Identity, Privacy and Security perspectives on Ontario's proposed enhanced drivers licence (EDL)



1
Identity, Privacy and Security perspectives on
Ontario's proposed enhanced drivers licence (EDL)

Andrew Clement, Identity, Privacy and Security
Initiative, Information Policy Research
Program, Faculty of Information, University of
Toronto
  • Ontario Government Access and Privacy Workshop 2008
  • Toronto
  • Oct. 8, 2008

2
Overview
  • Introduction to Surveillance, Identity, Privacy
    and Security
  • Unpacking Ontario's DL proposals
  • Facial recognition screening
  • RFID for border crossing
  • Design alternatives
  • Passport RFID-less EDL
  • Next steps

3
Living in a Surveillance Society
  • Surveillance
  • "Any focused attention to personal details for
    the purpose of entitlement, influence or control"
    (David Lyon)
  • Fast becoming the dominant organizing principle
    of late modern society.
  • May be benign or harmful
  • Raises thorny issues of privacy, security and
    identity

4
The New Transparency project: Surveillance and
social sorting
  • Questions
  • What factors contribute to the general expansion
    of surveillance as a technology of governance in
    late modern societies?
  • What are the underlying principles, technological
    infrastructures and institutional frameworks that
    support surveillance practice?
  • What are the social consequences of such
    surveillance both for institutions and for
    ordinary people?

http://www.surveillanceproject.org/
5
Subprojects
  • IRSP 1: The Role of Technology Companies in
    Promoting Surveillance Internationally
  • IRSP 2: Digitally Mediated Surveillance, From the
    Internet to Ubiquitous Computing
  • IRSP 3: Surveillance Consequences of 9/11
  • IRSP 4: Surveillance and Population Management

6
Coming events
  • Workshops
  • Population Management in Conflict zones (IRSP 4)
    Cyprus
  • Surveillance Games, Vancouver
  • Surveillance Technology Companies (IRSP 1) Open
    University
  • Cyber surveillance (IRSP2) Toronto,
  • Surveillance Ten Years After 9/11, (IRSP 3)
    Kingston
  • Conference on Canada's Surveillance Society,
    Ottawa 2011

7
Identity, Privacy and Security in a
Surveillance Society
[Diagram labels: Security; Privacy; Identity; Surveillance Society]
8
Introducing IPSI: the Identity, Privacy and
Security Initiative
  • IPSI aims to carry out a pioneering,
    interdisciplinary program of research, education,
    outreach, and industry collaboration, combining
    technological and policy perspectives. Supported
    by U of T's Academic Initiatives Fund (AIF).
  • Management Committee
  • Dimitrios Hatzinakos (Chair), Professor, Dept of
    Electrical and Computer Engineering (ECE)
  • Andrew Clement, Professor, Faculty of Information
  • Kostas Plataniotis, Associate Professor, Dept of
    Electrical and Computer Engineering (ECE)
  • Leslie Dolman (Exec Dir)

9
Introducing IPSI: Advisory Board
  • Ann Cavoukian (Chair), Commissioner, IPC
  • Ken Anderson, Assistant Commissioner, IPC
  • Richard Alvarez, President and CEO,
    Canada Health Infoway
  • Dean Barry, Senior Policy Advisor,
    International Affairs Directorate,
    Public Safety of Canada
  • Stefan Brands, CEO Credentica, Microsoft
  • Yim Chan, Global Privacy Executive, Chief Privacy
    Office, IBM Canada
  • Richard Owens, Partner, Blake Cassels and Graydon
    LLP
  • Angela Power, Senior Privacy Consultant,
    Bell Canada
  • Art Smith, Founder and CEO, GS1 Canada
  • George Tomko, Biometrics Scientist, IPSI
    Expert-in-Residence
  • Lynne Zucker, Director, Education and Research,
    Sun Microsystems
10
Introducing IPSI Activities
  • Public lectures series
  • Graduate course and specialization
  • JIE1001 Seminar in Identity, Privacy Identity
  • Other events
  • Public Information Forum on Ontario's proposed
    EDL, FI, July 16, 2008 (with IPC, FI, IPRP)
  • Identity Rights Colloquium, Fac. of Law, October
    31, 2008 (with CILP)
  • Research round tables (Spring 2009)
  • Research Day (May 2009)

