On the one hand, experts would say that the development and roll out of the Transit Workers Identity Cards (T.W.I.C.) and the Common Access Credential (C.A.C.) are sailing along and show how our post-September 11th security is being strengthened. Yet, there continue to be publicized issues concerning the effectiveness of these programs, as well as the technologies deployed. Further, even if the federal identity credential programs are actually “on track,” questions about the implementation of the Real ID Act of 2005 on a state and local level remain (more detailed discussion below). Specifically, the estimated costs to the states to implement the Real ID Act of 2005 exceed $11 billion. A number of states are balking at this new pass along mandate. Beyond that, some people question the privacy of such steps. Add to that the on-going debate about the format that the RFID (Radio Frequency Identity Chip) should take in the new e-passports and you have quite a mixed picture. Is a National ID card in our future? If it is, whose version will win out?
What is all of the controversy over? To an extent, it probably all comes down to money. But this battle (or perhaps, better, a debate) is both a matter of National Security and a question of two separate technological approaches to providing secure identification cards for travelers and workers.
Of course, the stakes are quite high, not only from a security point-of-view, but also because of the massive amounts of money being spent,(past, current and projected into the future). According to an industry report from Morgan Keegan written in 2005, the estimated size of the market for tracking and identifying individuals was approximately $5.8 billion, projected to grow by approximately 22% annually and reaching $10.7 billion by 2007. The report projected the demand for ID documents to grow by more than 40% annually.
So, what are the questions about the TWIC? According to a recent article in Washington Technology, Error rates cause havoc for TWIC roll-out
Two problems are paramount. First, there are worries that TWIC smart cards, which use a personal identification number and must be inserted into a reader, won’t work properly in the harsh, salty air of marine environments. DHS officials, in response, withdrew the card readers from the initial TWIC deployment. They now are working with industry and port authority officials to develop standards for contactless TWIC readers to avoid the problems of corrosion from salt air and water.
Second, serious concerns are surfacing about the 1 percent system error rate inherent in FIPS (Federal Information Processing Standards Publication) 201. That figure reflects a 1 in 100 false acceptance rate, and 1 in 100 false rejection rate. Those rates are published in the National Institute of Standards and Technology’s Special Publication 800-76, incorporated in the FIPS 201 standard.
What does this mean? Compliance with the FIPS 201 standard (1% error rate) might have no appreciable impact when a single worker is attempting to access a building. However, that same error rate when applied to port facilities could lead to havoc and significant delays (consider a facility processing 300 trucks per hour therefore having to deal with three errors during that single timeframe). Reference should also be made to the related HSP 12 (Homeland Security Directive 12 – “Policy for a Common Identification Standard for Federal Employees and Contractors”).
"We've got vehicles backed up five to seven deep, so you'd have to pull someone out of line and let them through, because you cannot back out. And some of the ports have only one lane," said Lisa Himber, vice president for the Maritime Exchange for the Delaware River and Bay. "We'd certainly be concerned about the potential for a lot of false reads, and one in 100 is a pretty large number."
Additionally, the Department of Defense is in the process of rolling out its Common Access Card (C.A.C.). Many people believe that the C.A.C. came about as a result of September 11th, and yet the original forms of the C.A.C. were released in early 2001. The existing C.A.C. covers all Department of Defense “populations and has a multiplicity of uses:
· As the identity card for all DoD personnel.
· As the Geneva convention card for Active Duty military and other OCONUS personnel.
· As the benefits and privileges card for Uniformed Services and DoD Civilian personnel.
· As an ePurse for cashless transactions, which was evidenced in a recent pilot between DMDC, the U.S. Treasury, and the Marine Corps.
· For logical access to DoD networks, websites, applications, and computers. Also, the CAC will enable logical access to other Federal resources that are interoperable with FIPS 201.
· For physical access to DoD facilities and bases worldwide. Also, the CAC will facilitate physical access to other Federal installations that are interoperable with FIPS 201.
· For non-repudiation to promote data and information sharing.
· To digitally sign e-mail and other electronic forms for paperless office transactions.
· To encrypt e-mail and other documents for security and privacy purposes.
· To authenticate to multiple data sources through backend transactions, which is the real power of the CAC. The use of the credential plus multi-factor authentication promotes more efficient information sharing and more secure collaboration.
· To protects the release of private information. Personal information cannot be accessed on the chip without the cardholder providing his/her PIN.
Before going on to the discussion of contact versus contactless identity credentials, one additional piece of information should be known:
The next generation CAC, which will roll out by Oct. 27, will be a dual interface card containing both contact and contactless technologies. Contactless pilots are in place in different parts of the country with different areas of the armed services testing the technology in CAC environments.
The card will contain two fingerprints, a photograph, and the cardholder unique identifier (CHUID), she said. It will also allow for electronic signature verification.
But not everyone will be credentialed immediately. It will take three years–the card's specified lifespan–before everyone enjoys the benefits of the dual interface CAC, says Ms. Prince. "We have a legacy system and we're not going to flip to the new one right away. As your card expires you'll get a new card."
"We see the contactless technology revolutionizing the physical access component of the card, while the contact side will continue to be used for logical access," she said. "What we'll see is a flattening of physical access options. They will become more standard. The key is interoperability, utilizing the CHUID."
This means that the combination of the contact and contactless technologies would enable the use of the same credential at one facility where different levels of identity authentication was warranted. At the front gate, it might be possible to simply “wave” the card in front of a reader (contactless) while further into the facility, it might be required for the credential holder to either enter a PIN code, or slide the card through a reader (contact) (or both).
