Shostack + Friends Blog Archive


The Assignment of a Mandatory Identifier

surveillance-is-security.jpgSo two stories came out recently, and they’re connected by a thread, which is the assignment of identifiers. The first was in Government Computer News, “IG: U.S. Visit RFID needs better security controls,” which opens:

The RFID on the Form I-94s was designed with privacy protections, the inspector general said. Specifically, the RFID tag, which is a small computer chip, contains only a number. This number must be viewed within US Visit’s secure database to obtain personal information on the visitor.

Overall, the inspector general judged these privacy protections to be effective, and to present no “high or medium” information security vulnerabilities.

No, sir, that’s incorrect. That the card itself contains only a number means that that number will, eventually, be captured by a variety of actors, who will use it as yet another link in the chains which bind their databases. Worse, (as I understand it) the i-94 needs to be kept with the holder at all times, meaning that that number can be silently captured at the whim of anyone with the $50 to buy a radio receiver. Which brings us to the second story, “License Plate Tracking for All.”

The assignment of a mandatory and public identifier means that identifier will be captured and used by a variety of people, from police to lawyers to stalkers and murderers:

“I know it sounds really Big Brother,” Bucholz says. “But it’s going to happen. It’s going to get cheaper and cheaper until they slap them up on every taxicab and delivery truck and track where people live.” And work. And sleep. And move.

It all starts with the assignment of numbers. Then everything else, as Mr. Bucholz says, is going to happen.

PS: I must offer an appreciation for the clever fellows at AOL, who have offered us, if only briefly, AnonID.

“Surveillance is Security” image from

5 comments on "The Assignment of a Mandatory Identifier"

  • Justin Mason says:

    when did they start putting RFID in I-94s? wow, as if tourists visiting the US didn’t have enough surveillance-society fun 😉 The I-94 is bound into the passport. I certainly didn’t carry that at all times, so I think most tourists/visitors wouldn’t either.
    There’s another danger of this — even if the number is an opaque ID, the *presence* of the RFID chip means than an attacker can remotely detect the presence of an I-94, therefore a foreign passport, therefore a tourist ripe for a mugging (or whatever the attacker may have in mind).

  • Adam says:

    Around July, 2005. See
    When I drove into the US from Vancouver recently, there were 4 dinner-plate sized antenae and a sign saying “make I94 available” or something.

  • Justin Mason says:

    It must be at certain crossings, then; I took several flights back and forth between July 2005 and Feb 2006, mostly via LAX or ORD, and as far as I could tell, I-94s were dealt with manually there.

  • Adam says:

    I think it may be driving vs. flying, as well.

  • Adam, I hate to ruin a good rant, but something a lot bigger than license plate tracking is coming down the pipeline: Vehicle-Infrastructure Integration (VII). See this clumsy pdf from our friends at the DoT:
    The good news about a system like this is that if it’s properly designed, the identifying info can be kept locally. License plate surveillance requires centralization to do it’s job. Remote sensors CAN be designed to only transmit “important” data. I’m currently involved in a team trying to compare traffic surveillance systems for privacy and effectiveness.

Comments are closed.