IDs -- Not That Easy: Questions About Nationwide Identity Systems (2002)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Executive Summary N ationwide identity systems have been proposed as a solution for problems ranging from counterterrorism to fraud detection to enabling electoral reforms. In the wake of September 11, 2001, and renewed interest in the topic, the Committee on Authentication Tech- nologies and Their Privacy Implications of the Computer Science and Telecommunications Board1 developed this short report as part of its on- going study process, in order to raise questions and catalyze a broader debate about such systems. The committee believes that serious and sustained analysis and discussion of the complex constellation of issues presented by nationwide identity systems are needed. Understanding the goals of such a system is a primary consideration. Indeed, before any decisions can be made about whether to attempt some kind of nationwide identity system, the question of what is being discussed (and why) must be answered. There are numerous questions about the desirability and feasibility of a nationwide identity system. This report does not attempt to answer these questions comprehensively and does not propose moving toward such a system or backing away. Instead, it aims to highlight some of the significant and challenging policy, procedural, and technological issues 1See <http://www.cstb.org/web/project_authentication>. 1 

2 IDs—NOT THAT EASY presented by such a system, with the goal of fostering a broad, deliberate, and sophisticated discussion among policy makers and stakeholders about whether such a system is desirable or feasible. Policy questions that the committee believes should be considered when contemplating any kind of identity system include the following: • What is the purpose of the system? Possibilities range from expedit- ing and/or tracking travel to prospectively monitoring individuals’ ac- tivities in order to identify and look for suspicious activity to retrospec- tively identifying perpetrators of crimes. • What is the scope of the population that would be issued an “ID” and, presumably, be recorded in the system? How would the identities of these individuals be authenticated? • What is the scope of the data that would be gathered about individu- als participating in the system and correlated with their national identity? While colloquially it is referred to as an “identification system,” implying that all the system would do is identify individuals, many proposals talk about the ID as a key to a much larger collection of data. Would these data be identity data only (and what is meant by identity data)? Or would other data be collected, stored, and/or analyzed as well? With what confidence would the accuracy and quality of this data be established and subsequently determined? • Who would be the user(s) of the system (as opposed to those who would participate in the system by having an ID)? One assumption seems to be that the public sector/government will be the primary user, but what parts of the government, in what contexts, and with what con- straints? In what setting(s) in the public sphere would such a system be used? Would state and local governments have access to the system? Would the private sector be allowed to use the system? What entities within the government or private sector would be allowed to use the system? Who could contribute, view, and/or edit data in the system? • What types of use would be allowed? Who would be able to ask for an ID, and under what circumstances? Assuming that there are datasets associated with an individual’s identity, what types of queries would be permitted (e.g., “Is this person allowed to travel?” “Does this person have a criminal record?”)? Beyond simple queries, would analysis and data mining of the information collected be permitted? If so, who would be allowed to do such analysis and for what purpose(s)? • Would participation in and/or identification by the system be vol- untary or mandatory? In addition, would participants have to be aware of or consent to having their IDs checked (as opposed to, for example, allow- ing surreptitious facial recognition)? 

EXECUTIVE SUMMARY 3 • What legal structures protect the system’s integrity as well as the data subject’s privacy and due process rights, and determine the govern- ment and relying parties’ liability for system misuse or failure? Each of these issues is elaborated on in the report. And each of the above questions evokes a larger set of issues and questions that must be resolved. In addition, many of these issues are interdependent, and choices made for each will bear on the options available for resolving other issues. Decisions made at this level will also have ramifications for the tech- nological underpinnings of the system, including what levels and kinds of system security will be required. In fact, “system” may be the most important (and heretofore least discussed) aspect of the term “nationwide identity system,” because it implies the linking together of many social, legal, and technological components in complex and interdependent ways. The success or failure of such a system is dependent not just on the individual components but also on the ways they work—or do not work— together. The control of these interdependencies, and the mitigation of security vulnerabilities and their unintended consequences, would deter- mine the overall effectiveness of the system. The committee believes that given the complexity and potential im- pact of nationwide identity systems, more analysis is needed with respect to both desirability and feasibility. In particular, • Given the potential economic costs, significant design and imple- mentation challenges, and risks to both security and privacy, there should be broad agreement on what problem(s) a nationwide identity system would address. Once there is agreement on the problem(s) to be solved, alternatives to identity systems should also be considered as potential solutions to whatever problem(s) is identified and agreed upon. • The goals of a nationwide identity system must be clearly and publicly identified and deliberated upon, with input sought from all stake- holders; public review of these goals prior to selecting a proposed system is essential. • Proponents of such a system should be required to present a very compelling case, addressing the issues raised in this report and soliciting input from a broad range of stakeholder communities. • Serious consideration must be given to the idea that—given the broad range of uses, security needs, and privacy needs that might be contemplated—no single system may suffice to meet the needs of poten- tial users of the system. 

4 IDs—NOT THAT EASY • Care must be taken to explore completely the potential ramifica- tions, because the costs of abandoning, correcting, or redesigning a sys- tem after broad deployment might well be extremely high. The legal, policy, and technological issues associated with nation- wide identity systems warrant much more detailed and comprehensive examination and assessment than are presented in this report. The com- mittee hopes that the extensive set of questions and issues raised here will help to both further and inform the policy debate. The committee wel- comes feedback on this brief report as it continues preparing its broader and more in-depth final report on the topic of authentication technologies and their privacy implications.