Compliance

The DHS has a very specific privacy compliance process. The DHS Privacy Office is responsible for the assessment of all new or proposed Department activities in order to ensure responsible handling of personally identifiable information (PII) and to mitigate privacy risks.

The following explores the methods by which the Privacy Office ensures compliance in all departmental activities:

• Privacy Threshold Analysis (PTA) – The PTA is a required document that serves as the official determination by the Privacy Office in order to determine if a DHS program or system has privacy implications. Also, PTAs are used to determine of additional privacy compliance documentation is required. PTAs are designed into all DHS processes for technology investments and security. They expire every three years.

PTAs serve the following objectives:

• Identify privacy-sensitive programs and systems
• Demonstrate inclusion of privacy considerations during the review of a program or system
• Provide the Privacy Office with a record of the program or system, as well as its privacy requirements
• Demonstrate compliance with privacy laws and regulations
• Privacy Impact Assessment(PIA) – The PIA is a decision-making tool that is used to identify and mitigate privacy risks at the start, as well as throughout the development lifecycle of a program or system. PIAs aid the public in understanding what PII the DHS is collecting, why the information is being collected, and how it will be used, shared, accessed and stored.

PIAs are required for the following reasons:

• When developing or procuring any new DHS program or system that will handle or collect PII
• For budget submissions to the Office of Management and Budget (OMB) that affect PII
• With pilot tests that affect PII
• When developing program or system revisions that affect PII
• When issuing a new or updated rulemaking that involves collection, use and maintenance of PII
• System of Records Notice(SORN) – A `system of records’ is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual. A SORN is a formal notice to the public that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (i.e. routine uses) and how to access or correct any PII maintained by the DHS.

DHS Privacy Office

The DHS Privacy Office is the first statutorily created privacy office in the Federal government. The Office operates under the direction of the Chief Privacy Officer, a position that is discussed in further detail in the following section. The mission of the Privacy Office is: “… to preserve and enhance privacy protections for all individuals, to promote transparency of DHS operations, and to serve as a leader in the privacy community.”

The Privacy Office carries out the following activities:

• Requires compliance with the letter and spirit of Federal laws that protect privacy
• Centralizes FOI and Privacy Act operations to provide policy and programmatic oversight and to support operational implementation within the DHS components
• Provides education and outreach to build a culture of privacy and adherence to the Fair Information Practice Principles (FIPPs) across the DHS
• Provides transparency to the public through published materials, formal notices, public workshops and meetings

The Privacy Office is made up of the following operational teams:

• International Privacy Policy
• Departmental Disclosure and FOIA
• Privacy Compliances
• Privacy Policy (includes communications and training)
• Privacy Incidents and Inquiries
• Privacy Technology and Intelligence
• Legislative and Regulatory Analysis

Chief Privacy Officer, DHS

The Chief Privacy Officer (CPO) is a position within the DHS, appointed by the US Secretary of Homeland Security. The CPO also serves as the Chief Freedom of Information Act (FOIA) Officer at the DHS Privacy Office.

According to Section 222 of the Homeland Security Act of 2002, the CPO is primarily responsible for the privacy policy at the DHS. Duties include:

• Assuring that technologies used by the DHS to protect the US sustain, rather than erode, privacy protections related to the use, collection and disclosure of personal information
• Assuring that the DHS complies with fair information practices set out in the Privacy Act of 1974
• Conducting privacy impact assessments (PIA) of proposed rules at the DHS
• Evaluating legislative and regulatory proposals involving the collection, use and disclosure of personal information by the Federal government
• Preparing an annual report to Congress on DHS activities that affect privacy

Summary

This article takes a look at the privacy policies and practices at the US Department of Homeland Security (DHS). In addition to compliance with federal privacy legislation, the DHS also has its own privacy guidance, which include security methodologies, as well as a Privacy Office that is responsible for the oversight of systems and programs that deal with personally identifiable information. The article takes a closer look at the DHS Privacy Office, the first statutorily created privacy office in the US federal government, as well as the unique role of the Chief Privacy Officer/Chief Freedom of Information Act (FOIA) Officer.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Policy Approaches – Department of Homeland Security (II.A.e.ii.3.)

