As of June 1, 2009, Canadians and Americans alike require an Enhanced Drivers License (EDL), a NEXUS card, a FAST card, a passport, or a Secure Certificate of Indian Status to cross a Canadian-American land border. In Canada, only Ontario, Quebec, B.C. and Manitoba have moved ahead to develop provincial EDLs; the Saskatchewan, New Brunswick and Prince Edward Island governments have all decided not to provide these high tech, low privacy, cards to the constituencies (Source). To apply for an EDL in a participating province, all you need to do is undergo an intensive and extensive 30 minute face-to-face interview at your provincial equivalent of the Department of Motor Vehicles. Your reward for being verbally probed? A license that includes a Radio Frequency Identification (RFID) tag and a biometric photograph. The RFID tag includes a unique number, like your Social Insurance Number (SIN), that is transmitted to anyone with an RFID reader. These readers can be purchased off the shelf by regular consumers, and number your EDL emits is not encrypted and does not require an authentication code to be displayed on a reader. Effectively, RFID tag numbers are easier to capture than your webmail password.

EDLs are an incredibly expensive ’solution’ for individual Canadians to purchase, given that in Ontario alone an EDL will cost almost $30 more than a passport. Further, Manitobans have turned a cold shoulder to these cards; only a few thousand residents have adopted them out of an expected hundred thousand or so. In Ontario, my contacts have told me that the responsible ministry has yet to provide policy documents or manuals to the front line staff who are tasked with issuing these licenses. Without their scripts, how will these staff members play their parts in issuing each Canadian a little piece of the great North American security theater?

EDL programs are big ticket items that Canadian provinces are being pressured to pay for in order to satisfy the Western Hemisphere Travel Initiative (WHTI), a unilateral American policy directive. While fiscal conservatives might argue that in this period of reduced government incomes and ballooning debts, such big ticket items should be carefully evaluated, we might ask them why government should be any more careful of spending money on EDLs than it is in otherwise ’securing’ the border? As recently reported by Dean Beeby, $8.7 million dollars have been spent since 2006 on gates, barriers, fences, sirens and signs to catch people who are trying to illegally cross the border. The catch? Gates have fallen on cars. Cameras can’t actually catch the license plates of illegal night-time border crossers. Automated video analysis systems don’t work. It would seem as though the various props of our Broadway security show should be returned to the manufacturer as defective or even dead on arrival!

If broadcasting an equivalent of a radio-accessible SIN and high financial costs to individual Canadians weren’t enough, there are additional privacy-related issues with EDLs. While the Office of the Information and Privacy Commissioner/Ontario is promising that future generations of EDLs will integrate ‘privacy by design’ principles, insofar as future cards won’t broadcast their unique identification numbers without first being activated, the current licenses that are being deployed in that province are absolutely devoid of any real protections (the much touted ’security sleeve’ is demonstrably faulty). While integrating privacy by design is a positive step forward, Ontario is the only province that has publicly discussed this at length. Moreover, even in Ontario there has been little comment about the worries of government creating massive databanks of facial images that are designed to be rapidly searched. As it stands, facial recognition technologies are sub-par at meeting the expectations that the public has developed from watching 24, Heroes, and other works of science fiction. In fact, massive amounts of research needs to be done to improve accuracy rates of facial recognition technologies, and a large database to conduct tests on to develop the technology is just what the scientist ordered. Thus, while the facial images that are taken of individuals will be of minimal use to government agencies at the moment, we cannot assume that ‘privacy by technological incompetence’ will be something Canadians can rely on over the long term.

Perhaps most importantly, privacy advocates’ underlying worries about these cards have not been addressed. As I have previously noted,

“In the cases of both radio tags and biometric data, there exists a serious danger of function creep. As more and more members of the Canadian and American public carry these devices, increased pressures will extend how these documents are used, exceeding their initial purpose of securing American borders” (Source).

