by Adam Walser

The criminals new joy with Biometrics is, once you’ve fool the system, your faked fingerprint is made of the same stuff as fruit pastilles, so you can simply dress the evidence on other innocent victim, without letting the victim any chance to hold himself blameless.

LOUISVILLE, Ky. (WHAS11) — A Louisville woman says she was arrested by police, thrown in jail and went to court for crimes she never committed three times in the last year and a half because of her name.  The woman’s name is Melissa Ann Richardson, but she’s not the only woman with that name in Louisville.  Richardson says another Melissa Ann Richardson has been getting in lots of trouble and doesn’t show up for court, which is making her life increasingly difficult.
Whenever Melissa Ann Richardson leaves home, she has to have lots of documentation proving that she’s Melissa Ann Richardson because recently she’s been confused with a different Melissa Ann Richardson.  She is also white, has brown hair, green eyes and an October birthday.  The difference is that Melissa Ann Richardson has been arrested dozens of times for prostitution and drugs. “I don’t see any resemblance and that’s just because I don’t want to be affiliated in any way with prostitution,” said Richardson.
The other Melissa Ann Richardson also has an unfortunate habit of not showing up for court.  Twice last year, Melissa Ann Richardson was arrested, booked and had to go to court for the other woman’s crimes. “They told me that it was done. They typed everything in. The clerk said ‘Okay, we’re sorry. It won’t happen again,’” said Richardson.  However, on Friday, Richardson said it happened again.
She was stopped at a red light in a minivan in West Louisville when a police officer pulled her over and questioned her.  After checking her ID, the officer arrested Richardson on charges she says belong to the other woman.  The other Melissa Ann Richardson apparently even gave officers the first Melissa Ann’s date of birth when she was arrested so it was back to jail.
“Usually it’s only been about eight hours. This past weekend, it was the worst of it. It was 33 hours,” Richardson said.  Police say the mix-ups can happen because right now, pictures aren’t placed on e-warrants, which are displayed on officers’ laptop computers so police rely on the information they’re given. A Louisville Metro Corrections Department spokesperson says it’s standard procedure to use a fingerprint scan on all prisoners who are booked.  It’s unclear as to what happened in the latest case.
As for Richardson, she’ll keep carrying her makeshift purse.  “Thank you for not believing me, but I’m out. And if you arrest me again, I’m gonna get out again. But this time, I’m pursuing a different angle. I’ve called our attorney and we’re gonna go that route,” Richardson said.
Late this afternoon, we learned that part of the problem at the jail is that the records for both Melissa Ann Richardsons were apparently merged, leading them to believe they had the right suspect over the weekend.
We tried to locate the other Melissa Ann Richardson to talk to her about the situation today, but like the police, we weren’t able to find her.

Apple looking to profile users with heartbeat sensor, facial recognition on future iPhone?



By:Will Park

About Will -  Monday, August 23rd, 2010 at 12:28 PM PST

Apple isn’t just looking to keep their iPhone and iPod devices secure from the ever-present threat of users looking to jailbreak their smartphone/media player, the Cupertino, CA.-based tech company is apparently considering using biometric heartbeat sensors to verify authorized users. We recently mentioned that a newly uncovered patent application hinted at Apple’s plans to lock down or remote wipe data on iPhones that have been deemed jailbroken or unlocked. That, in itself, was a bit disturbing, but we’re not sure how to feel about a future iPhone being able to identify users by heartbeat, voice, or facial recognition.

On the one hand, the technology is impressive. We first saw Apple’s patent application on embedded biometric sensors about a year ago. The idea that a smartphone could use integrated sensors to detect users via heartbeat patterns, voice patterns, and pictures of users’ faces is like sweet, sweet music to a gadget geek’s ears. Automatic biometric identification sounds like a geek’s dream come true. In fact, this kind of technology solves one of the initial obstacles to artificial intelligence – the ability to accurately identify people.