The memorandum issued the following recommendations:

Data Breach Guidance to Agencies

The Office of Management and Budget should issue a memorandum guiding agencies on when and how notice must be given to individuals at risk for identity theft due to a security breach. The suggested memorandum, titled “Recommendations for Identity Theft Related Data Breach Notification” was released almost concurrently with the Task Force’s memorandum.

Development of Universal Police Report for Identity Theft Victims

Identity theft victims my require official police reports to contest fraudulent information on their credit reports. A universal identity theft police report ensures that all necessary information is collected. It also allows identity theft victims to print the report from online, fill it out and bring it to their local enforcement agency for verification. Currently, individuals may also file an official complaint with the Federal Trade Commission on the FTC website. A universal form of filing complaints, reduces the strain on law enforcement agencies and  allows streamlining of investigations.

Extending Restitution for Victims of Identity Theft

The Task Force recommended to Congress that defendants be required to pay their identity theft victims monetarily for the time lost due to investigating, responding to and correcting fraudulent activity on their credit reports. This created extra penalties for committing identity theft, as well as allowed some renumeration to be paid to identity theft victims for their troubles, in addition to settling any financial disputes related to the fraudulent activity.

Reducing Access of Identity Thieves to Social Security Numbers

All agencies in the public sector should limit the use of Social Security Numbers as an individuals main identifier in an information system. The Office of Personnel Management was instructed to assign employee identification numbers for common use to eliminate the widespread use of SSN as the primary identifier for government employees. The OPM was also instructed to develop policies for the appropriate use and protection of Social Security Numbers. Further more all agencies were asked to review their use of SSNs in physical and electronic records systems to eliminate and restrict its usage where possible.

Developing Alternative Methods of Authentication Identities

The Task Force recommended that agencies confer with privacy and security experts in the private sector to create and implement technologies that use identifiers such as biometrics to authenticate identity. Biometric identifiers are harder for identity thieves to replicate or abuse. Using biometric identifiers in order to access personally identifiable information would significantly increase the protection to sensitive data.

Improving Data Security in the Government

The Task Force asked that the Office of Management and Budget and the Department of Homeland Security work together to investigate privacy practices in the Federal government and develop a list of the top mistakes that affect an agency’s ability to adequately protect data. This document was published in 2007 under the title “Common Risks Impeding the Adequate Protection of Government Information.”

Improving the Agencies’ Ability to Respond to Data Breaches in the Government

Agencies were instructed to develop and publish a “routine use” policy for their systems of records under the Privacy Act. These “routine use” policies would allow agencies to share PII–without the prior consent of the individual–with other agencies in order to respond effectively to security breaches.

Summary

In 2006, the Presidential Identity Theft Task Force allowed the U.S. Government to quickly analyze federal information security practices and create appropriate recommendations and plans to increase protection. Of the seven recommendations put forth by the Identity Theft Task force in 2006, several have been fulfilled and/or implemented in to government practice. Today, the Task Force continues to discuss ways in which the U.S. Government can increase the protection of its data holdings to prevent unauthorized disclosure and expose citizens to the threat of identity theft. While only the Federal Government was required to implement many of the guidelines, they serve as a model for institutions in the private sector concerned with identity theft.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Recommendations of the Identity Theft Task Force, September 2006

1. “Security and Privacy Training is inadequate and poorly aligned with the different roles and responsibilities of personnel.”

Proper security and privacy education is part of the administrative safeguards needed to properly protect data. Information handlers must understand the risks facing sensitive information and their responsibilities towards maintaining the Fair Information Practices Principles. The report instructed agencies to include privacy and security training upon employment, maintain awareness through weekly tips, annual “security days” and other creative reminders. Agencies should also target individuals with more security and privacy responsibilities and provide more extensive training.

2. “Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.”

The Privacy Act of 1974 allows the sharing of information between government agencies provided the information receives the same level of protection after disclosure and the two agencies sign and follow a data sharing agreement. Failing to comply with a  data sharing agreement may allow serious breaches of a individual’s privacy. Agencies are encouraged to offer incentives for successful compliance with a data sharing agreement or contract. Agencies are also required to create detailed agreements (using Federal Acquisition Regulation Language) describing the procedures for protecting the information and assigning an individual to oversee the data sharing process.

3. “Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.”

