The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

California Soon to Have RFID Driver Licenses

Leave a comment

A California bill, S.B. 397, would allow the Department of Motor Vehicles (DMV) to issue enhanced driver’s licenses (EDLs) and identification cards, that is, licenses and IDs containing radio frequency identification (RFID) technology.

Such EDLs would include a machine readable zone or barcode that could be electronically read from a distance. These cards would transmit an encrypted randomly assigned number, but would not contain any other personal data, biometric information, or number. They would only contain the information required by the federal Western Hemisphere Travel Initiative (WHTI) established by the Department of State and Department of Homeland Security.

Pro: Convenience and Speediness

The WHTI requires U.S. and Canadian travelers to present a passport or other document proving their identity and citizenship when entering the U.S.

Carrying an EDL would allow travelers to use the Ready Lanes already available at some port of entry, which make the process of entering the U.S. faster and easier. A summary of the bill made this month by the Assembly’s Appropriations Committee describes the process as “convenient and time-saving.” Four U.S. states, Michigan, New York, Vermont, and Washington are already issuing EDLs.

Con: Privacy and Security Risks

What may be the risks for privacy? The web site of the Department of Homeland Security (DHS) states that “[n]o personally identifiable information is stored on the card’s RFID chip or can be transmitted electronically by the card. The card uses a unique identification number that links to information contained in a secure Department of Homeland Security database. This number does not contain any personally identifiable information.”

S.B. 397 contains provisions addressing the security issues that the use of such cards may raise. It states that the DMV would include in the EDLs “reasonable security measures, including tamper-resistant features to prevent unauthorized duplication or cloning and to protect against unauthorized disclosure of personal information regarding the person who is the subject of the license, permit, or card.”

The American Civil Liberties Union of Northern California opposes the bill, and states that DHS has admitted that the personal information encoded on the RFID chip could be read from up to 30 feet away. Also, the EDLs do not include technological protections to prevent the personal information from being read without the individual’s knowledge or consent.

The ACLU mentions a scientific report which studied the security of the Washington EDLs. The authors of this report stated that RFID contained in such cards only have limited security features and, as such, could be surreptitiously scanned and reproduced.

A note from the ACLU of Washington, published that the time Washington state proposed to have EDLs, had noted that such cards do not have built-in security, and thus the Department of Licensing would had to provide users with a security sleeve designed to block the RFID transmission. Such sleeve indeed prevents a card to be scanned without authorization, but, as the EDL does not have an on/off switch, the card can broadcast information to compatible readers within its range if taken out of the protective sleeve by accident.

The site of the Washington State Department of Licensing informs users that the “[e]nhancements included in the EDLs… are industry best practices for security”, that is, “secure and isolated-dedicated (optic fiber) network connectivity; encryption of personal identifying information between Washington State and the Border Officer during transmission; closed and secure network design, including firewalls and limited and controlled access to the network, network equipment, and data centers.”

Big Data at the Borders

However, there is no clear information on whether data about travel is retained, and, if it is, for how long. As travel data is of particular interest to governments, there may be a temptation to store and analyze it. For example, the Australian Customs and Border Protection Service recently put in place a program using Big Data to analyze passenger information.  There is no such program yet in the U.S., and the EDLs cannot be used for air travel, but we should keep in mind that these cards may be used as intelligence/surveillance tools.

The California bill has been approved by the Senate, and is now under consideration in the Assembly. It is expected to pass. A Committee hearing is scheduled for next Friday, August 30th.

Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual English-French, and writes articles regularly in these two languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked several years in the fashion retail industry, as a buyer then a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s