RIM CoP Workshop Toronto – June 16, 2009

Ontario's Enhanced Driver’s Licence: Implications for Records Management. RIM CoP Workshop Toronto – June 16, 2009. Andrew Clement, with Alison Benjamin, Krista Boa, Joseph Ferenbok, Dave Kemp, Brenda McPhail, Karen Smith & Alex Tichine.


Presentation Transcript


  1. Ontario's Enhanced Driver’s Licence: Implications for Records Management. RIM CoP Workshop Toronto – June 16, 2009. Andrew Clement (1,2,3), with Alison Benjamin (1,3), Krista Boa (1), Joseph Ferenbok (1,2,3), Dave Kemp (1,3), Brenda McPhail (1), Karen Smith (1,3) & Alex Tichine (2). Affiliations: (1) Information Policy Research Program, (2) Identity, Privacy and Security Initiative & (3) Knowledge Media Design Institute; Faculty of Information, University of Toronto

  2. Overview • Performing Identities research project • Unpacking Ontario’s DL proposals • Science and Technology Studies perspectives • Facial recognition screening • RFID for border crossing • Records management issues • Discussion

  3. Performing Identities: An alternative approach to identity research • Identity re-conceptualized • as multiple, partial, context-specific, performative • Policy engagement • interact with and learn from policy actors and designers • Public education • Subject perspectives • Ethnographically informed

  4. Mock ID cards See: TotalTransparencySolutions.pbworks.com

  5. Prototype of SafeTBioID™ name card (TOTAL TRANSPARENCY SOLUTIONS). Card label: High Public risk attendee. Biometric samples provided: B=Blood F=Feces H=Hair N=Finger Nail S=Saliva U=Urine. Personal risk factors: A=Athletes Foot D=Internet Obsessive Disorder I=Insomnia L=Lung Cancer O=Overweight P=Pregnancy. Public risk factors: B=Anti-Social Behaviour F=Flatulence H=Hijacking L=Lung Cancer O=Overweight P=Pregnancy. Public risk score: 0-99=Safe 100-199=Caution 200-350=Watch out! 350-499=Lock up now. RFID tag with full personal data for remote wireless reading. 2D barcode with full personal data for remote optical reading.

  6. Current Threat: EXTREME Bruce ID: 102 Threat score: 140

  7. Bruce Schneier Born: January 15, 1963 Parents: Schneier, Rebecca (b. 1942) Schneier, Martin (b. 1935) Warning: Known Disguise Warning: Arab sympathizer? Warning: Itinerant/ Unstable? Previous addresses: 101 E Minnehaha Pkwy Minneapolis, MN 55419 730 Fair Oaks Ave #1 Oak Park, IL 60302 1300 Army Navy Dr #807 Arlington, VA 22202 7115 North Ave #16 Oak Park, IL 60302 1935 W Pratt Blvd #1 Chicago, IL 60626 1711 Hampshire Green Ln Silver. Sp. MD 20903 17th St #Pvt, Brooklyn, NY 1090 La Avenida St, Mountain View, CA 94043 Warning: Liberal sympathizer? 2008 Political Donations: Democratic Congressional Campaign Committee $1000 Moveon.Org $1000

  8. ID we carry - Dave

  9. More Photo ID Art - Karen

  10. ID stories

  11. Ontario Enhanced Driver's Licence

  12. Records management issues • Unique RFID tag number – personal info? • Protecting the RFID tag number? • Creation of a large, biometric, on-line data base for facial recognition • Inter-jurisdictional data sharing arrangements • Lack of public information and consultation in development process • Access to Information requests

  15. RFID Properties (EPC Gen 2) • RFID EDL numbers are unique personal identifiers readable at a range of up to 10m • RFID unique numbers are an access key to database records that contain personal information • RFID unique numbers are personal information!? This equipment can also: • duplicate EDL tags • turn tag on and off • ‘kill’ tag to prevent further reading. EPC Gen 2 is insecure and privacy invasive in EDLs. Callouts: cloning; self-protection or denial of service?

  16. Unpacking Ontario's Enhanced Driver's Licence: Some insights from STS (Science & Technology Studies)

  17. guns don’t kill people people kill people

  18. Gun + person You are different with a gun in your hand; the gun is different with you holding it. You are another subject because you hold the gun; the gun is another object because it has entered into a relationship with you. The gun is no longer .. the gun-in-the-drawer or the gun-in-the-pocket, but the gun-in-your-hand … … If we study the gun and the citizen [together] … we realize that neither subject nor object … is fixed. When the [two] are articulated … they become 'someone/something' else. Latour, Pandora’s Hope, pp. 179-180.

