Stupid tags don’t make smart cards

Possibly as early as the beginning of next year, Canadians and Americans will be breezing across the border between British Columbia and the state of Washington with pilot trials of RFID-enabled drivers’ licences, as a replacement to passports or other travel documents.

The major benefits of travel documents tagged with RFID technology are speed, cost and simplicity. Within 20 feet of a reader, a unique identifier on the card triggers a database lookup that populates the border official’s screen with information about the approaching traveller.

But cards that can be read at a distance are inherently insecure, and the EPC Gen2 RFID technology that will be used in the proposed pilot trials does not allow data encryption.

See the technology:

Watch this five-minute video to see how RFID and biometrics combine security on to a card.

Watch this five-minute video to see how RFID and biometrics combine security on to a card.

As one U.S. security expert said, the RFID tag is stupid. “It gives up its number immediately to an off-the-shelf reader product and it can recreate that tag immediately. It’s like putting your password on a Post-It note next to your computer.”

At a minimum, he said, any machine-readable identity card should be intelligent enough to decide whether it should allow itself to be read or not.

Using a “dumb” card means there must be a smart, quickly accessible database to support the border agent, and that means detailed information about Canadian citizens available to U.S. border guards. And, for that matter, anyone else in the U.S. bureaucracy who can gain access to it.

“This information database will be accessible by a huge community of people internally and there is an interesting GAO report (U.S. Government Accountability Office) about U.S.-Visit computer systems, which have yet to do a privacy impact assessment. It’s also not clear whether their backend systems are robust enough to protect stacks of information,” the U.S. expert said.

Technology and privacy insiders are also critical of an assessment of EPC Gen2 for personal identity documents, conducted by the U.S. National Institute of Standards and Technology (NIST).

According to one, “NIST produced a sham report on their card architecture. All the reports and guarantees they produced were about the best way to do this in a supply chain environment.”

The NIST analysis, according to the critics, looked at standards and practices that are entirely appropriate for a warehouse environment and generally inappropriate for identity management.

Critics of the proposed drivers’ licence pilot trials point to a failed project at the southern U.S. border as an example of what might be expected. Under a similar pilot program, I-94 type visas were equipped with RFID tags, mostly for use at the U.S.-Mexico border.

“They had hugely low read rates. It did not work as promised and yet here they are, full speed ahead on the northern border, with the same technology, trying to do it again.

“They keep claiming this meets so-called operational requirements, but the speed and range benefits they want aren’t even real.”

“Smart” cards could put data directly on the card, under the control of the citizen. As with a passport or other travel documents, the only information available at a border point would be the citizen’s eligibility to travel. All the border officer really needs to ascertain is whether the person is on a watch list and whether the identity document is a valid one.

RFID tags don’t carry certificates and they can’t do authentication. “These things wouldn’t even get a second look by a private entity looking to upgrade to something more secure and reliable. We don’t understand why the government is even giving it a first look, when they’re talking about something as sensitive as border security.”

The U.S. appears to be experimenting with all kinds of identity documents. The proposed e-passport is contact-less, with a computer chip in the back cover. Real ID, the de facto national identity card disguised as a driver’s licence and bitterly opposed by many states, uses barcode technology.

Only the Western Hemisphere Travel Initiative calls for the RFID technology that B.C. and Washington will use, as does the Pass card for U.S. citizens returning from Canada, Mexico and the Caribbean.

Speeding up cross-border traffic without sacrificing security is obviously a worthwhile objective. Clearly the Province of B.C. would like to have a fast, reliable system in place for the 2010 Olympic Games, so they are first out of the starting blocks to keep pace with the Americans.

On both sides of the border, the RFID tag on a driver’s licence is, so far, an optional extra, issued under a trial project. It’s up to officials to sell the technology to citizens and make it work. On the positive side, there are plenty of viable alternatives if it fails.

Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security. He can be contacted at

Related content:

U.S. Homeland Security revives air passenger screening program

Palm readers to the rescue in Australia

Spotlight on Michael Tschichholz, e-Government Competence Center, Germany

Privacy, link analysis and counter-terrorism

Britain weaves biometric cloak for tighter border controls

Rethinking the ID registry

Related Download
Improving the State of Affairs With Analytics Sponsor: SAS
Improving the State of Affairs With Analytics
Download this case study-rich white paper to learn why data management and analytics are so crucial in the public sector, and how to put it to work in your organization.
Register Now