Unfortunately, there are privacy concerns at stake here. Worse yet, there’s the unsettling potential that your iPhone could turn snitch on your biometric readings, should you decide to jailbreak your phone. Think about it. Upon detecting that you’re running a jailbroken or unlocked iPhone, this technology could very well report to Apple your unique biometric signature for future reference. From that point on, you could be tagged in some Apple customer service computer as a person to scrutinize when it comes time for warranty repairs or other customer service matters.

On the upside, it sure would be nice to know that your wayward iPhone was capable of detecting an unauthorized user and alerting authorities (and yourself, of course) that it is in the process of being “misappropriated” – all before you even realized that the handset is no longer in your pocket or purse. Apple’s Find My iPhone feature in its MobileMe service does a great job of tracking the phone and wiping all data (should it come to that), but that’s only possible if you A) know that your phone is missing and B) have a computer nearby to lock/wipe the handset.

The downside, of course, is being denied for customer service on your device because Apple knows that your unique biometric signature has been associated with a jailbroken, unlocked, or otherwise hacked iPhone. That’s not a pleasant thought – especially because Apple customer service is widely considered to be at the top of its game.

In either case, we’re not going to be able to stop the mobile industry’s march towards higher technology and more gadget wizardry as time goes on, so we might as well get used to new tech that makes us feel a bit uncomfortable.

What say you? Would you be inclined to buy a phone that included biometric security and technology that would be able to detect an unauthorized user?

[Via: AppleInsider]

Adobe CTO: Apple’s behavior a throwback to 1984

BY D-USA, ON AUGUST 24TH, 2010

As the first results of our Endorsement Survey are arriving, and we feel that we need to clarify one of our questions and share our reasons for opposing a particular law in Oklahoma.

The Pirate Party of Oklahoma is not opposed to the inclusion of an identifying facial picture on drivers licenses issued to Oklahomans. Our drivers license was not created to be an ID card, it’s only purpose was to certify that the carrier of the license passed an examination by the Department of Public Safety and is authorized to operate a motor vehicle in the State of Oklahoma. For a law enforcement official to verify that the bearer of a license is the licensee in question, the official needs to be able to visually compare the person that is in possession of the license to the person the license was issued to. This objective is achieved by taking the picture at the time the license is issued and then printing it on the license.

The process we oppose is the collection of a biometric picture, in addition to biometric fingerprints, whenever a drivers license is being issued. Biometric facial pictures feature a higher resolution than is needed for a small picture on a license. This high resolution picture is then digitized, a biometric template is created, and together with a digital version of your fingerprint this information is stored in a database controlled by the Department of Public Safety.

Including a traditional photograph on your drivers license enables a law enforcement official to physically compare your face to the picture on the license. Taking your picture and adding your biometric profile stored in a database enables the Department of Public Safety to compare this profile to any other picture they want. This is already happening every time you renew your license, or when you change your address and have a new license issued. The Department of Public Safety takes a new biometric photo, converts it to a digital biometric profile, compares it with the previous biometric profile they have stored in your database, and if they match you get a new license.

The problem with technology like this is the always popular mission creep of our Government. Once the State of Oklahoma is in possession of your biometric profile, it can be used for many applications not originally indented by the legislators who wrote the law. Storing your biometric profile enables the state to use automated surveillance to monitor and log the activities of Oklahomans.

Using CCTV cameras already in use in many places, the state will be able to record crowds and use facial recognition software to scan the faces present at the event and match them to stored biometric profiles. Law enforcement officials would be able to use cameras mounted on vehicles to scan all the faces in a particular area and compare them to the database. Law enforcement officials on foot will be able to utilize hand-held video cameras to record your presence at a lawful rally, then scan all the faces and create a log of all people present. In short time the State of Oklahoma will have a database that shows that Oklahoman X was present at the Tea Party Rally, the Gay Pride Parade, and the Thunder playoff games. And by analyzing your past behavior, the state can anticipate your future actions.

