Government in the Cards
Government identity management programs took center stage at the Smart Card Alliance just weeks ago. Critical security initiatives have now entered the issuing phase and over the next year will put millions of smart card-based IDs in the hands of all maritime workers at the nation’s seaports and all federal employees. It’s the biggest boost to the smart card industry in the U.S.
And the Registered Traveler program is now speeding frequent flyers through 12 airports nationwide, although the takeoff of the program has been slow.
The Transportation Security Administration (TSA) and U.S. Coast Guard plan to issue secure Transportation Worker Identification Credentials (TWIC) to 750,000 maritime workers and merchant mariners at U.S. seaports took a big step forward this week.
“As of (now), real workers at the Port of Wilmington began the process of applying for the TWIC card,” John Schwartz, assistant director of the TWIC Program Office told attendees at the Alliance event.
The smart card-based TWICs are tamper-resistant biometric credentials containing the worker’s fingerprint template to allow for a positive link between the card itself and the individual. Embedded in the card is a dual interface microprocessor chip, a small computer chip that can be read by either inserting the card in a slot in a “contact” card reader or by holding the card within 10 centimeters of a “contactless” card reader.
“The TWIC program, like the U.S. electronic passport program, is an excellent example of using smart card technology in a way that provides high security and protects personal privacy at the same time,” Randy Vanderhoof, executive director of the Smart Card Alliance, told the Zalud Report.
Due to the harsh maritime environment, program managers wanted to use secure contactless technology for better reliability of cards and readers. At the same time, they wanted a high level of personal security. The solution was to encrypt the contactless transmission of the biometric template from the TWIC card to the reader.
GSA Shared Services and HSPD-12As federal agencies come to grips with the reality of issuing PIV-II smart cards to comply with the looming HSPD-12 deadline, the shared services option developed by the General Services Administration has won a lot of recent converts -- 67 federal agencies representing 860,000 federal employees and contractors to be exact, according to Michael Butler, program manager for the project. GSA branded the program USAccess.
After making a contract award in April, the GSA began issuing cards in September. The program is on track to issue hundreds of thousands of cards in the coming year and meet the program’s deadlines, Butler said.
Pooling demand under a shared services contract benefited government agencies in terms of cost and investment, Butler reported. The GSA charges a $49 initial cost for PIV-II credentials, with an ongoing $3 per month infrastructure support cost.
“People are starting to get excited and ask what they can do with smart cards,” said Butler.
Registered Traveler Takes OffWant to get through airport security lines in 10 minutes or less? That’s exactly what the smart card-based Registered Traveler expedited security lane access program delivers to America’s frequent flyers.
“The actual time is two or three minutes right now in most airports, because the program is still new and not that many people are in the lines,” said Bryan Ichikawa, solutions architect for Unisys, one of the system integrators providing Registered Traveler systems.
State plans to add RFID technology to driver’s licenses “create border security and personal privacy concerns for citizens,” said Neville Pattinson, vice president government affairs and standards for Gemalto North America and chair of the Alliance Identity Council. At issue is the fact that the RFID technology currently recommended by DHS for border crossing security “transmits an ID number 30 feet with no security basically, and it can be cloned easily, as we demonstrated on Capitol Hill recently. That’s why we’ve been positioning secure contactless smart card technology as a better alternative,” said Pattinson.
The Center for Democracy and Technology (CDT), a public interest, public policy not for profit organization focused on civil liberties and technology policies, has developed guidelines for privacy and security.
Sophia Cope, staff attorney and Ron Plesser Fellow for CDT, presented the organization’s recommended guidelines for privacy and security sensitive policies, then went on to explain how DHS proposals for REAL ID, WHTI PASS card and enhanced driver’s licenses violated them.
“Decentralization is more privacy friendly than centralization,” said Cope, pointing out that the DHS proposals rely on a centralized database. “Centralized identity systems can lead to commercial and government abuse.”
“Going back and slapping privacy and security on at the end will not be as effective as designing it in from the beginning,” said Cope. But, she noted that is exactly what DHS is doing by proposing long range EPC Global Gen 2 RFID tags for identity programs. “In the case of enhanced driver’s licenses, there has been no rule making at the federal level and no privacy impact analysis as required by federal mandates,” said Cope.
As to REAL ID, one concern is that the proposed security features “get so watered down it becomes a farce, because in the end it is not any more secure than it is today,” Cope said.