Pointing Out Problems With PASS Cards
January 9, 2007
This year promises to be extremely busy on the tech policy front. One of our first acts of 2007 was to urge the Departments of State and Homeland Security to rethink a proposal for the creation of a high-tech ID card that could be used in place of a passport by Americans who make frequent trips to Canada, Mexico and the Caribbean. The PASS (People Access Security Service) card would use RFID (radio frequency identification) technology to identify citizens as they approach U.S. land border crossings. Theoretically, the cards would be a little cheaper than passport books, and would allow for swifter crossings, since citizens could be identified from many feet away. Sounds good in theory, but the RFID standard proposed for the PASS card was intended to track inventory, not to be used on cards linked to a wealth of sensitive personal data. This technology was designed specifically to be insecure to increase supply chain efficiency. Using if for something as sensitive as managing border crossings in a post-9/11 world raises serious questions about both privacy and security. In our comments, submitted this past weekend, we urge policy makers to determine whether it would be worth trying to fix the problems with the PASS card proposal. Addressing the security and privacy concerns associated with the PASS cards may make them nearly as expensive as the new electronic passports. Since cost savings has been cited as one of the key advantages of the cards, policymakers may want to rethink the program altogether. It is also unclear to us whether there is any great benefit in being able to identify a PASS cardholder from 20 feet away. Border agents will still need to get up close to make sure that the information on the face of the card and the information pulled from the back-end database matches the person crossing the border, so its likely that the promised convenience of the card may not materialize as expected.