Government identity management programs took center stage as the Smart Card Alliance kicked off its Annual Conference, which took place last week at the Boston Marriott Long Wharf.
Critical security initiatives have now entered the issuing phase and over the next year will put millions of smart card-based IDs in the hands of all maritime workers at the nation's seaports and all federal employees, program managers told conference attendees Tuesday. And the Registered Traveler program is now speeding frequent flyers through 12 airports nationwide, with more coming.
These and other highlights from conference speakers include:
Transportation Worker Identification Credentials (TWIC)
The plan by the Transportation Security Agency (TSA) and U.S. Coast Guard to issue secure Transportation Worker Identification Credentials (TWIC) to 750,000 maritime workers and merchant mariners at U.S. seaports took a big step forward.
"As of 9 am this morning our enrollment website was up, and real workers at the Port of Wilmington can begin the process of applying for the TWIC card," John Schwartz, assistant director of the TWIC Program Office, announced yesterday. With credential issuing at this first port fully underway starting next Monday, TSA plans to move fast. "Our goal is to have 50 major ports up and running by January," Schwartz said. TSA plans to have all of the TWIC credentials issued within 15 months of this initial rollout.
The smart card-based TWICs are tamper-resistant biometric credentials containing the worker's fingerprint template to allow for a positive link between the card itself and the individual. Embedded in the card is a dual interface microprocessor chip, a small computer chip that can be read by either inserting the card in a slot in a "contact" card reader or by holding the card within 10 centimeters of a "contactless" card reader.
"The TWIC program, like the U.S. electronic passport program, is an excellent example of using smart card technology in a way that provides high security and protects personal privacy at the same time," said Randy Vanderhoof, executive director of the Smart Card Alliance.
Due to the harsh maritime environment, program managers wanted to use secure contactless technology for better reliability of cards and readers. At the same time, they wanted a high level of personal security. The solution was to encrypt the contactless transmission of the biometric template from the TWIC card to the reader.
The program is being implemented in two parts: first getting ID cards issued, and then deploying readers at entry points to the ports. The next step is to pilot test readers in labs, with full operational tests planned for mid-2008.
GSA Shared Services and HSPD-12
As federal agencies come to grips with the reality of issuing PIV-II smart cards to comply with the looming HSPD-12 deadline, the shared services option developed by the General Services Administration has won a lot of recent converts--67 federal agencies representing 860,000 federal employees and contractors to be exact, according to Michael Butler, program manager for the project. GSA branded the program USAccess.
After making a contract award in April, the GSA began issuing cards in September. The program is on track to issue hundreds of thousands of cards in the coming year and meet the program's deadlines, Butler said.
"In little over four months GSA stood up this program and is now issuing cards," said Vanderhoof. "It's a real achievement and a testimony to GSA's partners and their team."
Pooling demand under a shared services contract benefited government agencies in terms of cost and investment, Butler reported. The GSA charges a $49 initial cost for PIV-II credentials, with an ongoing $3 per month infrastructure support cost.
"People are starting to get excited and ask what they can do with smart cards," said Butler. For example, the USDA recently demonstrated to him how newly issued PIV credentials can provide employees with a single, secure login to five different applications their employees routinely access. Until now, each application required a different user name and password, a real burden for users. "To see that demo from an agency that just got started is really a big deal," said Butler.
An estimated 1.8 million federal employees will get the new credentials, excluding the Department of Defense whose employees already have the smart card-based Common Access Card identity credential. Both programs deliver more secure credentials for identification, access to facilities and information system access.
Registered Traveler Takes Off
Want to get through airport security lines in 10 minutes or less? That's exactly what the smart card-based Registered Traveler expedited security lane access program delivers to America's frequent flyers.
"The actual time is two or three minutes right now in most airports, because the program is still new and not that many people are in the lines," said Bryan Ichikawa, solutions architect for Unisys, one of the system integrators providing Registered Traveler systems.
With 12 airports already live, including JFK, Newark, San Francisco and San Jose, and other large airports expected soon, including Dulles, Reagan and Denver, the program has real momentum across the United States.
Privacy Advocates and Alliance Agree: RFID in Driver's Licenses Bad Idea
State plans to add RFID technology to driver's licenses "create border security and personal privacy concerns for citizens," said Neville Pattinson, vice president government affairs and standards for Gemalto North America and chair of the Alliance Identity Council. At issue is the fact that the RFID technology currently recommended by DHS for border crossing security "transmits an ID number 30 feet with no security basically, and it can be cloned easily, as we demonstrated on Capitol Hill recently. That's why we've been positioning secure contactless smart card technology as a better alternative," said Pattinson.
The Center for Democracy and Technology (CDT), a public interest, public policy not-for-profit organization focused on civil liberties and technology policies, has developed guidelines for privacy and security. Not surprisingly, the organization's views and those of the Smart Card Alliance align very closely on the subjects of privacy and security for technology choices in identity programs, and on the problems caused by using RFID technology for government-issued identity credentials.
Sophia Cope, staff attorney and Ron Plesser Fellow for CDT, presented the organization's recommended guidelines for privacy and security sensitive policies, then went on to explain how DHS proposals for REAL ID, WHTI PASS card and enhanced driver's licenses violated them.
"Decentralization is more privacy friendly than centralization," said Cope, pointing out that the DHS proposals rely on a centralized database. "Centralized identity systems can lead to commercial and government abuse."
"Going back and slapping privacy and security on at the end will not be as effective as designing it in from the beginning," said Cope. But, she noted, that is exactly what DHS is doing by proposing long range EPC Global Gen 2 RFID tags for identity programs. "In the case of enhanced driver's licenses, there has been no rule making at the federal level and no privacy impact analysis as required by federal mandates," said Cope.
Another consideration is notice. "DHS and Washington State are not adequately educating citizens about risks of long range RFID," said Cope.
As to REAL ID, one concern is that the proposed security features "get so watered down it becomes a farce, because in the end it is not any more secure than it is today," Cope said. "Technology choices must be made in the context of policy goals, and if the technology choice does not achieve the aim of the policy, it is a poor choice."
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.