December 26, 2009

The National ID Card and Biometric ID

Flashback: No Real Debate for Real ID

Wired
Originally Published on May 10, 2005

Hundreds of civil liberties groups, immigrant support groups and government associations oppose the Real ID Act, a piece of legislation that critics say would produce a de facto national ID card, cost states millions of dollars, and punish undocumented immigrants.

Yet despite widespread opposition to the bill, it passed through the House last week and is expected to easily pass through the Senate on Tuesday.

The legislation is raising questions not only about privacy and costs but about the ways in which critical legislation gets passed in Congress.

That's because lawmakers slipped the bill into a larger piece of legislation -- an $82 billion spending bill -- that authorizes funds for the Iraq war and tsunami relief, among other things, and is considered a must-pass piece of legislation.

It's not the first time Congress has slipped contentious bills into larger legislation that is almost guaranteed to pass. In 2003, Congress augmented Patriot Act surveillance powers with wording slipped into the Intelligence Authorization Act, a bill that authorized funding for intelligence agencies.

Critics, such as the American Civil Liberties Union, say lawmakers slipped the Real ID Act into the relatively uncontroversial spending bill in order to avoid a congressional debate over the ID measure.

"The legislation was created in the backrooms of Congress without hearings and without any real understanding or thought about what was being created," said Barry Steinhardt, director of the ACLU's technology and liberty program...

Among other things, the legislation would force states to produce standardized, tamper-resistant driver's licenses that would include machine-readable, encoded data. States theoretically could choose not to comply with the standards, but residents of those states would not be able to use their license as identification to obtain federal benefits -- such as veteran's benefits or Social Security -- or to travel on airplanes.

The legislation doesn't specify what data states must encode in the driver's license. The secretary of transportation and Department of Homeland Security secretary have authority to designate the data.

The National Governors Association, the Council of State Governments, and the American Association of Motor Vehicle Administrators are among those who say the law creates unnecessary bureaucracy for drivers and imposes hardship and undue cost on state offices.

The legislation would require all drivers, including current license holders, to provide multiple documents to verify their identity before they could obtain a license or renew one. Drivers would have to provide four types of documentation, such as a photo ID, a birth certificate, proof that their Social Security number is legitimate, and something that verifies the applicant's full home address, such as a utility bill. The law would then compel Department of Motor Vehicle employees to verify the documents against federal databases and store the documents and a digital photo of the card holder in a database...

Civil liberties groups are concerned about the privacy implications of the bill. Although the bill states that licenses must be machine-readable, it does not state the kind of technology to be used.

Steinhardt said that officials would likely require states to embed a contactless RFID chip in licenses at some point, even if they didn't require this in the initial rollout of licenses. RFID chips can hold more data than magnetic stripes, but they can also allow someone with an RFID reader to collect information stored on a license from a distance without the license holder's knowledge.

The machine-readable part of the license will contain most of the information printed on the license front -- such as the holder's name, birth date, gender and digital photograph. But the Department of Homeland Security could add more data, such as digital fingerprints.

Proponents of the bill such as the nonprofit group NumbersUSA, could not be reached for comment. But the group's members have said in the past that the bill successfully balances security and privacy interests.

Among other things, the group argues that the bill does not create a national ID card because it allows individual states to issue the documents and does not force states to comply unless they want the documents to be accepted by federal agencies as proof of identity. In fact, they argue that the Real ID bill will make it unnecessary for the federal government to issue a national ID card.

Steinhardt disagrees.

"This is a national ID, there's no question about that," Steinhardt said. "It may be issued by the 50 states, but it's going to be the same documents, which will be backed up by a huge database."

Steinhardt says a standardized license would allow the government and businesses to track people and would essentially create a single national database, since states would be required to open their driver's license databases to other states. He expressed concern that businesses would also want to read and collect the data on driver's licenses.