  19. Gun + person You are different with a gun in your hand; the gun is different with you holding it. You are another subject because you hold the gun; the gun is another object because it has entered into a relationship with you. The gun is no longer the … the gun-in-the-drawer or the gun-in-the-pocket, but the gun-in-your-hand … … If we study the gun and the citizen [together] … we realize that neither subject nor object … is fixed. When the [two] are articulated … they become 'someone/something' else. Latour, Pandora’s Hope, pp. 179-180.

  20. ID + person You are different with an ID in your hand; the ID is different with you holding it. You are another subject because you hold the ID; the ID is another object because it has entered into a relationship with you. The ID is no longer the … the ID-in-the-drawer or the ID-in-the-pocket, but the ID-in-your-hand … … If we study the ID and the citizen [together] … we realize that neither subject nor object … is fixed. When the [two] are articulated … they become 'someone/something' else. With apologies to Latour, Pandora’s Hope, pp. 179-180.

  21. Actor-Network Theory (ANT) Key concepts • Heterogeneous assemblage (of human & non-human actors) • Enrolment, alignment of actors into actor-networks • Black-box (once the enrolments are sufficiently strong, don’t need to know the internal operations) • Agency “…agency is reconceptualised as always a relational effect that can never be located in either humans or nonhumans alone. … Together these inquiries respecify agency from a capacity intrinsic to singular actors, to an effect of practices that are multiply distributed and contingently enacted across humans and things.” Lucy Suchman, Agencies in Technology Design: Feminist Reconfigurations, http://www.lancs.ac.uk/fass/sociology/papers/suchman-agenciestechnodesign.pdf

  22. The actor-network of my Ontario DL +

  23. The actor-network of Ontario’s DL MTO ServOnt Vendors Highway Traffic Act Card devices FIPPA Wallets 85.6mm x54mm x0.76mm Drivers DB Police CPIC CBSA AAMVA CBP Others Others Bars Others Couriers Merchants Post office Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers

  24. The actor-network of Ontario’s DL MTO ServOnt Others Vendors Others Bars Highway Traffic Act Card devices FIPPA Others Wallets 85.6mmx54mmx0.76mm Couriers Drivers DB Merchants Police Post office CPIC Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers CBSA AAMVA CBP

  25. Main DL Actors. Non-Human Actors. Documents: • Highway Traffic Act R.S.O. 1990 • Freedom of Information and Protection of Privacy Act R.S.O. 1990 Devices: • Drivers Licence (DL) • Image capture and card production devices • Wallets Databases: • Drivers DB • Canadian Police Information Centre (CPIC). Human Actors. Canadian: • Ontario Min. Of Transportation (MTO) • Service Ontario • Police officers • Canadian Border Service Agency (CBSA) • Vendors • Bars • Post offices • Couriers • Merchants • other orgs that ask for the DL Can/US: • American Association of Motor Vehicle Administrators (AAMVA) US: • US Customs and Border Protection (CBP)

  26. Unpacking the EDL/ID proposal in Bill 85, Photo Card Act, 2008 (June) Proposed DL Current DL FRT

  27. Unpacking the EDL/ID proposal in Bill 85, Photo Card Act, 2008 (June) RFID Proposed DL Proposed EDL Current DL FRT MRZ For WHTI deadline (June 2009)

  28. Unpacking the EDL/ID proposal in Bill 85, Photo Card Act, 2008 (June) RFID Proposed DL Proposed EDL Current DL FRT MRZ For non-drivers (2010) Photo ID Photo ID

  29. Unpacking the EDL/ID proposal in Bill 85, Photo Card Act, 2008 (June) Proposed DL Current DL FRT

  30. The actor-network of Ontario’s DL MTO ServOnt Others Vendors Others Bars Highway Traffic Act Card devices FIPPA Others Wallets 85.6mmx54mmx0.76mm Couriers Drivers DB Merchants Police Post office CPIC Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers CBSA AAMVA CBP

  31. The actor-network of Ontario’s DL MTO ServOnt Drivers DB Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers

  32. The actor-network of DL + FRT MTO ServOnt Facial Images Drivers DB Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers

