security
Wikipedia
  • Driver’s licence scanners at security check points can collect a lot of data about you.
  • If you want to figure out what they do with it, you've picked yourself a tough task.
  • One expert says he rather leaves his car outside security estates and walks in on foot than give up his details.
  • Even one scanner maker says not everyone is handling data in a responsible fashion.
  • For more stories go to www.BusinessInsider.co.za.

They are now just about everywhere: handheld scanners used by security guards at vehicle entry points to capture the details on your driving licence and car licence disc, before allowing you entry to a controlled site.

Instead of the old sign-in book, which it was so easy to feed false information to, these scanners decrypt the barcode-like data on the back of credit-card style licences, keeping a real record of all who come and go.

For security companies, and those they guard, the benefits are obvious. But those giving up their data may not be getting quite such a good deal. 

And until the Protection of Personal Information Act, or PoPI, comes into effect, there is very little you can do about it.

According to many companies who make the scanning devices, they don’t pull more information from licence cards than that which is visible on the face of the card: photograph, full name, identity number, date of birth, driving licence restrictions, gender, and South African citizenship status (which can be deduced from the ID number).

Effectively, they argue, they may as well be making a photocopy of the licence.

The vehicle licence disc offers less sensitive personal information: the make, model, registration number, and vehicle identification number (VIN) of the car you are in.

All that information is shared with security companies only to the extent that they need it, says security company OnGuard, which developed and sells one popular handheld scanner.

Companies like OnGuard buy decrypting licences from South Africa’s Electronic National Administration Traffic Information System, or eNatis, says Robby Balona, who helped develop the software for OnGuard’s IdentiScan device. This allows them full access to the information encrypted in the barcode-like information on the back of licences.

Much of the data they collect is already accessible elsewhere, anyway, Balona says, and with the security measures in place in handling that data the public should not have any concerns when IdentiScan devices are used.

“You’ve got to decide what [criminals] can actually do with that information,” says Balona. “Most of that stuff is public knowledge. I don’t necessarily have to hack a system to get your ID - I can get your name and your telephone number and your date of birth quite easily.”

But the Justice Project’s Howard Dembovsky disagrees. He says that the devices pull far more information than some manufacturers claim, that he has concerns about both how the data is stored and how it is accessed - and that in the wrong hands, it can do a lot of damage. 

Although he hasn’t used OnGuard’s IdentiScan specifically, Dembovsky told Business Insider South Africa that he can easily demonstrate how some handheld barcode scanning devices with access to eNatis can pull your photograph, residential and work addresses, telephone numbers, ID number, and email address.

“If you take the information that’s available from a barcode on a driving licence card, and you put it together with the information that’s available on the licence disc on your windscreen,” he says, “there’s a lot more that appears in that scan than appears on the face on your driving licence”.

Although much of this information is already visible on the face of the driver’s licence, it’s not being stored off site. And, according to Dembovsky, it doesn’t mean that this isn’t sensitive information that should be stored with extreme care.

Until PoPI comes into force there’s little governing exactly how companies should store and use the data that they collect. Instead, it’s left up to each scanner manufacturer or security company to decide how it wants to handle this sensitive personal information.

According to Balona, a good device should create an automatic encrypted online backup of the information - and not present any specific details to the security guard on the ground, or allow any kind of ad-hoc offline access. 

But he says that some manufacturers are less scrupulous when it comes to the collection, storage and handling of this data.

“Some [licence scanning companies] allow multiple logins without auditing, emailing of reports, printing of reports with clients details, storing of information for longer than three months, or let the guard see data that’s not relevant to him,” says Balona.

OnGuard has aligned their scanning device with the impending PoPI legislation. But according to Balona, the same isn’t true for all companies, many of whom will fall foul of the law when it is implemented.

“You’ve got to keep [personal information collected by the devices] in the cloud, in a secure environment,” he says. "It’s got to have web security and an encryption certificate.” 

He also says OnGuard won’t keep records for longer than three months, and they’re one of the few companies that don’t allow for emailing of reports. 

To limit the possibility of data breaches, they also only allow one approved person to log in to the database - usually an estate manager - and won’t provide multiple logins to unauthorised people.

This is of little comfort to Dembovsky, who says there is “no such thing as an online system that can’t be hacked”. 

And although IdentiScan might have best-practice security measures in place, it’s also impossible to know which scanners any one estate uses - and how it handles your data.

Combined with the possibility of a rogue estate manager or wily hacker accessing or selling these neat packages of personal information for nefarious purposes, it’s not surprising that Dembovsky refuses to hand over his document to security guards.

Dembovsky has worked on cases where stolen details - the kind revealed by these scanners - have caused havoc for victims of identity theft.

“Even if the devices don’t have access to eNatis,” says Dembovsky. “They’ve still got your photograph, they’ve still got your ID number and licence number. You take that, and you put it together with the vehicle licence disc information and the vehicle identification number (VIN), and you can transfer the vehicle out of that person’s name in a heartbeat.”

He’s seen several cases where people have had their identity stolen and fallen victim to eNatis fraud - where cars have been transferred out of peoples’ names without their knowledge.

Until PoPI is fully implemented, most drivers are at the mercy of the guidelines put in place by estates and the security companies using data gathering scanners.

This essentially means that if you want to access a private estate, and the estate rules allow for printing and emailing of your personal information, or don’t have adequate encryption, then your only option is not to enter the private premises.

Lisa Schmidt, an associate at Schindler’s Attorneys, warns that trustees and managing agents found guilty of transgressing PoPI will be liable for hefty fines. 

“Administrative fines may be levied by the regulator on parties who are alleged to have committed an offence in terms of PoPI,” says Schmidt. “The fine will be limited to a maximum amount of R10,000,000, and the infringer will then have the choice of either paying the fine within 30 days of service of the fine, or to be tried in court on a charge of having committed the alleged offence.”

When PoPI does come into force, visitors to estates will have more rights - and it may be easier to ask tough questions about how the security company involved will handle the data.

In the interim, options at these checkpoints are limited - particularly if you have no choice but to enter. 

Dembozsky says he refuses to allow companies to scan his South African driver’s licence - the risks, he believes, are just too great. And at times, he’s climbed out of his car and left it at the entrance to the estate, and proceeded on foot. If that creates an uncomfortable situation, he says drivers should travel to these estates prepared.

“I suggest that people take a written contract assuring that their data is safe and will be destroyed within a specific timeframe,” he says. Dembozsky believes that no company should keep this information for longer than 24 hours - and this timeframe should be stipulated in the document.

Ultimately, though, Dembovsky cautions that drivers should be careful about what personal information you give to whom. “Do you know the directors of that homeowners association personally? And do you know the guards personally? If you don’t, can you trust them?”

Receive a daily email with all our latest news: click here.

Also from Business Insider South Africa: