Caution urged for licenses containing data chips
New Washington state driver's licenses to be issued next year need better security to protect against unauthorized tracking of individuals...
Seattle Times business reporter
New Washington state driver's licenses to be issued next year need better security to protect against unauthorized tracking of individuals, technical experts and privacy advocates said Thursday.
The voluntary "enhanced" licenses and ID cards contain a computer chip and antenna used to store and transmit data remotely through radio waves. The so-called RFID technology is becoming increasingly common in transportation systems.
The new driver's licenses were proposed by Gov. Christine Gregoire as an alternative to federal mandates requiring people traveling between the U.S. and Canada to carry passports.
But to comply with requirements of the U.S. Department of Homeland Security, the licenses had to contain RFID tags, said Antonio Ginatta, the governor's executive policy adviser.
The properties of RFID that make it convenient also make it inherently insecure, said experts at a policy roundtable on RFID held Thursday at the University of Washington Law School.
RFID tags are essentially like bar codes in that they typically store a unique identifying number. But unlike bar codes, RFID tags have the ability to be read silently, from a distance, while moving, in the dark and even through material.
That means one difference between the current license and the new one is that with the RFID tag, information on the license can be read remotely without the owner knowing about it.
"Now if I show my license, somebody has to ask me for it and I can see what they do with it," said Christina Drummond, director of the state ACLU's Technology and Liberty Project. "With RFID licenses, we wouldn't necessarily have that ability."
The enhanced Washington driver's license does not have personal information in the chip. It's designed to transmit a code that customs officials can then use to pull up records from the Department of Licensing database.
But because it sends out a unique number when queried, the RFID license could serve as the basis for tracking individuals. The card can be read from more than 3 feet away.
Security and privacy advocates suggested the license be engineered so it would have to touch an RFID reader to transmit information, contain a switch to disable it or be housed in a metal case, since RFID does not transmit through metal.
New U.S. passports also have RFID chips inside, though security complaints prompted design changes. Now metal threads in the cover prevent reading of the data unless the cover is open.
"Is there really any reason to read an RFID tag in a driver's license without touching it?" asked UW computer-science professor Gaetano Borriello. "I can't think of any. Why are we even putting an antenna that allows long-range reading of a driver's license? It's just silly."
Security expert Dan Kaminsky advocated a system that lets the user control when information is released. RFID tags can easily be reverse-engineered and replicated, and a huge market exists for information on people's travel and buying habits, he said.
As the technology advances, the ACLU is pushing for legislation in Washington to protect consumer privacy. It would include five elements:
• Require notice and consent before third parties can collect personal information.
• Require government and business to gather and keep only information relevant to services provided.
• Protect individuals' rights to move freely without being tracked.
• Protect the security of unique numbers used to identify people in electronic transactions.
• Hold businesses and government liable for invasions of privacy if they fail to protect personal information.
"It's risky at best not to pursue stronger legislation," said Evan Welbourne, who has been researching issues around RFID through an interdisciplinary group at UW. "The question shouldn't be whether to ban RFID or not, but how do we deploy and regulate it in a way that is effective and privacy-protecting?"
Kristi Heim: 206-464-2718 or email@example.com