Real ID Act’s recommended 2D barcode security isn’t good enough, says smart card industry
08 May, 2007
category: Government, Library
The 40-page proposal’s recommendations fall short of endorsing highly secure contactless ID chips
By Marisa Torrieri, Contributing Editor
State governments may be fuming over the Real ID Act’s tight implementation deadlines and a lack of federal funding, but smart card developers are taking issue with its security requirements – or lack thereof.
On March 1, the Department of Homeland Security filed a notice of proposed rulemaking for the “Real Act of 2005,” which sets forth minimum document requirements for driver license and identification card issuance for United States citizens. This most recent revision pushes the deadlines back for states to start issuing these driver licenses.
Under the new proposal, states may file for an extension by Feb. 1, 2008, to start issuing Real ID-compliant licenses on Jan. 1, 2010. By May 10, 2013, all licenses and ID cards held by individuals must be compliant.
Though the proposal outlines measures for card application and issuance, state governments are complaining that it doesn’t call for additional funds to offset the cost of upgrading existing card reader systems (referred to as Machine-readable Technology, or “MRT”). Section 202 (b) (9) of the Act requires states to include a common MRT with defined minimum data elements for the driver licenses and identification cards. The proposed regulation would mandate the use of the PDF-417 2D bar code as the common MRT technology standard.
According to smart card industry folks, the PDF-417 2D standard isn’t much more sophisticated than the existing ID technology.
The proposed 2D standard, says Neville Pattinson, vice president of government affairs and standards for Gemalto, would be easily thwarted, and wouldn’t make the cards much better than they are today. In fact, it would defeat the main purpose of the Act: to raise the level of difficulty of counterfeiting the card and stopping fraudulent behavior.
“Adding a smart card chip to an identity document, as many U.S. programs already do, is the proven way to increase the difficulty to fraud the document, to protect the privacy of the machine-reader zone, and to ensure the ID is being used by the bearer and to open up the possibility to enable e-government services using digital credentials in the chip,” says Mr. Pattinson. “Printed bar codes are frankly obsolete and non-workable in today’s increasingly demanding and capable digital society.”
But Jonathan Frenkel, director of law enforcement and information sharing policy for DHS and one of the government staff members who helped draft the proposal, said the Real ID Act’s security requirement is only intended to establish a minimum standard.
“The proposed rule actually identified a variety of technologies that DHS considered to satisfy the common machine readable technology requirement of the law, and went through the rationale of why DHS chose a 2D barcode standard,” Mr. Frenkel said. “Of course anyone who disagrees is free to file comments saying why they believe a different technology should be the one used as the minimum across the country. Nothing in the proposed rule would prevent the state from adding additional technologies beyond those minimum standards.”
Cost was a factor in determining the minimum technology requirements to impose upon states, Mr. Frenkel said.
But Mr. Pattinson said the benefits – genuinely secure IDs instead of ones that give consumers a false sense of security – outweigh the additional costs. Furthermore, the cost for immensely better security only amounts to a few dollars more per card.
“Smart card technology adds a small additional cost to the cards,” says Mr. Pattinson. “You’re talking about $3 more to add that chip … if it’s a higher end chip, it’s $4 more.”
Furthermore, the cost of the driver license itself is very small compared to the back end costs of building the system and infrastructure, says Tres Wiley, director of eDocuments at Texas Instruments, Inc.
If the final rule won’t change minimum technology standards, another favorable option for states might be to let the citizen decide if they want to pay a few extra dollars for the additional functionality beyond the 2D bar codes. Cards in number of other countries use chip-based technologies for multiple purposes.
“The whole purpose for the Real ID was to improve the security, and the 2D barcode doesn’t materially improve the security of the driver license,” says Mr. Wiley. “Secondly, there’s a golden opportunity to lay out some requirements for chip-based ID cards so states can add functionality.”
Additional resources:
To see a copy of the Real Act of 2005 Notice of Proposed Rulemaking, visit http://a257.g.akamaitech.net/7/257/2422/01jan20071800/edocket.access.gpo.gov/2007/pdf/07-1009.pdf