<< RIM CoP Workshop Toronto – June 16, Information Policy Research Program, 2 Identity, Privacy and Security Initiative & 3 Knowledge Media Design Institute Faculty of Information, University of Toronto Andrew Clement 1,2,3, with Alison Benjamin, 1,3 Krista Boa, 1 Joseph Ferenbok, 1,2,3 Dave Kemp, 1,3 Brenda McPhail, 1 Karen Smith 1,3 & Alex Tichine 2 Ontario's Enhanced Driver’s Licence: Implications for Records Management +
Overview Performing Identities research project Unpacking Ontario’s DL proposals –Science and Technology Studies perspectives –Facial recognition screening –RFID for border crossing Records management issues Discussion
Performing Identities An alternative approach to identity research Identity re-conceptualized –as multiple, partial, context-specific, performative Policy engagement –interact with and learn from policy actors and designers Public education Subject perspectives Ethnographically informed
Mock ID cards See: TotalTransparencySolutions.pbworks.com
SafeTBioID Prototype of SafeTBioID TM name card 2D barcode with full personal data for remote optical reading Personal risk factors A=Athletes Foot D=Internet Obsessive Disorder I=Insomnia L=Lung Cancer O=Overweight P=Pregnancy Public risk factors B=Anti-Social Behaviour F=Flatulence H=Hijacking L=Lung Cancer O=Overweight P=Pregnancy RFID tag with full personal data for remote wireless reading Biometric samples provided: B=Blood F=Feces H=Hair N=Finger Nail S=Saliva U=Urine Public risk score: 0-99=Safe =Caution =Watch out! =Lock up now High Public risk attendee T O T A L T R A N S P A R E N C Y S O L U T I O N S
Current Threat: EXTREME ID: 102 Threat score: 140 Bruce
Warning: Known Disguise Warning: Arab sympathizer? Warning: Itinerant/ Unstable? Previous addresses: 101 E Minnehaha Pkwy Minneapolis, MN Fair Oaks Ave #1 Oak Park, IL Army Navy Dr #807 Arlington, VA North Ave #16 Oak Park, IL W Pratt Blvd #1 Chicago, IL Hampshire Green Ln Silver. Sp. MD th St #Pvt, Brooklyn, NY 1090 La Avenida St, Mountain View, CA Born: January 15, 1963 Parents: Schneier, Rebecca (b. 1942) Schneier, Martin (b. 1935) Warning: Liberal sympathizer? 2008 Political Donations: Democratic Congressional Campaign Committee $1000 Moveon.Org $1000 Bruce Schneier
ID we carry - Dave
More Photo ID Art - Karen
ID stories
Ontario Enhanced Driver's Licence
Records management issues Unique RFID tag number – personal info? Protecting the RFID tag number? Creation of a large, biometric, on-line data base for facial recognition Inter-jurisdictional data sharing arrangements Lack of public information and consultation in development process Access to Information requests
[1]
RFID Properties (EPC Gen 2) RFID EDL numbers are unique personal identifiers readable at a range of up to 10m RFID unique numbers are an access key to database records that contain personal information RFID unique numbers are personal information!? This equipment can also: –duplicate EDL tags –turn tag on and off –‘kill’ tag to prevent further reading EPC Gen 2 is insecure and privacy invasive in EDLs cloning self-protection or denial of service?
