State policy makers are looking carefully at the use of RFID technology in identity cards and the implications that holds for protecting privacy and personal information in identity applications and systems. This brief examines best practices for privacy-secure identity systems from the point of view of card technologies. It was prepared by the Identity Council of the Smart Card Alliance, a non-profit public/private partnership organization whose members include both government users and card technology providers.
What does protecting privacy and personal information mean?
First, protecting privacy and personal information means protecting individuals’ rights to control how personal information is collected, used, stored and passed on. Second, protecting privacy also includes information security–protecting the confidentiality, integrity and availability of personal information. To be considered privacy-secure, an identification system must be designed to satisfy both of these parameters.
Why are electronically readable technologies used in identification systems?
Putting electronically readable technologies into identity credentials can add greater convenience for the cardholder, plus improve operational efficiency and security compared to identity credentials without these features. Two frequently used electronically readable technologies are RFID and RF-enabled smart card technology.
Are RFID and RF-enabled smart card technology the same thing?
No. Like conventional TV and digital TV, RFID and RF-enabled smart card technology are very different. Conventional TV and DTV can both be broadcast through the air, but DTV is far more advanced. Similarly, RFID and RF-enabled smart card technology both use radio frequencies to communicate wirelessly, but RF-enabled smart cards are far more advanced and secure.
What are the differences between RFID and RF-enabled smart card technology?
RFID tags and labels are used mostly in manufacturing, shipping and object-related tracking. They have minimal built-in support for security and privacy. RFID technology is now, in some cases, also being used for identity applications.
RF-enabled smart cards include a small computer and dedicated software and are designed for high security applications. With these built-in resources, smart cards can use many techniques to protect personal identity information, making them very privacy-secure.
For example, RF-enabled smart card technology, also referred to as a contactless smart card, is used in the new electronic passports issued by the United States and more than 40 other countries; Personal Identity Verification (PIV) cards being issued to federal employees; plus contactless payment cards being issued by the banking industry using programs offered by American Express, Discover, MasterCard and Visa. Policy makers and regulators consider all of these RF-enabled smart card-based programs to be safe, secure and appropriate for protecting personal identity information.
How do RF-enabled smart cards make identification systems more privacy-secure?
Data on smart cards cannot be altered and they have extremely strong anti-counterfeit capabilities.
The cardholder can control access to personal information.
Smart card security features (for example, digital signatures, encryption and authentication) better protect personal information.
Smart cards can use encryption to protect data confidentiality and integrity when transmitted using RF.
Smart cards enable e-government and online applications with high security.
Use of the ID card can be better tied to the card owner, with the use of PINs or biometrics.
What are the most important considerations for policy makers?
The most important point is to recognize that RFID and RF-enabled contactless smart cards are very different technologies. RF-enabled contactless smart cards actually enhance privacy, security and information protection in identity systems. It is important that any policy efforts to protect privacy by limiting the use of RFID for identity applications do not also inadvertently affect the use of privacy-secure RF-enabled contactless smart card technology.
What is the best way to distinguish between these technologies?
The Smart Card Alliance Identity Council is focused on promoting the need for technologies and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud, and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.