"Everyone from 7-Eleven to the owner of your apartment building to a retailer and a bank are going to demand to see this document," Steinhardt said. "And they're going to be able to read all of the private data off of the machine-readable strip."

Currently, some businesses such as bars and restaurants scan the magnetic strip on driver's licenses to collect data on patrons for marketing purposes. But the practice is not widespread.

Steinhardt said that making the content and format of the data uniform would encourage retailers and others to harvest the information and create their own parallel database and sell the information to data brokers like ChoicePoint.

Talk about a standardized driver's license arose last year after the 9/11 Commission Report revealed the ease with which the World Trade Center terrorists obtained legitimate driver's licenses and moved around the country unthwarted.

This year Sensenbrenner introduced the legislation as a stand-alone bill, which passed in the House in February. In March lawmakers, anticipating trouble passing it through the Senate, slipped the act into the larger, must-pass spending bill. It's this bill that the Senate is expected to pass on Tuesday.

"The deal's been cut," Steinhardt said. "I would be stunned beyond belief if it didn't pass at this point."

What Will the REAL ID Act’s Driver’s License Restrictions Really Do?

National Immigration Law Center
May 2005
  • Repeal the federal driver’s license standards that were signed into law by President Bush just last December as part of the 9/11 Commission antiterrorism law.
  • Halt the process of consultation and rulemaking that has already begun under the 9/11 law.
  • Substitute new top-down rules that will stifle state innovation on security measures.
  • Make it impossible for many legal immigrants to get driver’s licenses through no fault of their own.
  • Raise insurance rates; increase traffic fatalities.
  • Make us more vulnerable to terrorism and other crimes.
  • Distract from urgently needed immigration reforms.

Move to National ID Cards Delayed

Wired
December 14, 2009

The United States’ quest for a national identification database associated with driver’s licenses won’t be finished by year’s end.

The deadline was Dec. 31 for the states to create what would be the largest identification database of its kind under the auspices of the Real ID program. The law also mandates uniform anti-counterfeiting standards for state driver’s licenses.

[Map: ACLU]

None of the states are in full compliance with the law, first adopted in 2005, requiring state motor vehicle bureaus to obtain and internally scan and store personal information like Social Security cards and birth certificates for a national database, according to the American Civil Liberties Union. About half the states oppose the mandate, or have said they would never comply.

Beginning Jan. 1, the law was supposed to have blocked anybody from boarding a plane using their driver’s license as ID if their resident state did not comport with the Real ID program. But the Department of Homeland Security is set to extend, for at least a year, the deadline of the Real ID program that has raised the ire of privacy advocates.

Homeland Security officials point to the 9/11 hijackers’ ability to get driver’s licenses in Virginia using false information as justification for the proposed $24 billion program.

The American Civil Liberties Union and the Electronic Frontier Foundation suggest the plan is misguided, and might pave the way for requiring such IDs to vote or purchase prescription drugs.

“Our biggest concern is that it is a national ID card. It changes the relationship between the citizen and the state,” Chris Calabrese, the ACLU’s legislative counsel, said in a telephone interview. “We see it as a potential mission creep, and an individual’s rights can be curtailed because of this.”

Richard Esguerra, the EFF’s residence activist, said in a telephone interview Monday and in a recent blog post that the giant database, if it ever comes to fruition, “threatens citizens’ personal privacy without actually justifying its impact or improving security.”

Following Criticism, Netanyahu Defers Vote on Biometric Database Law

Haaretz
November 16, 2009

Israeli Prime Minister Benjamin Netanyahu on Monday postponed a vote on a controversial law that would set up a biometric database with information about every citizen of the country, following heavy criticism.

Netanyahu decided to impede the vote, which reached second and third readings and was expected to be approved by the Knesset on Monday, making this the third time the vote on the legislation has been postponed in the last few weeks.

The database would be used to issue "smart" identity cards.

The bill would require all Israeli identity cards and passports to be "smart" documents, containing an electronic chip with the holder's fingerprints and facial scan. That information would then be stored in a biometric database.

