At the Smart Card Alliance Annual Conference, government identity
management programs took center stage as the Alliance kicked off its
conference, which took place last week at the Boston Marriott Long
Wharf.

Critical security initiatives have now entered the issuing phase and
over the next year will put millions of smart card-based IDs in the
hands of all maritime workers at the nation's seaports and all federal
employees, program managers told conference attendees Tuesday. And the
Registered Traveler program is now speeding frequent flyers through 12
airports nationwide, with more coming.

These and other highlights from conference speakers include:

Transportation Worker Identification Credentials (TWIC)

The Transportation Security Agency (TSA) and U.S. Coast Guard plan to
issue secure Transportation Worker Identification Credentials (TWIC) to
750,000 maritime workers and merchant mariners at U.S. seaports took a
big step forward.

"As of 9 am this morning our enrollment website was up, and real
workers at the Port of Wilmington can begin the process of applying for
the TWIC card," John Schwartz, assistant director of the TWIC Program
Office announced yesterday. With credential issuing at this first port
fully underway starting next Monday, TSA plans to move fast. "Our goal
is to have 50 major ports up and running by January," Schwartz said.
TSA plans to have all of the TWIC credentials issued within 15 months
of this initial rollout.

The smart card-based TWICs are tamper-resistant biometric credentials
containing the worker's fingerprint template to allow for a positive
link between the card itself and the individual. Embedded in the card
is a dual interface microprocessor chip, a small computer chip that can
be read by either inserting the card in a slot in a "contact" card
reader or by holding the card within 10 centimeters of a "contactless"
card reader.

"The TWIC program, like the U.S. electronic passport program, is an
excellent example of using smart card technology in a way that provides
high security and protects personal privacy at the same time," said
Randy Vanderhoof, executive director of the Smart Card Alliance.

Due to the harsh maritime environment, program managers wanted to use
secure contactless technology for better reliability of cards and
readers. At the same time, they wanted a high level of personal
security. The solution was to encrypt the contactless transmission of
the biometric template from the TWIC card to the reader.

The program is being implemented in two parts, first getting ID cards
issued and then deploying readers at entry points to the ports. The
next step is to pilot test readers in labs, with full operational tests
planned for mid 2008.

GSA Shared Services and HSPD-12

As federal agencies come to grips with the reality of issuing PIV-II
smart cards to comply with the looming HSPD-12 deadline, the shared
services option developed by the General Services Administration has
won a lot of recent converts--67 federal agencies representing 860,000
federal employees and contractors to be exact, according to Michael
Butler, program manager for the project. GSA branded the program
USAccess.

After making a contract award in April, the GSA began issuing cards in
September. The program is on track to issue hundreds of thousands of
cards in the coming year and meet the program's deadlines, Butler said.

"In little over four months GSA stood up this program and is now
issuing cards," said Vanderhoof. "It's a real achievement and a
testimony to GSA's partners and their team."

Pooling demand under a shared services contract benefited government
agencies in terms of cost and investment, Butler reported. The GSA
charges a $49 initial cost for PIV-II credentials, with an ongoing $3
per month infrastructure support cost.

"People are starting to get excited and ask what they can do with smart
cards," said Butler. For example, the USDA recently demonstrated to him
how newly issued PIV credentials can provide employees with a single,
secure login to five different applications their employees routinely
access. Until now, each application required a different user name and
password, a real burden for users. "To see that demo from an agency
that just got started is really a big deal," said Butler.

An estimated 1.8 million federal employees will get the new
credentials, excluding the Department of Defense whose employees
already have the smart card-based Common Access Card identity
credential. Both programs deliver more secure credentials for
identification, access to facilities and information system access.

Registered Traveler Takes Off

Want to get through airport security lines in 10 minutes or less?
That's exactly what the smart card-based Registered Traveler expedited
security lane access program delivers to America's frequent flyers.

"The actual time is two or three minutes right now in most airports,
because the program is still new and not that many people are in the
lines," said Bryan Ichikawa, solutions architect for Unisys, one of the
system integrators providing Registered Traveler systems.

With 12 airports already live including JFK, Newark, San Francisco and
San Jose, and other large airports expected soon including Dulles,
Regan and Denver, the program has real momentum across the United
States.

Privacy Advocates and Alliance Agree: RFID in Driver's Licenses Bad Idea

State plans to add RFID technology to driver's licenses "create border
security and personal privacy concerns for citizens," said Neville
Pattinson, vice president government affairs and standards for Gemalto
North America and chair of the Alliance Identity Council. At issue is
the fact that the RFID technology currently recommended by DHS for
border crossing security "transmits an ID number 30 feet with no
security basically, and it can be cloned easily, as we demonstrated on
Capitol Hill recently. That's why we've been positioning secure
contactless smart card technology as a better alternative," said
Pattinson.

The Center for Democracy and Technology (CDT), a public interest,
public policy not for profit organization focused on civil liberties
and technology policies, has developed guidelines for privacy and
security. Not surprisingly, the organization's views and those of the
Smart Card Alliance align very closely on the subjects of privacy and
security for technology choices in identity programs, and on the
problems caused by using RFID technology for government issued identity
credentials.

Sophia Cope, staff attorney and Ron Plesser Fellow for CDT, presented
the organization's recommended guidelines for privacy and security
sensitive policies, then went on to explain how DHS proposals for REAL
ID, WHTI PASS card and enhanced driver's licenses violated them.

"Decentralization is more privacy friendly than centralization," said
Cope, pointing out that the DHS proposals rely on a centralized
database. "Centralized identity systems can lead to commercial and
government abuse."

"Going back and slapping privacy and security on at the end will not be
as effective as designing it in from the beginning," said Cope. But,
she noted that is exactly what DHS is doing by proposing long range EPC
Global Gen 2 RFID tags for identity programs. "In the case of enhanced
driver's licenses, there has been no rule making at the federal level
and no privacy impact analysis as required by federal mandates," said
Cope.

Another consideration is notice. "DHS and Washington State are not
adequately educating citizens about risks of long range RFID," said
Cope.

As to REAL ID, one concern is that the proposed security features "get
so watered down it becomes a farce, because in the end it is not any
more secure than it is today," Cope said. "Technology choices must be
made in the context of policy goals, and if the technology choice does
not achieve the aim of the policy, it is a poor choice."

The Smart Card Alliance is a not-for-profit, multi-industry association
working to stimulate the understanding, adoption, use and widespread
application of smart card technology.