Decode Your Barcode, Get Your Personal Info
Chris writes "The Swipe Toolkit is a collection of web-based tools that sheds light on personal data collection and usage practices in the United States. The tools demonstrate the value of personal information on the open market and enable people to access information encoded on a driver's license or stored in some of the many commercial data warehouses. Check out the Data Calculator, which shows how much your personal info is worth, and how the data brokers get it. It's all part of the Swipe Project, which will be on exhibition at UC-Irvine in March."
So when will the first knock off site appear asking you for simialr information but actually keep an image of it on their server?
I make my face look like this and concerned words come out.
Here in Ohio I've actually got a few legislators entertaining the idea of introducing (or at the very least co-sponsoring) legislation to prohibit machine readibility on driver's licenses.
I've done it by convincing them that machine readability will cause more fraud. How?
The experience is that when a human has a machine that does scanning, the human will take a quick glance at the photo (or no glance at all) and then swipe/scan the card...and the card will say X and the human will believe it. Based just on that, remagnetizing the card or even an overlay sticker over the barcode can be very successful.
Indeed, the only thing separating the cheap plastic card from being an other cheap plastic card is the hologram and other visual/tactile elements that humans detect, but machines don't. If humans have to examine the card in depth before scanning it, then there is little reason to actually have the scanning machinery.
Which is cool...because the Ohio BMV does pay a touch extra for the plastic card blanks with magnetic stripes, so getting rid of the stripes saves a touch of money...at least enough to keep the conservatives listening.
And then I hit the privacy arguments...which I save for last.
These things take time incidentally...especially here in Ohio where legislators are deathly afraid of making a mistake, and the full year calendar means that they can take their damn time doing things.
But I was quite honored the other day...as I walked by one of the senior administrators of the BMV she stopped talking...she didn't want me to hear anything she was saying. Quite the compliment.
Machine readability is also discused on my New Jersey driver license privacy site, listed below.
Mine does too. So the first thing I did with it after I got it was to lay it on a steel table at work and take a whacking big speaker magnet and just go to town on that thing. I've had law enforcement question me about the lack of data on that stripe, but so far a doofus look and a shrug of the shoulders has seen me on my way. Your mileage will vary.
Is it fascism yet?
Why do people think that if nobody has any privacy that it naturally correlates with positive advancements toward open society? Wouldn't a lack of privacy be a boon to criminals and civilized society alike? Isn't this what we are seeing now with the rise of the internet?
I think the point is not whether or not privacy benefits society but whether or not an individual has a right to it. Personally, I like my privacy too a resonable extent because I don't like the idea that there are a bunch of people out there who compile profiles on me. Profiles that serve only a limited few purposes such as:
A) selling me products
B) stealing from me
C) arresting me
D) providing me medical treatment (see A)
While A and C could be good in some situations (ie I am a criminal or I got the right medical treatment because of a profile) I just don't see enough good in a total lack of privacy.
I think there will always be bad people in this world and if the data is out there and allowed to be shared it will be used for malice at some point but I think that's the key. As long as the data has strict sharing guidelines it can be beneficial. Without that, it does the individual AND HENCE the society very little good compared to the potential harm.
meep
I was working on an application where the client wanted to be able to swipe a drivers license and get all the user data - name, address, height, weight, etc for quick data entry. We investigated and found that each state has different formats, and not all states put all that info on their cards in mag or bar code formats. We hoped to get all of this info quickly when people test drive a car.
:)
We would have had to develop a different format for each state and in some cases resorted to scanning and OCR. In they end they decided they can type it in themselves rather then pay for development.
I did learn that serveral states were considering a standard format. Believe me that marketing companies are DROOLING over the day when every person has their Multi-Pass type card.
Very interesting to see the dollar amounts though. There should be a column for that on the 1040's.
BTW, to the person who mentioned a use for cue-cat - I have about 50 of them and they don't work that great. They are about 5 bucks on ebay, or free if you take the left overs from your local radio shacks.
At some point, some time ago, there was a report about the bars in Boston scanning in the 2D codes on the back of licenses and then using it to send junk mail. The bars in New York City do the same thing. They won't let you in without "scanning" your license to be sure it isn't fake. They place it under a blacklight in a reader and it gets scanned. The club then has a record of every person, their address, description, birth date and drivers license that entered the club. On commercial licenses in some states, your Social Security Number is also encoded, so they'd have that, too.
Remember that, and think twice if the place you're about to enter really needs a complete copy of all the information on your driver's license. I've refused to provide it and taped over the back so noone can scan it quickly before I realize they're trying to. I haven't been refused access to anywhere yet.
Portable versions of Firefox, GIMP, LibreOffice, etc
I took my DL and dropped it on the concrete, stood on it and twisted it on the concrete to render the bar code un-readable.
Then I took a LARGE degausser and nuked the mag-stripe into absolute oblivion.
And everytime I present my DL to any institution at their request/demand, I degauss it all over again, just to be sure in case they reprogrammed the mag-stripe.
When I go to the bank they have to use the phone and verify my license by reading the numbers over the phone since it is no longer machine readable.
Same thing when Mr. Busy Body policeman pulls me over to see if I have illegal farts in my pants or something. They tell me my license is "not working right" and that I need to have it replaced. I just tell them yeah, I dropped it and it got ran over in the driveway and that I am going to take care of it right away.. Yeah right.
Soo sorry, I don't play their game, I play the game my own way..
Also, if I were stopped by the police on the way home this data could declare me guilty of DUI before proven innocent. Pretty bad since my girlfriend coaxed the beer away for herself before I could drink it.
I'm surprised these 2D barcodes don't have digital signatures encoded in them to verify the authenticity of the data. I think it'd cut down on the number of fake IDs used.
d 000630.pdf (2000 edition) or http://www.aamva.org/Documents/stdAAMVADLIDCardSpe cs_092003.pdf (2003 edition). Among other things, it also spells out recommended security measures.
Many places are now using the 2D barcode to verify your age, but in many jurisdictions (such as Oregon), when you change your address, they issue you a plain STICKER with your new PDF417 barcode printed on it. Anyone with knowledge of the AAMVA standard could create their own barcode sticker, making them any age they want. This is precisely why digital signatures are needed.
When someone asks for your ID, they'd scan it into a device, which would use the issuing jurisdiction's public signature to verify the digital signature on the barcode. Assuming the data is authentic, it'd then display the encoded data on a display. The person checking your ID would compare the data on the display to that printed on the front of your ID. If both match, you can be fairly certain the ID is legit.
Of course, there'd probably have to be a law prohibiting places from storing your personal data without your explicit consent.
If you're curious about the exact data format of the barcodes and magstripes, check out the AAMVA DL/ID standard at http://www.aamva.org/Documents/stdAAMVADLIDStandr
I live in South Africa - one of many countries that use the GSM mobile standard. Here I have a pay-as-you-go SIM card, meaning that I am almost anonymous.
Going on a month business trip to Australia - I plan on doing the same thing - get a pay-as-you-go card, so I take my GSM phone over.
Go to the corner store - "Starter pack please".
"Sorry Sir, we need you to fill out all this information - Gov regulations, sorry."
Name, passport number, other phone numbers, drivers licence, DOB, blah blah.
I fill it all out.
"After they verify the information, your SIM card will be turned on"
Every single piece of info was wrong, yet my phone came on the next day.
Cheers, Andy!
Andy Rabagliati