DHS plans privacy safeguards for border-crossing card

WILLIAMSBURG, Va.?The Homeland Security Department may use a reference number rather than personal identifying information on a new border-crossing card as a method to help protect privacy, a top department official said today.

The card is likely to have an ultra-high frequency Radio Identification (RFID) chip. Privacy would be safeguarded, in part, by the absence of personal identifying information such as name, address and age, Kenneth Mortensen, DHS senior adviser to the privacy officer, said Monday at the Interagency Resources Management Conference.

The reference number will be linked with a secure database maintained by the department, which will contain the personal information and biometrics, he said.

The RFID chip is being considered for the Peoples Access Security Services (PASS) card under development to meet the requirements of the Western Hemisphere Travel Initiative.

It is an ultra-high-frequency chip capable of being read at about 50 feet. It is similar to what the U.S. Visitor and Immigrant Status Indicator System (U.S. Visit) uses for foreigners arriving at five land ports. However, the PASS card would be for U.S. citizens, as well as for Mexicans and Canadians.

The reference number would be read and checked against a secure database maintained by the agency, which would match the number to a name and identifying information, including a photo, Mortensen said. That follows the model as the U.S. Visit tests, which also use reference numbers checked against a database.

One concern about the model is the possibility that an RFID card containing only a reference number could be displayed by someone other than the person to whom it was issued. To guard against that, border patrol guards will look at the travelers passing through the entry point to confirm that they are the person who is in the photograph in the secure database, Mortensen said.

The privacy office is being consulted while the card is in development to ensure that concerns are considered from the beginning, Mortensen said.

"We're trying to be more than just the policy shop," Mortensen said. Rather than just issuing privacy policies, to be effective you have to put the protections into operation, he said.

The privacy office has not yet completed a privacy impact assessment on the PASS card, Mortensen said.

"We are doing a privacy impact assessment, so we can fully mitigate the issues with that card, not just with the RFID, to make sure the technology is used appropriately," he said.