Skinner: US Visit program RFID needs better security controls

Use of radio frequency identification tags within the U.S. Visitor and Immigrant Status Indicator Technology program has been applied with privacy protections but has not been adequately configured and tested to ensure that those protections are effective, according to a new report from the Homeland Security Department inspector general.

The RFID tags currently are being used on Form I-94 documents issued to foreign visitors at several U.S. land ports of entry. As of December 31, 2005, US Visit had issued 149,414 RFID-enabled Form-I-94s to travelers, DHS Inspector General Richard Skinner said.

The RFID on the Form I-94s was designed with privacy protections, the inspector general said. Specifically, the RFID tag, which is a small computer chip, contains only a number. This number must be viewed within US Visit's secure database to obtain personal information on the visitor.

Overall, the inspector general judged these privacy protections to be effective, and to present no "high or medium" information security vulnerabilities.

However, the report identified vulnerabilities in US Visit's password management and user access system that allows US Visit employees to access the personal information contained in the database.

"U.S. Visit has not properly configured its Automated Identification Management System database to ensure that data captured and stored is properly protected," the inspector general wrote.

Furthermore, US Visit has not prepared and tested contingency plans to make sure that the database can be restored following a disruption, the report said.