Industry groups enter debate over border-crossing IDs
- By Alice Lipowicz
- Apr 20, 2006
Joe Tasker, ITAA senior vice president, said that specifying a certain technology to use in border-crossing IDs will not ensure that privacy concerns are met.
Controversy over which type of radio frequency identification chip should be used in border-crossing cards has become a divisive issue for industry and government officials.
The Homeland Security and State departments are debating whether to use ultra-high-frequency RFID or chips similar to those in e-passports for the Western Hemisphere Travel Initiative. The initiative, run by the two departments, will require everyone to present a passport or other approved biometric ID card when traveling to and from Canada, the Caribbean including Bermuda, Mexico and Panama.
The People Access Security Service (Pass) card for frequent border crossers, one of the first under development to conform with the initiative, is expected to debut in early 2007.
For the new Pass card, industry sources said DHS officials are leaning toward ultra-high-frequency RFID, which lets the cards be read at distances of up to 50 feet.
State Department officials prefer a border-crossing card similar to the e-passport, which can be read at a distance from a few inches to two feet, depending on the reader.
Last month, the American Electronics Association joined the fray, writing to both agencies that the card's RFID chip should conform to the International Standards Organization 1443 standard.
As with the chip for the upcoming e-passport, the ISO chip is read at close distances. The 1443 standard allows for privacy features such as strong encryption and mutual authentication between card and reader.
"The association said [the Homeland Security and State departments] ought to use a standard that is designed for identity management," said Marc-Anthony Signorino, director of technology policy for the association. "This needs to be structured from a privacy point of view."
On March 29, a few days after AeA's letter, the Information Technology Association of America wrote a letter advising the departments to proceed with procurement as soon as possible by setting requirements, but without necessarily choosing a specific technology.
"The association said the government should issue a request for proposals to contractors that does not call for a specific technology, allowing the marketplace to propose a variety of solutions from which to choose," said an ITAA press release.
"Privacy is of utmost priority, but the government will not meet that priority by choosing one technology over another at this stage," said Joe Tasker, ITAA senior vice president.
The ultra-high-frequency RFID card, designed for tracking goods at warehouses and in shipping containers, is so fast it can read dozens of cards simultaneously.
The U.S. Visit program, for example, has been testing ultra-high frequency RFID identification documents for foreigners at three border crossings. The requirement is for up to 50 simultaneous reads of chips passing the reader at up to 50 mph.
What the ultra-high-frequency RFID chips offer is "the ability to maintain the speed of commerce," said Greg Clawson, director of RFID for government programs for Symbol Technologies Inc. "The real issue is: Can you operate the border and maintain the commerce?"
Privacy concerns can be addressed by using an approach, now being tested for U.S. Visit, in which no personal identifying information is on the card or its RFID chip. Instead, the chip has an identifying number, which must be matched with a number in a secure database maintained by the department, Clawson said.
"The only person who knows what the number means is the person who operates the trusted database," he said.
However, a card imprinted with only a number could be used by a person other than the one to whom the card is issued. A safeguard against misuse would be to use biometric data in the secure database to verify the cardholder's identity, Clawson said.
Homeland Security and State department officials didn't respond to requests for comment.
ITAA's view is that industry groups should not recommend technologies to the government, but let government set requirements, and then offer solutions to fit them.
"You can pick one or the other technology," such as SO1443 or ultra-high-frequency RFID, for the Western Hemisphere card, said Jennifer Kerber, ITAA homeland security director. "Both technologies will work, and both can be made secure," she said.
However, AeA's Signorino warned against approving RFID technology use for identifying people without instituting privacy protections, such as strong encryption and mutual authentication with a reader. That may not be possible with ultra-high-frequency chips.
"The ultra-high-frequency chip is designed to be read," he said. "It screams, 'Read me! Read me!' The ISO1443 chip [can] be read only by the right reader."
If you use an ultra-high-frequency chip for an unintended purpose, it runs the risk of hurting consumer confidence in RFID technology in general, Signorino said.
Staff Writer Alice Lipowicz can be reached at firstname.lastname@example.org.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.