Here's an article I wrote for the Risks digest, and rewrote for a CPSR newsletter.

Chris

--------------------------------------------------

California Adds Magnetic Strips to Driver's Licenses

By Chris Hibbert

California introduced a new format of driver's license in January which will have important implications for privacy. The change is the addition of a magnetic stripe on the back that standard commercial credit card readers will be able to read. The ostensible reason for this change is to make the process of writing out traffic tickets easier and less error-prone, but privacy experts are concerned that the side effects of the new cards on privacy may outweigh the intended consequences.

Since the information on driver's licenses will be more accessible, businesses and government agencies will find ways to use it more often than they have in the past. The most likely first step is that merchants will keep more detailed records on their customers and their habits. The probable result is that more information will be stored about nearly everybody. This creates the possibility of an enormous number of databases storing a wide variety of information, all using the driver's license number as a key.

This will be similar to the situation that we currently have, to a lesser extent, with Social Security numbers (SSNs). Federal legislation prevents government agencies from using SSNs as a universal ID. There is no such prohibition keeping a new, state-wide universal ID out of corporate databases. The license number is also easy to capture and will be a much more reliable identifier.

The New Format

The picture on the front of the new cards will be in color, with a hologram of the state and DMV seals to make counterfeiting harder. For people under the legal drinking age, the picture will be on the right instead of the left. The magnetic stripe will have three tracks. The middle one will be encoded in the same format as credit cards, and is intended to be read by ordinary commercial readers.
This track can only contain 40 bytes of information, and will hold the birth date, driver's license number, and expiration date. The other two tracks will be encoded at double density (incompatible with current commercial readers), and will contain the rest of the information that is printed on the front of the license: name, eye color, hair color, height, weight, etc.

The magnetic stripe will be encoded at a higher coercivity (resistance to change in magnetization) than the commercial standard. The standard calls for 30 oersteds of coercivity; the DMV will use 3600 oersteds to make it harder to erase or rewrite. It is unclear whether there will be penalties for carrying an erased card.

Uses for ID

There are a variety of reasons that people are asked for identification, and most don't realize the extent to which there are different goals. Some of the common purposes are:

- verifying facts about an individual who is present (e.g., ensuring that the individual is 21 years old)
- communicating identity to a third party (e.g., an insurer wants to limit coverage to those individuals employed by a certain company)
- linking actions performed by the same person (e.g., for compiling longitudinal medical histories, where knowing the identity isn't important)
- identifying an individual as the same person who was present before (e.g., the owner of a particular bank account)
- being reasonably sure that a check won't bounce

Depending on a reliable form of ID is a simple way to be reasonably sure about many of these things. However, each of these needs can be satisfied in some other way with a bit more work. When the expedient mechanism of using a well-known key is chosen, the result is a lot of data stored in different places under the same key, which is a major problem for anyone trying to safeguard their privacy.

Why not use the same ID all the time?
To maintain privacy and still deal with people, you need to be able to give out some information without giving access to all the other information about you that is stored in many databases. Since you don't have complete control over how much any of your contacts tells any other, you have to make it hard for them to identify you to one another. If everyone uses the same universal ID, this is impossible.

A part of your privacy lies in knowing how much access to information about you particular parties have. If everyone uses the same identifiers for you, you have to know what databases they have access to in order to know what they can look up. If you can use different identifiers for different purposes, you can control the spread of the data.

Related to this is the problem of controlling the spread of erroneous information. The more that people use common keys and look in more than one database, the more it becomes possible for mistakes to spread along with the truth. If each of the records stays separate, then once someone discovers a mistake, it only has to be corrected in one place.

Another problem with using the same ID everywhere is that it's a single point of failure: if you lose your one ID card, you can't access anything, and correspondingly, whoever finds it (or steals it) has access to nearly everything. If you have multiple identifiers, you at least have the possibility of keeping them separate and reducing your risk.

Conclusion

This constitutes a new invasion of privacy even though the DMV wouldn't be providing any information on the new cards that isn't on the old ones. The fact that the information is available with much less effort makes uses of it feasible that wouldn't even have been considered before.
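The linkage problem discussed under "Why not use the same ID all the time?", as an added example that is not part of the original article: two constructed databases keyed on the printed license number join up completely, while the same records keyed on a purpose-specific identifier (an HMAC of the license number under a secret that each relying party keeps to itself, an assumed design rather than anything the DMV does) cannot be joined, yet each party can still recognise a returning customer.

```python
import hashlib
import hmac

# Constructed sample records (hypothetical license numbers): two unrelated
# businesses that both store the number exactly as printed on the card.
PHARMACY = [
    {"dl": "N1234567", "purchase": "insulin"},
    {"dl": "B7654321", "purchase": "aspirin"},
]
VIDEO_STORE = [
    {"dl": "N1234567", "rental": "documentary"},
    {"dl": "B7654321", "rental": "comedy"},
]


def link_on_shared_key(left, right, key="dl"):
    """Join two record sets on a common key; returns the merged records.
    With the raw license number as the key, every customer lines up."""
    index = {}
    for rec in left:
        index.setdefault(rec[key], []).append(rec)
    return [dict(l, **r) for r in right for l in index.get(r[key], [])]


def purpose_specific_id(dl_number, purpose, secret):
    """Derive a per-purpose identifier from the license number.
    Assumed design: the relying party keeps its own secret and stores only
    this value, so the number itself never lands in its database. The same
    card still maps to the same identifier for that party, which is all it
    needs to recognise a returning customer."""
    msg = f"{purpose}:{dl_number}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, purpose, secret):
    """Rewrite a record set so its key is the purpose-specific identifier."""
    return [dict(r, dl=purpose_specific_id(r["dl"], purpose, secret)) for r in records]


def linkable_count(left, right):
    """How many records can be matched across the two sets."""
    return len(link_on_shared_key(left, right))
```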
In response to a request from this reporter, Assemblywoman Delaine Eastin (Chairwoman of the committee on Governmental Efficiency and Consumer Protection) wrote:

"I share [the concern] that the stripes, if used improperly or if expanded beyond the current plan, could constitute an invasion of privacy. A society where people carry around magnetically coded `ID' cards for use by police and store-keepers would not be one most of us want to live in. Nevertheless, the DMV plan, limited in its scope, seems like a relatively benign way to save time and money for everyone."

The new licenses constitute exactly the "magnetically coded `ID' cards for use by police and store-keepers" that she said we wouldn't find acceptable. Merchants will start asking customers for their licenses, and many customers will comply unthinkingly. Those who see deeper privacy issues and don't want their identity recorded along with their buying habits in yet another computer system will have to contend with clerks who just do what the boss tells them to. They won't be allowed to ignore those behind them in line who can only tell that someone is interrupting the routine and making them wait longer.

I'm afraid that we've lost a little more of our privacy, and it's going to be very hard to get it back.