While various RFID proponents have insisted that RFID tags cannot, in practice, be used to track user data, the web cookies that we download after visiting websites were never intended to let companies track us. Just last year however, the Wall Street Journal published an article revealing that, lo and behold, the company that will do no evil (i.e. Google) is using web cookies as an “Internet tracking technology that enables it to more precisely follow Web-surfing behavior across affiliated sites” (Source). RFID tags are meant to track cattle as they move around the world; surveillance is the reason for their very existence. Why would we ever assume that this technology would ultimately be used for some other purpose as soon as it were applied to human targets, when other evidence demonstrates that non-surveillance technologies are readily requisitioned to monitor our daily activities?

This worry about pervasive surveillance is something that Dr. Andrew Clement has discussed in various presentations through the Canadian IDentity Forum. He has noted that, despite government assurances, there is no evidence that real speed enhancements will be realized at the border. At most, Canadians can expect to pass through borders 5-10 seconds faster than they do right now. Moreover, while there are claims that EDLs are somehow ‘more secure’ than present licenses, this is just another part of the script in the Canadian/American security theater. You see, to qualify for an EDL, individuals must show foundational documents (e.g. birth certificates) to prove that they are who they claim to be; where a foundational document is successfully forged the ’security’ offered by the EDL is defeated. Moreover, the RFID tag can be copied, letting another person clone the tag’s unique number. When Ms. Daghum comes to the border with her cloned tag, she can have Ms. Ouziel’s profile brought up on the border guard’s screen. If Ms. Daghum physically appears like Ms. Ouziel, then a border guard could be fooled about the authenticity of the RFID tag based on the information called from government databases. The RFID is insecure and the biometric image currently unreliable — how, again, do these cards actually make us safer (as opposed to making us feel safer) from terror threats?

If high costs, minimal border-crossing efficiencies, unreliable biometric images, and easily duplicated RFID tag numbers aren’t enough to make you wonder about the capacity of EDLs to secure the border, I’ll leave you with two concluding points. RFID tags, and the data that they emit, contribute to what scholars such as David Lyon and Kevin Haggerty have termed ‘the surveillance society’, or a society where “[w]e are inadvertently handing over to centralized authorities an infrastructure of visibility the likes of which no society has ever seen before” (Source). Canadians regularly moan that they can’t protect their own privacy but, by refusing to adopt an EDL and using a passport instead, they will find that protecting their privacy is actually cheaper than buying into the surveillance society. Get a passport, and congratulate yourself on being a privacy advocate by taking yourself out to dinner on your EDL-related savings!

Second, as has been noted by Canadian civil liberties groups;

“[A] passport is an internationally recognized travel document that gives the holder certain rights, while a driver’s licence is not . . . If the U.S. decides to deport a Canadian while she is carrying her passport, she must be deported back to Canada.

A Canadian carrying a driver’s license could be deported to anywhere in the world” (Source).

We are all unfortunately aware of the horrors that can occur when suspected ‘terrorists’ are sent to places such as Syria. While Maher Arar’s case does demonstrate that a passport will not necessarily persuade American authorities to act in within the confines of law, an EDL will not legally persuade foreign authorities that you should be sent to Canada instead of a torture cell in Syria. Even in a world where a passport has diminished legal standing in the eyes of American authorities that diminished standing is better than the absolute lack of legal standing that EDL-holders are left with.

In summation, you’d be well advised not to take part in this most recent act of the Canadian-American security theater. You’ll pleasantly find that there’s a reduced entry fee to the security show with a passport (with money left over to buy a drink and snack!). Far more importantly, the passport might actually prevent the ushers/border guards from deporting you to a truly horrible place to ‘enjoy’ unspeakable acts of barbarity. Be your own privacy advocate, boycott the EDL, and buy yourself a passport if you want to cross a Canadian-American land border.