Opponents argue that such a database constitutes a real threat to Israelis' welfare, as the data could too easily pass into the wrong hands. For instance, criminals might obtain an innocent person's biometric data, and somehow plant them at a crime scene to cover their own tracks, or enemy states might obtain the data and use them to identify Israeli agents operating on their soil.

This argument is based in part on the latest State Comptroller's Report, which found that items included in the extremely sensitive Population Registry database - which includes every Israeli's ID number, address, and other personal and family information - were leaked to the Internet because the Interior Ministry had not protected it properly. Nor were police ever able to finger the culprits in this activity.

Under such circumstances, say opponents of the bill, what grounds are there for believing the government would do a better job of protecting the biometric database? Moreover, they charge, such a database would turn the government into "Big Brother."

Biometric bill vote delayed by two years

Chips in Official IDs Raise Privacy Fears

The Associated Press
August 4, 2009

Climbing into his Volvo, outfitted with a Matrics antenna and a Motorola reader he’d bought on eBay for $190, Chris Paget cruised the streets of San Francisco with this objective: to read the identity cards of strangers, wirelessly, without ever leaving his car.

It took him 20 minutes to strike hacker’s gold.

Zipping past Fisherman’s Wharf, his scanner detected, then downloaded to his laptop, the unique serial numbers of two pedestrians’ electronic U.S. passport cards embedded with radio frequency identification, or RFID tags. Within an hour, he’d “skimmed” the identifiers of four more of the new, microchipped PASS cards from a distance of 20 feet.

Embedding identity documents — passports, drivers licenses, and the like — with RFID chips is a no-brainer to government officials. Increasingly, they are promoting it as a 21st century application of technology that will help speed border crossings, safeguard credentials against counterfeiters, and keep terrorists from sneaking into the country.

But Paget’s February experiment demonstrated something privacy advocates had feared for years: That RFID, coupled with other technologies, could make people trackable without their knowledge or consent.

He filmed his drive-by heist, and soon his video went viral on the Web, intensifying a debate over a push by government, federal and state, to put tracking technologies in identity documents and over their potential to erode privacy.

Putting a traceable RFID in every pocket has the potential to make everybody a blip on someone’s radar screen, critics say, and to redefine Orwellian government snooping for the digital age.

“Little Brother,” some are already calling it — even though elements of the global surveillance web they warn against exist only on drawing boards, neither available nor approved for use.

But with advances in tracking technologies coming at an ever-faster rate, critics say, it won’t be long before governments could be able to identify and track anyone in real time, 24-7, from a cafe in Paris to the shores of California.

The key to getting such a system to work, these opponents say, is making sure everyone carries an RFID tag linked to a biometric data file.

On June 1, it became mandatory for Americans entering the United States by land or sea from Canada, Mexico, Bermuda and the Caribbean to present identity documents embedded with RFID tags, though conventional passports remain valid until they expire.

Among new options are the chipped “e-passport,” and the new, electronic PASS card — credit-card sized, with the bearer’s digital photograph and a chip that can be scanned through a pocket, backpack or purse from 30 feet.

Alternatively, travelers can use “enhanced” driver’s licenses embedded with RFID tags now being issued in some border states: Washington, Vermont, Michigan and New York. Texas and Arizona have entered into agreements with the federal government to offer chipped licenses, and the U.S. Department of Homeland Security has recommended expansion to non-border states. Kansas and Florida officials have received DHS briefings on the licenses, agency records show...

ID Cards for India: 1.1 Billion Citizens Will Go into Second Largest Citizens' Database

Daily Mail
June 28, 2009

India is planning to provide its 1.1 billion-plus citizens with ID cards. Entrepreneur Nandan Nilekani has been chosen to lead the ambitious project, which will be the second largest citizens' database in a democracy, with China being the biggest.

