ID industry fighting Big Brother image
14 July, 2008
category: Biometrics, Contactless, Financial, Library, RFID
Biometric and smart card companies aim to educate lawmakers on how the technologies can be privacy enhancing and not privacy invasive
By Zack Martin, Editor
RFID. It’s hard to believe that four little letters can cause individuals to imagine such evil things. Mention RFID and people envision Big Brother or another type of all-seeing specter watching their every move. Biometrics evoke a similar fear among many individuals.
It’s difficult to pinpoint the exact moment when the controversy over identification technology began. Some Web sites point to high-tech identification technology and biometrics being foretold in the Bible and make a connection to the “Mark of the Beast.”
Then there was United Colors of Benetton. In 2003, the clothing retailer started placing radio frequency identification chips into clothing for supply chain management. This process change led to concerns from some that United Colors would be tracking customers once they left the stores.
But a watershed moment was in 2005 when a Silicon Valley-area school equipped all its student ID badges with radio frequency identification tags. The technology was supposed to automate attendance, but instead it created a controversy over privacy rights and is used as an example of what not to do when deploying identification technology.
California State Sen. Joe Simitian, the Democratic lawmaker representing the area where the school is based, still has legislation pending that would restrict, if not prohibit, the use of RFID and contactless technology in many applications (see legislation column).
California
Identity Information Protection Act of 2007 (CA S 30)
Enacts the Identity Information Protection Act of 2007. Requires identification documents that are created, mandated, purchased, or issued by various public entities that use radio waves to transmit data, or enable data to be read remotely, to meet specified requirements. Requires public entities and authorized 3rd parties to protect those systems and data transmitted remotely by those identification documents from unauthorized access. Restricts the disclosure thereof.
Identification Documents (CA S 31)
Relates to the Information Practices Act of 1977. Provides that a person or entity that intentionally remotely reads or attempts to remotely read a person’s identification document using radio waves without his or her knowledge and prior consent shall be punished by imprisonment in a county jail, a fine, or both. Provides that a person who discloses or causes to be disclosed, specified operational system keys shall receive punishment by imprisonment, a fine, or both.
Department of Motor Vehicles: Personal Information (CA S 28)
Prohibits the Department of Motor Vehicles from issuing, renewing, duplicating, or replacing a driver license or identification card, if the license or card uses radio waves to either transmit personal information remotely or to enable personal information to be read from the license or card remotely.
Pupil Attendance: Electronic Monitoring (CA S 29)
Prohibits a public school, school district, and county office of education from issuing any device to a pupil that uses radio waves to transmit personal information or to enable personal information to be viewed remotely for the purposes of recording the attendance of a pupil at school, establishing or tracking the location of a pupil on school grounds, or both.
Michigan
Radio Frequency Identification Devices (MI H 5091)
Prohibits inclusion of radio frequency identification devices (RFID) or similar devices in driver licenses or other licenses.
International Civil Aviation Organization (MI HCR 42)
Memorializes Congress not to rely on the passport standards of the United Nations’ International Civil Aviation Organization in the creation of any “dual-purpose driver license initiative” in the United States, specifically as it would pertain to the incorporation of radio frequency identification chips into a state’s driver license.
Identification Security Enhancement Act (MI HR 98)
Memorializes Congress to repeal Title II of the REAL ID Act of 2005 and to support a return to a negotiated rulemaking process with the states, the Identification Security Enhancement Act of 2006.
New Hampshire
Tracking Devices (NH H 686)
Regulates the use of tracking devices in consumer products by requiring labels that inform consumers of their presence. This bill also restricts the circumstances under which the state may use electronic tracking devices, and prohibits a private citizen from electronically tracking another person without that person’s consent.
Rhode Island
State Affairs and Government (RI H 8027)
Restricts the use of radio frequency identification devices for the purpose of tracking the movement or identity of an employee, student or client as a condition of obtaining a benefit or services from such agency.
Simitian’s legislation has served as a rallying cry for the ID industry. Before it, many vendors hadn’t given much thought to educating lawmakers on what their technology does or how it works until laws that banned it were proposed. Now many ID vendors have lobbyists who track the different bills and attempt to combat restrictive legislation.