Unpacking Ontario's Enhanced Driver's Licence Some insights from STS (Science & Technology Studies)
guns don’t kill people kill people
Gun + person You are different with a gun in your hand; the gun is different with you holding it. You are another subject because you hold the gun; the gun is another object because it has entered into a relationship with you. The gun is no longer.. the gun-in-the-drawer or the gun-in-the-pocket, but the gun-in-your-hand … … If we study the gun and the citizen [together] … we realize that neither subject nor object … is fixed. When the [two] are articulated … they become 'someone/something' else. Latour, Pandora’s Hope, pp
Gun + person You are different with a gun in your hand; the gun is different with you holding it. You are another subject because you hold the gun; the gun is another object because it has entered into a relationship with you. The gun is no longer the … the gun-in-the-drawer or the gun-in-the-pocket, but the gun-in-your-hand … … If we study the gun and the citizen [together] … we realize that neither subject nor object … is fixed. When the [two] are articulated … they become 'someone/something' else. Latour, Pandora’s Hope, pp
ID + person You are different with an ID in your hand; the ID is different with you holding it. You are another subject because you hold the ID; the ID is another object because it has entered into a relationship with you. The ID is no longer the … the ID-in-the-drawer or the ID-in-the-pocket, but the ID-in-your-hand … … If we study the ID and the citizen [together] … we realize that neither subject nor object … is fixed. When the [two] are articulated … they become 'someone/something' else. With apologies to Latour, Pandora’s Hope, pp
Actor-Network Theory (ANT) Key concepts Heterogeneous assemblage (of human & non-human actors) Enrolment, alignment of actors into actor-networks Black-box (once the enrolments are sufficiently strong, don’t need to know the internal operations) Agency “…agency is reconceptualised as always a relational effect that can never be located in either humans or nonhumans alone. … Together these inquiries respecify agency from a capacity intrinsic to singular actors, to an effect of practices that are multiply distributed and contingently enacted across humans and things.” Lucy Suchman, Agencies in Technology Design: Feminist Reconfigurations,
The actor-network of my Ontario DL +
The actor-network of Ontario’s DL Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers Wallets 85.6mm x54mm x0.76mm Police AAMVA CBSA CBP CPIC Bars Post office Couriers Merchants Others MTO ServOnt Highway Traffic Act Card devices Drivers DB Vendors FIPPA
The actor-network of Ontario’s DL MTO ServOnt Police AAMVA Highway Traffic Act Card devices Drivers DB Vendors Wallets Bars Post office Couriers CBSA Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers 85.6mmx 54mmx0. 76mm Merchants Others CBP CPIC Others FIPPA
Main DL Actors Human Actors Canadian Ontario Min. Of Transportation (MTO) Service Ontario Police officers Canadian Border Service Agency (CBSA) Vendors Bars Post offices Couriers Merchants other orgs that ask for the DL Can/US American Association of Motor Vehicle Administrators (AAMVA) US US Customs and Border Protection (CBP) Non-Human Actors Documents Highway Traffic Act R.S.O Freedom of Information and Protection of Privacy Act R.S.O Devices Drivers Licence (DL) Image capture and card production devices Wallets Databases Drivers DB Canadian Police Information Centre (CPIC)
FRT Unpacking the EDL/ID proposal in Bill 85, Photo Card Act, 2008 (June) Current DL Proposed DL
FRT Unpacking the EDL/ID proposal in Bill 85, Photo Card Act, 2008 (June) Current DL Proposed DLProposed EDL RFID MRZ For WHTI deadline (June 2009)
FRT Unpacking the EDL/ID proposal in Bill 85, Photo Card Act, 2008 (June) Current DL Proposed DLProposed EDL For non-drivers (2010) Photo ID RFID MRZ
FRT Unpacking the EDL/ID proposal in Bill 85, Photo Card Act, 2008 (June) Current DL Proposed DL
The actor-network of Ontario’s DL MTO ServOnt Police AAMVA Highway Traffic Act Card devices Drivers DB Vendors Wallets Bars Post office Couriers CBSA Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers 85.6mmx 54mmx0. 76mm Merchants Others CBP CPIC Others FIPPA
The actor-network of Ontario’s DL MTO ServOnt Drivers DB Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers
The actor-network of DL + FRT MTO ServOnt Drivers DB Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers Facial Images
FRT - Facial Recognition Tech (aka Photo Comparison Technology) Ontario DL(+ID) database ~10M records Image template
FRT - Facial Recognition Tech (aka Photo Comparison Technology) IPC statements on biometrics: “Given the power and complexity of biometrics, my office has set out strict conditions under which the use of biometrics could be considered. No database of biometric information, … should be created without applying the minimum standards for the use of biometrics, as set out in the Ontario Works Act.” “….there must be no ability to compare biometric images from one database with biometric images from other databases or reproductions of the biometric not obtained from the individual” (Open letter, from Commissioner Cavoukian to Hon. D. Tsubouchi, April 5, 2001)
FRT - Facial Recognition Tech (aka Photo Comparison Technology) Ontario Works Act 1997 standards: the biometric must be stored in encrypted form both on the card and in any database; the encrypted biometric cannot be used as a unique identifier; the original biometric information must be destroyed upon encryption; the stored encrypted biometric can only be transmitted in encrypted form; no program information is to be retained or associated with the encrypted biometric information; there can be no ability at the technical level to reconstruct or recreate the biometric from its encrypted form; there must be no ability to compare biometric images from one database with biometric images from other databases or reproductions of the biometric not obtained from the individual; there can be no access to the biometric database by law enforcement without a court order or specific warrant.
