The MTO and “security through obscurity”

A component of our research project involves investigating what information is stored on the magnetic stripe and barcode of the Ontario driver’s licence. This has proved to be a challenging task. So far, we have received this official response from the Ministry of Transportation (MTO):

the information stored in the barcode and magnetic stripe is for use by law enforcement personnel to confirm the information that is displayed on the front of the card.”

That may indeed be the purpose that the magstripe and barcode were originally designed for, but function creep has extended the use of the driver’s licence far beyond law enforcement. Card readers and barcode scanners are used at many establishments throughout Ontario. Recently, the “We Expect ID” program has enabled convenience stores throughout the province to swipe a customer’s ID if they look under 25. Owners may claim that they are swiping ID for law enforcement purposes. But what other latent purposes might be lying under the surface of this practice? What is to stop the owner of one of these private stores from realizing the potential value of the personal information that he has collected on his customers? What is to stop him from then selling this coveted information to third-parties, e.g. marketers?

Our point is not that card swiping and barcode scanning should never be practiced. Rather, our point is that if the public is at least made aware of the personal information that is being transmitted whenever a magstripe or barcode is used, perhaps more people will begin to insist on privacy protective principles. For example, when a card is swiped through a reader, all of the information on that card is usually captured. Why should a convenience store need to capture your name, height and driver’s licence number? The store should only need to capture the date of birth, and even that should not be held in the database longer than necessary.

The letter continues:

to maintain the integrity and security of the driver’s licence card, the Ministry of Transportation does not disclose to the public the specific content or formatting of the information stored in the magnetic stripe and barcode.”

But we here on the Prop-ID project do not subscribe to security through obscurity, which is essentially what the MTO is promoting with this response. Feel free to read the many convincing arguments against the “security through obscurity” approach here. If there are in fact security vulnerabilities in the Ontario driver’s licence, then they should be dealt with by design, not by obfuscation. Obfuscation is not only a poor approach to security, it also unnecessarily deprives the public of full knowledge about the ID documents carrying their personal information. Surely, in a democratic country, citizens should be entitled to fully understand any and all ID documents that carry their personal information. With this principle in mind, then, we would like to share with you what we have thus far been able to learn about the Ontario driver’s licence magstripe and barcode:

1) the driver’s licence information can be captured using a three-track magstripe reader and 2D barcode reader.

2) the larger barcode on the bottom of the backside of the licence contains the same information that is printed on the face of the licence. The barcode is PDF417 format.

3) the smaller barcode just above the larger one on the backside of the licence contains only the driver’s licence number. It is a 1D Code 39 format barcode.

We hope that this information will be of assistance to future researchers. It was disappointing but not entirely surprising that finding out even this little bit of information took quite a bit of effort. More questions certainly need to be asked of these government agencies, e.g. why? Why is there a separate barcode that holds only the driver’s licence number? Answers to these questions should be made available to the public. We are simply asking questions about documents that hold our personal information, not confidential diplomatic cables. And any argument coming from a government agency that sounds like security through obscurity should be treated with immense skepticism by the public.

Read the full response from the MTO here.