RFID

Passport Biometrics. Why?

Kaliya Young · May 4, 2006 · Leave a Comment

From Tara over at Horse Pig Cow she highlights this issue she learned about while in Europe by a fellow blogger.

Here in Europe we’re currently forced to get passports with biometrical data because the US wants us to do so. There are a lot of discussions about this and not everyone is happy with it. There is still no explanation from my government on what this is for. But there might be at least some control and protection of my data by my own government against other interests.

The reason this is happening around the world is a phenomena called ‘policy laundering.’ This what happens when governments want a policy.
Policy – “biometrics embedded in passports” and even more specifically being able to read these biometrics without touching the pass port. Basically mandating RFID chips with your biometrics in your passport.
So would this pass in the US? Not likely. So they took the ‘policy’ to the international standards body that determines international standards for passports. It is this body that decides that the policy.
The blogger continues and touches on issues that we are tackling in the identity world.

And now there’s this huge database of the same data building up without any control.
And that’s a big part of my problem: I don’t have control over my own data. At least none that I know of. Everyone can upload pictures of me and tag them with my name and e-mail address and I don’t even know it. In Germany it’s a human right to know what others know about someone and I see some possible violations of that in your (and other’s, for sure) service.

Owning your own data or at least having a copy of it is what we have been talking about in the identity community for a while.

Implanted RFID club entrance/human debit card

Kaliya Young · July 11, 2005 · Leave a Comment

A while back there was the DIY RFID that I blogged about. Today there is this story in the Financial Times about exclusive clubs offering their most prestigious patrons embedded chips the size of a rice grain to give them privileged access to their clubs. It has a whole history of this technology.

One night in Barcelona last year, a young Dutchman named Antoine Hazelaar received a strange proposition from the owner of a local nightspot, the Baja Beach Club. The club had just started a new programme called VipChip, he was told, and for E125, a qualified nurse could inject a device the size of a grain of rice, a VeriChip, into his upper arm. Once implanted, it would transmit an ID number to a scanner that would recognise Hazelaar as a special customer, so he wouldn’t have to wait in line and would get access to a private lounge. Since he would be one of the first people to be injected, the nightclub’s management would waive the initiation fee.
ADVERTISEMENT
Hazelaar agreed. At about 8pm one spring evening, in front of a throng of journalists, he sat down on a sofa in the cavernous Baja with another Dutch expat and a Spanish woman, ready to be injected. Bandages, needles and syringes were ceremoniously laid out on a cocktail table. Thanks to a local anaesthetic, Hazelaar didn’t feel the long shaft, about the size of a large sewing needle, as it entered his flesh. He didn’t feel the chip either, and a year later, he still doesn’t. “I forgot that I had it until you called,” he said.
Now, every time Hazelaar visits the Baja, he strides past the queue outside and goes straight to the doorman, who scans his arm until his name and photograph pop up on a computer screen. When he goes through another checkpoint at the special VipChip lounge, the number under his flesh becomes a payment instrument, like a loyalty card at Starbucks.
A waitress runs a scanner over his right bicep and the cost of a drink is deducted from his account.
As it turns out, Hazelaar became one of the world’s first human debit cards. But he wasn’t the last. The Baja now has 90 implanted VIPs; there are 70 at its sister club in Rotterdam, which opened last November. Even though the injection now costs E1,500 per person – including a E500 drinks credit – both establishments have waiting lists. Club co-owner Conrad Chase, a former star of the Spanish version of Big Brother, says his group might expand to Valencia and Hamburg, where they will also offer VipChip membership.
Some might say that this technology was inevitable, but how has this slightly creepy device become even remotely popular? And will it one day become part of everyday life?
…..
Ultimately, the choice is fear versus fear. What makes people feel most vulnerable? A hacker running up to them with a scanner, or news stories of rampant ID theft, infant abductions, botched surgeries, convicts on the run and terrorists among us? The VeriChip may be an extreme solution for extreme times, but the days when it could be dismissed as futuristic fancy are clearly long past.

Belgium Identity Cards

Kaliya Young · July 5, 2005 · Leave a Comment

From ID Corner comes this story about Belgium Identity Cards.
The card provides strong security against traditional outsider attacks, but unfortunately has not been designed with privacy in mind. In fact, it features one of the worst privacy designs imaginable. Two glaring problems:

The citizen certificates on each ID chipcard contain the cardholder’s name and RRN (the œrijksregistratienummer,” a single government-wide identification number for each natural person). The name and RRN are disclosed whenever a card is used at a relying party. The RRN (which has a simple structure based on the citizen’s birthday) serves as the key to numerous databases containing citizen information; on the basis of this number, all cardholder actions and movements with the eID chipcard can be electronically traced and linked (not merely by the government itself!).

The eID card specifies the following information, both visibly on the card itself and stored within the card’s chip: cardholder’s photo, surname and first names, gender, nationality, place and date of birth, signature, RRN, and the validity period of the card. In addition, the chip also stores the cardholder’s current address. Some of this information is privacy-sensitive, yet the cardholder has no control over its disclosure. (Historically, this is the same information as has always been on Belgium identity cards, and so arguably this does not constitute a reduction in privacy; however, in most countries around the world an information-rich national identity card would not pass in the first place.)

The privacy problems do not stop here. Each eID chip contains two X.509v3 identity certificates (each specifying the citizen’s name and RRN number, one for authentication and one for digital signing), as well as a basic signature key to authenticate the card with respect to the RRN. The certificates and public keys, which are assigned by the central issuing authority, by themselves serve as “omni-directional” identifiers that are globally unique. For a detailed account on the various privacy problems caused by this use of PKI, see, for instance, here.