Testimony Before the Virginia Legislature on House Joint Resolution 162, Considering the Creation of Smart Driver’s Licenses Madam Chairwoman, members of the committee, thank you for inviting me to come before you today to testify about HJR 162. My name is Chris Calabrese. I am the Counsel for the American Civil Liberties Union’s Technology and Liberty Program. The ACLU is a nationwide, non-partisan organization with nearly 400,000 members dedicated to protecting the individual liberties and freedoms guaranteed in the Constitution and laws of the United States. The Technology & Liberty Program’s mandate is to analyze the impact of new technologies on our civil liberties. I am going to talk today about the numerous very real and practical problems associated with placing RFID chips in drivers’ licenses. They include: the major security problems associated with allowing identity to be read remotely the costly infrastructure that must be built in order to utilize these chips the probable lack of effectiveness of RFID chips in improving security, and the wide-ranging civil liberties violations made possible by RFIDs. As you know, RFID tags are tiny computer chips connected to miniature antennae that can be placed on or in physical objects. The chips contain enough memory to hold an individual’s unique identification information and a digital photograph or other biometric. When an RFID reader emits a radio signal, nearby tags respond by transmitting their stored data to the reader. With passive RFID tags, which do not contain batteries, read-range can vary from less than an inch to 20-30 feet, while active (self-powered) tags can have a much longer read range. While these chips can have beneficial uses, installing them in drivers’ licenses would be a grave mistake. Many unresolved security problems remain RFID technology is very new. Its use involves a number of complex engineering questions that center around the safety and security of the information on the chip. Many of these questions have not yet been solved. The federal government is currently experimenting with the use of RFID chips in passports. In a recent round of testing conducted by the National Institute of Standards and Technology (NIST) in Morgantown, WV a number of flaws in RFID chips were discovered. Those flaws included smart card readers that couldn’t detect chips, readers that could detect chips but couldn’t read them, and readers that did not know what information to display. But perhaps worst of all, government testers found that some readers were able to read the information on these RFID chips from a distance of up to 30 feet. Private individuals have also found it easy to exploit this security vulnerability and read RFIDs at a distance. At a computer security conference in August, a computer programmer demonstrated a program called RFDump. This program enabled anyone with a card reader and a laptop to read data from up to 3 feet away. I have attached two newspaper articles that describe these problems in more detail. The idea that a chip could be read from a distance is a security nightmare. Personal information including your photograph, home address, date of birth and signature would be available to anyone with a reader. The potential for criminal conduct is staggering. It would actually make some criminal conduct much easier, identity theft in particular. Identify theft is one of the fastest growing crimes in America. According to the Federal Trade Commission more than 3,300 Virginians were victims of this crime last year and the average loss was $6,700 per victim. Rapid deployment of RFIDs in drivers’ licenses would lead to an explosion in this type of crime. Identity thieves would never need to physically steal your documents. Instead they would be able to secretly and electronically pickpocket your information right through a wallet, pocket, backpack, or purse. You would never know that you had been robbed. Worse, identity thieves would have even more incentive to rob you for your license itself because the presence of a chip would presumably make it more attractive and valuable as an identity document. In recent years a number of states have updated their laws, such as shielding voter registration information, in order to make it harder for stalkers to find out personal information. Now with a simple electronic reader such a criminal could easily learn this personal information. Solutions have been proposed to some of these problems but none have been perfected – let alone tested – in the context of driver’s licenses. For instance, an RFID chip’s signal can be shielded by placing it inside a foil wrapper. That solution may work for a booklet that needs to be opened, like a passport, but it is hardly practical for a drivers’ license. Alternatively, the information on the chip could be protected through computer encryption. It is unclear how this process would work, however. How large a chip would it take to store this additional information? What kind of infrastructure would it take to verify information and distribute the encryption key to officials, such as law enforcement, who would need it? And how would you ensure that these keys do not fall into the wrong hands? RFIDs present other technical problems beyond remote reading. In order for them to be useful as identity documents, the information on these chips must be secured in some way. If it is not, then anyone with some technical expertise can alter or replace the information on the cards. The federal government has concluded that the best way to provide this security is to use a technology known as digital signatures. This technology