Summary: Radio frequency identification (RFID) is an automated data-capture technology that can be used to electronically identify, track, and store information contained on a tag that is attached to or embedded in an object, such as a product, case, or pallet. Federal agencies have begun implementation of RFID technology, which offers them new capabilities and efficiencies in operations. The reduced cost of the technology has made the wide-scale use of it a real possibility for government and industry organizations. Accordingly, GAO was requested to discuss considerations surrounding RFID technology implementation in the federal government. Specifically, GAO was asked to (1) provide an overview of the technology; (2) identify the major initiatives at federal agencies that use or propose to use the technology; (3) discuss the current standards, including those for interoperability, that exist; (4) discuss potential legal issues that the 24 Chief Financial Officer (CFO) Act agencies have identified in their planning for technology implementation; and (5) discuss security and privacy considerations surrounding the technology and the tools and practices available to mitigate them. The Office of Management and Budget agreed with the contents of this report.
The main technology components of an RFID system are a tag, reader, and database. A reader scans the tag for data and sends the information to a database, which stores the data contained on the tag. The major initiatives at federal agencies that use or propose to use the technology include physical access control and tracking assets, documents, or materials. For example, the Department of Homeland Security is using it to track and identify assets, weapons, and baggage on flights. RFID standards define a set of rules, conditions, or requirements that the components of the system must meet in order to operate effectively. There are multiple sets of standards that guide the use of RFID technology. In addition, the standards used often depend on the type of activity the application is used for and the industry or country in which it is used. For applications where global interoperability between systems is necessary, such as electronic passports or global supply chains, a common set of standards can assist with the proper interaction and interchange of information between systems. Of the 16 agencies that responded to the question on legal issues associated with RFID implementation in our survey, only one identified what it considered to be legal issues. These issues relate to protecting an individual's right to privacy and tracking sensitive documents and evidence. The use of tags and databases raises important security considerations related to the confidentiality, integrity, and availability of the data on the tags, in the databases, and in how this information is being protected. Key privacy concerns include tracking an individual's movements and profiling an individual's habits, among others. Tools and practices are available to address these considerations, including existing and proposed information security technologies and practices, and other practices required by law.
