Ontario's proposed EDL/ID: Many questions

1
Ontario's proposed EDL/ID: Many questions.

Andrew Clement
Identity, Privacy and Security Initiative
Information Policy Research Program
Faculty of Information, University of Toronto
  • Public Information Forum on Ontario's proposed
    Enhanced Driver's Licence
  • Toronto, ON
  • July 16, 2008

2
Unpacking the EDL/ID proposal
[Diagram: Current DL, Proposed DL, Proposed EDL, and Photo ID for non-drivers; labels: FRT, MRZ]

3
Evaluating the EDL/ID proposals - the Oakes Four Part Test
  • The burden of proof must always be on those who
    claim that some new intrusion or limitation on
    privacy is necessary. Any proposed security
    measure must meet a four-part test:
  • Necessary: It must be demonstrably necessary in
    order to meet some specific need
  • Effective: It must be demonstrably likely to be
    effective in achieving its intended purpose. In
    other words, it must be likely to actually make
    us significantly safer, not just make us feel
    safer.
  • Proportionate: The intrusion on privacy must be
    proportional to the security benefit to be
    derived.
  • Minimal: and it must be demonstrable that no
    other, less privacy-intrusive, measure would
    suffice to achieve the same purpose.
  • Privacy Commissioner of Canada, Nov02,
    derived from Oakes

4
FRT - Facial Recognition Tech (aka Photo Comparison Technology)
[Diagram: image template; Ontario DL(ID) database, 10M records]

5
FRT - Facial Recognition Tech (aka Photo Comparison Technology)
  • IPC statements on biometrics
  • Given the power and complexity of biometrics, my
    office has set out strict conditions under which
    the use of biometrics could be considered. No
    database of biometric information, should be
    created without applying the minimum standards
    for the use of biometrics, as set out in the
    Ontario Works Acts.
  • ...there must be no ability to compare biometric
    images from one database with biometric images
    from other databases or reproductions of the
    biometric not obtained from the individual
  • (Open letter, from Commissioner Cavoukian to
    Hon. D. Tsubouchi, April 5, 2001)

6
FRT - Facial Recognition Tech (aka Photo Comparison Technology)
  • Ontario Works Act 1997 standards
  • the biometric must be stored in encrypted form
    both on the card and in any database
  • the encrypted biometric cannot be used as a
    unique identifier
  • the original biometric information must be
    destroyed upon encryption
  • the stored encrypted biometric can only be
    transmitted in encrypted form
  • no program information is to be retained or
    associated with the encrypted biometric
    information
  • there can be no ability at the technical level to
    reconstruct or recreate the biometric from its
    encrypted form
  • there must be no ability to compare biometric
    images from one database with biometric images
    from other databases or reproductions of the
    biometric not obtained from the individual
  • there can be no access to the biometric database
    by law enforcement without a court order or
    specific warrant.

7
FRT - Facial Recognition Tech (aka Photo Comparison Technology)
  • Another noted Ontario biometrics expert
  • "Biometrics, if used as currently marketed by
    most biometric vendors where the biometric
    template is used as the token of identification
    or verification will further erode privacy and
    jeopardise our freedoms. The simple fact is that
    template-based biometrics are not privacy
    friendly. Any time you base verification or
    identification on comparison to a stored template
    you have a situation which, over time, will
    compromise privacy either by business or
    government, in response to the next national
    emergency"
  • Tomko, George, "The Fundamental Problem with
    Template-based Biometrics", presentation at the
    12th Conference on Computers, Freedom and
    Privacy, San Francisco, 16 April, 2002.

8
FRT - Facial Recognition Tech (aka Photo Comparison Technology)
  • Evidence for effectiveness?
  • Protection against false positives? Redress?
  • Will a template approach be used?
  • Compliant with Ontario Works Act standards?
  • Security of the database? (e.g. biometric
    encryption?)
  • Data sharing? Strictly limited and transparent?
  • Protection against function creep?
  • Privacy Impact Assessment?
  • Independent? Public involvement?

9
Citizenship indicator
  • Federal government role?
  • Only for simple Canadians?
  • Canadians born outside of Ontario?
  • Naturalized Canadians?
  • Inter-provincial data sharing?
  • Documentation requirements?
  • Easier than a passport?

10
RFID - Radio Frequency ID chip
[Diagram: EDL/ID carrier, RFID reader (10m), border agent, CAN/US databases]

11
RFID - Radio Frequency ID chip
  • Why choose a notoriously insecure vicinity RFID
    (i.e. UHF EPC Gen 2), rather than a proximity
    RFID (10m vs 10cm range)?
  • What protection against covert sniffing,
    interception, or other identification attacks?
  • Can the protective sleeve possibly be
    effective?
  • Why isn't the unique RFID number treated as
    personal information? e.g. Why no encryption?
  • What protections for Canadians' data in the US?
  • Has DHS bullied Canada into an inferior approach?

12
Non-Drivers Photo ID
  • Why not ready in time for June 2009 WHTI deadline?

13
Passport alternatives
  • Extend life of Canadian passport to 10 years (as
    in the US, UK, etc.) i.e. <9/year?
  • Lower price of passport?
  • Auditor Gen says they are over-priced
  • Ontario subsidize cost for border area residents?
  • Passport as a citizenship right?
  • Speed up and ease issuing?
  • Passport offices in border cities
  • Passport Fairs as in US
  • Speed up border crossing with passport?
  • Use the Machine Readable Zone?

14
Other rationales?
  • Opposition to a National ID Card is so strong
    that Americans would never stand for it. Their
    heads would explode
  • (Michael Chertoff, DHS Director, 2007).
  • Later integration with REAL ID?
  • De facto national or North American ID card?
  • Protection against function creep?

15
Public Participation in Development process
  • What part will the public, civil society
    organizations and independent experts play in the
    development of this ID scheme?
  • Timetable
  • Social impact assessments
  • Venues and modes of involvement
  • Legislative review
  • Concept and prototype design
  • Field trials
  • What on-going accountability and oversight
    mechanisms?

16
Summary - Open Questions
[Diagram: Photo ID, FRT and RFID, overlaid with question marks]

17
Summary - Still Open Questions
[Diagram: Photo ID, FRT and RFID, overlaid with question marks]

18
Additional criteria
  • Scheme characteristics
  • Clarity of Purpose
  • Requisite Capability
  • Alternatives considered
  • Consultation
  • Respect for rights
  • Developmental Process
  • Discourse
  • Deliberation
  • Decision
  • Design
  • Delivery
  • (see CAN ID? Visions for Canada Identity Policy
    Projections and Policy Alternatives
    www.fis.utoronto.ca/research/iprp)

19
Next steps
  • Legislative review
  • Public participation
  • Social impact assessments
  • Systems design
  • Concept and prototype design
  • Field testing
  • On-going accountability and oversight

20
EDL/ID vs Passport??
  • Considering
  • Cost
  • Convenience of acquisition and use
  • Privacy
  • Security
  • Usefulness
  • Governance
  • National sovereignty
  • will the EDL/ID serve Ontarians better than
    the passport?

21
Thanks to
  • Faculty of Information
  • Krista Boa
  • Joseph Ferenbok
  • Tony Lemmens
  • Jens-Erik Mai
  • John Santiago
  • Karen Smith
  • Areti Vourinaris
  • Burt ?
  • Identity Privacy and Security Initiative (IPSI)
  • Information and Privacy Commission (IPC)

22
Check out the FAQ, webcast and on-line discussion
forum at IDforum.ca
IPRP
Information Policy Research Program