1. Identity, Privacy and Security perspectives on Ontario's proposed enhanced drivers licence (EDL)
2. Overview Introduction to Surveillance, Identity, Privacy and Security
Unpacking Ontario’s DL proposals
Facial recognition screening
RFID for border crossing
Design alternatives
Passport & RFID-less EDL
Next steps
3. Living in a Surveillance Society Surveillance:
“Any focused attention to personal details for the purpose of entitlement, influence or control” David Lyon
Fast becoming the dominant organizing principle of late modern society.
May be benign or harmful
Raises thorny issues of privacy, security and identity
4. The New Transparency project: Surveillance and social sorting Questions:
What factors contribute to the general expansion of surveillance as a technology of governance in late modern societies?
What are the underlying principles, technological infrastructures and institutional frameworks that support surveillance practice?
What are the social consequences of such surveillance both for institutions and for ordinary people?
5. Subprojects IRSP 1: The Role of Technology Companies in Promoting Surveillance Internationally
IRSP 2: Digitally Mediated Surveillance: From the Internet to Ubiquitous Computing
IRSP 3: Surveillance Consequences of 9/11
IRSP 4: Surveillance and Population Management
6. Coming events Workshops:
Population Management in Conflict zones (IRSP 4) Cyprus
Surveillance Games, Vancouver
Surveillance Technology Companies (IRSP 1) Open University
Cyber surveillance (IRSP2) Toronto,
Surveillance: Ten Years After 9/11, (IRSP 3) Kingston
Conference on “Canada’s Surveillance Society,” Ottawa 2011
7. Identity, Privacy & Security� in a Surveillance Society
8. Introducing IPSI� the Identity Privacy and Security Initiative IPSI aims to carry out a pioneering, interdisciplinary program of research, education, outreach, and industry collaboration, combining technological and policy perspectives. Supported by U of T’s Academic Initiatives Fund (AIF).
Management Committee:
Dimitrios Hatzinakos (Chair)
Professor, Dept of Electrical and Computer Engineering (ECE)
Andrew Clement
Professor Faculty of Information
Kostas Plataniotis
Associate Professor, Dept of Electrical and Computer Engineering (ECE)
Leslie Dolman (Exec Dir)
9. Introducing IPSI � Advisory Board Ann Cavoukian (Chair)
Commissioner, IPC
Ken Anderson
Assistant Commissioner, IPC
Richard Alvarez
President and CEO,
Canada Health Infoway
Dean Barry
Senior Policy Advisor,
International Affairs Directorate,
Public Safety of Canada
Stefan Brands
CEO Credentica, Microsoft
Yim Chan
Global Privacy Executive, Chief Privacy Office, IBM Canada
10. Introducing IPSI � Activities Public lectures series
Graduate course and specialization
JIE1001 Seminar in Identity, Privacy & Identity
Other events
Public Information Forum on Ontario’s proposed EDL, FI, July 16, 2008 (with IPC, FI, IPRP)
Identity Rights Colloquium, Fac. of Law, October 31, 2008 (with CILP)
Research round tables (Spring 2009)
Research Day (May 2009)
11. The Performing Identity project
12. Evaluating the EDL/ID proposals� - the Oakes Four Part Test The burden of proof must always be on those who claim that some new intrusion or limitation on privacy is necessary. Any proposed [security, identity] measure must meet a four-part test:
Necessary: It must be demonstrably necessary in order to meet some specific need
Effective: It must be demonstrably likely to be effective in achieving its intended purpose. In other words, it must be likely to actually make us significantly safer, not just make us feel safer.
Proportionate:The intrusion on privacy must be proportional to the security benefit to be derived.
Minimal: and it must be demonstrable that no other, less privacy-intrusive, measure would suffice to achieve the same purpose.