Under the Freedom of Information Act and the Privacy Act of 1974, government agencies are required to maintain adequate records on the type or information systems they maintain and the types and uses of the information. With a few exceptions, such information must be available to the public. Improper record keeping poses a threat to the transparency of government activities and an individual’s right to access the information and agency maintains about them. Agencies should use enterprise architecture and inventories to review the type, location, and uses of information it has on record. Security controls should be developed in consideration of the inventory and all systems containing personally identifiable information should be regularly assessed to ensure the integrity and security of the data.

4. “Information is not appropriately scheduled, archived or destroyed.”

Information must be protected at all stages of its lifecycle including those when it is not in active use. The proper destruction of information is particularly important to safeguarding privacy. Information must be assessed to determine how long it needs to be maintained and whether it is permanent and needs to be archived by the NARA or temporary and needs to be destroyed. Agencies must obtain the National Archives and Records Administration approval to dispose of their records according to established record schedules.

5. “Suspicious activities and incidents are not identified and reported in a timely manner.”

Information security is an ongoing process which requires identifying and detecting potential threats. Instituting a system without following up with security checks and incident response is ignoring a fundamental part of the information security process. Agencies should develop and follow a set of procedures to identify and respond to security or privacy incidents. Response should be timely in order to be effective. Agencies should configure their computer systems to detect intrusions, monitor use, and log any incidents. Furthermore incidents should be reported to authorized personnel and agencies to reduce risk as quickly as possible.

6. “Audit Trails documenting how information is processed are not appropriately created or reviewed.”

It is not just the type of information that is collected but how it is used that is restricted to protect privacy and civil liberties. Accurate audit trails are necessary to record how information is being collected, used, maintained and disclosed by an agency. Agencies should use managed data repositories to develop and review the necessary audit trails. Those audit trails can then be used to identify anomalies, determine the status of data and destroy data when it is no longer necessary.

7. “Inadequate security controls where information is collected, created, processed or maintained.”

Security controls include technical, physical and administrative safeguards. They are the primary defense against unauthorized access and use of information. Agencies should maintain inventories of their physical property including real estate and mobile devices. Stronger controls should be applied to areas of high impact or high risk. Security procedures should be reviewed regularly (at least annually) to ensure physical access is granted only to authorized individuals.

8. “Information security controls are not adequate.”

The sole purpose of information security controls is to prevent unauthorized use and access. When such controls fail, the system must be improved or replaced to be provide adequate protection to information which is guaranteed under U.S. law. Security controls should be tested annually with higher risk systems tested more frequently. Personnel that test controls should be separate from the personnel that administer the controls regularly, to allow outside enforcement. Problems and improvements should be shared among agencies to promote awareness. All common security configurations should follow NIST guidelines. Agencies must also consider how the public availability of information affects how government information is protected.

9. “Inadequate protection of information accessed or processed remotely.”

Mobile devices and the increasing use of cloud computing technologies all government employees to access government information when working away from the office. Data must be protected equally when accessed from a computer at the agency and when accessed from a mobile device. Agencies should maintain an audit log of any information accessed or processed remotely. NIST encryption methods, two factor authentication, and automatic log outs after a certain period of inactivity should be employed. Agencies should ensure personnel understand the security risks involved with remotely accessing such information and have them sign a document denoting their privacy and security responsibilities.

10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

The E-Government Act of 2002 requires that all new information security systems conduct Privacy Impact Assessments prior to use, and periodically thereafter in order to evaluate the effectiveness of the system in protecting the information it maintains. Failing to assess new technologies for their privacy protections leaves large holes in the security of the system. Agencies should include information system planning, development and maintenance in their procedures and budgets. Systems should be purchased and implemented only when found to be cost effective in adequately protecting information. Software and hardware encryption products should be used according to the NIST certified cryptographic modules.

Summary

While there are a number of regulations such as the Privacy Act of 1974, the E-Government Act of 2002, as well as the Fair Information Practice Principles which guide the use of information by the Federal Government, such regulations are not always implemented properly. Reports such as the Common Risks Impeding the Adequate Protection of Government Information are necessary to maintain an ongoing discussion regarding information privacy and security and continue to increase security protections as technologies and threats evolve.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Common Risks Impeding the Adequate Protection of Government Information
• Information Privacy Laws for U.S. Government Practice (I.C.)

