Decode Your Barcode, Get Your Personal Info

Chris writes "The Swipe Toolkit is a collection of web-based tools that sheds light on personal data collection and usage practices in the United States. The tools demonstrate the value of personal information on the open market and enable people to access information encoded on a driver's license or stored in some of the many commercial data warehouses. Check out the Data Calculator, which shows how much your personal info is worth, and how the data brokers get it. It's all part of the Swipe Project, which will be on exhibition at UC-Irvine in March."

When will the knock off start

[manganese4]

So when will the first knock off site appear asking you for simialr information but actually keep an image of it on their server?

I'm not sure I care about this.

[musingmelpomene]

In my opinion, we're less than 100 years away from basically a total lack of "privacy." I'm not entirely sure this is a terrible thing, but it will certainly have interesting ramifications for society.

Once people know that essentially no one's a saint, we'll all be a lot better off without the sanctimonious holier-than-thou crap we get so much of today.

I am honest in all my dealings except the occasional shoplift from Barnes & Noble. I'd be fine with a lack of privacy, because everyone would be under equal scrutiny. The thing that bothers me is unequal privacy - which we're at right now.

Once everyone's life is part of a public record, we're all equally screwed and we can build our society around a new, more honest paradigm.

Re:I'm not sure I care about this.

[metroid+composite]

A lot of privacy issues, videocameras in stores, monitoring what IPs have visited a certain site, et c. are already universal to everyone in the territory. I'm curious as to which privacies are unequally shared; most that I can think of depend purely on where you tread.

Re:I'm not sure I care about this.

[beakerMeep]

Yes but what if I don't want you to use my personal info to build your new society.

Why do people think that if nobody has any privacy that it naturally correlates with positive advancements toward open society? Wouldn't a lack of privacy be a boon to criminals and civilized society alike? Isn't this what we are seeing now with the rise of the internet?

I think the point is not whether or not privacy benefits society but whether or not an individual has a right to it. Personally, I like my privacy too a resonable extent because I don't like the idea that there are a bunch of people out there who compile profiles on me. Profiles that serve only a limited few purposes such as:

A) selling me products
B) stealing from me
C) arresting me
D) providing me medical treatment (see A)

While A and C could be good in some situations (ie I am a criminal or I got the right medical treatment because of a profile) I just don't see enough good in a total lack of privacy.

I think there will always be bad people in this world and if the data is out there and allowed to be shared it will be used for malice at some point but I think that's the key. As long as the data has strict sharing guidelines it can be beneficial. Without that, it does the individual AND HENCE the society very little good compared to the potential harm.

Re:I'm not sure I care about this.

[Planesdragon]

Why do people think that if nobody has any privacy that it naturally correlates with positive advancements toward open society? Wouldn't a lack of privacy be a boon to criminals and civilized society alike? Isn't this what we are seeing now with the rise of the internet?

Depends on how persuasive the lack of privacy is.

If it's essentially impossible to be private, then crime essentially vanishes. And, even better, if the "TIA" system works well enough, we'll see as the first change a massive drop in false accusations.

If privacy is still attainable by those who work at it, then crime will flourish under the system.

So, it should really be an "all or nothing" thing--that, as a most important safeguard, includes an automatic notification whenever someone wants to see your record.

Re:I'm not sure I care about this.

[photonX]

I think 100 years is *wildly* optimistic. The last 100 we went from literally a horse-and-buggy society straight into the Electronic Age, and from mainframes to handhelds in a quarter of that. I expect to see my every move tracked within the next 20, and DMV barcodes are tame next to face-recognition systems and rf tags.

I imagine that implantable chips have been discussed here before, probably ad nauseum, but it isn't much of a stretch to imagine that within a quarter century everyone under the age of 15 or 20 could be carrying one. In my country (USA) it will be called something like the Child and Infant Freedom and Protection Act, requiring implantation of ID tags in every newborn in the counry, and after that it's just a matter of time. After all, who's not all for protecting our children? And as long as they're already there, why not make it illegal to have them removed or deactivated--we have nothing to hide, do we?

If it's unpatriotic now to oppose the Patriot Act, how about a decade and a few more pre-emptive wars from now? We'll all be talking about the good old days when all we had to worry about were the barcodes on our drivers licenses.

