Alliance Activities : Publications : Border Identity Technology

The Consequences to Citizen Privacy and National Security in Adopting RFID Technology for Border Crossing Identity Documents

The Department of Homeland Security (DHS) is currently promoting the incorporation of radio frequency identification (RFID) technology in several border crossing documents that will be used to verify the identity of citizens re-entering the United States. The Smart Card Alliance Identity Council developed this white paper to discuss the security, privacy and operational issues with using RFID in human identification systems. The paper provides an overview of the use of RFID for supply chain applications, describes how RFID is proposed to be used in the DHS program, identifies key vulnerabilities with RFID systems that could be exploited, and proposes an alternative secure smart card-based solution for these border crossing identity programs.

RFID in the Supply Chain

Many people reading this white paper will already be familiar with RFID devices. These simple low-cost tag devices are positioned to revolutionize the supply chain by providing up-to-the-minute tracking information about the location of the products to which they are attached. As the RFID tags make their way through the product manufacturing and distribution system, readers at key locations can interrogate the tag and hence follow the associated products’ progression. Each tag is created with one mission in mind: to faithfully transmit the tag’s unique serial number to the surrounding vicinity each and every time the tag is stimulated by a suitable RF source.

During the design of this simple architecture for RFID tags, there was no need to give significant thought to the security, privacy or confidentiality of the tag’s ID number nor was consideration given to what the tag was going to be attached. After all, the tag merely provides basic identification information to a specific tracking system. In order to be meaningful, the back-end system must contain the information which ties each specific tag to information about what it has been attached to and where it is now located.

This is the basis of a fundamental architectural problem if RFID technology is applied to applications outside of its original design.

RFID and Human Identity Applications

Consider the following evolution of an application using the RFID tag system design. This time, the same RFID tag is given to a human for identification purposes. The tag is able to faithfully transmit its unique number each time it is stimulated, in some cases up to a designed distance of 30 feet. An identification system would register the presence of the RFID tag’s number and use it to index directly into a central database containing the enrolled identities of the tag holders. By using only the tag’s unique number, a corresponding database entry would be accessed which provides some personal identifying information of the tag holder.

This application of RFID tags seems reasonable. Assign a unique tag for each identity; present the tag and the corresponding identity record is retrieved. No actual personal identification information is contained in the storage-restricted tag. Without automation for identity verification, the system will obviously rely on a visual and potentially verbal human verification process between the tag holder presenting the tag and the person attempting to verify identity.

Unfortunately there are several privacy and security shortcomings to this approach. One such vulnerability arising from this technology is directly related to the fundamental RFID card architecture. RFID tags transmit the tag number “in the clear,” even if a password is required to read the tag. This exposes the tag number to interception during wireless communications. Once the tag number is intercepted, it is relatively easy to directly associate the number with an individual. This enables tracking an individual surreptitiously. Another privacy issue concerns the ability for an impostor to assume a genuine identity by cloning a person’s RFID tag. If this is done, then it is possible to make an entire set of movements posing as somebody else without their knowledge. A further privacy concern is associated with maintaining all of the identity information in a centralized database and assuming the information will remain accessible to only authorized individuals.[1]

RFID Use in Border Crossing Documents: Issues and Vulnerabilities

DHS is currently promoting the use of RFID tags for several citizen identification programs. The Western Hemisphere Travel Initiative (WHTI) passport card (or PASS card), which is being positioned as a land border crossing citizen credential as an alternative to a Department of State issued passport, intends to incorporate RFID technology. A second related program, the emerging enhanced driver’s license is also slated to incorporate the same RFID technology. The DHS claim that RFID technology is secure and reliable continues to influence states to accept the technology, regardless of the risks outlined in this paper.
RFID technology cannot provide the necessary security to protect our borders. The proposed RFID technology does not include appropriate or adequate privacy safeguards for U.S. citizens. RFID technology has been designed for warehouse supply chain and inventory management applications [2]–i.e., tracking pallets, tubes of toothpaste and dog food–not for human identification card applications.
The RFID technology proposed for the enhanced driver’s license does not have any security features which protect the transmitted information. Because there is no security designed into the chosen RFID tags, tags can easily be copied and duplicated (as demonstrated recently by the Smart Card Alliance and Secure ID Coalition on Capitol Hill) to create fraudulent driver’s licenses and border crossing documents. Adding external paraphernalia to the card (i.e., a protective RF sleeve) will not solve the national security threat that RFID technology poses when used for human identification purposes.

