Report Finds Significant Privacy and Security Flaws in Enhanced Driver's License and Passport Cards

Oct 24, 2008
By: Nicole A. Ozer

ACLU of Northern CA

The University of Washington and RSA today released a report on the significant privacy and security vulnerabilities of RFID-embedded Enhanced Driver's Licenses and Passport Cards.

  • Cloning: The report demonstrates susceptibility to straightforward cloning. A key anti-cloning feature proposed by the U.S. Department of Homeland Security (the tag-unique TID) remains undeployed in these cards.
  • Read ranges: The report details experiments that show how these tags can be read at a very long distance and how that read range impacts privacy and makes them susceptible to "skimming" and cloning.
  • Ineffective Shielding: The report finds that the Enhanced Driver's License is vulnerable to reading while placed in protective sleeves, and also to denial-of-service attacks and covert-channel attacks.

The ACLU of Northern California has been working for many years to get the word out about privacy and security vulnerabilities of insecure RFID technology and ensure that government-issued ID documents have adequate protections.

Governor Schwarzenegger recently signed SB 31 into law, making it illegal for a Californian's identification document to be read from a distance without her knowledge or consent. This was a preliminary step in the right direction, but much more needs to be done to protect the privacy and security of millions of Californians.

California should not consider issuing an Enhanced Driver's License (DHS has been wooing the state for some time to start issuing these documents) or any other RFID-embedded government identification without ensuring that the document has the necessary technological protections to fully safeguard the privacy and security of Californians.

SB 768, which was passed with overwhelming bipartisan support by the California legislature, would have set a baseline for necessary technological protections so that RFID information could not be read surreptitiously. Unfortunately, the bill was short-sightedly vetoed by Governor Schwarzenegger.

For more information about RFID technology and the ongoing work of the ACLU of Northern California on this important topic, please visit the RFID page and read a recent Stanford Technology Law Review article on the topic.