  33. FRT - Facial Recognition Tech (aka Photo Comparison Technology) Image template Ontario DL(+ID) database ~10M records

  34. FRT - Facial Recognition Tech (aka Photo Comparison Technology) IPC statements on biometrics: “Given the power and complexity of biometrics, my office has set out strict conditions under which the use of biometrics could be considered. No database of biometric information, … should be created without applying the minimum standards for the use of biometrics, as set out in the Ontario Works Act.” “….there must be no ability to compare biometric images from one database with biometric images from other databases or reproductions of the biometric not obtained from the individual” (Open letter, from Commissioner Cavoukian to Hon. D. Tsubouchi, April 5, 2001)

  35. FRT - Facial Recognition Tech (aka Photo Comparison Technology) Ontario Works Act 1997 standards: • the biometric must be stored in encrypted form both on the card and in any database; • the encrypted biometric cannot be used as a unique identifier; • the original biometric information must be destroyed upon encryption; • the stored encrypted biometric can only be transmitted in encrypted form; • no program information is to be retained or associated with the encrypted biometric information; • there can be no ability at the technical level to reconstruct or recreate the biometric from its encrypted form; • there must be no ability to compare biometric images from one database with biometric images from other databases or reproductions of the biometric not obtained from the individual; • there can be no access to the biometric database by law enforcement without a court order or specific warrant.

  36. FRT - Facial Recognition Tech (aka Photo Comparison Technology) • Evidence for effectiveness? • Protection against false positives? Redress? • Will a template approach be used? • Compliant with Ontario Works Act standards? • Security of the database? (e.g. biometric encryption?) • Data sharing? Strictly limited and transparent? • Protection against function creep? • Privacy Impact Assessment? • Independent? Public involvement?

  37. The actor-network of DL + FRT MTO MGS ServOnt IPC Biometric expert Ontario Legislature Photo Card Act 2008 Ontario Works Act 1997 Facial Images Image Templates ? Drivers DB Ontario DL Facial Image DL Number Name, Address Date of birth Sex, Height Dates of issue/expiry more numbers FRT software FRT Vendors

  39. Introducing the RFID for the Enhanced DL RFID Proposed DL Proposed EDL Current DL FRT MRZ <<CANCLEMENT<<ANDREW<HOWARD<<< JK123456<5CAN4701010M0809100<< For WHTI deadline (June 2009)

  40. Introducing the RFID for the Enhanced DL Proposed EDL Current DL RFID For WHTI deadline (June 2009)

  41. RFID - Radio Frequency ID chip RFID reader ‘Rogue’ databases ‘Black hat’ 10m RFID reader US databases Unique identifier Border agent CBSA database EDL/ID cardholder

  42. DHS Secretary Michael Chertoff. On the EDL: “[W]hen you’re coming up to the booth at the land port of entry, if you have to hand your card over and the inspector has to key in your name, that’s five seconds, 10 seconds, plus the possibility of an error. What the chip does is it allows, as you approach, the system to read it and then pop up your information on the screen.” “[I]t’s kind of a REAL ID with an additional feature […] a chip.” Arizona, Dec 6, 2007; see: http://www.dhs.gov/xnews/releases/pr_1197041144284.shtm To an international privacy conference: While some debate has taken place in Canada over the idea of a national ID card, Chertoff said Americans would never stand for it. "Their heads would explode," he said. CP, Montreal, Sep 26, 2007 http://www.cbc.ca/canada/montreal/story/2007/09/26/qc-homeland0926.html

  43. Canada’s Privacy Commissioners Expressed “their concern that any requirement imposed by the United States government for vicinity radio frequency identification technology (“RFID”): 1. permits surreptitious location tracking of individuals carrying an EDL; and 2. does not encrypt or otherwise protect the unique identifying number assigned to the holder of the EDL and would not protect any other personal information stored on the RFID” They called on the Government of Canada, and participating provinces and territories, “to take steps to ensure the security of personal information stored on EDL RFID tags and to prevent the possibility of surreptitious location tracking." Victoria, February 5, 2008 http://www.privcom.gc.ca/media/nr-c/2008/res_080205_e.asp

  44. RFID - Radio Frequency ID chip • Why choose a notoriously insecure vicinity RFID (i.e. UHF EPC Gen 2), rather than a proximity RFID (10m vs 10cm range)? • What protection against covert sniffing, interception, or other identification attacks? • Can the ‘protective sleeve’ possibly be effective? • Why isn’t the unique RFID number treated as personal information? e.g. Why no encryption? • What protections for Canadians’ data in US? • Has DHS bullied Canada into an inferior approach?

