A government plan to use radio frequency identification (RFID) chips in a proposed passport card program for U.S. citizens is drawing fire from some quarters. The identification cards would be needed by residents who don't have passports for verifying their identity at land and sea border crossings.
The Smart Card Alliance, a nonprofit industry body representing several large vendors of smart-card and RFID technologies, this week formally urged the government to reconsider a decision to use RFID technology in personal ID verification cards. The alliance cited security and privacy concerns for its stance.
It was responding to an Oct. 17 notice in the Federal Register in which the Department of State announced plans to use RFID chips for a proposed new passport card to be issued as part of the Western Hemisphere Travel Initiative, or WHTI.
Under WHTI, all Americans traveling to Mexico, Canada, the Caribbean and Bermuda will be required to show some form of personal identification approved by Department of Homeland Security when entering the United States. The identification could be in the form of a passport or the proposed new passport card and is intended to shore up security at the nation's borders. Passengers traveling by air between the different countries will be required to show such proof of identity starting Jan. 1, 2007, while those traveling by land and sea have until January 2008.
In its notice, the State Department said it would use "vicinity read" RFID technology in the cards rather than the "proximity read" contactless smart-card technology being incorporated into new ePassports. The goal is to have credit-card-size passport cards that can be read from at least 20 to 30 feet away by customs and border-protection officials to speed up the authentication process.
There are several problems with that approach, said Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton Junction, N.J.
For instance, long-range RFID technologies are vulnerable to snooping and forgery, Vanderhoof said. Cards built using such chips will have no built-in security features for verifying their authenticity, he added. In contrast, the contactless smart cards used in ePassports support encryption and digital certificate technologies for securing data and verifying authenticity. Because that technology differs from what is being used in the ePassports, U.S. border infrastructures will need to be updated, Vanderhoof explained.
An equally big concern is the potential privacy threat posed by RFID-enabled cards, said David Williams, vice president for policy at Citizens Against Government Waste (CAGW) in Washington.
While there is a need to enhance border security, "we do not believe RFID is the best way to do this," Williams said. People carrying such RFID-enabled identity cards could unknowingly be exposed to greater surveillance, he said. Individuals with such cards are also likely to have less control over when they want to be identified and what information is read, stored and shared.
"With other forms of identification, you literally have to pull your card out of your wallet. With RFID, you don't know when it is being accessed," Williams said.
Those concerns prompted CAGW to send a letter to the DHS this week urging its Data Privacy and Integrity Advisory Committee to pass an earlier subcommittee draft report that recommends against the use of RFID for personal identification. In that report, released in May (download PDF), the DHS subcommittee had argued that RFID use could marginally reduce delay times at borders and checkpoints but carried several risks, including the potential for increased surveillance and erosion of privacy and anonymity.
"In a visual ID-check environment, a person may be briefly identified but then forgotten, rendering them anonymous for practical purposes," the report noted. "In a radio ID-check environment, by contrast, a person's entry into a particular area can easily be recorded and the information permanently stored and repeatedly shared."
The DHS subcommittee is scheduled to meet Wednesday to discuss the issue.
In reality, it is unlikely that individuals carrying the cards will be tracked, said Tres Wiley, director of e-documents at Texas Instruments, which manufactures both RFID and proximity-read smart-card technologies. However the mere possibility is likely to scare people off, he said. "Citizen acceptance is going to be very important to the use of this card," and that's not going to be easy to get, he noted.
This story, "Industry group urges caution for RFID-enabled ID cards" was originally published by Computerworld.