11
The Performing Identity project
[Diagram labels: Security; Privacy; Identity; Surveillance Society]
12
Evaluating the EDL/ID proposals - the Oakes Four
Part Test
  • The burden of proof must always be on those who
    claim that some new intrusion or limitation on
    privacy is necessary. Any proposed security,
    identity measure must meet a four-part test:
  • Necessary: It must be demonstrably necessary in
    order to meet some specific need
  • Effective: It must be demonstrably likely to be
    effective in achieving its intended purpose. In
    other words, it must be likely to actually make
    us significantly safer, not just make us feel
    safer.
  • Proportionate: The intrusion on privacy must be
    proportional to the security benefit to be
    derived.
  • Minimal: and it must be demonstrable that no
    other, less privacy-intrusive, measure would
    suffice to achieve the same purpose.
  • Privacy Commissioner of Canada, Nov02,
    derived from Oakes

13
The actor-network of my Ontario DL

14
The actor-network of Ontario's DL
[Diagram labels: Ontario DL (Facial Image, DL Number, Name, Address, Date of birth, Sex, Height, Dates of issue/expiry, more numbers); Bars; Couriers; Merchants; Post office; Others]
15
The actor-network of Ontario's DL
[Diagram labels: Ontario DL (Facial Image, DL Number, Name, Address, Date of birth, Sex, Height, Dates of issue/expiry, more numbers); MTO; ServOnt; Vendors; Bars; Highway Traffic Act; Card devices; FIPPA; Wallets; Couriers; 85.6mm x 54mm x 0.76mm; Drivers DB; Merchants; Police; Post office; CPIC; CBSA; AAMVA; CBP; Others]
16
Main DL Actors
  • Human Actors
  • Canadian
  • Ontario Min. Of Transportation (MTO)
  • Service Ontario
  • Police officers
  • Canadian Border Service Agency (CBSA)
  • Vendors
  • Bars
  • Post offices
  • Couriers
  • Merchants
  • other orgs that ask for the DL
  • Can/US
  • American Association of Motor Vehicle
    Administrators (AAMVA)
  • US
  • US Customs and Border Protection (CBP)
  • Non-Human Actors
  • Documents
  • Highway Traffic Act R.S.O. 1990
  • Freedom of Information and Protection of Privacy
    Act R.S.O. 1990
  • Devices
  • Drivers Licence (DL)
  • Image capture and card production devices
  • Wallets
  • Databases
  • Drivers DB
  • Canadian Police Information Centre (CPIC)

17
Unpacking the EDL/ID proposal in Bill 85,
Photo Card Act, 2008 (June)
[Diagram labels: Current DL; Proposed DL; FRT]
18
Unpacking the EDL/ID proposal in Bill 85,
Photo Card Act, 2008 (June)
[Diagram labels: Current DL; Proposed DL; Proposed EDL; FRT; MRZ; For WHTI deadline (June 2009)]
19
Unpacking the EDL/ID proposal in Bill 85,
Photo Card Act, 2008 (June)
[Diagram labels: Current DL; Proposed DL; Proposed EDL; FRT; MRZ; For non-drivers (2010); Photo ID; Photo ID]
20
Unpacking the EDL/ID proposal in Bill 85,
Photo Card Act, 2008 (June)
[Diagram labels: Current DL; Proposed DL; FRT]
21
The actor-network of Ontario's DL
[Diagram labels: Ontario DL (Facial Image, DL Number, Name, Address, Date of birth, Sex, Height, Dates of issue/expiry, more numbers); MTO; ServOnt; Vendors; Bars; Highway Traffic Act; Card devices; FIPPA; Wallets; Couriers; 85.6mm x 54mm x 0.76mm; Drivers DB; Merchants; Police; Post office; CPIC; CBSA; AAMVA; CBP; Others]
22
The actor-network of Ontario's DL
[Diagram labels: MTO; ServOnt; Drivers DB; Ontario DL (Facial Image, DL Number, Name, Address, Date of birth, Sex, Height, Dates of issue/expiry, more numbers)]
23
The actor-network of DL FRT
[Diagram labels: MTO; ServOnt; Facial Images; Drivers DB; Ontario DL (Facial Image, DL Number, Name, Address, Date of birth, Sex, Height, Dates of issue/expiry, more numbers)]


