What is happening at NIST?

The usually reliable National Institute of Standards and Technology (NIST) at the Department of Commerce really went off the deep end in its certification review of the State Department’s new PASS card system which plans to use the EPC Global GEN-2 long range RFID standard as its base.

The agency lists a number of so called “best available practices and non-ISO standards for the protection of personal identification documents” — none of which are written for government use of identity documents — to justify its analysis.

How can CDT, which has been vocally opposed to the use of the standard in the PASS card including in our comments to the State Department on their draft, be so sure that this was not the intent of these documents?

Well, one of those cited is the product of a CDT Working Group: Privacy Best Practices for Deployment of RFID Technology. These Best Practices specifically state:

This document is targeted at commercial and private sector consumer applications. It is not intended to address government applications of RFID or applications of RFID deployed internally by companies in the employer-employee context, business-to-business applications, or uses of RFID for personal identification systems.

How much clearer do we need to make this to ensure that it is not misused?

This entry was posted on Friday, May 4th, 2007 at 3:37 pm and is filed under Consumer Privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.