Located on the southeast coast of North Carolina, Wilmington is far from a booming metropolis, with just under 100,000 residents estimated in 2007.  Along with the nearby Wrightsville Beach, the cities want to record license plate numbers for every vehicle that crosses the bridge between the two communities as well as a couple other locations within the area.  The tag details would be compared against the FBI’s National Crime Information Center database.

“A lot of people might say it’s Big Brother at work,” said John Carey, Chief of Police in Wrightsville Beach.  ”There is no expectation of privacy to a license plate number,” as it is essentially a vehicular public record.

Chief Carey suggests the information in the NCIC is there for a reason, and this type of check won’t matter to most citizens.  What Carey doesn’t keep up with surrounds the NCIC database and accuracy reviews.  The NC Police expect to take the database contents as gospel.  Originally, the NCIC was only intended for major criminal offender information.  That was expanded in the late 90′s to include civil cases such as stalking or domestic abuse.  After 9/11, immigration and terrorist data began infiltrating the NCIC.  As the database’s scope expands, so to has the outcry.  Peace Activists found their way into the NCIC.  The New York Immigration Coalition appealed to the local city government to change their arrest policies. the Electronic Privacy Information Center has an online petition drive to allow NCIC citizen redress.  As databases age, they must be deconflicted and purged lest they lose their efficiency.

The most interesting point from a privacy rights standpoint is the persistence of the effort.  The cities expect to maintain the license tag information collected for about a year.  They do not say how frequently they will review the data or how often it will be compared against the NCIC.  From a general privacy policy standpoint, the Wrightsville and Willmington Police Departments are collecting information without specific knowledge of how they plan on using it, how often it will be accessed, or how long they will maintain the records.  It is unknown if they will have access policies or regulations/audits of how the information will actually be used.  These are all points a bank would have to address with their customers prior to embarking on a program with a third party marketing company.

“It’s not a legitimate use of this technology to be storing information on innocent citizens on the off chance that someday law enforcement might want to track this person down for some reason,” said Jennifer Rudinger, executive director of the American Civil Liberties Union of North Carolina.  “This is another example of how technology is getting ahead of our laws.”

Above all else, this is a very slippery slope.  What starts as an automated plate check for criminals could easily become detectives checking a suspects alibi on an open case, Private Investigator access for a divorce proceeding, or even noticing the mayor’s car has an extra passenger and blackmail or other corruption.  The New York City Police Department had problems with their NCIC access – what’s to stop local NC police officers from poking around?

Mr. Elefant, would you please tell me a little bit about your background?

I’ve been in and around payments for 20 plus years. I started a company called IC Verify which was the first PC payment software company in the 80’s doing credit cards, ATM / debit and check processing on personal computers. We rolled that out to 250K merchants in 21 countries with a half dozen languages. ICVerify was merged with CyberCash, and I became the vice chairman of CyberCash. After leaving CyberCash, I was involved in several other startups including a company called Price Radar in the online auction space, a digital content management and micro payments company called Yaga and then venture capital for the last five years before joining Heartland Payment Systems.

________________________________________

So the division you’re handling is the payment systems?
I am the executive director of end-to-end encryption. This position touches on many aspects of Heartland’s diverse business.

________________________________________

As far as the end-to-end encryption, first, what do you think of the media’s treatment of Heartland? From my perspective, with a little time in journalism, the story was ‘if it bleeds, it leads’… that seems to be the mantra and the announcements that went on with Heartland incident, the media absolutely had a field day. What was the actual severity of the breach, and was it as bad as the media portrayed?

We seem to be turning the tide. We’ve been proactive in leading industry change, sharing information and furthering the development of end-to-end encryption as a key element that will help the industry be more secure.
________________________________________

What do you think of the PCI DSS? Does it go far enough? Obviously, with Visa putting you guys and RBS on probation… What was the disconnect, and what do you think of the PCI DSS?

Heartland was PCI certified every year it was assessed. Yet our system was breached, showing that the standards did not fully protect data. It may well be that no set of standards ever could fully protect data in this environment — where motivated criminals develop ever more sophisticated ways to infiltrate systems. We are working on new approaches to enhance security.
_______________________________________

So it’s just the application itself has to be certified and you guys are going above and beyond that throwing in the end-to-end encryption to take care of everything that’s not currently called out in the PCI-DSS?

