Hacker and researcher Chris Paget has demonstrated the ability to read the globally unique serial numbers on RFID chips in passport cards and electronic drivers licenses in the purses and pockets of pedestians on the street from a passing car, at least 30 feet (9 m) away, and to make cloned copies that broadcast the same ID numbers, using a laptop computer and commercial surplus hardware bought on eBay for $250.
(Comments of the Identity Project at a workshop on “What’s on the agenda in the USA and Canada?” at the annual conference on Computers, Privacy, and Data Protection, Brussels, 16-17 January 2009)
Two major issues have emerged in the last year in relation to personal data about travel: (1) The overall goal of the government of the USA in its various policy initiatives on “travel security” has become increasingly clear. The USA is seeking to establish a global norm that:
Maryland’s governor and transportation secretary have announced that they will seek legislation to change the state’s long-standing policy on driver’s license registration and require proof of legal residence before issuing the cards to state residents. Maryland is hoping to make this change as it begins implementing the federal REAL ID national identification system. The governor had rejected a previous proposal for a two-tier system that would have allowed the issuance of a lower-tier license to individuals unwilling to show such proof.
According to the Maryland Motor Vehicle Association’s site, REAL ID implementation means that. “Effective January 1, 2010, individuals applying for a new license will be required to show documentation to prove that they are in the United States legally.” Driver’s license applicants will have to show “Documents such as Social Security Card, U.S. Birth Certificate, U.S. Naturalization of Citizenship, Valid U.S. Passport, Valid Foreign Passport with Visa, U.S. Permanent Residency Card” or other documents to prove their legal presence in the United States.
We have previously detailed the many privacy and security problems that arise from requiring such documentation for a state driver’s license, but let’s focus on the immigration issue that Maryland is attempting to address. Read More
The New York Times has a story today about Arizona Gov. Janet Napolitano’s nomination as Obama’s Secretary of Homeland Security. The story states that in this new position, Napolitano would have to lead the REAL ID program, a national identification scheme that DHS is attempting to foist on the states. As governor of Arizona, Napolitano signed legislation to join 10 other states in rejecting this national ID program.
The substantial civil liberty problems inherent in this scheme to create a national database of the country’s driver’s license and state ID cardholders won’t disappear if Napolitano replaces Michael Chertoff as the head of DHS. Napolitano should stick to her beliefs and reject this system. As governor, Napolitano focused on the high cost of implementing this national ID system to the states, and these costs will remain substantial if the new administration implements the system created under Chertoff.
In The Identity Project’s recommendations to the Obama transition team, we urged the repeal of REAL ID. Besides the civil liberty problems, REAL ID also has security problems. Those of us who have been following the REAL ID issue, as well as other identification-based security programs, know that there is no sure way for an individual to prove his or her identity based merely on documents that can be easily forged. Therefore, REAL ID would create a system that people would trust even though they shouldn’t — because criminals and terrorists can spend the time and money necessary to forge these “trusted” ID cards.
REAL ID is a fundamentally flawed national ID system for which there is no fix. It must be repealed, and Napolitano should halt the implementation when she takes office.
USA Today has a story on the new long-range RFID scanners reading ID cards as individuals drive toward the border.
“By the time a car stops at the Customs booth, the agent will have the photos and information of everyone in the car. If a name is on a watch list or database, the person will be taken in for questioning. The system will be “more efficient,” says Thomas Winkowski of Customs and Border Protection.”
DHS claims that the unsecured wireless transmissions will make border crossing more efficient, but why is Homeland Security choosing speed over security.
As we’ve explained before, there are numerous privacy and civil liberty problems connected with using RFID tags in identification documents. Off-the-shelf readers can easily skim the data.
Currently, the RFID-enabled ID cards only transmit a unique number to allow border agents to pull up an individual’s file. However, the Department of Homeland Security could easily add more data to the ID card, especially if the agency can convince people to use the RFID-enabled card as an “all-in-one” identification document – where you could use it when you go to the bank, grocery store, gym, school, and more. Read More
The Obama Administration promises change, and invites suggestions for their agenda.