uses a private code or “key” to scramble the information, and a widely distributed “public” key that can be used to descramble it and make sure that it hasn’t been changed. This process requires that every time a card is read the person doing the reading (or the reader itself) must contact a central database and find out what the particular public code is that deciphers the information on the particular chip in question. Finally, because RFID technology is so new, there are no long-term test results demonstrating how long RFID chips last and how high their failure rate is. It is unclear as to how durable these chips will be. Drivers subject their licenses to all types of wear and tear – from accidentally running them through the washing machine to subjecting them to extremes of hot and cold. If RFIDs are anything like other electronics, they will not hold up consistently under this type of treatment. RFIDs in driver’s licenses will require a costly infrastructure Of course all of these technical problems will be very costly to solve. Even more costly will be upkeep of the infrastructure necessary to maintain this system. At a minimum, the state of Virginia will have to pay to figure out how to protect the information so it cannot be read from distances of up to 30 feet. This is a problem that the federal government and international authorities have not solved. It will then have to create an entire infrastructure to support this system. That involves buying the chips themselves, redesigning the Virginia driver’s license to hold them, and then placing them in the $1.4 million Virginia licenses issued every year. It involves buying readers and placing them everywhere – from police cars to DMVs – that they might be needed. These readers cost anywhere between $700 and $1100 each. The DMV must then build the internal IT system necessary to program these chips and maintain the public and private codes necessary to assure the accuracy of this information. Finally there will have to be a way for every person using a reader to gain access to the public key necessary to access the chips. I have attached a chart, labeled Appendix A, that lists this infrastructure. Believe it or not, these are the minimum standards that would be necessary to secure the information on these chips. It is likely that as time passes greater and most expensive security will be necessary because RFIDs have enormous commercial potential as a way to track products. Wal-Mart is already experimenting with using them in shipping pallets. So it is very likely that as these chips become commonplace, the technology for modifying and altering them will also become more widely understood, not only by legitimate businesses, but by criminals as well. RFIDs in driver’s licenses unlikely to be effective at making us safer But perhaps more significant than any of these problems is the simple truth that even if it were possible to overcome all these problems, placing RFID chips in driver’s licenses would do nothing to improve these documents as tools to demonstrate identity or help law enforcement. RFID will do nothing to solve one of the biggest problems with identity documents – fraud at the point of origin. This is a problem that Virginia is familiar with. A driver’s license or RFID chip will only display the information placed on them by the Department of Motor Vehicles. But if an individual uses a false birth certificate or other “feeder document” to gain a driver’s license, that will simply be reflected in the RFID. Similarly, if a DMV employee is corrupt, they can easily distribute legitimate licenses that are completely fraudulent. Further, many people do not carry any identification at all or claim to not have a license if stopped by police. RFIDs will do nothing to solve this problem. Nor will a chip help identify a person with an out-of-state license. As I noted before, there is no single standard for RFID chips, and in government tests even chips that were suppose to be created using the same standards had major reader problems. It is likely that even if other states adopted smart chips they would use different venders. That would mean these chips are not interoperable with other state’s readers, rendering them worthless. RFIDs raise enormous privacy concerns RFID also present a host of civil liberties problems beyond the ones I have discussed because they enable people to be remotely tracked. Pocket ID readers could be used by government agents to sweep up the identities of everyone at a political meeting, protest march, or Islamic prayer service. A network of automated RFID listening posts on the sidewalks and roads could even reveal the location of all people in the U.S. at all times. However, there is no point in discussing these problems in detail until it can be demonstrated that there is actually a security benefit to installing these chips. If you would like to learn more you can visit our website at HYPERLINK "http://www.aclu.org/news/..\\..\\..\\Documents%20and%20Settings\\ccalabrese\\Local%20Settings\\Temporary%20Internet%20Files\\OLK8D\\WINDOWSTEMPwww.aclu.orgprivacy" \t "_blank" www.aclu.org/privacy. In sum, the use of RFID chips in driver’s licenses is likely to be a costly proposition that involves significant technological hurdles, and has little practical value. It is also likely to make Virginia drivers both less safe and less free. I thank the Committee again for its time and would respectfully urge you to release a negative report on the possibility of placing RFID chips in drivers’ licenses. PAGE _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Mon Oct 18 2004 - 08:18:54 PDT