24
FRT - Facial Recognition Tech (aka Photo
Comparison Technology)
[Diagram labels: Image template; Ontario DL (ID) database, 10M records]
25
FRT - Facial Recognition Tech (aka Photo
Comparison Technology)
  • IPC statements on biometrics
  • Given the power and complexity of biometrics, my
    office has set out strict conditions under which
    the use of biometrics could be considered. No
    database of biometric information, should be
    created without applying the minimum standards
    for the use of biometrics, as set out in the
    Ontario Works Act.
  • ...there must be no ability to compare biometric
    images from one database with biometric images
    from other databases or reproductions of the
    biometric not obtained from the individual
  • (Open letter, from Commissioner Cavoukian to
    Hon. D. Tsubouchi, April 5, 2001)

26
FRT - Facial Recognition Tech (aka Photo
Comparison Technology)
  • Ontario Works Act 1997 standards
  • the biometric must be stored in encrypted form
    both on the card and in any database
  • the encrypted biometric cannot be used as a
    unique identifier
  • the original biometric information must be
    destroyed upon encryption
  • the stored encrypted biometric can only be
    transmitted in encrypted form
  • no program information is to be retained or
    associated with the encrypted biometric
    information
  • there can be no ability at the technical level to
    reconstruct or recreate the biometric from its
    encrypted form
  • there must be no ability to compare biometric
    images from one database with biometric images
    from other databases or reproductions of the
    biometric not obtained from the individual
  • there can be no access to the biometric database
    by law enforcement without a court order or
    specific warrant.

27
FRT - Facial Recognition Tech (aka Photo
Comparison Technology)
  • Another noted Ontario biometrics expert
  • "Biometrics, if used as currently marketed by
    most biometric vendors where the biometric
    template is used as the token of identification
    or verification will further erode privacy and
    jeopardise our freedoms. The simple fact is that
    template-based biometrics are not privacy
    friendly. Any time you base verification or
    identification on comparison to a stored template
    you have a situation which, over time, will
    compromise privacy either by business or
    government, in response to the next national
    emergency"
  • Tomko, George, "The Fundamental Problem with
    Template-based Biometrics", presentation at the
    12th Conference on Computers, Freedom and
    Privacy, San Francisco, 16 April, 2002.

28
FRT - Facial Recognition Tech (aka Photo
Comparison Technology)
  • Evidence for effectiveness?
  • Protection against false positives? Redress?
  • Will a template approach be used?
  • Compliant with Ontario Works Act standards?
  • Security of the database? (e.g. biometric
    encryption?)
  • Data sharing? Strictly limited and transparent?
  • Protection against function creep?
  • Privacy Impact Assessment?
  • Independent? Public involvement?

29
The actor-network of DL FRT
[Diagram labels: MTO; MGS; ServOnt; IPC; Biometric expert; Ontario Legislature; Photo Card Act 2008; Ontario Works Act 1997; Facial Images; Image Templates ?; Drivers DB; Ontario DL (Facial Image, DL Number, Name, Address, Date of birth, Sex, Height, Dates of issue/expiry, more numbers); FRT software; FRT Vendors]
30
The actor-network of DL FRT
[Diagram labels: MTO; MGS; ServOnt; IPC; Biometric expert; Ontario Legislature; Photo Card Act 2008; Ontario Works Act 1997; Facial Images; Image Templates ?; Drivers DB; Ontario DL (Facial Image, DL Number, Name, Address, Date of birth, Sex, Height, Dates of issue/expiry, more numbers); FRT software; FRT Vendors]
31
Introducing the RFID for the Enhanced DL
[Diagram labels: Current DL; Proposed DL; Proposed EDL; FRT; MRZ; For WHTI deadline (June 2009)]
MRZ sample: <<CANCLEMENT<<ANDREW<HOWARD<<< JK123456<5CAN4701010M0809100<<
32
Introducing the RFID for the Enhanced DL
[Diagram labels: Current DL; Proposed EDL; RFID; For WHTI deadline (June 2009)]
33
RFID - Radio Frequency ID chip
[Diagram labels: 10m; RFID reader; US databases; Unique identifier; Border agent; CBSA database; EDL/ID cardholder]
34
DHS Secretary Michael Chertoff
  • On the EDL
  • When you're coming up to the booth at the
    land port of entry, if you have to hand your card
    over and the inspector has to key in your name,
    that's five seconds, 10 seconds, plus the
    possibility of an error. What the chip does is it
    allows, as you approach, the system to read it
    and then pop up your information on the screen.
  • It's kind of a REAL ID with an additional
    feature: a chip.
  • Arizona, Dec 6, 2007, see
    http://www.dhs.gov/xnews/releases/pr_1197041144284.shtm
  • To an international privacy conference
  • While some debate has taken place in Canada over
    the idea of a national ID card, Chertoff said
    Americans would never stand for it.
  • "Their heads would explode," he said.
    CP, Montreal, Sep 26, 2007
  • http://www.cbc.ca/canada/montreal/story/2007/09/26/qc-homeland0926.html

