RFID Drivers' Licenses Debated
meganthom writes "How would you feel about having an RFID chip in your driver's license? Virginia is considering just such a measure, largely because several of the 9/11 hijackers were licensed there. Civil rights advocates are obviously unhappy with this turn of events, and it seems the ACLU has already taken the case. Proponents claim it would help law enforcement determine that you are who you claim to be and would make forgeries less common. The Federal government is also considering uniform 'smart card' standards."
How soon until you can buy a pocket ID sniffer/cloner? Or the plans become available on the latest 'warez' site? Great. Just by walking down the street 20 people can steal my identity...
I don't particularly like the Big Brother idea, but I have no qualms about this. You carry your licence so that people know who you are, and this would just provide a better way to verify that information. It would also be a nice way to lower the costs of corporate identification systems. I have a few workstations I manage for students to use at my college in the Physics office. I had gotten some old card readers and just set people's passwords to the raw string of text that their driver's licence would read out. It worked really well to keep them secure and to make it easy for people to log in, and if RFID tags were in our driver's licences it would make keyless entry systems and RFID based computer security systems a lot less expensive to get started with if there was enough secure information on the RFID tag.
Of course there are problems with the fact of how much data would be on there. Could I walk past a pillar in a mall that would read my address and phone number off my licence and sign me up to receive unsolicited calls and mailings? Also, would the data be secure enough if it were to be implemented in a security system? If these concerns were taken care of (well, the security system one less so, probably actually not that feasible, that's just the old hobbyist ticking inside me), then I wouldn't have a problem at all with a more secure and harder to forge driver's licence.
A pickpocket's dream come true! You can steal from a passerby without laying a hand on them.
Can you imagine how quickly wallet manufacturers would come out with new wallets that either sandwich your drivers license between two pieces of metal (aluminum foil I guess) or shield the entire wallet? I don't usually get too excited about privacy issues because I don't believe we have any these days. But, it is way too easy to imagine thieves walking around with readers and harvesting drivers licenses numbers and info in crowds. A drivers license often has all you need to get a credit card, especially if your state uses your social security number as your drivers license number (do any states do that anymore?).
http://www.busyweather.com/
Will now be a New and Improved Canadian.
*sigh*
Anybody got some tin foil?
The House Between - Original Sci-Fi Series
Does that mean I will have to leave my driver's licence at home before robbing a bank ?
I doubt an RFID in a drivers licence is any kind of deterrent when you're prepared to hijack a plane and kill yourself and everyone else in it by crashing it into a building.
I think that RFID for some reason just always triggers a negative response from the
You'd think that the possibility for walk by ID theft would stop them from considering this. Either way, RFID tags aren't exactly difficult to counterfeit, and they do nothing more than take another step towards massive civilian surveillance.
FUD time...
Proponents claim it would help law enforcement determine that you are who you claim to be and would make forgeries less common.
Yeah? It would make it easier for me to know who you are too. One enterprising geek on the subway could snag everyone's identities. You thought cell phone cloning was a problem? Hoo buddy.
Joe Geek might not be able to forge an ID, but he doesn't have to in order to snag someone's identity.
Might want to tin-foil coat that wallet...
Virginia government officials need to keep reading this until they get it:
THE 9/11 HIJACKERS HAD VALID DRIVERS LICENSES.
THE 9/11 HIJACKERS HAD VALID DRIVERS LICENSES.
THE 9/11 HIJACKERS HAD VALID DRIVERS LICENSES.
THE 9/11 HIJACKERS HAD VALID DRIVERS LICENSES.
Stop using the hijackings to justify your pet police state!
yeah all this may be great, but who is to say if the police pull you over and they scan it, well it is a computer and it is always right. so when people clone this could it be more "trusted"
I mean they are already proposing chips so you can breeze through airport checkin, but how long before that is cloned and people buzzword("terrorists") can breeze on through...
trusting technology to solve all problems is a problem
Or at least I wouldn't feel any worse than being required to carry around picture ID in the first place.
Is there some simple (metal?) case that you could slip your RFID-equipped license into that would block snoopers from scanning you until you deliberately removed the license from the case?
Just the other day I went to Beverages and More to buy some booze. The cashier asked me for ID, so I showed him my license inside the clear plastic flap of my wallet. He asked me to take it out, so I did so and handed it to him, not realizing what he was about to do... He swiped it through a mag strip reader! I have no idea what's on the strip, but now BevMo's computers have that information. If my street address is in there, it's probably going to be used to spam me with junk mail. But who knows how slimy they are? They might sell that information to life and health insurance underwriters, or worse. The possibilities are endless.
Anyway, I promptly ran my license through a degausser after that incident. If they start embedding RFID tags, I guess I'll have to take similar measures.
200,000 volt stun gun will tune that puppy up.
I took my current DL and bulk erased the mag stripe, then threw it on the concrete and stood on it and twisted my foot, grinding the barcode up so that it is no longer machine readable.
Visually, my DL still functions, it shows my ID correctly, it just can't be read by a machine.
If they want to check it against some DB, they have to call it in the old fashioned way.
"Sir, your DL is damaged, you need to have it replaced" "Gee, imagine that, I guess I better do something about that huh?" and that's that.
Resistance is NOT futile.
More direct attacks on privacy and tracking all Americans, in the name of 9/11, with something that would have had absolutely no effect on preventing the 9/11 attack at all.
Perhaps a better idea would be to not give terrorists drivers licenses at all, or maybe not to give illegal aliens drivers licenses at all. Instead many states (including mine) have gone out of their way to make it easy for known illegal aliens to obtain drivers licenses! But somehow at the same time this is being used to justify making people carry one more thing that will make it extremely easy to track them.
Kind of makes you think that all those crackpots who question how and why World Trade Center Building 7 collapsed when it wasn't even hit by planes, the only skyscraper to ever collapse from such a fire before or since, might be on to something.
I'm an American. I love this country and the freedoms that we used to have.
How, EXACTLY, would the 9-11 attackers have been stopped if they had been issued RFID drivers licenses? There is no sane connection. I can't think of any easier examples to prove that government and businesses are taking advantage of the 9-11 fear to lock us down. PATRIOT acts, car transponders, GPSed cell phones, RFID armbands, implants, RFIDed ID cards, biometrics... NONE OF THESE THINGS would have stopped those men from crashing those planes into the towers. But that attack is used to justify every possible wet dream of a police state.
Now, onto Project TinFoilHat. If issued such a card, I will build a Faraday cage into a belt pouch, and there their asinine tracking device can sit until a POLICEMAN asks to see it. I know damned well they can build RFID detectors that can work at great distances; I will not cooperate in being tracked on a giant Ms. Pac Man screen by whomever can afford the equipment.
As for those of you who don't care about this, you are good Germans. What else can I say.
As it stands, I can walk into my local supermarket, purchase any number of items(using cash), and walk out. No one ever need know who I am. RFID Identity scanning would allow any number of people to know not only WHO I am, but WHERE I've been. That is the significant risk in allowing technology like this in place without proper security measures, both for the government, and for my personal protection. Iron out the security, make me feel safe, and I'll think about sticking an RFID tag in my wallet.
BUT, the licenses that the hijackers had were LEGAL licenses (i.e. they went through the process of getting a license and were granted one). The problem isn't the fact that the license itself is not secure, but the PROCESS which grants the license is NOT SECURE. FIX THE PROBLEM NOT A SYMPTOM.
That is just my 2 cents.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
US Federal officials announced today that, since some of the 911 hijackers were found to have used Route I-95 during their preparations for their terrorist attack, this highway would be permanently closed from 11am Tuesday to prevent its use in future atrocities.
Similarly, Oldsmobile saloons would also become proscribed items on the same date. Current owners of Oldsmobiles have until 15 October to hand them in to a Federal car pound.
Another thing to do would be to make a reader-detector, to see who is trying to scan your cards surreptitiously. That would be a great way to embarrass people and businesses trying to play Big Brother, and you might even be able to get such snooping prohibited by law.
Sustainability and energy independence essay
About 2 seconds on re-heat should do it....
The quick brown fox jumped over the lazy dogs back 123456789
You know almost all of the 9/11 terrorists had valid state issued ID? Why would adding a RFID tag help stop terrorists? They can still go up and apply for a valid id just like everyone else.
I wonder if the inclusion of a driver's photograph on a license generated this much "panic". Was the very idea of putting a person's picture, address and date of birth on the same state-issue card interpreted as a trampling of civil liberties? Using a smart card as a driver's license and including things like driving, citizenship or criminal record on the card would make sense for law enforcement, provided some effort was made to hinder access. Getting this information for anybody is a trivial matter in the US. If every attempt to ensure some level of security is met with gnashing of teeth by the ACLU/EFF/et al these organizations are going to be completely ignored by policy makers (more than they already are).
RFID in drivers licenses means that the license information can be read from a short distance away, say in a turnstile or any other narrow entrance. This would enable someone to determine everyone who attends events, night clubs, etc. Someone with an appropriate RFID receiver could walk through a crowd and record who is present.
While such a system would make life easier and safer for police, it would make anonymity a thing of the past. How long would it be before our current representatives, who are completely gung ho on helping business, would allow businesses to use the RFID to identify customers entering and leaving businesses? The businesses could use the information to run credit checks. Businesses could determine how much money you have to spend the moment you walk in the door.
I don't know about the rest of you, but I think the potential abuses of this technology far outweigh the benefits.
It is a shame that we in the U.S. have reacted to 9/11 the way we have. The world is a dangerous place and it makes sense to put reasonable security procedures in place, but no amount of protection will protect us 100%. There will always be a risk, especially in a free society. Personally, I accept that risk and embrace it. That risk is the price of freedom.
The terrorists that attacked us sought to destroy our way of life and make us afraid. They win each time we accept another limitation on our freedom in the name of security. Don't let them win.
-All that is gold does not glitter - Tolkien
www.ra
The idea of seeing who is snooping your data by listening for retching noises is entertaining.
Sustainability and energy independence essay
what makes you think that the people passing this law won't also make it illegal to purposely block or interfere with the signal?
It seems to me that the proper course of action would be to prevent this from becoming law in the first place.
Proponents claim it would help law enforcement determine that you are who you claim to be and would make forgeries less common.
Hogwash. I'm a cop (and a Libertarian, believe it or not) and an RFID chip would not make one, single bit of difference with regards to verifying that someone is who their ID says they are. All an RFID chip would do is verify that the signal given to the RFID reader matches what the reader expects. Given that any signal can be intercepted and copied, that doesn't tell me anything.
Plus, I don't think we need to get any further down this slippery slope of training new police officers to rely on technology! My rookies learn how to talk to people, how to interview people, and how to try and determine whether or not people are being truthful! Good interviewing skills are what find deception, not good technology.
Besides, do you know how many very worn, very damaged driver licenses I get? They're legal, they're valid and I can still use them to check ID.
THIS law enforcement officer neither NEEDS nor SUPPORTS the use of RFID chips.
Now, you attach 9/11 to it. No matter how disconnected. Fight it, and you clearly support terrorism.
The problem with this and all other National ID card ideas that have been proposed is that they are inherently secure, because they result in people treating a single piece of information as both public information and as a secret. As an example, consider your Social Security Number. This number is used for two purposes:
1) It is a unique identifier that the government (and others) use to differentiate you from others.
2) It is used as a means of authenticating that you are who you say you are.
This creates a problem, because in order for the SSN to be useful as an identifier it will be handled out in view of the public, but in order for it to be used as a means of authentication it must be kept secret - which it is not! It frightens me how many entities act as though anyone who can rattle off my SSN, must be me.
What you are doing is exactly the same. My drivers license number is not private information, and using it as a password is highly insecure!
I would really like to see a standardized authentication system worked out that used a public key / private key / password system, on a smart card. Technically it could work the same as PGP signatures. The public key is associated with a unique ID, and available on public servers. The encrypted private key exists only on a smart card and cannot be read off the card, and therefore all computation must be done on the card.
The entity wishing to receive authentication (say Safeway) would read my unique ID off the card and send it to the authenticator (say VISA) who would send back a challenge. I would then enter a password (likely pin number) into the local machine. Then the challenge and password would be fed into the card which would then use the password to decrypt the private key and then sign the challenge with it, and feed out the response. Then Safeway would send the response to VISA who would check it with the public key and securely return their decision.
If computers came with a slot for the card, standard, it would provide for an easy-to-use secure method of authentication for anything that needs it. I could have a card that proves that I am Citizen #123-45-6789 and another that proves I am allowed to use VISA card 1234-5678-9012-3456, and another that proves that I am gate_keeper2345@example.com. And having a standard secure method of authentication, could even increase privacy because then entities could choose to authenticate you on criteria other than knowing who you are so they can sue you if things go wrong.
I thought RFID would only transmit some unique identifier. In other words, the identity information is not stored in the RFID chip, but in a database in a server somewhere; the RFID only supplies the index key to the (presumably) correct record in the server.
So, I don't see why RFID suddenly makes stealing people's identities so much easier as half the posts on here are claiming. You'd still have to hack into the db to know what the details of that person are if you randomly stole the code from the RFID chip.
--RJ
Virginia government officials need to keep reading this until they get it:
THE 9/11 HIJACKERS HAD VALID DRIVERS LICENSES.
I agree; RFID licenses won't help.
That said, what do you (and the rest of the "I'm too cool to worry about terrorists" crowd) propose? The same people who are against measures like this are also generally against anything that would have prevented them from getting valid licenses.
I'm genuinely curious. I don't believe for a million years that the Kerry crowd is going to tighten up borders or anything substantive like that after they revoke Patriot Act stuff, so what exactly do they intend to do?
After reading through other responses, the use of RFID appears to cut both ways. (Much like our personal use of firearms, it's all in the application.)
On the good side, reliable RFID could speed your way through computer-mediated transactions, particularly in authenticating access to facilities or systems, paying bills, driving through toll booths (EZpass comes to mind) and similar transactions.
On the bad side, if someone steals your token (either physically or through cloning), they can do all these things, too. Also, instant ID could be used to exclude you from events if the gatekeepers have access to the database.
"I'm sorry sir, but you can't come inside. Our system shows that you attended a Kerry rally this morning, so I'm afraid the Secret Service now considers you a threat to President Bush('s re-election)."
As with any good security schema, you need more than one element to make it secure. RFID in your driver's license is only a physical token; you need either a password/PIN or some biometric (or both) to provide additional authentication.
What will be crucial is what information the RFID system stores and transmits and under what circumstances. For commercial transactions, maybe the RFID DL will just contain your name and a link to a database with the rest of the info needed to complete the transaction. If you're buying something at Radio Shack, they should only get verification of who you are, not your phone number or address (though they will most assuredly lobby for access to that info). If you're applying for a mortgage, the bank would probably be authorized access to more detailed information.
And you should have the absolute right to both control how much autonomic access anyone has to your Privacy Act protected data and to turn off the RFID function whenever you want.
However, as with any form of ID, people don't have to transact business with you if you won't provide the authentication they want. Life is full of distasteful little trade-offs.
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
Sounds like your keycard and reader aren't talking with RFID.
Hint: if your keycard has a large embedded coil of wire in it, it probably operates through magnetic induction.
HF RFID has a range of at least a couple feet and UHF RFID is more like 10-20 feet.
On the other hand a smart card would be ok depending on the type of info on it. I don't see anything wrong w/ having a smart card that holds the data on my drivers license so I can insert it in something instead of holding it while the cashier tries to figure out where the "date" field is to see if I'm ok to buy the beer. My first worry on this front is that the data on the smart card would be too trusted. People would assume that because it is electronic and possibly encrypted it would be more valid than the info on the front of the card. The other worry is that power hungry law makers and law enforcement would want to store more data on the card just because they had the additional space that is much less visible than the printed front. I don't care if my card has digitally stored anything that is on the front or back of the drivers license in human understandable format, but if my drivers license now carries, say, my fingerprint, my mental health, my criminal record, etc, then I would be strictly against it.
I do security
So what? Someone sniffs my wallet and gets #14960315. As long as they put stuff on there like just the DL number (not SSN), someone would need the rest of the DL to be able to make a fake, which would have allowed them to do it before. Or, they'd need access to the DMV database to get info, in which case they could have done it before.
From what I see, as long as they don't list SSN, DOB, address, or other personally identifying information on it, there are no privacy problems. It lets someone see a mostly useless number from a few feet away.
Learn to love Alaska
OK, hypothetical question: let's say that there was a way to make an RFID unreadable by random passers-by (ie: you actually had to hand someone your card). One possible way I'm thinking of would be to have a reader that is a slot into which you insert your card. This would prevent some random dude from reading your card using a portable reader in the subway.
Let's also say that all the card stores is an ID number (ie: not your address, birthday etc; all that would have to be securely queried from the Dept of Transportation).
If both of these hypotheticals were in place, would you feel that this was still unreasonable? I'm neither trolling nor starting a flame war, I'm just curious if people object more to the perceived lack of security or the potential abuse of power from "the man".
If you are worried about "the man", please explain why this is worse than a barcode or magnetic stripe (again, assuming the security measures mentioned above).
"Reality is merely an illusion, albeit a very persistent one " -Albert Einstein
Cavity Search
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
Not really. To a limited extent, yes, but not as much as you might expect.
I use what I suspect are the same key cards that the grandparent (great grandparent?) poster uses at work. Most of the readers require nearly physical contact. The ones on the garage downstairs, however, to avoid people having to get out of their car, can read those same badges from... I believe 24 inches, if memory serves. Basically, as soon as I get my badge near the car window, it beeps.
The device is passive. It reacts to an RF (or in the case of most badges, magnetic) signal by modulating that signal and bouncing it back. The range, AFAIK, is limited mainly by the transmission power of the reader. Granted, there are other issues, like the ability to get something resembling line-of-sight to the RFID tag (i.e. curvature of the Earth limits), the ability to distinguish between a potentially large number of RFID tags within that range, and multipath distortion problems, but those still won't prevent a range of several feet under most conditions.
There's probably also some fairly high power limit beyond which you would smoke the card if you got too close to the reader, but if you lower that limit enough on your cards to force all RFID readers to only work in close proximity, odds are the devices would have a high failure rate just from "natural" phenomena... like standing too close to your microwave or even walking outside on a day when you can see the aurora borealis.
Check out my sci-fi/humor trilogy at PatriotsBooks.
If you want an example of this, cut out a small piece of aluminum foil, one inch by four or so. Tune a hand-held AM radio to a strong station. Now put the foil over the housing near the loopstick antenna; the reception will die. Doesn't take much, does it?
Sustainability and energy independence essay
"Virginia is considering just such a measure, largely because several of the 9/11 hijackers were licensed there."
because wouldn't everyone agree that it would have been just so much better if the 9/11 hijackers had Virginia drivers licenses with RFID chips embedded in them when they flew into the WTC. Sigh. Putting RFID chips in drivers licenses doesn't make it any harder for someone (terrorist or not) to get a drivers license. It would make just about as much sense to say "Virginia is considering just such a measure because tasty smoked ham is made in Virginia. There's no correlation between the two, but every effect must have a cause, so we'll use ham." I'm thinking that the "logic" here is that if they know someone is a terrorist, they can use RFID chip scanners to find them more easily. But if you know someone's a terrorist, then maybe you should arrest them when they come to pick up their driver's license in the first place, or when they get their airline ticket, or when they get pulled over by a cop for speeding, or at any other time when they actually present their driver's license and/or name. This is a solution to a problem we'd love to have. If someone could solve the problem of figuring out who's a terrorist, and the only obstacle was in finding them, then maybe this would be useful. As it is, this is a solution to a problem that doesn't exist.
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
This is where we call on crackers to crack the system and tell us how...thereby rendering rfid's useless...and suddenly not worth the money.
I know you can crack them, but I want a wizard
-- A cat is no trade for integrity!
VA Senators
VA Delegates
You can use the "Whose my legislator?" page to find out your employees, I mean representatives, if you don't know.
considering how easy it is to rewrite RFID information, as demonstrated at defcon this year.
Sorry, doesn't fly.
First of all, RFIDs don't have much, if any, processing capability. They respond to a magnetic field and spit out a number. Yes that number may be encrypted with a private key, but the number itself always stays the same. If someone can get the encrypted number from my license then they can pretend to be me without ever decrypting it.
If the RFID simply stores a random unique ID that identifies "Fred", then encrypting it will only result in a different random unique ID that identifies "Fred".
Another option would be to encode the actual data, or a hash of the data, into the number. (Name, address, SS, etc) But the result would still be a static identifying number that anyone could collect. In this case the encryption may make it harder to forge the card, but the same thing could be done with a barcode without the same privacy concerns. So really RFID isn't making forgery difficult, the encryption is.
Think of the fun that someone could have if they got a hold of the private key used to encrypt everyone's ID. Yes it might be practically impossible to find it by brute force, but that doesn't prevent human error or corruption from letting it leak.
The only reason for RFID is convenience because nobody has to touch the card to verify your ID. But if nobody touches the card, RFID by itself is way too easy to forge.
I could get all the information I need to forge your ID just by walking past with a scanner. If someone bothered to look at my forgery they could compare the printed information to the information in the database and I may be caught. But if someone is going to handle the ID anyways, why not use a barcode or a magnetic strip?
Encryption is no magic bullet for privacy, and RFID does nothing that can't be done just as well or better with other means.
XML is the best data format; unless your data needs to be read or written by a human or a computer.
It's important to remember this, otherwise our plan to take over the world will fail. (Oops, did I say that out loud?)
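Added example, not part of any comment in this thread: the contrast between a tag that always emits the same number and the on-card challenge signing proposed in the smart-card comment above, showing why a captured response fails where a captured static ID succeeds. Ed25519, the SHA-256/AES-GCM PIN sealing, and every name and sample value here are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card: the private key exists only PIN-sealed on the card; signing is on-card.
type Card struct {
	ID                  string
	salt, nonce, sealed []byte
}

// pinKey derives the sealing key from the PIN. Simplification (assumption):
// a real card would use a slow KDF and a retry counter, since PINs are short.
func pinKey(pin string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	block, _ := aes.NewCipher(k[:]) // 32-byte key, cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// IssueCard seals a new private seed under the PIN; the public key is published.
func IssueCard(id, pin string) (*Card, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Card{ID: id, salt: make([]byte, 16), nonce: make([]byte, 12)}
	rand.Read(c.salt)
	rand.Read(c.nonce)
	c.sealed = pinKey(pin, c.salt).Seal(nil, c.nonce, priv.Seed(), nil)
	return c, pub
}

// Sign unseals the key with the PIN and signs the challenge.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	seed, err := pinKey(pin, c.salt).Open(nil, c.nonce, c.sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("wrong PIN: %w", err)
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), challenge), nil
}

// Authenticator keeps public keys by ID and one outstanding challenge per ID.
type Authenticator struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
func (a *Authenticator) Enroll(id string, pub ed25519.PublicKey) { a.keys[id] = pub }

// Challenge issues a fresh random challenge for the ID.
func (a *Authenticator) Challenge(id string) []byte {
	ch := make([]byte, 32)
	rand.Read(ch)
	a.pending[id] = ch
	return ch
}

// Verify checks the signature over the outstanding challenge and consumes it.
func (a *Authenticator) Verify(id string, sig []byte) bool {
	ch, ok := a.pending[id]
	delete(a.pending, id)
	pub, known := a.keys[id]
	return ok && known && ed25519.Verify(pub, ch, sig)
}

// StaticIDAccepts is the static-tag check: whoever presents the number passes.
func StaticIDAccepts(enrolled map[string]bool, presented string) bool { return enrolled[presented] }

func main() {
	auth := NewAuthenticator()
	card, pub := IssueCard("ID-0001", "4921") // constructed sample ID and PIN
	auth.Enroll(card.ID, pub)
	sig, _ := card.Sign("4921", auth.Challenge(card.ID))
	fmt.Println("genuine card:", auth.Verify(card.ID, sig))
	auth.Challenge(card.ID) // a later session gets a new challenge
	fmt.Println("captured response replayed:", auth.Verify(card.ID, sig))
}
```

The static check has nothing to distinguish the card from a copy of its number, while the signed response is bound to a challenge that is used once.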