1
Introduction and Overview
While the events of September 11, 2001, have galvanized a search
for improvements in the safety and security of our society, the
challenge is to provide protection without sacrificing fundamental
freedoms. An idea that has resurfaced as a result of the attacks is
the creation of a “national identity card,” often referred to simply as a
“national ID.”1 This term is a bit of a misnomer, in that a card would
likely be but one component of a large and complex nationwide identity
system, the core of which could be a database of personal information on
the U.S. population. This report by the Committee on Authentication
Technologies and Their Privacy Implications provides a limited exploration
of such a system and of the potential legal, policy, and technical
challenges that it might present.
No one really knows if a nationwide identity system could detect or
deter terrorism, although several arguments have been advanced. One is
that such a system could be used to easily identify known terrorists upon
their interaction with particular agents (such as airline security officials),
facilitating their arrest. On the other hand, unless the database of suspects
includes those particular individuals, the best possible identity system
would not lead to their apprehension. Another suggestion is that the
data collected from the widespread use of nationwide IDs could help
prevent terrorists from achieving their objectives. This might involve the
detection of abnormal or suspicious patterns of behavior that accompany
the planning and/or execution of a terrorist act.
1See, for example, “States Devising Plan for High-Tech National Identification System”
at and
“National ID Card Gaining Support” at
6 IDs—NOT THAT EASY
Another potential role of a nationwide identity system is as an investigative
tool in the aftermath of a crime or terrorist attack. Here, the data
collected could help retrospectively in the identification, arrest, and
prosecution of the perpetrators. Some argue that this is primarily (though not
exclusively) a post facto activity, more useful for law enforcement than
for counterterrorism, which is, in part, an a priori intelligence function.
Terrorism issues per se are beyond the scope of this report, which
examines the concept of a nationwide identity system in the large, not
solely with respect to counterterrorism. The committee believes that the
concept of a nationwide identity system—including whether such a system
is a good idea—must be examined on its own merits.
Indeed, nationwide identity systems have been sought for many purposes
in addition to countering terrorism. They have been proposed to
aid in fraud prevention (for example, in the administration of public
benefits), catch “deadbeat dads,” enable electoral reforms, allow quick
background checks for those buying guns or other monitored items, and
prevent illegal aliens from working in the United States.
Depending on the nature of the population, the data collected, and
the scope of use, a nationwide identity system might be able to help with
other tasks as well. For example, a robust, accurate and comprehensive
system might aid law-enforcement officials in tracking or finding people.2
It is possible that the correlation of social (for example, health, economic,
demographic) information could be more easily accomplished with the
use of a national identity system; statisticians, for example, note how a
single identifier would facilitate some of their analyses. In addition,
depending on implementation choices, e-commerce and e-government
transactions might be simplified. However, there could also be negative
consequences, ranging from infringement on rights and liberties (including
loss of or invasion of personal privacy) to harm resulting from
misidentification or misuse of the system, plus significant implementation and
deployment costs. The trade-offs (enhanced security versus risks to
privacy, cost versus functionality, and so on) need to be carefully
considered.
2Examples include tracking fugitives, executing warrants, tracking noncitizens with
expired visas, tracking illegal aliens, and confirming alibis for those innocent of criminal
charges. A nationwide identity system could facilitate the work done by the National
Crime Information Center, a computerized database at the Federal Bureau of Investigation
that permits access by authorized users to documented criminal justice information.
Many other countries have nationwide identity systems, which they
often use for such diverse purposes as proof of age (e.g., Belgium), proof
of citizenship, and for generating electronic signatures (e.g., Finland). In
the United States, citizens’ concern for civil liberties, their historic
association of ID cards with repressive regimes, and states’ rights concerns have
discouraged movement toward a governmentally sanctioned nationwide
identity system.3 Additionally, because the country was settled by
immigrants, a significant fraction of whom wanted to escape just such
practices, many U.S. record systems were intentionally designed not to gather
linking data.4 Further, it appears that laws requiring individuals to show
proof of legal status or citizenship result in increased discrimination based
on national origin and/or appearance.5 The human rights issues that
could arise, such as increased demands for documentation from those
who look or sound “foreign” and the deterioration of living and working
conditions for aliens, are substantial.6 Clearly, an examination of the
legal and social framework surrounding identity systems, while outside
the scope of this report, would be essential.7
3The Electronic Privacy Information Center has compiled a set of resources and reports
on the topic at its Web site, .