The government believes the scheme, which will be finalised over three years, will aid the delivery of vital social services to the poorest people who often lack sufficient identification papers. It also sees the scheme as a way to tackle increasing amounts of identity fraud and theft and, at a time of increased concern over the threat of militant violence, to boost national security and help police and law officials.

Like Britain's £5 billion ID cards plan, due to roll out in 2011/12, India's scheme is not without controversy. Observers have raised questions including how the cards will actually improve the delivery of services and also concerns that the scheme could be disruptive.

In an interview in The Independent today, associate fellow of the Asia programme at Chatham House, Charu Lata Hogg, said: 'It cannot be denied that the system of proving identity in India is complicated and confusing. But a system of national ID cards can technically introduce a new route to citizenship.

'This could be used as a security measure by the government which leaves migrant workers, refugees and other stateless people in India in limbo without access to public services, employment and basic welfare.'

Bill Gates working with India on identity card project

NSA’s New Data-Mining Facility

San Antonio Current
June 21, 2009

...America’s top spy agency has taken over the former Sony microchip plant and is transforming it into a new data-mining headquarters — oddly positioned directly across the street from a 24-hour Walmart — where billions of electronic communications will be sifted in the agency’s mission to identify terrorist threats.

“No longer able to store all the intercepted phone calls and e-mail in its secret city, the agency has now built a new data warehouse in San Antonio, Texas,” writes author James Bamford in the Shadow Factory, his third book about the NSA. “Costing, with renovations, upwards of $130 million, the 470,000-square-foot facility will be almost the size of the Alamodome. Considering how much data can now be squeezed onto a small flash drive, the new NSA building may eventually be able to hold all the information in the world...”

Radio Chip Coming Soon to Your Driver's License?

Homeland Security seeks next-generation REAL ID

WorldNetDaily
February 28, 2009

Privacy advocates are issuing warnings about a new radio chip plan that ultimately could provide electronic identification for every adult in the U.S. and allow agents to compile attendance lists at anti-government rallies simply by walking through the assembly. The proposal, which has earned the support of Janet Napolitano, the newly chosen chief of the Department of Homeland Security, would embed radio chips in driver's licenses or "enhanced driver's licenses." "Enhanced driver's licenses give confidence that the person holding the card is the person who is supposed to be holding the card, and it's less elaborate than REAL ID," Napolitano said in a Washington Times report.

REAL ID is a plan for a federal identification system standardized across the nation that so alarmed governors many states have adopted formal plans to oppose it. However, a privacy advocate today told WND that the EDLs are many times worse...

Real ID Mandate Resisted in Virginia

The Associated Press
January 3, 2009

Since the law's enactment in 2005, at least 42 states have considered anti-Real ID legislation, and more than half have passed measures either forbidding their states from participating or urging Congress to amend or repeal the law. At least five states have gone in the other direction, passing bills bringing their programs into compliance. Critics say they expect other states to join Virginia this year to fight against Real ID.

The program was born out of the commission that looked into the terrorist attacks of Sept. 11, 2001. It recommended that the U.S. improve its system of issuing identification documents because the hijackers had numerous licenses and state IDs. Congress approved legislation requiring states to issue licenses and ID cards that meet certain security standards.

The new IDs will be required for federal purposes, such as boarding an airplane or entering a federal building. Other federal identification, including passports and military IDs, also will be accepted.

“The bottom line is that citizens of states who do not move forward with the Real ID mandate from Congress will see real consequences,” said Laura Keehner, a spokeswoman for the Department of Homeland Security, which is in charge of the program.

States had until May 2008 to implement Real ID, but the department extended that until Dec. 31, 2009. If they need more time and have met certain benchmarks, states can request an extension until May 11, 2011.

The opposition has centered around cost and privacy concerns. Homeland Security originally estimated it would cost states $14 billion to implement the program, but in January it loosened the restrictions and said the added flexibility would bring the cost to under $4 billion. Homeland Security and other agencies have given out about $500 million in grants, but state officials say that’s not enough.