As proposed by DHS, the simple RFID-enabled land border identity cards have many vulnerabilities and will be open to attacks from hackers, identity thieves and possibly even terrorists. Such attacks include skimming, cloning and denial of service. DHS is aware of these potential attacks and corresponding vulnerabilities, but has decided to proceed without addressing them. The DHS objective appears to be the rapid implementation of the WHTI program in accord with their legislative mandate, regardless of the risks to the nation inherent in their technology selection.

There are some further issues in specifying this technology in the current environment.

There are several other areas where testing might be expected to reveal issues.

The long range nature of the RFID tag introduces exploitable system vulnerabilities.

Additional attacks are enabled by the vulnerabilities inherent in the RFID technology.

Alternative Solution for Secure Border Crossing Documents

There are already several identification card programs in use within the Federal government today that satisfy the tough challenges of enhancing security, protecting privacy and facilitating fast throughput. One only has to look at the implementation of secure RF identification technology in the Department of State’s ePassports and FIPS 201 Personal Identity Verification (PIV) cards being issued to Federal employees and contractors for shining examples of how to protect privacy, verify identity, and electronically authenticate the document along with its bearer. The ePassport and PIV card carry the entire identity credential electronically, facilitating offline identity authentication using the ID.

Understanding that DHS has architected a border crossing solution using a passport card with a simple RFID tag number that is linked with the citizen’s identity information maintained in a central database, the Smart Card Alliance recommends an alternative secure solution:

Use an inexpensive ISO/IEC 14443 proximity contactless smart card that supports secure transmission of the tag number during wireless communications. In addition to secure transmission, this secure contactless technology can also be used to electronically authenticate the ID.

Secure contactless smart cards are already widely used in transportation applications such as ticketing, contactless credit and debit cards, and secure physical access applications. These cards do not have to carry the full identity credential, just the database index number (the tag number) as desired by DHS. Yet they are capable of ensuring the confidential communication of the number between card and reader, reducing the risk of cloning and counterfeiting. Being proximity-based (4-inch range), a reader can be mounted by the side of the border crossing lane which will allows the card(s) to be ‘tapped’ to register the citizen(s) prior to pulling up to the CBP agent. A second benefit of this fully secured transmission capability is the elimination of the RF shielding envelopes that are being proposed to counter the weaknesses of long-range RFID-based vicinity tags (30-foot range).


The Smart Card Alliance is very concerned about a potential backlash and public outcry resulting from citizen identification applications that do not incorporate the necessary security features to protect the identity information and privacy of the cardholder. There is a simple solution to this problem that can avoid citizens from being put at risk. The solution requires using the more sophisticated smart card technology that can incorporate critical security features including shorter read-range of the card, encryption, and electronic authentication of the document, as well as more likely being able to support security technologies specified in the future. Smart card technology would not impede or slow down border crossing applications and would be a valuable aid to the CBP officer in verifying identities. The challenges of reliably reading a number of long-range passive RFID tags that are held within vehicles will make it difficult for DHS to realize the efficiencies assumed for the currently-selected vicinity-read RFID technology.

The Smart Card Alliance strongly recommends that DHS and border states contemplating the issuance of an enhanced driver’s license incorporating passport card functionality consider doing so in a pilot using smart card technology. This pilot could use the same database pointer architecture previously defined for the passport card, but use a secure smart card chip to store the unique citizen identifier. Such a pilot would provide a factual basis for comparing the relative operational efficiencies of RFID and smart card technologies in a system that adequately protects citizen privacy and enhances border security.

PASS cards: Smart card technology is better than RFID


[1] Documented cases of database breaches can be found at

[2] Intermec, Supply Chain RFID: How It Works and Why It Pays.

[3] DHS Data Privacy & Integrity Advisory Committee, The Use of RFID for Human Identity Verification, December 6, 2006

[4] Washington Post, Computer Glitch Causes Delays at LAX, August 12, 2007

About the Smart Card Alliance Identity Council

The Smart Card Alliance Identity Council is focused on promoting the need for technologies, legislation, and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud, and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.

Click here for additional information about the Identity Council.