A group of smart card and smart chip vendors are launching a campaign to talk up the security and privacy features of their products, even as researchers raise questions about their use in passports.
Smart card makers Gemalto and Oberthur Card Systems, as well as chip makers Infineon Technologies, Philips Semiconductors and Texas Instruments, on Wednesday launched the Secure ID Coalition to promote the use of secure smart card standards as a way to protect privacy.
The group, debuting at the National Conference of State Legislators this week, was formed because the message about the security features of contactless smart cards is "not getting through very clearly," said Tres Wiley, director of e-documents for Texas Instruments.
Earlier this month, at the Black Hat conference in Las Vegas, German security researcher Lukas Grunwald demonstrated a way to copy information from his passport's RFID (radio frequency identification) chip to another smart card. And as the U.S. Department of State geared up this month to start issuing passports with smart cards included, Bruce Schneier, chief technology officer of Counterpane Internet Security, predicted the new passports could eventually be hacked and allow for surreptitious tracking.
But members of the SecureID Coalition said some security concerns are overblown. Even if a thief was able to copy the information on a passport's smart card, he wouldn't be able to change it because the information will be encrypted, they said. The encrypted photograph on the smart card wouldn't match the thief's face if he tried to use it to cross a border, they noted.
"Adding a chip to a document ... really ties the user to the document, especially when it's used in conjunction with biometrics," said Neville Pattinson, director of marketing and government affairs for Gemalto.
Another goal of the coalition is to educate policymakers about the difference between smart cards and traditional RFID chips. Traditional RFID chips, often used to tag products as they move through a supply chain, are designed to be scanned easily and quickly, while smart card vendors have paid more attention to security and privacy, Wiley said.
"RFID was traditionally done to tag things, pallets, cartons, domesticated animals," he said. "It was the layering of security on top of that RF pipe that really made it appropriate for an identity application."
SecureID Coalition members have endorsed a set of privacy rights, including the consumer's right to be confident that ID documents have been appropriately secured; and the consumer's right to know what data is contained in electronic ID documents, how that data will be collected and transmitted, and when and why the RF device is being read,
At the state legislator conference, SecureID Coalition members will attempt to "demystify" smart card technology, Pattinson said. The group will talk to lawmakers about efforts in some states to slow the use of smart card technology in identification documents, he said.