[Politech] ACLU testimony before Virginia legislature on RFID tags in licenses [priv]

From: Declan McCullagh (declan@private)
Date: Mon Oct 18 2004 - 07:13:00 PDT


Testimony Before the Virginia Legislature on House Joint Resolution 162, 
Considering the Creation of Smart Driver’s Licenses

Madam Chairwoman, members of the committee, thank you for inviting me to 
come before you today to testify about HJR 162.

My name is Chris Calabrese.  I am the Counsel for the American Civil 
Liberties Union’s Technology and Liberty Program.

The ACLU is a nationwide, non-partisan organization with nearly 400,000 
members dedicated to protecting the individual liberties and freedoms 
guaranteed in the Constitution and laws of the United States.  The 
Technology & Liberty Program’s mandate is to analyze the impact of new 
technologies on our civil liberties.

I am going to talk today about the numerous very real and practical 
problems associated with placing RFID chips in drivers’ licenses.  They 
include:
the major security problems associated with allowing identity to be read 
remotely
the costly infrastructure that must be built in order to utilize these chips
the probable lack of effectiveness of RFID chips in improving security, and
the wide-ranging civil liberties violations made possible by RFIDs.

As you know, RFID tags are tiny computer chips connected to miniature 
antennae that can be placed on or in physical objects.  The chips 
contain enough memory to hold an individual’s unique identification 
information and a digital photograph or other biometric. When an RFID 
reader emits a radio signal, nearby tags respond by transmitting their 
stored data to the reader. With passive RFID tags, which do not contain 
batteries, read-range can vary from less than an inch to 20-30 feet, 
while active (self-powered) tags can have a much longer read range.

While these chips can have beneficial uses, installing them in drivers’ 
licenses would be a grave mistake.

Many unresolved security problems remain
RFID technology is very new.  Its use involves a number of complex 
engineering questions that center around the safety and security of the 
information on the chip.  Many of these questions have not yet been solved.

The federal government is currently experimenting with the use of RFID 
chips in passports.  In a recent round of testing conducted by the 
National Institute of Standards and Technology (NIST) in Morgantown, WV 
a number of flaws in RFID chips were discovered.  Those flaws included 
smart card readers that couldn’t detect chips, readers that could detect 
chips but couldn’t read them, and readers that did not know what 
information to display.  But perhaps worst of all, government testers 
found that some readers were able to read the information on these RFID 
chips from a distance of up to 30 feet.

Private individuals have also found it easy to exploit this security 
vulnerability and read RFIDs at a distance.  At a computer security 
conference in August, a computer programmer demonstrated a program 
called RFDump.  This program enabled anyone with a card reader and a 
laptop to read data from up to 3 feet away.  I have attached two 
newspaper articles that describe these problems in more detail.

The idea that a chip could be read from a distance is a security 
nightmare.  Personal information including your photograph, home 
address, date of birth and signature would be available to anyone with a 
reader.  The potential for criminal conduct is staggering.  It would 
actually make some criminal conduct much easier, identity theft in 
particular.

Identify theft is one of the fastest growing crimes in America. 
According to the Federal Trade Commission more than 3,300 Virginians 
were victims of this crime last year and the average loss was $6,700 per 
victim.  Rapid deployment of RFIDs in drivers’ licenses would lead to an 
explosion in this type of crime.

Identity thieves would never need to physically steal your documents. 
Instead they would be able to secretly and electronically pickpocket 
your information right through a wallet, pocket, backpack, or purse. 
You would never know that you had been robbed.  Worse, identity thieves 
would have even more incentive to rob you for your license itself 
because the presence of a chip would presumably make it more attractive 
and valuable as an identity document.

In recent years a number of states have updated their laws, such as 
shielding voter registration information, in order to make it harder for 
stalkers to find out personal information.  Now with a simple electronic 
reader such a criminal could easily learn this personal information.

Solutions have been proposed to some of these problems but none have 
been perfected – let alone tested – in the context of driver’s licenses. 
  For instance, an RFID chip’s signal can be shielded by placing it 
inside a foil wrapper.  That solution may work for a booklet that needs 
to be opened, like a passport, but it is hardly practical for a drivers’ 
license.

Alternatively, the information on the chip could be protected through 
computer encryption.  It is unclear how this process would work, 
however.  How large a chip would it take to store this additional 
information?  What kind of infrastructure would it take to verify 
information and distribute the encryption key to officials, such as law 
enforcement, who would need it?  And how would you ensure that these 
keys do not fall into the wrong hands?

RFIDs present other technical problems beyond remote reading.  In order 
for them to be useful as identity documents, the information on these 
chips must be secured in some way.  If it is not, then anyone with some 
technical expertise can alter or replace the information on the cards.

