Friday, January 11, 2008

Warning! Watch Where You Drink!

The frustration of proving one's age to buy things like alcohol and tobacco does not end when you reach the appropriate legal age. Those of us who are fortunate enough to have a youthful appearance are forever burdened with having to carry a state-issued ID card to every place where we might want to buy alcohol or tobacco. Over the past few years, we've been gradually subjected to another, more intrusive ID-related hassle -- that of electronic drivers license scanning. It's one thing when a government representative scans your driver's license; it's another thing entirely when a restaurant does it, and records your personal information in the process. Is this legal? Ethical? Secure? In order to find out, I contacted an electronic security and privacy expert, and the American Civil Liberties Union.


The incident at Houstons

It was August of 2006, and I decided to take my girlfriend out to a nice dinner. She's particularly fond of the veggie burger at Houstons, a regional restaurant chain owned and operated by the Los Angeles-based Hillstone Restaurant Group, which also controls the Gulfstream, Bandera, Rutherford Grill, Palm Beach Grill, Cherry Creek Grill, Los Altos Grill, and Cafe R&D restaurants.

We sat down and ordered drinks. I was, of course, asked for my driver's license, which I presented to the waitress. My girlfriend was not asked for her ID, which she found somewhat insulting, being that she is of an age to be insulted by the assumption that she looks over 30. The waitress thanked me for handing over my Florida driver's license, then hurried away before I could both recognize the fact that she'd walked off with my ID, and organize some kind of protest. She returned a few minutes later with our drinks, and handed me my ID card. "Why did you need to take my license?" I asked. "Oh, we had to verify it," she replied. "Out of curiosity, what do you do to verify it?" "We scan it through a machine that makes sure it's real," she said cheerfully.

I was totally shocked and really upset that my driver's license was just scanned without my consent, so I asked to speak with the manager. Not only was he clueless as to the license scanner's method of operation -- he insisted that it was for my own protection, which is as bizarre a statement as I can imagine -- but during the course of our heated and repetitive conversation he tried to flirt with my girlfriend to get her on his side, against me. I wrote a letter to an executive at Hillstone to complain about the situation on both levels, and a few days later I got a call from Robert Hardie, a regional vice president at Hillstone. The first thing he did was apologize for the manager's behavior; I responded by thanking him for the effort, but said that the only appropriate apology for the situation would come in writing from the manager I dealt with, not a proxy. This was the only remedy I was interested in, because I felt more insulted at the manager's behavior than I did about anything else -- I already wasn't going to eat at Houstons ever again because of the license scanning issue, but I wanted the situation to be made right. I was told that a written apology from the restaurant manager was not an option available to me. The second thing Hardie told me was that serving alcohol was a privilege, not a right, and that Hillstone implemented the license scanning procedure to protect customers from false IDs. I told him outright that what he'd just said was ridiculous because my safety and security were not at risk until my license was confiscated and scanned by the waitress, effectively putting me at risk instead of removing some imaginary risk. I asked him to explain how I could possibly benefit from his license scanning scheme. The answer was that it protects people under the age of 21 from drinking alcohol, which has benefits that are supposed to be obvious to me, and as a side effect it protects the restaurant from underage drinking sting operations.
"Aha," I said, "So it does not protect me, it protects you." He agreed reluctantly. Hardie further stated that he would make sure the manager I dealt with was reprimanded accordingly, but he was more concerned that the manager did not know all of the appropriate technical details of the scanning machine than he was about the man's behavior toward my girlfriend. Before our conversation was over, Hardie provided me with the exact make and model of the license scanning machine Hillstone-controlled restaurants used -- an IntelliCheck IDC1400. This model is no longer in production, but there are many like it showcased on the IntelliCheck home page.

Last week we decided to see if the restaurant had changed its policies, and reserved a table at Houstons. Again, the waitress tried to walk away with my license, but this time I stopped her and told her that under no circumstances was it to be scanned. "Look at it, test it with a blacklight, call the motor vehicles bureau, whatever -- you are not allowed to record that card electronically," I insisted. I then provided her with a second form of government issued photo ID that did not have a bar code or magnetic strip -- a concealed weapons permit. "That's two forms of government-issued photo ID -- that should be enough," I told her. She said she'd have to talk to the manager about it. It was a different manager this time, but instead of being condescending like the previous one, this manager was confrontational and aggressive. He asked what the problem was with license scanning. I told him what I've related here for the most part, adding that I'd researched the machine he was using and discovered that it was designed to record drivers license data. I would not permit this. "Then we don't serve you," he said indignantly. I told him that I was the only person at a table of 4 people who was asked for ID, and that this was not only insulting and belittling towards me, but that because of the waitress' inability to approximate my age, I had to forfeit the privacy of my driver's license information. This caused a rather explosive confrontation that prompted us to leave and relocate to a different restaurant. Was I right to disagree with this policy? Was I being paranoid, or was I just upset that at 29 I was still being asked for my license by some waitress who was not only substantially younger than me, but might actually not have been of legal age to serve me alcohol?

The security of license scanners

My first concern was the security of the data being collected from my driver's license. To better understand the risk in this situation, I contacted security expert Bruce Schneier. In addition to his blog, Schneier is also the author of 8 security-oriented books, including Beyond Fear, and many essays on cryptography, and security and privacy in the information age. The first thing I wanted to know was, of course, if civilians scanning state-issued drivers licenses constituted a dangerous and insecure situation. "The situation with hackers -- can the data be intercepted, can the database be hacked -- is scary, but it's not really a realistic threat when you consider the other information available to them, like credit card numbers and social security numbers," he replied. "This is just yet another database of information on you."

There isn't a lot someone can do with your driver's license number -- it's not nearly as important as a social security number, unless you live in a state like Arizona which uses your SSN as your driver's license number. SSNs are important to identity thieves, so electronic scanning of driver's licenses puts bar and restaurant customers at a heightened risk for identity theft. But if you have a non-SSN driver's license number, the data is not particularly important to thieves and other people with nefarious intent. What other threats would collecting this information pose? "Would you like a list of every bar you've visited to be posted on the Internet? How about marketing -- would you like to receive more of that? This data is sold to ChoicePoint and combined with other data about you and sold to a wide variety of companies for marketing." He went on to explore the idea of how this might be used in the future: "Let's say I had a bar -- I could offer a drink special for 10% off if you agree to let me sell your drinking data to Bacardi. There's nothing wrong with that because as the bar owner, I'd be telling you about it upfront and you'd have to agree to it. But to do this without notifying people, by collecting data through age verification, is kind of sleazy."

Indeed it is. I was not told that my license would be scanned, that my data would be collected and transmitted over a public network to some unknown corporation that has access to information that I thought was private between the state of Florida and me. The waitress took my license, walked away with it, and came back with my drink and the license. It wasn't until I questioned her that I found out that it was scanned. I told her that I did not give her permission to scan my license, but she thought I was joking with her. So now somebody somewhere has a record of my buying alcohol -- or more specifically, being carded for attempting or intending to buy it -- along with my name, address, height, eye and hair color, driver's license number, date of birth, the status of my eyesight, the classes of vehicles I am authorized to drive, and possibly also my photo and a copy of my signature.

"The record of your drinking habits could be used in court as evidence -- for instance, in a divorce case if your wife accuses you of being an alcoholic. A record like this could be used, but this kind of thing happens all the time in our society. Do you have some kind of toll booth pass, like EZ-Pass? Data from EZ-Pass usage has been used in divorce cases. Every time you use a credit card, there's a record of the purchase and where it occurred. Your cell phone's whereabouts can also be tracked. All of this information is being collected, organized, and used for all kinds of purposes, good and bad."

So how do we as consumers fight this? Schneier says that we're of course free to boycott establishments that use scanners, and that someday we may even see some bars advertised as offering anonymous drinking, as an alternative to places that collect and record information about your drinking habits. "You're basically screwed, because if you don't let them scan your license, they make you leave, or won't serve you. The courts and the ballot box are a better way to fight this matter. Talking to the employees won't make a difference because, as you said, it's company policy. They're going to do it because it's company policy, and since the decision about scanning is made far away from the point where it happens, you're not going to get anywhere."

Schneier recommended his The Future of Privacy essay, and this piece on license plate scanners for further reference in the matters we discussed.

An issue of civil liberties

Bruce Schneier suggested I contact the American Civil Liberties Union (ACLU), so I did. I received a response from Jay Stanley, the public education director of the ACLU's technology and liberty program. Here's what he had to say:

"This is certainly a violation of our privacy/civil liberties. It is a violation of the principle that personal information collected for one purpose should not be used for other purposes without an individual's affirmative, fully informed permission. The fact that you provide information to prove you are complying with drinking-age laws should not require you to give up other personal information about yourself, and to be tracked.

Personally when I am asked for a driver's license for various reasons (age-verification being an increasingly rare occurrence for me), I watch carefully to make sure that it is not scanned and am not afraid to challenge, ask sharp questions if I have to.

At the same time, there is only so much the individual can do, for example if such scanning is widespread or if you're not in a position to walk out on a place whose practices you don't like. This is just one of many examples we are seeing today of novel privacy violations due to the growth of technology. Ultimately, our country needs good privacy laws implementing the "use limitation" principle I mentioned above and the other well-established basic principles of privacy, which every other industrialized nation around the world has enacted through overarching privacy legislation."

Does it really work?

Currently, the best way to visually identify a valid driver's license is to view the holographic image embedded on the front face of the ID card. If you can't see it well enough by tilting the card at an angle, you can easily see the image with a blacklight. Many bartenders do have a small blacklight behind the bar exactly for this purpose. But the holographic image can be faked -- or more accurately, it can be suitably reproduced on a counterfeit ID. It is not easy to do this, and requires sophisticated printing technology that few civilians have easy access to, but you can buy a fake ID on the Internet or in person that will reproduce the holographic technology.

IntelliCheck offers little information about its technology on its Web site -- probably because it isn't terribly complicated to read a card, verify its data in a database, and print a message. In its "fast facts" PDF, IntelliCheck's only technical point in its list of advantages is, "Our patented technology reads, verifies and parses the information encoded on issued drivers licenses, identification cards and military IDs with magnetic stripes, one- and two-dimensional bar codes and smart chips." So we are to assume that the magic that makes electronic ID verification solutions more secure and accurate is contained in the bar codes and magnetic strip. Since bar codes are optically read, they can easily be visually reproduced, and since they're in standard, documented formats like PDF417 that have freely available encoders and decoders, they can also easily be hacked. You can make a bar code record anything you want -- including that you're of legal drinking age. That means that any electronic scanning solution that provides simple feedback will be defeated by hacked bar codes. Scanning solutions that involve authentication against a remote database can also be easily hacked -- you can simply use someone else's (valid) data in your bar code. Don't think you can defeat this by erasing the strip or drawing a black line through the bar code -- defacing your license is against the law in the state of Florida (and probably everywhere else, too), and you face a $100 fine if a police officer discovers that your license is not in good condition.

The restaurant managers at Houstons and their superiors at Hillstone told me that they had the utmost confidence that the IntelliCheck devices they used were totally safe and effective, but could not tell me who stores the driver's license data, or how it is transferred. All of them also denied that any data is recorded, but the IntelliCheck IDC1400 that they use is designed to permanently record driver's license data. In fact, all of IntelliCheck's current devices except one have the capacity to permanently store ID data, and some are designed solely for this purpose. According to Bruce Schneier, if the device reads and transmits data, it's recording it in some way, even if it's not kept on record. Furthermore, whatever entity is in charge of the driver's license database is likely recording when and where a license is verified because some electronic ID verification companies list the elimination of duplicates (multiple simultaneous or successive verifications, indicating a possible duplicated ID) as a feature.
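A data-minimizing age check, added here as an illustration and not taken from IntelliCheck or any other vendor: it reads decoded bar code text and keeps only an of-age flag and an expired flag, discarding everything else. The AAMVA-style element IDs (DAQ, DCS, DAC, DAG, DBB, DBA), the MMDDCCYY date layout, the sample record and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample: decoded bar code text in a simplified AAMVA-style layout
# (assumed: three-letter element ID followed by its value, one per line).
SAMPLE_SCAN = "\n".join([
    "DAQS123456789010",   # license number (constructed)
    "DCSSAMPLE",          # family name
    "DACPAT",             # first name
    "DAG123 EXAMPLE ST",  # street address
    "DBB03151978",        # date of birth, MMDDCCYY
    "DBA03152012",        # expiration date, MMDDCCYY
])


@dataclass(frozen=True)
class AgeDecision:
    """The only data that leaves the check: two booleans, no identity fields."""
    of_age: bool
    expired: bool


def parse_elements(decoded: str) -> dict:
    """Split decoded text into {element ID: value}."""
    elements = {}
    for line in decoded.splitlines():
        line = line.strip()
        if len(line) > 3:
            elements[line[:3]] = line[3:]
    return elements


def _parse_date(value: str) -> date:
    # Require exactly eight digits so a short or padded field is rejected.
    if len(value) != 8 or not value.isdigit():
        raise ValueError("date element is not MMDDCCYY")
    return datetime.strptime(value, "%m%d%Y").date()


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today, counting a birthday only once reached."""
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - before_birthday


def check_age(decoded: str, today: date, minimum_age: int = 21) -> AgeDecision:
    """Return the age decision; name, address and license number are never kept."""
    elements = parse_elements(decoded)
    try:
        dob = _parse_date(elements["DBB"])
        expires = _parse_date(elements["DBA"])
    except (KeyError, ValueError) as exc:
        raise ValueError("scan is missing a readable DBB or DBA element") from exc
    if dob > today:
        raise ValueError("date of birth is in the future")
    return AgeDecision(of_age=age_on(dob, today) >= minimum_age,
                       expired=expires < today)


if __name__ == "__main__":
    print(check_age(SAMPLE_SCAN, date(2008, 1, 11)))
```

The result reflects only what the bar code claims; it says nothing about whether the card is genuine or belongs to the person presenting it.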

There are many ways to work around or defeat this technology, some of them new (hacking the magnetic strip and bar code data), some of them old (having someone else buy the drink for you). There is no evidence to suggest that total reliance on devices like the ones produced by IntelliCheck and other vendors is any more effective than visual verification of IDs, and in theory could actually be much worse. When I was in Philadelphia last year, two bars I visited had a bouncer at the door scanning IDs with a handheld device. Neither of the bouncers was looking at the photos or other information on the licenses they were scanning -- people could have been handing them someone else's ID for all they knew. Neither did the waitresses at Houstons visually compare my photo and my actual appearance -- I could have given the bouncers or the waitress my older brother's ID for all they knew. It would have verified and been recorded, and had I been underage, I would have had a drink illegally and the bar would still have been at fault despite the use of electronic license scanners. So much for being safe -- a license scanner can't defeat the oldest of underage drinking tricks.

The long fingers of prohibition

Even if I were underage and used my older brother's ID and the waitress had checked the photo, who would know besides me (and possibly him)? There is enough of a family resemblance, and driver's ID photos are notoriously bad and barely representative of their subjects, that no bartender or even a police officer would be able to truly determine who I really am with an ID alone. When I was a teenager, friends over 18 used to let other people borrow their IDs to buy cigarettes all the time -- no one ever got caught. Security is a process of making easy attacks more difficult; it is not in the business of making things impossible, nor could it ever realistically be. Electronic license scanners will not stop underage drinking, and in effect could make the problem worse as they become more ubiquitous and bartenders and bouncers create logical shortcuts in their habits, scanning cards without looking at them. In situations where alcohol purchases involve little or no human interaction, such as at automated checkout lines in stores like Wal-Mart, the risk of underage alcohol sales through a totally electronic age verification process is greatly increased.

The current method of license verification that most grocery stores use is to view a license and type its date of birth numbers into the register, which then approves or denies the alcohol sale depending on age. Again, because this is a tedious process, if you look old enough or if the date on your license makes you significantly older than 21, most cashiers just type in 11111 for the date to make it easier. There really is no substitute for proper inspection and scrutiny -- electronic devices may make this process quicker, but they don't make it more accurate or secure. Sometimes technology makes our work easier, and sometimes it makes it easier for us to be lazy.

The heart of the issue here is that prohibition doesn't work. Every little scheme to try to enforce an unreasonable drinking age restriction will be met with a workaround or hack. Someday there may be a fingerprint scheme to try to ensure that you and your ID refer to the same person, and I have no doubt that within six months from the start of that policy, there will be a prosthetic skin device that will allow you to fake your fingerprint. As long as there are laws that people want to break, there will be clever ways to break them. Even if the sale of alcohol were somehow totally prevented to people under 21, the home brewing of alcohol would increase dramatically, just as it did during all-ages prohibition in the early 20th century. But before both the government and private businesses make more of an effort to crack down on under-21 drinking, they will first make it less private for everyone and more profitable for themselves. So like both the ACLU and security expert Bruce Schneier suggested, perhaps the best way to deal with this for now is to avoid places like Houstons that scan driver's licenses, and hope that someday in the future we don't have to actively seek out an establishment that offers anonymous drinking.


That's not all:
"If you visit a lot of bars and restaurants, you've likely crossed paths with drivers license scanners — machines that supposedly verify that your license is valid. In actuality, many of these scanners are designed to record your license information in addition to verifying them, and those that authenticate against a remote database are creating a record of when and where you buy alcohol. Not only that, but they're not even particularly effective — the bar code on your license uses an open, documented standard and can be rewritten to change your age or picture. Collecting our driver's license information is one thing, but collecting data about our personal drinking habits is not only a violation of, according to the ACLU representative quoted in the article, privacy and civil liberties, but this 'drinking record' could also create problems for people in civil and criminal lawsuits as proof of alcohol purchases in DUI cases or evidence of alcoholism in divorce lawsuits."

1 comment:

Anonymous said...

Really really interesting post. I used to be a Houston's employee and we were asked to card anyone who looked over the age of 40. And sometimes, even if the card doesn't go through properly (as in it doesn't scan), they still accept it. I know people who have used fakes and gotten through with it. The machine is just a bunch of rubbish. The restaurant's just trying to maintain its image of "professionalism" and blah.

Their number one rule is this "aim to please approach." Looks like they failed with you!