The proposed imposition of identity cards tends to get people riled up. This is especially true of the people who are going to have to carry the documents in their purses and wallets. In British Columbia the provincial government has slowly, and quietly, developed an identity card termed the ‘BC Services Card’. The Services Card will effectively be a required piece of documentation for all BC residents as of about 2018; it will be used to access non-emergency medical services, as well as yet-to-be-decided government services in education, citizen services, and more.
In 2012, the British Columbia Civil Liberties Association commissioned a technical report about the Services Card from my company, Block G Privacy and Security Consulting. The goal of our report was to contextualize the politics and technology behind the new BC Services Card and, in the process, understand prospective security- and privacy-related issues linked with the initiative. A core aspect of our report consists of a technical survey of the Services Card and its associated infrastructure. As part of our survey we evaluate possible vulnerabilities that could be exploited by a hostile third party intent on undermining, disrupting, or otherwise compromising Services Cards or the trust BC residents are expected to place in them as technically sophisticated and reliable identity tokens. Given that we lacked direct access to the cards and infrastructure, our analyses and critiques were based on limited documentary evidence, expert-level interviews, and secondary sources.
Highlights from the section of the report covering risks and vulnerabilities include:
- The importance of ensuring that government actors responsible for issuing the cards are trustworthy; failure to do so could undermine many of the government’s identity assurance processes that underlie the entire card system.
- Physical security characteristics are positive, though the inclusion of biometric facial images does not necessarily lead to the security enhancements suggested by the government.
- The near field communication (NFC) chips embedded in the cards are a point of significant vulnerability, insofar as they could be read at a distance, compromised by a malicious actor, or tampered with to intrude into the computers and mobile phones reading the chips.
- The potential for ‘function creep’, or the expanded use of the Services Card for purposes beyond the current scope of the card. This might include use of the card by private parties or the card ultimately being integrated with the federal government’s planned pan-Canadian identity card.
In light of these risks, we provide the following suggestions to ameliorate potential security dangers:
- Penetration tests should be conducted to ‘attack’ the system, in order to understand where vulnerabilities exist, how they could be exploited, and how to subsequently rectify them. Given the magnitude of the government’s proposed data-linking infrastructure associated with the Services Card, this kind of analysis is critical. Testers should be given a wide remit in testing the system and not be artificially limited in what they can do to identify vulnerabilities.
- Public consultations with security experts should occur, and the consultations’ findings should be summarized and subsequently made public. These consultations should attend to how the security of the cards and BC residents’ privacy can be maximized.
- Public audits should be routinely conducted on the systems and infrastructure surrounding the BC Services Card. This should include auditing private vendors who are contracted to provide service.
Our report is available for public download.
Over the next 48-72 hours I’ll be doing some (extensive) work on my site. I’m simultaneously trying to renovate some features, dispose of others, and generally repair some long-standing problems on the backend. This site – and the database behind it – started as an experiment many years ago, and I made a large number of fairly boneheaded mistakes over the years that I’ve tried (I think successfully) to cover up with bandages and duct tape during the last 3 years. It’s time, however, to amputate these festering areas and rebuild them.
I’ve begun fixing up some of the problems over the past month, including migrating to a better hosting company that has located my data in Canada. Uptime has been more reliable and access speeds have generally improved, but more needs to be done. By the end of the weekend I hope to have performed the work needed to correct the bits and pieces of the site that are becoming increasingly problematic to deal with.
One of the more significant changes will be that the “/blog” in my URL will largely be removed. I’ll be trying to remedy internal links over the coming while, to limit internal breaks, but this might mean that some inbound links are broken. Significantly, those who use RSS readers to read what is written will likely need to adjust their feed. By the end of the weekend, the feed should have moved to: https://christopher-parsons.com/?feed=rss2
I’ll post an update, to this post, once the transition is complete. See you on the other side!
The move has concluded. In addition to considerable visual modifications, I’ve also remedied some rotten links and tried to improve page response speed. The URL structure has changed, though old links should successfully redirect to the new link structure. Text should remain easy to read (ideally as good as, if not better than, before) and I’ve presently adopted a ‘reading-for-mobile’ theme. The analytics engine that I use is, at present, Piwik, which stores data on my server instead of providing it to a third party. The privacy notice has been updated as a result.
As noted in the earlier post, the RSS feed has moved to: https://christopher-parsons.com/?feed=rss2
As mentioned previously, for the past several months I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies. One aspect of our work addresses the concept of jurisdiction: what systems of rules mediate or direct how social media companies collect, retain, use, and disclose subscribers’ personal information? To address this question we have examined how major social networking companies comply, or not, with one of the most basic facets of Canadian privacy law: the right to request one’s own data from these companies. Our research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office, and none of our findings necessarily reflect the Commissioner’s positions. As part of our methodology, while we may report on our access requests being stymied, we are not filing complaints with the federal Commissioner’s office.
Colin Bennett first presented a version of this paper, titled “Real and Substantial Connections: Enforcing Canadian Privacy Laws Against American Social Networking Companies”, at an Asian Privacy Scholars event and, based on comments and feedback, we have revised that work for a forthcoming conference presentation in Malta. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.
Any organization that captures personal data in Canada for processing is deemed to have a “real and substantial connection” to Canada and to fall within the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA) and of the Office of the Privacy Commissioner of Canada. What has been the experience of enforcing Canadian privacy protection law on US-based social networking services? We analyze some of the high-profile enforcement actions by the Privacy Commissioner. We also test compliance through an analysis of the privacy policies of the top 23 SNSs operating in Canada and through access-to-personal-information requests. Most of these companies have failed to implement some of the most elementary requirements of data protection law. We conclude that an institutionalization of non-compliance is widespread, explained by the countervailing conceptions of jurisdiction inherent in corporate policy and technical system design.
Download the paper at SSRN