May 17 2010

What happens when you “show” ID?

It’s tempting to think that when you show a business or government agency your identity credentials, all that happens is an ID “check”.  They verify that your ID is genuine, and that it shows that you are in a category of people who are authorized to cross a border, buy alcohol, operate a motor vehicle, or whatever.  And then you’re on your way.

What’s wrong with this?  Demands for ID are wrong, but what’s also wrong with this picture is that, increasingly often, this isn’t all that’s happening.

A new product announcement shows how much more than “verification” is sometimes going on behind the scenes.  A press release from Uveritech announces their new North American franchise to distribute a document authenticator made by L-1 Identity Solutions, the prime contractor for producing US drivers licenses as well as many countries’ passports.

L-1’s website describes the desktop device as, “A combined hardware and software product that automatically authenticates a wide range of documents, including passports, visas, immigration cards, driver’s licenses and military ID cards.”  But the product description shows that it performs much more than mere “authentication”, including scanning, optical character recognition (conversion of the image of the document to text), and reading of RFID chips in passports, enhanced drivers’ licenses, and other documents, as well as:

  • “Automatically Cross Reference Smartchip data in the MRZ [Machine Readable Zone].
  • “Collect and organize data and images from document transactions through the configurable options in the embedded relational database….
  • “Print and/or send … executable files with the images….
  • “Seamlessly integrate with any existing government or commercial network infrastructure, (i.e. Australian Customs, ABN AMRO, Brazilian Border Police.)”

So what’s being advertised under the rubric of “authentication” is actually automated capture of information about you (not just the visible data but also the machine-readable data in the magnetic stripe, lines of OCR type, and/or RFID chip, using L-1’s expertise in document and data formats derived from its role as government contractor ), conversion of this information about you to standardized digital format, loading of this data into an embedded relational databases, and “seamless[] integrat[ion]” of that database “with any existing government or commercial network infrastructure”.

Still feeling sanguine that it’s “just a quick check” of your ID, after which you can be on your way without further concern for future repercussions as long as you’ve been allowed to pass?

There’s no mention of what the user of this “authenticator” might do with the data they collect and retain.  State drivers licensing agencies, and L-1 in its role as their contractor, are somewhat restricted in their legal ability to disclose drivers license data obtained from the government. But there are no restrictions whatsoever on what a bank, bar, or other business can do with information it collects from your ID credentials — even if you show those credentials to satisfy a government requirement.  So L-1 could, entirely legally, aggregate the data from ID presented to all of the users of its network of authentication/scanning/data capture workstations to crowd-source a parallel database of drivers license, passport, etc. data — which they would be legally free to use, sell, or disclose to others without your knowledge or consent.  And of course they can augment the data from your ID itself with data about why, where, and when you showed that ID, such as to buy a drink at a certain bar in a certain place at a certain time and date.  Aggregated, they can get your drinking or bar-attendance pattern for all the bars that use this device and network.

This device is also puts the lie to the claim made to us by the US State Department that only government agencies, not businesses, would ever have the motivation or ability to read the data on RFID chips in passports and other ID.

As the capabilities of this latest ID check product exemplify, inherent in every ID checkpoint is the surveillance potential for logging of ID checks to create permanent dossiers about our individual behavior and movements, and the potential for control of what we can do, where we can go, etc. based on our ID credentials and those individual dossiers.  And because those records are permanent, there’s always the possibility that activities that are currently permitted without penalty will, sometime in the future, come to be the basis for restrictions or sanctions.

With today’s automated systems for data capture — document scanners, surveillance cameras, OCR software, RFID chip readers — and cheap data storage, it’s almost never about just about “showing” ID.

One thought on “What happens when you “show” ID?

  1. Pingback: Monday, May 24, 2010 « The Jeff Farias Show

Leave a Reply

Your email address will not be published. Required fields are marked *