Yes. What we’re doing is from the time the digits leave the mag stripe, as they are read through that read head, they will be encrypted with very strong TRSM (Tamper Resistant Security Module) and AES encryption. Through the terminal, over the wires, through our hosts and through the card brands, the transaction will be encrypted – as long as the brands agree to do this.

________________________________________

As far as the price tag for a breach, what are we looking at as far as potential sanctions from the PCI, I’m not talking about specifically about Heartland, but in general terms if you can’t talk about Heartland, what are we looking at as a breach? We’re talking sanctions, breach notifications, brand harm – what do you see as the final price tag?

Breaches are expensive in all of those categories and more. The results of some past breaches are publicly available. I don’t’ know how to answer your question about a specific price tag. It’s still TBD.
________________________________________

A pretty consistent theme in my reading and at conferences is people saying, “The reason we’re doing all this security work is for compliance – we’re trying to comply with the governmental regulations rather than trying to do what’s in the best interest of protecting the customer.” Because there are risk tradeoffs, how do you weigh between the privacy of the user and the compliance with whatever regulation?

I think compliance and security go hand in hand. Compliance, though, is not enough in and of itself. That is why we are working to enhance the existing industry standards. We are also working with ANSI X9 F6 t to help create greater security around PAN’s as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Payments Processing Information Sharing Council (PPISC) to share threat information and protect the entire industry, business owners and consumers
________________________________________

So one of the reasons for the CIPP Guide website is to serve as a resource for the privacy professional certification. What do you think of certification programs, both in general as far as technology certifications go?

I think they’re very important. The education process that goes on within the industry has to be an ongoing one. It’s not a one-time thing. The industry changes and evolves, and the threat vectors change. This is a continuous process the industry needs to continue to support.
________________________________________

It definitely seems like you guys are moving in the right direction. As I said earlier, it’s unfortunate that the media gets a hold of these things, because, I seem to recall that the information that was lost was bad, but not so bad that it was going to bring about the end of the financial market.

We are trying to do things that benefit our business, the entire industry, merchants and consumers.

The complete interview with Mr. Steven Elefant, including more details on PCI and his thoughts on compliance is available in the CIPP Guide forums.

Ed. note:  Before the interview, Visa had revoked Heartland’s PCI compliant status as of March 13th, 2009.  According to Visa’s website, Heartland apparently regained their PCI compliant status as of April 30, 2009.  As of May 7, 2009, the Heartland breach reportedly cost over $12.5 Million.

Join the forum discussion on this post - (1) Posts

Missouri accepted $17 M in DHS grants last year to serve as the lead developer in a REAL ID verification hub.  That grant included an additional $1.2M to each of four other states (Florida, Indiana, Nevada, and Wisconsin) that, as the DHS announced, would use Missouri:

… as a central router to provide timely, accurate, and cost-effective verification to motor vehicle departments of an applicant’s source documents. States will be able to seamlessly verify the identity, lawful status and social security number of an applicant through this common interface.

What will happen to any unspent funds, and if there will be any penalties from the DHS for contract breach has yet to be determined.  What is know is part of HB 361 does deal with destroying personally identifiable information collected in the verification hub capacity.  Missouri is taking their privacy role seriously:

Any biometric data previously collected, obtained, or retained in connection with motor vehicle registration or operation, the issuance or renewal of driver’s licenses, or the issuance or renewal of any identification cards by any department or agency of the state charged with those activities shall be retrieved and deleted from all databases. 

A few of the less obvious biometric authentication information are specifically called out in the bill.  Facial patterns, voice, iris patterns, retinal scans and fingerprint information are all part of the popular lexicon, showing up in Hollywood blockbusters over the past couple of decades.  Personally, DNA really has no reason to even be thought of as an option for biometrics with a whole host of associated issues that will no doubt be addressed at a future time.  Those that are a curiosity: eye spacing, gait, and keystroke dynamics.  None of these on their own should be an authentication parameter, as eye spacing and gait are casually observable, and keystroke dynamics vary widely.  Someone hopped up on a Starbucks or late for a plane simply won’t press the buttons with the same lethargy for accurate measurements.  Using percentages (2 out of 3) to make a better educated guess with these types of observations does makes sense.  This is probably not as big of a deal with a “driver’s license”, but as we covered, opponents of REAL ID expect the card to become the next Social Security Number in terms of ubiquity and several features of the Act worry privacy professionals.