4An example that frustrates many genealogists is that U.S. birth certificates usually
require identifying the town of birth only for parents born in the United States; for people
born elsewhere, the country of birth is sufficient. Generally speaking, the mindset that such
things are “no one’s business” has deep roots.
5See U.S. General Accounting Office (GAO), Immigration Reform: Employer Sanctions and
the Question of Discrimination, March 1990; Marvin Howe, “Immigration Law Leads to Job
Bias, New York Reports,” New York Times, February 26, 1990, p. A1. The GAO report on the
Immigration Reform and Control Act of 1986 (IRCA) cites a “widespread pattern of
discrimination” resulting “solely from the implementation of IRCA.” Ten percent of employers
discriminated on the basis of foreign accent or appearance, and nine percent discriminated
by preferring certain authorized workers over others.
6Especially for communities of recent immigrants, there is likely to be significant
controversy in shifting to a system that would prohibit or make difficult work and other activities
without presentation of an ID. In considering the feasibility and desirability of a particular
approach, designers of any such system should be aware of this potential opposition, as
well as possible opposition from other segments of the population.
7It would be useful to examine how such systems have worked in other countries, as well
as to examine nations where IDs have been proposed but not implemented (such as the
United Kingdom).
Although discriminatory acts such as those alluded to above might be
constrainable by law, the presentation of identifying documents—driver’s
licenses and credit cards, for example—is being demanded today in more
and more generic circumstances. There is also evidence of growing
efforts in the public and private sectors to collect, maintain, correlate, and
use more and more information on citizens’ activities based on existing
identifiers such as Social Security numbers (SSNs). Initially designed only
for administering social security benefits, SSNs are now common data
elements in public and private sector databases, allowing for easy sharing
and correlation of disparate records. This is a classic example of function
“creep”—continuous expansion in the use of a system first intended for a
limited purpose.8
Before any decisions can be made about whether to attempt to formalize
some kind of nationwide identity system, the question of what is being
discussed must be answered. Thus the committee believes that substantive
and sustained analysis is needed on the issue.
There is no recognized universal model for a nationwide identity
system. Because different people mean different things when they discuss
the concept, evaluating it requires clarification of what is intended.
The range of possibilities for identity systems is broad and includes
alternative approaches such as the following:
• A database establishing a unique identity and maintaining information
on every U.S. citizen, including, for example, information on
known felony convictions and place of residence, available for government
and commercial query;
• A system similar to the above system that also includes noncitizens
who are legally in the United States;9
• A database of only a fraction of the country’s population—those
individuals who have a specific characteristic (for example, criminal
record, past noncriminal but anomalous behavior, trusted travelers)—
that would not include the majority of people in the country; and
• A database allowing voluntary participation in return for such benefits
as ease of entry into the country or access to the fast line at the airport
security checkpoint.
8Some might argue that the SSN is already a de facto national identifier. The General
Accounting Office makes this assertion and also points out that no one law governs the use
of SSNs. While originally intended to identify retirees who qualified for the Social Security
retirement system, the SSN is now required, in some cases by law, to be used to identify
individuals who seek federal assistance. In addition, of course, the SSN has been adopted
as a taxpayer ID number. In his book Database Nation, Simson Garfinkel provides a history
of the expanded use of the SSN. Provisions of the Social Security Act, the Privacy Act, and
the Computer Matching Act are among the laws that attempt to limit the conditions under
which SSNs and associated data are used (General Accounting Office, Social Security:
Government and Commercial Use of the Social Security Number Is Widespread, GAO/HEHS-99-28,
February 1999). For example, the Privacy Act of 1974, available at
The above possibilities (there are others as well) emphasize the need
for answers to a number of questions before a more substantive analysis
can proceed. Several policy questions should be asked when considering
any kind of identity system (see also Figure 1.1):
• What would be the purpose of the system? Possibilities include expediting
and/or tracking travel, prospectively monitoring citizens’ activities
in order to discern suspicious behavior, and retrospectively aiding in
the identification of perpetrators of crime, among others.10
• What is the scope of the population for whom an ID would be issued
and whose activities would presumably be recorded in the system? How
would the identities of these individuals be authenticated?