35
Canada's Privacy Commissioners
  • Expressed their concern that any requirement
    imposed by the United States government for
    vicinity radio frequency identification
    technology (RFID)
  • 1. permits surreptitious location tracking of
    individuals carrying an EDL and
  • 2. does not encrypt or otherwise protect the
    unique identifying number assigned to the holder
    of the EDL and would not protect any other
    personal information stored on the RFID
  • They called on the Government of Canada, and
    participating provinces and territories, to take
    steps to ensure the security of personal
    information stored on EDL RFID tags and to
    prevent the possibility of surreptitious location
    tracking.
  • Victoria, February 5, 2008
  • http://www.privcom.gc.ca/media/nr-c/2008/res_080205_e.asp

36
RFID - Radio Frequency ID chip
  • Why choose a notoriously insecure vicinity RFID
    (i.e. UHF EPC Gen 2), rather than a proximity
    RFID (10m vs 10cm range)?
  • What protection against covert sniffing,
    interception, or other identification attacks?
  • Can the protective sleeve possibly be
    effective?
  • Why isn't the unique RFID number treated as
    personal information? e.g. Why no encryption?
  • What protections for Canadians' data in US?
  • Has DHS bullied Canada into an inferior approach?

37
Other rationales for including RFID?
  • Integration with REAL ID, as de facto NA ID card?
  • Population surveillance capability with Human ID
    at a distance (HumanID) - Total Information
    Awareness
  • http://w2.eff.org/Privacy/TIA/hid.php
  • What protection against this function creep?

38
The actor-network of EDL/RFID
[Diagram labels: MTO; MGS; ServOnt; Priv Comm; Ontario Legislature; Photo Card Act 2008; Passenger Protect; convenient cheap fast; bulky costly slow; Drivers DB; Police; CBSA DB; EDL RFID; Passport; CBSA; AAMVA; MOU; CBP; RFID reader; Protective Sleeve; SPP; CBP DB; Secure Flight..; IRPTA; ICEPIC..; WHTI; REAL ID; DHS; US Congress; RFID vendors; US public]
39
The actor-network of EDL/RFID
[Diagram labels: MTO; MGS; ServOnt; Priv Comm; ACT; CoC; Canadian public; BTA; Ontario Legislature; Photo Card Act 2008; Passenger Protect; bulky costly slow secure versatile; ICLMG; privacy protective secure; convenient cheap fast; surveillance enabling; Drivers DB; Police; CBSA DB; EDL RFID; Contact-less Smart Card; North American National ID card; Passport; CBSA; AAMVA; MOU; CBP; RFID reader; Protective Sleeve; SPP; CBP DB; Secure Flight..; IRPTA; ICEPIC..; WHTI; REAL ID; DHS; US Congress; RFID vendors; Smartcard Alliance; ACLU; US public; EPIC]
40
Main EDL/RFID Actors (Human)
  • Human Actors
  • Canadian
  • Ontario Min. Of Transportation (MTO)
  • Service Ontario
  • Police officers
  • Canadian Border Service Agency (CBSA)
  • Vendors
  • Bars
  • Post offices
  • Couriers
  • Merchants
  • other orgs that ask for the DL
  • Ontario Legislature
  • Min of Gov Services (CIPO)
  • Information and Privacy Commissioner (IPC)
  • Biometric expert
  • FRT vendor(s)
  • Human Actors - cont
  • Privacy Commissioners (PC)
  • Advanced Card Association of Canada ACT (industry
    lobby org)
  • International Civil Liberties Monitoring Group
    (ICLMG)
  • Council of Canadians (CoC)
  • Consumer Council of Canada (CCC)
  • GS1 Canada (Industry stds. body)
  • Can/US
  • American Association of Motor Vehicle
    Administrators (AAMVA)
  • Binational Tourism Alliance (BTA)
  • US
  • US Customs and Border Protn (CBP)
  • Smart Card Alliance (ind. lobby)
  • American Liberties Union (ACLU)
  • Digimarc (vendor of US EDLs)
  • L-I Identity Solutions (identity product
    conglomerate)

