Could broad anti-RFID laws cause problems?

Panelists at an industry event to evaluate RFID complain of "Luddite" activists, politicians. But they do want encryption.

Anne Broache
Anne Broache Staff Writer, CNET News.com
Anne Broache
covers Capitol Hill goings-on and technology policy from Washington, D.C.
3 min read
WASHINGTON--Hasty laws drafted by technologically impaired politicians could stifle the promise of radio frequency identification tags, U.S. government officials and policy analysts said on Thursday.

RFID tags, which broadcast a unique ID through radio frequencies, have been hailed as a breakthrough that will allow retailers to track inventory more closely and, like bar codes, result in lower prices and more choices for consumers. But some politicians and liberal groups have been attacking the tags on privacy grounds, which has led to proposals like one in California last year to levy onerous regulations on RFID technology.

"The problem we see in spades in California is legislators don't know the technology nearly as well as you do," said Dan Caprio, the Department of Commerce's deputy assistant secretary for technology policy and chief privacy officer. Caprio was referring to the audience, which included representatives of technology companies.

The panel, hosted by the American Electronics Association, was designed to address the outcry from "Luddite privacy people who don't like this new technology," said Robert Atkinson, director of the Progressive Policy Institute's Technology and New Economy Project.

RFID refers to a range of technologies embedded in devices with such diverse uses as paying highway tolls to tracking inventory at Wal-Mart Stores. But its use in ID cards has raised eyebrows, and caused California state legislators to consider a second proposal aimed at restricting chips in driver's licenses and state-issued ID cards.

Thirteen federal government agencies are currently using or plan to use the technology. Under the Real ID Act, the Department of Homeland Security would create standardized, electronically readable identification cards that could include RFID.

The Department of Defense "went through lots of questions and some level of hysteria" when it started working on RFID tags about four years ago, said Michael Butler, who manages the department's smart-card office. "No one ever comes back and complains anymore."

Butler said that each day, the department issues about 10,000 RFID cards to employees, their families and retirees around the world. They use the devices to log in to their e-mail accounts and to prove eligibility for benefits--at the prescription counter, for instance. "I have complete trust" in the technology, Butler said, but he also recognized the need for "a really good, secure mechanism for transferring data."

No panelist offered a clear idea of what form that mechanism would take. Kenneth Mortensen, who works for the Department of Homeland Security's technology privacy office, suggested that privacy impact assessments, which weigh the security afforded by new pieces of technology before they're adopted, would ensure the safety of any new RFID-powered devices. (In the past, Homeland Security has fallen short of these obligations.)

"We need to have some sort of encryption on transmission devices," Mortensen said. "We need to have secure communications protocols."

Without encryption, an RFID tag transmits its unique ID number in a way that can be easily intercepted. But because the unique ID tends to be a random number that is only a pointer to a field in a database, other panelists said they weren't worried.

Transparency and education are also high on the list, Mortensen said, because people need to know what the technology can and cannot do, what information it stores and who can access it. If anything goes awry along the way, he said, "Fix the vulnerability, and then admit to the vulnerability."

CNET News.com's Declan McCullagh contributed to this report.