Key Considerations Related to Federal Implementation of Radio Frequency Identification Technology
GAO-05-849T: Published: Jun 22, 2005. Publicly Released: Jun 22, 2005.
Radio frequency identification (RFID) is an automated data-capture technology that can be used to electronically identify, track, and store information contained on a tag that is attached to or embedded in an object, such as a product, case, or pallet. Federal agencies have begun implementation of RFID technology, which can offer them new capabilities and efficiencies in operations. For example, the State Department has reported plans to use RFID technology in its electronic passports. The reduced cost of the technology has made the wide-scale use of it a real possibility for government and industry organizations. As requested, this testimony will provide an overview of the technology and discuss key security, privacy, and other considerations surrounding implementation of the technology in the federal government. It is based on our recently issued report (GAO-05-551).
The main technology components of an RFID system are a tag, reader, and database. A reader scans the tag for data and sends the information to a database, which stores the data contained on the tag. The use of tags and databases raises important security considerations related to the confidentiality, integrity, and availability of the data on the tags, in the databases, and in how this information is being protected. Tools and practices such as implementing the risk-based framework mandated by the Federal Information Security Management Act of 2002 and employing encryption and authentication technologies can help mitigate these security considerations. Key privacy concerns include notifying individuals of the existence or use of the technology; tracking an individual's movements; profiling an individual's habits, tastes, or predilections; and allowing for secondary uses of the information. Tools and practices can help mitigate these considerations, including existing requirements contained in legislation and proposed measures such as a deactivation mechanism on the tag, among others. In addition to security and privacy, there are other areas of consideration related to the adoption of the technology. These areas include the reliability of the tags and readers; placement and orientation of the tag; costs and benefits associated with implementation; availability of tags; and environmental issues, such as the reuse and recycling of tags.