Copyright © 2009. National Academy of Sciences. All rights reserved.
2 Policy Considerations

Numerous policy questions surround any proposed nationwide identity system. They require sustained deliberation by policy makers and significant input from the various stakeholders—including federal, state, and local governments and agencies, privacy advocates, public-interest groups, civil rights and liberties groups, and those who would participate in and use the system (that is, ID holders, ID requestors, and data analysts). Establishing a nationwide identity system would almost certainly be a complex and expensive process, requiring years of legislative, technical, and public relations work, as systems now in place elsewhere have shown.[1]
WHAT DOES IDENTITY PROVIDE?
Whether and when knowledge of “identity” could aid in solving a problem or meeting an objective depends in part on the word’s very definition. For the purposes of this report, identity refers to sets of information (say, a database record or a strongly linked system of records) about a person that can be used to tell who that person is. Confirmation (at some level of assurance) of identity is useful in contexts when one or more of the following are needed: (1) knowledge (in the present) about a person’s past is sought (e.g., the use of a dossier), (2) knowledge about a person in the present needs to be remembered for use in the future (e.g., the creation of a dossier), (3) distinguishing between two individuals is required to prevent the possibility of mistaking one of them for the other, or (4) identity information provided by a third party needs to be verified. Identification and/or authentication are generally used to aid in recognition when there are multiple dealings with a single individual but could also be relevant to a single experience/transaction. (Note that authentication presumes a proffered identity that needs to be confirmed, whereas identification does not—see Box 1.1.)

[1] In the Philippines, for example, the social security system ID card project has been under active development and deployment for 6 years and has only reached an enrollment of just over 2 million, en route to the goal of enrolling 40 million social security beneficiaries, members, and dependents.
While casual discussions of IDs or ID cards may assume simple, unique pairings of information and individuals, the reality is often more complicated. In practice, individuals usually have multiple identities—to family, to an employer or school, to neighbors, to friends, to business associates, and so on. Thus, different sets of information are associated with an individual in different contexts—and sometimes an ID card or equivalent is relied upon to provide or point to that information. For identity systems that have existed in our society for some time, there is a common understanding of what information is associated with each. A record associated with a driver’s license, for example, includes traffic violations; a record associated with a credit card includes late payment information; and so on.
Multiple identities (that is, multiple sets of information corresponding to a single individual) may allow individuals to control who has access to what kinds of information about them, and the use of multiple identities can be a legitimate strategy for controlling personal privacy in an information society. In addition to providing a measure of privacy protection, the use of multiple identities, even with respect to a single organization, serves legitimate and desirable functions in societal institutions as well. One individual may have several distinct roles with respect to a particular organization. For example, as far as the IRS is concerned, one might be an individual taxpayer, an IRS employee, or the comptroller of a nonprofit organization.
IDs—NOT THAT EASY

If, however, colluding agents are willing to make the effort, they might be able to link an individual’s records—through additional information or correlation with each other’s information—to create a single record. In many cases, an identity will include a common cross-reference, such as a Social Security number, that makes it trivially easy to link it to other identities. Moreover, there are usually other possible cross-references (such as address, age, and so on) that enable different sets of information to be linked, though there may be institutional practices or practical barriers that discourage such linking.[2] In addition, questions arise as to how reliable the linking would be—some institutions may not mind if linkages are not completely supported, whereas others demand high levels of accuracy.
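The linking described above is, in practice, a record-linkage job. The following Python is an added example and not part of the report: the two institution files (a motor-vehicle file and a bank file), the SSN-like numbers, and the scoring weights are all constructed for illustration. It links the two files first by an exact join on the shared cross-reference and then by a scored join on quasi-identifiers (address and birth year), and reports where several records on one side land on a single record on the other, which is exactly where the reliability question raised in the text becomes concrete.

```python
"""Linking one person's records across two institutions.

Added example for this chapter; the data and weights are constructed, not
taken from the report. Two files are modelled: a motor-vehicle file and a bank
file. Linkage is attempted two ways: an exact join on a shared cross-reference
(an SSN-like number) and a scored join on quasi-identifiers (address and birth
year), whose reliability depends on the threshold the linking party accepts.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    source: str
    rec_id: str
    name: str
    ssn: Optional[str]  # the common cross-reference; not always present
    address: str
    birth_year: int


# Constructed sample files (fictional people, fictional numbers).
DMV = [
    Record("dmv", "D1", "Ana Lopez", "123-45-6789", "12 Oak St., Apt 3, Springfield", 1975),
    Record("dmv", "D2", "A. Lopez", None, "12 Oak Street #3 Springfield", 1975),
    Record("dmv", "D3", "Ben Ortiz", "987-65-4321", "9 Elm Ave, Riverton", 1980),
]
BANK = [
    Record("bank", "B1", "Ana M. Lopez", "123-45-6789", "12 Oak St Apt 3, Springfield", 1975),
    Record("bank", "B2", "Anna Lopez", None, "12 Oak St., Springfield", 1975),
    Record("bank", "B3", "Ben Ortiz", None, "9 Elm Avenue, Riverton", 1981),
]

_ABBREV = {"street": "st", "avenue": "ave", "apartment": "apt"}


def normalize_address(addr: str) -> str:
    """Canonical token string so trivial formatting differences do not block a match."""
    a = addr.lower().replace("#", " apt ")
    a = re.sub(r"[.,]", " ", a)
    return " ".join(_ABBREV.get(tok, tok) for tok in a.split())


def link_by_cross_reference(left, right):
    """Exact join on the shared identifier: cheap and, if the number is right, decisive."""
    index = {r.ssn: r for r in right if r.ssn}
    return [(l, index[l.ssn]) for l in left if l.ssn and l.ssn in index]


def quasi_identifier_score(l: Record, r: Record) -> int:
    """0..100 agreement score from address and birth year (weights are illustrative)."""
    la, ra = normalize_address(l.address).split(), normalize_address(r.address).split()
    score = 0
    if la == ra:
        score += 60
    elif la[:3] == ra[:3]:  # same number and street; unit detail missing or differs
        score += 30
    if l.birth_year == r.birth_year:
        score += 40
    return score


def link_by_quasi_identifiers(left, right, threshold: int):
    """Scored join; lowering the threshold finds more links and more wrong ones."""
    return [(l, r, s) for l in left for r in right
            if (s := quasi_identifier_score(l, r)) >= threshold]


def collisions(links):
    """Right-hand records reached from more than one left-hand record: either one
    person holding several identities on the left, or a false link."""
    by_target = {}
    for l, r, _ in links:
        by_target.setdefault(r.rec_id, []).append(l.rec_id)
    return {k: v for k, v in by_target.items() if len(v) > 1}


if __name__ == "__main__":
    for l, r in link_by_cross_reference(DMV, BANK):
        print(f"cross-reference: {l.rec_id} <-> {r.rec_id}")
    for thr in (100, 70, 60):
        links = link_by_quasi_identifiers(DMV, BANK, thr)
        print(f"threshold {thr}: {[(l.rec_id, r.rec_id, s) for l, r, s in links]}")
    print("collisions at 100:", collisions(link_by_quasi_identifiers(DMV, BANK, 100)))
```

Run as a script to watch the link set grow as the threshold drops from 100 to 60: at 100 only full address-and-year agreement survives, and the two motor-vehicle identities D1 and D2 both land on bank record B1; at 60 a one-digit birth-year discrepancy is enough to link the Ortiz records. An institution choosing a threshold is choosing between missed links and false ones, which is the sense in which some users can tolerate unsupported linkages and others cannot.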
Sometimes, the use of multiple identities by a single person, or the use of a single identity by multiple persons, may be evidence of (or exploitable for) fraudulent behavior. Several criminals could use a single identity not considered problematic within the system, or a single terrorist could use the least suspicious of multiple identities accessible to him for boarding a plane. In principle, a nationwide identity system could, in some contexts, eliminate or significantly reduce these sorts of problems if it is designed to prevent both multiple individuals from claiming a single identity and multiple identities from being claimed by a single person.[3]
One implication of the term “national ID” is that these identities are centrally managed in order to make it difficult, if not impossible, for one person to have multiple identities. A system designed to link a person to a single identity (and prohibit use of multiple identities by a single person) within a certain domain must be mandatory (that is, everyone within the domain of interest must be included in the system), otherwise those wishing to establish multiple identities would simply opt out of the program. Also, checking is essential at the time an individual joins, to be sure that he or she is not already in the system. If an identity reveals potentially damaging information about a person, the person may try to avoid the entry of this information into the system by creating a different identity. In some cases, this capability is controlled by having only one central registry for the identity information.[4]
[2] See the 1997 CSTB report For the Record: Protecting Electronic Health Information.

[3] Historically, the Social Security Administration (SSA) allowed husbands and wives to share a single Social Security number, and some grandfathered couples still do. Thus, such an SSA “identity” refers to two people. Similarly, children and one of their parents can share a single passport and passport number. More commonly, the case of two or more individuals maintaining a joint bank account illustrates one identity (the bank account and associated information) being shared by multiple individuals. Creating multiple identities out of the single record set would be extremely hard for the issuing agencies, because the linked people usually share a single last name. Splitting the record, therefore, might require additional personal information.

[4] A current example of a system that attempts to disallow multiple identities is the Commercial Driver’s License Information System (CDLIS). U.S. federal law—the Commercial Motor Vehicle Safety Act of 1986 (P.L. 99-570)—prohibits commercial truck drivers from having multiple driving identities. In compliance with the law, CDLIS is used by the states—via a centralized system that links the various issuing (state) agencies—to check that multiple licenses are not issued. However, nothing in the CDLIS system itself prevents multiple drivers from using this single license and, in fact, fraud of this type has been documented (see “Biometric Identification Standards Research: Final Report Volume I,” San Jose State University, December 1997).
Depending on the goals of the system, creating a tight identity-to-individual bond might be excessive. Often it doesn’t matter exactly who someone is as long as it is clear that he or she is a member of a particular group (e.g., over 21 or an officer of a corporation with check-signing privileges). Such group identities are often extremely useful in expediting matters in certain contexts and may raise fewer privacy concerns. Thus, any proposal for a new identity system requires a discussion of what sorts of identity information would be relevant and helpful to the stated goals of the system.[5] It also requires taking into account the levels of confidence with which information was associated with an individual, since basing a system on fragile or unreliable data poses numerous risks. In addition, in some cases there are legal restrictions on what sort of information may be asked of an individual (presumably to include in that person’s associated identity information)—for example, it may not be legal to take into account a person’s race, gender, national origin, religion, and so forth. In other cases, retaining the advantages that come with the ability of an individual to maintain multiple identities or to maintain group identities could also be desirable. All in all, establishing what is meant by “identity” in a nationwide identity system—in other words, which collection of information is meant to encapsulate an individual’s distinctiveness—is a first-order concern.
TO WHOM AND FOR WHAT?
Once the notion of identity has been articulated, a determination must be made as to who would be issued an ID (see Box 1.1 for the distinction between “ID” and “identity”) and for what purpose. First and foremost, the goals and requirements of the system must be carefully articulated. What problems should the system be designed to solve? How would it provide solutions to those problems? Without a priori decisions about what types of system functions, determined by policy choices, are desired, the software and hardware may impose unwanted or undesirable restrictions or allowances.[6]

If a goal of the system is the identification and/or tracking of non-U.S. nationals, then issuing IDs only to U.S. citizens would not be sufficient. Identification and tracking of all individuals would be required.[7] Furthermore, non-U.S. nationals are already required to have IDs when in the United States (passports and, in some cases, visas); however, there is likely to be less control over—and therefore less confidence in—such foreign-issued credentials. This raises questions about international coordination, cooperation, and harmonization.[8, 9] The problems now present in keeping track of passports and visas, and in assuring that the right individuals and agencies have the appropriate data when needed, would undoubtedly persist in a new identification system.[10] They also serve to demonstrate how difficult it is to implement a large identification system that is also robust.

[5] If the goal of the system is to aid in counterterrorism, then relevant questions might include the following: Is a past criminal record a signal of a potential terrorist? Is a long record of frequent travel a signal that a person is or is not likely to be a terrorist? And so on.

[6] See Lawrence Lessig’s treatment of software imposing values in Code and Other Laws of Cyberspace, Basic Books, New York, 1999.
What Is Required for ID Issuance?
The best that any system of authentication can do is provide a compelling connection with some previous verification of identity. Accordingly, trust in the integrity of the system is based not so much on the first such verification as on increasing confidence when all previous transactions with that particular individual have worked out.[11] But at the outset, upon determination of who should have IDs, a host of questions arises: How is identity first established within the system? What information would be required of an individual upon application? How would that information be verified?

Such broad questions imply others that are more specific: How would the “true” identity of individuals be established (e.g., for individuals in the initial stages of a program or after card loss or destruction)? What family name(s) would be used for the individual (birth name, adopted name, married name, father’s name, father’s mother’s name)? Could middle names, diminutives, or nicknames be used as first names? When can or must these names be changed? How would people with similar or identical names (or other pieces of associated data) be differentiated in the system? If participation in the system were mandatory, at what point in a person’s life would the ID begin to be required? How frequently would renewal be required? Under what circumstances would reissuance be required? What if the system “loses” a person (that is, a person claims to be in the system, but his or her information is not accessible)?

[7] The terrorist attacks of September 11, 2001, were carried out exclusively by non-U.S. nationals; none of them would have had a U.S. ID if one had been required only of citizens. In addition, undercover operatives sponsored by a major foreign group or state hostile to the United States generally are individuals without suspicious records. It follows that such people’s IDs (be they within a United States nationwide identity system or outside it) would not contain anything particularly problematic.

[8] The logistical considerations involved in issuing high-security identities for everyone entering the country are significant, especially when individuals do not need visas in advance (such as citizens of countries in the Visa Waiver Program).

[9] Even if IDs were issued to foreign visitors entering the United States, the information would be based on information provided by their country of origin. Its usefulness is limited for at least two reasons: (1) many countries do not have much data about their citizens to begin with, and others may be unlikely to provide other nations with suspicious background information about their own citizens and (2) even if a country indicates that an individual seeking admission to the United States has a problematic background record, that doesn’t mean the United States would consider such a person a risk (for example, a country might provide warnings about political dissidents). Adding information to an individual’s ID beyond what his or her country of origin provides (presumably gathered by U.S. intelligence) is problematic for a number of reasons, including cost, scale, paucity of data, and potential compromise of sources and methods behind the information.

[10] As an example of this, the Washington Post reported that 15 of the September 11 hijackers applied for visas in Saudi Arabia, where officials have indicated that identity theft is a serious concern. See
What Is the Meaning of an ID?
Broader, and perhaps more important, is the meaning of the ID (that is, the identity information about a person in the identity system and its associated token). Would the law define rights, privileges, and obligations with respect to the ID? Would the law define a legal person in terms of the ID, or vice versa, or neither? Related to the meaning is the issue of a citizen’s and the government’s responsibilities with respect to a nationwide identity system. A host of legal issues arises if an ID is to have significance as, say, a government-authorized identification token. Using an ID to verify a person’s identity would not be of value without an obligation to present it upon demand by authorities or in an authorized search of one’s person.[12]

Questions that would need to be addressed include the following: When must the ID be carried? When must it be presented to a government official? What happens if the holder refuses to present it? What happens if the ID has been lost or stolen? How can information on the ID (or associated with it) be changed, and by whom? What if the infrastructure is down and the ID cannot be verified? Can only the federal government compel the presentation of the ID, or would state and local government officials (which is where most law enforcement occurs and many social services are delivered) also have such authority?[13]

[11] Trust developed in this fashion is vulnerable as well: individuals may act in a completely trustworthy fashion for a long period of time and then behave fraudulently or criminally.

[12] Other identification techniques, such as facial recognition, might not require an obligation to present an ID.
Where Does the Identity Information Reside?
These questions point to other questions that must be considered about the information associated with a person’s ID. If it is a card or other physical token, what information is stored on it in human-readable format? What information does the ID store in machine-readable format? What information about or pertaining to an individual is stored in the identity system’s databases? What information in those databases is explicitly linked to information in other databases? Who has the authority to create these linkages? Who can access which information about a person in the system? What algorithms are used to analyze data in order to make assessments about a particular individual in a particular context (e.g., risk profiling)?[14] (See Figure 2.1 for a description of what can happen to identity information within a system.)

Many of the questions raised in this section point more broadly to the problem of controlling function creep (as mentioned in Chapter 1). Decisions and policies made for one kind of system may not apply well if that system begins to be used for other than its original purposes. In the context of an identity system, function creep can occur when the same ID/token is used to access multiple systems. (This has happened with driver’s licenses in that they are used not only to prove authorization to drive, but also for proof of age and proof of address in various contexts.)
[13] For example, if the goal were to locate and keep track of non-U.S. citizens and/or known criminals within the United States, it would probably be necessary to challenge all individuals (including citizens) to present the card at regular intervals and/or for a wide variety of activities. It would further be necessary to require all individuals to carry the card at all times. It could be that many forms of purchases and transactions would require use of the card in an ancillary fashion, in the same way that purchases with a check often require the presentation of a driver’s license or equivalent form of photo identification. In this way, the information associated with the card (and by extension with the holder’s identity) would become part of the records generated by some set of interactions, just as Social Security numbers and license numbers are used today—a practice that suggests the development, in effect, of dossiers. A question then arises as to what an individual’s failure or refusal to present the card under these circumstances would mean.

[14] The European Data Protection Directive (95/46/EC) gives individuals a limited right to know the logic involved in automated decisions made about them on the basis of personal information.
[Figure 2.1 diagram: ID → Format? (machine-readable or human-readable) → Location? (card, database, or elsewhere)]

FIGURE 2.1 Potential information flow in identity systems. The information associated with an individual identity could be distributed within the identity system in multiple ways. Parts of it may be machine-readable, parts may be readable by humans. Parts may be stored on a card, in a database, or elsewhere. Access to this information may be available to other systems, card readers, and/or people. Not present in this diagram, but implicit, is the notion that pieces of information, once outside the system, could then be added to other systems. Or, information from outside the system could be incorporated into this system. Understanding how information flows through the system, who has access to it, and who can change it will be important in understanding both the security and privacy implications of an identity system.
Reuse of an ID/token for purposes beyond the original intent leads to the feasibility of correlating information from many different sources and systems, which can be a cause of concern, particularly with respect to privacy. Strategies and policies that prevent or constrain function creep will be an important factor in any identity system.
PERMITTED USERS OF THE SYSTEM
Another set of policy questions arises over users of a nationwide identity system (recall that a system encompasses numerous social, legal, and technological aspects): May only the government use or request an ID? Under what circumstances? Which levels (federal, state, local) of the government? May any private person or commercial entity request presentation of an ID within the system? May any private person or commercial entity require presentation of an ID? Would certain private-sector organizations be required to use, ask for, and verify IDs? If so, there is a possibility that such mandates might be interpreted as a safe harbor with respect to some liability questions. How would that be handled? Who may use the information on (or associated with) the ID, and for what? Who may enter or modify information associated with the ID?
Depending on the goals of the system, use of the system by the private sector may be necessary. For example, if the goal is to create a database to mine for suspicious activities, tracking of a broad class of activities in the private sector may be viewed as critical. To accomplish this tracking, the ID would need to be presented in connection with many transactions in the private sector (e.g., when traveling on commercial airlines, when purchasing weapons, or when staying in a hotel). However, as the set of users of a system expands, securing against misuse becomes more complicated. Widespread use (and abuse) of the information associated with an ID is a major concern, underscoring the importance of the initial policy choices related to the purpose of the system.
Management and Operations
Determining how any nationwide identity system should be managed and operated will be a key issue. If the federal government were to play a leading role in operations and management, an overhaul of business and management practices at multiple levels might be necessary.[15] In addition, worldwide coordination would likely be necessary. For example, depending on the system goals, ID issuance by U.S. consulates abroad may have to be allowed, raising the potential for fraudulently obtained IDs. Pragmatically, even the most secure documents issued by the U.S. government (passports, green cards, and even currency) have been forged with regularity. Requiring federal government management and operations expertise for nationwide identity systems thus raises a host of issues that must be taken into consideration.

[15] Since passage of the Paperwork Reduction Act of 1995, the Office of Management and Budget has been challenged to manage complex information assurance issues, even though it has both budgetary and statutory authority. The Department of Defense, as another example, is charged with managing classified and other national security systems. Nationwide identity systems pose new problems for each of these organizations. If the federal government were to attempt oversight of the system, it would be necessary to determine an appropriate management model suited to undertaking management of large-scale identity systems.
Another set of policy issues involves the roles of the public, private, and not-for-profit sectors in a nationwide identity system. For example, in place of the above scenario (in which the federal government takes responsibility for the management and administration of a nationwide identity system), the private sector alone might develop and maintain the system. Alternatively, the private sector could be subordinate to some procuring federal agency, in which case any resulting data would be subject to federal laws such as the Privacy Act, the Computer Matching Act, the Government Information Security Reform Act, and the Computer Security Act.[16]
Of course, some hybrid model—featuring a public/private partnership—is also possible, though it would require explicit designation of which sector is responsible for what and who might be liable to potentially aggrieved parties when errors or abuses occur. (In particular, careful attention should be paid to due process issues that may arise in connection with error correction.) In any case, it would be absolutely necessary to define how a single organization’s private role in enabling the system should relate, if at all, to that same organization’s private role in its use. Furthermore, how the private entity would be funded would also be an issue. Moreover, the goals of private institutions with respect to such a system are likely to be very different from those of public institutions.[17] This difference in ultimate objectives could lead to significantly different system requirements and design and could encourage function creep over time.

[16] These acts all impose regulatory requirements on federal agencies that collect, use, and maintain sensitive information. The Privacy Act and the Government Information Security Reform Act in particular impose significant public notice and comment requirements on federal agencies to ensure public participation in the appropriateness of planned agency uses of data. The Computer Security Act imposes a risk-based standard for agencies to ensure they protect the confidentiality, integrity, and availability of sensitive federal information and supporting systems. If a nationwide identity system turned out not to be a federal government system, these laws would not apply and the protections they offer would not be available to individuals whose information is housed in the system.

[17] For example, a small-store owner probably is not as interested in customers’ individual identities at point-of-sale transactions as he or she is in receiving assurance that payment will be made.
PERMITTED USES OF THE SYSTEM
A key question about a nationwide identity system is the uses to which the information in it will be put. Will the system be designed to foster consolidation of other (especially federal) databases—or might that be a predictable side effect? Will it be designed to support individualized queries about individuals or provide a yes/no answer to simple questions (for example, “Is this individual a U.S. citizen?”)? Will the system facilitate data mining to establish “suspicious profiles”? If the system is to be used extensively by law enforcement, checks and balances would need to be put in place to prevent misuse of information (for example, constraints should be placed on how information collected or seen—perhaps tangentially—as a result of a particular investigation can be used for other purposes).
Consider the system’s potential need to make real-time associations of persons with identity—a policy question with technology-challenging implications. For many purposes, the linkage between the person and the identity need not be provided instantly. An application for a mortgage need not be processed in seconds. On the other hand, an identity that authorizes access to a secure building must be validated at the time of the intended entry. A related issue is the prospect of constant real-time correlation and analysis of an individual’s national-identity-based transactions.[18] It is likely that such correlation, while possibly desirable depending on the goals of the system, would be financially, technologically, and administratively impossible. For that matter, even retrospective correlation of all transactions would be extremely challenging and expensive. Depending on what information must be tracked and stored, very large amounts of data may be generated. And the analysis of large amounts of data while looking for certain kinds of patterns is a large and open research area.
An additional correlation concern relates to potential uses beyond those associated with public safety and counterterrorism. If private entities are allowed to use the nationwide identity system for their own purposes, it is likely that IDs would be linked to a wide range of information, including bank accounts, credit cards, airline tickets, car rentals, hotel stays, retail transactions, purchases of controlled items (guns, explosives, perhaps some fertilizers, prescription drugs subject to abuse), phone lines, cell phone accounts, prepaid cell phones, and so on.[19] Even if the data were not explicitly tied together by organizations, linking users by data items in their identity (such as SSNs) is possible. In addition, systems that employ biometrics could have the ability to link individuals whose information is stored in different databases. That is, two different digital representations of an iris or fingerprint could be compared to see if they might have come from the same eye or finger.[20, 21]

[18] For example, it may be useful to correlate instantly the renting of a large truck in one state with the purchase of a large amount of fertilizer a day later in another state.
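Footnote 20 mentions systems that permit eye/finger-versus-database comparison but not database-versus-database comparison; that is the cancelable-template idea from Ratha, Connell, and Bolle. The Python below is an added teaching model and not the report’s or the paper’s code: the bit-vector “iris codes”, the two system keys, the match threshold, and the SHA-256-derived permutation and mask are all constructed for illustration. It shows the property that matters for the linkage concern raised above: a key-specific transform that preserves Hamming distance within one system, so verification and duplicate-enrollment checks still work, while templates of the same eye held by two systems with different keys are unrelated.

```python
"""Biometric templates that verify within one system but do not link across systems.

Added example, not code from the report or from Ratha, Connell, and Bolle; it is
a teaching model of the "cancelable template" idea their paper describes. A
quantized biometric (think iris code) is a fixed-length bit vector. Each system
holds its own secret key and stores only transform(sample, key), where the
transform is a key-derived bit permutation followed by XOR with a key-derived
mask. Both steps preserve Hamming distance between two samples processed under
the same key, so live-sample-versus-template matching still works, while
templates of the same eye under two different keys are unrelated, so a
database-versus-database comparison finds nothing. The transform is not
claimed to be irreversible or production-grade."""
import hashlib
import random

N_BITS = 512
MATCH_THRESHOLD = 0.32  # normalized Hamming distance; illustrative, not a tuned value


def fresh_code(seed: int) -> list[int]:
    """Constructed stand-in for an enrolled eye: a seeded random bit vector."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(N_BITS)]


def noisy_sample(code: list[int], flip_fraction: float, seed: int) -> list[int]:
    """Simulate a fresh capture of the same eye: a fraction of bits disagree."""
    rng = random.Random(seed)
    out = list(code)
    for i in rng.sample(range(len(code)), int(flip_fraction * len(code))):
        out[i] ^= 1
    return out


def _mask(key: bytes, n_bits: int) -> list[int]:
    """Key-derived bit stream from SHA-256 in counter mode."""
    bits = []
    counter = 0
    while len(bits) < n_bits:
        block = hashlib.sha256(key + b"mask" + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return bits[:n_bits]


def _permutation(key: bytes, n_bits: int) -> list[int]:
    """Key-derived permutation of bit positions."""
    seed = int.from_bytes(hashlib.sha256(key + b"perm").digest(), "big")
    perm = list(range(n_bits))
    random.Random(seed).shuffle(perm)
    return perm


def transform(sample: list[int], key: bytes) -> list[int]:
    """Permute, then mask. Same key on two samples keeps their Hamming distance."""
    perm = _permutation(key, len(sample))
    mask = _mask(key, len(sample))
    return [sample[perm[i]] ^ mask[i] for i in range(len(sample))]


def hamming(a: list[int], b: list[int]) -> float:
    return sum(x != y for x, y in zip(a, b)) / len(a)


def enroll(sample: list[int], key: bytes) -> list[int]:
    """What the system stores: the transformed template, never the raw code."""
    return transform(sample, key)


def verify(live_sample: list[int], template: list[int], key: bytes) -> bool:
    """Point-of-service check: transform the live capture under the same key and compare."""
    return hamming(transform(live_sample, key), template) <= MATCH_THRESHOLD


def templates_linkable(t1: list[int], t2: list[int]) -> bool:
    """Database-versus-database comparison, as an aggregator would attempt it."""
    return hamming(t1, t2) <= MATCH_THRESHOLD


# Constructed scenario: one eye enrolled in two systems with separate keys.
EYE_A, EYE_B = fresh_code(1), fresh_code(2)
KEY_AIRPORT, KEY_BANK = b"airport-system-key", b"bank-system-key"

if __name__ == "__main__":
    t_airport = enroll(EYE_A, KEY_AIRPORT)
    t_bank = enroll(EYE_A, KEY_BANK)
    print("same eye, live vs template, one system:",
          verify(noisy_sample(EYE_A, 0.10, 7), t_airport, KEY_AIRPORT))
    print("other eye, same system:", verify(EYE_B, t_airport, KEY_AIRPORT))
    print("same eye across systems linkable:", templates_linkable(t_airport, t_bank))
    print("duplicate enrollment within one system detected:",
          templates_linkable(t_airport, enroll(noisy_sample(EYE_A, 0.10, 8), KEY_AIRPORT)))
```

The same mechanism covers the three points footnote 20 lists: duplicate detection at enrollment is a within-system comparison under one key, point-of-service verification transforms the live capture under that key, and reissue re-enrolls under it. The protection lives entirely in key separation; a system that shares its key with another, or that stores raw codes, is linkable again. Real cancelable-biometric schemes also have to resist inversion of the transform and compromise of the key store, which this model does not address.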
Finally, privacy is of serious concern to many, especially when information linkages extend across the boundaries of multiple identities—for example, in the linking of health data, credit ratings, or organizational memberships with our employment records. Of greatest concern to most people is the creation without authorization of such linkages by others, particularly those in positions of authority—governments or employers, for example.
The “minimization principle” is often used as a guideline when building systems sensitive to privacy concerns.[22] It relates to the kind and quantity of information collected from and/or about individuals and emphasizes the need to collect only the minimum amount necessary for the desired transaction. Minimization also implies that disclosure of information should be limited to the purpose(s) for which it was collected. A pragmatic reason for this, in addition to the privacy aspects, is that information is likely to have an accuracy commensurate with its original purpose (for example, the address given on a video-store membership application form is more likely to be false than the home telephone number given on an employment application). In addition, the minimization principle suggests that information should be deleted when no longer needed and that the information disclosed be limited to that which is needed to fulfill the request (as opposed to disclosing all available information about an individual or transaction).

[19] The issues become even thornier when one considers the possibility that physical items may eventually have their own tracking systems embedded in them. Cross-correlation of information about things and people would likely result in an exponential explosion of data, further complicating the technical questions and confounding the privacy issues. See Charlie Schmidt’s “Beyond the Bar Code,” Technology Review, March 2001.

[20] Systems that will allow eye/finger versus database comparisons but not database versus database comparisons have been proposed, such as in N.K. Ratha, J.H. Connell, and R.M. Bolle, “Enhancing Security and Privacy in Biometrics-Based Authentication Systems,” IBM Systems Journal, vol. 40, no. 3, 2001. Another possible solution would be to use biometrics only at three points in any given system: when checking for duplicate enrollments at initial registration to prevent issuance of multiple IDs to a single user, when checking the binding between the cardholder and the card at point-of-service applications, and when reissuing the card. This check, which could occur without revealing the biometric pattern to the holder of the card, would create yet another point in the system where security is needed.

[21] Work done by Latanya Sweeney (see
Clearly, minimization runs counter to the kinds of information collection and correlation needed for the preemptive and retrospective analyses contemplated by proposals for a nationwide identity system meant to counter terrorism and unlawful activities. Resolving or mitigating this tension will be a serious challenge to those developing policies for a nationwide identity system.
VOLUNTARY OR MANDATORY?
Whether participation in the system is to be required or chosen is a major policy decision. Until the goals of the system are clearly articulated, it will be difficult to gauge which type of participation would be preferable. Some goals may directly or indirectly require mandatory checking of identities and/or enrollment in the system. For example, if the goal were to prohibit travel by persons with malicious intentions, all air travelers would need to be enrolled—if enrollment were voluntary, such people would simply not enroll and would be permitted to travel. In general, any attempt to ascertain that an individual does not possess an unwanted attribute (for example, malicious intent) requires a complete knowledge of behaviors related to that attribute, and hence mandatory checks.

Clearly, a voluntary system is likely to meet with less resistance and to raise fewer concerns about civil liberties, although its voluntary nature would seem to limit the kinds of goals that it could expect to achieve. However, even when a system is nominally voluntary, attention should be paid to whether the large inconveniences of nonparticipation make it effectively mandatory. Deliberate consideration of whether and when to require participation and the implications of widespread but voluntary participation would be essential.

There are at least two levels at which participation occurs: when an individual establishes an identity within the system and when his or her ID is requested or used in a given interaction. Whether an individual must consent to presenting his or her ID as opposed to having the ID observed from a distance (possibly without the person’s knowledge) is another critical policy decision.
WHAT LEGAL STRUCTURES?
In considering whether to implement any nationwide identity system, decision makers would have to determine whether and how such a system would be regulated, and by whom. What constitutes misuse of the ID or the data associated with it? What penalties are imposed on the holder for misusing or tampering with the ID? What penalties are imposed on officers of the government for abuse of the card or misuse of its information? What penalties are imposed on private parties or businesses other than the holder for abuse of the card or misuse of the identity and associated information? Would laws permit, discourage, or forbid private-sector actors from asking individuals to present the card for reasons other than those intended by the public sector?

Depending on the policy choices and deployment strategies a nationwide identity system reflects, its constitutional implications may be significant. The constitutional limitations on an agent’s ability to require presentation of IDs,[23] along with the limitations on the ability of Congress to enact a nationwide identity system, should be explored before any such enactment to avert the costs of imposing the system and then having to revise or abandon it in the face of its unconstitutionality, to say nothing of its effects on civil liberties.

Depending on implementation details and policy decisions, a nationwide identity system could be used to compile and store large amounts of information on individuals, so that the legal restrictions on compiling and using dossiers would have to be strictly obeyed. More broadly, an understanding of the principles that support significant privacy-related authorities, as well as the major legal traditions and principles that drive U.S. privacy law and policy, will be necessary when considering identity systems that will handle personally identifiable information.[24] In particular, it would be helpful to have insight into the statutory models that pertain where mistakes can have severe repercussions (such as census information collection or tax returns).

[23] In fact, the Supreme Court has limited the situations in which government authorities and police officers may require individuals to leave an area due to lack of apparent purpose. See Brown v. Texas at
A further consideration is that because identification in the form of birth certificates and driver’s licenses has traditionally been done at the state and local level, states’ rights and associated issues could well arise. It will be important to examine the federal/state constitutional tensions along with how such issues may facilitate or impede development of policy solutions in this arena. How, for example, should a nationwide identity system interact with the other federal, state, and local identity systems that are already in place? Should these other systems continue, be coupled to the nationwide system, or be superseded?
BENEFITS AND DRAWBACKS
Creation of a well-thought-out and well-designed nationwide identity system could have some advantages over the current methods of establishing and verifying identity, such as state-issued driver’s licenses, Immigration and Naturalization Service documents, and birth certificates. Current systems have many characteristics that pose a challenge to meeting the goals expressed by proponents of a more uniform nationwide identity system. For example, the documents in current systems are not standardized in form or information content, so that a person inspecting an offered document often cannot determine if it even resembles an authentic document (much less whether it actually is authentic) without substantial research.

Similarly, such documents are generally not strongly linked to the person who offers one for identity, allowing several people to use a single authentic document. Identities also cannot be clearly revoked in current systems, allowing a person to successfully offer an invalid ID as verification of identity. Moreover, these systems do not universally employ strong anticounterfeiting measures—indeed, the existing measures vary from document to document, and the documents are not easily checked.
A nationwide identity system, depending on its implementation, might drive many other forms of identification out of use by subsuming their functionality. Several factors in particular could encourage widespread third-party reliance on the nationwide identity system to the exclusion of current systems. First, if the cost of the system is borne by the government and its associated agencies, the system’s use would be free to other segments of society unless measures (technical, legal, or otherwise) are taken to prevent unauthorized use. Second, unless private parties are prevented by law (or restrictions on technology) from relying on the nationwide identity system, the liability associated with such reliance would be shielded by the government’s sovereign immunity. Third, even if the private parties were forbidden to rely on the data, it is very likely that private commercial organizations would begin to correlate data about citizens based on their card and/or identity within the system. The information in these commercial databases may not be as strongly protected (legally or technologically) as, presumably, is the information in the nationwide identity system’s own databases. The correlation and aggregation of personal information thus raise a variety of policy questions about the use of such information and constraints on it.
As Garrett Hardin wrote in 1968, “You can’t do just one thing.”[25] The introduction of a nationwide identity system would create ripples throughout society and the legal system. It is difficult to predict what unintended effects these ripples would have. In part due to our frontier history, there seems to be a widespread belief in our country that some socially good things derive from the current inability to strongly correlate an identity with an individual—for example, a person often has the option of leaving some detail of his or her life behind. Examples include the expunging of the criminal records of minors, anonymous testing for sexually transmissible diseases (and the consequent public-health benefits of reducing the incidence of these diseases), shielding the identity of rape victims from public view, and erasing the records of bankruptcy after a statutory interval.

It is not known how much the smooth operation of society depends on such things, or on the assumption that they are possible. There is a risk, however, that they would be lost, or at least significantly impaired, if a broadly used nationwide identity system came into existence.[26] Ensuring the privacy protections in these examples would likely depend on carefully limiting access to, and the specific uses of, the system’s databases, and on restricting the required uses of an ID to certain circumstances.

Identity theft is already a critical problem,[27] even without centralized, mandated identities for everyone. Identity theft is an individual’s fraudulent claim that he or she is the person to whom the information in the system refers, allowing him or her to derive some benefit from another party who is relying on that claim. It might involve theft of a physical ID token or it might involve the thief’s learning some secret or personal information and using this in lieu of the token. One reason for the problem is the broad misuse of SSNs, coupled with the fact that the number itself is small enough to be easily memorized. In addition, birth and death data in the United States are not subject to stringent accuracy requirements nor are they highly correlated, making it relatively straightforward to exploit a deceased person’s birth certificate in order to establish credentials as a basis for an identity.

[25] Garrett Hardin, “The Tragedy of the Commons,” Science 162:1243-1248 (1968).

[26] Years of experience show that when people automate or regiment a previously manual or only lightly regimented system, they discover the new system’s demand that things be done “exactly right” can create havoc, and that what used to be a smooth process needs to be redesigned to accommodate the less flexible automated system. Decision makers must consider that introducing a rigorous identity system might wreak similar havoc when people discover that some authentication activities require more flexibility than the new system can offer.

[27] Time magazine notes that in 2001 the “Federal Trade Commission logged more than 85,000 complaints from people whose identities had been pirated” and that “some consumer advocates suggest as many as 750,000 identities are stolen each year.” See
Given the attendant risks, a nationwide identity system would need to provide much better protection against identity theft than do current systems of identification.[28] Additional questions arise in the context of a nationwide system of how to recover from identity theft. Who would have the authority to restore or create a new identity for someone when necessary? And what safeguards would be needed to prevent this authority from being abused?
While offering better solutions to some problems surrounding identity theft, a nationwide identity system poses its own risks. For example, it is likely that the existence of a single, distinct source of identity would create a single point of failure that could facilitate identity theft. The theft or counterfeiting of an ID would allow an individual to “become” the person described by the card, in very strong terms, especially if the nationwide identity system were to be used for many purposes other than those required by the government. Paradoxically, it could be that a robust nationwide identity system makes identity theft more difficult while at the same time making its consequences more dire. The economic incentive to counterfeit these cards could turn out to be much greater than the economic incentive to counterfeit U.S. currency.

[28] One strategy might be for the system to avoid displaying human-readable ID “numbers” or other unique identifiers to private organizations. This would, in effect, make it impossible for anyone to read another person’s information off his or her card. (Imagine, for example, a credit card that does not have the account number embossed on the front but makes it available only to machines that read magnetic stripes, thereby reducing opportunities for casual theft). The strategy would instead require that agents use cryptographic techniques to authenticate individuals or enable transactions. See Figure 2.1 for a description of the kinds of information in an identity system and where the information might end up.
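As an added illustration of the strategy in footnote 28 combined with the minimization principle discussed earlier (example code written for this edit, not from the report or from any deployed identity system), the sketch below gives each relying party its own derived key and pseudonym, so a verifier authenticates the holder cryptographically without ever seeing the underlying ID number, receives only the attributes it asked for, and cannot join its records with another organization's. The card and verifier classes, the HMAC-based challenge-response and the enrollment step are assumptions of this sketch; a production design would use public-key credentials rather than a key shared with the verifier.

```python
import hashlib
import hmac
import json
import secrets


class IdCard:
    # Constructed model of a card whose ID number never leaves the card.
    def __init__(self, id_number, attributes):
        self._id_number = id_number        # held on-card only; never transmitted
        self._master = secrets.token_bytes(32)
        self._attributes = attributes      # e.g. {"over_21": True, "dob": "..."}

    def _derive(self, label, relying_party):
        # Per-relying-party derivation: the key and pseudonym handed to one
        # organization are unrelated to another's, so records cannot be joined
        # without the card's master secret.
        msg = label.encode() + b":" + relying_party.encode()
        return hmac.new(self._master, msg, hashlib.sha256).digest()

    def enroll(self, relying_party):
        # One-time registration: the verifier stores (pseudonym, shared key).
        return self._derive("pseudonym", relying_party).hex(), self._derive("key", relying_party)

    def respond(self, relying_party, challenge, requested):
        # Minimization: release only the attributes the verifier asked for,
        # bound to the verifier's fresh challenge so the answer cannot be replayed.
        disclosed = {k: self._attributes[k] for k in requested if k in self._attributes}
        msg = challenge + json.dumps(disclosed, sort_keys=True).encode()
        tag = hmac.new(self._derive("key", relying_party), msg, hashlib.sha256).hexdigest()
        return self._derive("pseudonym", relying_party).hex(), disclosed, tag


class RelyingParty:
    # Constructed verifier: knows pseudonyms and per-card keys, no ID numbers.
    def __init__(self):
        self._keys = {}

    def register(self, pseudonym, key):
        self._keys[pseudonym] = key

    def verify(self, challenge, response):
        pseudonym, disclosed, tag = response
        key = self._keys.get(pseudonym)
        if key is None:
            return False, {}                 # card enrolled elsewhere, or unknown
        msg = challenge + json.dumps(disclosed, sort_keys=True).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, {}                 # altered attributes or stale challenge
        return True, disclosed
```

The verifier should generate each challenge with `secrets.token_bytes` so that a captured response is useless against a later challenge.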
To determine what safeguards are necessary, a realistic threat analysis would be required. Are the as-yet-undetermined countermeasures up to the challenge? Any proposed system must be examined to determine whether the net result with respect to identity theft would be better or worse than it is now. It may be that more robust security in a nationwide identity system, along with increased attention to data integrity (for example, correlating birth and death records, as discussed above) in current identity systems, would mitigate some of the identity theft problems that arise.