Jan 08, 2008This article was originally published by RFID Update.
January 8, 2008—The US Department of State last week published a Federal Register notice that sets its RFID passport card requirements, effective February 1 of this year. The new PASS Cards are an alternative to traditional passports and will contain an EPCglobal Gen2 standard UHF RFID chip intended to expedite border crossings. The cards are controversial because many feel the RFID chips lack enough security to safeguard identities and prevent cloning and other hacking.
The passport cards are being created as part of the Western Hemisphere Travel Initiative (WHTI) to expedite border crossings for US citizens entering the country by sea or land (not by plane) from Canada, Mexico, the Caribbean, and Bermuda. The PASS Cards are intended to give citizens who frequently cross the border for work or personal business a lower-cost option to traditional passports, sometimes called "passport books." The passport cards will be accepted at 39 points of entry that account for 95 percent of all US border crossings, Department of Homeland Security spokesperson Kelly Lundt told RFID Update. The contract to equip the locations will be put out for bid this month, and all facilities should be equipped and able to process RFID passport cards by the end of the year, according to Lundt.
PASS Cards will not provide all the same privileges as traditional passport books, and will use different, incompatible RFID technology than what is being used in the new e-passports. The cards will come with a protective sleeve to shield the chip from readers when the card is not in use.
At roadway border crossings there will be specially designated lanes with RFID readers set up to identify cardholders when they get within approximately 15 to 20 feet from the checkpoint. No personal identification will be encoded or transmitted using RFID. Instead, the readers will capture a unique ID number encoded in the RFID chip, which will trigger a database lookup of the cardholder's credentials. By the time the vehicle arrives at the checkpoint, the PC there should be displaying the cardholder's picture and necessary information. The border control agent will visually match the picture to the driver, review the card, and approve or detain the traveler as appropriate.
Many privacy advocates, technology experts, and individual citizens have objected to the proposed system. The State Department received more than 4,000 comments about the passport card proposal, most dealing with the choice of technology. A leading concern is the transmission of the unique ID number. Critics say the transmission is unencrypted and insecure, which could lead to IDs being captured and cloned by hackers. Proposed alternatives included using stronger encryption, holding passport cards to the same security standards as electronic passport books, and foregoing long-range UHF technology in favor of a contact-based system to limit the opportunity for interception.
Derwood Staeben, the US State Department's program manager for the WHTI, counters the concerns. "This is the key factor: there is no personal information on the RFID chip. There is nothing to skim," Staeben told RFID Update. "You could clone the chip, but to what purpose? Even if a hacker presents a cloned passport chip, the checkpoint computer screen is still going to display someone else's picture on it. The RFID chip doesn't replace the border control officer."
Randy Vanderhoof, executive director of the Smart Card Alliance, disagrees. "The argument has been made that 'It's just a number.' But the same thing could be said of your Social Security number or a credit card number. The number becomes meaningful when it's linked to an individual," Vanderhoof explained to RFID Update. "The passport card number is accessible to anyone with an RFID reader within 20 or 30 feet. They can figure out what car it came from, and then associate it to that license plate. It's not just about securing the number."
The Smart Card Alliance is an industry association that promotes smart card use, and has members that produce both contact and long-range RFID technology. It has provided information to the State Department and Department of Homeland Security since the card program was announced, according to Vanderhoof, and advocated that more secure contact-range RFID technology be used instead of long range Gen2.
The Center for Democracy and Technology submitted comments to the State Department that called the decision to use Gen2 "fatal." The Smart Card Alliance also submitted comments, and produced a white paper on the use and consequences of RFID border crossing documents.
The State Department said the passport cards don't need the same high level of security as the RFID chips in its electronic passports, which do store personal information. The Federal Register notice for passport card requirements notes the cards have a different "business model" than traditional passports, and thus different performance requirements.
The State Department's Staeben said the technology and procedures chosen for the PASS Cards are similar to those used in the FAST, NEXUS, and SENTRY programs, which have been running for several years to simplify border crossings for truck drivers and their vehicles. "RFID is not a new concept for credentials. This is the same technology we've been using since 1995," said Staeben, adding that there have been no known security breaches of the FAST, NEXUS, or SENTRY programs.
Four border states -- Arizona, New York, Vermont, and Washington -- are planning to offer drivers licenses with the same RFID technology as the PASS Card and have signed cooperative agreements with the Department of Homeland Security, according to Vanderhoof. He is concerned about the growing use of insecure RFID technology, and about potential confusion about what identification to present at borders, since citizens will have their choice of different passports and drivers licenses.
US citizens can apply for PASS Cards beginning February 1, 2008. The State Department has published a website with more information and downloadable application forms. The Smart Card Alliance and Center for Democracy and Technology also have more information and details about security and privacy concerns on their sites. This article from the Washington Post also provides a good summary of the program and its critics.
