The Credential Conundrum

Which is better: a complex credential and identity management system with multiple technologies and standards, or a streamlined, one-size-fits-all approach? How about the trade-offs of speed versus security?Disputes over which technology standards should become the norm for identity management programs, or whether the existing menagerie of standards should be retained, have inflamed privacy disputes and spurred industry rivalries.Today, the federal government has multiple identification and credential programs designed to combat terrorism (see box), mostly run by different agencies using different technologies, security standards and processes.It's the best possible solution to protect privacy and improve security, said Kathy Kraninger, director of the Homeland Security Department's Screening Coordination Office.Officials at SCO now are working to sort the various identity management and credential programs into three categories, and identify the preferred standards and technologies for each group, Kraninger said.DHS' technology leadership originally created SCO to consolidate all DHS identity and credential programs into a central organization. But the office has evolved as a support organization for several credential and identity management programs run by other agencies and departments.The technologies used in the various credential programs have raised standards-based issues that enmesh security, funding and legislative mandates, she said.For example, the federal Real ID law, which effectively mandates a secure biometric driver's license that will also serve as proof of citizenship or legal residence, brings together several such issues.Under the proposed Real ID implementation regulations, the licenses themselves would carry biographic data using a nonsecure, two-dimensional bar code.Most states now use the two-dimensional bar code technology, which complies with PDF, a machine-readable technology pattern developed by Symbol Technologies.The PDF-417 bar codes can be read using a commercially available scanner.DHS has acknowledged that the bar code standard's lack of security poses challenges for states as motor vehicle departments roll out their Real ID credentials and the related back-end systems. Similar issues have arisen regarding the data storage standards that apply to the People Access Security Service, or PASS, card program. That joint State Department and DHS program is preparing to issue wallet-size documents that citizens will be able to use to re-enter the country via land ports after trips to Western Hemisphere countries.The program forms an element of State's Western Hemisphere Travel Initiative, a policy to require returning citizens to show secure biometric credentials, such as passports, when they re-enter the country.Citizens have been required to show a passport when re-entering this country from countries in the Western Hemisphere via an airport or cruise ship since Jan. 1.The PASS program is developing a card-format 'passport-lite' for use when re-entering via land borders.State and DHS launched the PASS card project as a cheaper, more convenient alternative to passports that would be especially helpful to residents of border areas who cross into Canada and Mexico frequently.The PASS card program has faced brickbats from lawmakers in both the House and Senate who charge that it will be a costly burden on border region residents. The Real ID program has prompted a campaign to convince state legislatures to condemn the federal requirement.State and DHS, meanwhile, have launched a pilot to test whether Real ID driver's licenses issued by Washington state could also meet the requirements to function as PASS cards.That pilot brings two standards arenas into collision: those used now to issue driver's licenses and the stricter document security standards used by State to prevent passport forgery.Opponents of the Real ID card program have vociferously denounced the technology standards involved as a threat to citizens' privacy rights.'The Real ID is unworkable because it's fundamentally flawed,' said attorney and privacy technology specialist Melissa Ngo, senior counsel and director of the identification and surveillance project at the Electronic Privacy Information Center.'The Real ID wants to be the one ID for everything,' said Ngo, who argued that the purpose behind the new credential standard is to create a single national identity card, which could then be an easy target for terrorists.Privacy activist Jim Dempsey, policy director at the Washington-based Center for Democracy and Technology, sees potential security issues with the radio frequency identification (RFID) technology standard proposed for the PASS cards.Information on an RFID card can be read from a distance, 'making it more likely that data can be acquired for unauthorized purposes,' he said.Dempsey also condemned DHS' proposed use of the PDF-417 standard for Real ID driver's licenses.'The Real ID card can be scanned by commercial entities and essentially used to track individuals and compile information about them,' Dempsey said.Funding is another issue preventing identification and credential programs from being as secure as they could be, said Steve Cooper, former DHS chief information officer.'In some cases, there is not enough money in one fell swoop to put a secure credentialing program in place,' Cooper said.The American Red Cross, where Cooper currently is CIO, is not able to fully be a part of DHS' credential programs because the nonprofit organization lacks the funds, he said.Stephen Price-Francis, vice president of business development at LaserCard, the Mountain View, Calif.-based contractor producing Mexican laser visas and U.S. green cards used by noncitizens, said the lack of a uniform standard and technology infrastructure undermines credential security.'While a number of machine-readable technologies are discussed for the border and security environments, the practical reality today is that most ID documents are inspected visually by human beings,' Price-Francis said. The existing crazy-quilt standard framework will remain 'until a ubiquitous infrastructure for automatic document authentication exists,' he said.Other groups representing industry interests see technology standardization as a way to improve security and lower costs.The Smart Card Alliance strongly advocates using smart cards instead of RFID technology for identification and credentialing of human beings, said the organization's executive director, Randy Vanderhoof.Smart cards have a limited range from which their data can be accessed, and data on the cards can be secured from eavesdropping via an encryption technique known as Basic Access Control.State adopted smart cards and Basic Access Control for the electronic passports it now is distributing to citizens.The e-passports use the International Standards Organization 1443 standard that Vanderhoof's group advocates for all federal identification management programs, including the PASS card and Real ID driver's licenses.'Having one group of citizens with electronic passports using one security credential and having the rest of the citizens being less secure with an entirely different [PASS or Real ID] technology platform doesn't live up to protecting citizens,' Vanderhoof said.'In addition, using two different types of technologies for identification and credentialing creates a double standard and two different technology platforms to support at the border,' he said.'We are working very hard to educate the DHS and the [Customs and Border Protection] about the error in their present selection' of using RFID for identity management and credential programs, said Neville Pattinson, vice president of government affairs and standards at Gemalto North America.But Kraninger sees serious security issues with using only a single technology standard. 'We should not, for privacy issues, try to bring [information] into one national ID card system. If you choose one way to operate, then you are driving to a universal ID card,' she said.For each identity management program, DHS determines what personal information would be included, and what business processes and physical features the card would need. From that, it decides on technologies and standards, Kraninger said.