Industry group urges caution on U.S. plan for RFID-enabled ID cards

Computerworld - A government plan to use radio frequency identification (RFID) chips in a proposed passport card program for U.S. citizens is drawing fire from some quarters. The identification cards would be needed by residents who don't have passports for verifying their identity at land and sea border crossings.

The Smart Card Alliance, a nonprofit industry body representing several large vendors of smart-card and RFID technologies, this week formally urged the government to reconsider a decision to use RFID technology in personal ID verification cards. The alliance cited security and privacy concerns for its stance.

It was responding to an Oct. 17 notice in the Federal Register in which the U.S. Department of State announced plans to use RFID chips for a proposed new passport card to be issued as part of the Western Hemisphere Travel Initiative, or WHTI.

Under WHTI, all Americans traveling to Mexico, Canada, the Caribbean and Bermuda will be required to show some form of personal identification approved by Department of Homeland Security when entering the U.S. The identification could be in the form of a passport or the proposed new passport card and is intended to shore up security at the nation's borders. Passengers traveling by air between the different countries will be required to show such proof of identity starting Jan. 1, 2007, while those traveling by land and sea have until January 2008.

In its notice, the State Department said it would use "vicinity read" RFID technology in the cards rather than the "proximity read" contactless smart-card technology being incorporated into new ePassports. The goal is to have credit-card-size passport cards that can be read from at least 20 to 30 feet away by customs and border-protection officials to speed up the authentication process.

There are several problems with that approach, said Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton Junction, N.J.

For instance, long-range RFID technologies are vulnerable to snooping and forgery, Vanderhoof said. Cards built using such chips will have no built-in security features for verifying their authenticity, he added. In contrast, the contactless smart cards used in ePassports support encryption and digital certificate technologies for securing data and verifying authenticity. Because that technology differs from what is being used in the ePassports, U.S. border infrastructures will need to be updated, Vanderhoof explained.

An equally big concern is the potential privacy threat posed by RFID-enabled cards, said David Williams, vice president for policy at Citizens Against Government Waste (CAGW) in Washington.

While there is a need to enhance border security, "we do not believe RFID is the best way to do this," Williams said. People carrying such RFID-enabled identity cards could unknowingly be exposed to greater surveillance, he said. Individuals with such cards are also likely to have less control over when they want to be identified and what information is read, stored and shared.