While this might sound very futuristic and unlikely to many Oklahomans, we urge you to keep in mind that the same Department of Public Safety that is responsible for storing and using your Biometric Data is currently in the process of implementing an Automated License Plate Recognition System; one requirement of which is the ability to keep a database of the time and location each license plate was seen, even if no crime was committed.

Our Department of Public Safety has already demonstrated that given the opportunity to deploy an automatic system that gives them the ability to track the driving habits of any given vehicle in the state that passed the proposed camera systems, they will store this data even if no unlawful activity exists. This eagerness by the DPS to create a database of lawful activities does not give us much hope that they will be able to restrain themselves when it comes to the opportunity to perform additional monitoring of Oklahomans.

Oklahoma legislators are becoming increasingly aware of the threat created by technology such as this, and HB 2923 is a good example of turning towards the right path. HB 2923 would have deleted the biometric data stored by the Department of Public Safety, as well as requiring a return to non-biometric pictures on our license. If would also have prohibited the implementation of radio frequency identification technology , the use of which will require a separate article all together.

As Oklahomans who are concerned with privacy, and the increasing surveillance of our activities, we need to push our legislators to stop this invasive technology before it reaches a point of no return.

Legislation could lead to ‘use of less secure identity solutions’

Aug 12, 2010 | 03:08 PM

ALEXANDRIA, Va. – Legislation that would sharply restrict the use of biometric technology in Alaska would have unintended negative consequences and “ultimately result in the use of less secure identity solutions,” the Security Industry Association (SIA) warned in a letter to the bill sponsor.

The bill (SB 190) from Alaska State Sen. Bill Wielechowski (D-District J) mandates that “A person may not retain or analyze, or disclose or distribute to another person, biometric information on an individual without first obtaining the informed and written consent of the individual.” (Law enforcement and other parties authorized by state or federal law would be excluded.) Biometric data is defined to include fingerprints, handprints, voices, facial images, iris images and retinal images. Violators would be liable for actual damages and civil penalties of as much as $100,000.

SIA CEO Richard Chace noted in the letter to Wielechowski that the federal government is implementing an identity management program that relies on biometric technology and argued that biometrics are an important security tool that “answers the question, ‘Are you who you say you are?’”

“Biometrics provide an effective measure against fraud and identity theft in applications as diverse as personal access to buildings/computers, banking security, business-to-business transactions and ecommerce,” the letter stated.

Chace also stressed that the association and its members are committed to developing security solutions that protect personal information and ensure privacy and said that they “are in the final stages of developing a framework that will help educate policymakers, consumers and industry stakeholders on technology and privacy related issues.”

The Security Industry Association (www.siaonline.org) is the leading trade group for businesses in the electronic and physical security market. SIA protects and advances its members’ interests by advocating pro-industry policies and legislation on Capitol Hill and throughout the 50 states; producing cutting-edge global market research; creating open industry standards that enable integration; advancing industry professionalism through education and training; opening global market opportunities; and providing sole sponsorship of the ISC Expos, the world’s largest security trade shows and conferences.

POSTMEDIA NEWS – AUGUST 10, 2010 2:02 AM

Canada’s privacy watchdog has gone to court to stop the collection and storage of fingerprints from students who apply to medical schools.

Privacy commissioner Jennifer Stoddart launched legal action in Federal Court last week, accusing the American Association of Medical Colleges of violating the Canadian law that governs electronic personal information.

The association administers the Medical College Admission Test on behalf of schools in the U.S. and Canada. It uses “biometric identity verification” to stop cheating on the tests.

But it also means the fingerprints and photographs of Canadian students who write the MCAT in Canada — even if they plan to attend medical school in Canada — could later be accessed by U.S. authorities under the Patriot Act.

