DHS plan to use RFID for PASS program sparks controversy
Decision allows border guards to screen travelers while they wait in line, but critics say privacy is at risk from digital pick-pocketers; DHS will issue protective sleeves, and no private information will be stored on the cards; Smart Card Alliance says the decision to store data on government computers magnifies, not mitigates, the risk
Last weeks’ DHS decision to use RFID instead of RF smartcard technology for its new PASS cards reignited the ongoing debate over privacy and the risk of digital pick-pocketing. The PASS cards, intended for use at border crossings, are the linchpin of the Western Hemisphere Travel Initiative and will be issued to American citizens crossing the northern and southern borders who do not have or wish to have a passport. DHS officials chose RFID, which has a longer range, because they wanted the ability to screen passengers while they waited in line to cross the border (RFID is also in use for the FAST, NEXUS, and SENTRI trusted traveler programs).Yet it is this same long range capability that has privacy advocates worried. After all, if DHS can read the data, so too can thieves.
That, at least, is the argument. In response, DHS has pointed out that not only will passengers be issued a protective sleeve for their wallet-sized PASS card, the card itself will not store any personal information. Instead, users will be issued an identification number that security officials will use to pull up information from internal networks, meaning that a thief could not learn anything useful unless he also had access to DHS computers.
Naturally, the Smart Card Alliance, an industry group advocating the widespread adoption of RF technology (as distinct from RFID), disagrees. “Using long range RFID technology is a major step backwards for government-issued identity credentials,” said executive director Randy Vanderhoof. “These RFID tags simply don’t have the security features necessary to protect the border and also maintain citizen privacy.” One problem, Vanderhood explains, is that because all of the passenger data will be contained on government servers, a security breach could have tremendous consequences. “The government does not have a good track record when it comes to managing and protecting databases, as evidenced by recent data breaches at the Department of Veteran’s Affairs,” said Vanderhoof. Even more disturbing, no third party standards body has been involved in defining the passport card program in order to develop specifications for how to protect and use information. Instead, the DHS is relying on private industry contractors to design, implement and operate the program. “They are going to be making it up as they go along,” said Vanderhoof.
-read more in this Government Technology report; read more in this Smart Card Alliance news release
