Federal ID cards need more thought
In a letter to the editor, EPIC asks for caution on ID cards featuring both biometrics and Bluetooth.
We are writing in response to Phil Libin's CNET News.com column on May 17, 2005, "Technology alarmism in spades." In it, Mr. Libin criticized the Electronic Privacy Information Center's April 2005 Spotlight on Surveillance report, "Homeland Security ID Card Is Not So Secure," which is an evaluation of the Department of Homeland Security's Access Card (DAC). Mr. Libin also posted a longer criticism of the report on his blog, "Vastly Important Notes." Mr. Libin's column and blog entry contain several errors, and EPIC takes this opportunity to refute his criticisms.
Mr. Libin's most significant error is his assertion that the DAC's ISO 14443 technology is not Radio Frequency Identification (RFID). However, technology experts, the industry and CNET News.com itself label ISO 14443 as RFID.
RFID is a generic category that encompasses many types of chips: Some are passive (they are dormant until read at close range); some are active (they are always ready to be read at a greater distance); some offer plaintext or encrypted data in addition to authentication mechanisms (ISO 14443 A&B). What they have in common is that they use radio waves to request and transmit data, as opposed to contact cards, which require physical contact with a reader to receive and transmit information.
ISO 14443 is RFID. The flaws stated in the EPIC report regarding RFID are applicable to ISO 14443. First, tests have proved that ISO 14443 chips can be read at up to 30 feet away, not merely a few inches away. Second, the ISO 14443 specifications state that the contents of the chips can be encrypted; it is not the case that they must be encrypted, much less encrypted well. Finally, to assume that the contents of an ISO 14443 chip are safe from prying eyes simply because they are encrypted is as foolish as assuming that a house is able to withstand a stiff wind simply because it has been built. It is as important to take into consideration how a cryptographic system is implemented as it is what components the system is built from. A hastily built house of straw offers significantly less protection from intruders than one that is carefully built of brick.
Mr. Libin stated that the DAC does not use Bluetooth. Mr. Libin is correct, and we apologize for the error. However, the Department of Homeland Security, as reported in Mr. Libin's column and the CIO Insight article Mr. Libin previously referenced, is considering using Bluetooth-enabled cardholders for the DAC. The problems that the EPIC report stated concerning Bluetooth are applicable to these cardholders. The central security flaw is in using Bluetooth at all in connection with the DAC. If the Bluetooth transmissions are not encrypted, it has been proved that anyone can access those transmissions from up to a mile away. If they are encrypted, it would be harder to access the transmissions, but as with anything, not impossible.
Bluetooth is designed to enable two implementing devices to communicate with each other. As the use of weak (8-128-bit) encryption is optional, the technology itself could be vulnerable to unauthorized eavesdropping and proxy attacks. As such, it is inappropriate to use Bluetooth in conjunction with an ID card intended for securing government resources.
Mr. Libin stated in his column that with the DAC, "[e]very time you scan your finger, the system only tries to match it to the already enrolled fingerprint securely stored on your card." If DHS keeps an entire photo-realistic scan of your fingerprint in electronic format, that is a significant security flaw because new fingerprints can be created from that scan without you or your finger ever being there. It would be more secure for DHS to store a mathematical calculation (called a hash), which is based upon a scan.
Mr. Libin asked what it means for a biometric to be stolen. The above fingerprint example is one way a biometric can be stolen. Another answer lies in a previous EPIC report that Mr. Libin cited in his column. The problem is that Mr. Libin cited only part of a paragraph; the rest, which contains the answer to his question, states:
It would be difficult to remedy identity fraud when a thief has identification with a security-cleared federal employee name on it, but the thief's biometric identifier. Or, in a more innocuous scenario, the identities of employees with different security clearances and their biometric identifiers are mismatched in their files due to human or computer error. Allowing employees access to their records would help ensure the accuracy of the information collected and used.
Mr. Libin's answer to EPIC's question of what happens if a biometric is stolen is to revoke the invalid card and issue a new card. EPIC agrees with this solution; however, there remains the potential problem of how difficult it would be for an employee to prove to his employer that his identity is genuine and that the biometric is false, and then to receive a new card.
Mr. Libin and EPIC have a difference of opinion concerning the DAC's use of PINs. Mr. Libin stated that this is just another authentication choice for the system. But the use of a short (4 to 6 character) PIN allows for a complete circumvention of biometrics as an authentication device. It is the weakest link that breaks an otherwise secure system.
Finally, we would like an explanation as to why Mr. Libin made a full disclosure of his relationship with the Department of Homeland Security on his blog, but not on the CNET News.com column. Column readers as well as blog readers need to know all possible conflicts of interest. From the blog:
"Full disclosure: although I am not directly involved in the DHS card program, DHS is a customer of ours and we are working on several products that will make use of the card. In other words, I may be biased but I kind of know what I'm talking about."
The main point of the EPIC report is that the federal government is spending a tremendous amount of money on these new systems of identification with little consideration of the security or privacy risks. The report seeks to highlight these problems. Mr. Libin stated, "Indeed, an ID card that uses RFID and Bluetooth is a really bad idea." We agree with him. Such an ID card, like the DAC as initially proposed by the government, used with a Bluetooth cardholder, is a really bad idea.
Bruce Schneier
CIO, Counterpane Internet Security
EPIC Advisory Board Member
Melissa Ngo
EPIC Staff Counsel