “Information Security: Radio Frequency Identification Technology in the Federal Government.” The report quarrels with a key industry claim that passive RFID devices can be made to broadcast information no further than a few inches. According to the GAO, however, “under perfect conditions tags can be read from a range of about 10 to 20 feet.”
Second, the U.S. Department of State gave in to critics that claimed its electronic passports could be read at distances of a few feet, far enough to permit criminals to obtain personal information from passport holders. “The State Dept. has looked at this issue and decided to encase electronic passports in a Faraday Cage, a network of metal threads to prevent skimming,” Simitian says.
When the California legislature returns in 2006, the Assembly will vote on the measure as it now stands. If it passes, it will return to the Senate for another vote. The Senate will review the major revisions Simitian has made to the bill throughout 2005.
“We've invited Senator Simitian,” says Debra Spitler, a spokesperson for the ASSA ABLOY Identification Technology Group, which owns HID. “In fact, we chose a date that was open on his calendar at the time of our original inquiry. We sincerely hope that he will choose to attend.”
ABOUT THE COMPANIES
For information, circle the Reader Service number (listed below) or visit securitysolutions.com
Want to use this article? Click here for options!
© 2013 Penton Media Inc.
Today's New Product
In support of the Privaris family of personal identity verification tokens for secure physical and IT access, an updated version of its plusID Manager Version 2.0 software extends the capabilities and convenience to administer and enroll biometric tokens. The software offers multi-client support, import and export functionality, more extensive reporting features and a key server for a more convenient method of securing tokens to the issuing organization.