A Vote of Confidence for RFID in US-VISIT Program
Filed in archive Privacy and Security by Anita Campbell on July 09, 2006

Although the program's security is effective overall, some of its procedures for password security and account access to the database where personal data is stored are too lax. The database access vulnerabilities are the main issue, not problems with the RFID technology per se.
Guess who discovered the vulnerabilities and published a report about the discovery?
Was it privacy advocates?
Was it the result of some class action lawsuit?
Was it some white-hat hacker?
No. It was the U.S. Department of Homeland Security itself, through the internal audit procedures of its Inspector General arm. In June 2006 the Inspector General's office issued an internal audit report identifying certain vulnerabilities with respect to personal data collected under the US-VISIT program. RFID Journal has a detailed article about the report, noting:
The audit results of the AIDMS database "revealed some security vulnerabilities that could be exploited to gain unauthorized or undetected access to sensitive data [relating to person carrying I-94 forms]," says the report. It says these vulnerabilities were based in the area of user account and password management and user access permissions, but the details of such vulnerabilities are removed from the redacted version of the report, available online. During the audit, the team was not able to use unauthorized interrogators to "communicate or read the Form I-94s at ports of entry," but it was able to pull the record indicator from sample forms in a laboratory setting, using a "more sophisticated reader," according to the report, though the redacted report does not detail what type of interrogator was used in the lab. Today, only a record indicator (the unique ID encoded to each form's RFID inlay), rather than any personally identifiable information, is encoded to the RFID inlays embedded in the forms....
I find it interesting that the main vulnerability has to do with old-fashioned database security (password control and account access) rather than with the RFID tags and readers, or with the design of the RFID system itself.
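The design the report describes, an inlay that carries only an opaque record indicator while the personal data sits behind account-controlled database access, is easy to model. The following is an added example written for this post, not code from the report, from RFID Journal or from the US-VISIT system; the form IDs, record indicators, traveler records, account names and the PiiStore class are all constructed placeholders. It shows that reading the tag yields nothing but the indicator, and that the weak points the audit flagged (passwords, account roles, undetected access) are the database's job: hashed passwords with a minimum length, role checks that fail closed, and an audit log that records every login and lookup attempt so that access is never undetected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# --- Tag side ------------------------------------------------------------
# Constructed sample: each form's inlay holds only an opaque record indicator.
# These values are made up for the example and identify nothing real.
SAMPLE_FORMS = {
    "form-A": {"record_indicator": "RI-7f3a9c"},
    "form-B": {"record_indicator": "RI-0b1e22"},
}


def read_tag(form_id: str) -> str:
    """All any reader obtains from the inlay: the record indicator, no PII."""
    return SAMPLE_FORMS[form_id]["record_indicator"]


# --- Database side -------------------------------------------------------
PBKDF2_ROUNDS = 200_000     # slow hash so stolen digests resist guessing
MIN_PASSWORD_LEN = 12       # the kind of policy the audit found lacking


@dataclass(frozen=True)
class Session:
    username: str
    role: str


class PiiStore:
    """Hypothetical back-end: per-account passwords, roles and an audit log."""

    def __init__(self) -> None:
        # Constructed traveler records keyed by record indicator.
        self._records = {
            "RI-7f3a9c": {"name": "Sample Traveler One", "dob": "1970-01-01"},
            "RI-0b1e22": {"name": "Sample Traveler Two", "dob": "1985-06-15"},
        }
        self._accounts: dict = {}          # username -> (salt, digest, role)
        self.audit_log: list = []          # (username, action, outcome)

    def add_account(self, username: str, password: str, role: str) -> None:
        """Enforce a minimum password length and store a salted PBKDF2 digest."""
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password shorter than policy minimum")
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[username] = (salt, digest, role)

    def authenticate(self, username: str, password: str) -> Optional[Session]:
        """Every attempt, successful or not, lands in the audit log."""
        entry = self._accounts.get(username)
        if entry is None:
            self.audit_log.append((username, "login", "unknown-account"))
            return None
        salt, digest, role = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            self.audit_log.append((username, "login", "bad-password"))
            return None
        self.audit_log.append((username, "login", "ok"))
        return Session(username, role)

    def lookup(self, session: Session, record_indicator: str) -> dict:
        """Resolve an indicator to PII only for the 'inspector' role; fail closed."""
        action = f"lookup {record_indicator}"
        if session.role != "inspector":
            self.audit_log.append((session.username, action, "denied"))
            raise PermissionError(f"role {session.role!r} may not read traveler records")
        record = self._records.get(record_indicator)
        if record is None:
            self.audit_log.append((session.username, action, "not-found"))
            raise KeyError(record_indicator)
        self.audit_log.append((session.username, action, "ok"))
        return dict(record)


if __name__ == "__main__":
    store = PiiStore()
    store.add_account("inspector1", "correct horse battery", "inspector")
    session = store.authenticate("inspector1", "correct horse battery")
    print("tag gives only:", read_tag("form-A"))
    print("database gives:", store.lookup(session, read_tag("form-A")))
    print("audit trail:", store.audit_log)
```

The point of the split is that a reader in a laboratory, as in the audit, learns only `RI-7f3a9c`; turning that into a name requires an account that passes the password check and holds the right role, and both the attempt and its outcome are written to `audit_log`, which is what makes unauthorized access detectable rather than silent.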
What are we to conclude from this whole process? I'd say two appropriate conclusions are that (1) our government is acting responsibly and self-policing to ensure that RFID-enabled identity systems are secure and properly implemented, and that (2) personal privacy can be properly protected with RFID-enabled identity systems.
A redacted (edited) draft version of the report appears online here (PDF).