Plan for federal ID badges gets mixed reviews
A new government standard for federal identification cards is getting mixed reviews from identification industry executives and privacy advocates.
The standard, released Feb. 25, sets rules for an ambitious "smart card" to be worn by all federal employees and contractors beginning in October. The cards will include photographs, agency serial numbers, personal ID numbers, two fingerprints and cryptographic keys.
Getting all that information on a chip card, as required by the standard, is the subject of some controversy. Advocates of competing optical-memory technology -- which can hold up to 2.8 megabytes of data -- insist that the standard will fail because integrated circuit cards, also known as smart cards, can only hold a maximum of 64 kilobytes of data.
"We think they're on a path that will lead to a backwater," said Steven Price-Francis, vice president of business development for LaserCard. Francis thinks the new ID card will need at least 200 kilobytes of memory to be useful.
Joe Anlage, president of a startup optical-reader company called American Laser, said the government standard requires too much data compression. "They have truncated file sizes for biometric ID to the point where they are essentially unusable," he said. Anlage also said smart-card projects at the Defense and Homeland Security departments have fallen into the same trap.
Smart-card advocates disagreed. "That's not supported by the facts," said Randy Vanderhoof, executive director of the Smart Card Alliance, made up of companies from many fields and government agencies that favor the use of smart cards. Smart cards have been successfully tested with full image and fingerprint files compressed to 20 kilobytes, he said.
"This is misinformation coming from an industry trying to fight for a spot in the market," Vanderhoof added.
The National Institute of Standards and Technology (NIST), which developed the standard, said card memory stopped being a problem after it dropped plans to include facial-scan data on the ID cards. "Storing two fingerprints on a card is not an issue," said Ed Roback, chief of NIST's computer-security division.
Roback also said federal agencies did not request optical-memory technology during the standard-setting process.
At least one privacy group is mostly pleased with the final standard. In particular, a requirement that each agency assign a senior official for privacy to conduct comprehensive privacy assessments is welcome, said Pam Dixon, executive director of the World Privacy Forum. "Coming from the feds, that's pretty big," she said.
But Ari Schwartz, associate director of the Center for Democracy and Technology, said the government has the whole process wrong. "It's backward to do the standards first and the [privacy] policy second," he said.
Roback said ID privacy policy should not be set for the entire government in one document. "Each agency has to do it in the context of their own environment," he said.
NIST plans to put the standard out for review again in about one year so new technology can inform the process, Roback said.