WARNING: efficiency rant ahead.
So I came across a newsfeed today from the RSS-reader of my Gmail which made me a bit upset. Not for any really valid reason, like social injustice, but because it was about a large-scale misuse of technology.
In short, the Chinese government wants to institute a new national ID card with an embedded data-chip (supposedly) containing such wonderfully private information as:
- citizen's name and address
- work history
- educational background
- religion
- ethnicity
- police record
- medical insurance status
- landlord's phone number
- possibly personal reproductive history
- potentially credit histories, subway travel payments and small purchases charged to the card.
Basically, if you are Chinese you will be carrying your entire life on a small card in your wallet.
The goal of having all of this info is to help the police prevent crime. The reason this idea upsets me is not because of the possibilities for flagrant civil rights violations, but because it's a terrible security risk to carry all of that information around with you. If these cards use something like RFID technology, even worse, as it's been proven repeatedly that they're easy to hack (and from a distance, at that). It just doesn't make sense to me.
Why does all of that information need to be on the card itself? Even if it's 'protected' by the most ridiculously complicated cryptography, it's still physically THERE. No matter how long it takes to crack, if somebody steals the card they will have as much time as they want to try/succeed. And then there goes your privacy.
I have a better idea -- no wait, two better ideas. The first, which may not be applicable here (but sure is for US passports), is to avoid the whole 'remote-hacking' potential by not using RFIDs. Instead, use something similar that requires physical contact with the sensing device, or maybe a near-zero sensing range (I mean millimeters -- I don't want you scanning my pocket as I walk by). Credit card-type swiping isn't my favorite, since I've had problems with my cards wearing out. The monthly bus-pass I had in Lyon worked really well; I have no idea what type of chip it was, but I had to touch my wallet to the sensor pad to get it to scan.
The second is to do away with the whole 'carry-everything-for-all-possible-scenarios' idea (yes, if you know me I lug around extra stuff all the time, but this is different). Instead, have some really complicated personal identifier string embedded on the card (preferably under heavy encryption). This will then be read and unencrypted by official scanners that have must have a secure connection to a central database, where the personal id string will allow them to retrieve the relevant information. This way, you can steal my card, but I don't care since you can't do anything with my ID number (at least, not before I change it at the central repository). Unless of course you managed to steal a police scanner, or hacked the government's database, in which case I think there are much bigger problems to worry about.
Sure, it would require more resources to pass the id and info back and forth instead of the local read, but I'm pretty sure they do that anyway (since they need to use it to verify the card info to prevent forgeries). Yes, it probably requires more security on the network side, but again, it's probably already supposed to be there. My alternative just eliminates the most prominent security hole.
Read On [Chinese ID Cards]
http://www.thenewstribune.com/news/nationworld/story/131145.html>
http://www.nytimes.com/2007/08/12/business/worldbusiness/12security.html?_r=1&hp=&oref=slogin&pagewanted=print>
Read On [Hacked RFID tags]
http://www.engadget.com/2006/10/23/researchers-hack-rfid-credit-cards-big-surprise/
skip to main |
skip to sidebar
Random thoughts and things. Also the occasionnal travelogue.
WIIIIIIZZARD!!!
What about Cornflakes?
- dr.zaus
- Raleigh, Congo - Kinshasa
- Renegade vigilante with a penchant for verbosity.
No comments:
Post a Comment