Smart Card Alliance Smart Card Talk
May 2006 • Volume 11 Number 5

Executive Director's Letter

Dear members and friends of the Alliance:

Cherry blossoms weren’t the only things emerging from a long dormant period and blooming in Washington, DC this spring. One of the longest-standing federal smart card identity programs, TWIC (the Transportation Worker Identification Credential program), has finally made its way out of the myriad political obstacles, government appropriations battles, program management reorganizations, and technical evaluations. It now appears ready to move forward, at least at seaports around the country. This week, the Federal Register posted the notice of proposed rulemaking from the Department of Homeland Security on behalf of the Transportation Security Administration and the U.S. Coast Guard. This notice describes the specific details for the program covering merchant mariners who require unescorted access to secure areas at maritime facilities and onboard vessels, requiring them to submit to a comprehensive criminal background check and apply for a FIPS 201-compliant TWIC smart card. The cost of the card will be $139, which includes the cost of the background check. Jack Schwartz, program manager for TWIC, spoke at the May IAB meeting and stated that the U.S. Coast Guard will start issuing cards by the end of 2006 and that an estimated 850,000 cards would be issued over an 18-month period. TSA expects to put out an RFP shortly for management of the TWIC program’s identity management backend.

 
With the Department of Homeland Security, you have to balance the positive with the negative when it comes to its far-reaching security initiatives. DHS has a number of different smart card-related initiatives floating around different sub-agencies within its massive organization. If the TSA TWIC rollout is one of the positives, then the US-VISIT’s proposed Western Hemisphere Traveler Initiative (WHTI) PASS card program can potentially be a negative. As I reported last month, Jim Williams, Director of the US-VISIT program, spoke at the Alliance’s Smart Cards in Government Conference and stated that DHS intended to use Electronic Product Code (EPC) Gen 2 RFID tag technology in the proposed “passport light” traveler card for citizens. Starting in January 2008, this card would be used by citizens returning from Canada, Mexico, Panama and the Caribbean to establish their identity if they did not have a U.S. passport. He cited the operational objective for reading these cards at a distance of up to 30 feet as the justification for DHS recommending the UHF RFID “vicinity” technology over the more secure contactless (ISO/IEC 14443) chip technology found in State Department-issued electronic passports, NIST federal standard FIPS 201-compliant federal employee ID cards, and the TWIC program sponsored by TSA, another DHS department. With deadlines approaching for a technology decision that would certainly raise privacy and data security concerns if implemented as planned, Congress rushed through a bill delaying the WHTI implementation timeline by 16 months, until June 2009, to give more time to review the impact of the traveler card on commerce.
The Smart Card Alliance Identity Council is working on a position paper it hopes to complete in a few weeks commenting on the WHTI project and recommending that DHS strongly consider secure, proven contactless smart chip technology instead of a long-range RFID technology that was never intended for use in personal identification cards.

 
Another DHS-triggered controversy emerged recently regarding RFID and its use within DHS-sponsored programs to identify and track individuals. A draft report, The Use of RFID for Human Identification, was released for public comment by the DHS Emerging Technology Applications and Technology Subcommittee of the DHS Data Privacy and Integrity Advisory Committee last week. The report broadly defines radio frequency technology by assuming that all types of RF-enabled technology are the same, and therefore summarily discards any value for its use in human identification systems, citing the security and privacy concerns that may result. In addition, the report, for unknown reasons, refers to DHS potentially using RFID technology for both identifying and tracking individuals. Since identification and tracking of individuals have very different connotations and require conscious policies to be put in place that will either protect or expose an individual’s private information, we were very concerned by their inclusion as combined purposes for the use of RFID throughout this report. The Smart Card Alliance submitted written comments on the draft report crediting the committee for being concerned about privacy and security but also criticizing the spirit and content of the report on the grounds of discrediting all uses of radio frequency technology without recognizing that there are major differences between RFID and contactless chip technology. We have asked to testify at the public hearing that the DHS privacy committee is holding on the report in San Francisco on June 7th.

 
Some additional good news involving DHS and smart cards is coming from the Office of National Capital Region Coordination and its First Responder Partnership Initiative. This program is advocating a first responder ID card, called FRAC (First Responder Authentication Card), that is leveraging the new federal standard FIPS 201-compliant identity card for use in emergency response coordination efforts among numerous first responder categories within federal, state, and local agencies. Under the DHS plan, all first responders will submit to background checks and identity vetting procedures defined by FIPS 201 and will be issued FIPS 201-compliant color-coded identity credentials that identify them as first responders at an emergency scene. This would get emergency personnel on the scene faster so that lives can be saved and infrastructure restored quickly in the case of a terrorist incident or natural disaster like Hurricane Katrina. What makes FRAC significant for our smart card community relative to other federal identity programs is that it focuses not only on an individual’s identity, but more importantly, on the individual’s attributes. In an emergency, it is more important to know what you are than who you are. Emergencies happen in remote locations and must depend on portable handheld identity verification devices with no online support. Having an identity credential that also says what attributes the individual possesses, such as firefighting, law enforcement, hazardous materials, medical, communications, public health, or emergency management skills, adds a valuable utility. FRAC demonstrates best why smart card technology is the only identity technology that works under these conditions and makes a strong case for why state governments need to be on the same identity platform as federal agencies.
It doesn’t stretch the imagination very far to see why states should start issuing FIPS 201-compliant identity cards across their organizations as well. The state-level departments that are most equipped to manage identity documents today are the same departments that issue driver’s licenses. REAL ID skeptics about the value of having smart card-equipped driver’s licenses - are you paying attention?!!

 
A final bit of government news that I picked up recently has to do with the timelines for HSPD-12 implementation. In what was referred to as a “pre-decisional vision” (very creative term for “this might happen”), it was announced that federal agencies that choose to join in a shared services approach for issuing PIV cards may NOT have to begin issuing FIPS 201 end state PIV cards by October 2006. Since the infrastructure for a government-wide shared services model does not exist today, agencies may be excused from meeting the same deadline that other agencies issuing their own PIV cards must meet. Such “pre-decisional vision” statements are further evidence of a government-wide enterprise struggling to hold together a confederation of conflicting priorities among controlling agencies as the clock continues to count down.

 
I’ll conclude with a quick wrap-up on the CardTech SecurTech Conference held in San Francisco this month. Despite moving the venue from New Orleans after Hurricane Katrina, the CTST conference was bigger and better attended than any recent conferences. With the conference clearly shifting toward emphasizing payments markets and emerging mobile technologies rather than focusing on government and security, I felt that there was a new energy and buzz around the event. The paid conference program attendees came out in big numbers to support the Smart Card Alliance Foundations in Card Technology for Payments workshop, filling the all-day session with over 200 attendees. And despite the downsizing of some of the exhibits, the number and quality of the exhibiting companies were excellent. The huge success of the Smart Cards in Government Conference in April and the big turnout for CTST only two weeks later show that the North American smart card market is alive and thriving. It’s not too early to start thinking about the next big event, the 2006 Smart Card Alliance Annual Conference, October 3–6, at the Hyatt Regency La Jolla in San Diego. Like Miami last year, this promises to be another great conference.

Randy Vanderhoof, Executive Director

Copyright 2006-2007· Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550
Phone: (800) 556-6828 info@smartcardalliance.org · www.smartcardalliance.org