After the horror of 9/11, many people in the United States and around the world wanted to know: How did the terrorists slip past U.S. border controls? And how can the U.S. government keep terrorists—and their tools of destruction—out in the future? Worst-case scenarios loomed. What if terrorists were able to create new, more effective terrorist cells on U.S. soil? And what if they could use the global supply chain to sneak weapons of mass destruction into a major city with potentially devastating effects?
These concerns aren’t far-fetched. The task of identifying who and what is entering the United States is daunting. Each year, roughly 23 million U.S. citizens travel back and forth between the United States and the bordering countries of Mexico and Canada; 15 million people visit the United States under the Visa Waiver Program; and millions more enter the country with a visa or to establish legal residency. And some 7 million containers pass through U.S. ports each year.
Better screening and tracking of the people and cargo that move in and out of the United States each day has become a cornerstone of the post-9/11 security strategy. In addition to the creation of the Department of Homeland Security (DHS), a plethora of bills have been passed and initiatives spearheaded to ratchet up security—from the controversial Patriot Act to the Real ID Act, Intelligence Reform and Terrorism Prevention Act, Secure Freight Initiative, SAFE Port Act, Western Hemisphere Travel Initiative, Homeland Security Act and Customs-Trade Partnership Against Terrorism. Their aim, simply, is to keep terrorists and their weapons out and everyone else safe.
If only securing the United States and outwitting terrorists were as simple as passing legislation. To implement some of the measures called for, lawmakers and law enforcement officials are increasingly looking to technology—from databases to biometrics, satellite surveillance devices, radiation detection equipment and radio frequency identification—to help get the job done.
The U.S. government along with other countries is pioneering the use of RFID to enhance security in two primary areas: ports and passports. Proponents say if the goal is to better monitor the cargo and people entering U.S. borders, RFID technology is a good fit within a multilayered security system. “RFID is being looked at from the federal level to the local municipal level as an enabler technology for security, especially in the post-9/11 world,” says Ellen Daley, vice president and research director for Forrester Research.
But using RFID to bolster security is controversial. There is concern that RFID tags and interrogators can’t be solely depended on to improve the security of cargo, because some studies show they aren’t tamper-proof. Privacy advocates also are concerned that RFID use in passports could actually hinder personal security by enabling identity theft or the illegal tracking of people.
Despite some controversy, the United States is integrating RFID into its security plans. And other countries are keeping a close eye on these developments to see if RFID can help secure their borders as well. RFID and security experts alike say global cooperation is needed to truly improve border controls around the world.
What’s Entering the Ports?
Before 9/11, according to the DHS, “very few” containers entering U.S. ports were screened for terrorist-related risks. But amid fears that terrorists could try to hit major U.S. seaport cities with bombs—in particular, radioactive devices—hidden in cargo containers, the task of inspecting the 7 million or so containers that pass through U.S. ports each year has become a top priority, and $10 billion has been earmarked to strengthen port security alone.
Today, under the U.S. Container Security Initiative, customs officials are stationed overseas at more than 40 ports and are using “intelligence and cutting-edge technologies” to prescreen roughly 90 percent of the 17,000 containers that arrive at the country’s 22 ports each day. The screening method for “high-risk” containers includes using “security criteria” to identify containers that may “pose a risk for terrorism,” and requiring that manifest information be provided 24 hours prior to the sea containers’ being loaded onto the vessel in the foreign port.
At the same time, under the Secure Freight Initiative, the DHS is upping efforts to scan U.S. cargo specifically for radioactive material. Currently, the department says 80 percent of U.S. cargo is being screened for radioactive emissions upon arrival in the country. Yet the DHS admits that it would be best to scan cargo before it lands in the United States. In late 2006, the DHS and Department of Energy announced plans to use radiation portal monitors to scan 7 percent of U.S.-bound containers, specifically for nuclear and radiological materials from six foreign ports in Honduras, Korea, Oman, Pakistan, Singapore and the United Kingdom. The DHS aims to eventually screen 30 percent of the containers headed for the United States for radioactive material.
