Real ID

Real ID: Connecting the Dots to an International ID

  "Under REAL ID biometric facial recognition technology, you become a number literally worn on your face - a number which is read by computer, tracked by surveillance camera, and distributed worldwide."
NEWS WITH VIEWS.com - By Rep. Sam E. Rohrer, Pennsylvania House of Representatives from the 128th Legislative District representing Berks County - August 24, 2008
History offers many examples of societies which have sought to increase security by sacrificing freedom. America itself provides many pertinent instances. However, our founding fathers have not left us without wisdom on this issue. Ben Franklin has famously stated, "People willing to trade freedom for temporary security deserve neither and will lose both." REAL ID undoubtedly exemplifies a scenario in which a difficult tension exists between freedom and security. By commandeering every state's driver's license issuing process, REAL ID threatens the results warned by Franklin - loss of both freedom and security. It has become the biometric enrollment phase of a plan to implement a terribly invasive tracking system, largely without public knowledge or approval. REAL ID is merely the current face of a far larger, international government and private economic effort to collect, store, and distribute the sensitive biometric data of citizens to use for the twin purposes of government tracking and economic control. At issue are much more than standardized or non-duplicative driver's licenses. This effort extends worldwide, threatening every person alive today. Although very legitimate security concerns exist in this age of terrorism, this Act extends far beyond terrorism prevention or protection of the innocent. Keeping that broad picture in mind, let us move to some background behind the face of REAL ID implementation in America.

The REAL ID Act passed Congress in 2005 buried in a "must-pass" war funding and tsunami relief bill. The little debate in the House and total absence of debate in the Senate ensured that many Congressmen did not realize the full implications of REAL ID. Importantly, the desire by government and economic interests to implement a national tracking and ID system did not start with the REAL ID Act in 2005. Under the guise of security, it has been attempted numerous times in the past, even during Ronald Reagan's administration. When former Attorney General William French Smith proposed to implement what he called a "perfectly harmless" national ID system as well as when a second cabinet member proposed to "tattoo a number on each American's forearm," Ronald Reagan responded, "My God, that's the mark of the beast," signaling an abrupt end to the national ID debate during the Reagan years.

The significant opposition to a national ID system in the past extends to the REAL ID issue today. This conviction has united both Democrats and Republicans as well as such normally opposed groups as the ACLU and the ACLJ. Whether the concern is privacy, religious rights, states' rights, or cost of implementation, REAL ID has galvanized broad and deep resistance, currently including an estimated six hundred groups. Today, over twenty legislatures have passed resolutions or legislation variously opposing implementation of the REAL ID Act. Eleven of those legislatures have gone further by passing laws specifically prohibiting compliance with REAL ID.

What does REAL ID do? REAL ID attempts to mandate a standardized process and format for all state drivers' licenses to achieve increased security. Most importantly in this standardized process, REAL ID mandates a certain picture quality. A footnote issued by the Department of Homeland Security establishes this quality as compliant with the ICAO Document 9303 biometric format. The global body setting this format, the International Civil Aviation Organization (ICAO), is a specialized agency created under the United Nations. Biometric data can be produced from a simple digital photograph of this quality by running the picture of a person's face through a software program which measures and analyzes the unique, personally identifiable characteristics of that face. The process results in a unique numeric code which identifies a person according to facial measurements. You read that correctly. A unique number or "code" is developed from an algorithmic formula which converts a digital biometric sample to biometric "face print" data. Under REAL ID biometric facial recognition technology, you become a number literally worn on your face - a number which is read by computer, tracked by surveillance camera, and distributed worldwide. Clearly, this international standard provides global compatibility of American citizens' biometric data collected through REAL ID.

Having this background, we should observe that many Americans still do not know why the provisions of the REAL ID Act must be rejected and aggressively opposed because they do not understand the full implications of REAL ID. Many wrongly assume that the legitimate need for security trumps all other considerations. However, REAL ID is not primarily about a secure driver's license or terrorism prevention. The full and dangerous implications of REAL ID may be fleshed out through a discussion of why each American must vigorously oppose this Act's most basic tenets. It poses dangers in the following three areas:

1 - REAL ID violates Constitutional rights.
2 - REAL ID compromises national and state sovereignty.
3 - REAL ID threatens the safety of all Americans.

I - First, let us note that compliance with REAL ID would violate our constitutionally protected freedoms.

Amendment I - Freedom of Religion

REAL ID violates freedom of religion for some citizens by forcing inclusion into a system which requires a picture - and more - just to access public services. The Amish and some Mennonites provide examples of religious groups who view the mere taking of photographs as idolatry. REAL ID conditions their freedoms, such as entering a federal building, upon a provision which violates their religious beliefs. Because this "government" identification system limits travel and access to certain public places, and could even become a debit card, other more mainline religious groups view REAL ID as the advent of the "mark of the beast."

Particularly because this technology assigns a unique number to represent each person's biometric face print, these concerns are hardly unfounded.

A Powerpoint presentation from L-1 Identity Solutions, the major biometrics company in the U.S. today, bolsters this claim. A slide in that presentation includes a graph which charts future likely applications for biometrics. Phase 1 of this "blueprint" for biometric implementation utilizes the authority of Federal agencies to impose such requirements as REAL ID. Phase 2 utilizes bureaucratic leveraging on regulated industries to implement biometrics. Phase 3 anticipates mass implementation on the citizens at large for such everyday activities as buying and selling. As an example, under Phase 2 DHS is attempting to force airlines to pick up the costs of collecting biometrics from foreigners at airports. In Texas under Phase 3, a company is experimenting with using the driver's license as a debit card. Whether one is personally alarmed at some or all of these concerns, REAL ID would prohibit the free exercise of religion for many people.