Ontario, and the rest of Canada, is being forced into including radio and biometric features in future drivers licenses by the United States government. As a consequence of the U.S. Western Hemisphere Travel Initiative (WHTI), all Canadians and Americans who cross into the U.S. at a land border with just a driver license will be required to present an Enhanced Drivers License (EDL) as of June 1, 2009. While the radio ‘feature’ is disturbing in its own right, insofar as it emits a unique identifier whenever brought into range of a reader, I want to focus on the biometric features of these cards, why they raise human rights and civil liberties concerns, and the risk of function creep associated with the biometric facets of EDLs.

WHTI-Mandated Biometrics

The EDLs that Canadians and Americans will need to enter the U.S. include a picture of a driver’s face that can be analyzed against an American-Canadian facial database. To enroll in the database, individuals must first have their images captured, after which the computer system converts the image to a biometric template that is stored in a shared American-Canadian database. Next, the biometric template is used to authenticate a person’s identity, ensuring that the biometric data that is provided recalls the precise template for the individual in question. Finally, and arguably the most concerning, the system performs an identification process, where the biometric data is compared to all of the records held in the database. This final stage allows for mass analysis of images in the database against incomplete facial templates, such as those derived from security cameras.

The WHTI-mandated biometrics are intended to guarantee the identity of individuals at the border while providing an extra level of difficulty in creating illegal identity documents. In theory, because these licenses crosscheck between the image provided, and the one entered into the government database, it is less likely that phony IDs can be used to cross the Canadian-American border. Beyond this security feature, the American and Canadian governments argue that placing these biometrics in identity documents will enable airports to process travelers more efficiently because of the redundancy in evaluating a person’s identity. The WHTI mandates are publicly stated as securing America while providing convenience to Americans and Canadians alike.

Current Issues with the Proposed Biometrics

Several issues arise when citizens provide their biometric information to central government agencies. To begin, there is the matter that biometric authentication relies on a statistical pattern recognition technology. We do not live in Jack Bauer’s nightmare world of 24, where computers accurately and easily identify faces against government databases; in the real world there is a likelihood that images will be misidentified. Such misidentifications can lead to an inability to move internationally, and given the ‘ease’ of removing oneself from the American and Canadian ‘no-fly’ lists it is likely that any immobility imposed by mistaken biometric associations will be long-term conditions. Inviting the possibility of such immobility is an affront to Canada’s commitment to the Universal Declaration of Human Rights, which mandates that “Everyone has the right to leave any country, including his own, and to return to his country” — the biometrics, as proposed, may deny Americans who have come to visit Canada from reentering their own nation, or prevent Canadians from enjoying their right of international movement. Regardless of America’s hesitance to sign the Declaration, Canada and her governments should attend to their obligations and resist the licensing changes on behalf of both Americans and Canadians.

In addition, there are concerns that the biometric proposals would fly in the face of privacy protections offered by Ontario’s Privacy and Information Commissioner, Dr. Ann Cavoukian. In her open letter to the Hon. D. Tsubouchi on April 5, 2001 she warned that, “…there must be no ability to compare biometric images from one data with biometric images from other databases or reproductions of the biometric not obtained from the individual.” Her caution was offered during a time that the Ontario government was considering issuing smart cards, and it still echoes today: people must be aware of all uses of their biometric data and consent to its use. In the case of Ontario, the government has been silent on the possibility of American authorities using the biometric information provided by the drivers license database for purposes beyond border screenings.

Finally, we live in a world where identity theft is becoming more sophisticated, more harmful, and more common. Were a person to successfully enroll in the biometric-program associated with the drivers license using another person’s identity, then the thief would have effectively stolen another person’s face for the purposes of computer-algorithm authentication. In a situation like this, how do we adjudicate when the correct person uses a license? The danger of ‘losing’ biometric information places innocent citizen at substantial risk of being accused of actions they are not responsible for. Research groups have demonstrated that there are substantial costs that follow from having one’s identity stolen, with costs reaching as high as thousands of dollars. How much will these costs skyrocket when biometric data is included in the information that thieves steal?