ID vendors have now focused on state lawmakers, which takes a lot of time and money, explained one lobbyist who works for the smart card industry. Biometrics technology has also come under fire from some state legislators. In 2007, a law passed in Illinois prohibiting the use of biometrics in schools without parental consent. A similar law has been passed in Iowa and another is being proposed in Arizona.
The industry says there are two obstacles that identification vendors have to overcome for people to accept these different technologies. First is the misconception of the actual use of these technologies because of how they have been portrayed and defined in films and the mainstream media. Second, and arguably more importantly, vendors need to make sure the technology is being used properly, and that it ensures privacy rather than jeopardizes it.
ID 101
The most common term bandied about, especially in the mainstream media, is RFID. Lawmakers and the media use this term as a catch-all for any type of technology that uses radio frequency waves to transmit data so information can be read remotely, whether it’s from 30 feet or 30 centimeters. “It’s difficult to challenge some of the statements because they’ll say ‘I read it in the Washington Post,’” says Kathleen Carroll, director of government relations at HID Global, an Irvine, Calif.-based ID vendor.
Carroll’s job is to keep track of all legislation dealing with RFID and to talk to legislators in areas where bills are pending. She says educating legislators and the media is an issue, and the industry needs to come up with a single message. “Yes these technologies communicate via radio waves but so do cell phones and car radios,” she says. “They need to be educated on the differences of the technologies. If you look at this different legislation it’s all the same; these legislators truly believe it’s privacy invasive.”
The smart card industry argues that its technology should not be labeled as RFID, but instead should be referred to as contactless smart cards. These microprocessors are used in electronic passports and many of the contactless payment technologies used by banks. The information stored on a contactless smart card chip can only be read from a short distance and is typically encrypted.
RFID, on the other hand, typically transmits information from a much greater distance, measuring in feet instead of inches. Also, RFID tags have small memory capacities. The data being sent is typically a serial number that corresponds with information stored in a database. RFID has its roots in supply chain management and the tracking of pallets and supplies, though retailers eventually want to use the technology to track single items and merchandise and have it replace bar codes.
But not everyone agrees that the long-read technology is for product tagging only. The Pass Card, issued by the U.S. Department of State, and the Enhanced Driver Licenses, issued by Washington State and being considered by states, both use long-range RFID. These new documents can be used in place of a passport book at land border crossings between the U.S., Canada and Mexico. The card transmits a unique identification number that links to the cardholder’s information stored in a database that is accessed by border control.
As a cardholder approaches the border crossing, the card is placed on the dashboard and is read as the car nears the checkpoint. When the car pulls up to the border official, the official will already have reviewed the information, and there is little left to do before the passenger can go on his way.
Additionally, RFID technology has been used in education. A suburban Chicago school is using the technology to let students leave campus for lunch. The University of Washington in Seattle is experimenting with RFID to track faculty, students, staff and supplies in its computer science building (See ID applications that scare the public).
The smart card industry insists that using RFID chips in personal ID projects compromises security. It says contactless smart card technology should be excluded from the proposed legislation because it helps protect privacy. Also, associating contactless technology with RFID could be problematic if implementers of the latter technology run into privacy problems. “If you have a failure with an RFID project it’s going to taint all the future projects,” says one industry lobbyist.
RFID advocates say the technology is safe because it cannot be used to track individuals outside of a network. For example, if a retailer uses RFID in clothing to track supplies, the likelihood of that tag being read outside of the store is small, says Carroll. “The infrastructure to read the tag outside the store isn’t there,” she says.
ID technology hurt by “Minority Report”
Misrepresentation of the technology in the news media is one issue; another is how it’s portrayed in films and on television. The biometrics industry in particular feels as though it has been poorly represented, says Walter Hamilton, chairman of the International Biometric Industry Association. Movies like “Minority Report” and television shows like “Alias” focus on biometrics being used to track individuals, or being taken and then used to impersonate the individual. “A lot of fear and distrust have been fostered by Hollywood,” Hamilton says.
In “Minority Report” characters’ iris patterns were read by video cameras, resulting in advertisements tailored specifically to them. When Tom Cruise’s character was on the run, he had to get an iris transplant in order to evade the authorities. A number of episodes of “Alias” featured Jennifer Garner’s character capturing someone else’s biometric and using the data to gain access to a secure space or computer files. The likelihood that these things happen in real life is slim, but the movies have influenced how individuals think about the technology now, says Hamilton.
