GovernmentExecutive.com

A new government standard for federal identification cards is getting mixed reviews from identification industry executives and privacy advocates.

The standard, released Feb. 25, sets rules for an ambitious "smart card" to be worn by all federal employees and contractors beginning in October. The cards will include photographs, agency serial numbers, personal ID numbers, two fingerprints and cryptographic keys.

Getting all that information on a chip card, as required by the standard, is the subject of some controversy. Advocates of competing optical-memory technology -- which can hold up to 2.8 megabytes of data -- insist that the standard will fail because integrated circuit cards, also known as smart cards, can only hold a maximum of 64 kilobytes of data.

"We think they're on a path that will lead to a backwater," said Steven Price-Francis, vice president of business development for LaserCard. Francis thinks the new ID card will need at least 200 kilobytes of memory to be useful.

Joe Anlage, president of a startup optical-reader company called American Laser, said the government standard requires too much data compression. "They have truncated file sizes for biometric ID to the point where they are essentially unusable," he said. Anlage also said smart-card projects at the Defense and Homeland Security departments have fallen into the same trap.

Smart-card advocates disagreed. "That's not supported by the facts," said Randy Vanderhoof, executive director of the Smart Card Alliance, made up of companies from many fields and government agencies that favor the use of smart cards. Smart cards have been successfully tested with full image and fingerprint files compressed to 20 kilobytes, he said.

"This is misinformation coming from an industry trying to fight for a spot in the market," Vanderhoof added.

The National Institute of Standards and Technology (NIST), which developed the standard, said card memory stopped being a problem after it dropped plans to include facial-scan data on the ID cards. "Storing two fingerprints on a card is not an issue," said Ed Roback, chief of NIST's computer-security division.

Roback also said federal agencies did not request optical-memory technology during the standard-setting process.

At least one privacy group is mostly pleased with the final standard. In particular, a requirement that each agency assign a senior official for privacy to conduct comprehensive privacy assessments is welcome, said Pam Dixon, executive director of the World Privacy Forum. "Coming from the feds, that's pretty big," she said.

But Ari Schwartz, associate director of the Center for Democracy and Technology, said the government has the whole process wrong. "It's backward to do the standards first and the [privacy] policy second," he said.

Roback said ID privacy policy should not be set for the entire government in one document. "Each agency has to do it in the context of their own environment," he said.

NIST plans to put the standard out for review again in about one year so new technology can inform the process, Roback said.

COMMENTS

• Look, someone needs to make up their mind what the heck "THEY" are doing! About 18 months, maybe 2 years ago we were issued CAC cards and had to have passwords. We have never used the card and I have no idea what my password is, nor do 1000+ others. The password business is absurd. One is supposed to put their password in a safe place. Now you have to have a 8x10 laminated card for all your passwords. The user can't keep track, but the hackers have no problems. I find it sad that the folks who make big bucks to do this business in the DOD can't come up with a better way! I question their resolve and thinking process. Mike Kelley Posted March 2, 2005 8:48 AM
• I know we have the terrorist problems, but I cannot agree with the national ID program. We are a nation built on freedom of the individual and we need to save that ideal. In history, George Washington and the Continental Army were rebels and today would be labeled as terrorists, but they fought for our freedoms. We were told that the Social Security number would be used strictly to regulate the program, in fact if you look at my social security card it states not to be used for ID. So what does the government allow? The social security number to be used as your employee ID number. Now they want a national ID with our vital data, why not just use the microchip implant and I don't need to worry about someone stealing the card. It is time for everyone to stand up and stop the federal government from violating our rights. Time to say we are mad as hell and not going to take it anymore! GovExec.com reader Posted March 2, 2005 7:36 AM