"People are starting to get excited and ask what they can do with smart cards," said Butler. For example, the USDA recently demonstrated to him how newly issued PIV credentials can provide employees with a single, secure login to five different applications their employees routinely access. Until now, each application required a different user name and password, a real burden for users. "To see that demo from an agency that just got started is really a big deal," said Butler.
An estimated 1.8 million federal employees will get the new credentials, excluding the Department of Defense whose employees already have the smart card-based Common Access Card identity credential. Both programs deliver more secure credentials for identification, access to facilities and information system access.
Registered Traveler Takes Off
Want to get through airport security lines in 10 minutes or less? That's exactly what the smart card-based Registered Traveler expedited security lane access program delivers to America's frequent flyers.
"The actual time is two or three minutes right now in most airports, because the program is still new and not that many people are in the lines," said Bryan Ichikawa, solutions architect for Unisys, one of the system integrators providing Registered Traveler systems.
With 12 airports already live including JFK, Newark, San Francisco and San Jose, and other large airports expected soon including Dulles, Regan and Denver, the program has real momentum across the United States.
Privacy Advocates and Alliance Agree: RFID in Driver's Licenses Bad Idea
State plans to add RFID technology to driver's licenses "create border security and personal privacy concerns for citizens," said Neville Pattinson, vice president government affairs and standards for Gemalto North America and chair of the Alliance Identity Council. At issue is the fact that the RFID technology currently recommended by DHS for border crossing security "transmits an ID number 30 feet with no security basically, and it can be cloned easily, as we demonstrated on Capitol Hill recently. That's why we've been positioning secure contactless smart card technology as a better alternative," said Pattinson.
The Center for Democracy and Technology (CDT), a public interest, public policy not for profit organization focused on civil liberties and technology policies, has developed guidelines for privacy and security. Not surprisingly, the organization's views and those of the Smart Card Alliance align very closely on the subjects of privacy and security for technology choices in identity programs, and on the problems caused by using RFID technology for government issued identity credentials.
Sophia Cope, staff attorney and Ron Plesser Fellow for CDT, presented the organization's recommended guidelines for privacy and security sensitive policies, then went on to explain how DHS proposals for REAL ID, WHTI PASS card and enhanced driver's licenses violated them.
"Decentralization is more privacy friendly than centralization," said Cope, pointing out that the DHS proposals rely on a centralized database. "Centralized identity systems can lead to commercial and government abuse."
"Going back and slapping privacy and security on at the end will not be as effective as designing it in from the beginning," said Cope. But, she noted that is exactly what DHS is doing by proposing long range EPC Global Gen 2 RFID tags for identity programs. "In the case of enhanced driver's licenses, there has been no rule making at the federal level and no privacy impact analysis as required by federal mandates," said Cope.
Another consideration is notice. "DHS and Washington State are not adequately educating citizens about risks of long range RFID," said Cope.
As to REAL ID, one concern is that the proposed security features "get so watered down it becomes a farce, because in the end it is not any more secure than it is today," Cope said. "Technology choices must be made in the context of policy goals, and if the technology choice does not achieve the aim of the policy, it is a poor choice."
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.