Countless movies and TV shows also have portrayed the use of copied fingers to gain access somewhere. This has led to a belief that fingerprint images are easily copied and can be used for illegal activities.
A recent effort by hackers who are against the use of biometrics has kept this thought going as well. In April, the Chaos Computer Club, a group of German hackers, published German Secretary of the Interior Wolfgang Schäuble’s fingerprints. They plan to publish more fingerprints as well, including those of German Chancellor Angela Merkel. The group published the fingerprint as a show of opposition to Germany’s increasing push to use biometrics in e-passports. Schäuble’s fingerprints were captured from a glass he drank from at a panel discussion.
The club published 4,000 copies of their magazine “Die Datenschleuder” including a plastic foil reproducing the minister’s fingerprint – ready to glue to someone else’s finger. The club also has a page on its site detailing how to make fake fingerprints. A ministry spokesman alluded to possible legal action against the club.
British civil rights groups No2ID and Privacy International are copying the Germans. The groups are offering $2,000 for the fingerprints of British Prime Minister Gordon Brown and Home Secretary Jacqui Smith.
IBIA’s Hamilton downplays these efforts. Even if someone captures another individual’s biometric information, what are they going to do with it? There’s also the fact that individuals leave their biometric information behind and the information is not top secret. “There’s a flawed logic behind this,” he says. “People believe biometric data is a secret and it isn’t.”
The chance that someone can steal someone else’s biometric, create copies, and then use them is small, Hamilton says. Much has been made of the possibility of fooling a biometric scanner. In the past, fingerprint sensors have been spoofed by creating gelatin molds of a finger and iris scanners by holding up a large, detailed picture of a user’s iris to the scanner. The industry has known these spoofs are an issue and has taken measures to fix them.
“Most of the biometric scanners not only measure the pattern, but they check to see if the sample has characteristics of living tissue,” he says. “You have fingerprint sensors that check the electrical frequency of skin and iris scanners that look for incidental movement.”
Helping privacy, not hindering it
The argument most commonly used as to why biometrics shouldn’t be used in public schools relates to privacy concerns. Hamilton argues that when used correctly, biometrics are a privacy-enabling technology. Using fingerprints for school lunch programs is one of the most successful biometric applications with probably thousands of deployments, Hamilton says.
The positives of a biometric school lunch program outweigh the negatives, Hamilton says. Students don’t have to remember a code, student ID or money for a fingerprint system. It also provides anonymity for those students receiving subsidized school lunch programs. “Kids aren’t pulling a special card out and they’re not subject to ridicule from other students,” he says. “It has great benefits in terms of convenience because kids have their biometric with them at all times.”
Hamilton agrees that schools need to protect biometric data. The IBIA has a set of principles that companies should abide by when deploying biometric systems, including encrypting the data and making sure it doesn’t fall into the wrong hands. “Biometric data has to be protected, it shouldn’t be shared or disclosed without the knowledge or consent of the owner,” he says.
But even if the biometrics fall into someone else’s hands, it’s likely to cause less damage than losing a Social Security or credit card number, Hamilton argues. “Being able to hack into someone’s password, or get someone’s PIN is pretty simple,” he contends. “It’s very difficult, however, if not improbable, to take another person’s biometric and use that to mimic his identity to access sensitive information.”
“The technology is supposed to protect privacy, it’s not something to thwart privacy. I’m amused at people who have a fear of technology. If I lost my credit card tomorrow and the issuer was using biometrics to authenticate the purchases, I couldn’t care less if I lost my card.”
Hamilton admits that there are applications for biometrics that are worrisome, for example, when the technology is used to track individuals. This was an application that worried many after the terrorist attacks of Sept. 11. Some vendors hyped the technology, saying it could pick a terrorist out of a crowd at a sporting event or at an airport. “The technology isn’t that robust,” Hamilton says.
In the end, it all comes down to how the different ID technologies are deployed. “Technology can be implemented in a variety of different ways,” Hamilton says. “It’s engineered to be privacy neutral but it’s the application that determines whether there are privacy implications.”