But the question remains: How can all U.S.-bound containers be tracked to determine if a container was tampered with after it was screened abroad, or had dangerous materials placed in it once it arrived and sat in a U.S. shipping yard? This is where proponents say RFID could play an essential role in adding a much-needed layer to cargo security. For instance, battery-powered active RFID tags and sensors could allow customs agents and shippers to know not only where a container is in the supply chain, but whether a container had been tampered with or opened. If the container were suspect, customs officials could be alerted to carefully inspect the contents for terrorist-related contraband.
“After 9/11, it became not just about efficiency, but about improving the security of cargo,” says Lani Fritts, COO for Savi Networks, which, along with GE Security, has deployed an RFID system at three terminals at the Virginia Port Authority to track cargo, and bolster supply-chain efficiency and security. “Security is about putting layers of security in place. It’s about pinpointing the containers that are suspect, because there are only so many resources the customs authorities have.”
Companies have been exploring the use of RFID for port security not just due to perceived threats, but because supply-chain efficiency and import/expert security is already top of mind for leading corporations and industry consortiums around the globe. EPCglobal is undertaking the largest multiphase pilot to date to ultimately track transoceanic shipments between Hong Kong, Japan and Los Angeles with both active and passive RFID tags, as well as sensors to monitor elements such as temperature, light and humidity. The entire pilot is set to be completed by October 2007, and is expected to result in EPCglobal’s release of the standard for active tags while testing chain-of-custody tracking for containers.
“RFID is extremely well suited for [cargo tracking],” says Gay Whitney, EPCglobal’s director for standards. “The goals are to demonstrate how the technology can work, to validate that it works globally, to understand what level of information can be tracked from trading partner to trading partner through the chain of custody. To have that visibility throughout the life cycle of the transportation process also enables you to eliminate counterfeit product and diversion of product.”
IBM is one global company taking an early lead in working with active and passive RFID technologies to tag cargo, to enhance security, enable business processes and comply with the Customs-Trade Partnership Against Terrorism (C-TPAT), which calls for better supply-chain security of cargo in exchange for “green-lighted” status and faster processing through U.S. Customs. The program includes 6,000 of the world’s leading U.S. importers, which are working with the DHS to prescreen all of their cargo entering the country. The World Customs Organization (WCO) adopted a similar cargo security framework in 2006. C-TPAT doesn’t mandate the use of RFID, but once the EPCglobal active tag standard is released, companies could use RFID tags and sensors to comply with C-TPAT’s requirement that they put tighter security measures in place to expedite cargo processing.
Tracking cargo with RFID could give companies more control over their supply chains, which could improve security. “Freight at rest is freight at risk,” says Ann Breidenbach, director of sensor and actuator strategy for the IBM Software Group. “We’re excited about RFID because it gives you more control over all the items in your supply chain. IBM looks at RFID as being an enabling technology, not a solution by itself. The best uses are when it’s combined with other technologies.”
Debbie Turnbull, executive program manager of supply chain security for the IBM Import Compliance Office, adds that securing cargo is not only about stopping terrorist activity, it’s also good business: “It improves security, and we view security as a competitive differentiator.”
Who’s Coming and Going?
While some worry about how easy it is to enter the United States illegally from bordering countries, the fact is that the 9/11 terrorists all came through legal channels, primarily via tourist visas. With millions of people being cleared by U.S. Customs each year, officials are trying to figure out how to improve ID screening capabilities and still keep travelers moving smoothly.
“The solution is obvious,” Secretary of Homeland Security Michael Chertoff stated in his status report marking the security efforts five years after 9/11. “Secure identification that cannot be forged and cannot be exploited by terrorists is precisely what we need now, just as we needed it five years ago.”
The United States and other countries have determined that inlaying RFID chips in passports with biometric ID data is one way to speed up the screening process and more reliably confirm that passport holders are indeed who they say they are. According to the State Department, the RFID chips in so-called e-passports will securely store the same data visually displayed on the photo page of the passport, along with a digital photograph to enable biometric comparison through the use of facial recognition technology.
The State Department began issuing e-passports to U.S. citizens who applied for new passports or renewals toward the end of 2006. By mid-2007, e-passports are set to be issued for all new applications or renewals through all U.S. passport offices, so eventually all U.S. passports presumably will contain RFID.
