by Kevin Baker
If someone tried to sell you security software that was ten years old, would you buy it? Of course, it wouldn’t make sense to spend money on something that’s now outdated and vulnerable. Just like it doesn’t make sense for California to spend millions on driver’s licenses that come with unencrypted computer chips – especially when you consider that those chips have been widely recognized as insecure for over a decade.
Unfortunately, the California legislature passed a bill that would do just that.
If Gov. Brown doesn’t veto SB 249 (Hueso), the California Department of Motor Vehicles will issue “enhanced” driver’s licenses (EDLs) that use unencrypted computer chips called Radio Frequency Identification (RFID) tags.
Experts warned that this technology was insecure ten years ago, when the Department of Homeland Security (DHS) under President Bush first introduced these licenses. Back then, DHS admitted that the personal information stored in these chips could be read from a distance of up to 30 feet.
In fact, a security researcher built a reader with $250 in spare parts, drove around downtown San Francisco, and proved how easy it is to read and copy these documents – without anyone ever knowing or even suspecting their information was being skimmed.
Sound creepy? That’s because it is. This technology is a dream come true for identity thieves and stalkers, and a civil liberties nightmare for Californians concerned about government intrusion and tracking.
Proponents of these EDLs are pitching these licenses as a way to speed up border crossings. But that is an empty promise when the state can’t control border wait times, and SB 249 fails to ensure that EDLs have even the most basic privacy and security safeguards included in a U.S. passport and modern smartchip credit cards. These days even smartphone messages are encrypted. Should your driver’s license be less protected than your text messages?
The bill would also give any employer in the state the green light to make EDLs a job requirement even if the licenses are not job-related. This would allow an employer to fire or refuse to hire those who are unwilling to put their personal privacy at risk or anyone not eligible for an EDL, such as noncitizens or those that don’t pass a federal background check.
For this reason, and many others, the ACLU of California and numerous other organizations across the political spectrum have expressed significant privacy and safety concerns.
Other states have rightly refused to adopt EDLs. There is no reason why California should settle for this unnecessary, outdated and risky technology.
Kevin Baker is the Legislative Director for the ACLU of California’s Center for Advocacy and Policy.
If the EDLs are such a problem, who are the proponents and what do they say about the security issues?
The Assembly Judiciary Committee analysis of the bill has a thorough discussion of the privacy and security issues: http://www.leginfo.ca.gov/pub/15-16/bill/sen/sb_0201-0250/sb_249_cfa_20150906_125255_asm_comm.html
why is the democratically controlled assembly judiciary committee ignoring expressed concerns by the aclu?
My understanding is that it’s very easy to block RFID chips with simple DIY sleeves (search instructables.com) or RFID-blocking wallets that are now widely available at modest prices.
This is additional evidence of the idiocy of overbearing, power-mongering, technologically illiterate politicians and the value of a free press. Oink!