The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Our organization includes as its members all of the identification application technology providers and all of the industry segments that use smart card technology, including twenty-two federal government and other non-federal agencies. Our organization invests heavily in education on the appropriate uses of technology for identification and strongly advocates the use of smart card technology in a way that protects privacy and enhances data security and integrity. To be true to these principles we must regularly educate potential users about the differences between secure chip technology and other forms of identification technologies like RFID, barcode, optical stripe, and magnetic stripe.
We first would like to commend DHS for the report's conclusion that DHS should consider best practices and implement specific safeguards for protecting the individual's privacy and for protecting the security of data used by the identity application in programs that identify and track individuals. It has been and still is the Smart Card Alliance's position that privacy and security need to be a priority for any identity system and that these need to be designed into the entire identity system, regardless of the technology used for the identity token itself.
We do, however, disagree with the report's conclusion to "disfavor" all RFID technologies for applications involving human identification. We believe that the report defines RFID too broadly and, therefore, this recommendation will unduly restrict appropriate and secure applications of smart cards with RF technology that can meet the strictest privacy and security requirements.
The report also uses the terms human identification and tracking interchangeably (for example, section IV is titled "The Legal Basis for RFID Use in Human Identification," but contains content describing human tracking) and assumes that an identification program using RF technology would be for both identification and tracking. We feel strongly that the report should not suggest that future DHS uses of technology for identifying human beings be linked to tracking human beings. The vast majority of identity applications do not track individuals, but have the goal to accurately and securely verify an individual's identity. These two applications of technology have very different purposes and require conscious policies to be put in place to protect the individual's privacy.
There is a wide range of RF technologies used for a variety of applications, each with different operational parameters, frequencies, read ranges and capabilities to support security and privacy features. For example, the RFID technologies that are used to add value in manufacturing, shipping and object-related tracking operate over long ranges (e.g., 25 feet), were designed for that purpose alone and have minimal built-in support for security and privacy. Contactless smart cards, on the other hand, use RF technology, but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip.
The contactless smart chip includes a smart card secure microcontroller and internal memory and has unique attributes other RF technologies lack, i.e., the ability to securely manage, store and provide access to data on the card, perform complex functions (for example, encryption and mutual authentication) and interact intelligently via RF with a contactless reader. Applications using contactless smart cards support security features that ensure the integrity, confidentiality and privacy of any personally identifiable information stored or transmitted, including strong information security, strong device security and the ability to support authenticated and authorized information access. Leveraging these capabilities builds privacy and data integrity into the entire identification system, not only the identity token itself. The new Department of State epassport is a good example of the use of contactless smart card technology in a secure identity application. The contactless chip embedded in the epassport securely stores the individual's personal information, supports secure authenticated access to that information and allows the new security functionality to be manufactured in the international passport book form factor.
The report, as currently written, presents general conclusions and assessments of RFID without taking into account the differences in RF technologies used in identity applications. The Smart Card Alliance recommends that DHS include these differences clearly within the report and conduct separate analyses of contactless smart cards and longer-range RFID technology prior to issuing the final report. Presented in such a way, we believe that the report would support the conclusion that both contactless and contact smart cards perform better than other digital technologies for human identification purposes. We also believe that this analysis would clearly show that the conclusion to "disfavor" all RF technology is overly restrictive and that RF-based contactless smart card technology should not be included in the DHS definition of RFID technology that is "disfavored."
The Smart Card Alliance appreciates the opportunity to provide input to DHS on the important topics of privacy and security in identification systems. We would be happy to provide assistance with any technology analysis and provide material that provides additional details supporting our comments above. Additional information about the use of smart cards in identity applications and the differences between RFID and contactless smart card technology can be found on the Smart Card Alliance web site.