Privacy Commissioner of Canada, Nov’02, derived from Oakes It's 'Oakes'see: http://en.wikipedia.org/wiki/R._v._Oakes
Letter from Radwanski to Justice Minister mentioning the'four part test':http://www.privcom.gc.ca/media/le_021125_e.aspIt's 'Oakes'see: http://en.wikipedia.org/wiki/R._v._Oakes
Letter from Radwanski to Justice Minister mentioning the'four part test':http://www.privcom.gc.ca/media/le_021125_e.asp
13. The actor-network of my Ontario DL
14. The actor-network of Ontario’s DL
15. The actor-network of Ontario’s DL
16. Main DL Actors Human Actors
Canadian
Ontario Min. Of Transportation (MTO)
Service Ontario
Police officers
Canadian Border Service Agency (CBSA)
Vendors
Bars
Post offices
Couriers
Merchants
other orgs that ask for the DL
Can/US
American Association of Motor Vehicle Administrators (AAMVA)
US
US Customs and Border Protection (CBP)
17. Unpacking the EDL/ID proposal� in Bill 85, Photo Card Act, 2008 (June)
18. Unpacking the EDL/ID proposal� in Bill 85, Photo Card Act, 2008 (June)
19. Unpacking the EDL/ID proposal� in Bill 85, Photo Card Act, 2008 (June)
20. Unpacking the EDL/ID proposal� in Bill 85, Photo Card Act, 2008 (June)
21. The actor-network of Ontario’s DL
22. The actor-network of Ontario’s DL
23. The actor-network of DL + FRT
24. FRT - Facial Recognition Tech�(aka Photo Comparison Technology)
25. FRT - Facial Recognition Tech�(aka Photo Comparison Technology) IPC statements on biometrics:
“Given the power and complexity of biometrics, my office has set out strict conditions under which the use of biometrics could be considered. No database of biometric information, … should be created without applying the minimum standards for the use of biometrics, as set out in the Ontario Works Act.”
“….there must be no ability to compare biometric images from one database with biometric images from other databases or reproductions of the biometric not obtained from the individual”
(Open letter, from Commissioner Cavoukian to Hon. D. Tsubouchi, April 5, 2001)
26. FRT - Facial Recognition Tech�(aka Photo Comparison Technology) Ontario Works Act 1997 standards:
the biometric must be stored in encrypted form both on the card and in any database;
the encrypted biometric cannot be used as a unique identifier;
the original biometric information must be destroyed upon encryption;
the stored encrypted biometric can only be transmitted in encrypted form;
no program information is to be retained or associated with the encrypted biometric information;
there can be no ability at the technical level to reconstruct or recreate the biometric from its encrypted form;
there must be no ability to compare biometric images from one database with biometric images from other databases or reproductions of the biometric not obtained from the individual;
there can be no access to the biometric database by law enforcement without a court order or specific warrant.
27. FRT - Facial Recognition Tech�(aka Photo Comparison Technology) Another noted Ontario biometrics expert:
"Biometrics, if used as currently marketed by [most] biometric vendors – where the biometric template is used as the token of identification or verification – will further erode privacy and jeopardise our freedoms. The simple fact is that template-based biometrics are not privacy friendly. Any time you base verification or identification on comparison to a stored template you have a situation which, over time, will compromise privacy – either by business or government, in response to the next national emergency”
Tomko, George, "The Fundamental Problem with Template-based Biometrics", presentation at the 12th Conference on Computers, Freedom and Privacy, San Francisco, 16 April, 2002.
28. FRT - Facial Recognition Tech�(aka Photo Comparison Technology) Evidence for effectiveness?
Protection against false positives? Redress?
Will a template approach be used?
Compliant with Ontario Works Act standards?
Security of the database? (e.g. biometric encryption?)
Data sharing? Strictly limited and transparent?
Protection against function creep?
Privacy Impact Assessment?
Independent? Public involvement?