41
Main DL/RFID Actors (Non-Human)
  • Non-Human Actors
  • Documents
  • Highway Traffic Act R.S.O. 1990
  • Freedom of Information and Protection of Privacy
    Act R.S.O. 1990
  • Ontario Works Act 1997
  • Photo Card Act 2008 (Bill 85)
  • US Intelligence Reform and Terrorism Prevn Act
    (IRTPA) 2004
  • Western Hemisphere Travel Initiative (WHTI)
  • REAL-ID Act (US, 2005)
  • Smart Border Agreement and Action Plan (USCA)
  • Security and Prosperity Partnership (SPP)
  • Memorandum of Understanding (MOU) USCAN,
    CANOnt
  • Privacy Impact Assessment (PIA)
  • Threat Assessment (TA)
  • Non-Human Actors cont.
  • Devices
  • Drivers Licence (DL)
  • Image capture and card production
  • Wallets
  • FRT software
  • Enhanced Drivers Licence (EDL)
  • RFID (EPC Gen 2 RFID Tags)
  • Tag number
  • Protective sleeve
  • Contactless Smart Card (CSC)
  • REAL ID card
  • NEXUS card
  • PASS card
  • Passport
  • Biometric passport
  • National ID card

42
Main EDL/RFID Actors (Non-Human)
  • Non-Human Actors cont.
  • Databases
  • Drivers DB
  • Drivers facial image DB
  • Drivers facial image template DB ??
  • Canadian Police Information Centre (CPIC)
  • Immigration and Customs Enforcement Pattern
    Analysis and Information Collection System
    (ICEPIC) includes
  • Treasury Enforcement Communications System,
  • Student and Exchange Visitor Information System,
  • National Security Entry Exit Registration System,
  • U.S. Visitor and Immigrant Status Indicator
    Technology program
  • Non-Human Actors cont.
  • Databases (cont.)
  • Secure Flight?
  • Passenger Protect?
  • Distances
  • 10m (range of RFID)
  • 10cm (range of CSC)
  • Borders
  • US/Canada
  • Dates
  • Sept 11, 2001 (9/11)
  • Jan 23, 2007 (WHTI implemented for US/Can air
    travel)
  • June 2009 (WHTI implemented for US/Can land/sea
    travel)

43
Passport as an alternative to EDL
  • Extend life of Canadian passport to 10 years
  • as in the US, UK, etc. i.e. <9/year ?
  • Lower price of passport?
  • Auditor Gen says they are over-priced
  • Ontario subsidize cost for border area residents?
  • Passport as a citizenship right?
  • Speed up and ease issuing?
  • Temporary passport offices in border cities
  • Passport Fairs as in US
  • Speed up border crossing with passport?
  • Use the Machine Readable Zone (needed anyway)?

44
RFID - Radio Frequency ID chip
[Diagram labels: 10m; RFID reader; US databases; Unique identifier; Border agent; CBSA database; EDL/ID cardholder]
45
RFID-less EDL ( passport)
[Diagram labels: any distance; MRZ reader; Unique identifier/ passport; US databases; Border agent; EDL/ID/passport cardholder]
Note: Can also work with passports
MRZ sample: <<CANCLEMENT<<ANDREW<HOWARD< JK123456<5CAN4701010M0809100<
46
EDL/RFID vs Passport??
  • Considering
  • Cost
  • Convenience of acquisition and use
  • Privacy
  • Security
  • Usefulness
  • Governance
  • National sovereignty
  • will the EDL/RFID serve Ontarians better than the
    passport?

Most unlikely!
47
Summary - Questions and cautions
[Figure labels: Examine closely; Stop! Think again; Still preferable; RFID; FRT; Passport]
48
Next steps
  • Legislative review of Bill 85
  • in Standing Committee on General Government
  • Public participation
  • Social impact assessments
  • Systems design
  • Concept and prototype design
  • Field testing
  • On-going accountability and oversight

49
Check out the FAQ, webcast and on-line discussion
forum at IDforum.ca
IPRP
Information Policy Research Program