FRT - Facial Recognition Tech (aka Photo Comparison Technology) Evidence for effectiveness? Protection against false positives? Redress? Will a template approach be used? Compliant with Ontario Works Act standards? Security of the database? (e.g. biometric encryption?) Data sharing? Strictly limited and transparent? Protection against function creep? Privacy Impact Assessment? –Independent? Public involvement?
The actor-network of DL + FRT MTO ServOnt Photo Card Act 2008 Drivers DB Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers Facial Images Image Templates ? FRT Vendors FRT software IPC MGS Biometric expert Ontario Works Act 1997 Ontario Legislature
The actor-network of DL + FRT MTO ServOnt Photo Card Act 2008 Drivers DB Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers Facial Images Image Templates ? FRT Vendors FRT software IPC MGS Biometric expert Ontario Works Act 1997 Ontario Legislature
FRT Introducing the RFID for the Enhanced DL Current DL Proposed DLProposed EDL RFID MRZ <<CANCLEMENT<<ANDREW<HOWARD<<< JK123456<5CAN M << For WHTI deadline (June 2009)
Introducing the RFID for the Enhanced DL Current DL Proposed EDL RFID For WHTI deadline (June 2009)
RFID - Radio Frequency ID chip 10m RFID reader US databases Unique identifier Border agent RFID reader ‘Rogue’ databases ‘Black hat’ EDL/ID cardholder CBSA database
DHS Secretary Michael Chertoff On the EDL: “[W]hen you’re coming up to the booth at the land port of entry, if you have to hand your card over and the inspector has to key in your name, that’s five seconds, 10 seconds, plus the possibility of an error. What the chip does is it allows, as you approach, the system to read it and then pop up your information on the screen.” “[I]t’s kind of a REAL ID with an additional feature […] a chip.” Arizona, Dec 6, 2007 see: To an international privacy conference: While some debate has taken place in Canada over the idea of a national ID card, Chertoff said Americans would never stand for it. "Their heads would explode," he said. CP, Montreal, Sep 26,
Canada’s Privacy Commissioners Expressed “their concern that any requirement imposed by the United States government for vicinity radio frequency identification technology (“RFID”): 1. permits surreptitious location tracking of individuals carrying an EDL; and 2. does not encrypt or otherwise protect the unique identifying number assigned to the holder of the EDL and would not protect any other personal information stored on the RFID” They called on the Government of Canada, and participating provinces and territories, “to take steps to ensure the security of personal information stored on EDL RFID tags and to prevent the possibility of surreptitious location tracking." Victoria, February 5,
RFID - Radio Frequency ID chip Why choose a notoriously insecure vicinity RFID (i.e.UHF EPC Gen 2), rather than a proximity RFID? (10m vs 10cm range)? What protection against covert sniffing, interception, or other identification attacks? Can the ‘protective sleeve’ possibly be effective? Why isn’t the unique RFID number treated as personal information? e.g. Why no encryption? What protections for Canadians’ data in US? Has DHS bullied Canada into an inferior approach?
Other rationales for including RFID? Integration with REAL ID, as de facto NA ID card? Population surveillance capability with Human ID at a distance (HumanID) - Total Information Awareness What protection against this function creep?
