GAITHERSBURG, Md. – As part of the Bush administration's effort to tighten security at federal facilities, millions of federal employees and contractors will later this year start receiving ID badges with chips storing information such as digital fingerprints (search).
The "smart card" (search) IDs will have security features designed to keep outsiders from breaking into federal buildings or computer systems.
But some computer security experts say the new standard was rushed through a six-month-long development process after President Bush issued a smart card directive last year.
For instance, a biometric (search) standard more stringent that fingerprints, such as scans of a user's iris, was not used, said Susan Landau, a staff engineer for Sun Microsystems and a member of a National Institute of Standards and Technology advisory panel that reviewed the standard.
"The tight timeline made it impossible to use forward-looking biometric technology that is higher quality," Landau said.
Smart cards, which often resemble credit cards, come with a chip that acts like a small computer, storing information, which could be anything from a users' fingerprint to a timecode of when they last entered the building. Some cards can transfer information from the card to a reader through an embedded antenna.
The technology for the cards was developed before planners could look at the long-range implications of what they were creating, said Ari Schwartz, associate director of the Center for Democracy and Technology, a privacy advocacy group.
"That is completely backward," he said of the process used to draft the standards. "You should have the policy first and say, 'What do we want and what should the limits be on what can be done with the card?'"
Some federal workers fear the cards will be used to track employees, since they would have to swipe a card at the door to get into their offices. The NIST standards said the IDs won't be used to create a central database to keep tabs on workers.
Still, Colleen Kelly, president of the National Treasury Employees Union, which represents 150,000 federal employees at several agencies, said she is leery.
"We want to know if employees are going to be tracked every time they go through a door, or into the restroom. We're just not clear," she said.
The new cards will look like a normal ID badge, with a photo, the holder's name and agency, a serial number and expiration date. Each must have a chip able to store 64 kilobytes of information, including two digital fingerprints, a personal identification number and other features designed to identify the user and protect the stored data.
Depending on the security level, a user can either show the card to a guard or use the wireless feature to swipe it across a reader to get into a building. Computer systems could be accessed by sliding the card into a reader attached to desktop units. In some cases, fingerprints would be checked to see if they match those stored on the card.
The standard features will make it easier for workers to get into different government buildings, said Ed Robach, head of the computer security division at NIST.
"These minimal requirements would provide a high degree of trust across the agencies," he said.
The new IDs won't all look the same and each agency has the freedom to add functions that officials think are needed or for different levels of security clearance. Several agencies already use smart cards, including the Defense Department, which has issued 3.1 million Common Access Cards workers used for everything from accessing computers to paying for meals in mess halls.
Schwartz said it is unclear whether the card's wireless capability could be used by hackers to tap into personal information on a worker's card. NIST said it will advise workers to keep cards in an electronically opaque sleeve to prevent anyone else from accessing it.