• What is the scope of the data that would be gathered about individuals
participating in the system and correlated with their national identity?
While it may be referred to casually as an “identification system,” implying
that all the system would do is identify individuals, many proposals
talk about the ID as a key to a much larger collection of data. Would these
data include only identity data (and what, precisely, is meant by identity
data)? Or would other data be collected, stored, and/or analyzed as well?
With what confidence would the accuracy and quality of these data be
established and subsequently determined?
• Who would be the user(s) of the system (as opposed to who would
participate in the system by having an ID)? One assumption seems to be
that the public sector/federal government would be the primary user, but
what parts of the government, in what contexts, and with what constraints?
In what setting(s) in the public sphere would such a system be
used? Would state and local governments have access to the system?
Would the private sector be allowed to use it? What entities within the
government or private sector would be allowed to use the system? Who
could contribute, view, and/or edit data in the system?
• What types of use would be allowed? Who would be able to ask for
an ID, and under what circumstances? Assuming that there are datasets
associated with an individual’s identity, what types of queries would be
permitted (e.g., “Is this person allowed to travel?” “Does this person have
a criminal record?”)? Beyond simple queries, would analysis and data
mining of the collected information be permitted? If so, who would be
allowed to do this kind of analysis and for what purpose(s)?
• Would participation in and/or identification by the system be voluntary
or mandatory? In addition, must participants be aware of or consent
to having their IDs checked (as opposed to, for example, undergoing
surreptitious facial recognition)?
• What legal structures would protect the system’s integrity, as well
as the data subject’s privacy and due process rights, and define the government
and relying parties’ liability for system misuse or failure?
These questions will drive technological considerations (described in
Chapter 3), including what kinds and what levels of system security
would be required.
10In general, the narrower the goals, the simpler and, perhaps, less controversial a system
is likely to be, although even a narrowly focused system can run into function creep
and problems associated with misidentification.
[Figure 1.1 diagram; labels: Goals? Who is participating? Voluntary or mandatory? What data? Users? Type of use? Legal structures?]
FIGURE 1.1 Interconnecting policy choices. The choices made for each of the
questions posed will bear, with differing degrees of influence, on the choices
made with respect to all of the other issues. For example, the goals of the system
will influence what data are collected about individuals. What data are collected
about individuals will constrain the possible goals of the system. Who is allowed
to use the system will have a bearing on what legal structures are needed. What
legal structures are put in place will bear on what kinds of access to the system
are allowed. And so on.
Throughout this report, the term “nationwide identity system” is used
in lieu of the more colloquial “national ID” or “national ID card.” Many
of the proposals are often presented in terms of a national identity card,
though technologies exist—possibly including biometrics, which measures
and analyzes unique physiological and behavioral characteristics of
individuals—that might serve some of the same proposed purposes without
requiring a physical card. Nevertheless, the emphasis in this report is
on card-based models simply because they have been proposed most
frequently. In addition, many of the policy questions and database-related
technical issues apply both to card-based systems and those that do
not require a physical card (see Chapter 3).
With respect to the chosen phrase, nationwide identity system,
“nationwide” is meant to underscore the scale (both geographic and in terms
of numbers of users) needed, without implying that IDs would necessarily
be generated from a single central location or, implicit in the term
“national,” that only citizens would need an ID.