© Copyright (c) The Edmonton Journal

Read more

The public has repeatedly rebuffed attempts by the federal government to centralize identification management

By Mike Spinney – Jul 22, 2010

Mike Spinney is a senior privacy analyst at the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy.

The Homeland Security Department recently announced an initiative aimed at creating a more secure system of online identification. According to its Web site, the National Strategy for Trusted Identities in Cyberspace seeks to “improve cyberspace for everyone — individuals, private sector and governments — who conducts business online.”

That’s certainly a noble goal. But the very existence of NSTIC begs two very important questions: Does protecting me and my fellow citizens while we transact business online fall within the department’s areas of responsibility? And does DHS truly believe it can do what the private sector, driven by a clear and compelling profit motive, has yet to successfully accomplish?

The answer to both questions is a resounding no. DHS should focus on doing what its name implies — protecting the homeland — and resist the urge to demote itself into the role of national cyber mall cop.

I say this not to demean the department, which shoulders a weighty load in addressing the manifold threats to our shores in this age of terrorism, but because any effort by DHS to create a voluntary trusted identity program is doomed to fail.

The recent experience and backlash associated with Real ID — rebuffed by the general public and legislatively rejected by 11 states before being scrapped — and high-tech passports — subject to ongoing criticism for their security vulnerabilities — demonstrate that the public is uneasy at best and at worst dead set against any attempts by the federal government to centralize identification in any form. Another national identification storm cloud is gathering on the horizon in the form of the Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment provision of pending immigration reform. With every attempt at using technology to track citizens, George Orwell’s shadow grows longer.

Conspiracy theories aside, lessons learned from the evolution of Social Security numbers into a de facto national financial credential — in spite of being prohibited by the law that created them for any use other than the management of Social Security benefits — should be enough to remind us of what can happen with a national identification program even when it is conceived with the best of intentions.

Of course, DHS would not be the first organization to fail at creating a broadly successful universal digital identifier. Devices such as smart cards and tokens have been in use for years and are effective for managing identity-based access to secure enterprise systems. But such technology works best in a single organization because cost and management issues temper their advantages in broader applications.

At the consumer level, where individuals might be using multiple identities for a broad range of applications, any secure identity system would need to take into account the highly complex vagaries of human behavior. Doing so successfully in the private sector would be a feat with a multibillion-dollar payday — and there’s plenty of money and brainpower being spent on that effort already.

Consider, too, the challenges DHS faces in successfully launching a trusted identity program when the agency lacks the trust of the general public. In the Ponemon Institute’s annual Privacy Trust Study of the United States Government, DHS ranked 70th among the 75 federal agencies studied. The Citizenship and Immigration Services agency and Customs and Border Protection agency, both of which are part of DHS, ranked 74th and 75th, respectively.

If DHS believes that a more secure online experience will enhance homeland defense, that goal would be better served by the creation of an educational program that makes people more aware of how to safely conduct online activities. When you get beyond the Beltway, you find that too many people are making unsafe decisions online not because the technologies and techniques are lacking but because they simply don’t know any better. If left to persist, public ignorance will be the downfall of any trusted identity strategy.

Third Quarter Fiscal Year 2010 Report to CongressDepartment of Homeland Security Report of the Chief Privacy Officer Pursuant to Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007June 23, 2010

In a country where Nepali’s, Bangladeshis and Pakistani’s can practically walk across the border – why should a terrorist bother to fake a biometric passport?

It could come useful in certain situations. Why would someone like David Headley risk a clandestine crossover, when he could live in the best of hotels, mix in the most hallowed social circles – legally? It’s also a neat trick to shift blame to an Indian citizen, after a terrorist attack.

But an “attack” is not the only thing a cloned biometric passport can be used for. It can also be used to steal your identity. For cheap. If my last post made you believe it’s almost impossible to mess around with a biometric passport, I’m very sorry. Because this one – is about how it’s already been done. With equipment that costs less than ten thousand rupees.