The federal government has concluded that the best way to provide this 
security is to use a technology known as digital signatures.  This 
technology uses a private code or “key” to scramble the information, and 
a widely distributed “public” key that can be used to descramble it and 
make sure that it hasn’t been changed.  This process requires that every 
time a card is read the person doing the reading (or the reader itself) 
must contact a central database and find out what the particular public 
code is that deciphers the information on the particular chip in question.

Finally, because RFID technology is so new, there are no long-term test 
results demonstrating how long RFID chips last and how high their 
failure rate is.  It is unclear as to how durable these chips will be. 
Drivers subject their licenses to all types of wear and tear – from 
accidentally running them through the washing machine to subjecting them 
to extremes of hot and cold.  If RFIDs are anything like other 
electronics, they will not hold up consistently under this type of 
treatment.

RFIDs in driver’s licenses will require a costly infrastructure
Of course all of these technical problems will be very costly to solve. 
  Even more costly will be upkeep of the infrastructure necessary to 
maintain this system.

At a minimum, the state of Virginia will have to pay to figure out how 
to protect the information so it cannot be read from distances of up to 
30 feet.  This is a problem that the federal government and 
international authorities have not solved.

It will then have to create an entire infrastructure to support this 
system.  That involves buying the chips themselves, redesigning the 
Virginia driver’s license to hold them, and then placing them in the 
$1.4 million Virginia licenses issued every year.  It involves buying 
readers and placing them everywhere – from police cars to DMVs – that 
they might be needed.  These readers cost anywhere between $700 and 
$1100 each.  The DMV must then build the internal IT system necessary to 
program these chips and maintain the public and private codes necessary 
to assure the accuracy of this information.  Finally there will have to 
be a way for every person using a reader to gain access to the public 
key necessary to access the chips.  I have attached a chart, labeled 
Appendix A, that lists this infrastructure.

Believe it or not, these are the minimum standards that would be 
necessary to secure the information on these chips.  It is likely that 
as time passes greater and most expensive security will be necessary 
because RFIDs have enormous commercial potential as a way to track 
products.  Wal-Mart is already experimenting with using them in shipping 
pallets.  So it is very likely that as these chips become commonplace, 
the technology for modifying and altering them will also become more 
widely understood, not only by legitimate businesses, but by criminals 
as well.

RFIDs in driver’s licenses unlikely to be effective at making us safer
But perhaps more significant than any of these problems is the simple 
truth that even if it were possible to overcome all these problems, 
placing RFID chips in driver’s licenses would do nothing to improve 
these documents as tools to demonstrate identity or help law enforcement.

RFID will do nothing to solve one of the biggest problems with identity 
documents – fraud at the point of origin.  This is a problem that 
Virginia is familiar with.  A driver’s license or RFID chip will only 
display the information placed on them by the Department of Motor 
Vehicles.  But if an individual uses a false birth certificate or other 
“feeder document” to gain a driver’s license, that will simply be 
reflected in the RFID.  Similarly, if a DMV employee is corrupt, they 
can easily distribute legitimate licenses that are completely fraudulent.

Further, many people do not carry any identification at all or claim to 
not have a license if stopped by police.  RFIDs will do nothing to solve 
this problem.

Nor will a chip help identify a person with an out-of-state license.  As 
I noted before, there is no single standard for RFID chips, and in 
government tests even chips that were suppose to be created using the 
same standards had major reader problems.  It is likely that even if 
other states adopted smart chips they would use different venders.  That 
would mean these chips are not interoperable with other state’s readers, 
rendering them worthless.

RFIDs raise enormous privacy concerns
RFID also present a host of civil liberties problems beyond the ones I 
have discussed because they enable people to be remotely tracked. 
Pocket ID readers could be used by government agents to sweep up the 
identities of everyone at a political meeting, protest march, or Islamic 
prayer service.  A network of automated RFID listening posts on the 
sidewalks and roads could even reveal the location of all people in the 
U.S. at all times.  However, there is no point in discussing these 
problems in detail until it can be demonstrated that there is actually a 
security benefit to installing these chips.  If you would like to learn 
more you can visit our website at  HYPERLINK 
"http://www.aclu.org/news/..\\..\\..\\Documents%20and%20Settings\\ccalabrese\\Local%20Settings\\Temporary%20Internet%20Files\\OLK8D\\WINDOWSTEMPwww.aclu.orgprivacy" 
\t "_blank" www.aclu.org/privacy.

In sum, the use of RFID chips in driver’s licenses is likely to be a 
costly proposition that involves significant technological hurdles, and 
has little practical value.  It is also likely to make Virginia drivers 
both less safe and less free.

I thank the Committee again for its time and would respectfully urge you 
to release a negative report on the possibility of placing RFID chips in 
drivers’ licenses.


PAGE
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)



This archive was generated by hypermail 2.1.3 : Mon Oct 18 2004 - 08:18:54 PDT