Amendment IV - Freedom of Privacy

REAL ID also violatess the Fourth Amendment's guarantee of freedom of privacy. First, by mandating the collection, storage, and dissemination of personally identifiable data without any informed consent, REAL ID tramples on this right. In reality, this practice constitutes government-sanctioned identity theft and seriously breaches the "security of person" guaranteed to every U.S. citizen. No sufficiently compelling need exists to warrant government mass collection and storage of such sensitive information about its citizens. Concern heightens even further when private corporations control the databases being set up to house this information. As an example, L-1 Identity Solutions houses a database of U.S. driver's license information. This company, which has consolidated a virtual monopoly on the driver's license issuing market in the U.S., will handle all private information collected during the license issuing process.

Secondly, REAL ID threatens freedom of privacy because this warehoused data cannot be confidently secured. Even the Department of Homeland Security's own Privacy Impact Assessment fails to guarantee that the database linking and networking that will result from REAL ID will be secure. Many privacy experts agree that REAL ID will actually increase identity theft! In reality, the database and access to it will create an electronic superhighway for potential mass identity theft.

Thirdly, REAL ID violates the Fourth Amendment in that the process of collecting personal biometric data without consent violates the very laws that exist to protect against such measures. This is probably one of the most significant Constitutional issues. Current US law allows the collection of biometric information only in the case of criminal activity. However, REAL ID institutionalizes the capture of facial recognition biometrics for every driver, regardless of criminality.

Fourthly, REAL ID ripens the climate for aggressive efforts to control the masses via information and leading-edge technology, regardless of crucial privacy considerations. Data collection and surveillance is simultaneously occurring across several diverse fronts, each one a potential privacy danger painting the broader picture of where REAL ID will take us as a country. For instance:

1- In Rhode Island, a school district is allowing a company to place radio frequency tracking (RFID) chips in students' book bags.

2- Nationwide, Great Britain has installed an estimated 4.2 million surveillance cameras utilizing facial recognition technology to keep tabs on all citizens. These cameras, of which there is 1 for every 14 citizens, can observe a person up to 300 times in a normal day in the city of London.

3- China is aggressively pursuing country-wide surveillance of its citizens using facial recognition technology purchased from a contractor supplied by the previously mentioned L-1 Identity Solutions.

4- According to a June 28, 2008 New York Times article, US and European officials are nearly agreed upon a "binding international agreement" which would allow "European governments and companies to transfer personal information to the United States, and vice versa." Under the cloak of terrorism prevention, European governments could request "private information - like credit card transactions, travel histories, and Internet browsing habits" about American citizens.

5- Homeland Security Presidential Directive 24 issued by the President on June 5, 2008, "establishes a framework to ensure that Federal executive departments and agencies use mutually compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric and associated biographic and contextual information of individuals." This step shows the President's extensive authority and disregard for privacy in streamlining the biometric sharing process.

6- The FBI is currently building a billion-dollar database to house an enormous amount of biometric data. While officially aimed at housing criminal and terrorist data, this database already retains finger prints, iris scans and other individual biometrics that the government collects on ordinary citizens. Who knows the extent of the private information that will be stored in this massive database? REAL ID-collected "face prints" are just one more piece of the data collection and tracking system.

These examples only serve to underscore the aggressive global government efforts to track and control citizens. In every case, REAL ID violates the freedoms guaranteed by the Fourth Amendment.

Amendment X - States' Riights

REAL ID violates the Tenth Amendment in that the federal government is attempting to force the states to collect private data on their citizens, only to allow that data to be shipped out-of-state and shared worldwide. This action forces the states to work against the very interests of the citizens they are to protect. When states accede to this pressure under REAL ID, they allow the transfer of state authority to the federal government. The separation of powers built into our Constitution then crumbles as the federal government makes the rules, interprets the rules, and enforces the rules regarding all state drivers' licenses.

II- In addition to the three ways REAL ID would violate the Constitution, compliance with the REAL ID Act would undermine our national and state sovereignty. While REAL ID reads like a manual for a national ID card, the Department of Homeland Security's own rules for REAL ID reveal that it implements an international ID system based on biometric identification. Complying with the requirements under REAL ID would violate U.S. national and state sovereignty by forcing states to adopt international biometric facial image standards and to document standards set by international organizations.

As mentioned previously, the ICAO, affiliated with the UN, sets the standards for facial image captures (photos). Besides tracking the movements of international travelers, the ICAO also has assumed the responsibility of creating a common international passport system that stores individual personal and biometric information on a RFID chip built into the passport. The American Association of Motor Vehicle Administrators (AAMVA), which recognizes ICAO standards, "enables" this scheme. This international body and private organization sets nearly all the standards for REAL ID document scanning, storage, data encryption, barcode and layout design to comply with their 2005 international driver's license system. Under REAL ID, AAMVA is the hub and backbone of the database system being set up to share information between states. From a broad perspective, the system created by REAL ID destroys national sovereignty and constitutional authority by removing control of government from the people and establishing government control over the people.

Furthering AAMVA's control strategy here in North America, implementation of REAL ID is "de facto" enrollment of each state into AAMVA's Driver's License Agreement (DLA). AAMVA has pushed the DLA, which meets REAL ID specifications, for nearly ten years. The implementation of this DLA is crucially important to the global effort because it mandates the sharing of all U.S. drivers' license information with Mexico and Canada. This egregious step places U.S. citizen's data at the mercy of Canadian and Mexican privacy controls, further exacerbating the identity theft problem, and violating Constitutional law and national sovereignty by essentially having states form a treaty with a foreign nation.