Lukas Grunwald, a German security expert, did it in 2006. British newspapers reported on a similar stunt by Adam Laurie, in 2007. Jeroen Van Beek, a researcher in the Netherlands, actually walked into Amsterdam airport with a fake biometric passport made in the name of Elvis Presley. He was not stopped.

Just Google their exploits – most technically minded terrorists probably already have. Here’s a quick account of how they did it.

A biometric passport has a chip, about the size of the one in your mobile phone SIM. That chip is embedded in a radio transmitter, slightly smaller than your visiting card. The entire unit is then sealed, into the last, thick page of our passports. You’ll get one of these things when you apply to renew your passport.

Effectively – this passport is now a tiny radio transmitter. It emits radio signals at a certain frequency. And over those radio waves, it transmits the information stored in its chip.

If you have a radio scanner listening in on that specific frequency – you can intercept that data. You could be standing ten meters away, you wouldn’t even need to touch the passport. You could read it, then clone it.

I’ll get into the specifics later. But here’s why you should begin to get worried.

1.) Let’s say a terrorist knows he looks a fair bit like you. First, he’d clone all your passport details by eavesdropping on the chip. Then insert his new, cloned chip into a fake paper passport he’s already made.

He’d grow a beard or a pony tail – to confuse the airport guards. When they test his passport on their reader, it wouldn’t ring any alarms – after all it’s a perfect clone of a perfectly valid passport.

When they try to physically cross check his appearance against your facial image stored on the chip, they wouldn’t spot a difference. A biometric facial or fingerprint scanner would have rung alarms – but they’re very expensive and used at very few counters. So a terrorist COULD cross borders – using YOUR passport details.

There is also a psychological problem – if the machine says a passport is OK, airport officials will tend to believe it and drop their guard. They won’t bother to do a more careful physical check. Because that would take more time – and after all wasn’t the biometric passport meant to save time at check in counters?

2.) Or let’s say it’s scamsters who want to target you. The postman or courier boy who delivers your passport home, could copy details from its chip, without even opening the envelope. So could a hotel attendant abroad – when you show him your passport to book a room. Among those details, will be an exact digital copy of the first page of your passport.

This first page is something we often photocopy. We use it as a proof of identity – to open a bank account, to apply for a new phone connection, for a driving license etc. The scamster could send that first page to an Indian bank and open a new account in your name. And funnel in dirty money into it, without you ever knowing.

3.) There’s another loophole in the “Biometric Passport as extra security” scheme. When you walk into a country like the US with your passport, your info is not only scanned and crosschecked – it’s also stored on their servers for a very long time. This supposedly happens to all passports presented at immigration – part of their “War on Terror” is keeping track of the details and frequency of people’s visits.

In theory, a corrupt official in the department could gather your private data and sell it to people on the black market. Right now – someone else can’t easily match your unique biometrics. But technology gets better everyday, so a leak in the department would mean a terrorist could walk around with your identity.

4.) Another pinprick in the “security” angle. At least one researcher has shown how to trigger a small bomb when it comes close enough to radio signals transmitted by a particular country’s passport. Terrorists could also use a similar technique can to single out people of a particular country from a group – and target them for kidnapping/elimination.

It’s not just passports. The technology can be used to eavesdrop and clone other RFID or Radio Frequency Identification Devices. That includes the card you use to get entry into your office, your new driving license and perhaps even the upcoming UID or Universal Identity card.

Getting back to the passports. Inexpensive Radio Frequency scanners can easily be bought online. You could also build one by modifying the Bluetooth receiver on your PC. Software like Golden Reader, that let you communicate with a passport chip, are easily available on the net. The International Civil Aviation Organization or ICAO – the nodal agency behind the biometric passport movement, has it on its website.

When held over a passport reader at the airport, the chip and the reader first challenge each other with a code. Once each is satisfied the other’s a genuine party – the chip transmits the info it carries to the reader.

