Brittle Technology
Dr. Ari Juels describes the People Access Security Service (PASS) as brittle. This term, while pejorative, is extremely descriptive, and perhaps right on point. Consider one of his four points:
The PASS card will come with a radio-opaque sleeve to protect against skimming when the card is not in use. But what are the chances of bearers retaining and using these sleeves? By way of the Enhanced Driver’s Licenses (EDL) program, the PASS chip is wending its way into other identity documents, such as the Washington state driver’s license. Are the owners of these cards also expected to use protective sleeves? Will state governments be as well equipped to manage EDL as DHS is to manage PASS? And who ultimately will have access to the PASS database? How will it be protected?
Those with the liberty to ignore other considerations can easily quibble with any technical design. And the effectiveness of passenger identification at border control as a national security tool is hardly obvious. Discussions with colleagues and DHS staff have left me with no question that DHS earnestly sought to achieve the strongest possible privacy and security within the budgetary and political constraints of WHTI. The PASS card may prove adequate, though not ideal.
He concludes:
…the PASS system is a brittle one. Adopted and adapted by other organizations–such as state agencies issuing driver’s licenses–its security could well degrade. Cloning of PASS cards by imposters is a worry. Cloning of the PASS architecture by state governments and other organizations is a serious worry too.
