Testimony on Oversight of the New York City Identification Program

Testimony of Jonathan Stribling-Uss on Behalf of the New York Civil Liberties Union 

Before the City Council Committee on Immigration

Hearing on Oversight of the New York City Identification (IDNYC) Program

The New York Civil Liberties Union (“NYCLU”) respectfully submits the following testimony regarding the IDNYC card. The NYCLU, the New York affiliate of the American Civil Liberties Union, is a not-for-profit, non-partisan organization with eight offices throughout the state and more than 180,000 members and supporters. The NYCLU’s mission is to promote and protect the fundamental rights, principles, and values embodied in the Bill of Rights of the U.S. Constitution and the New York Constitution.

Background on NYCLU involvement in the IDNYC program

At NYCLU our priorities include advocating for the rights of immigrants across New York and protecting individuals’ privacy from unwarranted government intrusion. Because the City’s proposal to include contactless technology in its IDNYC cards poses risks both to immigrants who live in our city and to the general public’s privacy, we write today to express our concerns about the proposal to include invasive technology in this otherwise valuable resource.[1]

When the IDNYC bill was first proposed in July 2014, the NYCLU objected to the initial requirement that the City store New Yorkers’ personal documentation in a manner that could be accessed by law enforcement without a demonstration of probable cause.[2] However, when the card was launched in 2015, the City responded to these concerns by ensuring that the IDNYC database does not retain individual documents.[3] Because the City recognized the unique harm of creating a new database that would include immense amounts of personal data and the IDNYC program was launched in a manner that protected the privacy of card-holders. Today, we are cheered by the fact that the IDNYC now has helped an estimated 1.2 million New Yorkers access basic services.[4]  And the City deserves credit for acknowledging the potential risks of harm to card-holders – particularly those without documentation or in a fluid citizenship status – and designing the IDNYC system to minimize those potential harms.

IDNYC has reached these 1.2 million card-holders under a system in which each person knowingly consented to the City holding their data. Indeed, IDNYC requires that people show up in person at an office within city limits with physical documents –eliminating the need for the city to maintain a vast database of personal documents that could be hacked or breached.[5] This physical contact is a smart strategy and is an excellent proxy for informed consent – that is, every card-holder knows precisely which information they’ve given to the City and that these documents are not digitally retained. We are very concerned that the City’s recent proposal to utilize contactless RFID (Radio Frequency Identification) technology risks upending this cautious, consensual, and low-risk approach.    

The Risks of Contactless Technology

The privacy and surveillance risks associated with contactless RFID technology are significant. The City has not informed us of the specific contactless technology or vendor they are considering for the new IDNYC card, but contactless technology opens up the very real possibility that  location, usage patterns, and IDNYC ownership can be remotely “sniffed” by third parties, creating acute new privacy risks for card-holders.  “Contactless” technology means that information stored on the IDNYC – and without question, the existence and use of the card itself – could be revealed from a distance without the card-holder’s knowledge or consent. And because the IDNYC was designed in large part to ensure that already vulnerable New Yorkers – including those without secured immigration status – could access basic services, even the fact that an individual holds an IDNYC could be information of interest to law enforcement agencies. Data related to the IDNYC could then be obtained by the NYPD, FBI, ICE, or Department of Homeland Security.

We urge the City to refocus its implementation of this program on the vulnerable communities it was intended to serve, rather than allowing IDNYC to become a tool for law enforcement. By adopting simple privacy protections, the City can take important steps in that direction. But the City’s statements and 2018 request to vendors (RFEI) indicates that the City has not fully understood the risks of contactless RFID technology.[6] The RFEI uses the term “smart card” in ways that are confusing and unclear. A smart card can refer to a number of distinct features: Broadly, the term can refer to a chipped card that either creates encryption for contact or contactless communications, or a contactless card, or a card with a full operating system that is able to do its own calculations and hold significant amounts of data on a powered chip. The City’s RFEI only requests vendor proposals on three clear technological standards: 1) ISO 7816 (contact), 2) 14443 A/B (contactless), and 3) 7813 (magnetic stripe).  None of these by themselves implement security or privacy features.[7]

One form of “smart” chip technology is an EVM (Europay, Visa, Mastercard) contact card, which is the chip that most people now have in their ATM cards. These contact chip cards do not pose the tracking risks of the various RFID/NFC cards, because the user has to physically insert their card into a device in order to use it – thus requiring specific knowledge and consent to each use. However, EVM security to ensure those transactions cannot be hacked is still a critical priority. If contact EVM cards are used they need a robust encryption standards for all data transfers.[8]

