Rights Chipped Away: RFID and Identification Documents

1
Rights Chipped Away RFID and Identification
Documents

• Nicole A. Ozer
• Technology Civil Liberties Policy Director
• ACLU of Northern California
• www.aclunc.org/tech
• nozer_at_aclunc.org

2
Technology and Civil Liberties ProgramACLU Of
Northern California

• To ensure that as technology advances, civil
  rights do not get left behind.

3
ACLU Privacy and Tech Work

• Stop government from having greater and more
  invasive tools at disposal to spy on innocent
  Americans.
• Curtail strengthening of the existing
  surveillance infrastructure.
• Preempt next generation surveillance.
• Curb function of private sector as source for
  government information.

4
RFID Technology

• What is it?
• Why do we care?
• What are we going to do about it?

5

• There are more than 200 million of these
  security devices RFID used worldwide with not
  an instance
• of a security breach.
• Roxanne Gould, Senior Vice President, CA
  Government Public Affairs, American Electronics
  Association (AeA) August 7, 2005 to OC Register.
• RFID technology secures our privacy,
• prevents theft, and saves lives.
• -AeA Website, January 2, 2007

6
Getting Out the Facts

• Less than 100, off the Internet.
• Read. Smaller and stronger- up to 69 feet by
  Flexilis
• Privacy/Tracking, Personal Safety, Financial
  Security
• Clone in fraction of second.
• Personal and Public Safety
• Imperative to educate government and public about
  vulnerabilities

7

• No Secret -
• Personal Information Vulnerable
• Cracked the British e-passport (2006)
• Cracked RFID credit cards (2006)
• Cracked the Sacramento Capitol Cards (2006)
• http//www.youtube.com/watch?v4jpRFgDPWVA
• Cracked the VeriChip- RFID chip approved for
  implantation in humans (2006)

8

• Cracked the RFID chips used in Dutch e-passport
  (2006)
• Cracked Exxon Mobil gasoline passes and
  automobile anti-theft devices (2005)
• Cracked encryption key for chips used in GSM
  devices (2003)
• Cracked security on chips used in German phone
  cards, 34 million loss (1998)

9
RFID Technology Hits Home in California

• First public school in the nation to force
  children as young as 5 years old.
• Parents, searching for help, contacted the ACLU

10
Sutter Galvanizes Support for Legislation

• Introduction of landmark legislation to address
  RFID tags in identification documents
• Right to Privacy
• Right to Personal Safety
• Right to Financial Security
• Model for others

11
(No Transcript)
12

• Government should not be forcing individuals to
  carry documents that transmit their personal
  information without their knowledge and consent
  that open them up to threats to privacy, safety,
  and financial security.
• We should be able to maintain our current level
  of control over the personal information on our
  ID documents, like drivers licenses.
• Just like you put locks on your doors to keep
  your things from being stolen, you need
  protections on the use of RFID in identification
  documents to keep personal information secure.

13

• Others Echo Concerns
• Since legislation was first introduced, attitudes
  have shifted about the impact of RFID technology
  on privacy, personal and public safety, and
  financial security.
• Government Accountability Office
• DHS Privacy Integrity Committee
• Independent researchers who specialize in RFID
  technology
• Segments of technology industry itself

14

• Privacy/Tracking Concerns
• GAO Key privacy concerns include tracking an
  individuals movements and profiling an
  individuals habits, among others
• DHS Privacy and Integrity Committee widespread
  surveillance of individualswithout their
  knowledge or consent.
• AeA Perversely maximize the possibilityof an
  illicit actor tracking a person at very long
  rangeswould potentially threaten individual U.S.
  citizen privacy.