To prevent people from eves-dropping on this exchange, the designers of biometric passports used a simple trick. They printed a twenty four character, two line strip of data on one of the pages of the passport.

This “Strip” is called a “Machine Readable Zone”, or MRZ. Only after swiping this strip through a machine, would the passport reader be able to generate a valid challenge that the passport chip would respond to. So whoever wants to read the passport, would have to have it open, in his hand.

Smart. The problem is, the characters they’ve decided to print on that strip. Your date of birth, your passport number, its date of expiry and so on – in a specific pattern.

Clever programmers can guess those details. Your DOB, they find from sites like Facebook. From public databases online – they observe patterns in a long series of passport numbers. They also find out the number of passports issued everyday in the country.

They feed all that research into a maths formula that’s often used by companies to generate things like random credit card numbers. And crack the MRZ of your passport, on a normal home PC, in under two hours. The big expense – about Rs 10,000 for a radio scanner. With the MRZ code, a terrorist or scamster can suck data from your chip, standing upto ten meters away at the check in counter.

Governments could of course put in place a more complex passport numbering system. But though such demonstration attacks have been widely reported in the foreign press, they haven’t moved on this yet.

When someone like a postman has the luxury of holding your physical passport in his hand, he can suck it dry with another trick. He swipes the passport against his radio scanner many, many times.

The more the number of swipes, the higher the chance of the computer mathematically guessing the security code. In an ATM, if you enter the wrong code thrice – you’re locked out and can’t withdraw any money. A similar safety feature hasn’t yet been built into these passport chips.

A small backgrounder on how all this started in the first place. After 9/11, America decided that all foreigners entering its borders would need to have machine readable passports with biometrics – on the assumption that these would be tough to forge.

It demanded this of the 27 countries that had a visa waiver agreement with it. Most of Europe fell in line and soon, the rest of the world.

After researchers publicly carried out attacks on these passports, FIDIS, or the “Future of Identity in the Information Age” – a European Union funded body called the technology used in them “poorly conceived”.

“European governments have forced their citizens to adopt documents which dramatically reduce their security and privacy and increase the risk of identity theft.”

The Indian Government however – doesn’t seem to have listened.

Posted by Howard A. Schmidt to the White House Blog – on June 25, 2010 at 02:00 PM EDT

Cyberspace has become an indispensible component of everyday life for all Americans.  We have all witnessed how the application and use of this technology has increased exponentially over the years. Cyberspace includes the networks in our homes, businesses, schools, and our Nation’s critical infrastructure.  It is where we exchange information, buy and sell products and services, and enable many other types of transactions across a wide range of sectors. But not all components of this technology have kept up with the pace of growth.  Privacy and security require greater emphasis moving forward; and because of this, the technology that has brought many benefits to our society and has empowered us to do so much — has also empowered those who are driven to cause harm.

Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).  This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.

The Department of Homeland Security (DHS), a key partner in the development of the strategy, has posted the draft NSTIC at www.nstic.ideascale.com. Over the next three weeks (through July 19^th), DHS will be collecting comments from any interested members of the general public on the strategy. I encourage you to go to this website, submit an idea for the strategy, comment on someone else’s idea, or vote on an idea. Your input is valuable to the ultimate success of this document. The NSTIC will be finalized later this fall.

Howard A. Schmidt is the Cybersecurity Coordinator and Special Assistant to the President

Yosie Saint-Cyr

It was recently reported that Passport Canada has issued 25,000 biometric passports, and plans to issue them to all Canadians by 2011. The government is introducing e-passports to enhance security, fight fraud, reduce identity theft and meet international counter-terrorism measures already in use in travel documents in over 60 countries, including the United States, the European Union, Australia and Israel. The e-passport will now be valid for a period of 10 years (thank you!—that’s an improvement at least).

