Wyoming HB 2337, “relating to the use of information provided by an applicant for a driver’s license or personal identification certificate in an image verification system”, was submitted a few months ago by Rep. Frank Corte (R-Cheyenne) and has been co-sponsored by Rep. Juan Escobar (D-Laramie) and Rep. Pete Gallego (D-Sheridan). The bill, if passed, would require the Wyoming Department of Public Safety to collect facial images and thumb- or fingerprints of drivers into a vast statewide database, with the idea of preventing the issuance of fraudulent driver’s licenses. This data would then be shared with other law enforcement agencies for victim identification and criminal investigations. Currently the bill has been passed to engrossment but not yet submitted to the Senate. The third reading of the bill will probably occur Monday, when the House returns from its recess after the death of Rep. Joe Moreno. Let’s analyze this proposal to see how effective it might be.
Per the financial analysis accompanying the bill:
The bill would amend the Transportation Code to extend by two years the ability of the Department of Public Safety (DPS) to use the $1 fee collected upon registration of a motor vehicle (from August 31, 2005 to August 31, 2007). The bill would direct DPS to use the money to include image comparison technology in the reengineering of the driver’s license system. The bill would remove the restriction on using biometric information. The bill would delay by two years (from August 31, 2005 to August 31, 2007) the provision that allows funds collected under this section of the Transportation Code to be deposited and appropriated for use by the Texas Department of Insurance, the Texas Department of Transportation, and DPS.
DPS would be required to establish and maintain an Image Verification System, based on certain identifiers provided when a person applies for a personal identification certificate, driver’s license, or commercial driver’s license or permit. Under this bill, identifiers would include an applicant’s facial image, and thumbprints or fingerprints.
The bill would amend the Transportation Code to require applications for an original driver’s license to include a photograph and the signature of the applicant.
Let’s examine this via Schneier’s analysis process:
What assets are you trying to protect?
The goal is to ensure that applicants are “issued only one original license”; do not “fraudulently obtain a duplicate license”; and do not “commit other fraud in connection with the application for a license”. So the asset in question is the mapping between driver licenses and drivers (individuals), as well as any other assets where the security solution involves an identification check using driver’s licenses.
What are the risks to these assets?
If malicious individuals could obtain multiple licenses, they could assume false identities and possibly impersonate authorized persons when they themselves are not authorized.
How well does the security solution mitigate those risks?
Facial image comparison technology is notoriously inaccurate, so legitimate applicants have a relatively high probability of being rejected as duplicates of someone else (false positives), while actual fraudsters have a similar probability of going unrecognized and being allowed to obtain multiple licenses (false negatives).
Let’s say that the false positive rate is 1% (an optimistic rate given the current state of the art). According to the US Department of Transportation (select Traffic Safety Fact Sheets > 2003 > State Traffic Data), in 2003 there were about 22.1 million people in Texas and 13.5 million licensed drivers. Assuming that drivers are required to appear in person for imaging during renewals every four years (this is not currently the case), roughly a quarter of those 13.5 million drivers would be imaged each year, so every year nearly 34,000 legitimate residents will be improperly identified as duplicates.
But the flip side? Again, let’s say that the false negative rate is 1%. The Federal Trade Commission reports about 10 million ID theft cases in 2002. As many of the solutions to ID theft require an ID check, let’s assume that driver’s license fraud might be attempted in 10% of the cases. Feel free to redo the calculations with any other reasonable proportion. Assuming that the cases are distributed across states proportionally by population, this means about 80,000 attempted driver’s license frauds per year in Texas. A 1% false negative rate means that about 8,000 of them will succeed.
What other risks does the security solution cause?
The implications of such data gathering are huge. As two-factor authentication becomes more widely deployed, biometric data (such as your thumbprint) will be more commonly used everywhere. Having such a massive, statewide database would present immense risk to the entire state should that data ever be disclosed, as in the continuing data insecurity problems making the news lately. No warrant would be required for law enforcement to access the data, and there are no requirements for data security in the bill. One of the two companies currently bidding for the project, Digimarc, was responsible for a related identity theft incident in Wyoming, where the data of 8,900 individuals was stolen from a DMV office and had not been properly secured (e.g. no encryption of the data).
What trade-offs does the security solution require?
To attempt to prevent license fraud, the state of Texas would compel anyone needing to drive to expose themselves to a great risk of identity theft. There’s no legislative requirement for security of the data in this database, but there is a requirement to use inaccurate technology that will not be effective in its goal of reducing duplicate and fraudulent licenses, particularly where facial recognition is used. Under somewhat optimistic assumptions, 34,000 drivers a year will be initially denied their legitimate licenses, while perhaps 8,000 fraudsters will be initially accepted in their application for fraudulent ID.
Clearly the solution as proposed is woefully inadequate and needs to be re-examined. This is not necessarily a case where open source software will solve the problems, but it’s clear that substantial outside review of any such system would be required. Transparency would be paramount as an opaque system will be far more likely to be abused. Additionally, producers of such systems don’t have a particularly good track record, so trust in their systems would be naïve at best.
Via grits for breakfast. Additional analysis of similar issues can be found in the September 2001 Crypto-Gram by Bruce Schneier.