The notion of identity is complicated, even when only the identity of
persons (and not things, arguments, systems, etc.) is being referred to, as
this report is doing. This report distinguishes between an identifier (the
name or sign by which a person is known), which can be thought of as a
label by which an individual is known in and to society and with which
he or she conducts his or her affairs within society, and the identity of a
person as seen by others. For the purposes of this report, “identity” refers
to a set of information about a person X believed to be true by Y. More
colloquially, identity is associated with an individual as a convenient way
to characterize that individual to others. The set of information and the
identifier (name, label, or sign) by which a person is known are also
sometimes referred to as that person’s “identity.” The choice of information
may be arbitrary, linked to the purpose of the identity verification
(also referred to as authentication) in any given context, or linked intrinsically
to the person—as in the case of biometrics (see Box 1.1).11 For
example, the information corresponding to an identity may contain facts
(such as eye color, age, address), capabilities (for example, licensed to
drive a car), medical history, financial activity, and so forth. Generally,
not all such information will be contained in the same identity, allowing a
multiplicity of identities, each of which will contain information relevant
to the purpose at hand. In the phrase “nationwide identity system,” the
word “identity” implies that decisions must be made about what constitutes
an identity within a system and that an identity will be established
for participants.
11Although biometrics are proposed with increasing frequency for a variety of identification
and authentication purposes, they pose many difficult issues for system design,
implementation, and use. These will be explored in the committee’s final report.
BOX 1.1
Terminology
For the purposes of this brief report, and to help clarify discussion, concepts that
the committee’s final report1 will explore in detail are explained here.
• Identity. The identity of X according to Y is a set of statements believed by Y
to be true about X. In this report, identity generally refers to a set of information
about X, especially in the context of a particular identity system.
• Identification. Identification is the process of determining to what identity a
particular individual corresponds, often without a claimed identity on the part
of the individual (for example, the identification of an unconscious patient in
an emergency room).
• ID. In this report, ID refers to the identity information pertaining to a particular
individual that is contained within an identity system and/or the token associated
with that information.
• Authentication. Authentication is the process of confirming an asserted identity
with a specified or understood level of confidence. Note that authentication
is quite distinct from identification.
• Security. Security refers to a collection of safeguards that ensure the confidentiality
of information, protect the integrity of information, ensure the availability
of information, account for use of the system, and protect the system(s)
and/or network(s) used to process the information. Security is intended to
ensure that a system resists (potentially correlated) attacks.
• Privacy. The right to privacy is the right of an individual to decide for himself
or herself when and on what terms his or her attributes should be revealed.
It should be noted that each of these terms represents a complicated, nuanced,
and, in some instances, deeply philosophical topic. The descriptions of these concepts
given here are not meant to be definitive, prescriptive, or comprehensive.
1See for more information.
A critical question—which goes beyond the scope of this report, but
which must be considered in the larger law-enforcement and national-security
context—is whether establishing and verifying identity is either
necessary or sufficient for achieving any of the desired objectives of the
system. It may be that they require collection and analysis of data and/or
prospective or retrospective tracking or surveillance, well beyond mere
identity verification.12 Note that even the question of whether to institute
collection of data and surveillance is not binary (see Box 1.2).
“System” may be the most important (and heretofore least discussed)
aspect of the term “nationwide identity system,” because it implies the
linking together of many social, legal, and technological components in
complex and interdependent ways. The success or failure of such a
system is dependent not just on the individual components, but on the
ways they work—or do not work—together. Each individual component
could, in isolation, function flawlessly yet the total system fail to meet its
objectives.13 The control of these interdependencies, and the mitigation
of security vulnerabilities and their unintended consequences, would determine
the effectiveness of the system.
A nationwide identity system would also consist of more than simply
a database, communications networks, card readers, and hundreds of
millions of physical ID cards. The system would need to encompass
policies and procedures and to take into account security and privacy
considerations and issues of scalability, along with human factors and
manageability considerations (if the requirements of use prove too onerous
or put up too many barriers to meeting the goal of the relying party,
that party might try to bypass the system). The system might need to
specify the participants who will be enrolled, the users (individuals,
organizations, governments) that would have access to the data, the permitted
uses of the data, and the legal and operational policies and procedures
within which the system would operate. In addition, a process would
need to be in place to register individuals, manipulate (enter, store,
update, search and return) identity information about them, issue credentials
(if needed), and verify search requests, among other things. The
word “system” suggests the complicated nature of what would be required
in a way that the colloquial phrase “national ID card” does not.