In another effort to both speed up and improve passport screening, Congress mandated that 27 countries participating in the Visa Waiver Program (VWP), which allows visitors to enter the United States for up to 90 days without visas, had to create machine-readable passports (MRPs) by 2005. MRPs, which have RFID chips, allow data in the passport to be scanned automatically. The chip stores a copy of the holder’s personal information along with an additional biometric ID, such as a digital photo. As of October 2006, 24 countries whose citizens can travel to the United States without visas—including Australia, France, Japan and the United Kingdom—had embedded RFID tags in passports, according to the International Civil Aviation Organization.
RFID readers have been installed in several U.S. international airports, including New York’s John F. Kennedy, Washington Dulles, San Francisco, Los Angeles, New Jersey’s Newark Liberty and Honolulu. The DHS hopes to expand the VWP to other nations. In addition, some countries, such as Malaysia and Turkey, that don’t participate in the VWP are putting RFID chips in passports to improve the authentication process.
By 2009, it will no longer be acceptable for a U.S. resident to use a government-issued photo ID, such as a driver’s license, along with a birth certificate to re-enter the United States from Canada, Mexico, Bermuda or the Caribbean. Instead, under the Western Hemisphere Travel Initiative (WHTI), the State Department and DHS announced plans in October 2006 to offer the People Access Security Service (PASS) card to the tens of millions of U.S. citizens who cross the border by land or sea frequently from those countries each year. Under the current plan, the PASS card would contain an RFID tag, which would have a unique ID number that would be transmitted via an RFID reader to a Customs and Border Protection Department database containing passport data about the cardholder such as name and place of birth.
RFID tags are also being tested in I-94A forms, which the DHS issues to visitors who have nonimmigrant visas, are subject to the Visa Waiver Program, or are Mexican Border Crossing Card holders planning to stay in the country longer than 30 days. The RFID tags in those forms are being piloted in five U.S. border ports in Arizona, New York and Washington state, and will be used to automatically record border entries and exits.
Protection vs. Privacy
Though U.S. e-passports are being distributed now, PASS cards have been stalled due to privacy concerns. The announcement of both e-passports and PASS cards almost instantly raised the hackles of privacy advocates, including the American Civil Liberties Union, Citizens Against Government Waste and the Electronic Privacy Information Center.
Consumer privacy advocates argue that PASS cards and other government-issued IDs with RFID could make people subject to unprecedented surveillance. The controversy surrounds whether federally issued ID cards containing RFID tags can also be read by unauthorized parties—from identity thieves to terrorists—who could potentially gain access to a person’s sensitive data and “ID” them, too. There is also fear that RFID in passports could be used to track people’s whereabouts once they leave an airport or customs. And there are questions about the security of the data stored on e-passports and PASS cards. For instance, at the Black Hat conference in Las Vegas in August 2006, the German computer security company DN-Systems demonstrated how it could easily copy data from an RFID chip in a passport.
The U.S. government says that to prevent skimming—reading an RFID tag surreptitiously—e-passports can be read only at 4 inches (10 centimeters) or less, and have metallic material incorporated into the cover to block a tag from being read when a passport is closed (something it’s promising for PASS cards, too). The RFID chips are also locked down by what’s known as Basic Access Control, similar to a PIN used for ATM or credit card transactions, and should be readable only with a Customs security device. But as proposed, PASS cards could be read from a greater distance—up to 20 feet away—and privacy advocates say the anti-skimming measures for both IDs aren’t strong enough.
Even the DHS’s own Data Privacy and Integrity Advisory Committee subcommittee report in May 2006, The Use of RFID for Human Identification, stated that RFID is not a cure-all for fake passports or to quell long lines at borders and airports, and could pose risks to privacy while not vastly improving homeland security. The initial draft report stated that “RFID appears to offer little benefit when compared with the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security.”
A revised version of the report adopted on Dec. 6, 2006, was less damning of RFID, though it still laid out privacy concerns and recommended safeguards for RFID-enabled IDs. “On the one hand, there is the potential for benefits in terms of greater accuracy, speed and efficiency when deploying an RFID-enabled system to identify individuals,” the report states. “On the other hand, there are a variety of concerns about the use of such systems, including the potential for unauthorized access to the data on the RFID-enabled device, or the data when in transit between the device and reader.” And the report goes on to say that there is concern that RFID-enabled IDs could lead to the potential for widespread surveillance of individuals, including U.S. citizens, without their knowledge or consent.
