Entries Tagged "identification"

Page 25 of 26

Fingerprint Library Cards

Biometric library cards are coming to Naperville, Illinois.

On the one hand, the library is just storing a data string derived from the fingerprint, and not the fingerprint itself. But I have a hard time believing the second paragraph below.

Library Deputy Director Mark West said the system will be implemented over the summer beginning with a public education campaign in June. West said he is confident the public will embrace the technology once it learns its limitations.

The stored numeric data cannot be used to reconstruct a fingerprint, West said, nor can it be cross-referenced with other fingerprint databases such as those kept by the FBI or the Illinois State Police.

Nor do I have any faith in this sentence:

Officials promise to protect the confidentiality of the fingerprint records.

Posted on May 23, 2005 at 7:44 AMView Comments

REAL ID

The United States is getting a national ID card. The REAL ID Act (text of the bill and the Congressional Research Services analysis of the bill) establishes uniform standards for state driver’s licenses, effectively creating a national ID card. It’s a bad idea, and is going to make us all less safe. It’s also very expensive. And it’s all happening without any serious debate in Congress.

I’ve already written about national IDs. I’ve written about the fallacies of identification as a security tool. I’m not going to repeat myself here, and I urge everyone who is interested to read those two essays (and even this older essay). A national ID is a lousy security trade-off, and everyone needs to understand why.

Aside from those generalities, there are specifics about REAL ID that make for bad security.

The REAL ID Act requires driver’s licenses to include a “common machine-readable technology.” This will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom. It actually doesn’t matter how well the states and federal government protect the data on driver’s licenses, as there will be parallel commercial databases with the same information.

Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver’s licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).

REAL ID requires that driver’s licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police—even undercover police officers. This seems like a major unnecessary security risk.

REAL ID also prohibits states from issuing driver’s licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses—which isn’t going to help anyone’s security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)

REAL ID is expensive. It’s an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I’ve seen estimates that the cost to the states of complying with REAL ID will be $120 million. That’s $120 million that can’t be spent on actual security.

And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver’s licenses, the security measures recommended by the 9/11 Commission Report. That’s already done. It’s already law.

REAL ID goes way beyond that. It’s a huge power-grab by the federal government over the states’ systems for issuing driver’s licenses.

REAL ID doesn’t go into effect until three years after it becomes law, but I expect things to be much worse by then. One of my fears is that this new uniform driver’s license will bring a new level of “show me your papers” checks by the government. Already you can’t fly without an ID, even though no one has ever explained how that ID check makes airplane terrorism any harder. I have previously written about Secure Flight, another lousy security system that tries to match airline passengers against terrorist watch lists. I’ve already heard rumblings about requiring states to check identities against “government databases” before issuing driver’s licenses. I’m sure Secure Flight will be used for cruise ships, trains, and possibly even subways. Combine REAL ID with Secure Flight and you have an unprecedented system for broad surveillance of the population.

Is there anyone who would feel safer under this kind of police state?

Americans overwhelmingly reject national IDs in general, and there’s an enormous amount of opposition to the REAL ID Act. This is from the EPIC page on REAL ID and National IDs:

More than 600 organizations have expressed opposition to the Real ID Act. Only two groups—Coalition for a Secure Driver’s License and Numbers USA—support the controversial national ID plan. Organizations such as the American Association of Motor Vehicle Administrators, National Association of Evangelicals, American Library Association, Association for Computing Machinery (pdf), National Council of State Legislatures, American Immigration Lawyers Association (pdf), and National Governors Association are among those against the legislation.

And this site is trying to coordinate individual action against the REAL ID Act, although time is running short. It’s already passed in the House, and the Senate votes tomorrow.

If you haven’t heard much about REAL ID in the newspapers, that’s not an accident. The politics of REAL ID is almost surreal. It was voted down last fall, but has been reintroduced and attached to legislation that funds military actions in Iraq. This is a “must-pass” piece of legislation, which means that there has been no debate on REAL ID. No hearings, no debates in committees, no debates on the floor. Nothing.

Near as I can tell, this whole thing is being pushed by Wisconsin Rep. Sensenbrenner primarily as an anti-immigration measure. The huge insecurities this will cause to everyone else in the United States seem to be collateral damage.

Unfortunately, I think this is a done deal. The legislation REAL ID is attached to must pass, and it will pass. Which means REAL ID will become law. But it can be fought in other ways: via funding, in the courts, etc. Those seriously interested in this issue are invited to attend an EPIC-sponsored event in Washington, DC, on the topic on June 6th. I’ll be there.

Posted on May 9, 2005 at 9:06 AM

RFID Passport Security

According to a Wired article, the State Department is reconsidering a security measure to protect privacy that it previously rejected.