Function Creep

In the case of the American-mandated drivers licenses, there is a considerable worry of function creep that could ensue after they are distributed to the public. Interpol has recently announced that they want to begin using a facial recognition database to catch suspects by using a facial recognition system at borders, and various law enforcement agencies in Canada and the United States have similarly expressed an interest in this mode of discovering and identifying suspects. Imagine how much safer society might be; by using a massive government-sponsored facial database it would be far easier to identify dangerous elements in society!

While this might, initially, sound like a positive thing there are (at least) two associated dangers with this kind of function creep. First, any such use of the biometric data for these purposes would exceed the intent that the data was collected for — citizens should always be notified, and be required to give their consent, when their biometric data might be used for either private or public purposes. Second, and perhaps of even greater concern, biometric analyses are not wholly accurate. Accuracy rates plummet when less than ideal images are used in facial comparisons — the images taken from a security camera, for example, provide poor templates to search against the database. Searching the drivers license database with poor templates would risk implicating a great number of people as ‘suspects’ in a crime, based on poorly constructed computer-algorithms. The prospect of being a suspect on the basis of a computer foul-up is a less than heartening thought to the innocent.

Voltaire famously wrote, “It is better to risk saving a guilty man than condemn an innocent one.” We should heed his sound advice, and rethink the deployment of identity cards that will almost inevitably condemn the innocent to hardships in our governments’ incessant drives to ‘secure’ the societies that they govern from the guilty.

While this issue has recently been sensationalized in the media, I have yet to find a source addressing the actual technologies that will (likely) drive these ‘black boxes’. I want to address that deficiency, calling attention to the Deep Packet Inspection (DPI) technologies that will presumably be responsible for examining, categorizing, and heuristically evaluating the data flowing across British ISPs’ networks. In this piece, I want to briefly explain how DPI technology works, its technical limitations, and modes of actively evading its surveillance powers. Evading DPI-enabled surveillance is essential to participate in free, unsurveyed discourse in the contemporary digital environments that Western citizens find themselves within.

DPI Technologies

ISPs are uniquely situated to survey all of the data traffic that their customers are involved in. ISPs, unlike Google, Yahoo!, or Microsoft, act as gateways that individuals must pass through to access the Internet-at-large. Thus, any attempt to comprehensively survey an individual’s online activities must occur at the ISP-level. While simultaneously monitoring millions of customers might seem a Herculean task, or one firmly situated in the realm of science fiction, networking hardware vendors such as Cisco, L-1, Ellacoya Networks, and Procera Networks have risen to the challenge, producing devices that can survey, filter, alter, and censor content in real time, as it passes through ISPs’ networks.

Packets of data traversing the Internet are composed of two parts: a header and a payload. The header holds the general addressing information – where the packet is going, what order it should arrive at its destination in, and so on. The payload holds information about the application that sent the packet, as well as the particular contents of the packet itself – in the case of email, each packet holds the address that it should be delivered to, a bit of information that notes that an email application sent the packet, and some of the email’s text. Metaphorically, a packet can be thought of in the terms of postal mail: the header corresponds with the address on the outside of the envelope, and the payload the letter itself.

DPI equipment lets ISPs examine the header information as well as the payload. This means that ISPs can examine the text of email, instant messages, cellular phone text messages, and unencrypted Voice over Internet Protocol (VoIP) communications, in real time, as these messages are transmitted. Given the present state of available networking equipment that the world’s networking vendors have made available to the market, I strongly expect that the UK government’s ‘Black Boxes’ are, in essence, DPI devices that capture data as it moves across UK ISPs’ networks, and will transmit the contents of those packets to government databases while analyzing packets’ contents to identify if they are carrying ‘questionable’ payloads.

The Effectiveness of DPI

The Internet Evolution actually tested DPI equipment provided by Ellacoya and Ipoque earlier this year. In their tests, they found that these vendors’ devices could not filter ‘unwanted’ content 100% of the time – the applications targeted by the devices continued to function, although at reduced speeds, in spite of the censoring and filtering heuristics that the devices employ. This suggests that attempting to capture unencrypted Voice over Internet Protocol conversations, as an example, will never be fully successful because some packets associated with a conversation will not be correctly identified, captured, and saved in meaningful ways by the UK government’s ‘black boxes’. Moreover, and pertaining to the following section, the tests that the Internet Evolution performed suggest that data-encryption strategies can prevent the capture and filtering of data traffic.

