[Infowarrior] - CO's First Responder PKI Initiative raises questions

Richard Forno rforno at infowarrior.org
Tue Jan 15 04:35:50 UTC 2008


Here's some information regarding what is described to me as Colorado
"backdooring" the REAL ID Act while it moves to develop a PKI system for the
issuance of identifying credentials for its many first responders.

While I have included a few of the more salient issues below, you can find
the full documents and referenced State policies at the following location:
http://www.infowarrior.org/stuff/RFID/.  Of those documents - many of which
are background references - perhaps the most important one is "Questions for
State of CO for First Responder Identity Credentials (COFRAC v.3 Standard)
and RFP PVR-00012-08." IMHO there's some pretty serious allegations on a
wide range of items presented that should be responded to quickly and
publicly given the many political, technical, and privacy issues associated
with such programs.

That said, I wonder how many other states' activities with ramifications for
REAL ID are being run in a similar fashion?

-rick

< - >

Source: Anonymous

CO HJR 1047 specifically opposes any portion of the REAL ID Act that
violates the rights and liberties guaranteed under the Colorado Constitution
or the US Constitution, including the Bill of Rights, yet the Identity
Management Director in Governor Ritter’s OIT is ramrodding this so-called
Best Practice Standard through with an RFP posted on the COBIDS
system (state Procurement).

Under the auspices of preparing the Colorado First Responders for the
Democratic National Convention to be held in Denver in August, the standards
and the RFP are being promoted in an extremely short timeframe.

Why were meetings to develop Best Practice Standards held in secret? Also
these meetings appear to be in direct violation of the CO Sunshine Law?

Why was there no public comment period before this policy was released to
RFP? 

Who will be doing the State of Colorado Independent Verification and
Validation process to ensure the citizens' and first responders' identities
will be safe in this planned database of identities to ensure the security,
confidentiality, and integrity of their personal identifying information?

... And most importantly from a pure privacy view....

This policy has serious privacy implications, especially since the
implementing system would be classified as a “system of record”.

a) Privacy Impact Assessment (PIA) is mentioned in the acronyms section, and is
a ‘lofty principle’ that is “more responsive to privacy needs” on Page 10,
but HOW to achieve this is not spelled out anywhere.

i) No provisions for user notification on usage of the information
ii) No choice for opt-in or ability to opt-out
iii) Usage policy not specified and how data can be utilized
iv) Ability to correct errors by data owner or redress mechanism not in
place 
v) Security of the backend database not specified

b) The barcode technology was turned down according to Gov. Ritter as being
insecure and Colorado Law was put in place against the Real ID Act yet this
proposed policy has those same technologies in it. Are our First
Responders' Identities LESS IMPORTANT??