REAL ID also violates national sovereignty because any international system includes and requires agreements and obligations that would weaken any sovereign standing. In fact, a Government Computer News report notes the following from Robert Mocny, acting program manager for the U.S. Visitor and Immigrant Status Indicator Technology program. His quote comes from comments about a federal plan to extend biometric data sharing to Asian and European governments and corporations, so as to create a Global Security Envelope of identity management.

"My question is, how is it ethical not to share?" Mocny asked. "It makes no sense for us to develop separate systems . . . information sharing is appropriate around the world." Government Computer News further notes that he is sketching a plan for sharing biometric data that would permanently link an individual with data that governments and corporations hold. Since both governments and corporations have been infiltrated by extremists and terrorists and since certain governments of today may be our enemies tomorrow, I hardly think that worldwide sharing of our citizen's data is a good idea!

Enhanced Driver's Licenses (or EDL's) provide a further example of the undermining of national and state sovereignty. Citizens that purchase these nearly REAL ID-compliant licenses, which contain biographic and biometric information on an RFID chip, can use them as a passport to enter either Mexico or Canada. This advancement establishes the international ID designation of REAL ID. The Canadian province British Columbia has also issued a new EDL which, according to their website is also, "an acceptable document for entry from Canada into the United States by land and water."

REAL ID violates state sovereignty because the issue in contention is "national identity management", with the federal government manipulating the tool of state driver's licenses. Consider the following statements about REAL ID from Electronic Data Systems, the very company likely to maintain AAMVA's driver's license database: "The Real ID Act, then, is about more than a driver's license. It puts in place a set of standards for Identity Management (IdM) that can be leveraged across an entire government organization to create an integrated citizen identity security program." The international biometric standards mandated in DHS's final rules, paint the broader picture of an international ID card for government surveillance and tracking.

III- REAL ID would endanger Constitutional rights and both national and state sovereignty. Finally, let us consider that compliance with the REAL ID Act would compromise the safety of our people. Unlike what some government officials might say, 9/11 and the prevention of terrorism are not the real reasons for REAL ID. In fact, this technology was being pushed well before 9/11. Although REAL ID and biometrics are promoted as the "cure-all" to terrorism and identity theft problems, many highly dispute this claim. In response to the post-9/11 claims of biometrics companies that their technology could have prevented 9/11, Jim Wayman, the former head of the US Biometrics Center countered, "No, the government didn't have this stuff in place, precisely because it had been working on it and knew its limitations and didn't find any value for the costs involved." He further noted, "It's going to be hard to know how these technologies can be applied to increase national security. We're not just going to turn these machines on and start catching terrorists." REAL ID will not assure greater safety since terrorists will either avoid or duplicate a REAL ID compliant drivers' license, although a correctly operating biometric system would certainly increase the difficulty of faking or forging a license.

Despite the government's assurances about the "certain" safety benefits of REAL ID, no government or company can create a foolproof, perfectly secure system. A person who breaks the law or who desires to wreak havoc on American soil will find a loophole with which to avoid the requirements of REAL ID. One needs only consider that driver's licenses on the black market will continue to be readily available.

Further, the safety of law abiding citizens will be compromised as their identities are stolen, stored and made accessible to thieves around the globe. Some people reject this idea because they hope that the government will be able to protect their identity once it has all of a person's information. The simple faith implicit in this idea is widely misplaced, however. As proof, consider that in 2007, a Globe and Mail report noted, "A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports." A breach of security in Great Britain last December resulted in the loss of approximately 25 million individual records. In my state of Pennsylvania, a security breach which occurred two years ago at a Driver's License Center resulted in over 11,000 records being compromised. Such security breaches highlight significant personal dangers to law abiding citizens and prove that the only secure data is uncollected data.

Finally, REAL ID does not assure safety because biometric technology itself does not work predictably. At this point in time, the technology we are discussing does not work well; hence REAL ID and facial recognition biometrics can not ensure safety. As a result, no one has yet been successfully prosecuted via facial biometrics. The opportunity for false identification and therefore being, "guilty before proven innocent" is great. For example, the Tampa, Florida police force scrapped a facial recognition system in 2003 because, according to a spokesman, "We never identified, were alerted to, or caught any criminal. It didn't work." While on its face, the concept of REAL ID seems like it would increase security, it does not. A Privacy International Study conducted in 2004 found "Of the 25 countries that have been most adversely affected by terrorism since 1986, eighty percent have national identity cards, one third of which incorporate biometrics. This research was unable to uncover any instance where the presence of an identity card system in those countries was seen as a significant deterrent to terrorist activity." The simple truth is that REAL ID cannot stop crime.

In summary, we have seen that REAL ID threatens Constitutional rights, national and state sovereignty, and the safety of our people. The enrollment of American citizens into an international biometric system of identification and tracking constitutes the heart of the REAL ID issue. A secure driver's license is not the ultimate goal or certainly the ultimate result of the REAL ID Act. And it is unfortunately clear that the ultimate purpose is government tracking and economic control through enhanced knowledge and surveillance through biometric identification and tracking.

This being established, it is clear that this aggressive effort of the federal government, working hand-in-hand with private commercial interests, must be opposed on every level. While Congress must move to quickly repeal the passage of the REAL ID Act, the states provide an ideal position from which to fight this encroachment by the federal government. The responsibility for the security and privacy of our own generation and the generations to come, however, rests upon our shoulders.

The next action to be taken involves the following three steps.

First, Congress must immediately repeal the REAL ID Act and resist any effort to pass anything remotely similar. Secondly, individual states which have not passed legislation preventing implementation of any provision of REAL ID, particularly the biometric portion, must do so without delay. As has been stressed throughout this article, biometrics is the core provision of REAL ID; consequently, the states must move to protect their citizens' biometric data immediately. This step is critical because the vast majority of statutory law did not envision the breadth of individually identifiable data that could be gleaned by rapidly advancing technology. Further, because L-1 Identity Solutions holds a virtual monopoly as contractor for state DMVs, they could use their position to coerce the states into implementing all of DHS's wishes. This scenario further endangers state's rights.