Since they’ve asked, here are the first things we think the new administration should do to restore our right to travel, and to address the issues of ID requirements and identity-based government surveillance and control of travel and movement.
Some of these can be accomplished with the stroke of a pen on Inauguration Day in January, through Presidential proclamations and directives to Executive staff and agencies. Others can be ordered by the President, but will require a slightly longer process to comply with administrative notice and comment requirements for changes to (and, in many cases, withdrawal of) Federal regulations. Others will require legislation, which we urge the Presidential transition team and members of Congress to begin drafting so they can take action early in the new Congressional session. If asked, we would be available to advise and participate in this process. Finally, Senators should question nominees for Executive appointments —especially those nominated to be the new Secretary of Homeland Security and the Administrator of the TSA – about how they will address specific, important issues from the day they take office. These questions are detailed below (and also available here in PDF format).
Executive Orders:
Now that the TSA has released their final rule for the Secure Flight program, which would extend DHS control and surveillance of airline passengers to domestic flights, what happens next (after the final rule is published in the Federal Register, which normally happens within a week or so)?
Under the laws appropriating the funds for TSA and DHS operations, the next step should be review by the Government Accountability Office (GAO). Section 522 of the Homeland Security Appropriations Act 2005 provides:
None of the funds provided by this or previous appropriations Acts may be obligated for deployment or implementation, on other than a test basis, of the Computer Assisted Passenger Prescreening System (CAPPS II) or Secure Flight or other follow on/successor programs, that the Transportation Security Administration (TSA), or any other Department of Homeland Security component, plans to utilize to screen aviation passengers, until the Government Accountability Office has reported to the Committees on Appropriations of the Senate and the House of Representatives that: [10 specified criteria have been met]. Read More
The lawyer for Legrand Jones had argued that it’s not a crime to refuse to identify yourself to police. Attorney William Ferrell said police were stopping people without cause during the July protest to gather information and discourage demonstrators. Under state law, it’s not a crime to refuse to identify oneself to police. “The Washington Supreme Court struck down Washington’s former ‘stop and identify’ statute,” Ferrell wrote in court filings. “In doing so, they made the following observation, a detainee’s refusal to disclose his name, address, and other information cannot be the basis of an arrest.”
Ferrell also said the case was important in the context of citizens’ freedom of speech. “Police were stopping people for real or imaginary criminal activities and asking for identification,” he said. “It was a tactic to gather intelligence. “It goes without saying that is has a chilling effect on people’s First Amendment rights and might keep people from going to protests.”
It is unclear whether the city will appeal the ruling.
Edward Hasbrouck of the Identity Project will be on the Katherine Albrecht Show today from 5-6 p.m. Eastern Time (2-3 p.m. Pacific time), talking about Secure Flight. The Katherine Albrecht Show is syndicated nationally on the Genesis Communications Network. You can also listen to the show live online, and we’ll be taking listener questions on the air. If you missed the live broadcast, the archive of this hour of the show is available here as a downloadable mp3 podcast.
Even before the Secure Flight proposal goes into effect (and before there is any experience of whether it can be implemented or how it will work), the TSA is proposing to extend its air travel control and surveillance principles from passenger airlines to general aviation and all-cargo flights.
On October 9, 2008, the TSA issued a press release and a Notice of Proposed Rulemaking (NPRM) for a so-called “Large Aircraft Security Program” (LASP) for unscheduled and noncommerical flights. LASP is explicitly modeled on Secure Flight, but with an additional twist: Instead of being required to submit personal information about each passenger to, and receive permisison from, the TSA, operators of “large” general aviation and cargo aircraft will be required to submit this data to, and get permisison from, a new class of private commercial data aggregation companies: “Watch-List Service Providers”.