RFID poses serious privacy risk, says report

Radio frequency identification is becoming increasingly popular inside the US government but agencies have not seriously considered the privacy risks, federal auditors said.

In a report published on Friday, the Government Accountability Office said 13 of the largest federal agencies are already using RFID or plan to use it. But only one of 23 agencies polled by the GAO had identified any legal or privacy issues - even though three admitted RFID would let them track employee movements.

"Key security issues include protecting the confidentiality, integrity and availability of the data and information systems," the GAO said. "The privacy issues include notifying consumers; tracking an individual's movements; profiling an individual's habits, tastes and predilections; and allowing for secondary uses of information."

RFID is a catchall term for a broad array of technologies that includes everything from battery-powered "active" tags, such as those used in highway toll booths, to "passive" RFID tags that measure a fraction of a millimetre in each dimension, not counting the antenna in the device.

Agencies are already experimenting with passive RFID technology. Among the list of planned or actual uses: the Department of Defense for tracking shipments; the Department of Homeland Security for immigration and baggage tracking; the State Department for electronic passports; the Department of Veterans Affairs for "audible prescription reading".

In addition, under the Real ID Act, the Department of Homeland Security is responsible for designing a standardised ID card that could be RFID-outfitted.

Few privacy concerns exist when RFID is used merely to track warehouse pallets. But when RFID chips are embedded in ID cards or otherwise linked to personal information, the GAO warned, the privacy risks increase dramatically.

"Consumers have raised concerns about whether certain collected data might reveal personal information such as medical predispositions or personal health histories and that the use of this information could result in denial of insurance coverage or employment to the individual," the report said. "For example, the use of RFID technology to track over-the-counter or prescription medicines has generated substantial controversy."

California's Senate this month approved a ban on the use of RFID tags in driver's licences and other state-issued forms of identification.

Declan McCullagh writes for CNET News.com