Re:I'm not sure I care about this.

[atomicdragon]

I read that little comment and lost all respect for the guy and anything else he had to say.

Doesn't this demonstrate one of the needs for privacy? Whether he stole a book or not should not affect the validity of his point. Although some may need such information, such as an employer who could be putting themselves at risk, others have no real use for it.

I guess that just goes along with my answer to those that say "Only those with something to hide want privacy." Maybe I do have something to hide. It doesn't have to be something wrong, just something other people may misuses or have prejudice against, e.g. somebody's beliefs.

Re:DMCA the freakers!

Funny, BUT:

Can any lawyer or someone who has indepth knowledge of the DMCA tell us all if this is actually a valid idea? I would love to screw over these companies, and maybe they will fight the DMCA for us...

But...

There are attempts underway now to allow compilation of facts to be copyrighted. A compilation of facts about you could then, possibly, be your property.

lobbying work

[JimBobJoe]

Here in Ohio I've actually got a few legislators entertaining the idea of introducing (or at the very least co-sponsoring) legislation to prohibit machine readibility on driver's licenses.

I've done it by convincing them that machine readability will cause more fraud. How?

The experience is that when a human has a machine that does scanning, the human will take a quick glance at the photo (or no glance at all) and then swipe/scan the card...and the card will say X and the human will believe it. Based just on that, remagnetizing the card or even an overlay sticker over the barcode can be very successful.

Indeed, the only thing separating the cheap plastic card from being an other cheap plastic card is the hologram and other visual/tactile elements that humans detect, but machines don't. If humans have to examine the card in depth before scanning it, then there is little reason to actually have the scanning machinery.

Which is cool...because the Ohio BMV does pay a touch extra for the plastic card blanks with magnetic stripes, so getting rid of the stripes saves a touch of money...at least enough to keep the conservatives listening.

And then I hit the privacy arguments...which I save for last.

These things take time incidentally...especially here in Ohio where legislators are deathly afraid of making a mistake, and the full year calendar means that they can take their damn time doing things.

But I was quite honored the other day...as I walked by one of the senior administrators of the BMV she stopped talking...she didn't want me to hear anything she was saying. Quite the compliment.

Machine readability is also discused on my New Jersey driver license privacy site, listed below.

Death to magnetic stripes

[DoraLives]

licenses have magnetic stripes on the back

Mine does too. So the first thing I did with it after I got it was to lay it on a steel table at work and take a whacking big speaker magnet and just go to town on that thing. I've had law enforcement question me about the lack of data on that stripe, but so far a doofus look and a shrug of the shoulders has seen me on my way. Your mileage will vary.

Re:Death to magnetic stripes

Penna has a mag stripe also, and the scatter barcode on the application was easy to edit with a black rollerball pen. I'll have to check it out and see what I randomly changed. In Penna, the whole application was photographically shrunk, so that they had a "real" signature on the final card.

A de-gaussing coil works wonders on the magstripe.
Never had a LEO check the stripe, but I did get looks registering at a local auction when they scanned my license. Poor droid had to key it in by hand! Like my cash was no good!

Damn I guess I better post this anon, or uncle Jon Ashcroft will be looking for me.

Re:Death to magnetic stripes

[Stonent1]

I doubt killing the stripe is going to cause a big deal anyway. All they have to do is run your license number (or SSN, which is the same in many states)

I think this info is more along the lines of offline data. So in the instance that their database is down, they can still get some general data on you. Also, those 2d barcodes... Anyone remember the old Macintosh magazines that had those in the back and you scanned them in for free programs?

Re:Death to magnetic stripes

[annisette]

When I bought my portable music recording system it was from an old timer in the business.

He told me about recycling reel to reel tapes with a demagnitizer (or any tape for that manner), I bought one about 2x the size of a hockey puck, never used it but he told me it was a loaded gun around tapes and to be careful or you could nick another tape moving it around to the one you wanted to erase.

Re:Wow! My CueCat will be useful again!