The solution would require an RFID reader to provide a key or password before it could read data embedded on an RFID passport’s chip. It would also encrypt data as it’s transmitted from the chip to a reader so that no one could read the data if they intercepted it in transit.

The devil is in the details, but this is a great idea. It means that only readers that know a secret data string can query the RFID chip inside the passport. Of course, this is a systemwide global secret and will be in the hands of every country, but it’s still a great idea.

It’s nice to read that the State Department is taking privacy concerns seriously.

Frank Moss, deputy assistant secretary for passport services, told Wired News on Monday that the government was “taking a very serious look” at the privacy solution in light of the 2,400-plus comments the department received about the e-passport rule and concerns expressed last week in Seattle by
participants at the Computers, Freedom and Privacy conference. Moss said recent work on the passports conducted with the National Institute of Standards and Technology had also led him to rethink the issue.

“Basically what changed my mind was a recognition that the read rates may have actually been able to be more than 10 centimeters, and also recognition that we had to do everything possible to protect the security of people,” Moss said.

The next step is for them to actually implement this countermeasure, and not just consider it. And the step after that is for us to get our hands on some test passports to see if they’ve implemented it well.

Posted on April 28, 2005 at 8:30 AMView Comments

UK National IDs

The London School of Economics recently published a report on the UK government’s national ID proposals. Definitely worth reading.

From the summary:

The Report concludes that the establishment of a secure national identity system has the potential to create significant, though limited, benefits for society. However, the proposals currently being considered by Parliament are neither safe nor appropriate. There was an overwhelming view expressed by stakeholders involved in this Report that the proposals are too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence. The current proposals miss key opportunities to establish a secure, trusted and cost-effective identity system and the Report therefore considers alternative models for an identity card scheme that may achieve the goals of
the legislation more effectively. The concept of a national identity system is supportable, but the current proposals are not feasible.

Posted on April 5, 2005 at 12:14 PMView Comments

Voting and IDs

Very interesting story this morning on NPR, about new voter ID requirements in the state of Georgia.

Controversy Surrounds Georgia Voter ID Proposal

Minorities and the elderly in Georgia strongly oppose a proposal to require photo IDs for voters at the polls. Both groups say the plan, if enacted, would restrict their access to the polls. Supporters say they don’t want to stop anyone from voting, just safeguard the integrity of the election process. Susanna Capelouto of Georgia Public Broadcasting reports.

Those who advocate photo IDs at polling places forget that not everyone has one. Not everyone flies on airplanes. Not everyone has a drivers license. If a photo ID is required to vote, it had better be 1) free, and 2) easily available everywhere to everyone. Otherwise it’s a poll tax.

Posted on March 24, 2005 at 4:05 PMView Comments

Smart Water

No, really. It’s liquid with a unique identifier that is linked to a particular owner.

Forensic Coding combined with microdot technology.

SmartWater has been designed to protect household property and motor vehicles. Each bottle of SmartWater solution contains a unique forensic code, which is assigned to a household or vehicle.

An additional feature of SmartWater Instant is the inclusion tiny micro-dot particles which enable Police to quickly identify the true owner of the property.

The idea is for me to paint this stuff on my valuables as proof of ownership. I think a better idea would be for me to paint it on your valuables, and then call the police.

Posted on February 10, 2005 at 9:20 AMView Comments

Flying on Someone Else's Airline Ticket

Slate has published a method for anyone to fly on anyone else’s ticket.

I wrote about this exact vulnerability a year and a half ago.

The vulnerability is obvious, but the general concepts are subtle. There are three things to authenticate: the identity of the traveler, the boarding pass, and the computer record. Think of them as three points on the triangle. Under the current system, the boarding pass is compared to the traveler’s identity document, and then the boarding pass is compared with the computer record. But because the identity document is never compared with the computer record—the third leg of the triangle—it’s possible to create two different boarding passes and have no one notice. That’s why the attack works.

Posted on February 8, 2005 at 9:11 AMView Comments

DHS Biometric ID Cards

The Department of Homeland Security is considering a biometric identification card for transportation workers:

TWIC is a tamper-resistant credential that contains biometric information about the holder which renders the card useless to anyone other than the rightful owner. Using this biometric data, each transportation facility can verify the identity of a worker and help prevent unauthorized individuals from accessing secure areas. Currently, many transportation workers must carry a different identification card for each facility they access. A standard TWIC would improve the flow of commerce by eliminating the need for redundant credentials and streamlining the identity verification process.

I’ve written extensively about the uses and abuses of biometrics (Beyond Fear, pages 197-200). The short summary is that biometrics are great as a local authentication tool and terrible as a identification tool. For a whole bunch of reasons, this DHS project is a good use of biometrics.

Posted on January 19, 2005 at 8:55 AMView Comments

1 23 24 25 26

Sidebar photo of Bruce Schneier by Joe MacInnis.