Evading DPI Surveillance

It seems that every day we hear about a new data scandal in the UK; some new database is accidentally leaked, putting the information of hundreds, thousands, or millions of UK citizens at risk of being used for nefarious purposes. The suggestion that all citizens’ digitized conversations and online actions be captured and stored by the UK government only heightens worries: what will happen when (not if) this proposed database is breached? How much information will be accessible to criminals?

Fortunately, UK citizens can prevent their government’s DPI equipment from ever capturing conversations or online actions, and thus simultaneously limit exposure to the risks of identity theft and ubiquitous government surveillance. A core weakness of DPI equipment is that it cannot read the contents of fully encrypted communications. This means that when you send or receive encrypted data packets that the government’s devices will be unable to capture the contents of your email, your VoIP sessions, or your instant messages.

Encryption isn’t something that is terribly hard to set up; Voltage Security has a product that will let Windows users encrypt their sent email at a low annual cost. By default, Skype encrypts its data traffic to prevent surreptitious snooping of your private conversations, actually providing more privacy than talking on the phone. When it turns to instant messaging, there are several open source clients such as Trillian (for Windows) and Adium (for OS X and Linux) that have built-in encryption and compatibility with all major messaging services. Finally, when browsing websites, access the ‘https’ versions of the sites whenever possible to encrypt data traffic to and from the websites.

Why Hide from Her Majesty?

You may be asking: why should I bother with this encryption nonsense? I don’t have anything to hide – as a law-abiding citizen I find it offensive, but not necessary ‘dangerous’, that my government is snooping on me. Only criminals have something to hide!

The collection and centralization of large amounts of personal data gives criminals a single point that they can attack to access to vast swathes of information about law-abiding citizens. As the UK government persistently demonstrates, it cannot be trusted to secure the citizen data that it holds. By continuing to predominantly send unencrypted messages, you greatly enhance the chances that your personal information could be used to open lines of credit, create phony identification documents, and generally cause mischief in your good name. Encrypting your data, hiding your personal thoughts and communications from the proposed UK ‘black boxes’, is essential to prevent your identity being stolen, and ensures that you can continue to engage in free speech without worrying feeling the chilling effects of persistent government surveillance. Protecting your communications isn’t about hiding because you’re a criminal: it’s about limiting criminals from taking advantage of your good name while protecting your enshrined right of free speech.

Radio Frequency Identifiers and Migratory Efficiency

Radio Frequency Identification (RFID) chips are inserted into products every year. They emit unique identifiers, and increase supply chain efficiencies by enabling the discrete tracking of every item in the chain. RFIDs used in supply chains are usually ‘passive RFIDs’; they lack a battery or fuel cell to power the radio transceiver, instead emitting their respective identifier whenever in proximity to a reader. When restricted to supply chain systems there is little worry that passive RFIDs will infringe on people’s expectations of privacy; neither cattle, nor courier envelops, nor vehicle tires have any expectations of privacy.

The Canadian and American governments are inserting these passive RFID chips into EDLs. As it stands, RFID-enabled license will emit a random identifier whenever it comes into a reader device’s range. The number is unrelated to any other biometric information (e.g. birth date, color of eyes, height, first and last name, etc.) but is correlated with Canadian and American border-security databases. Whenever a person reaches a Canada/America land border crossing they will enter a ‘read’ zone. From this zone the EDL will emit its identifier, calling up the owner’s personal information on the border agent’s computer screen. This automatic data retrieval is intended to enhance border migration and security; migration by negating the need for the border agent to collect and scan identity documents, and security by establishing another measure to ensure that identity documents are state-issued.

