Smart Card Alliance opposes RFID-based enhanced driver's licneses

DHS has cooperated with several states, including Arizona, Vermont, and Washington, to launch programs to develop and issue enhanced state driver’s licenses that could be used as acceptable alternative documents for crossing the U.S. land and sea borders. The Smart Card Alliance says that it has serious privacy and security concerns for U.S. citizens participating in these programs based on the direction DHS has been recommending for the enhanced driver’s license technology. The alliance says it suppports state efforts to boost security at borders while facilitating trade and tourism, but that it also believes that ensuring the privacy and security of U.S. citizens is a primary requirement and that the technology chosen for an enhanced driver’s license must also address this critical privacy requirement.

The interesting thing is that among members of the alliance are companies associated with each of the two contening tehcnologies at the heart of the debate over border crossing cards. Some of the alliance members provide the technology favored by DHS — long-range radio frequency identification (RFID) products; other members provide the technology the alliance itself recommends — the secure RF contactless smart cards. Even as manufacturers of RFID, the alliance attests to the fact that long-range RFID, the most likely technology to be selected by DHS, is an inappropriate technology for human identity documents.

Within the Western Hemisphere Travel Initiative (WHTI) specification and in the Washington and Arizona enhanced driver’s license projects, DHS has proposed a long-range vicinity-read RFID technology solution. This proposal raised serious privacy, security, and operational functionality issues among industry experts in responses to the Department of State’s Federal Register Notice for the WHTI passport card. Industry concerns include:

— Lack of strong cryptographic features in long-range RFID-based cards, making it relatively easy for criminals to read the unprotected, static citizen identifiers from the cards and create fraudulent documents

— Reliance on real-time access to central databases and networks in order to verify every individual’s identity, leading to vulnerabilities to infrastructure failures and attacks or to network and system security breaches

— Challenges of reliably reading large numbers of long-range RFID tags at crowded border crossing points, making it unlikely that desired operational efficiencies will be achieved

— The ability for criminals to use inexpensive long-range RFID readers to detect the citizen’s electronic identity from a distance, putting U.S. citizens carrying the enhanced driver’s license at risk of having their movements tracked

Note that recent Government Accountability Office (GAO) reports have identified both performance and security issues with the DHS implementation of the US-VISIT program, which uses the same long-range RFID technology and architecture that has been proposed for WHTI-compliant documents. “The only broadly deployed, proven technology existing today that meets the objectives of increased border security, citizen privacy and efficient border crossing is contactless smart card technology — the technology that is being used for ePassport,” the alliance argues.

The Smart Card Alliance argues further that RFID technology was designed for automating the tracking of products and pallets through a supply chain, not for validating human identities. The alliance, therefore, urges states which are considering enhanced driver’s licenses programs to challenge the DHS-selected technology and consider contactless smart card technology instead.