Therefore, it is not enough for states to simply stop collecting biometric data. They must purge and "dumb-down" databases to preclude any government knowledge or use of private citizen's biometrics. Additionally, private third-party inspections should be ordered to ensure that all measures have been fully implemented. Fundamentally, the states must demand control - they must inform the contractor what to ddo, not vice versa. Thirdly, citizens must play a role in resisting illegitimate actions of the federal government. They must be encouraged in their capacity as law-abiding citizens to whom Constitutional guarantees were acknowledged, to resist implementation of any effort that would compromise their individual, God-given rights.

The American people remain the strongest defenders of freedom in the world. Many in our past have died for the liberties we enjoy today. Most of us are still willing to fight and die today for our freedom and the freedom of our children tomorrow. May we each do our part to ensure the greatest nation on earth remains "the land of the free and the home of the brave!"

"Liberty has never come from the government; it has always come from the subjects of it. The history of liberty is a history of limitation of governmental power, not the increase of it." -Woodrow Wilson

Sam Rohrer is a Representative for the state of Pennsylvania and a member of the American Policy Center Advisory Board.

For more information on the dangers of the Real ID Act, contact:

Mark Lerner
Co-Founder - Stop Real ID Coalition
Phone: (816) 401-7615
Email: stoprealid@aol.com

Sam Rohrer is a Representative for the state of Pennsylvania and a member of the American Policy Center Advisory Board.

Original Report

How RFID Tags Could Be Used to Track Unsuspecting People

A privacy activist argues that the devices pose new security risks to those who carry them, often unwittingly
SCIENTIFIC AMERICAN [Holtzbrinck] - By Katherine Albrecht - August 21, 2008
If you live in a state bordering Canada or Mexico, you may soon be given an opportunity to carry a very high tech item: a remotely readable driver's license. Designed to identify U.S. citizens as they approach the nation's borders, the cards are being promoted by the Department of Homeland Security as a way to save time and simplify border crossings. But if you care about your safety and privacy as much as convenience, you might want to think twice before signing up.

The new licenses come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique identification number. As the bearer approaches a border station, radio energy broadcast by a reader device is picked up by an antenna connected to the chip, causing it to emit the ID number. By the time the license holder reaches the border agent, the number has already been fed into a Homeland Security database, and the traveler's photograph and other details are displayed on the agent's screen.

Although such "enhanced" driver's licenses remain voluntary in the states that offer them, privacy and security experts are concerned that those who sign up for the cards are unaware of the risk: anyone with a readily available reader device-unscrupulous marketers, government agents, stalkers, thieves and just plain snoops-can also access the data on the licenses to remotely track people without their knowledge or consent. What is more, once the tag's ID number is associated with an individual's identity-for example, when the person carrying the license makes a credit-card transaction-the radio tag becomes a proxy for that individual. And the driver's licenses are just the latest addition to a growing array of "tagged" items that consumers might be wearing or carrying around, such as transit and toll passes, office key cards, school IDs, "contactless" credit cards, clothing, phones and even groceries.

RFID tags have been likened to barcodes that broadcast their information, and the comparison is apt in the sense that the tiny devices have been used mainly for identifying parts and inventory, including cattle, as they make their way through supply chains. Instead of having to scan every individual item's Universal Product Code (UPC), a warehouse worker can register the contents of an entire pallet of, say, paper towels by scanning the unique serial number encoded in the attached RFID tag. That number is associated in a central database with a detailed list of the pallet's contents. But people are not paper products. During the past decade a shift toward embedding chips in individual consumer goods and, now, official identity documents has created a new set of privacy and security problems precisely because RFID is such a powerful tracking technology. Very little security is built into the tags themselves, and existing laws offer people scant protection from being surreptitiously tracked and profiled while living an increasingly tagged life.

Beyond Barcodes
The first radio tags identified military aircraft as friend or foe during World War II, but it was not until the late 1980s that similar tags became the basis of electronic toll-collection systems, such as E-ZPass along the East Coast. And in 1999 corporations began considering the tags' potential for tracking millions of individual objects. In that year Procter & Gamble and Gillette (which have since merged to become the world's largest consumer-product manufacturing company) formed a consortium with Massachusetts Institute of Technology engineers, called the Auto-ID Center, to develop RFID tags that would be small, efficient and cheap enough to eventually replace the UPC barcode on everyday consumer products.

By 2003 the group had developed a working version of the technology and attracted investment from more than 100 companies and government agencies. The tags' promoters promised the tiny chips would revolutionize inventory management and counterfeiting prevention [see "RFID: A Key to Automating Everything," by Roy Want; Scientific American, January 2004].

To kick-start government adoption of the technology, the General Services Administration (GSA), a federal bureau that manages purchasing for other government institutions, issued a memo in 2004 urging the heads of all federal agencies "to consider action that can be taken to advance the [RFID] industry." Suddenly, virtually every agency, from the Social Security Administration to the Food and Drug Administration, began announcing RFID trials.

During the same period, similar initiatives were under way around the world. In 2003 the International Civil Aviation Organization (ICAO), a United Nations agency that sets global passport standards, endorsed the use of RFID tags in passports. ICAO now calls for their use in all scannable "e-passports." Today dozens of countries, including the U.S., issue e-passports with RFID tags embedded in their covers.

Since their debut, the new passports have been controversial on both privacy and security grounds. In a 2006 report one ICAO official promised that encryption measures would provide a "level of protection [that] should reassure the most anxious passport holder that his personal data cannot be read without his knowledge."

