Smart Card Alliance Smart Card Talk
August 2007 • Volume 12 Number 8

Executive Director's Letter

Dear members and friends of the Alliance,

This month’s news coming out of Washington really has me asking myself: “Is anyone really paying attention to what is happening?” As many of you know, we have consistently taken a very firm stance when it comes to discussing our Federal government’s role in defining new recommendations and security solutions to protect our borders and prevent the proliferation of weak identification documents and poorly designed identity systems from jeopardizing security and threatening citizen privacy. What was made public this month in two reports issued by the Government Accountability Office (GAO) makes our concerns about the risks associated with the ID itself seem insignificant. A much bigger cause for concern may be the administration of the credentials or the personal information databases they link to. For those unfamiliar with this government agency, the GAO is the investigative arm of the U.S. Congress and serves as a watchdog to report to Congress and the public on what federal agencies say they will do, and what they actually do.

The Smart Card Alliance position on identity credentials, which can be found in many different documents publicly accessible from the Alliance web site, applies to multiple DHS-led identity programs. These include the proposed REAL ID-compliant driver’s license; the PASS card to be used by citizens without passports who re-enter the U.S. at land and sea borders from Canada, Mexico, and the Caribbean; and the latest incarnation from DHS, the enhanced driver’s license that combines REAL ID and PASS card border crossing features into a state-issued driver’s license for border states (currently proposed in Washington, Vermont and Arizona). So as not to belabor the point raised countless times before, the preference publicly expressed in DHS documents currently defines long-range RFID technology as the machine readable technology (MRT) for PASS cards and enhanced driver’s licenses used as border crossing credentials (BCC) and 2D barcode as the common MRT for REAL ID-compliant driver’s licenses. Both MRT technologies are bad for security and bad for citizen privacy. (If you don’t understand why they are bad, you should read the Alliance’s Government position papers.) The Alliance has taken issue not only with the credentials themselves, but with the complete ecosystem that is yet to be defined, but that will one day support these inherently weak credentials.

The first GAO report, Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program, points out many flaws in the DHS implementation of US-VISIT program’s use of databases to manage sensitive, personally identifiable information.  This program encompasses the pre-entry, entry, status management, and exit of foreign national travelers who enter and leave the United States at 285 air, sea, and land ports of entry.  The GAO report states:

These weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information, including personally identifiable information, and disrupt the operations of the US-VISIT program. They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. These risks are not confined to US-VISIT information. The CBP mainframe and network resources that support US-VISIT also support other programs and systems. As a result, the vulnerabilities identified in this report could expose the information and information systems of the other programs to the same increased risks.

The weaknesses uncovered by GAO in DHS's management of sensitive data about foreign visitors accessible by employees involved with the US-VISIT program have to set off alarm bells for anyone who recognizes that similar databases have to be created and managed for the WHTI border crossing PASS cards to be used by U.S. citizens. Is anyone else asking these questions of our elected officials in Washington?

Even the ePassport, the one program that uses a secure credential, is not being used securely at U.S. borders. A second GAO report released this month, entitled BORDER SECURITY: Security of New Passports and Visas Enhanced, but More Needs to Be Done to Prevent Their Fraudulent Use, points out many shortcomings, including the fact that DHS has not followed through with implementing ePassport readers at border entry points. The GAO report states:

Officers in primary inspection—the first and most critical opportunity to identify fraudulent travel documents at U.S. ports of entry—are unable to take full advantage of the security features in passports and visas. These officers rely on both their observations of travelers and visual and manual examination of documents to detect fraudulent documents. However, the Department of Homeland Security (DHS) has not yet provided most ports of entry with the technology tools to read the new electronic passports and does not have a process in place for primary inspectors to utilize fingerprints collected for visas, including BCCs, at all land ports of entry. Moreover, DHS has provided little regular training to update its officers on the security features and fraud trends in passports and visas.

After the State Department invested hundreds of millions of dollars in new secure, smart card-enabled ePassports, border security officers are still looking at the pictures and visually checking the validity of the travel documents – the security equivalent of flashing your ID badge to the security guard as you report to the office.

More troubling is the response from a DHS official included in the report that seemingly discounts the need for more ePassport readers.  Instead of reading personal information from the chip, DHS is seeking expanded access to the government’s own passport application and issuance database to compare the passport holder’s photograph and biometric data stored in the database with the data “printed within the passport” - not the electronically stored, sealed and delivered electronic data file delivered electronically to a reader.  So much for binding the credential to the passport holder!  Instead, let's connect every border officer to the central State Department database and do everything online – holy database in the sky!

While no one seems to be listening to these alarm bells now, there's still time to affect these decisions and get policy makers to listen and do the right thing.  It's critical that we continue our efforts as an organization to communicate with and educate all of the stakeholders involved in implementing these programs.  Education is crucial!  With more and more knowledgeable people in the Federal government, other groups will start pushing for higher standards of privacy and security, such as GAO did in their recent reports.  Most critically, we must collectively continue to present the facts to the policy makers and architects of identity systems at DHS and get them to move past their 20-year love affair with RFID tagging technology and move on to technology that provides the security and privacy that our citizens and visitors deserve -- and should demand. 

If you want to hear more about the troubles with 2D barcode and REAL ID and find out what DHS thinks about smart cards, visit www.etopiamedia.net and listen to two interviews by Marc Strassman at Etopia News, including a long and somewhat rambling interview with me, followed by Marc’s interview with Darrel Williams, Director of REAL ID Policy Development at DHS. Marc may have a future on the investigative television news series, 60 Minutes.

Don’t forget – come to the Smart Card Alliance 2007 Annual Conference in Boston, October 9-11.

Randy Vanderhoof
Executive Director
rvanderhoof@smartcardalliance.org

 

Copyright 2006-2007· Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550
Phone: (800) 556-6828 info@smartcardalliance.org · www.smartcardalliance.org