Archives

Security vs. Privacy in France – Part 3

This is part 3 of the discussion “Sécurité ou Vie Privée ?” (ed: Security or Private Life) moderated by Mathieu Vidard (MV).  Part 1 and Part 2 may be found here and here.

MV – Sir, did you have a question?

Man – What I would like to touch on, is not really a question but a topic: the human traceability inside Paris. It would be related to automated identification with RFID and biometrics.

MV – SL, isn’t it a topic you’re interested in?

SL – Indeed, this matters a lot to me. This kind of device, like a RFID chip in a biometric passport, comes from security needs. Since the 2001 attacks, it’s clearly all about protecting our countries from international terrorism so security measures are strengthened, particularly concerning our ids and at the borders. Does cropping our privacy guarantee our safety? There are very generic answers, clever surveys from philosophers, etc. about this issue. I’m not getting further into it but basically what we encounter very quickly is that these devices that are supposed to bring us safety are producing security risks. For instance, this is especially flagrant with RFID chips within passports. There are endless security issues, which means we don’t know how to secure these electronic devices properly. These issues exist because of lots of technical reasons and economic reasons as well. The technology is not mature enough presently for offering a satisfying result. On this point, we could accept the situation, as traveling documents have never really been fully secure even when it was only about a piece of paper. Convincing oneself about it would just require checking out how often the formats of such documents are renewed, for adding additional security assets. In this current configuration, we are forcing the introduction of a device which encompasses vulnerabilities and we don’t necessarily look for how to fix them because these agreements made about adding RFID chips in passports are agreements made at an international level and the United States of America was not insisting on a satisfying level of security. Another reason is that adequate investments in cryptology were not accepted. Such investment would have enabled securing these passports, or securing them further anyway. All this might look circumstantial, but the truth is that offering security means at the expense of security itself, is still annoying.

Woman – Excuse-me, just a short question… What exactly do you call vulnerability?

SL – Well, I’m going to provide you with a basic example with regards along with passports: two or three months ago, Elvis Presley crossed the Netherlands border.

JMM – I have another instance: two years ago, computer scientists created a bomb prototype which explodes exclusively nearby American passports. If you’re American and you’ve got the passport, the bomb explodes, if you’re not and you don’t own such passport, nothing happens.

MV – IFP, what about about RFID chips as we’re referring to it in the frame of Paris, as our guest was probably thinking of the Navigo pass and the occasions we have of using it?  What does the CNIL say about the data which are embedded in these chips?

IFP – Before talking about RFID I just would like to react in relation to the passports and to confirm that all discussions we have about them are not national. Of course, some decisions of standardization were taken at the international level and France had to take part in these discussions and to adapt its own (transport) titles. We made choices which are more maximalist than the ones made on the international scene, which is absolutely true but every country is heading to this kind of traveling documents. On another hand, in response to SL, I would like to mention that the market is not only originated by the state. There is a global market, there is a market of fear and technologies are there to respond to this market. All of us (individuals, states, companies) are accomplices of this market. Here is an example: the CNIL was recently seized about an organization taking care of disabled seniors with extremely reduced mobility. There is a bus picking up these people and some of them lose themselves because of being disoriented. Their families asked us about providing them with electronic tagging, instead of employing someone who would make sure each individual gets off the bus exactly at the place where he or she is supposed to. As things are kept simple this way, without worries, we would be automatically warned each time something would go wrong, each time someone would accidentally leave a perimeter of movement. We must realize, all of us are sustaining this market one way or another from our different fears. As a result, if in our opinion this market is too broad, we all (and the state particularly) have to assess our real needs about RFID.

MV - At the local level…

IFP – At the local level, of course, the CNIL is extremely vigilant relatively to this new technology allowing smart labeling. We might find it anywhere. It would allow theoretically any item communicating with you. You are in the street, you go before a poster and this poster sends you a message onto your phone asking you if you’d like to receive an advertisement or you walk before a shop, a chain store, you receive a short message and you might be interested in opting in for some services since you might get some discount in this shop… These technologies are obviously attractive for the general public. The CNIL doesn’t have a general solution for RFID but case-by-case answers depending on the variety of existing applications.

MV -Fine! We are about to see what is linked to citizen rights with SL concerning personal data in this chips. JMM, you had a reaction to share before moving forward with the next question?

JMM -About traceability at the level of Paris, there are camcords but they are not “smart” currently, not in the public area, at least. They are not paired with software capable of individual identification. But the RATP (Autonomous Operator of Parisian Transports) also has camcords belonging to its realm including buses, that are connected to a face recognition system, which is officially not activated yet. When will they activate it? Will they activate it? I don’t know. Anyway, you were referring earlier to the state of the art in terms of biometric recognition with video surveillance. It is not perfect yet. There are still many failures but many researchers are working on it. The other issue consists in the RFID chip contained in the Navigo pass which was imposed on everybody without any explanation. As a journalist, I was wondering why and I never received any answer. Nobody is telling why it was enforced. The Navigo pass stores the three last distances you have traveled. The data are deleted after 48 hours or 24 hours whereas the CNIL permits keeping them for 3 days at most. Each time the CNIL asks for some data on behalf of the police, the RATP needs an approval from a rogatory commission. The time needed to transfer this approval lets the data be deleted. Therefore, officially the RATP cannot reply positively to any police request. Today the infrastructure exists and it is all about making decisions for more traceability, keeping the data longer, activating the smart video surveillance systems and transforming the public RATP area into an even more totalitarian sphere. I said it is just about making decisions as the FNEG (National DNA File) was originally created for fighting against multi-recidivist sexual criminals and pedophiles, highly violent people. In few years, this file was extended to nearly all the crimes and derelicts. I believe that there are presently 125 or 135 crimes or derelicts which are concerned with the FNEG. So few years are enough for extending something dedicated to multi-recidivist criminals to the entire population. Maybe a particularly odious crime in the RATP area would trigger the activation of the smart video surveillance system and the traceability of anybody. It’s perhaps a political decision which might come from a news item and it depends also on the business. It’s a bit expensive. The technology is already inside the RATP anyway.

Share

1 comment to Security vs. Privacy in France – Part 3

  • pass navigo

    [...] permette la d©mat©rialisation du billet de train embarqu© dans le Pass Navigo. …Security vs. Privacy in France Part 3 CIPP Guide… frame of Paris, as our guest was probably thinking of the Navigo pass and the occasions we have [...]

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>