National ID Cards
Reprinted from the 15 December 2001 CRYPTO-GRAM (http://www.counterpane.com/crypto-gram.html) with permission of the author, Bruce Schneier ([email protected]), CTO, Counterpane Internet Security, Inc. Contributed articles do not necessarily reflect the viewpoint of the ÆGIS e-journal.
There’s loose talk in Washington about national ID cards. Although the Bush administration has said that it is not going to pursue it, enough vendors are scurrying to persuade Congress to adopt the idea that it is worth examining the security of a mandatory ID system.
A national ID card system would have four components.
1. A physical card that contains information about the person: name, address, photograph, maybe a thumbprint, etc. To be effective as a multi-purpose ID, of course, the card might also include place of employment, birth date, perhaps religion, perhaps names of children and spouse, and health-insurance coverage. The information might be in text on the card and might be contained on a magnetic strip, a bar code, or a chip. The card would also contain some sort of anti-counterfeiting measures: holograms, special chips, etc.
2. A database somewhere of card numbers and identities. This database would be accessible by people needing to verify the card in some circumstances, just as a state’s driver-license database is today.
3. A system for checking the card data against the database.
4. Some sort of registration procedure that verifies the identity of the applicant and the personal information, puts it into the database, and issues the card.
The way to think about the security of this system is no different from any other security countermeasure. One, what problem are IDs trying to solve? Two, how can IDs fail in practice? Three, given the failure modes, how well do IDs solve the problem? Four, what are the costs associated with IDs? And five, given the effectiveness and costs, are IDs worth it?
What problem are IDs trying to solve? Honestly, I’m not too sure. Clearly, the idea is to allow any authorized person to verify the identity of a person. This would help in certain isolated situations, but would only have a limited effect on crime. It certainly wouldn’t have stopped the 9/11 terrorist attacks — all of the terrorists showed IDs to board their planes, some real and some forged — nor would it stop the current anthrax attacks. Perhaps an ID card would make it easy to track illicit cash transactions, to discover after the fact all persons at the scene of a crime, to verify immediately whether an adult accompanying a child is a parent or legal guardian, to keep a list of suspicious persons in a neighborhood each night, to record who purchased a gun or knife or fertilizer or Satanic books, to determine who is entitled to enter a building, or to know who carries the HIV virus. In any case, let’s assume that the problem is verifying identity.
We don’t know for sure whether a national ID card would allow us to do all these things. We haven’t had a full airing of the issue, ever. We do know that a national ID document wouldn’t determine for sure whether it is safe to permit a known individual to board an airplane, attend a sports event, or visit a shopping mall.
How can IDs fail in practice? All sorts of ways. All four components can fail, individually and together. The cards themselves can be counterfeited. Yes, I know that the manufacturers of these cards claim that their anti-counterfeiting methods are perfect, but there hasn’t been a card created yet that can’t be forged. Passports, drivers’ licenses, and foreign national ID cards are routinely forged. I’ve seen estimates that 10% of all IDs in the US are phony. At least one-fourth of the president’s own family has been known to use phony IDs. And not everyone will have a card. Foreign visitors won’t have one, for example. (Some of the 9/11 terrorists who had stolen identities stole those identities overseas.) About 5% of all ID cards are lost each year; the system has to deal with the problems that causes.
Identity theft is already a problem; if there is a single ID card that signifies identity, forging that will be all the more damaging. And there will be a great premium for stolen IDs (stolen U.S. passports are worth thousands of dollars in some Third World countries). Biometric information, whether it be pictures, fingerprints, retinal scans, or something else, does not prevent counterfeiting; it only prevents one person from using another’s card. And this assumes that whoever is looking at the card is able to verify the biometric. How often does a bartender fail to look at the picture on an ID, or a shopkeeper not bother checking the signature on a credit card? How often does anybody verify a telephone number presented for a transaction?
The database can fail. Large databases of information always have errors and outdated information. If ID cards become ubiquitous and trusted, it will be harder than ever to rectify problems resulting from erroneous information. And there is the very real risk that the information in the database will be used for unanticipated, and possibly illegal, purposes. There have been several murders in the U.S. that have been aided by information in motor vehicle databases. And much of the utility of the national ID card assumes a pre-existing database of bad guys. We have no such database. The U.S. criminal database is 33% inaccurate and out of date. “Watch Lists” of suspects from abroad have surprisingly few people on them, certainly not enough to make a real-time match of these lists worthwhile. They have no identifiers, except name and country of origin, and many of the names are approximated versions or phonetic spellings. Many have only approximated names and no other identifiers.
Even riskier is the mechanism for querying the database. In this country, there isn’t a government database that hasn’t been misused by the very people entrusted with keeping that information safe. IRS employees have perused the tax records of celebrities and their friends. State employees have sold driving records to private investigators. Bank credit card databases have been stolen. Sometimes the communications mechanism between the user terminal — maybe a radio in a police car, or a card reader in a shop — has been targeted, and personal information stolen that way.
Finally, there are insecurities in the registration mechanism. It is certainly possible to get an ID in a fake name, sometimes with insider help. Recently in Virginia, several motor vehicle employees were issuing legitimate drivers’ licenses in fake names for money. (Two suspected terrorists were able to get Virginia drivers’ licenses even though they did not qualify for them.) Similar abuses have occurred in other states, and with other ID cards. A lot of thinking needs to go into the system that verifies someone’s identity before a card is issued; any system I can think of will be fraught with these sorts of problems and abuses. Most important, the database has to be interactive so that, in real time, authorized persons may alter entries to indicate that an ID holder is no longer qualified for access — because of death or criminal activity, or even a change of residence. Because an estimated five percent of identity documents are reported lost or stolen, the database must be designed to re-issue cards promptly and reconfirm the person’s identity and continued qualification for the card.
Given the failure modes, how well do IDs solve the problem? Not very well. They’re prone to errors and misuse, and are likely to be blindly trusted even when wrong.
What are the costs associated with IDs? Cards with a chip and some anti-counterfeiting features are likely to cost at least a dollar each, creating and maintaining the database will cost a few times that, and registration will cost many times that — multiplied by 286 million Americans. Add database terminals at every police station — presumably we’re going to want them in police cars, too — and the financial costs easily balloon to many billions. As expensive as the financial costs are, the social costs are worse. Forcing Americans to carry something that could be used as an “internal passport” is an enormous blow to our rights of freedom and privacy, and something that I am very leery of but not really qualified to comment on. Great Britain discontinued its wartime ID cards — eight years after World War II ended — precisely because they gave unfettered opportunities for police “to stop or interrogate for any cause.”
I am not saying that national IDs are completely ineffective, or that they are useless. That’s not the question. But given the effectiveness and the costs, are IDs worth it? Hell, no.
Privacy International’s fine resource on the topic. Their FAQ is excellent: http://www.privacyinternational.org/issues/idcard/
EPIC’s national ID card site: http://www.epic.org/privacy/id_cards/