Critics also claim that Real ID diminishes privacy, and they object to a national ID that would have to be shown for everyday identification purposes...

The Bill Nobody Noticed: National DNA Databank

Natural News
December 18, 2008

In April of 2008, President Bush signed into law S.1858, which allows the federal government to screen the DNA of all newborn babies in the U.S. This was to be implemented within 6 months, meaning that this collection is now being carried out. Congressman Ron Paul states that this bill is the first step towards the establishment of a national DNA database.

S.1858, known as The Newborn Screening Saves Lives Act of 2007, is justified as a "national contingency plan" in that it represents preparation for any sort of public health emergency. The bill states that the federal government should "continue to carry out, coordinate, and expand research in newborn screening" and "maintain a central clearinghouse of current information on newborn screening... ensuring that the clearinghouse is available on the Internet and is updated at least quarterly". Sections of the bill also make it clear that DNA may be used in genetic experiments and tests. Read the full bill: http://www.govtrack.us/congress/bill.xp ...

Twila Brase, president of the Citizens' Council on Health Care, warns that this new law represents the beginning of nationwide genetic testing. Brase states that S.1858 and H.R. 3825, the House version of the bill, will:

  • Establish a national list of genetic conditions for which newborns and children are to be tested.
  • Establish protocols for the linking and sharing of genetic test results nationwide.
  • Build surveillance systems for tracking the health status and health outcomes of individuals diagnosed at birth with a genetic defect or trait.
  • Use the newborn screening program as an opportunity for government agencies to identify, list, and study "secondary conditions" of individuals and their families.
  • Subject citizens to genetic research without their knowledge or consent ...

How RFID Tags Could Be Used to Track Unsuspecting People

Average consumers may not realize how many RFID tags they carry around. The devices are embedded in personal items and even some clothing.

Scientific American
August 26, 2008

If you live in a state bordering Canada or Mexico, you may soon be given an opportunity to carry a very high tech item: a remotely readable driver’s license. Designed to identify U.S. citizens as they approach the nation’s borders, the cards are being promoted by the Department of Homeland Security as a way to save time and simplify border crossings. But if you care about your safety and privacy as much as convenience, you might want to think twice before signing up.

The new licenses come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique identification number. As the bearer approaches a border station, radio energy broadcast by a reader device is picked up by an antenna connected to the chip, causing it to emit the ID number. By the time the license holder reaches the border agent, the number has already been fed into a Homeland Security database, and the traveler’s photograph and other details are displayed on the agent’s screen.

Although such “enhanced” driver’s licenses remain voluntary in the states that offer them, privacy and security experts are concerned that those who sign up for the cards are unaware of the risk: anyone with a readily available reader device—unscrupulous marketers, government agents, stalkers, thieves and just plain snoops—can also access the data on the licenses to remotely track people without their knowledge or consent. What is more, once the tag’s ID number is associated with an individual’s identity—for example, when the person carrying the license makes a credit-card transaction—the radio tag becomes a proxy for that individual. And the driver’s licenses are just the latest addition to a growing array of “tagged” items that consumers might be wearing or carrying around, such as transit and toll passes, office key cards, school IDs, “contactless” credit cards, clothing, phones and even groceries.

RFID tags have been likened to barcodes that broadcast their information, and the comparison is apt in the sense that the tiny devices have been used mainly for identifying parts and inventory, including cattle, as they make their way through supply chains. Instead of having to scan every individual item’s Universal Product Code (UPC), a warehouse worker can register the contents of an entire pallet of, say, paper towels by scanning the unique serial number encoded in the attached RFID tag. That number is associated in a central database with a detailed list of the pallet’s contents. But people are not paper products. During the past decade a shift toward embedding chips in individual consumer goods and, now, official identity documents has created a new set of privacy and security problems precisely because RFID is such a powerful tracking technology. Very little security is built into the tags themselves, and existing laws offer people scant protection from being surreptitiously tracked and profiled while living an increasingly tagged life.

