
Executive Director's Letter
Dear members and friends of the Alliance:
A phrase that is commonly used in the mainstream media to refer to the government’s actions in the Middle East is that “the United States is engaged in a fight for the hearts and minds of the citizens of Iraq,” so as to win them over to our government’s view of freedom. Likewise, I find the smart card industry engaged in a similar battle for the hearts and minds of the citizens of this country over their concerns for security and desire for privacy – and the appropriate application of technology to achieve both. Since anyone who reads a newspaper or watches television news magazines and the evening news knows that bad news stories outnumber good news stories by a wide margin, it can be expected that news stories about security and privacy-related topics will also focus on the bad rather than the good.
An example of this occurred last Friday when the ABC News show “20/20” did a story about identity theft. The segment began by talking about credit card thieves using pocket card readers to skim credit card numbers from unsuspecting consumers’ cards and then selling them on the Internet. That is a well known problem, but did the reporter use the opportunity to present a solution to this type of identity theft? No, that would turn a bad story into a good story. Instead of pointing out how new contactless credit cards help prevent this type of fraud by generating a unique number each time they are read by a point-of-sale terminal and by allowing cardholders to keep control of their cards instead of handing them over to the clerk to be swiped, the story goes down a “more bad news” track. The reporter brings up RFID technology from ExxonMobil Speedpass as the “next step in high-tech” payment that “makes life easier for the crooks.” Avi Rubin from Johns Hopkins is then interviewed to explain how his lab cracked the encryption in Speedpass so that, in theory, a thief could read a tag inside someone’s pocket and copy the ID number. And, since Rubin refers to all RFID as one common technology, he falsely concludes that “this new technology” (implying RFID with the same weak encryption, static account number, and lack of anti-tampering features) will be spreading to everything from regular credit cards to passports, putting all of our personal information at risk.
We, the Smart Card Alliance, will take the necessary steps to contact the reporter, correct the facts, and ask for a correction. But in the battle for the hearts and minds of the citizens, it appears that this battle, like the one in Iraq, will have no smell of victory any time soon. I did find one enlightened reporter, Laurie Sullivan, a writer for CMP Media, who wrote an article entitled, How Long Until Every United States Citizen Has A Smart Card In Their Pocket?, and who asks the question “how long can we continue to use Social Security numbers and driver’s licenses for identification?” But, if you want to find good news about technology advances to improve security and privacy, don’t look to television news and newspapers.
It is not only the public’s heart and mind we are battling for, but also some corners of our Federal government as well. The Smart Card Alliance Identity Council recently published a position paper challenging the Department of Homeland Security’s position advocating EPC Gen 2 RFID technology over contactless (ISO/IEC 14443) chip technology for the proposed border crossing credentials that will be required by law for anyone returning from Canada, Mexico or the Caribbean and traveling without a passport after January 1, 2008. The paper advocates that DHS should put more emphasis on maintaining privacy and security for identity documents than on performance issues. Another Alliance public stand, this time at the DHS Data Privacy and Integrity Advisory Committee meeting in San Francisco in June, challenged a draft report by the Emerging Applications and Technology Subcommittee that proposed that DHS “disfavor” all forms of RFID – including secure contactless chip technology in the definition of RFID – on the premise that there was no good reason to use this technology for human identification. That subcommittee has received numerous public comments challenging its assertions and is expected to consider these comments before the final report and recommendations are published. Does anyone else see the irony of how one part of our government does the right thing to secure identities for millions of its own employees under HSPD-12, but doesn’t follow its own secure credentialing design for citizens crossing its neighbors’ borders?
The Smart Card Alliance has effectively shaped the hearts and minds of the people closest to the smart card industry by working together in small communities to educate and examine issues important to the stakeholders in each of our vertical markets. This is what our industry councils continue to do, with a great deal of success. For example, the Contactless Payments Council reached outside of its council membership to issuers and merchants and formed an advisory group. This advisory group met in a roundtable discussion at the CardTech SecurTech conference in May and formed four work groups to discuss issues and gain consensus on what is needed to further contactless payment adoption at merchants and card issuers. With representatives from merchants like Smoothie King and Arby’s and issuers like American Express, Bank of America, Wells Fargo, and Peoples Bank joining in discussion with payments infrastructure and processing companies, the group achieved a new level of industry engagement. Such high level discussions among payments industry stakeholders are unique and one of the Alliance’s biggest strengths. Discover Financial Services recently joined the Alliance and will add even more valuable issuer perspectives to the work groups that have formed. Likewise, the Physical Access Council, Transportation Council, and Healthcare Council are doing similar industry-building work that deserves much more detail than can be addressed in the limited space of this letter. I call your attention to the From the Alliance Office section of this newsletter where the great work of each council is summarized. Better yet, send me an email and sign up to participate in one or more of these councils. There is a group for every interest.
And for anyone who has spent the last few months under a rock or is totally out of touch with the market, the merger of Axalto and Gemplus was completed this month and the era of an exciting, new mega-organization, Gemalto, has begun. Gemalto will be featured in the July issue’s Member Profile.
On a final note, mark your calendars for the 2006 Fall Annual Conference, October 3 – 6, 2006 in San Diego, CA. Registration will open in July and more details about the conference program will be available over the summer. Enjoy the start of Summer 2006!
Randy Vanderhoof, Executive Director