The bill does give some justification as to the motives behind the change of heart, apparently seeing the REAL ID activities as complicating state’s rights.  As a verification hub, Missouri could be seen as potentially infringing on the rights of other states, or acting as an agent of the US Federal Government.  In all, the MO state legislators decreed:  

No citizen of this state shall have his or her privacy compromised by the state or agents of the state. The state shall within reason protect the sovereignty of the citizens the state is entrusted to protect.

Update:  Follow the current progress of HB 361 through the Missouri Governor’s desk on the MO State House of Representatives site.

The PASS ID Act currently circulating in Washington would give states even more time (4 additional years) than the 2008 DHS extensions until 2017, additional flexibility in the design and implementation and, most importantly, money to meet federal REAL ID requirements.  PASS ID would allow continued use of current driver’s licenses for commercial airline travel and for federal building entrance for the foreseeable future.  Under the REAL ID Act, states not meeting a list of license upgrades would have to bring their US passport after January 2010 to catch a plane or head into a federal building.

The Homeland Security Secretary, Janet Napolitano said last Wednesday, “We’ve been, over the last weeks, meeting with governors of both parties to look at a way to repeal Real ID and substitute something else that…accomplishes some of the same goals. And we hope to announce something on that soon.”  Napolitano was the previous governor of Arizona, and signed a bill prohibiting the state’s compliance with REAL ID.  A total of 18 states since 2005 have passed anti-REAL ID legislation, calling the act an unfunded mandate violating state’s rights.  Of the 18 states that passed non-binding resolutions or prohibiting statues, 12 cited privacy as rationale for the disaccord. 

A former 9/11 Commission counsel and National Security Policy Director at the Center for Immigration Studies produced a scathing analysis of the Pass ID proposal, saying it is “a complete gutting of REAL ID,” and “leaves the 9/11 Commission secure ID recommendations in the dust, setting minimum standards that the 9/11 hijackers could easily have bypassed”.  The Director of Information Policy Studies at the libertarian Cato Institute, thinks PASS ID will not go far enough to eliminate all state concerns.  “The structure of it is obviously Real ID, with some of the sharpest corners taken off.”

Will the new legislation alleviate the most significant privacy violations?  Montana will likely have a say, already passing a refusal to comply law due, among other reasons, to the REAL ID Act’s violating the “right to privacy, as secured by Article II, section 10, of the Montana Constitution, of thousands of residents of Montana”.  Other states, including Michigan and Pennsylvania have followed suit without further concessions or privacy guarantees from DHS.   This is a direct confrontation over state’s rights, with privacy considerations anchored front and center.

We were coming down to the wire. States across the country already have plans in place, funding spent or even implementations of the REAL ID, where Radio Frequency Identifiers (RFID) were embedded into Passports and state drivers licenses. Congress originally passed the REAL ID Act in 2005, expecting to modernize everything from DMV visits to border crossing checkpoints. The original implementation deadline was 2008, but it was extended to 2013 and then 2017 when only a handful of states were close to even completing evaluation studies.  The Department of Homeland Security maintains a site discussing the reasons and benefits of the project.

One of the states that was on track: Michigan.  Michigan Rep. Paul Opsommer wants to make sure on time doesn’t mean insecure:

“Michigan entering into a federal agreement to put unencrypted, long range RFID computer chips into our driver’s licenses presents a huge privacy risk with very little benefit.  I don’t think we need RFID in our licenses period, but even if we did, there is absolutely no reason it couldn’t be short range and encrypted. The federal government has made some bad technology choices that they now want to cram down the rest of our throats. Canada is totally rethinking this whole program from the ground up, and so should Michigan.”