  45. Other rationales for including RFID? • Integration with REAL ID, as de facto NA ID card? • Population surveillance capability with Human ID at a distance (HumanID) - Total Information Awareness http://w2.eff.org/Privacy/TIA/hid.php What protection against this function creep?

  46. The actor-network of EDL/RFID MTO MGS ServOnt Priv Comm Ontario Legislature Photo Card Act 2008 Passenger Protect convenient cheap fast bulky costly slow Drivers DB Police CBSA DB EDL RFID Passport CBSA AAMVA MOU CBP RFID reader Protective Sleeve SPP CBP DB Secure Flight.. IRPTA ICEPIC.. WHTI REAL ID DHS US Congress RFID vendors “US public”

  47. The actor-network of EDL/RFID MTO MGS ServOnt Priv Comm ACT BTA CoC “Canadian public” Ontario Legislature Photo Card Act 2008 Passenger Protect bulky costly slow secure versatile ICLMG privacy protective secure convenient cheap fast surveillance enabling Drivers DB Police CBSA DB EDL RFID Contact-less Smart Card North American National ID card Passport CBSA AAMVA MOU CBP RFID reader Protective Sleeve SPP On/Off switch CBP DB Secure Flight.. IRPTA ICEPIC.. WHTI REAL ID DHS US Congress RFID vendors Smartcard Alliance ACLU EPIC “US public”

  48. Main EDL/RFID Actors (Human). Human Actors, Canadian: • Ontario Min. Of Transportation (MTO) • Service Ontario • Police officers • Canadian Border Service Agency (CBSA) • Vendors • Bars • Post offices • Couriers • Merchants • other orgs that ask for the DL • Ontario Legislature • Min of Gov Services (CIPO) • Information and Privacy Commissioner (IPC) • Biometric expert • FRT vendor(s). Human Actors, cont.: • Privacy Commissioners (PC) • Advanced Card Association of Canada ACT (industry lobby org) • International Civil Liberties Monitoring Group (ICLMG) • Council of Canadians (CoC) • Consumer Council of Canada (CCC) • GS1 Canada (Industry stds. body) Can/US: • American Association of Motor Vehicle Administrators (AAMVA) • Binational Tourism Alliance (BTA) US: • US Customs and Border Prot’n (CBP) • Smart Card Alliance (ind. lobby) • American Liberties Union (ACLU) • Digimarc (vendor of US EDLs) • L-I Identity Solutions (identity product conglomerate)

  49. Main DL/RFID Actors (Non-Human). Non-Human Actors. Documents: • Highway Traffic Act R.S.O. 1990 • Freedom of Information and Protection of Privacy Act R.S.O. 1990 • Ontario Works Act 1997 • Photo Card Act 2008 (Bill 85) • US Intelligence Reform and Terrorism Prev’n Act (IRTPA) 2004 • Western Hemisphere Travel Initiative (WHTI) • REAL-ID Act (US, 2005) • Smart Border Agreement and Action Plan (US+CA) • Security and Prosperity Partnership (SPP) • Memorandum of Understanding (MOU) US+CAN, CAN+Ont • Privacy Impact Assessment (PIA) • Threat Assessment (TA). Non-Human Actors cont. Devices: • Drivers Licence (DL) * • Image capture and card production • Wallets • FRT software • Enhanced Drivers Licence (EDL) • RFID (EPC Gen 2 RFID Tags) • Tag number • Protective sleeve • On/off switch • Contactless Smart Card (CSC) • REAL ID card • NEXUS card • PASS card • Passport • Biometric passport • National ID card

  50. Main EDL/RFID Actors (Non-Human). Non-Human Actors cont. Databases: • Drivers DB • Drivers facial image DB • Drivers facial image template DB ?? • Canadian Police Information Centre (CPIC) • Immigration and Customs Enforcement Pattern Analysis and Information Collection System (ICEPIC), which includes: • Treasury Enforcement Communications System, • Student and Exchange Visitor Information System, • National Security Entry Exit Registration System, • U.S. Visitor and Immigrant Status Indicator Technology program. Databases (cont.): • Secure Flight? • Passenger Protect? Distances: • 10m (range of RFID) • 10cm (range of CSC) Borders: • US/Canada Dates: • Sept 11, 2001 (9/11) • Jan 23, 2007 (WHTI implemented for US/Can air travel) • June 2009 (WHTI implemented for US/Can land/sea travel)
