Smart Card group raps NIST certification

An industry group is accusing the National Institute of Standards and Technology of failing to properly evaluate the technologies to be used in the Homeland Security and State departments' upcoming border-crossing identification card.

The group, the Smart Card Alliance, believes that NIST certified the Generation 2 Radio Frequency Identification card architecture for the People Access Security Services (PASS) Card without using "the appropriate standards and best practices relevant to human identity applications," wrote Smart Card Alliance Executive Director Randy Vanderhoof in a May 17 letter to NIST Director William Jeffrey. The alliance is a trade association representing companies that make identification cards and related systems.

Furthermore, the institute did not properly evaluate whether the Gen2 RFID technology choice is appropriate for the context in which it will be used in the Pass Card, Vanderhoof contended. "NIST has, for the first time, endorsed a technology without exploring its use in the context of the government mission and presenting the pros and cons of that technology offering for that mission," Vanderhoof wrote.

The alliance is asking NIST to revoke its certification and start over by reviewing the proposed architecture's compliance with international standards for ID cards.

The Pass Card is part of the Western Hemisphere Travel Initiative and is intended for use by Americans, Mexicans and Canadians who frequently cross the border.
Its design has been controversial because the Gen2 RFID tags it uses were originally developed for tracking merchandise in warehouses. The tags can be read wirelessly from 20 feet away or more, raising privacy worries. Homeland Security officials have asserted that the technology, with privacy protections, will enable the department to identify people and also provide convenience and speed in border crossings.

NIST recently reviewed, and recommended changes to, the proposed PASS card architecture. The revised design, with many of the recommended changes, meets the relevant international security standards, Jeffrey wrote in a May 1 letter to senior DHS and State officials. The design has not been released publicly.

Jeffrey wrote that since the departments had already selected a technology, NIST's goal was to ensure that the PASS card complies with international standards. Congress requested the review under Section 546 of the homeland security appropriations bill of fiscal 2007.

"Given this agreement between the departments of State and Homeland Security, NIST focused its efforts on working with the two agencies to assure that the Gen-2 RFID met the requirements of Section 546," Jeffrey wrote.

Vanderhoof and Jeffrey were not available for further comment.