Security experts quickly proved otherwise. In 2007 British security consultant Adam Laurie cracked the encryption code on a U.K. passport and "skimmed," or remotely read, its personal information-while it was still sealed in its mailing envelope. Around the same time, German security consultant Lukas Grunwald copied the data from a German passport's embedded chip and encoded it into a different RFID tag to create a forged document that could fool an electronic passport reader. Investigators at Charles University in Prague, finding similar vulnerabilities in Czech e-passports, wrote that it was "a bit surprising to meet an implementation that actually encourages rather than eliminates [security] attacks."

Yet these demonstrated security problems have not slowed the adoption of RFID. On the contrary, the technology is being deployed for domestic ID cards around the world. Malaysia has issued some 25 million contactless national identity cards. Qatar is issuing one that stores the cardholder's fingerprint in addition to personal information. And in what industry observers are calling the single largest RFID project in the world, the Chinese government is spending $6 billion to roll out RFID-based national
IDs to nearly one billion citizens and residents.

There is an important difference, however, between other nations' RFID-based ID cards and Homeland Security's new driver's licenses. Most countries' contactless national IDs and e-passports have adopted an RFID tag that meets an industry standard known as ISO 14443, which was developed specifically for identification and payment cards and has a degree of security and privacy protection built in. In contrast, U.S. border cards use an RFID standard known as EPCglobal Gen 2, a technology that was designed to track products in warehouses, where the goal is not security but maximum ease of readability.

Whereas the ISO 14443 standard includes rudimentary encryption and requires tags to be close to a scanner to be read (a distance measured in inches rather than feet), Gen 2 tags typically have no encryption and only minimal data safeguards. To skim the data from an encrypted ISO 14443 chip, you have to crack the encryption code, but no special skills are required to skim a Gen 2 tag; all you need is any Gen 2 reader. Such readers can be purchased readily and are in common use in warehouses worldwide. A hacker or criminal armed with one could skim a border card through a purse, across a room, even through a wall.

As of this past April, more than 35,000 Washington State motorists had signed up for enhanced driver's licenses, and other border states, including Arizona, Michigan and Vermont, have agreed to participate in the program. New York State will begin making the new licenses available to its residents after Labor Day.

But the possibility that the security of such cards could be compromised is just one reason for concern. Even if tighter data-protection measures could someday prevent unauthorized access to RFID-card data, many privacy advocates worry that remotely readable identity documents could be abused by governments that wish to tightly monitor and control their citizens.

China's national ID cards, for instance, are encoded with what most people would consider a shocking amount of personal information, including health and reproductive history, employment status, religion, ethnicity and even the name and phone number of each cardholder's landlord. More ominous still, the cards are part of a larger project to blanket Chinese cities with state-of-the-art surveillance technologies. Michael Lin, a vice president for China Public Security Technology, a private company providing the RFID cards for the program, unflinchingly described them to the New York Times as "a way for the government to control the population in the future." And even if other governments do not take advantage of the surveillance potential inherent in the new ID cards, ample evidence suggests that data-hungry corporations will.

Living a Tagged Life
If the idea that corporations might want to use RFID tags to spy on individuals sounds far-fetched, it is worth considering an IBM patent filed in 2001 and granted in 2006. The patent describes exactly how the cards can be used for tracking and profiling even if access to official databases is unavailable or strictly limited. Entitled "Identification and Tracking of Persons Using RFID-Tagged Items in Store Environments," it chillingly details RFID's potential for surveillance in a world where networked RFID readers called "person tracking units" would be incorporated virtually everywhere people go-in "shopping malls, airports, train stations, bus stations, elevators, trains, airplanes, restrooms, sports arenas, libraries, theaters, [and] museums"-to closely monitor people's movements.

According to the patent, here is how it would work in a retail environment: an "RFID tag scanner located [in the desired tracking location]... scans the RFID tags on [a] person.... As that person moves around the store, different RFID tag scanners located throughout the store can pick up radio signals from the RFID tags carried on that person and the movement of that person is tracked based on these detections.... The person tracking unit may keep records of different locations where the person has visited, as well as the visitation times."

The fact that no personal data are stored in the RFID tag does not present a problem, IBM explains, because "the personal information will be obtained when the person uses his or her credit card, bank card, shopper card or the like." The link between the unique RFID number of the tag and a person's identity needs to be made only once for the card to serve as a proxy for the person thereafter. Although IBM envisioned tracking people via miniature tags in consumer goods, with today's RFID border cards there is no need to wait for such individual product tags to become widespread. Washington's new driver's licenses would be ideally suited to the in-store tracking application, because they can already be read by Gen 2 inventory scanners in use today at stores such as Wal-Mart, Dillard's and American Apparel.

A tracking infrastructure will become increasingly fruitful to marketers as more people begin carrying, and even wearing, RFID-tagged items. At present, tens of millions of contactless credit and ATM cards containing RFID tags are in circulation, along with millions of employee access badges. RFID-based public-transit passes, widely used in Europe and Japan, are also coming to U.S. cities. IBM's person tracking unit is still only a patent, but an English amusement park called Alton Towers provides a living illustration of RFID's tracking potential. On entering the park, each visitor is offered an RFID wristband encoded with a unique ID number. As people enjoy the attractions, a network of RFID readers placed strategically throughout the park detects each wristband as it comes within range and triggers nearby video cameras. Candid footage of each individual is stored in a file labeled with the wristband ID number, then made available to the customer on a keepsake DVD at the end of the day.