A biometric passport has a data chip inside it that can be read electronically. The chip contains information about the holder’s face—such as the distances between eyes, nose, mouth and ears—which authorities can use to identify the passport holder. These details are taken from the holder’s passport photograph. The chip also holds the information that is printed on the personal details page of the passport. Biometric details are unique to each citizen, like a fingerprint, the iris of the eye and facial features.

The US Electronic Privacy Information Centre (EPIC) describes the privacy issues and risks associated with facial recognition technology (FR) in the following manner:

Devices using biometric identifiers attempt to automate this (FR) process by comparing the information scanned in real time against an ‘authentic’ sample stored digitally in a database. The technology has had several teething problems, but now appears poised to become a common feature in the technological landscape. … There are significant privacy and civil liberties concerns regarding the use of such devices that must be addressed before any widespread deployment.” (Emphasis added.)

EPIC has identified six major areas of concern:

Passport Canada has indicated that it has taken measures to avoid or mitigate the above privacy risks. Several summary reports dealing with these issues and action taken are available on the Passport Canada website.

Data on the chip is protected in various ways, including: a “digital signature”, which shows that the data is genuine and which country has issued the passport; access control, where a “chip protocol” prevents the data being read without the passport holder’s knowledge; and a digital technique that confirms the data on the chip was written by an authorized regional passport department and has not been changed. Also, the chip can only be read within 10 centimetres from a chip reader, so it cannot be accidentally read.

However, the Canadian Civil Liberties Association (CCLA) still believes that privacy concerns are an issue and have not all been dealt with.

In a recent report, the CCLA indicated that new technologies such as biometric passports should be implemented with adequate legal safeguards. The group is interested in knowing what measures Passport Canada has taken to date, and intends to continue acting to ensure the civil liberties of Canadians are being protected, including the rights of privacy and mobility.

Moreover, the CCLA shares the same privacy and accuracy concerns (in PDF) on the introduction of biometric passports (e-passports) in Canada as EPIC. They are:

• “Function creep”, which means using the information in the future for a purpose beyond the original purpose
• Third party access to the information to link the information to that of the third party without the consent of the individual
• Centralized retention of the information
• Loss of control by individuals on the use and dissemination of one’s personal information

In addition, Canadians travelling with biometric passports will be subject to the privacy practices of other countries. This means, for example, that foreign databases might store Canadian citizens’ personal identifying information. The CCLA would like to know how Passport Canada plans to handle this inevitability? And rightly so. Privacy International has reported that because of biometric passports, the International Civil Aviation Organization (ICAO), would have a database of over a billion people worldwide by 2015. Yikes!

The CCLA has stated—and I totally agree with them:

While Canadian citizens understand they have restricted privacy rights at international borders, they are not necessarily consenting to the information contained on the RFID chip in the passport being stored in a foreign government’s database.”

Furthermore, the CCLA brought up the issue that faces are constantly changing, and facial biometrics open a Pandora’s box for mass surveillance by states of individuals, with a corresponding chilling effect on many civil liberties. As a fine example, take the 2009 case of Suaad Hagi Mohamud, a Canadian woman who was erroneously accused by Kenyan border officials of impersonation because they thought she did not look like her passport photo. Canadian consular officials concurred that she was an imposter and voided her passport. She was stranded in Kenya for three months before DNA evidence proved her identity.

As I was reading the CCLA’s privacy and accuracy concerns on the introduction of biometric passports in Canada, a story broke about misuse of passport information. A border guard used women’s passport details to hit on them later on Facebook (of course). The Canada Border Services Agency has known about the problem since last October when it received a complaint. The article states that the agency refused to release the name of the employee subject of the complaint, or information about whether the employee was disciplined or terminated.

It is evident that biometrics, and the collection of personal biometric information, raises obvious significant privacy concerns. It’s easy to see that this information can be used and misused. Yes, maybe it is a strong authentication measure, but the invasion of privacy and potential for misuse is in my opinion very undesirable.