RFID and Privacy

Yesterday morning I was sent an article written by Michigan House Representative Paul Opsommer regarding the Department of Homeland Security’s push to implement Enhanced Drivers’ Licenses:

The Department of Homeland Security is coming to Detroit to push their new “Enhanced Drivers License” (EDL) program on Tuesday as a way to make Michigan licenses compliant with the federal Western Hemisphere Travel Initiative (WHTI). If you don’t pay to enhance your license, you’ll need a passport in order to continue going across the Canadian and Mexican borders in June (you’ll still need a passport to fly).

Opsommer argues that it would make better sense to lower the price of a passport instead of trying to graft the purpose of a passport onto a drivers’ license. Then, he gets to the heart of the DHS proposal:

Instead, they’re offering to “enhance” our license by having a security interview, paying more, and then getting a wireless RFID chip in your license. While the first two requirements seem reasonable, if the part about the wireless RFID chip has you scratching your head, you’re not the only one. We already wisely don’t issue licenses to illegal aliens, but with the enhanced license you have to be able to not just prove your citizenship, but prove it via a wireless chip. Everyone who applies will have a new unique federal ID number assigned to them in addition to their current Social Security Number. The wireless chip then carries that new number, which can be wirelessly scanned by common readers up to 30 feet away, even while it’s still in your wallet.

In theory this will get you through the border faster, but then you are left with an unencrypted chip in your license for the other 12 hours a day you carry it.

He says the following about the privacy implications:

There is currently nothing in the law prohibiting the government from using this to track people away from the border, and also nothing in the law that would prohibit banks, hospitals, hotels, or others from linking you with the number and using it for their own marketing purposes or selling it.

Technically, this technology never tracks people, it only tracks the license. The assumption is that the license is being carried by the license holder when out in public, thereby being a good proxy for tracking the person. However, wallets and purses can be left at home, lost, or stolen, at which point the assumption breaks down.

For the sake of argument, let’s assume that the RFID-chipped license will be carried by the owner 99% of the time. This is the equivalent of forgetting one’s license three or four times a year, which is not uncommon for most of the folks I know. In cases where identity verification is considered critical, such as at a border crossing, a 99% accuracy rate isn’t good enough. Therefore, the system isn’t designed to operate by reading the license alone:

Enhanced drivers licenses will make it quicker and easier to cross the border back into the United States because they will contain

  • a vicinity Radio Frequency Identification (RFID) chip that will signal a computer to pull up your biographic and biometric data for the CBP Officer as you pull up to the border, and
  • a Machine Readable Zone (MRZ) or barcode that the CBP officer can read electronically if RFID isn’t available.

If the system is working as designed, it will accurately identify the person carrying the chip only when a person (or computer) can compare the features of the holder with the features on file. In any other case, the identity of the holder cannot be known for sure. That, however, doesn’t prevent someone from relying on the assumption that a license is always carried by the license holder and not another person.

This is an important point to make before addressing Opsommer’s argument about a “more secure” form of RFID license. In his comment above, Opsommer uses the word unencrypted to imply “less secure”. This is not the case. To fulfill the identification role specified by DHS, the government reader would need to be able to decrypt the encrypted value returned by the chip with no other information. This requires the use of an encryption algorithm that produces a unique, fixed encrypted number for each unencrypted number submitted to it: the chip emits the same encrypted value on every read, so that value is just as unique to its holder as the unencrypted ID number would be.

The tracking opportunity is the same in either case. People are running around with unique RFID signatures that can be read from up to 30 feet away. The first piece of information a would-be tracker would get is the RFID signature. Once the signature is encountered, the tracker can start gathering information about the holder of the RFID-chipped license. The interesting thing to consider here is that a third-party tracker piggybacking on the DHS-sponsored license system would not need to match the ID number to a pre-established identity, meaning the encrypted value is just as useful for third-party tracking as the unencrypted value.

Imagine that a supermarket chain wanted to track its customers using the RFID signature of a drivers’ license. They set up a scanner to read in the area where a patron would stand to interact with the checker and read the license every time payment was accepted. It would be possible to track a patron’s buying habits by linking the data saved from the register to the RFID signature. If a club card was used, the drivers’ license would be linked back to the name on that. If a check or credit card was used to pay, that financial information could then be linked to the RFID signature. The store would now have an entire identity built around the unique signature that has nothing to do with the DHS database.

Taking this hypothetical to the next level, imagine that a diverse array of businesses such as banks, hospitals, hotels, casinos, restaurants, and bookstores began employing similar tracking techniques.  Each would build an identity around the unique signature of the chip.  The bank would know one’s financial habits.  The hospital would know one’s health problems.  The hotel would know when one visited.  The casino would know when one gambled.  The restaurant would know what one ate.  The bookstore would know what one read.  And the supermarket from before would know what one bought.

At that point, there would be an opportunity for an information clearinghouse to buy tracking data keyed to the unique RFID signature from different sources and build an amazingly detailed profile of the license holder/carrier.  The clearinghouse would know everything from their name, telephone number, and address to the fact that they bought a box of 24 donuts on Tuesday despite having diabetes.

In the extreme, it would be possible for the government itself to leverage the work of the clearinghouse by purchasing the data and crossing it with the DHS database. This scenario is both technically possible and consistent with previous DHS behavior. Encryption would make no difference in this case because DHS can already decrypt the RFID signature. Imagine what the government could do with all that information about how a citizen lives his life.

Remember that this detailed profile grew out of exposure to a single unique signature.  The businesses doing the tracking started knowing nothing about the person other than the unique number emitted by their RFID-chipped license.  The only measure of safety encrypting the number provides is that the RFID tag could not be used to query the DHS database.  Of course, since one’s name would be revealed in one of many transactions, even this layer of protection is transitory since the DHS database would contain both name and ID number.

Back to Rep. Opsommer’s article, he laments the situation by saying the following:

[A]t the very least they need to offer enhanced licenses in two varieties, one that has RFID and one that doesn’t, and then let taxpayers decide which they want to choose. DHS has instead chosen a take it or leave it approach that bullies taxpayers with fiscal coercion and a one-size-fits-all policy that doesn’t allow Michigan to use more secure forms of RFID or to skip the chips altogether. Since an EDL will also technically be a limited passport, how the biometric data on the computer system gets shared with the governments of Canada and Mexico is also important.

I would submit to Representative Opsommer that encryption simply doesn’t matter.  Any RFID license that can be read without the holder’s consent is a threat to privacy.  Metallic sleeves and other devices that shield the license are not good enough, since they can be lost or forgotten.  The Ontario government has found a good solution to this problem, though.  They are looking at an Enhanced Drivers’ License that can be read only when someone holds it a certain way:

Seattle-based RFID chip manufacturer Impinj Inc. has demonstrated a prototype vicinity RFID card with a switch.

The design activates the RFID chip when someone places their finger on the corner of the card.

A mechanical switch – with moving parts – would be too frail, says Kerry Krause, vice-president of marketing at Impinj. So they took a different approach.

“With our technology, all you have to do is touch it,” he says. “The tag is only readable when a person is holding the driver’s licence and pinching it in the right spot. Your fingers are completing a circuit and turning it on.”

Such a license offers true privacy, as the person holding it has to take an explicit action for it to be read.  Anything short of this is simply a privacy violation waiting to happen.

—————————————————————

Update – 4/22 @ 1:35 PDT – Thanks to Jeff Molby in the comments for pointing out that the government leveraging privately-collected tracking data is already happening.  Post updated with this information.

Update – 4/22 @ 6:21 PDT – Commenter “Encryption could matter” mentioned the use of push-button technology.  I’ve found info on this and it has been added.

—————————————————————

* Note that I don’t mention licenses with changing values. With temporal encryption, in which the license includes a one-time code that is encrypted along with the ID code, the result would be an ever-changing output that could only be correctly comprehended by a system set up to decrypt and process it. In a clock-based system such as RSA’s SecurID, for example, a code is generated for a specific period of time and then discarded, replaced by a new code. The clocks on the authentication server and the token are in sync, and the authentication server will confirm that the code generated was correct for the time it was entered.

The disadvantage of using a one-time code is that the license becomes much more complex, increasing cost while decreasing durability.  Also, the centralized authentication servers needed for this model open the door to system-wide shutdowns or privacy breaches since they present a single point of exploitation.  On balance, this option would be more secure, but still not “safe” given the chance of a single, large-scale breach of privacy.
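To make the argument of the main text and of this footnote concrete, here is an added simulation (my own illustration, not code from the post or from any license program) of three chip designs read by third-party scanners at several businesses: a plain chip, a chip that emits a fixed “encrypted” value, and a chip whose output changes on every read. The ID number, the key, and the use of HMAC/SHA-256 as a stand-in for a real cipher are constructed assumptions; the point is only how many sites a single observed signature lets a tracker link together.

```python
import hmac
import hashlib
import os

ID_LEN = 8
# Constructed sample values: a made-up federal ID number and a made-up DHS key.
HOLDER_ID = (4_413_902_117).to_bytes(ID_LEN, "big")
DHS_KEY = b"constructed-demo-key-not-a-real-secret"

def tag_plain(holder_id):
    """Unencrypted chip: emits the ID number itself on every read."""
    return holder_id

def tag_deterministic(holder_id):
    """'Encrypted' chip as the post describes it: a keyed, deterministic
    transform (HMAC stands in for a block cipher) maps each ID to one fixed
    output, so the DHS reader can resolve it with no other information."""
    return hmac.new(DHS_KEY, holder_id, hashlib.sha256).digest()[:ID_LEN]

def tag_changing(holder_id):
    """Footnote design: a fresh one-time value is mixed into every read, so
    the emitted bytes differ each time; only the key holder can undo it."""
    nonce = os.urandom(16)
    pad = hashlib.sha256(DHS_KEY + nonce).digest()[:ID_LEN]
    return nonce + bytes(a ^ b for a, b in zip(holder_id, pad))

def dhs_decode_changing(emitted):
    """The authorized (key-holding) reader recovers the ID from a changing read."""
    nonce, ciphertext = emitted[:16], emitted[16:]
    pad = hashlib.sha256(DHS_KEY + nonce).digest()[:ID_LEN]
    return bytes(a ^ b for a, b in zip(ciphertext, pad))

SITES = ["supermarket", "bank", "hospital", "hotel", "bookstore"]

def third_party_profile(tag):
    """Each business logs whatever the chip emits, keyed by that raw value and
    knowing nothing else. Returns the largest number of sites that any single
    observed signature ties together, i.e. how much of a profile can be built."""
    seen = {}
    for site in SITES:
        seen.setdefault(tag(HOLDER_ID), set()).add(site)
    return max(len(sites) for sites in seen.values())

if __name__ == "__main__":
    for name, tag in [("plain", tag_plain), ("deterministic", tag_deterministic),
                      ("changing", tag_changing)]:
        print(f"{name:13s} signature links {third_party_profile(tag)} of {len(SITES)} sites")
    # The changing design still serves the border reader: DHS can decode it.
    print("DHS decode ok:", dhs_decode_changing(tag_changing(HOLDER_ID)) == HOLDER_ID)
```

The plain and deterministic chips both link all five sites to one signature, which is the post’s point that encryption of a fixed value changes nothing for third-party tracking; the changing design links none, at the cost of the server-side infrastructure the footnote describes.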