15

• Personal and Public Safety Concerns
• highly susceptible to forgery. (AeA)
• Basic RFID technology does not have necessary
  technological protections to eliminate the risk
  of terrorists, criminals, or illegal
  aliensspoofing or counterfeiting PASS cards to
  enter the United States undetected. (Smart Card
  Alliance)

16
Recognizing whats at stake

• Taging junior high school kids becomes a
  form of indoctrination into an emerging
  surveillance society that young minds should be
  learning to question Widespread adoption of
  human-tracking devices should never be embraced
  without serious and prolonged discussion at all
  levels of society.
• - Editors, Scientific American

17
Whats at Stake for the Other Side?

• LOTS of Money
• 1.94 billion dollars in 2005
• 7.26 billion estimated by 2008
• 24.5 billion estimated by 2015
• Access cards for financial, security, safety
  markets are the anticipated volume growth
• Big electronics players and smaller niche
  companies

18
Part of Much Larger Surveillance Infrastructure

• Real ID
• Video Surveillance
• NSA Spying
• Travel Databases

19

• Whats Being Done
• 50 RFID- related bills in 30 states
• Identity Information Protection Act
• Landmark legislation
• Pushing debate around RFID in ID docs on National
  level
• SB 768 passed Senate (30-7) and Assembly (49-26)
  with strong bipartisan votes
• Vetoed in final hours by Governor
• Re-introduced in first days of new session. SB
  30. Urge support.
• (also see SB 28, 29, 31 on RFID)
• Push back on REAL ID
• Computer security researchers were being able to
  educate the government and public with important
  demos.

20
Rational Protections for All California IDs

• ALL CALIFORNIA IDs MUST MEET 3 BASIC TECH NEUTRAL
  OUTCOME STANDARDS
• Tamper Resistant Features The ID implements
  tamper resistant features in order to prevent
  duplication, forgery, or cloning of the ID.
• Authentication The ID implements an
  authentication process to try to ensure that the
  identification document was legitimately issued
  by the issuing entity, is not cloned, and is
  authorized to be read.
• Notice All individuals issued an RFID-embedded
  government ID document are given notice about
  RFID technology, the privacy and security
  implications, and how they can protect their
  information.
• Limited exceptions built into all.

21
Additional protections for IDs with multiple
uses, public schools and public transportation,
confer public benefit

• BASIC STANDARDS PLUS ONE OR MORE TECH NEUTRAL
• secondary verification and identification
  procedure that does not use radio waves
• security protection such as mutual authentication
• security protection such as encryption
• security protection such as an access control
  protocol

22
ID Docs with Personal Information

• BASIC PLUS ALL OF THE FOLLOWING
• ID implements robust encryption to protect
  against the unauthorized reading of transmitted
  information
• ID implements mutual authentication to ensure as
  best as possible that only those who are supposed
  to have access to the data stored on the ID can
  read it
• ID implements an additional security feature to
  ensure that the ID cannot be read unless the IDs
  holder specifically authorizes that reading
• IDs holder is notified
• That the ID can communicate information using
  radio waves.
• That the use of shield devices can help mitigate
  the privacy and security risks.
• The location of readers intended to be used to
  read the ID.
• The information that is being collected or stored
  regarding the individual in a database

23
Cost/Benefit Analysis

• Costs of unprotected RFID potentially
  astronomical to privacy, personal and public
  safety, and financial security
• Costs of protections are negligible according to
  HID
• Anyone with a budget to put in a standard
  proximity-based access control system can afford
  to put in a smart card system instead.

24
Where are we now?

• SB 768 passed Senate (30-7) and Assembly (49-26)
  with strong bipartisan votes
• Vetoed in final hours by Governor
• Re-introduced in first days of new session. SB
  30.
• (also see SB 28, 29, 31 on RFID)
• www.aclunc.org/tech, www.aclunc.org/techblog

25
Nothing Always Appropriate

• Bootstrapping protections may not be right choice
• Basic characteristics dont change- water stays
  wet even if you try to contain it, RFID transmits
  information at a distance even if you try to wrap
  it up.
• 2D barcodes, optical scanning

26
Stay Tuned

• www.aclunc.org/tech
• www.aclunc.org/techblog
• www.aclu.org