Skip to main content.
Friday, November 2nd, 2007

London Cameras

As a regular reader of Bruce Schneier’s excellent blog on security issues (which naturally examines impacts on privacy as a security trade-off), when I came to London I knew that I would probably be visible on at least one camera the whole time I was walking the streets. However, I had to chuckle when I encountered this sign in a pub in the Westminster district:

Toilet Sign in Pub in Westminster

Isn’t this taking the British fetish with cameras just a little bit too far?

On second thought, this is only funny if the sign placement was ill-considered. If it was intentionally placed as a practical warning, it is chilling.

Incidentally, for my flight over to Europe I had a long layover (eight hours) in Chicago O’Hare airport. I spent the time reading, trying to watch the Chargers game in a crowded sports bar, and ducking back and forth through security for a smoke. I hadn’t had much sleep the night before, and at some point I set down the book I was reading and walked away. I realized what I had done too late to go back, and at first I was concerned that someone might see it and call the bomb squad in. Then I thought about it and hoped that they would. The name of the book? Beyond Fear, Schneier’s very practical guide to making rational security choices.

Posted by Greg as Privacy, Travel at 09:37 PST

Comments Off on London Cameras

Saturday, March 17th, 2007

Swiping Driver’s Licenses

A couple of days ago I was in a Walmart, here in El Paso, and was purchasing beer and cigarettes. But I was taken off-guard when I was asked for ID. I’m forty-one years old – maybe a high-mileage forty-one. When I let my hair grow out (which I usually don’t) there’s quite a bit of grey at the temples, and the blond highlights in my Van Dyck are turning white.

So I haven’t been carded for a long, long time, except on the few occasions where I’ve been somewhere that they card everybody. But the reason for the checkout girl’s request became clear when, after I handed her my driver’s license, she glanced at it and swiped it.

I immediately got hot under the collar. I know that there’s normally enough information encoded in a driver’s license that, if it is entered in a computer, there is immediate access to those who have invested in commercial databases to know all sorts of things about you that you wouldn’t necessarily want them to know. I don’t want anybody to swipe my license. But I was mollified slightly when the young girl looked puzzled, glanced at the back of the license, and handed it back, saying that she was used to the magnetic strip on Texas driver’s licenses. I looked at it myself.

I’ve only had my Missouri driver’s license for five months, and it hasn’t stuck into my head yet that there is no magnetic stripe on the back. Yeah Missouri! Now, there is a large optical scan code there, and I’ve been meaning to decode it for a while, but the magnetic stripe is the gold standard of machine-readable cards, and I find its absence very comforting.

For most of the last fifteen years I’ve had a California driver’s license, with the exception of a couple of years each as Nevada and Rhode Island. California has the magnetic strip, but I recall that at least some of the time, I would degauss it after I got it. I don’t have to worry about that now, but I fear that it will be mandated by the Real ID Act. As an individual concerned about privacy, I strong oppose this thinly-veiled attempt to slip in a national ID card, and I’m thrilled that so many states are fighting it.

But what can you do to defend yourself against commercial operations that have a legitimate need to verify your age or identity, but who swipe your license without your consent? Usually, you have over the card for them to read, and they just quickly swipe it before you realize they’re going to do it. Once it’s been done, it’s too late. I can think a couple of habits that I need to start immediately.

  1. Hold the card up for them to see, instead of just handing it over.
  2. Keep your license in a clear plastic sheath that takes some effort to get it out, so you’ve got a little time to react in case it gets out of your hands. Of course, this means it probably won’t fit in most standard wallets.
  3. Tell anyone who insists on swiping your license that you charge a fee of US$25 ($50, $200? What would identity theft cost you?) for your personal information in machine-readable form. Maybe I can even make up a little sticker to attach to the plastic sheath, or better yet, over the magnetic strip, that informs the reader that such a fee will be charged. I don’t think that there is any law that requires a commercial interest to scan your license, but I’ve heard places will lie to you and tell you that there is to get that information. No one, of course, is going to pay this fee. But asking for it, especially if that means getting a supervisor involved, is at least sending the message that they’re trying to take something from you that has value.
  4. I know it will be hard on occasion, especially at some kick-ass bar you want to get into, but refuse to patronize a place that insists on scanning your license.
  5. This won’t work for everyone, but start using your passport as proof of id. A passport has a lot less info on it – specifically, it doesn’t show your home address, which is used to pin down the specific you in those huge databases. Personally, I’d had a passport since I was thirteen years old. I carried a US passport with me even when my military ID was enough to get me through Customs. I learned from what happened to Robert Stethem, the US Navy SEAL who was killed in 1985 when his plane was hijacked.

UPDATE: It’s only been a couple of days, and I’ve already screwed up. When I checked into my hotel in Hawai’i last night, I noticed without comment that they put my driver’s license on a little scanner that scanned the front face. It wasn’t until this morning that I realized that, with OCR as good as it is nowadays, that that’s as good as swiping the license. I’m used to people making a photocopy of my license, but this is definitely one step further. How do you refuse to patronize a place when you’re tired and checking in at ten thirty at night? I’m going to have to think more about this.

Posted by Greg as Privacy at 10:21 PST