Protecting the Public
If RFID tags can enable an amusement park to capture detailed, personalized videos of thousands of people a day, imagine what a determined government could do-not to mention marketers or criminals. That is why my colleagues in the privacy community and I have so firmly opposed the use of RFID in government-issued identity documents or individual consumer items. As far back as 2003, my organization, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)-along with the Privacy Rights Clearinghouse, the Electronic Privacy Information Center, the Electronic Frontier Foundation, the American Civil Liberties Union, and 40 other leading privacy and civil liberties advocates and organizations-recognized this threat and issued a position paper that condemned the tracking of human beings with RFID as inappropriate.

In response to these concerns, dozens of U.S. states have introduced RFID consumer-protection bills-which have all been either killed or gutted by heavy opposition from lobbyists for the RFID industry. When the New Hampshire Senate voted on a bill that would have imposed tough regulations on RFID in 2006, a last-minute floor amendment replaced it with a two-year study instead. (I was appointed by the governor to serve on the resulting commission.) That same year a California bill that would have prohibited the use of RFID in government-issued documents passed both houses of the legislature, only to be vetoed by Governor Arnold Schwarzenegger.

On the federal level, no high-profile consumer-protection bills related to RFID have been passed. Instead, in 2005, the Senate Republican High Tech Task Force praised RFID applications as "exciting new technologies" with "tremendous promise for our economy" and vowed to protect RFID from regulation or legislation.

In the European Union, regulators are at least examining the situation. The European Commission-the executive arm of the E.U.-has acknowledged the potential for serious privacy problems with RFID and opened a public comment period earlier this year. As of July, when this issue went to press, recommendations stemming from the public comments were set to be released later in the summer, but expectations for any consumer-privacy regulations were low. In a March 2007 speech, E.U. commissioner for information society and media Viviane Reding announced that the commission would not regulate RFID but instead would allow businesses to regulate themselves. "I am here to tell you that on RFIDs, there is not going to be a regulation," she said. "My view is that we should underregulate rather than overregulate so that this sector can take off."

Unfortunately, industry self-regulation has little force when it comes to protecting the public from RFID risks. EPCglobal, the industry body that now sets technical standards for RFID tags, also produced a set of guidelines for the use of the chips in retail. The organization's recommendations require, among other things, notice to consumers whenever products contain RFID tags-for instance, in the form of a recognizable RFID logo. Yet when Checkpoint Systems, a member company of EPCglobal, designed RFID tags to be hidden in the soles of shoes-in clear violation of the organization's own provisions-Mike Meranda, then president of EPCglobal, told me that since the guidelines were voluntary, there was nothing he or his organization could do about it.

The Washington State Department of Licensing reassures citizens that their personal information is safe because the RFID tag in an enhanced driver's license "doesn't have a power source" and "doesn't contain any personal identifying information"-even though those facts have no bearing on whether the card can be used for tracking. For some people, a false sense of assurance provided by such official mollifications could be dangerous. The National Network to End Domestic Violence, a group that vocally opposes the use of RFID in identity documents and consumer products, has submitted legislative testimony describing how abusers could use the technology to stalk and monitor their victims.

Meanwhile the RFID train is barreling forward. Gigi Zenk, a spokesperson at Washington's licensing agency, recently confirmed that there are 10,000 enhanced licenses "on the street now-that people are actually carrying." That's a lot of potential for abuse, and it will only grow. The state recently mustered a halfhearted response, passing a law that designates the unauthorized reading of a tag "for the purpose of fraud, identity theft, or for any other illegal purpose" as a class C felony, subject to five years in prison and a $10,000 fine. Nowhere in the law does it say, however, that scanning for other purposes such as marketing-or perhaps "to control the population"-is prohibited. We ignore these risks at our peril.

Note: This article was originally published with the title, "RFID Tag--You're It".

See link for furthur reading
Original Report

How Big Brother watches your every move

In our ever-growing surveillance society, the average Briton is being recorded 3,000 times a week.
LONDON SUNDAY TELEGRAPH [Barclay - PA: Conservative/centre-right] - By Richard Gray - August 17, 2008

In many cases information is kept by companies such as banks and shops, but in certain circumstances they can be asked to hand it over to a range of legal authorities

An investigation by The Sunday Telegraph has now uncovered just how much personal data is being collected about individuals by the Government, law enforcement agencies and private companies each day.

In one week, the average person living in Britain has 3,254 pieces of personal information stored about him or her, most of which is kept in databases for years and in some cases indefinitely.

The data include details about shopping habits, mobile phone use, emails, locations during the day, journeys and internet searches.

In many cases this information is kept by companies such as banks and shops, but in certain circumstances they can be asked to hand it over to a range of legal authorities.

Britain's information watchdog, the Information Commissioner's Office, has called for tighter regulation of the amount of data held about citizens and urged the public to restrict the information they allow organisations to hold on them.

This newspaper's findings come days after the Government published plans to grant local authorities and other public bodies access to the email and internet records of millions. Phone companies already retain data about their customers and give it to 650 public bodies on request.

The loss of data by Government departments, including an incident where HM Revenue and Customs mislaid computer disks containing the personal details of 25 million people, has heightened concerns about the amount of information being stored.

David Smith, deputy information commissioner, said: "As more and more information is collected and kept on all of us, we are very concerned that appropriate safeguards go along with that.

"People should know what is happening with their information and have a choice.

"Our concern is that what is kept with the justification of preventing and detecting terrorism, can then be used for minor purposes such as pursuing people for parking fines."

Earlier this year the Commons home affairs select committee recommended new controls and regulations on the accumulation of information by the state.

Mobile phones
Every day the average person makes three mobile phone calls and sends at least two text messages.

Each time the network provider logs information about who was called as well as the caller's location and direction of travel, worked out by triangulation from phone masts.

Customers can also have their locations tracked even when they are not using their phones, as the devices send out unique identifying signals at regular intervals.

All of this information can be accessed by police and other public authorities investigating crimes.