Indeed, Michigan’s northern neighbors decided their implementation of RFID enhanced drivers licenses needed rethinking. The Saskatchewan Province enhanced drivers licenses (EDLs) were scheduled for approval by a June 1, 2009 deadline set by the United States.  That is the date travelers from Canada must present border crossing documents – either Passports or EDLs. The problems surround privacy included in Bill 72, and inadequate time before enactment for impact studies by the Privacy Commissioner. Privacy watch guards point out that the RFID tags used in EDLs may be read from at least 30 feet away, there are questions regarding security protections for the database holding the personal information and the storage in these databases of more information than necessary.  There are similar questions for Bill 85 in Ontario, several of which the Province’s Information and Privacy Commissioner reviewed.

Representative Opsommer’s concerns are not unfounded. The proposed Michigan licenses contain an unencrypted RFID chip with a range of at least 30 feet. There is a new, unique Citizen ID number included that some privacy pundits believe could be the 21st century Social Security Number. Also, there are no laws in Michigan preventing unauthorized access or storage of the card data.

Four researchers from the University of Washington and the encryption company RSA presented a paper in October 2008 performing a vulnerability assessment and documenting clonable information on passport cards (PASS cards) and Washington State Enhanced Drivers Licenses.  The researchers demonstrated:

“that the publicly readable data in both types of identity document can be straightforwardly cloned after a single read.”  The cards “are subject to reading at a distance of at least 50 meters under optimal scan conditions (down a long hallway, but still operating within FCC limits).” 

There are two other items to consider with these cards: a ‘kill’ command, and ‘lock codes’ for writable memory areas.  The EDLs tested were susceptible to the kill command, effectively voiding the RFID and likely the card for cross border use.  The EDLs also did not use lock codes and therefore could be further invalidated through electronic tampering.  The PASS cards were not vulnerable to lock code attacks, but there are conflicting reports on the kill capabilities.

The range on the cards should also be of concern. In 2006, Wired Magazine interviewed Jonathan Westhues, who demonstrated a homemade RFID reader.  The test involved an RFID card typically used for entering buildings.  That particular example required Westhues to pass “within a few inches” of the card holder.  There were several factors involved, including the type of cards used in the demonstration and the reading device and antennae rigged together.  A similar example by Chris Paget was a bit different.    Paget, a researcher with IOActive, drove around San Francisco with a $250 Motorola card reader and an antennae attached to the roof of a car.  The video shows the team nabbing details from two US Passport cards (PASS cards).  EDLs and PASS cards are distributed with protective sleeves intended to shield the cards from this sort of remote scanning.  The University of Washington researchers found that, while cards in a well maintained sleeve were not readable, the RFID credentials in a crumpled sleeve were accessible. Real world use suggests the sleeves were often lost or simply disposed of.

What about security features, such as PINs or encryption? Yes, they do work.  Sort of.  Adam Laurie, a British security expert, cracked the UK passport encryption and remotely read it’s credentials while still in the original mailing envelope.  Security consultant Lukas Grunwald of Germany demonstrated forging German passport’s at the Blackhat security conference, providing documents that successfully passed through an electronic passport reader.  Similar vulnerabilities have been found in Czech e-passports.  Some of these problems stem from not understanding the technology, implementing the technologies improperly, or simply ignoring the security features as unnecessary.  

“I personally believe that RFID is very unsuitable for tagging people,” Paget said. “I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped.”

There are other problems beyond cloning.  With a unique ID on each card, there is the risk that people may be tracked, similar to the usage of cell phones in Britain to track customers and their shopping habits.  The ubiquitous nature of a drivers license provides more data; not everyone has a cell phone or carries it with them all the time.  This tracking is less likely to happen with shorter range cards, or those that implement security features.  And laws in place will stifle legal tracking of this sort, and the possibility of creating separate “marketing id” type databases based on EDL ID numbers.  Washington State Department of Licensing spokesperson Gigi Zenk says that laws have been passed prohibiting third parties from accessing RFID information without the owner’s consent.

It comes down to an increasing reliance on technology.  Let’s remain cognisant of how important the information on these cards is or can become.  As we put more technology in, we as a society expect that the output has to be better.  That said some of the biggest problems in information security and privacy are social engineering – pretending to be someone you’re not.  Implementing more technology should assist not replace the manual processes that successfully root out thieves and criminals.  ”I think we are in the growing-pains phase,” says Johns Hopkins University computer science professor and security researcher Avi Rubin. “This happens with a lot of technologies when they are first developed.”  Let’s aim to not let the growing-pains become chronic disease.