Comment: To RFID or not to RFID, that is the question

The Vancouver Sun has an article that was written by Phil Chicola, U.S. Consul General in Vancouver. Entitled “To RFID or not to RFID, that is the question,” it is yet another part of the ongoing propaganda war surrounding the embedding of RFID chips in regular consumer products. In the recently released Canadian Border Services Agency (CBSA) Privacy Impact Assessment of the Enhanced Drivers License (EDL) program, we find that,

An effective external communications strategy will be developed by the [Provinces and Territories] with the assistance of the CBSA to ensure that the Canadian public is made aware of the significant privacy safeguards that will be put in place and the constraints that will be imposed on any subsequent use of personal information, especially sharing with the U.S. in consideration of the U.S.A. Patriot Act (29).

What this has amounted to in Ontario has been a persistent insistence by government officials that because the Radio Identifier that EDLs emit is not tied to any *other* piece of government information (e.g. the RFID number is not generated from an association with your driver license number, birth certificate, etc.) that the identifier isn’t personal information. Thus, while you will be broadcasting a number from your drivers license to anyone with a reader, that isn’t ‘personal’. Let’s turn to the Vancouver Sun article, and see how it squares up with the Canadian propaganda, shall we?

[EDLs] were created for frequent travellers, easy access and fast use. As you wait in your car to cross the border, having the kind of document that can only be read when you hand it over to the border official does not speed up the crossing. So this type of chip can be read by the border official’s machine from several feet away — even when you are in the next car waiting to cross. One thing that’s important to note though, this kind of card has NO PERSONAL DATA embedded in the chip.

Instead, it has a number which, when read by the right database, connects the user with his other personal data. And those databases are also protected with security measures against unauthorized use.

Privacy and preventing identity theft are important considerations in choosing the kind of travel document that is right for you, as are the convenience benefits.

We’re concerned about these issues as well since one of the key goals in mandating secure documents is to make sure they are secure and that people are who they claim to be. Cases of mistaken identity when travelling will become rarer as people opt to establish their identity through these kinds of secure measures. (Source)

So, let’s clarify some things. What is the possible read distance on an EDL? How powerful a radio receiver can you create? The more powerful the antenna, the longer the range. Conservative estimates, with standard off-the-shelf-readers RFID readers, place read rangers at up to 10-50 feet.

Next, while American citizens may not legally have personal data situated on the chip – I don’t know American privacy laws and regulations well enough to definitively say either way – the Canadian privacy commissioner has come out and said that where a number can serve as a proxy for an individual that that number is classified as personal information. Hence, your Social Insurance Number is classified as personal information because, even though it is ‘just a number’ it can (and is) used to identify and service Canadians. A difference, of course, is that there is a more prevalent need to get a SIN, as they are needed to work in Canada.

When they are referring to ‘secure measures’ are they referring to ‘broadcasting the number associated with the RFID in the clear, with no encryption?’ The article seems to allude that there will be protections with the EDL numbers, just as there is with American passports, but to clarify that: there is no such encryption in, or planned for, EDL identifier numbers. None. The technical specification for the RFID chips themselves does not allow for encrypting the number. The most ‘secure’ thing about the EDLs is that the database will be house in Canada, following outcry by the privacy commissioners of Canada – being safe from the Patriot Act is a good first step, but it’s a first step along a bad road.

One thought on “Comment: To RFID or not to RFID, that is the question

  1. Here here!
    The truth is, the better the tech, the easier it is for the hackers to steal the information. As we have no way of knowing what data is encoded, no way of controlling who is reading our information and no way of stopping its release, I think its a bad thing.

    But it is the way it is.

    I bought an RF-Shield for my cards. The Armadillo Dollar, actually. Nothing else I tested blocked all my cards.

    After a search for “How to hack RFID”, I learned that it wasn’t safe to walk the streets!

    What’s this world coming to?


Comments are closed.