Proposed Passport Card with RFID Technology Bad News for Privacy and Security, Says Smart Card Alliance
PRINCETON JUNCTION, NJ, October 19, 2006–Using the long read range radio frequency identification (RFID) technology the Department of Homeland Security (DHS) and State Department are proposing for passport cards will do little to increase the security of the nation’s borders, and opens up possibilities that U.S. citizens could be tracked, the Smart Card Alliance said today. The Alliance contends that a more privacy sensitive and secure passport card solution using the same contactless smart card technology found in the new electronic passports (ePassports) can improve border security without causing delays at crossings.
“Using long range RFID technology is a major step backwards for government-issued identity credentials,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “These RFID tags simply don’t have the security features necessary to protect the border and also maintain citizen privacy.
“The stated goal of the passport card program is to help secure the border without compromising citizen privacy or efficiency at the border crossing. The only proven technology that meets all of these objectives is the contactless smart card technology that is used in the ePassport. This would achieve the objective of a faster, more secure means for tens of millions of citizens to cross back into our borders from land and sea, while still protecting the security and privacy of individuals,” concluded Vanderhoof.
Part of the Western Hemisphere Travel Initiative (WHTI), the proposed passport card is an option that can be used instead of a regular passport book when U.S. citizens are re-entering the United States from Mexico, Canada and the Caribbean at land and sea entry points. Today, only about 25 percent of U.S. citizens carry passports. The Department of State has announced that the proposed passport card will use long range RFID technology that conforms to ISO/IEC 18000-6, Type C, “Radio frequency identification for item management–Part 6.” This standard, published by ISO in July 2006, is based on the EPC Gen 2 Class 1 UHF standard developed by EPCglobal. EPCglobal is the organization working to develop standards for the Electronic Product Code™ (EPCs) to support the use of RFID in the supply chain environment. According to the State Department Federal Register notice, machines at border crossings would read information on the RFID tag and link the passport card to a secure U.S. government database containing biographical data and a photograph. While the RFID tag in the card itself would not hold any personal information, each card will transmit a unique reference number that can be read from up to 20 feet away.
“The vicinity read RFID technology proposed for the passport card does not support the necessary security safeguards to allow border officials to verify that the passport card is authentic, nor does it prevent the citizen’s unique reference number from being tracked when it is outside of its protective sleeve,” said Vanderhoof.
Additionally, this proposal for the passport card program means that the government will be relying on secure databases and networks to communicate the cardholder’s personal information to the border crossing point in real-time during the identity verification process. “The government does not have a good track record when it comes to managing and protecting databases, as evidenced by recent data breaches at the Department of Veteran’s Affairs,” said Vanderhoof.
Unlike the ePassport program, no third party standards body has been involved in defining the passport card program in order to develop specifications for how to protect and use information. Instead, the DHS is relying on private industry contractors to design, implement and operate the program. “They are going to be making it up as they go along,” said Vanderhoof.
“If this proposal is accepted, citizens will have no choice but to pay for a passport if they want to have their privacy protected and ensure that their unique identifier isn’t being tracked or used by someone with a cloned RFID card,” he said.
The Smart Card Alliance and its members worked closely with the Department of State to define, develop, test and implement secure contactless smart card technology in ePassports. Since the announcement of the proposed passport card program in April, industry leaders from the Alliance have requested to meet with DHS officials directing this program to share knowledge of both the RF vicinity read technology and contactless smart card technologies. The Alliance also suggested side-by-side trials to validate DHS benefit statements regarding EPC Gen 2 RFID technology. So far, the DHS has not met with smart card industry technology providers.
“These border entry points are being equipped to begin accepting the new electronic passports. By adding a different technology for reading the passport card, the DHS will now have to handle both types of documents, creating inefficiencies in the border crossing process and increasing costs to tax payers,” said Vanderhoof.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.securetechalliance.org.