The internet
Internet service providers (ISPs) compile information about their customers when they go online, including name, address, the unique identification number for the connection, known as an IP address, any browser used and location.

They also keep details of emails, such as whom they were sent to, together with the date and time they were sent. An average of 50 websites are visited and 32 emails sent per person in Britain every day.

Privacy campaigners have expressed concern that the country's three biggest ISPs - BT, Virgin Media and TalkTalk - now provide this data to a digital advertising company called Phorm so that it can analyse web surfing habits.

ISPs are already voluntarily providing information they hold about their customers if requested by law enforcement agencies and public authorities. A consultation published last week by the Government would make it a legal requirement for ISPs to provide a customer's personal information when requested. A total of 520,000 requests were made by public officials for telephone and internet details last year, an increase from around 350,000 the previous year.

Internet search engines also compile data about their users, including the IP address and what was searched for. Google receives around 68 searches from the average person each day and stores this data for 18 months.

Dr Ian Brown, a research fellow on privacy at Oxford University, said: "Companies such as Google and internet service providers are building up huge databases of data about internet users.

"These companies may be compelled, through a legal action, to hand over this information to third parties or the Government, or the companies may lose the data and it can then be misused."

Loyalty cards
Store "loyalty" cards also retain large amounts of information about individuals who have signed up to use them. They link a person's personal details to the outlets used, the transaction times and how much is spent.

In the case of Nectar cards, which are used by more than 10 million people in Britain once a week, information from dozens of shops is compiled, giving a detailed picture of a cardholder's shopping habits.

A spokesman for Loyalty Management UK, which runs the Nectar programme, insisted that information about the items bought was not compiled, but some partners in the scheme, such as Sainsbury's, use their till records to compile that information.

She admitted that the personal information that is compiled under the Nectar scheme is kept indefinitely until individuals close their account and ask for their information to be destroyed. In criminal inquiries, police can request the details held by Nectar.

Banks
Banks can also be required to hand over personal account information to the authorities if requested as part of an investigation.

They also provide personal data to credit reference agencies, debt collectors and fraud prevention organisations.

Debit and credit card transactions can give information about where and on what people are spending their money.

CCTV
The biggest source of surveillance in Britain is through the network of CCTV (closed-circuit television) cameras. On average, an individual will appear on 300 CCTV cameras during a day and those tapes are kept by many organisations for indefinite lengths of time.

On the London Underground network, Transport for London (TfL) keeps footage for a minimum of 14 days. TfL operates more than 8,500 CCTV cameras in its underground stations, 1,550 cameras on tube trains and up to 60,000 cameras on buses.

Network Rail refused to say how many CCTV cameras it operates or for how long the footage is kept.

Britain now has more CCTV cameras in public spaces than any other country in the world. A study in 2002 estimated that there were around 4.2 million cameras, but that number is likely to now be far higher.

Number plate recognition
The latest development in CCTV is the increased use of automatic number plate recognition systems, which read number-plates and search databases for signs that a vehicle has been used in crime.

A national automatic number plate recognition system is maintained by the Association of Chief Police Officers along motorways and main roads. Every number plate picked up by the system is stored in a database with date, time and location for two years.

Public transport
Travel passes such as the Oyster Card used in London and the Key card, in Oxford, can also reveal remarkable amounts of information about an individual. When they are registered to a person's name, they record journey history, dates, times and fares.

A spokesman for TfL, which runs the Oyster Card system, insisted that access to this information was restricted to its customer services agents.

Police, however, can also obtain this information and have used Oyster Card journey records as evidence in criminal cases.

The workplace
Employers are increasingly using radio-tagged security passes for employees, providing them with information about when staff enter and leave the office.
Original Report

Homeland Security Detects Terrorist Threats by Reading Your Mind

FOX NEWS [News Corporation/Murdoch] - By Allison Barrie - September 23, 2008
Baggage searches are SOOOOOO early-21st century. Homeland Security is now testing the next generation of security screening - a body scanner that can read your mind.

Most preventive screening looks for explosives or metals that pose a threat. But a new system called MALINTENT turns the old school approach on its head. This Orwellian-sounding machine detects the person - not the device - set to wreak havoc and terror.

MALINTENT, the brainchild of the cutting-edge Human Factors division in Homeland Security's directorate for Science and Technology, searches your body for non-verbal cues that predict whether you mean harm to your fellow passengers.

It has a series of sensors and imagers that read your body temperature, heart rate and respiration for unconscious tells invisible to the naked eye - signals terrorists and criminals may display in advance of an attack.

But this is no polygraph test. Subjects do not get hooked up or strapped down for a careful reading; those sensors do all the work without any actual physical contact. It's like an X-ray for bad intentions.

Currently, all the sensors and equipment are packaged inside a mobile screening laboratory about the size of a trailer or large truck bed, and just last week, Homeland Security put it to a field test in Maryland, scanning 144 mostly unwitting human subjects.

While I'd love to give you the full scoop on the unusual experiment, testing is ongoing and full disclosure would compromise future tests. . . .

So here's how it works. When the sensors identify that something is off, they transmit warning data to analysts, who decide whether to flag passengers for further questioning. The next step involves micro-facial scanning, which involves measuring minute muscle movements in the face for clues to mood and intention.

Homeland Security has developed a system to recognize, define and measure seven primary emotions and emotional cues that are reflected in contractions of facial muscles. MALINTENT identifies these emotions and relays the information back to a security screener almost in real-time.

This whole security array - the scanners and screeners who make up the mobile lab - is called "Future Attribute Screening Technology" - or FAST - because it is designed to get passengers through security in two to four minutes, and often faster.

If you're rushed or stressed, you may send out signals of anxiety, but FAST isn't fooled. It's already good enough to tell the difference between a harried traveler and a terrorist. Even if you sweat heavily by nature, FAST won't mistake you for a baddie.