The actor-network of EDL/RFID MTO ServOnt Photo Card Act 2008 Drivers DB EDL RFID Priv Comm MGS Ontario Legislature Police AAMVA CBSA CBP DHS US Congress CBP DB CBSA DB IRPTA WHTI REAL ID MOU “US public” Secure Flight.. ICEPIC.. Passenger Protect Protective Sleeve convenie nt cheap fast Passport bulky costly slow RFID reader SPP RFID vendors
The actor-network of EDL/RFID MTO ServOnt Photo Card Act 2008 Drivers DB EDL RFID Priv Comm MGS Ontario Legislature Police AAMVA CBSA CBP DHS US Congress CBP DB CBSA DB IRPTA WHTI REAL ID MOU Smartcard AllianceACLU“US public” Secure Flight.. ICEPIC.. EPIC Passenger Protect Contact- less Smart Card ACT Protective Sleeve CoC North American National ID card “Canadian public”BTA ICLMG privacy protective secure surveillanc e enabling Passport bulky costly slow secure versatile RFID reader SPP RFID vendors convenie nt cheap fast On/Off switch
Main EDL/RFID Actors (Human) Human Actors Canadian Ontario Min. Of Transportation (MTO) Service Ontario Police officers Canadian Border Service Agency (CBSA) Vendors Bars Post offices Couriers Merchants other orgs that ask for the DL Ontario Legislature Min of Gov Services (CIPO) Information and Privacy Commissioner (IPC) Biometric expert FRT vendor(s) Human Actors - cont Privacy Commissioners (PC) Advanced Card Association of Canada ACT (industry lobby org) International Civil Liberties Monitoring Group (ICLMG) Council of Canadians (CoC) Consumer Council of Canada (CCC) GS1 Canada (Industry stds. body) Can/US American Association of Motor Vehicle Administrators (AAMVA) Binational Tourism Alliance (BTA) US US Customs and Border Prot’n (CBP) Smart Card Alliance (ind. lobby) American Liberties Union (ACLU) Digimarc (vendor of US EDLs) L-I Identity Solutions (identity product conglomerate)
Main DL/RFID Actors (Non-Human) Non-Human Actors Documents Highway Traffic Act R.S.O Freedom of Information and Protection of Privacy Act R.S.O Ontario Works Act 1997 Photo Card Act 2008 (Bill 85) US Intelligence Reform and Terrorism Prev’n Act (IRTPA) 2004 Western Hemisphere Travel Initiative (WHTI) REAL-ID Act (US, 2005) Smart Border Agreement and Action Plan (US+CA) Security and Prosperity Partnership (SPP) Memorandum of Understanding (MOU) US+CAN, CAN+Ont Privacy Impact Assessment (PIA) Threat Assessment (TA) Non-Human Actors cont. Devices Drivers Licence (DL) * Image capture and card production Wallets FRT software Enhanced Drivers Licence (EDL) RFID (EPC Gen 2 RFID Tags) Tag number Protective sleeve On/off switch Contactless Smart Card (CSC) REAL ID card NEXUS card PASS card Passport Biometric passport National ID card
Main EDL/RFID Actors (Non-Human) Non-Human Actors cont. Databases Drivers DB Drivers facial image DB Drivers facial image template DB ?? Canadian Police Information Centre (CPIC) Immigration and Customs Enforcement Pattern Analysis and Information Collection System (ICEPIC) includes: –Treasury Enforcement Communications System, –Student and Exchange Visitor Information System, –National Security Entry Exit Registration System, –U.S. Visitor and Immigrant Status Indicator Technology program Non-Human Actors cont. Databases (cont.) Secure Flight? Passenger Protect? Distances 10m (range of RFID) 10cm (range of CSC) Borders: US/Canada Dates: Sept 11, 2001 (9/11) Jan 23, 2007 (WHTI implemented for US/Can air travel) June 2009 (WHTI implemented for US/Can land/sea travel)
Evaluating the EDL/ID proposals - the Oakes Four Part Test The burden of proof must always be on those who claim that some new intrusion or limitation on privacy is necessary. Any proposed [security, identity] measure must meet a four-part test: 1. Necessary: It must be demonstrably necessary in order to meet some specific need 2. Effective: It must be demonstrably likely to be effective in achieving its intended purpose. In other words, it must be likely to actually make us significantly safer, not just make us feel safer. 3. Proportionate: The intrusion on privacy must be proportional to the security benefit to be derived. 4. Minimal: and it must be demonstrable that no other, less privacy-intrusive, measure would suffice to achieve the same purpose. Privacy Commissioner of Canada, Nov’02, derived from Oakes ? ? ? ?
Summary - EDLs are a bad idea Four-part test Necessary Effective Proportionate Minimal FRT RFID ? Passport Stop! Think again Still preferable Stop! Think again
Records management issues Unique RFID tag number – personal info? EDL Applicants Guide: “The chip … contains a unique identification number only and does not contain any personal information” p.4 IP Commissioner: “WRONG” Privacy by Design, p. 209 Protecting the RFID tag number? Creation of a large, biometric, on-line data base for facial recognition Effectiveness? Redress? Scope creep? Oversight? Inter-jurisdictional data sharing arrangements Details not yet available, What oversight?
Records management issues Lack of public information and consultation in development process Bare minimum of public info, Legislative hearings ill-informed and pro forma, No feedback on regulations consultation, Access to Information requests Professional handling – timely, courteous, efficient,… Many (excessive?) redactions of key info
[IPRP] Information Policy Research Program Check out the FAQ, webcasts, videos and on-line discussion forum at : IDforum.ca