[afidel]

I used mine to keep track of my customers DLT tapes. Since we were up to a library of ~500 tapes and were changing them out at a rate of 25 every 10 days or so it really paid off. In fact I had my brother write a little VBA app on top of Access to keep track of their container and position. That way when the library needed new tapes I could take the reports from Veritas and pick out the tapes that were ready to be reused and know right where they were. Before doing this it took me about 3 hours a week to change out tapes, after organising things it was down under an hour.

It also came in usefull when we were pulling out over 400 PC's from a client site, recording all those asset tags by hand would have been a LOT more tedious than just stacking em and scanning. Picking in up was definitly the best $0 and 10 minutes of my life I ever spent =)

I've done this

[PetoskeyGuy]

I was working on an application where the client wanted to be able to swipe a drivers license and get all the user data - name, address, height, weight, etc for quick data entry. We investigated and found that each state has different formats, and not all states put all that info on their cards in mag or bar code formats. We hoped to get all of this info quickly when people test drive a car.

We would have had to develop a different format for each state and in some cases resorted to scanning and OCR. In they end they decided they can type it in themselves rather then pay for development.

I did learn that serveral states were considering a standard format. Believe me that marketing companies are DROOLING over the day when every person has their Multi-Pass type card.

Very interesting to see the dollar amounts though. There should be a column for that on the 1040's. :)

BTW, to the person who mentioned a use for cue-cat - I have about 50 of them and they don't work that great. They are about 5 bucks on ebay, or free if you take the left overs from your local radio shacks.

Been Out For A While

[CritterNYC]

At some point, some time ago, there was a report about the bars in Boston scanning in the 2D codes on the back of licenses and then using it to send junk mail. The bars in New York City do the same thing. They won't let you in without "scanning" your license to be sure it isn't fake. They place it under a blacklight in a reader and it gets scanned. The club then has a record of every person, their address, description, birth date and drivers license that entered the club. On commercial licenses in some states, your Social Security Number is also encoded, so they'd have that, too.

Remember that, and think twice if the place you're about to enter really needs a complete copy of all the information on your driver's license. I've refused to provide it and taped over the back so noone can scan it quickly before I realize they're trying to. I haven't been refused access to anywhere yet.

Swipe this big bro....

[pair-a-noyd]

I took my DL and dropped it on the concrete, stood on it and twisted it on the concrete to render the bar code un-readable.

Then I took a LARGE degausser and nuked the mag-stripe into absolute oblivion.
And everytime I present my DL to any institution at their request/demand, I degauss it all over again, just to be sure in case they reprogrammed the mag-stripe.

When I go to the bank they have to use the phone and verify my license by reading the numbers over the phone since it is no longer machine readable.
Same thing when Mr. Busy Body policeman pulls me over to see if I have illegal farts in my pants or something. They tell me my license is "not working right" and that I need to have it replaced. I just tell them yeah, I dropped it and it got ran over in the driveway and that I am going to take care of it right away.. Yeah right.

Soo sorry, I don't play their game, I play the game my own way..

Used at Six-Flags theme park

[danwiz]

I was at Six-Flags theme park last summer and they scanned my Connecticut driver's license to determine if I was of legal age for a $4 cup of beer. They trusted the scanner and didn't even bother looking at the birthdate on the front. I now have concerns that my purchase info is in the company's database. If (or when?) this data is sold it could affect my health/life/auto insurance, privacy, etc.

Also, if I were stopped by the police on the way home this data could declare me guilty of DUI before proven innocent. Pretty bad since my girlfriend coaxed the beer away for herself before I could drink it.

Re:ALL YOUR INFO....

[BandwidthHog]

To eat for the same price as my neighbor I had to give my info to the grocery store.

I don't buy anything that's 'on sale' via their cards. Even if it's only a 10 cent difference. I go to their competitor for those items. If all stores in my town were holding boneless skinless chicken breasts hostage to the cards, well, I can eat hamburger (or steak) tonight.

Haven't checked the site lately, but nocards.org used to have a good FAQ on why you shouldn't just give bogus info to get one of those cards.

I got my barcode on my leg

[MajorDick]

I got a barcode of my DOB and SSN tatooed on my leg, I needed a 'cover up" tat for scar and (Yes I did the unimaginable and had my Ex's name tatooed on me :) Anyhow about 8 years ago I wanted to get the mess on my leg covered up, I thought about all kinds of stuff but needed something fairly solid, Soooo, barcode it was , (my cuecat will even read it :)

Re:Moron

[Ateryx]

...I go online and notice that California doesn't have a 2d barcode on the back of their licenses.

