Testimony of Jonathan Stribling-Uss on Behalf of the New York Civil Liberties Union Before the City Council Committee on Immigration

In Support of Intro. 1706 Prohibiting a Smart Chip from Being Added to New York City Identity Card

The New York Civil Liberties Union (“NYCLU”) respectfully submits the following testimony in support of Intro. 1706, which would prohibit the addition of a smart chip and financial technology to the New York City Identity (“IDNYC”) card.

The NYCLU, the New York affiliate of the American Civil Liberties Union, is a not-for-profit, non-partisan organization with eight offices throughout the state and more than 180,000 members and supporters. The NYCLU’s mission is to promote and protect the fundamental rights, principles, and values embodied in the Bill of Rights of the U.S. Constitution and the New York Constitution.

History of the IDNYC program

When the IDNYC bill was first proposed in July 2014, the NYCLU objected to the initial requirement that the City store New Yorkers’ personal documentation in a manner that could be accessed by law enforcement without a demonstration of probable cause.[1] Because of these concerns, when the card was launched in 2015, the City responded by ensuring that the IDNYC database does not retain individual documents.[2] The City deserves credit for acknowledging the potential risks of harm to card-holders – particularly those without documentation or in fluid citizenship status – and designing the IDNYC system to minimize those potential harms. The IDNYC program was therefore launched, and has been administered, in a manner that protects the privacy of card-holders. IDNYC has reached 1.2 million card-holders under a system in which each person knowingly consented to the City creating a unique card. Indeed, IDNYC requires that people show up in person at an office within city limits with physical documents – and then does not store those documents after the card is created. This eliminates the need for the city to maintain a vast database of personal documents that could be hacked or breached.[3] This physical contact is a solid strategy and is an excellent proxy for informed consent – that is, every card-holder knows precisely which information they’ve given to the City and that these documents are not digitally retained. Today, we are elated by the fact that the IDNYC has now helped over one million New Yorkers access basic services.[4] And we believe that the IDNYC program has achieved this success precisely because of the community’s trust in the card – card-holders and community advocates have been able to rely on the IDNYC program’s robust security and privacy safeguards.
Unfortunately, the city has recently indicated an intention to divert from this privacy-driven approach and expand the IDNYC from an identification card into one that has digital financial technology (or “fintech” – which uses new technologies to acquire data about individuals to automate insurance, trading, banking services, and risk management industries) embedded into the card.

Financial technology is at odds with both the purposes of the card itself and the wishes of IDNYC cardholders. We are therefore encouraged to see the City Council take up a bill which builds on these privacy concerns by prohibiting a smart chip from being added to the New York City identity card, which would ensure that the card continues its existence as a vital and protective resource for all New Yorkers.

NYCLU support for Intro. 1706 prohibiting a smart chip in the IDNYC

Intro. 1706 is a straightforward bill that would require an IDNYC card to contain and transmit only the information that is visibly displayed on the face of the card. The bill states that an IDNYC “shall not contain or transmit any information other than that which is visibly displayed on the face of the card, or contain any additional device or mechanism for transmitting information.” With this change, Intro. 1706 prohibits any financial technology or payment systems being imposed on the ID, now or in the future. Consistent with the history and purpose of the IDNYC card, this bill would ensure that card holders know precisely which information the city, and the card, retain about them. Thus, this bill will ensure that card holders can continue to know with certainty just what information the city is taking and storing about them. In this manner, the IDNYC program can ensure that every card holder provides meaningful informed consent to the use and sharing of all the information they provide to the city.

The NYCLU supports Intro. 1706 because it ensures that the IDNYC cards do not contain any tracking or surveillance technology that could create grave risks for the vulnerable population served by the IDNYC. Its passage will help ensure that this government identification card continues to serve vulnerable communities by building on its most important asset – community trust. 

Dangers of marrying government identification and banking in one card

Intro. 1706 ensures that we are not creating one ID for many functions. Government identity documents should be sacred – they are required to live, work, and move around freely in the world. Governments should therefore be very wary of attaching additional functionalities – and any associated risks – into such a vital identification document. Financial technology no more belongs on a municipal ID than a MasterCard logo belongs on our driver’s licenses.

Overlapping identity and financial identification systems increases data mining risks, especially for the vulnerable individuals whom the IDNYC was designed to serve. The data stored or recorded by an IDNYC could be overlaid with traffic or usage patterns to de-anonymize it (meaning a third party could use bits of ostensibly anonymous data to re-identify the person associated with the card’s use). Academic studies have consistently shown that it only takes three pieces of known data to de-anonymize an individual in a whole data set.[5] Even data that doesn’t have any personal identifying information could still be correlated to connect a card or payment identifier. Just the time, place, sequence, or timing of IDNYC use would then allow an advertising company or government agency to undo the pseudonymous numerical identifier that the transit agency or payment company applied to each card. This would then allow them to go back in time, over all the travel or transaction data that they hold, and see details of all the purchases or travel that individual ever had in the system. The City has not given us enough information in writing to understand what exact technology will be included in the proposed standards and how this type of metadata collection could be avoided. Among the potential fintech the city is considering is “contactless” technology, which relies on RFID chips and remote readers to access information digitally stored on the card. We are very concerned that the City’s recent proposal to utilize contactless RFID (Radio Frequency Identification) technology risks upending IDNYC’s cautious, consensual, and low-risk approach.[6] All contactless technology opens up the very real possibility that location, usage patterns, and IDNYC ownership can be remotely “sniffed” by third parties, creating acute new privacy risks for card-holders. 
“Contactless” technology means that information stored on the IDNYC – and without question, the existence and use of the card itself – could be revealed from a distance without the card-holder’s knowledge or consent.[7] This is not a worthwhile tradeoff for an ID that is designed to support the most vulnerable among us.
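
The re-identification risk described above can be measured on a usage log before any such data is retained or shared. The following Python sketch is an added illustration, not part of the NYCLU testimony or of any City system; the record layout, place names and pseudonyms are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: (pseudonymous card id, place, hour of day).
# No name or PII appears, only the token an operator assigns to each card.
EVENTS = [
    ("c1", "Jay St", 8), ("c1", "Library-Main", 12), ("c1", "Clinic-A", 17),
    ("c2", "Jay St", 8), ("c2", "Library-Main", 12), ("c2", "Pharmacy-B", 18),
    ("c3", "Jay St", 8), ("c3", "Museum-C", 13), ("c3", "Clinic-A", 17),
    ("c4", "Fulton St", 9), ("c4", "Library-Main", 12), ("c4", "Clinic-A", 17),
]


def traces(events):
    """Group events into one set of (place, hour) points per pseudonym."""
    by_card = defaultdict(set)
    for card, place, hour in events:
        by_card[card].add((place, hour))
    return dict(by_card)


def matching_cards(by_card, known_points):
    """Pseudonyms whose trace contains every externally known point."""
    known = set(known_points)
    return sorted(c for c, pts in by_card.items() if known <= pts)


def unicity(by_card, k):
    """Share of k-point subsets of a card's trace that match that card only.

    A value near 1.0 means k observations of a person (seen at a place at
    a time) are enough to single out their pseudonym, and with it their
    entire history in the log.
    """
    total = unique = 0
    for card, pts in by_card.items():
        for subset in combinations(sorted(pts), k):
            total += 1
            if matching_cards(by_card, subset) == [card]:
                unique += 1
    return unique / total if total else 0.0
```

On this constructed log, one known point singles out a card a quarter of the time, two points half of the time, and three points every time, even though the log holds no identifying fields.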

Responding to The City’s “Smart Chip Exploratory study”

The City has claimed that the addition of the “smart chip” in the IDNYC card is in response to demands from card holders. However, the City’s own research, as articulated in the City’s “April 17th, 2019 IDNYC Card & “Smart Chip” Exploratory Study,” is profoundly limited and deeply divided. The research relies on a tiny sample, without statistical or scientific controls. Based on this small sample, the City claims that a chip is needed for banking access in the card. But from the questions asked in the survey, it is difficult to distinguish whether the City is discussing access to a bank account, which is a request shared by many people in the survey, or whether people are looking for a prepaid card with a “chip.” The addition of a chip into the IDNYC does nothing to give unbanked people access to a bank account. Even after the addition of a chip into the IDNYC card, many major banks will still refuse to allow it to be used as a primary ID for opening a bank account. The goal to increase financial equity for unbanked people is a worthy one, but adding intrusive financial tracking technology to a government ID is not the solution to this problem.

Indeed, the most broadly supported survey response is the significant concern cardholders have toward any tracking of their card use. The City’s April 17th, 2019 IDNYC Card & “Smart Chip” Exploratory Study articulates this need for robust privacy guarantees with a strong preference to resist any technology that could be used for tracking the cards. This is articulated as the primary worry of people utilizing the IDNYC card. Card holders’ concern over personal privacy should therefore be the starting point of analysis for any newly inserted design or technology elements. Utilizing the City’s own information presented in their exploratory study group in the criterion for smart chips, it is clear that contactless cards simply cannot meet this need for tracking minimization. Because RFID wireless implementation is passively powered by a secondary device (the device designed to read the card’s data), the ability to track it cannot be turned off. The person with the card reader controls the distance at which the card can be read – because the card is a tag that responds to radio waves.[8] This enables any prospective card-reader (including hackers, law enforcement, or anyone else with the equipment and motivation) to access at least certain information from a card with contactless technology without the knowledge or consent of the cardholder. There is little question that among the data that could be “sniffed” remotely is the simple fact that a person carries an IDNYC card – data that itself may be of immense interest to immigration authorities, for example.[9]

Responding to The City’s claims about smart chip encryption

In addition, City staffers and third parties hired by the city have cited “encryption” as a less than specific buzzword to address any privacy or security concern advocates may have with the proposed changes to the card. The encryption on the card might protect certain information (e.g. Personally Identifiable Information, or PII), but will almost certainly broadcast that the user has an IDNYC card – a harmful revelation that could be weaponized by federal immigration authorities or hackers attempting to prey on vulnerable communities.

The unspecific and overbroad use of the term “encryption” to solve more serious privacy issues is an unfortunately common – but often hollow – refrain in many policy debates. The science of cryptography has provided many important benefits to modern technology, and cryptography’s application, in the form of encryption, allows for many confidentiality, integrity and authentication functions that are necessary for everyday information systems, including banking, Wi-Fi, and internet systems. However, invoking encryption to obscure difficult questions about functional electromagnetism is a misunderstanding of which branch in the tree of scientific knowledge a project rests on. Regardless of encryption protocol, RFID/NFC (Near-Field Communication) systems reveal their historical bytes to all interested transmitters, because the systems require physical power from the transmitter and must reply in some form to that power.[10] Encryption simply cannot limit the ability of third parties to surreptitiously sniff RFID/NFC cards at a distance, an ability that will only increase over time, as transmitters become more ubiquitous and powerful.
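
To make the point about historical bytes concrete, the following Python sketch parses the Answer To Select (ATS) that an ISO/IEC 14443-4 Type A card returns during activation, before any application-level encryption is negotiated. It is an added example, not part of the testimony or of any IDNYC design; the sample ATS, the `KNOWN_PROFILES` table and its label are constructed assumptions.

```python
# Constructed ATS (Answer To Select) for an ISO/IEC 14443-4 Type A card:
# TL=0x0A, T0=0x78, TA(1)=0x80, TB(1)=0x70, TC(1)=0x02, then five
# historical bytes spelling "ID-v1". Not captured from any real card.
SAMPLE_ATS = bytes.fromhex("0a78807002" "49442d7631")

# Hypothetical lookup table: historical bytes -> card product label.
KNOWN_PROFILES = {b"ID-v1": "hypothetical municipal ID, profile v1"}


def parse_ats(ats: bytes) -> dict:
    """Split an ATS (CRC already stripped) into its cleartext fields."""
    if not ats or ats[0] != len(ats):
        raise ValueError("TL must equal the ATS length")
    fields = {"fsci": None, "interface": {}, "historical": b""}
    if len(ats) == 1:          # TL only: card uses protocol defaults
        return fields
    t0 = ats[1]
    fields["fsci"] = t0 & 0x0F  # coded frame size the card accepts
    pos = 2
    # T0 bits 5..7 announce which interface bytes follow, in this order.
    for name, mask in (("TA1", 0x10), ("TB1", 0x20), ("TC1", 0x40)):
        if t0 & mask:
            if pos >= len(ats):
                raise ValueError("ATS truncated before " + name)
            fields["interface"][name] = ats[pos]
            pos += 1
    fields["historical"] = ats[pos:]  # everything left is historical bytes
    return fields


def card_profile(ats: bytes) -> str:
    """Label a card from activation data alone; no key is involved."""
    return KNOWN_PROFILES.get(parse_ats(ats)["historical"], "unknown")
```

Nothing in `parse_ats` or `card_profile` touches a key: the card type is recoverable from the activation response however well the data stored on the card is encrypted.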

The ISO (International Organization for Standardization) standardization specifications for NFC are helpful in understanding what the designers of NFC systems are hoping their systems achieve. However, standards are written ideals that do not fully represent how the final system operates in the physical world. NFC is a standard which is designed to have a smaller read range (3-5 cm) than the incredibly broad 250-foot range of normal RFID. That is the ideal in the NFC ISO standards. However, in real life the NFC read range has been shown to be much greater: as much as 3-50 feet for sniffing or reading.[11] This read range is always controlled by the reader, not the card, which means that as transmitters become more technologically advanced the readers will have a more extreme range. This problem cannot be solved by encryption. It is a physics problem, to which the City can offer no technical solution other than the prohibition on this type of technology as contained within Intro. 1706.

Conclusion

The NYCLU supports an effective IDNYC card, without the risk of privacy harms, mass surveillance, or undermining the trust of vulnerable communities. Intro. 1706 honors the original purpose of IDNYC and will make it even more successful in the coming years by avoiding risky contactless RFID or tracking technology that could undermine the City’s original purpose in creating the IDNYC.

[1]     NYCLU, Testimony in Opposition to Proposed Rules Governing The City Identification Card Program, available at https://www.nyclu.org/en/publications/testimony-opposition-proposed-rules-governing-city-identification-card-program See also NYCLU, Statement of the NYCLU Regarding the New York City Municipal ID Bill, available at https://www.nyclu.org/en/publications/statement-nyclu-regarding-new-york-city-municipal-id-bill (last accessed 2/11/2019)

[2]     NYCLU, City Can Reduce Risks that NYC IDs Pose for Undocumented New Yorkers, available at https://www.nyclu.org/en/press-releases/nyclu-city-can-reduce-risks-nyc-ids-pose-undocumented-new-yorkers (last accessed 2/11/2019)

[3]     City of New York, New York City Identity Card Program Quarterly Report October 1, 2018 – December 31, 2018, available at https://www1.nyc.gov/assets/idnyc/downloads/pdf/quarterly-report-20181231.pdf (last accessed 2/11/2019)

[4]     City of New York, New York City Identity Card Program Quarterly Report October 1, 2018 – December 31, 2018, available at https://www1.nyc.gov/assets/idnyc/downloads/pdf/quarterly-report-20181231.pdf (last accessed 2/11/2019)

[5]     Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization UCLA Law Review, Vol. 57, p. 1701, (2010) available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006 (last accessed 2/11/2019) See also Philippe Golle, Revisiting the Uniqueness of Simple Demographics in the US Population available at http://crypto.stanford.edu/~pgolle/papers/census.pdf (last accessed 2/11/2019)

[6]     City of New York, Request for Expressions of Interest (RFEI) IDNYC Dual Interface Card Payments Initiative, available at https://tech.cityofnewyork.us/wp-content/uploads/2018/05/IDNYC-Smart-Chip-RFEI.pdf  (last accessed 2/11/2019)

[7]     Chris Paget, DEF CON 18 - Chris Paget - Extreme-Range RFID Tracking available at https://www.scribd.com/document/145653052/Extreme-range-RFID-hacking-by-Chris-now-Kristin-Paget (last accessed 2/11/2019) See also DEF CON 18 - Chris Paget - Extreme-Range RFID Tracking available at  https://www.youtube.com/watch?v=q9_8F_BKeto (last accessed 2/11/2019)

[8]     In an RFID system a reader includes a radio transmitter and receiver.

[9]     Renaud Lifchitz, Hacking the NFC credit cards for fun and debit  Hackito Ergo Sum (2012) available at https://deepsec.net/docs/Slides/2012/DeepSec_2012_Renaud_Lifchitz_-_Hacking_the_NFC_Credit_Cards_for_Fun_and_Debit_%3b).pdf (last accessed 2/11/2019) see also Gerhard Klostermeier RFID/NFC-Grundlagen - A Pentesters Perspective available at https://media.ccc.de/v/gpn18-79-rfid-nfc-grundlagen-a-pentesters-perspective#t=333 (last accessed 2/11/2019)

[10]   List of historical bytes and associated contactless cards: By Ludovic Rousseau https://archive.fo/QXk2v

[11] Renaud Lifchitz, Hacking the NFC credit cards for fun and debit  Hackito Ergo Sum (2012) available at https://deepsec.net/docs/Slides/2012/DeepSec_2012_Renaud_Lifchitz_-_Hacking_the_NFC_Credit_Cards_for_Fun_and_Debit_%3b).pdf (last accessed 2/11/2019) See also Gerhard Klostermeier RFID/NFC-Grundlagen - A Pentesters Perspective available at  https://media.ccc.de/v/gpn18-79-rfid-nfc-grundlagen-a-pentesters-perspective#t=333 (last accessed 2/11/2019)