"If you focus on looking at the person, you don't have to worry about detecting the device itself," said Bob Burns, MALINTENT's project leader. And while there are devices out there that look at individual cues, a comprehensive screening device like this has never before been put together.

While FAST's batting average is classified, Undersecretary for Science and Technology Adm. Jay Cohen declared the experiment a "home run."

As cold and inhuman as the electric eye may be, DHS says scanners are unbiased and nonjudgmental. "It does not predict who you are and make a judgment, it only provides an assessment in situations," said Burns. "It analyzes you against baseline stats when you walk in the door, it measures reactions and variations when you approach and go through the portal."

But the testing - and the device itself - are not without their problems. This invasive scanner, which catalogues your vital signs for non-medical reasons, seems like an uninvited doctor's exam and raises many privacy issues.

But DHS says this is not Big Brother. Once you are through the FAST portal, your scrutiny is over and records aren't kept. "Your data is dumped," said Burns. "The information is not maintained - it doesn't track who you are."

DHS is now planning an even wider array of screening technology, including an eye scanner next year and pheromone-reading technology by 2010.

The team will also be adding equipment that reads body movements, called "illustrative and emblem cues." According to Burns, this is achievable because people "move in reaction to what they are thinking, more or less based on the context of the situation."

FAST may also incorporate biological, radiological and explosive detection, but for now the primary focus is on identifying and isolating potential human threats.

And because FAST is a mobile screening laboratory, it could be set up at entrances to stadiums, malls and in airports, making it ever more difficult for terrorists to live and work among us. - - - -

Allison Barrie, a security and terrorism consultant with the Commission for National Security in the 21st Century, is FOX News' security columnist.
Read Full Report

Secret EU security draft risks uproar with call to pool policing and give US personal data

THE GUARDIAN [Guardian Media Group, UK] - By Ian Traynor in Brussels - August 7, 2008
Europe should consider sharing vast amounts of intelligence and information on its citizens with the US to establish a "Euro-Atlantic area of cooperation" to combat terrorism, according to a high-level confidential report on future security.

The 27 members of the EU should also pool intelligence on terrorism, develop joint video-surveillance and unmanned drone aircraft, start networks of anti-terrorism centres, and boost the role and powers of an intelligence-coordinating body in Brussels, said senior officials.

The 53-page report drafted by the Future Group of interior and justice ministers from six EU member states - Germany, France, Sweden, Portugal, Slovenia, and the Czech Republic -argues Europe will need to integrate much of its policing, intelligence-gathering, and policy-making if it is to tackle terrorism, organised crime, and legal and illegal immigration.

The report, seen by the Guardian, was submitted to EU governments last month following 18 months of work. The group, which also includes senior officials from the European Commission, was established by Germany last year and charged with drafting a blueprint for security and justice policy over the next five years.

Baroness Scotland, the UK attorney general, had observer status with the group to assess the implications for Britain, whose legal system, unlike continental Europe, is based on the common law.

The group's controversial proposals are certain to trigger major disputes, not least its calls for Europe to create an expeditionary corps of armed gendarmerie for paramilitary intervention overseas.

The report said the EU would fail to beat terrorism unless it developed a full partnership with Washington, a process currently pushing ahead in fits and starts.

"The EU should make up its mind with regard to the political objective of achieving a Euro-Atlantic area of cooperation with the United States in the field of freedom, security and justice," it said.

Such a pact, which should be finalised by 2014 at the latest, would entail the transfer of vast volumes of information on European citizens and travellers to the US authorities. Negotiations have long been under way to agree such a pact, but have been bedevilled by divergences in privacy law and data protection regimes.

The US is already demanding that EU countries sign up for a battery of security measures on transatlantic flights and the supply of personal information on passengers if they are to enjoy visa-free travel to the US. Under one such accord struck in March between Washington and Berlin, the Germans are to make DNA and biometric information on travellers available. . . .

While urging a comprehensive transatlantic electronic pact, the Future Group focuses mainly on boosting police cooperation and integration between EU states, policies which would reinforce the powers of European agencies and institutions bearing acronyms such as Europol, Eurojust, Frontex, and Sitcen and perhaps see new agencies established to deal with security and intelligence operations. . . .

The report calls for a bigger role for "Sitcen" in coordinating intelligence sharing. Sitcen, or the Joint Situation Centre, is a shadowy intelligence body based in Brussels which started as a foreign policy tool supplying analysis on international crises to Javier Solana, the EU foreign policy chief, but which now focuses on counter-terrorism and internal security policy.

Key points:

• National police forces to cooperate and integrate
• Improve European-level crisis management
• Need to harness the talents of "different actors" in fighting terrorism
• National security services and intelligence agencies need to collaborate much more closely
• New EU internet-based propaganda campaign to defeat radicalisation and terrorist recruitment
• Create "European Gendarmerie Force" for deployment and intervention abroad. Pooling of EU funds for such missions
• Common EU immigration policies. By 2014, EU leaders should make the political decision on whether to enter a "Euro-Atlantic area of freedom, security, and justice" with the Americans

Read Full Report

* Emphasis Added

Big Brother wants every single e-mail, text

Plan would create huge expansion of government surveillance
WORLDNETDAILY - July 29, 2008
LONDON -- Britain's MI5 intelligence service has persuaded the Home Office to get government approval for a massive increase in surveillance in Britain, already the most-watched nation in the West, according to a report from Joseph Farah's G2 Bulletin.

In London, every citizen already is captured on camera an average of 400 times a day. An increasing number of the cameras are directly linked to MI5's state-of-the-art computers in the basement of headquarters overlooking the Thames. Billions of images are