My experience was actually the exact opposite. I checked my id (new as of March 2003, so less than one year old), and saw no 2d barcode. Figured, what the hell, and decided to look to see what good 'ol Minnesota has for privacy (overall not too bad, only a few, separate mess ups.) I saw that Minnesota indeed does have a 2-d barcode, however it is nowhere on anyones licences that I checked made this year (I couldn't find anyone w/ a new licence as of this year). Either this site is 1)up to date, Minnesota started regulations as of the first of the year, or 2) has incorrect information.

Swipe Project needs Accurint

[Animats]

The Swipe Project should sign up for Accurint, so that when you put in your card, you get your whole dossier. That would show people how much is known about them.

New Career?

[GoodbyeBlueSky1]

Alright, I didn't see any posts on this and I know I was wondering:

I know it'd be damn near impossible to find someone who'd qualify for all of these, but nevertheless the total I came up with was $277.60 for the various types of info. And I'd imagine most of us could get at least $100 (SSN, Cell #, DOB, etc. all add up).

Now, I didn't see this on any of the sites but is this a one-time lifetime-rights-sold deal or maybe ... a monthly gig? Could I supplement my income at the expense of marketing scum?

Join the revolution

No digital sigantures?

[supersat]

I'm surprised these 2D barcodes don't have digital signatures encoded in them to verify the authenticity of the data. I think it'd cut down on the number of fake IDs used.

Many places are now using the 2D barcode to verify your age, but in many jurisdictions (such as Oregon), when you change your address, they issue you a plain STICKER with your new PDF417 barcode printed on it. Anyone with knowledge of the AAMVA standard could create their own barcode sticker, making them any age they want. This is precisely why digital signatures are needed.

When someone asks for your ID, they'd scan it into a device, which would use the issuing jurisdiction's public signature to verify the digital signature on the barcode. Assuming the data is authentic, it'd then display the encoded data on a display. The person checking your ID would compare the data on the display to that printed on the front of your ID. If both match, you can be fairly certain the ID is legit.

Of course, there'd probably have to be a law prohibiting places from storing your personal data without your explicit consent.

If you're curious about the exact data format of the barcodes and magstripes, check out the AAMVA DL/ID standard at http://www.aamva.org/Documents/stdAAMVADLIDStandrd 000630.pdf (2000 edition) or http://www.aamva.org/Documents/stdAAMVADLIDCardSpe cs_092003.pdf (2003 edition). Among other things, it also spells out recommended security measures.

Re:Moron

[Yottabyte84]

I picked up a reader (by ID Innovations) for $30 on ebay not to long ago

Writers will cost you at least $300 on ebay.

Who is driving that cellphone ?

[andyr]

Folks,

I live in South Africa - one of many countries that use the GSM mobile standard. Here I have a pay-as-you-go SIM card, meaning that I am almost anonymous.

Going on a month business trip to Australia - I plan on doing the same thing - get a pay-as-you-go card, so I take my GSM phone over.

Go to the corner store - "Starter pack please".

"Sorry Sir, we need you to fill out all this information - Gov regulations, sorry."

Name, passport number, other phone numbers, drivers licence, DOB, blah blah.

I fill it all out.

"After they verify the information, your SIM card will be turned on"

Every single piece of info was wrong, yet my phone came on the next day.

Cheers, Andy!

Re:Who is driving that cellphone ?

During my research on information quality I interviewed a database marketer from South Africa (now working here in Australia). Since Australia does not have an SSN or similar, he found his job a lot harder. He mentioned that in SA the SSN is not just a key but has quite a bit of info encoded in it - including race!

Can anyone confirm this?

Re:Use the "Fletch" Approach to disappear....

[MImeKillEr]

Just because the number the OP posted isn't accepted by the SSA, this doesn't mean that it won't work for Randall's or any other place with a 'loyalty' card. It's not like this is a credit card and requires an SSN that matches your personal info.

I'd take it one step further - start a group to swap owner loyalty cards to munge their marketing data up.