The Royal Academy of Engineering has just released a report entitled Dilemmas of Privacy and Surveillance Challenges of Technological Change. The report focuses on areas where the developments in IT have had a particularly significant impact on personal privacy. It gives examples of some of the harm that can be done by exposing people to these risks, for example while talking about RFID chips in British passports:

With sensitive personal details readable over a distance, it could even become possible, with appropriate antennas and amplification, to construct a bomb that would only detonate in the presence of a particular nationality or even a particular individual.

The report also covers proposed government databases holding sensitive personal information. It urges the government to prepare for failures in these systems.

There are a number of incidents in which a government or series of governments have suffered loss of trust due to poor role performance, or perceived poor performance. Crucially to the interests of this report, a number of these relate to the introduction of new technologies. For example, the implementation of a new computer system in the Child Support Agency (CSA) was considered a disaster, with many vulnerable people failing to receive child support payments due to its inadequate functioning. The failures associated with the CSA have been brought up in criticisms of plans for the NHS project ‘Connecting for Health’ which involves bringing modern computing systems to the NHS. They have also been raised in connection with the ID cards scheme and the associated National Identity Register (NIR).

Both past problems and recent difficulties mean that government is vulnerable when it comes to trust in their ability to implement a large IT project, or any other complex business change project. Of course, government is not alone in experiencing difficulties in implementing complex projects with a large IT component, but it is particularly vulnerable since its projects use public money and involve critical services such as the NHS.

The Academy calls for the government to take action to prepare for such failures, making full use of engineering expertise in managing the risks posed by surveillance and data management technologies. It also calls for stricter guidelines for companies who hold personal data, requiring companies to store data securely, to notify customers if their data are lost or stolen, and to tell them what the data are being used for. It recommends that engineering solutions should be devised which protect the privacy and security of data.

Great piece in The Guardian about how Adam Laurie and No2ID’s Phil Booth cracked the new hi-tech passport RIFD chips. If you weren’t worried about these new passports before, you should be:

Within minutes of applying the three passports to the reader, the information from all of them has been copied and the holders’ images appear on the screen of Laurie’s laptop. The passports belong to Booth, and to Laurie’s son, Max, and my partner, who have all given their permission.

Booth is staggered. He has undercut Laurie by finding an RFID reader for £174, which also works. “This is simply not supposed to happen,” Booth says. “This could provide a bonanza for counterfeiters because drawing the information from the chip, complete with the digital signature it contains, could result in a passport being passed off as the real article. You could make a perfect clone of the passport.”

Wired reports on a Department for Transport pilot scheme to test RFID chipped car numberplates here in the UK, with battery powered chips that can broadcast their identity up to 300ft. Considering that we don’t have that many toll bridges or roads here, and the congestion charge is limited to London, I wonder what the justification for this would be. What problem do we have that RFID chipped plates would solve?

If they want to use RFID chips to allow people to pay bridge tolls or the congestion charge, why make them embedded in the number plate and not a hand-held device one could leave in the glove compartment or transfer from car to car? If it’s about geolocation of stolen cars, well, we already have transponders you can buy that can do that for you.

So what is it about? Identifying speeding motorists as they go past speed cameras? Would the rise in income from fines justify the cost of chipping 25 million cars on our roads? Or is this about location and prosecution of tax and insurance evasion? Trouble is, the DVLA claim they can do from their desks now just by checking their database, so that’s not a compelling argument either.

So let’s see: The government are wasting our money testing an expensive solution that doesn’t actually solve any real problems and which no one in their right minds would want. If they tell us it’s for ’security’ and to ‘crack down on terror’… well, words fail me.

Originally posted on Chocolate and Vodka.

RFID, automatic vehicle tracking, privacy