Another form of “smart” chip technology is RFID. RFID is not a standard, but rather a term for a spectrum of different wireless identification technologies.[9] Any “contactless” card that lacks its own power source is dependent on a RFID reader to transmit information across a distance. The security of RFID wireless transmission and encryption protocols depends on vendor and model. Some products are highly insecure and have been hacked or cloned in the past.[10] This includes Near Field Communications (NFC) contactless chip cards, which have been hacked despite the promises of a closer “read” range.[11]

Because RFID wireless implementation is passively powered by a secondary device (the device designed to read the card’s data), the ability to track it cannot be turned off. The person with the card reader controls the distance at which the card can be read – because the card is a tag that responds to radio waves.[12] This enables any prospective card-reader (including hackers, law enforcement, or anyone else with the equipment and motivation) to assess information from a card with contactless technology. In the IDNYC, that would mean that third parties could tune a card-reader to the proper frequency and discern—based on frequency, communication, or response—which transactions and individuals were using or carrying an IDNYC card.

Inserting contactless technology in a card designed for vulnerable New Yorkers could turn this ID from something that assists community members into a card that could create acute new privacy and tracking risks for them. Especially in our polarized political climate, vulnerable communities need the highest standards of security and privacy. Unfortunately, the City’s track record on location tracking is inconsistent and troubling. For example, in the roll out of RFID-enabled EZPass readers, the City claimed it would only use such readers at bridges and tunnels for toll purposes.[13] However, in 2013 NYCLU proved that the City had actually created a grid of readers where they could track traffic movement of the EZPass RFID tags through all of downtown Manhattan and many outer boroughs, because they installed readers on most major intersections without notice to residents.[14]  This act wasn’t just poor public policy – the City is walking on constitutional thin ice by tracking its’ residents granular location data without notice or consent. The Supreme Court’s recent holding in Carpenter v. U.S. confirms that a person maintains a legitimate expectation of privacy, for Fourth Amendment purposes, in the record of their physical movements. 

The information and inferences that could be drawn from the data leaked from a contactless IDNYC card are even more invasive than that from an EZpass reader – because they are used in a number of contexts, rather than just driving. And the consequences of this data leak from the IDNYC’s card use, whether from law enforcement, hacking, or simple database error, could paint a detailed target on the backs of those community members who hold one.

Hacking and Data Mining Risks

Significant vulnerabilities have been demonstrated in RFID cards over the past 10 years.[15] Most critically some versions of RFID cards, including the types that are in enhanced licenses, can be activated without the knowledge of the card holder at a distance of more than 250 feet with technology that can be bought for less than $1000.[16] This includes the subset of RFID known as Near Field Communications (NFC) technology. This contactless chip technology is regularly marketed as only having a read range of 3 to 5 cm, but security professionals have been able to read it at up to 5 feet and passively sniff it at up to 50 feet.[17] These attacks are ongoing in 2019, utilizing an off-the-shelf antenna which costs a few thousand dollars and can fit in a backpack.[18]

Many models of the cards can also be cloned by a card reader, simply by being close to the card itself. For example, nearly 3.5 billion trademarked Mifare RFID cards have been produced.[19] The vast majority of these are Mifare Classic Cards; the encryption on these cards was broken in 2008 and they are now completely vulnerable to cloning and sniffing of any personally-identifiable information on the card.[20]  Given this history, the City has a duty to take any corporate representations about the security of contactless cards, including NFC cards, with a shaker of salt. Indeed, the City simply cannot truthfully promise its residents that any IDNYC card with contactless technology will keep their whereabouts secure.

Creating one ID for many functions increases data mining risks, especially for the vulnerable individuals whom the IDNYC was designed to serve. The data stored or recorded by an IDNYC could be overlaid with traffic or usage patterns to de-anonymize it (meaning a third party could use bits of ostensibly anonymous data to re-identify the person associated with the card’s use). Academic studies have consistently shown that it only takes 3 pieces of known data to de-anonymize an individual in a whole data set.[21] Even data that doesn’t have any personal identifying information could still be correlated to connect a card or payment identifier. Just the time, place, sequence, or timing of IDNYC use would then allow an advertising company or government agency to undo the pseudonymous numerical identifier that the transit agency or payment company applied to each card. This would then allow them to go back in time, over all the travel or transaction data that they hold, and see details of all the transactions or travel that individual ever had in the system. The City has not given us enough information to understand what exact technology will be included in the proposed standards. 

Conclusion

We want an effective IDNYC card, without the risk of litigation or the possibility of mass surveillance overreach into vulnerable communities. Let’s make the IDNYC even more successful in the coming years and avoid risky contactless technology that could hurt individuals or undermine the City’s original purpose and long term goal in creating the IDNYC.