Language Selection

English French German Italian Portuguese Spanish

GAO study of RFID technology, policy seen flawed

Filed under

A recently released Government Accountability Office study of radio frequency identity device security is flawed because it omits discussion of technologies and federal policies in the arena, according to smart-card industry executives.

GAO defended the report, saying it relied on information provided by other federal agencies and did not delve deep into individual RFID programs that the agencies are implementing.

The GAO report, titled Information Security: Radio Frequency Identification Technology in the Federal Government, discusses privacy and security aspects of RFID tags used for inventory control as well as contactless smart cards used to make personnel credentials. GAO issued the report May 27.

The report cites several privacy and security issues that RFID units can pose, such as "tracking an individual's movements, profiling an individual's habits, tastes or predilections and allowing for secondary uses of information." According to GAO, "While measures to mitigate these issues are under discussion, they remain largely prospective."

But as Patrick Hearn, business development director for Oburthur Card Systems of Chantilly, Va., stated, federal law, regulations and policies mandate many privacy and security protections for the use of smart cards in federal credentialing programs.

"The security measures-encryption and authentication-listed [by GAO as 'prospective'] all exist today and are incorporated into programs such as the State Department's e-passport program," Hearn wrote in an e-mail comment on the GAO report.

Hearn also cited the existence of the Federal Information Processing Standard 140-2, which applies to contactless smart cards issued to federal employees and contractors, as well as privacy and security rules mandated in the Federal Identity Management Handbook.

Hearn noted that the standards that apply to federal use of contactless smart cards mandate compliance with the Privacy Act of 1974, the e-Government Act of 2002, Office of Management and Budget memorandums relevant to the topic and National Institute of Standards and Technology standards for smart-card security and privacy.

Full Article.

More in Tux Machines

Mozilla Boosts Leadership Team With Connected Devices Appointment

Today, we are pleased to announce that Ari Jaaksi will be joining the Mozilla leadership team next month as our new Senior Vice President of Connected Devices. In this role, Ari will be responsible for Firefox OS and broader exploration of opportunities to advance our mission across the ever-increasing range of connection points of the modern Internet, i.e. phones, TVs, IoT, etc. Read more

Lessons From Volkswagen

  • MEP: "Car manufacturers should make their software available for review"
    Car manufacturers should be obliged to make their motor management software available for review, Paul Tang, a Dutch member of the European Parliament for the Labour Party, requested in questions to the European Commission. Such a measure should prevent the manipulation of the emissions tests, in which Volkswagen was recently caught by the US Environmental Protection Agency (EPA).
  • VW’s Cheating Proves We Must Open Up the Internet of Things
    It’s been a rough year for the Internet of Things. Security researchers uncovered terrifying vulnerabilities in products ranging from cars to garage doors to skateboards. Outages at smart home services Wink and Google’s Nest rendered customers’ gadgets temporarily useless. And the Volkswagen emissions scandal, though not precisely an Internet of Things issue, has exposed yet another issue with “smart” physical goods: the possibility of manufacturers embedding software in their products designed to skirt regulations.
  • VW Software Scandal May Lead To More Open-Source Code

Proxmox VE 4.0 Has Linux Containers Support, Based on Debian 8.2 Jessie - Video

Proxmox Server Solutions GmbH, through Martin Maurer, has had the great pleasure of announcing the final release of their commercial Proxmox VE (Virtual Environment) 4.0 operating system based on Debian GNU/Linux. Read more

Univention Corporate Server 4.1 to Implement Docker Apps, Linux Kernel 4.1 LTS

Univention's Maren Abatielos has been very happy to inform Softpedia earlier today, October 6, about the general availability of the first milestone of the upcoming Univention Corporate Server (UCS) 4.1 Linux kernel-based operating system. Read more