State to DHS: Take a pass on using long-range RFID
Technical commitee backs claims about security shortcomings
- By Jason Miller
- May 19, 2006
Data Security Issues: 'We are putting [in] a 96-digit random number that points to our database. ... Someone would have to hack our database to find out your information,' said Jim Williams of U.S. Visit.
The State Department has learned the hard way over the past year that choosing long-range radio frequency identification for moving people across the border is fraught with peril. The hullabaloo over development of its electronic passport made that clear.
Now, State officials are trying to pass those tough lessons on to the Homeland Security Department as the two agencies debate how to construct the People Access Security Services card. DHS officials, however, say they're determined to stick with RFID.
Their determination to do so, however, faced a new obstacle last week as a DHS technical committee issued a report via the department's Privacy Office condemning the use of RFID technology to identify and track humans because of privacy and security concerns.
State will issue the PASS card by January 2008 to U.S. citizens who frequently cross the borders with Canada and Mexico. It will help DHS meet the requirements of the Western Hemisphere Travel Initiative.
'At the end of the day, we are colored by our experience with e-passport,' Frank Moss, deputy assistant secretary of State for passport services in the Bureau of Consular Affairs, said at a recent Smart Card Alliance conference in Arlington, Va.
Privacy experts worried that someone equipped with a card reader close to the passport holder could intercept, or 'skim' personal data.
Their concerns were featured in a draft report written by a DHS technical committee and issued by the department's Privacy Office that strongly condemned the use of RFID systems to identify and track people.
The draft report, titled The Use of RFID for Human Identification, cited the privacy and security risks the technology poses. The report went on to propose specific security and privacy safeguards and best practices.
The DHS Emerging Applications and Technology Subcommittee of the Data Privacy and Integrity Advisory Committee, which drafted the report, said that RFID systems' small reduction of the time need to process people at checkpoints was far outweighed by the technology's privacy risks.
Privacy concerns raised by nongovernmental organizations eventually drove State's Consular Bureau to reinforce the documents' data security.
To foil interception of the personal data on the passports' RFID chips, State added an electrostatic shield and Basic Access Control, a means of securing the data transmission between the passport and reader.
State started to roll out the new, better-secured passports last month to government employees and will issue them to other citizens starting in August, Moss said.
Now, that same debate over security and privacy has moved to the PASS card.
Basically, the PASS card would become a mini-passport for citizens who frequently cross the border. The wallet-sized identification card would let citizens move through quickly, without holding up traffic.
Moss said State wants to issue a request for proposals in the next few months and start issuing cards this year. 'Ninety-five percent of the design of the cards is done,' he said. 'We want to start producing cards within the next nine months.'
The point of contention is that DHS wants to use the RFID technology commonly used for supply chain logistics, in which a device can read the tags at a distance of 30 feet to 50 feet.
But State is pushing for the short-range technology used in e-passports, based on contactless smart card technology.
Jim Williams, director of DHS' U.S. Visitor and Immigrant Status Indicator Technology program, has maintained that the technology State wants to use would take too much time and cause too much disruption at the borders.
'If you add a few seconds to each person crossing the border, that adds up to hours a day,' Williams said, also at the Smart Card Alliance conference.
Williams said he doesn't buy the argument that UHF RFID is less secure than contactless smart-card technology.
'We are concerned about privacy and would put the card in a protective sleeve,' Williams said. 'We are putting a 96-digit random number that points to our database on the card. So someone would have to hack our database to find out your information.'Senior Writer Wilson P. Dizard III contributed to this story.