Now, onto the controversy: between Contactless and Vicinity (Contact) Read Cards. While this discussion relates to the planned passport, the parallels are direct. Recently, the SmartCard Alliance responded to the Department of State Federal Register Notice, “Card Format Passport; Changes to Passport Fee Schedule”
The Department of State published a Federal Register notice on October 17, 2006, announcing the technology chosen for the proposed new passport card that is planned to be issued as part of the Western Hemisphere Travel Initiative. This notice states that the proposed passport card would use “vicinity read” radio frequency identification (RFID) technology that conforms to ISO/IEC 18000-6, Type C, “Radio frequency identification for item management–Part 6,” rather than the ISO/IEC 14443-based “proximity read” secure contactless smart card technology that is being used for the new electronic passports (ePassports).
We believe that vicinity read RFID technology is inappropriate for implementing a secure identification card that is used to verify a citizen’s identity. Our concerns are that the passport card decision to use vicinity read RFID technology does not consider the following issues:
1. Lack of Security Safeguards.
2. Potential for Tracking and Citizen Distrust.
3. Expansion in the Number of Unique Identity Documents and Required Border Infrastructure.
4. Reliance on Real-Time Access to Central Databases and Networks.
5. Questionable Throughput Expectations for Proposed Operational Scenario.
6. Operational Issues with Vicinity Read RFID Tags in Vehicles.
7. Inadequate Open Discussion of Implementation Approach.
Details and a complete download of the response from the SmartCard Alliance can be found here
Other related articles on this subject can be found here:
Smart Card Alliance Criticizes Passport Card Plans
Contactless technology seen as safer, more private than RFID
Alliance Criticizes RFID Passport Card Plans
Contactless technology seen as safer, more private than RFID
Industry group asks gov to reconsider RFID as Pass Card technology
This overview of the issues relating to these identity card programs can conclude with a discussion of the controversies surrounding the implementation of the Real ID Act of 2005. What is it (if you didn’t read the Wikipedia article on the subject? In one big nutshell, the Real ID Act 2005, one of the responses to the attacks of September 11th is an overt step toward a National Identification Card in the United States. This is a pretty decent overview of the Act, FAQ: How Real ID will affect you from CNET News and written about a year-and-a-half ago.
Once (and if) you overcome the angst of whether the United States should have a National ID Card, which could end up being a uniformly configured drivers’ license, the issue today is the costs of implementing the Act, which will be borne by the individual states. That is where the estimated $11 billion comes in, and it could be more. To start the confusion, you can look at this summary exhibit from the National Conference of State Legislatures
On May 11, 2005, President Bush signed into law the “REAL ID Act of 2005,” which was attached to the “Emergency Supplemental Appropriation for Defense, the Global War on Terror, and Tsunami Relief, 2005” (H.R. 1268, P.L. 109-13). Title II of REAL ID—“Improved Security for Driver’s License’ and Personal Identification Cards”—repeals the provisions of a December 2004 law that established a cooperative state-federal process to create federal standards for driver’s licenses and instead directly imposes prescriptive federal driver’s license standards.
Senators Threaten To Repeal Real ID Act Unless Changes Are Made
The lawmakers are likely to take the issue up again during the 110th Congress. Sen. Daniel Akaka, a Hawaii Democrat, and Sen. John Sununu, a New Hampshire Republican, are pushing for individual privacy protections and lower costs for state governments. If the Department of Homeland Security will not agree to changes that reduce the burden on state governments and increase privacy protections for citizens, Akaka said he would try to have the national ID law repealed.
He pointed to a study by the National Governors' Association that concluded states would have to spend $1.42 billion to meet the act's requirement that state governments electronically verify all documents people use when obtaining drivers licenses. A re-enrollment requirement would cost about $8 billion in five years, he said. The whole program would cost $11 billion, according to the governors' association.
"In addition to the cost imposed on states, Real ID imposes an unrealistic timeframe," he said. "Under the law, states must have Real ID compliant systems in place by May 2008. Yet implementing regulations have not been issued."
That's because states would have to adopt new electronic systems for verifying documents like birth certificates and would have to link those systems to other states to meet requirements for residents born elsewhere. The act would hinder or entirely stop online and mail order renewals, creating backups at motor vehicle departments, Akaka said.
Passing the costs of the Real ID Act along to the states is a problem. Even if the ultimate solution is to use the drivers’ licenses as a uniform identification card, the costs of compliance with the Act will be borne by the states. Many people do not realize that drivers’ licenses are not a profit center for the states, no matter how much we pay for renewals. Take a look at how much more you are already paying for your next renewal compared to your last. Chances are that it might have even doubled. That is the cost of better security (not necessarily foolproof or forge proof security). The other pressing issue connected to the Real ID Act is privacy (what information is being collected, how is it treated, where and how is it stored). As could be expected, the Department of Homeland Security’s position is that the Act protects privacy.
From the same article:
"Despite these obvious threats to Americans' privacy, the Real ID Act fails to mandate privacy protections for individuals' information nor does it provide states with the means to implement data security and anti-hacking protections that will be required to safeguard the new databases mandated by the Act," Akaka said.
The equation consists of security and privacy and costs. Those are the issues. How much security do you want (or do we need) and is there a trade-off with privacy? Is it worth it? These are personal value judgments. Pragmatically, the question is who will pay for it? At this point, from top to bottom, from federal to state level, there still seem to remain an awful lot of questions.