Under a Freedom of Information request, the Privacy Impact Assessment (PIA) for the initial tests with Enhanced Drivers Licenses (EDLs) has been released to the public. I would highly recommend taking a look at the documents if you’re interested in this issue. Over the next few days and weeks I’m going to be (briefly) posting notes on the document. For more information, I’d recommend turning to the Canadian hub for advocates campaigning against the EDLs, at the Canadian IDentity forum.
I have a real passion for databases. They guide daily practice everywhere: withdrawing money at an instant teller, authenticating you to the web sites you visit, pricing products as they are scanned at the grocery store. Databases are big business, and when it comes time to deploy a new piece of identity infrastructure, the database chosen matters, as do the security precautions that surround it.
In British Columbia (BC) the personal information of the 500 individuals who took part in the EDL trial was encrypted by the Insurance Corporation of British Columbia (ICBC) and copied to a CD. The CD was handed to the Canada Border Services Agency (CBSA), which could not access the encrypted data, and then shipped south of the border to the American administrators of the Treasury Enforcement Communications System (TECS). The data was retained in TECS and released to U.S. Customs and Border Protection (CBP) when a traveller carrying an EDL arrived at the BC/Washington border. At that point an entry record was created; this record was kept in a database separate from TECS, though it is not wholly clear what information was copied from the EDL record into the entry record database. In the released document almost every mention of the RFID chip in the EDL, and of the use of biometric technologies, has been redacted.
What is perhaps most alarming in the document is its focus on a ‘push’ model for transmitting EDL information to the Americans once EDLs are deployed more widely across Canada. CBP demands that all data be available to its agents within 500 milliseconds, and CBSA doubts that it can provide adequate security and meet that access-time requirement at the same time. As a result, CBSA strongly suggests that Canadian EDL information be periodically ‘pushed’ to American databases. This would relieve CBSA of responsibility for securing and storing highly personal information, and of shouldering the costs of a potentially expensive program. In effect, every Canadian EDL record would be transmitted to US authorities on a periodic basis; it is unclear whether the destination would be TECS or a database operated by CBP itself. Of course, by acting merely as ‘push’ agents CBSA largely keeps its hands clean of the whole EDL mess, which I’m sure it isn’t losing any sleep over.
I should note that the released document does say that, if demand is high enough, CBSA may establish a ‘pull’ or ‘ping’ database that the Americans could query when they need EDL information. Under this model the EDL information would be stored on Canadian soil (and so subject to Canadian, rather than American, law). When an EDL was brought within range of the American border system, that system would request the record from the Canadian master EDL database; the response would authenticate the EDL, bring up the individual’s data, and allow the CBP agent to create an entry record. The advantage is that, with no copy of the master EDL database held in the United States, a sweeping American surveillance law (e.g. the Patriot Act) could not be used to reach the EDL records.
Something that might be interesting to think about: depending on what is passed from the EDL database to the entry record database (e.g. the RFID identifier, a biometric template), cloning a card’s RFID identifier could cause ‘ghost’ entries, or attempted entries, into the US to be recorded against the cardholder. Whether that is possible turns on whether the entry record is keyed on the broadcast identifier alone or on something the border system actually verifies. It would be very interesting to learn how the system as presently designed would prevent acts of civil disobedience of this kind, partly to judge whether they would be effective, and partly to gain insight into how a record of entry is actually created.