The potential for ubiquitous surveillance that emerges with Enhanced Driver’s Licenses (EDLs) could only be imagined by the Stasi in Communist East Germany, but is a genuinely looming specter for contemporary North American democracies. Provincial and state governments in North America are proposing to ‘enhance’ driver’s licenses in coming years by including Radio Frequency Identification (RFID) chips in them. These ‘enhanced’ licenses emit unique identifiers and will be optional when they are first available to the public, though they will be required to enter the United States using a driver’s license beginning in July 2009. The proposed EDLs are intended to be associated with border security, but are also accompanied by concerns linked to individuals’ reasonable expectations of privacy.
Radio Frequency Identifiers and Migratory Efficiency
Radio Frequency Identification (RFID) chips are inserted into products every year. They emit unique identifiers, and increase supply chain efficiencies by enabling the discrete tracking of every item in the chain. RFIDs used in supply chains are usually ‘passive RFIDs’; they lack a battery or fuel cell to power the radio transceiver, instead emitting their respective identifier whenever in proximity to a reader. When restricted to supply chain systems there is little worry that passive RFIDs will infringe on people’s expectations of privacy; neither cattle, nor courier envelopes, nor vehicle tires have any expectations of privacy.
The Canadian and American governments are inserting these passive RFID chips into EDLs. As it stands, an RFID-enabled license will emit a random identifier whenever it comes into a reader device’s range. The number is unrelated to any other biometric information (e.g. birth date, color of eyes, height, first and last name, etc.) but is correlated with Canadian and American border-security databases. Whenever a person reaches a Canada/America land border crossing they will enter a ‘read’ zone. From this zone the EDL will emit its identifier, calling up the owner’s personal information on the border agent’s computer screen. This automatic data retrieval is intended to enhance border migration and security: migration by negating the need for the border agent to collect and scan identity documents, and security by establishing another measure to ensure that identity documents are state-issued.
Several advocacy groups disagree that the proposed EDLs will improve migratory efficiency or security. Border agents still must examine the individuals in any vehicle at a border; at most a few seconds will be shaved off individual crossings if border agents do not have to collect driver’s licenses. Any timesavings depend on passive readers functioning normally at border crossings. These readers are susceptible to covert ‘denial of service attacks’, which can disable the reader. In instances where a reader is disabled, an individual’s EDL is malfunctioning (i.e. not transmitting its identifier), or individuals are not using EDLs, there will be no timesavings benefit. Moreover, it is relatively easy to ‘clone’, or copy, an EDL’s RFID identifier using consumer products available at electronics stores. The ease with which this can be done negates the suggestion that the RFID in EDLs can assist border agents in guaranteeing that EDLs are state-issued; the ease of mimicking identifiers will require border agents to inspect licenses manually and guarantee their legitimacy to maintain border security.
Personally Identifiable Information and Your Privacy
Canada’s provincial governments suggest that radio-shielding sleeves will limit the EDLs’ emissions – individual citizens will be required to be mindful to safeguard their own privacy, rather than government integrating privacy protections into the identity documents that they are providing to the public. In addition, they claim that because the unique identifier emitted from an EDL is randomly generated, it does not infringe on citizens’ privacy. In holding this position concerning EDL identifiers, the provincial governments are actively ignoring the recommendations and warnings from Canada’s provincial information and privacy commissioners, and their federal counterpart. Indeed, the Office of the Privacy Commissioner of Canada has noted that if an RFID identifier could act as a proxy for an individual, were it associated with that particular individual, then the identifier itself becomes classified as ‘personal information.’ Given that the identifier in each EDL is intended to be associated with a particular individual, it is clearly deserving of the same protection as other pieces of personal information. This mandates that some form of privacy enhancing technology, such as encryption, be implemented before making EDLs available to the public. Through encrypting, or otherwise securing, the RFID identifier, Americans and Canadians can be assured that EDLs will not experience instances of ‘function creep’ that would violate their reasonable expectations of privacy.
Encryption, Function Creep, and Tracking Individuals
The particular RFID technical standard the American government has chosen for EDLs (EPC Gen-2) cannot be secured using encryption that would adequately limit the risks of third parties capturing the identifier. This should, but does not seem to, be slowing provinces and states from issuing driver’s licenses that emit personal information whenever the license holder is within range of a reader device. As a result, anyone with reader equipment can collect the identifier associated with a license holder and correlate it with whatever biometric, consumer, or other data they have access to. This surveillance can be performed without a license holder ever being made aware that the number was captured, or that it was associated with other personal information. Encryption would limit who could read the identifier, thus limiting the risks of function creep.
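The claim that a randomly generated identifier is harmless, and the point above that encryption limits who can read it, can be shown with a small simulation. This is an added example, not part of the original article and not EPC Gen-2 behaviour: the key, the placeholder identifier and the `protected_read` scheme are hypothetical and all data is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed values: a hypothetical issuer key and a placeholder identifier.
ISSUER_KEY = secrets.token_bytes(32)
CARD_ID = "A1B2C3D4"

def static_read(card_id):
    """Tag as described in the article: same random number on every read."""
    return card_id

def protected_read(card_id, key=ISSUER_KEY):
    """Hypothetical tag: masks the identifier under a fresh nonce per read.
    Addresses linkability only; it does not stop replay or cloning."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    masked = bytes(a ^ b for a, b in zip(card_id.encode(), pad))
    return nonce.hex() + ":" + masked.hex()

def issuer_resolve(token, key=ISSUER_KEY):
    """Only the key holder (the issuing database) recovers the identifier."""
    nonce_hex, masked_hex = token.split(":")
    pad = hmac.new(key, bytes.fromhex(nonce_hex), hashlib.sha256).digest()
    masked = bytes.fromhex(masked_hex)
    return bytes(a ^ b for a, b in zip(masked, pad)).decode()

def simulate(read_fn, visits=3):
    """Two unrelated reader operators each log the same card several times."""
    reader_a = [read_fn(CARD_ID) for _ in range(visits)]
    reader_b = [read_fn(CARD_ID) for _ in range(visits)]
    return reader_a, reader_b

def linkable_values(log_a, log_b):
    """Values present in both logs, i.e. a ready-made join key."""
    return set(log_a) & set(log_b)

if __name__ == "__main__":
    a, b = simulate(static_read)
    print("static:", linkable_values(a, b))
    a, b = simulate(protected_read)
    print("protected:", linkable_values(a, b), issuer_resolve(a[0]))
```

With the static identifier both operators hold the same value and can join their records on it; with the per-read masked value their logs share nothing, while the key holder still resolves every read to the same license.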
Driver’s licenses hold incredibly detailed personal information, and when that information is combined with an RFID identifier it is possible to monitor individuals’ movements. Currently, when entering a nightclub, as an example, it is commonplace for a bouncer to ‘swipe’ your license to ensure that it is valid. Few realize that nightclubs commonly sell the information they collect from licenses to third parties. When correlating the license information with an RFID identifier it is possible for those third parties to clearly identify people as they move in society. In addition, once individuals receive an EDL, retail facilities more generally can correlate the number with information they can associate with the individual who holds it (e.g. What are their shopping habits? What stores do they visit? Do they travel a great deal? What identifiers/people are commonly near to them?), massively expanding the possibilities for private surveillance of citizens. Given present data sharing arrangements, this data can then be transferred to Canadian and American authorities, giving the state an excellent perception of where, exactly, their citizens are in their daily activities. The possibilities of surveillance combined with the inadequate government ‘protections’ mean that EDLs, as presently planned, infringe upon citizens’ reasonable expectations to move through society without private and public bodies being able to comprehensively track their every movement. Governments should attend to the warnings uttered by Canadian privacy and information commissioners, and involve the public in any deliberations to institute EDLs, to limit the possibilities of EDLs being used to expand increasingly ubiquitous private and state surveillance of citizens’ movements.