At the Instituto de Segurança Pública

Paola and I had a very productive interview with Colonel Mario Sergio de Brito Duarte, the Director President of the Institute for Public Security (ISP) in Rio de Janeiro. The ISP is a state-level organisation with multiple functions including research on public security and the compilation of crime statistics; professional development for the police services (and also more broadly to encourage greater cooperation and coordination between military and civil police); and community involvement and participation in the development of security policy. The Colonel gave us an hour and a half of his time to explain his view on a wide range of issues around crime, security, the problems of the favelas, and the potential for surveillance, social interventions and policing in solving these problems.

As with many senior police (and military) officers with whom I have talked over the years, the Colonel is an educated, thoughtful man who has strong views based in his experiences as a front-line officer with the Policia Militar in Rio (including some years in BOPE, the special operations section) – as detailed in his book, Incursionando no Inferno (Incursions into the Inferno). Despite how the title may sound, he was far from being gung-ho or authoritarian in his views, emphasising throughout, as with almost everyone I have talked to, that socio-economic solutions will be the only long-term guarantee of public security in Rio. And he certainly had no sympathy for the illegal actions of militias, despite understanding why they emerged and continued to be supported by some sections of the community.

However, it was also clear to him that current policies like Mayor Eduardo Paes’ ‘choque de ordem’ strategy, which involves demolitions of illegally-built houses in the favelas, were absolutely necessary as well. He spent some time outlining his view of the history of how drug gangs infiltrated and gained control of many favelas, and in particular the importance of their obtaining high quality small arms – though he was vague on exactly where these arms came from. I have, of course, heard allegations from other interviewees that corrupt soldiers and policemen were one common source of such weapons.

From the point of view of surveillance studies, it was notable how profoundly indifferent the Colonel appeared to be towards the growth of surveillance, and in particular CCTV cameras. He argued that they might be a useful supplement to real policing, but he certainly did not appear to favour a UK-style ‘surveillance society’ – of which, at least in Rio, there seems little sign as yet. He was similarly indifferent towards other central state social interventions like the Programa Bolsa Familia (PBF), and initiatives like ID cards – of course they might help in some way, but he certainly made no attempt to argue, as the UK government has done, that such technology will make a big difference to fighting crime and terrorism (indeed it was interesting that ‘terrorism’ was not mentioned at all – I guess that, when you have to deal with the constant reality of poverty, drugs and fighting between police and gangs, there is no need to conjure phantasms of terror). Even so, the Colonel recognised that the media in Rio did create fantasies of fear to shock the middle classes, and that this sensationalism did harm real efforts to create safer communities.

There was a lot more… but that will have to wait until I have had the whole interview transcribed and translated. In the meantime, my thanks to Colonel Mario Sergio Duarte and to the very nice and helpful ISP researcher Vanessa Campagnac, one of the authors of the analysis of the Rio de Janeiro Victimisation Survey, who talked to us about more technical issues around crime statistics.

Sport and Surveillance: new Brazilian football fans ID

Sport and surveillance might not seem the most closely linked topics, but there are intersections and these are increasing in number. Sports ‘mega-events’ are often the trigger for surveillance surges, with the introduction of new technologies and practices. Because of the use of drugs and other medical techniques to illicitly aid performance, the practice of sport is now a subject of constant suspicion and the bodies of sportspeople are the sites of intense scrutiny (drugs testing, biological passports etc.). And finally, sports fans are subject to all kinds of controls and monitoring.

In this last area, the Brazilian government has recently announced a national ID card scheme for football fans… this is of course in addition to the new national ID card that everyone in Brazil will have to carry anyway.

However, in common with many commentators here, Brazilian football researcher, Oliver Seitz, does not believe the plan will or should happen. He makes a penetrating comparison to the very similar proposals in the UK in the 1980s and also notes that, whatever the problems of violence in Brazilian stadiums, they are not the main problem, which is the crumbling and unsafe infrastructure of football stadia. The one recent tragedy in Brazilian football, when 7 fans died after falling through rotten seating at Fonte Nova, he says “only happened because the stadium was literally falling to pieces. In that situation, the identification wallet would not have saved the victims”.

He is quite right. As usual this appears to be a case of a technological ID solution to a problem that has nothing to do with identification. To paraphrase Seitz’s conclusion, Brazilian supporters are treated like animals, so they behave like animals, and under this plan, it will be no different, except that they will be officially identified animals!

(Thanks to a dedicated Corinthians fan, Rodrigo Firmino, for this story – which is one with which I am catching up after my holiday!)

A quarter of UK databases break privacy laws

A new report for the Joseph Rowntree Reform Trust by a very credible team, largely from the Foundation for Information Policy Research (FIPR), that combines engineers, lawyers, software developers, and political scientists, has concluded that a quarter of the UK public-sector databases are illegal under human rights or data protection law. It also looks at UK involvement in some European database projects and finds all of them questionable too.

The report rates the 46 databases on a traffic light system – green, amber, red – and argues that those rated ‘red’, in particular the National Identity Register and the Communications Database, are simply unreformable and should be scrapped. This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal, and not just massively expensive, morally questionable or politically undesirable. In fact, a quarter of all the databases were found to contravene the law and more than half were ‘problematic’ (i.e. open to challenge in court). All of those rated ‘amber’ (29 databases), the authors argue, should be subject to independent review.

There are a number of other major recommendations, including the reassertion of the necessity and proportionality tests contained in DP law, that citizens should have anonymous rights to access data, more open procurement of systems, and better training processes for civil servants. The most important and radical measures proposed, and entirely correctly in my view, are those concerning the location of data and the whole nature of UK IT development. For the former, the report recommends that the default location for sensitive personal data should be local, with national systems kept to a minimum – this appears to be rather like the ‘information clearing house’ system as opposed to central databases, that we proposed in our Report on the Surveillance Society, but better worded and justified! In the latter case, the authors simply note that fewer than 30% of government IT projects succeed at a cost of 16Bn GBP per annum and that there should never be a general and aimless government IT program; rather, there should only ever be specific projects for clearly defined and justified (proportional and necessary) aims.

It is an excellent report and probably unanswerable in its logic. Tellingly, The Guardian report contains no response from any government minister…

David Blunkett Attacks Surveillance!

I know. Pause. Take a deep breath…

You read it right. The former UK Home Secretary, with a reputation as one of the most authoritarian of recent years (though it is hard to choose in that regard), will condemn the growth of surveillance in a speech at the University of Essex today. He will also, according to Tom Young at VUnet, call for the ID card scheme (which he introduced!) to be scrapped, and for the information-sharing powers that were hidden in the new Coroners and Justice Bill, to be reduced. He also argues that the latter will happen as he knows the Justice Minister, Jack Straw, recognises the problem.

I don’t know whether to laugh or cry. Certainly it is fantastic when a prominent figure like this changes their mind and is prepared to admit that they were wrong; I just wish that sometimes they listened to the arguments against what they were doing when they were in office. In addition, of course, Blunkett spent several years after leaving office writing very strong pro-surveillance, pro-ID card pieces for the populist, right-wing tabloid newspaper, The Sun, and is (or was), according to the Register of House of Commons Members’ Interests, paid £25-30,000 ($35-40,000 US) as the Chair of the International Advisory Committee of Entrust Inc., a company that works on digital certification and Internet surveillance, and which was involved in consortia for the ID card contract. Perhaps they have had enough of him.

But let’s hope he really has had a genuine change of heart.

At the Departamento de Policia Federal

Both human rights advocates and the police seem to be strongly in favour of the new RIC system as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state.

Departamento de Policia Federal, Brasilia

I have just come back from a very productive interview with Romulo Berredo, from the Director-General’s office at the Departamento de Policia Federal (DPF), who are the Brazilian equivalent of the FBI. There was a lot covered and I couldn’t hope to reproduce it all here. There were however a number of immediately interesting aspects.

The first was more evidence that the whole basis on which identity cards and database issues are being considered here is entirely different from the UK. Now I know this represents a police, and a state, view, but so far, both Brazilian human rights advocates and the police seem to be strongly in favour of the new Registro de Identidade Civil (RIC) system. This is both as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state. It is fairly easy to acquire 27 different identities in Brazil at present. And identification is important here. The great fear that many people seem to have – indeed it was called a ‘cultural’ characteristic by Berredo – is not the use of identification by the state as a form of control or intrusion but as a guarantee against the anonymity that would allow abuses by the state or indeed by other malicious persons. It provides a metaphysical and material kind of certainty and stability. The legacy of the last dictatorship was not so much an East German-style nightmare of knowledge and order but of corrupt and arbitrary rule.

It is this latter legacy which also drives the divisions between the different police forces in Brazil. The states-based Policia Militar (Military Police) and Policia Civil are both tainted in different ways by associations with authoritarian rule, and the former particularly with extra-legal execution and torture, and they continue to be regarded with caution, suspicion or even hatred by many Brazilians. The other police forces are also suspicious of the growing role of the DPF, which is often seen in terms of a power struggle not rational subsidiarity. Ironically then it is the states-based police forces that are dragging their heels over plans to create the kinds of national databases of criminal information that the UK has, and not for any libertarian reasons. In fact the DPF seem far more concerned with protecting human rights and defending the idea of citizenship, and because they are tasked with anti-corruption investigations have even arrested Senators and Judges, something unheard of even ten years ago. Of course those very same Senators and Judges are now fighting back, in a manner rather similar to Berlusconi in Italy, trying to alter the law to give immunities and protections. For example, handcuffing of arrested suspects was always normal until it happened to a Senator arrested for corruption. The Senate suddenly became interested in the ‘human rights’ of arrested suspects and passed a law limiting the use of handcuffs! Corruption at every level is still an enormous problem here, though Berredo argued that it was largely associated with those who had retained power from the years of the dictatorship.

The concentration on inclusion and joining-up government where it is clearly much needed does however lead to some gaps in thinking. The creation of new databases brings with it new duties and new potential problems of data-handling. As the privacy and data-protection law expert, Danilo Doneda, pointed out to me the other day, Brazil is in an almost unique position in not having any kind of regulator for privacy and information / data rights. He argued it was because the authorities just don’t see the need. Berredo confirmed this. He claimed that the DPF were trusted by the public – and relative to other police forces, that is certainly true! – and that they had to carry out their duties appropriately or they would lose that trust. It sounds nice, but it isn’t a good-enough (or legally-sound) basis for the protection of data-rights.

It all confirmed once again that Brazil is not yet a surveillance society – the state does not yet have the capabilities. There is no national database of fingerprints (even for convicted criminals) for example. But as Berredo said, it is moving in that direction. He was keen that there should be limits. I liked the fact that he used this word. ‘Limits’ is a word that I found that neither the UK government nor the European Commission seem to like, and they seem very unwilling to say what limits might be. However Berredo was quite clear that a technologically-driven surveillance future in which individuals could be tracked – he used the example of Google Latitude – was not one which he wanted to see. He recognised that he was both a policeman (at work) and a private citizen (at home) and that he, as much as anyone else, valued his privacy.

(Thank you very much to Delegado Romulo Berredo of the DPF, for his openness, time and patience, and also to Agent Alessandre Reis, for his help.)

Britain ‘risks a police state’

Following the damning reports of the House of Lords Constitution Committee and, yesterday, the International Commission of Jurists, now Stella Rimington, ex-Head of the security service, MI5, has warned that Britain risks becoming a police state. In an interview with the Spanish newspaper La Vanguardia reported by the Daily Telegraph, Ms Rimington attacked government plans for the National Identity Register and the soon-expected plans for a database of all communications (delayed from last year). If even ex-heads of the security service are now asking the government to change direction, in addition to civil liberties experts, independent judges, and just about everyone else, their stock of excuses must be rapidly diminishing. The current cabinet must know that their actions smack of the desperation of a failing government desperately searching for votes in being ‘tough on crime and terrorism’… but they seem to be locked into a trajectory of ever-increasing surveillance and security that they cannot justify but cannot escape. You do wonder who is actually advising them that this is all a good idea…

UK travel database

Lots of media outlets today and yesterday reporting on the UK government’s e-Borders initiative. I’m not quite sure why particularly now: we’ve known about the e-Borders program – which is based around the new RFID-chipped passports – for some time. Of course the system involves collecting vast amounts of data, including rather more personal information than seems in any way necessary, like for example, travel companions – as if terrorists and criminals will obediently identify themselves by booking and traveling together!

For that is the justification for all this. On the Politics.co.uk website, Phil Woolas, the Minister of State for Borders and Immigration – another barrel-scraping appointment by a government that doesn’t really have many options for ministers now – said that this is just about allowing ‘us to count all passengers in and out of the UK.’ But this isn’t just counting. What was a system derived in a combination of bowing to US demands after 9/11 and embarrassment over the government’s total inability to counter opposition criticism over immigration with any real facts has expanded its functionality (as with all of these systems) into something rather more comprehensive.

Woolas goes on to say that it ‘targets those who aren’t willing to play by our rules’ – tough talk, but with the ever increasing numbers of trivial, silly and sometimes plain bad rules introduced by the current government, it’s hard to know what playing by the rules means anymore. This is a major problem for those who just accept all of this with a shrug and argue ‘nothing to hide nothing to fear’. I also wonder how long it will be before this database is hacked or details get left on a train or the whole thing is ‘lost’. Maybe I will start paying attention to Phil Woolas’s idea of the rules when his government starts paying attention to the European Convention on Human Rights, introduces some proper accountability and oversight for all these new surveillance initiatives as the House of Lords recommended, and stops losing our data and pandering to fear. Accountability, competence, ethics and rationality: it’s not much to ask from a government is it?

Britain is a surveillance society and it must change: detailed analysis of the Lords Constitution Committee report

It’s 3.00am here in Brazil, and I have just spent the last four hours reading, analyzing and writing about the House of Lords Constitution Committee Report Surveillance: Citizens and the State. My expectations of the work of the committee have generally not been disappointed. This is probably the best parliamentary report on surveillance I have ever read, and if only half of the recommendations are given any attention by the government, then Britain will be a much better place. However it is not only relevant to Britain. The UK seems to have come to be regarded as some kind of model for other democracies to follow in terms of surveillance and security – at least by governments. Reading this report should serve to disabuse others of any notion that Britain is a good example.

Here’s the detailed analysis. It is long and there are no pictures! But this is serious stuff. I have gone through the whole report and thought about all the recommendations. It is worth remembering first of all what the Committee was asked to do. Here are the questions they started out with:

  • Have increased surveillance and data collection by the state fundamentally altered the way it relates to its citizens?
  • What forms of surveillance and data collection might be considered constitutionally proper or improper? Is there a line that should not be crossed? How could it be identified?
  • What effect do public and private sector surveillance and data collection have on a citizen’s liberty and privacy?
  • How have surveillance and data collection altered the nature of citizenship in the 21st century, especially in terms of citizens’ relationship with the state?
  • Is the Data Protection Act 1998 sufficient to protect citizens? Is there a need for additional constitutional protection for citizens in relation to surveillance and the collection of data?

The answers to the first and last questions are, in short, ‘yes’ and ‘no’ respectively. Their basic conclusion is that increasing surveillance by the state is the greatest change to the nature of the relationship between state and individual in Britain since the end of the second world war. In opposition to the House of Commons Home Affairs Committee report from last year, and largely in support of our Report on the Surveillance Society from 2006 and that of the Royal Academy of Engineers from 2007, they show that Britain is a surveillance society, and that this must change. They do not go so far as to recommend an Information Act to bring all legislation in this area together, as I have been arguing, but they do advocate significant new legal / constitutional measures to rebalance the state-individual relationship in favour of the individual.

There are 8 chapters of consideration of all of the evidence given, which is treated in a very careful and even-handed way. The Home Office, the police and the Surveillance Commissioners for example, all come in for a telling-off at various points, but at the same time, some of the current government’s initiatives on openness are quite rightly praised (although of course they don’t go far enough in tackling the culture of secrecy that has plagued British government for far too long).

Who comes out of it well? First of all, the Information Commissioner, Richard Thomas and his office (the ICO). This is entirely right. None of this debate would have happened without him and he continues to push the agenda forward in an activist manner that many campaigners should look to as an example. Secondly, the media. The Lords seem to be very aware of the role of investigative journalists in holding the government to account. People are too willing these days to make blanket generalisations about the media as if they were all superficial and obsessed with celebrity. In the case of surveillance, the BBC and The Guardian in particular have done a great job. Thirdly academics and campaigners alike come across as far more informed and sensible about this than the state, which leads the Lords to recommend that the government pay us far more attention. On a personal note, it is a bit disconcerting to see myself, Surveillance Studies Network and other people and organizations with whom I work mentioned (approvingly) quite so much in such an important document…

The Committee place the two values of privacy and freedom as the foundations of its recommendations. The Lords argue that privacy and the restraint of state powers are at the heart of liberty, and that they should be taken into account at all times. There is, I am very pleased to see, no mention of ‘trade-offs’ between freedom and security and it seems that they accepted my argument (they do quote me on this) that when claims to protect fundamental freedoms by increasing security are actually eroding those freedoms, the tacit agreement that binds people and state is broken. They stress that all organisations involved in surveillance and data handling need to give far more attention to privacy at all stages, indeed that it should be built in.

There are many individual recommendations. The first concern the Information Commissioner. Basically, the Lords argue that he should be given more extensive powers and more resources, specifically:

  • to have a role in assessing the effect of any new surveillance measure on public trust;
  • to be able to monitor the human rights (Article 8, ECHR) effects of government and private surveillance practices on the public;
  • to be consulted by the government at the earliest stages of policy development – they specifically attack the government for not doing so thus far;
  • to extend the ICO’s power of inspection to private companies (again something I am quoted on) – they don’t note that the power of inspection over government departments was only granted in a rush by Gordon Brown following the revelations of disastrous losses of data by various state bodies;
  • to speed up the implementation of the ICO’s new power to fine bodies that break the rules on data protection and freedom of information;
  • to be a statutory consultee on all surveillance and data processing laws and for the ICO to report to Parliament on this;
  • for the government and the ICO to undertake a review of the law governing citizens’ consent to use of their personal data – there is quite a lot of interesting discussion in the body of the report on how consent might operate, and I am very pleased that they haven’t, unlike the government, given up on the importance of consent;
  • for the government to work with the ICO on raising public awareness as it should already be doing but has failed to do;
  • and finally, and this is really important – for the Data Protection Act to be amended to mandate a Privacy Impact Assessment (PIA) “prior to the adoption of any new surveillance, data collection or processing scheme, including new arrangements for data sharing” with a role for the ICO in overseeing these. The government will probably try to ignore this, but this is the most crucial recommendation for future policy.

On the various other commissions – of which there are too many in my opinion – they merely recommend that the Surveillance and Communications Commissioners work together better and seek the advice of the ICO, especially with regard to the misuse of powers under the Regulation of Investigatory Powers Act (RIPA), and that the Investigatory Powers Tribunal stops hiding from the public. These are weak recommendations. Later they are rather more robust about the problems of having too many ineffectual regulators of RIPA, but despite a brief mention, any recommendations regarding the regulation of the Intelligence Services get quietly dropped along the way (not surprisingly). I would have thought that recommending at the very least that the offices of the Surveillance and Communications Commissioners are brought under the control of the ICO, if not completely absorbed into the ICO, would have been a much better long-term move.

They also have a number of other recommendations on the egregious RIPA, firstly that the (inadequate) administrative procedures are reviewed and secondly that the government should think again about the whole business of allowing Local Authorities police powers, and that in any case, these powers "should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years." In my opinion, this effectively amounts to saying ‘repeal RIPA’ without saying so directly. The use of intense targeted surveillance powers to deal with minor infractions is what a lot of RIPA is all about whether that was the intention or not. It is an ill-thought out and badly worded law, like so many in this area.

The Lords recognize this deficiency in detail and specificity and argue as a general point, following the Human Rights Committee, that “the Government’s powers should be set out in primary legislation.” Crucially they also note that the government has not seemed very concerned with what happens after legislation is passed or how it works. They recommend the formation of a new Joint Committee in parliament on surveillance and data powers that would have post-legislative scrutiny as one of its key functions.

There are several measures concerning particular technologies. Their coverage of technologies of surveillance and data collection is not too bad. I gave a seminar to the Committee on the range of surveillance technologies before they started their hearings, and I was beginning to despair at the levels of knowledge – “can they really do that?” was a common cry – and yet here they consider everything from CCTV to ubiquitous computing / ambient intelligence. There are still major deficiencies however. Although they take my point that government needs to get ahead of the technological game in order to regulate effectively, they still have not. They don’t recommend anything specific about the use of scanners in public places, location tracking, about the increasing dependence on RFID, or about the new flexibility, mobility, decrease in size and bodily intrusiveness of surveillance technologies and what this means for regulation. Mind you that is all in our report to the ICO that inspired all this (see Paragraph 4!).

They recommend that:

  • the Government comply fully with the recent ruling from the European Court of Human Rights that DNA profiles of innocent people are no longer kept indefinitely on the National DNA Database (NDNAD) – they also rule out a complete national database on both liberty and cost grounds, and argue that there should be a single, clear law governing the NDNAD and better transparency all-round.
  • On CCTV, they recommend more research on “the effectiveness of CCTV in preventing, detecting and investigating crime”, and more importantly that the government finally put CCTV on a proper statutory basis, with clear regulations, and systems of complaint and redress.
  • The report is at its weakest on the proposed new National Identity Register (NIR) and ID card. No2ID will not be happy, as all that they say is that “the Government’s development of identification systems should give priority to citizen-oriented considerations.” This is practically meaningless. Considering that this is the Constitution Committee report, and that the NIR and ID card are at the heart of how the government sees the information relationship between state and individual, this is also an unacceptable and compromised omission. No doubt it is evidence of a key area of disagreement amongst members, but the Chair should have banged some heads together on this one!
  • Although it is treated as a legislative measure, the Lords recommend mandatory encryption of personal data “in some circumstances.” This should have been stronger – bear in mind that most of the data lost by the state over the last few years was not encrypted.
  • They also recommend that the government incorporate ‘design solutions’ in particular Privacy-Enhancing Technologies (PETs) in all new schemes. This is good as a minimum – we have to make sure that the government doesn’t use PETs as a way of claiming to have dealt with the problem – ooh, look: technology!

In other general measures for the whole of government, the Lords return to their central themes, specifically:

  • that Government should instruct government agencies and private organisations involved in surveillance and data use on compliance with Article 8 ECHR and in particular the legal meanings of necessity and proportionality. They also recommend legal aid should be available for challenges under Article 8.
  • a system of judicial oversight for surveillance carried out by public authorities, with compensation “to those subject to unlawful surveillance by the police, intelligence services, or other public bodies” acting under RIPA. This would be a severe blow to the ad-hoc and effectively extra-legal expansion of surveillance powers under the present government. It would be great if it happens, but I am not going to hold my breath until it does…
  • increasing the stature and power of the data protection minister
  • lots of general blah about improving safeguards and restrictions on data handling and implementing standards and training, and education, to improve public confidence. But the thing is, public confidence isn’t really the main issue. Public confidence is low because the government and its private sector contractors have been time and again demonstrated to be incompetent.
  • there are also several paragraphs of recommendations which basically amount to saying ‘listen to the public’ and particularly, pay attention to pressure groups and research in this area because they know what they are talking about. They are right, you know – we do! They also want more research to get better information on public opinion in this area. We can do that too!

Despite this slight degeneration into well-meaning generality at the end, and despite the glaring hole when it comes to the NIR and ID cards, the principles advocated by this report, if implemented, would transform the direction of government in Britain. Many of the individual recommendations are things that I and others have been arguing for, for some time.

So what was the government’s first response? Well, the thoroughly useless Home Secretary, Jacqui Smith, according to the BBC has “rejected claims of a surveillance society as “not for one moment” true and called for “common sense” guidelines on CCTV and DNA.” When she has read the report she will realize that such guidelines are right in front of her – indeed, she got ‘common sense’ from the European Court on the DNA database some time ago and her department still does not know what to do with it!

As I said, if even half of this report is acted on, Britain’s ways of dealing with surveillance will be transformed. I am not paying much attention to the Conservatives – in opposition you can say anything and they will beat the government with the liberty stick one day and the security stick the next. The question is, are New Labour brave enough to admit that their approach to surveillance has been almost entirely wrong?

We will soon find out.

RFID chips readable 'from more than a mile away'

A story that has been circulating around the place over the last 48 hours, but which was originally in The Register on February 2nd, was the latest from Chris Paget's valiant attempts to show that using RFID chips is just about the worst way to safeguard confidential information. This time he drove around San Francisco with a simple antenna and managed to read the unique number (which can be used to gain access to information on the US Department of Homeland Security database) from passports up to 30 feet (around 13m away), but he claims that with more powerful equipment, chips could be read from more than a mile (1.6km) away. There is also a very informative video on the site.

The important thing about RFID chips is not that they are the 'Mark of the Beast' or any other such nonsense but that they are an appalling security risk…

Transport Surveillance in Brazil (1) SINIAV

One of the items reported on in Privacy International's assessment of privacy in Brazil was that "in November 2006, the Brazilian National Road Traffic Council approved a Resolution adopting a Radio Frequency Identification (RFID) tags in all licensed vehicles across the country." The Conselho Nacional de Trânsito (CONTRAN) is part of the Departamento Nacional de Trânsito (DENATRAN), itself part of the massive new Ministério das Cidades (Ministry of Cities), the product of Lula's major ministerial reforms designed to shift emphasis and power away from the large rural landowners to the growing numbers of increasingly populous cities.

The new scheme is called the Sistema Nacional de Identificação Automática de Veículos (SINIAV, or National System for the Automatic Identification of Vehicles). Basically it will put an RFID-tag in every vehicle license plate, in a gradual process. Much like the new ID scheme for people, SINIAV is based on a unique number. In Annex II, Paragraph 3, the resolution provides a breakdown of exactly what will be contained in the tiny 1024-bit chip as follows. The unique serial number (64), and a manufacturer's code (32), will be programmed in at the factory, leaving a total of 928 programmable bits. The programmable area contains two main sections. The first contains all the personal and vehicular information: place of registration (32), registration number of seller (32), application date (16), license plate number (88), chassis number (128), vehicle tax number (RENAVAM) (36), vehicle make and model code (16) and finally 164 bits for 'governmental applications'. The remaining 384 bits are split into 6 blocks for unnamed 'private initiatives.'

SINIAV system diagram (DENATRAN)
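
The bit budget described above, laid out as code so the offsets and totals can be checked and so it is clear what a reader recovers from a tag whose memory is not encrypted. This is an added example, not part of the resolution or the original post: the field order and the ASCII text encoding are assumptions, and the sample values are constructed.

```python
TAG_BITS = 1024
# (name, width in bits, writer). Widths are the post's figures; the field
# ORDER and the text encoding are assumptions, the post gives neither.
FIELDS = [
    ("serial_number", 64, "factory"),
    ("manufacturer_code", 32, "factory"),
    ("place_of_registration", 32, "registry"),
    ("seller_registration_no", 32, "registry"),
    ("application_date", 16, "registry"),
    ("license_plate", 88, "registry"),
    ("chassis_number", 128, "registry"),
    ("renavam", 36, "registry"),
    ("make_model_code", 16, "registry"),
    ("governmental_applications", 164, "registry"),
    ("private_initiatives", 384, "private"),  # six blocks
]

def layout():
    """Map each field to (bit offset from the top of the tag, width)."""
    table, offset = {}, 0
    for name, width, _ in FIELDS:
        table[name] = (offset, width)
        offset += width
    return table

def unaccounted_bits():
    """Bits of the 1024 that the listed widths do not cover."""
    return TAG_BITS - sum(width for _, width, _ in FIELDS)

def pack(values):
    """Build a tag image (int) from {field: int}; missing fields are zero."""
    image = 0
    for name, (offset, width) in layout().items():
        value = values.get(name, 0)
        if value < 0 or value >> width:
            raise ValueError(f"{name} does not fit in {width} bits")
        image |= value << (TAG_BITS - offset - width)
    return image

def unpack(image):
    """What a reader recovers from an unencrypted tag image."""
    return {name: (image >> (TAG_BITS - offset - width)) & ((1 << width) - 1)
            for name, (offset, width) in layout().items()}

def ascii_field(text):
    """Assumed text encoding: big-endian ASCII bytes as one integer."""
    return int.from_bytes(text.encode("ascii"), "big")

# Constructed sample vehicle, not real data.
SAMPLE = {"license_plate": ascii_field("ABC1234"), "renavam": 123456789}
```

Summed as listed, the widths cover 992 of the 1024 bits (896 of the 928 programmable ones), so `unaccounted_bits()` returns 32 bits that the breakdown above does not assign.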

Privacy International note that there is no more than a mention of conformity to constitutional rules on privacy (of which more later). However there is much more that is of concern here. The resolution claims that the data will be encrypted between plate and reader, but the technical specifications are not given to any level of detail (*though there is more information from the Interministerial Working Group on SINIAV, which I haven't examined in any detail yet). We all know already how easy it is to clone RFID chips. This scheme is supposed to be about security for drivers, but it could easily result in the same kind of identity fraud and consequent necessity of disproving the assumption of guilt created by automated detection systems for car-drivers as for credit cardholders. Could you always prove that it wasn't your car which was the getaway vehicle in a robbery in São Paulo, or you driving it, when your actual car was in a car park in Curitiba? Widespread cloning of chips would also render the whole system valueless to government.
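
One way an operator could detect the cloning scenario above is to flag any tag serial seen by two readers farther apart than a vehicle could have driven in the elapsed time. This is an added example, not part of SINIAV or the original post; the log format, reader names, speed ceiling and sightings are all constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 150.0  # assumed ceiling for road travel; tune per deployment

# Constructed reader log: tag serial, reader id, latitude, longitude, ISO time.
SIGHTINGS = """\
A1B2C3D4,SP-TOLL-07,-23.5505,-46.6333,2009-02-10T09:00:00
A1B2C3D4,CWB-PARK-02,-25.4284,-49.2733,2009-02-10T09:40:00
0F0E0D0C,SP-TOLL-07,-23.5505,-46.6333,2009-02-10T08:00:00
0F0E0D0C,CWB-PARK-02,-25.4284,-49.2733,2009-02-10T14:30:00
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def parse(log):
    """Turn the CSV log into (serial, reader, lat, lon, datetime) tuples."""
    rows = []
    for line in log.strip().splitlines():
        serial, reader, lat, lon, ts = line.split(",")
        rows.append((serial, reader, float(lat), float(lon), datetime.fromisoformat(ts)))
    return rows

def clone_suspects(rows, max_kmh=MAX_SPEED_KMH):
    """Flag consecutive sightings of one serial that imply speed > max_kmh."""
    last, alerts = {}, []
    for serial, reader, lat, lon, ts in sorted(rows, key=lambda r: r[4]):
        if serial in last:
            p_reader, p_lat, p_lon, p_ts = last[serial]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (ts - p_ts).total_seconds() / 3600
            # Ignore re-reads at (almost) the same place; flag impossible hops.
            if km > 1.0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((serial, p_reader, reader, round(km)))
        last[serial] = (reader, lat, lon, ts)
    return alerts
```

The check shows that a clone exists, not which of the two sightings was the genuine vehicle, which is the burden-of-proof problem described above.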

RFID chip

Then there is the question of function creep. The chip has spare capacity, and assigned space for unnamed functions, state and private. Brazil already has a system of state toll roads (pay-for-use highways), and these chips could certainly be used as part of an automated charging system. That might be very convenient. However what other functions could be thought up, and how might safeguards be built in? As I have already noted, Brazil has no body for protecting privacy or data/information rights so it would be very easy for new more intrusive functionality to be added.

Combining the problems of a movement towards automated fines or charges, and criminality, another major issue would be the one recently revealed in Italy, where an automated red-light camera system was found to have been fixed in order to generate income from fines for corrupt police and a multitude of others.

The final question of course is whether this will all happen as planned or at all. The system would supposedly be complete by 2011. I know of a trial scheme in São Paulo, but on a quick (and very unscientific) straw poll of people who I encountered today at the university here in Curitiba, there seems to be no-one who has an RFID license plate or knows someone who does, and there is practically zero awareness even amongst educated professionals. Like the National ID-card scheme, people just don't think it will go to plan or timetable. That may, however, just reflect a (middle-class) Brazilian view of the abilities of the state.

Still, as the Frost and Sullivan market assessment states, all of this turns Brazil into a ‘highly attractive market for RFID suppliers’ which was probably the main motivation and will be the only real outcome.