Critics wary about biometric smart cards

Opponents worry about job loss and invasions of privacy

Federal workers and privacy advocates are worried about a presidential directive requiring all federal employees and contractors to carry biometric smart cards to access federal buildings and computer systems.

At a Jan. 19 public meeting in Washington, D.C., they expressed fears that the new identity card mandate could mean greater personal surveillance and even loss of employment.

Policy officials will address those concerns as they write the rules for issuing and using the new federal ID cards, Karen Evans, administrator for e-government and information technology at the Office of Management and Budget, told an audience of more than 150 at the meeting.

"We want to make sure we adequately protect the information of employees," she said.

Officials have received

1,900 written comments from the public about a proposed governmentwide standard for the biometric smart cards, indicating a high level of interest among federal employees, IT vendors, and security and privacy advocates, Evans said.

She acknowledged critics' concerns that the smart card mandate imposes difficult demands. Those demands include the possibility that agencies would need to shift funds to pay for the cards and rush to be prepared to issue them by October. "We will be here to help you make those deadlines," Evans said.

Officials at agencies that have already issued smart cards to employees and companies that have developed cards to meet those agencies' standards worry that they may need to scrap their current systems and start over.

The presidential directive, Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors, requires National Institute of Standards and Technology officials to develop the biometric smart card standard for governmentwide federal identity cards. Critics say NIST's proposed technical standard is incompatible with the Government Smart Card Interoperability Standard that several large federal agencies and their smart card vendors have adopted.

But some of the greatest concerns involve the potential intrusion into employees' privacy. For those reasons, Evans said, "we want to build privacy technology into the card."

Privacy advocates say the president's smart card directive is unusual and ambitious in seeking to create a uniform

card standard and policies suitable for employees because agencies — such as the Defense Department compared to the Railroad Retirement Board — are so diverse, said Ari Schwartz, associate director of the public interest group Center for Democracy and Technology.

Schwartz said government officials made a mistake by issuing a proposed technical standard for the cards before writing and publicizing the policies for using them. "Agency employees and the public are confused," he said. "Is this part of a bigger plan?" Without knowing all the ramifications of using the cards, he added, "everyone is going to assume the worst."

Some policy experts at the meeting advised OMB officials to incorporate generally accepted principles of information privacy into their policies. Such principles include disclosing to employees and contractors how personal information collected and stored on the cards will be used and how they can appeal authorities' decisions to revoke or refuse to issue an identity card, said Dan Chenok, vice president and director for policy and management strategies at SRA International.

Some of the privacy fears smart card critics raise are unfounded, said Robert Atkinson, vice president and director of the Technology and New Economy Project at the Progressive Policy Institute. But legitimate concerns should be addressed, he added.

For example, Atkinson said the standard that government officials must complete by late February should not permit personal data, such as the credential identifier associated with each card, to be sent unencrypted to the card reader.

But Atkinson disagreed with privacy advocates who want to limit the uses of the federal ID cards. The cards, he said, should be designed to accommodate new applications such as a pass for federal employees who ride the subway to work.

For others, expanding use of the cards beyond their original purpose poses a serious threat to cardholders' privacy. Pam Dixon, executive director of the World Privacy Forum, suggested that Congress may need to pass legislation to limit the uses of the cards to accessing federal buildings, computer networks and information systems.

Dixon also favors policies that restrict any analysis of the card systems' back-end data that could trace the movement of employees in federal buildings. Federal employee union officials are concerned that data collected on card usage could be misused to punish employees for visiting the employee union office, for example.

A National Treasury Employees Union representative said new policies should permit employees who use authorized pseudonyms for their personal safety to have their cards issued under their pseudonyms. IRS employees, for example, many of whom have been threatened or assaulted, have a statutory right to use a pseudonym. n

Who's who in the federal government

The federal government's planned personal identity verification system will be based on smart card technology with embedded biometric identifiers and will include the following elements:

Law enforcement fingerprint checks.

Personal identity background checks.

Personal identity smart cards.

Smart card readers at access points to federal buildings and computer systems.

Biometric readers at those access points.

Identity registration repositories.

Public-key infrastructure and certificate status servers.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.