29. The actor-network of DL + FRT
30. The actor-network of DL + FRT
31. Introducing the RFID for the Enhanced DL
32. Introducing the RFID for the Enhanced DL
33. RFID - Radio Frequency ID chip
34. DHS Secretary Michael Chertoff On the EDL:
“[W]hen you’re coming up to the booth at the land port of entry, if you have to hand your card over and the inspector has to key in your name, that’s five seconds, 10 seconds, plus the possibility of an error. What the chip does is it allows, as you approach, the system to read it and then pop up your information on the screen.”
“[I]t’s kind of a REAL ID with an additional feature […] a chip.”
Arizona, Dec 6, 2007 see:http://www.dhs.gov/xnews/releases/pr_1197041144284.shtm
To an international privacy conference:
While some debate has taken place in Canada over the idea of a national ID card, Chertoff said Americans would never stand for it.
"Their heads would explode," he said. CP, Montreal, Sep 26, 2007
http://www.cbc.ca/canada/montreal/story/2007/09/26/qc-homeland0926.html
35. Canada’s Privacy Commissioners Expressed “their concern that any requirement imposed by the United States government for vicinity radio frequency identification technology (“RFID”):
1. permits surreptitious location tracking of individuals carrying an EDL; and
2. does not encrypt or otherwise protect the unique identifying number assigned to the holder of the EDL and would not protect any other personal information stored on the RFID”
They called on the Government of Canada, and participating provinces and territories, “to take steps to ensure the security of personal information stored on EDL RFID tags and to prevent the possibility of surreptitious location tracking."
Victoria, February 5, 2008
http://www.privcom.gc.ca/media/nr-c/2008/res_080205_e.asp
36. RFID - Radio Frequency ID chip Why choose a notoriously insecure vicinity RFID (i.e.UHF EPC Gen 2), rather than a proximity RFID? (10m vs 10cm range)?
What protection against covert sniffing, interception, or other identification attacks?
Can the ‘protective sleeve’ possibly be effective?
Why isn’t the unique RFID number treated as personal information? e.g. Why no encryption?
What protections for Canadians’ data in US?
Has DHS bullied Canada into an inferior approach?
37. Other rationales for including RFID? Integration with REAL ID, as de facto NA ID card?
Population surveillance capability with Human ID at a distance (HumanID) - Total Information Awareness
http://w2.eff.org/Privacy/TIA/hid.php
What protection against this function creep?
38. The actor-network of EDL/RFID
39. The actor-network of EDL/RFID
40. Main EDL/RFID Actors (Human) Human Actors
Canadian
Ontario Min. Of Transportation (MTO)
Service Ontario
Police officers
Canadian Border Service Agency (CBSA)
Vendors
Bars
Post offices
Couriers
Merchants
other orgs that ask for the DL
Ontario Legislature
Min of Gov Services (CIPO)
Information and Privacy Commissioner (IPC)
Biometric expert
FRT vendor(s)
41. Main DL/RFID Actors (Non-Human)
42. Main EDL/RFID Actors (Non-Human)
43. Passport as an alternative to EDL Extend life of Canadian passport to 10 years
as in the US, UK, etc. i.e. <$9/year ?
Lower price of passport?
Auditor Gen says they are over-priced
Ontario subsidize cost for border area residents?
Passport as a citizenship right?
Speed up and ease issuing?
Temporary passport offices in border cities
‘Passport Fairs’ as in US
Speed up border crossing with passport?
Use the Machine Readable Zone (needed anyway)?
44. RFID - Radio Frequency ID chip
45. RFID-less EDL (& passport)
46. EDL/RFID vs Passport?? Considering:
Cost
Convenience of acquisition and use
Privacy
Security
Usefulness
Governance
National sovereignty
will the EDL/RFID serve Ontarians better than the passport?
47. Summary - Questions & cautions
48. Next steps Legislative review of Bill 85
in Standing Committee on General Government
Public participation
Social impact assessments
Systems design
Concept and prototype design
Field testing
On-going accountability and oversight