Beyond Barcodes

The first radio tags identified military aircraft as friend or foe during World War II, but it was not until the late 1980s that similar tags became the basis of electronic toll-collection systems, such as E-ZPass along the East Coast. And in 1999 corporations began considering the tags’ potential for tracking millions of individual objects. In that year Procter & Gamble and Gillette (which have since merged to become the world’s largest consumer-product manufacturing company) formed a consortium with Massachusetts Institute of Technology engineers, called the Auto-ID Center, to develop RFID tags that would be small, efficient and cheap enough to eventually replace the UPC barcode on everyday consumer products.

But the possibility that the security of such cards could be compromised is just one reason for concern. Even if tighter data-protection measures could someday prevent unauthorized access to RFID-card data, many privacy advocates worry that remotely readable identity documents could be abused by governments that wish to tightly monitor and control their citizens.

China’s national ID cards, for instance, are encoded with what most people would consider a shocking amount of personal information, including health and reproductive history, employment status, religion, ethnicity and even the name and phone number of each cardholder’s landlord. More ominous still, the cards are part of a larger project to blanket Chinese cities with state-of-the-art surveillance technologies. Michael Lin, a vice president for China Public Security Technology, a private company providing the RFID cards for the program, unflinchingly described them to the New York Times as “a way for the government to control the population in the future.” And even if other governments do not take advantage of the surveillance potential inherent in the new ID cards, ample evidence suggests that data-hungry corporations will.

Living a Tagged Life

According to the patent, here is how it would work in a retail environment: an “RFID tag scanner located [in the desired tracking location]… scans the RFID tags on [a] person…. As that person moves around the store, different RFID tag scanners located throughout the store can pick up radio signals from the RFID tags carried on that person and the movement of that person is tracked based on these detections…. The person tracking unit may keep records of different locations where the person has visited, as well as the visitation times.”

Protecting the Public

If RFID tags can enable an amusement park to capture detailed, personalized videos of thousands of people a day, imagine what a determined government could do—not to mention marketers or criminals. That is why my colleagues in the privacy community and I have so firmly opposed the use of RFID in government-issued identity documents or individual consumer items. As far back as 2003, my organization, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)—along with the Privacy Rights Clearinghouse, the Electronic Privacy Information Center, the Electronic Frontier Foundation, the American Civil Liberties Union, and 40 other leading privacy and civil liberties advocates and organizations recognized this threat and issued a position paper that condemned the tracking of human beings with RFID as inappropriate.

In response to these concerns, dozens of U.S. states have introduced RFID consumer-protection bills—which have all been either killed or gutted by heavy opposition from lobbyists for the RFID industry. When the New Hampshire Senate voted on a bill that would have imposed tough regulations on RFID in 2006, a last-minute floor amendment replaced it with a two-year study instead. (I was appointed by the governor to serve on the resulting commission.) That same year a California bill that would have prohibited the use of RFID in government-issued documents passed both houses of the legislature, only to be vetoed by Governor Arnold Schwarzenegger.

On the federal level, no high-profile consumer-protection bills related to RFID have been passed. Instead, in 2005, the Senate Republican High Tech Task Force praised RFID applications as “exciting new technologies” with “tremendous promise for our economy” and vowed to protect RFID from regulation or legislation.

Meanwhile the RFID train is barreling forward. Gigi Zenk, a spokesperson at Washington’s licensing agency, recently confirmed that there are 10,000 enhanced licenses “on the street now—that people are actually carrying.” That’s a lot of potential for abuse, and it will only grow. The state recently mustered a halfhearted response, passing a law that designates the unauthorized reading of a tag “for the purpose of fraud, identity theft, or for any other illegal purpose” as a class C felony, subject to five years in prison and a $10,000 fine. Nowhere in the law does it say, however, that scanning for other purposes such as marketing—or perhaps “to control the population”—is prohibited. We ignore these risks at our peril.