Several advocacy groups disagree that the proposed EDLs will improve migratory efficiency or security. Border agents still must examine the individuals in any vehicle at a border; at most a few seconds will be shaved off individual crossings if border agents do not have to collect driver’s licenses. Any timesavings depend on passive readers functioning normally at border crossing. These readers are susceptible to covert ‘denial of service attacks’, which can disable the reader. In instances where a reader is disabled, an individual’s EDL is malfunctioning (i.e. not transmitting its identifier), or individuals are not using EDLs, there will be no timesavings benefit. Moreover, it is relatively easily to ‘clone’, or copy, an EDL’s RFID identifier using consumer products available electronics stores. The ease that this can be done with negates the suggestion that the RFID in EDLs can assist border agents in guaranteeing that EDLs are state-issued; the ease of mimicking identifiers will require border agents to inspect licenses manually and guarantee their legitimacy to maintain border security.

Personally Identifiable Information and Your Privacy

Canada’s provincial governments suggest that radio-shielding sleeves will limit the EDLs’ emissions – individual citizens will be required to be mindful to safeguard their own privacy, rather than government integrating privacy protections into the identity documents that they are providing to the public. In addition, they claim that because the unique identifier emitted from an ELD is randomly generated that it does not infringe on citizens’ privacy. In holding this position concerning EDL identifiers, the provincial governments are actively ignoring the recommendations and warnings from Canada’s provincial information and privacy commissioners, and their federal counterpart. Indeed, the Office of the Privacy Commissioner of Canada has noted that if an RFID identifier could act as a proxy for an individual were it associated with a particular individual, then the identifier itself becomes classified as ‘personal information.’ Given that the identifier in each EDLs is intended to be associated with a particular individual it is clearly deserving of the same protection as other pieces of personal information. This mandates that some form of privacy enhancing technology, such as encryption, be implemented before making EDLs available to the public. Through encrypting, or otherwise securing, the RFID identifier Americans and Canadians can be assured that EDLs will not experience instances of ‘function creep’ that would violate their reasonable expectations of privacy.

Encryption, Function Creep, and Tracking Individuals

The particular RFID technical standard the American government has chosen for EDLs (EPC Gen-2) cannot be secured using encryption that would adequately limit the risks of third parties capturing the identifier. This should, but does not seem to, be slowing provinces and states from issuing driver’s licenses that emit personal information whenever the license holder is within range of a reader device. As a result, anyone with reader equipment can collect the identifier associated with a license holder and correlate it with whatever biometric, consumer, or other data they have access to. This surveillance can be performed without a license holder ever being made aware that the number was captured, or that it was associated with other personal information. Encryption would limit who could read the identifier, thus limiting the risks of function creep.

Driver’s licenses hold incredibly detailed personal information, and when that information is combined with an RFID identifier it is possible to monitor individuals’ movements. When currently entering a nightclub, as an example, it is commonplace for a bouncer to ‘swipe’ your license to ensure that it is valid. Few realize that nightclubs commonly sell the information they collect from licenses to third parties. When correlating the license information with an RFID identifier it is possible for those third parties to clearly identify people as they move in society. In addition, once individuals receive an EDL, retail facilities more generally can correlate the number with information they can associate with the individual associated with the number (e.g. What are their shopping habits? What stores do they visit? Do they travel a great deal? What identifiers/people are commonly near to them?), massively expanding the possibilities for private surveillance of citizens. Given present data sharing arrangements, this data can then be transferred to Canadian and American authorities, giving the state an excellent perception of where, exactly, their citizens are in their daily activities. The possibilities of surveillance combined with the inadequate government ‘protections’ mean that EDLs, as presently planned, infringe upon citizens’ reasonable expectations to move through society without private and public bodies being able to comprehensively track their every movement. Governments should attend to the warnings uttered by Canadian privacy and information commissioners, and involve the public in any deliberations to institute EDLs, to limit the possibilities of EDLs being used to expand increasingly ubiquitous private and state surveillance of citizens’ movements.