In part due to privacy concerns, the PASS card program will not be implemented until the National Institute of Standards and Technology certifies that the PASS card program meets or exceeds the International Standards Organization (ISO) security standards, and can ensure that the U.S. government has incorporated into the architecture “the best available practices to prevent the unauthorized use of information on the card,” according to legislation regarding the implementation of the WHTI. Additionally, the State Department extended the period for public comments until January 2007.
On another front, state officials and privacy advocates are concerned about the cost of complying with the 2005 Real ID Act, designed to improve identification security by creating national standards for the issuance of state driver’s licenses and identification cards. It mandated the adoption of electronic verification systems, which could include RFID, by 2008. A comprehensive analysis of the Real ID Act by the National Governors Association, National Conference of State Legislatures and the American Association of Motor Vehicle Administrators estimated that states would have to spend more than $11.1 billion over five years to comply with the new rules. The groups are calling for wide-sweeping changes to the mandate and complain that they don’t have the guidance or funds to implement it.
The Electronic Frontier Foundation also says that a national ID program would be a threat to personal privacy and won’t improve security. As of December, Sen. Daniel Akaka (D-Hawaii) and Sen. John Sununu (R-N.H.) said they would propose legislation to repeal the act.
Mike Liard, an ABI research analyst focused on RFID, says the debate over RFID in identification cards and passports also signifies that the government and its vendors need to do a better job of allaying travelers’ privacy concerns and explaining how e-passports and PASS cards will work and what happens to the data: “RFID is getting closer to consumers’ hands—the marketplace needs to understand how it relates to [security] post-9/11.”
Security Experts Debate RFID’s Effectiveness
Though RFID is now a part of numerous initiatives to increase overall border security, experts are still debating how effective RFID will be as part of the bigger picture. Barry Wilkins, who is vice president of global supply-chain security for Pinkerton Consulting & Investigations and was a consultant to the International Cargo Security Council on implementing C-TPAT, also helped test RFID within a cargo security pilot at Seattle and Tacoma, Wash., ports. The pilot was part of the DHS’s $58 million Operation Safe Commerce port program, which funds business initiatives designed to enhance security for international cargo containers.
Wilkins believes that using RFID to secure containers would give inspectors better information to do a better job of targeting containers. “The bolt seal that is currently used on containers is very vulnerable,” Wilkins says. “In the long term, the only way to address those vulnerabilities is an intrusion detection device. There might be a light or acoustic detection sensor tied to an advanced container security device that gets read by an RFID reader.”
But Roger Johnston, head of the Vulnerability Assessment Team at Los Alamos National Laboratory, says the RFID products his lab has tested can’t prevent cargo tampering because they are not tamper-proof themselves. “We take a pretty radical position that RFID [tags and readers] are not security devices,” he says. “We’ve opened up a lot of RFID products and looked at whether they have tamper protection, and most don’t; the ones that do aren’t that sophisticated.”
One problem, Johnston says, is that RFID is being deployed in the supply chain first and foremost for inventory management. “Security is difficult under the best of circumstances. With RFID, there is no security built in in the first place, so it’s not surprising that it’s not particularly secure. You have to design the security from the start, thinking about what the bad guys want to accomplish, who they are, what they want and what they are capable of.” He worries that RFID could be seen as a panacea and could actually decrease security if, for example, fewer containers are manually checked.
Ultimately, analysts, security experts and industry insiders agree that in the post-9/11 world, RFID is only one potential piece of the security puzzle. Whether it’s deployed to secure ports or passports, to be effective at all, they say, it must be used as part of a multilayered security system, not threaten personal privacy, be vulnerability- tested and standards-based, and include a return on investment for end users.
“It’s not just about terrorism but loss prevention and risk management,” says Savi’s Fritts. “Five years after Sept. 11, we’re at a point where these various things that have been in motion—regulatory efforts, commercial benefits and standards—are coming together and are real.”
Wilkins agrees that for RFID—or any technology—to enable national security, it needs to be a part of a larger, multifaceted approach: “Any technology without good policies, procedures and practices doesn’t work by itself.”
Illustration by John MacDonald.