12For example, if the goal were to track the activities or whereabouts of an individual to
detect illegal activity or suspicious patterns, surveillance of the behavior and activities of
said individual would be needed after identification was accomplished. Surveillance might
require a warrant or other judicial intervention, depending on the approach taken. If the
goal were to detect suspicious activity by previously unsuspected individuals (in order to
prevent illegal activity), correlation of surveyed actions would be required after identification
and surveillance were accomplished. Such correlation would presumably have to be
done before establishment of probable cause for a search in order for it to be useful.
13There are examples of this in security mechanisms—for example, where individual
techniques to provide additional security interact unexpectedly in such a way as to make
the system less secure. Charles Perrow explores the broad concept more thoroughly in
Normal Accidents, McGraw-Hill, 1986. In addition, the Web site
BOX 1.2
Degrees of Data Collection and Surveillance
Merely asserting that some data collection or surveillance would occur in a
system or that data would be analyzed is insufficient. It is important to determine
precisely what is meant or intended by “collection” and “analysis” within an
identification system. There are at least five different ways to approach this issue:
• Little to no data collection. The only data collected and stored are those
needed to establish, at a particular time, an individual’s identity within the
system (for a predetermined meaning of “identity.”)
• Individual data collection. Information about an individual’s activities and
behavior is collected and stored but analyzed only upon request by an authorized
agent (for example, a court order).
• Aggregate data collection. Behavioral data are aggregated and stored but
only analyzed upon request or for a specific purpose. It may or may not be
possible to link data to an individual.
• Aggregate data analysis. Behavioral data are aggregated and proactively analyzed
to search for suspicious or abnormal patterns. Upon an authorized
request it may or may not be possible to link data to an individual.
• Individual data analysis. Each individual’s data are proactively analyzed to
check for suspicious or abnormal patterns of behavior, and any such findings
are flagged and authorized agents alerted.
It is important to note that a variety of identity systems fit within the
scope of what is being discussed in this report. The recent AAMVA
proposal14 to link state motor-vehicle databases is a nationwide identity
system. So is the recent proposal to create a traveler ID and database to
expedite security checks at airports. Each of these systems could and
should be subjected to the kind of analysis and critique described in this
report. Some of the issues raised here will be more applicable to some
systems than to others, but virtually any large-scale identity system will
need to take into consideration a number of policy and technological
issues; in fact, before deciding to build any identity system, the issues
outlined in this report should be explored.
14See for more information. The committee received a briefing
describing some of the issues facing AAMVA in developing a more secure driver’s
license infrastructure in a context where use of driver’s licenses is expanding beyond their
nominal function.
A top-down, monolithic system controlled by the federal government
is not the only kind of nationwide identity system that this report addresses.
For example, unifying document formats and linking the databases
of state driver’s licenses and ID-issuing systems would provide
broad (though not complete) coverage without creating a federally controlled
nationwide identity system. Further, the successes and failures of
the various nationwide identity systems in use in other countries should
be examined in order to have a fully informed discussion in the United
States. However, when studying such systems, questions of scale must be
kept in mind. Experience with a system for a population of tens of millions
is not necessarily applicable to a system that might incorporate hundreds
of millions. In any case, many of the questions raised in this report assume
large-scale systems and widespread participation in and use of such
systems.
Without attempting to answer comprehensively the many questions
surrounding a nationwide identity system and without making assertions
about whether to move toward or away from a nationwide identity
system, the report aims to highlight some of the significant policy, procedural,
and technical challenges presented by such a system, with the overall
goal of prompting a broad discussion among and between policy makers
and stakeholders.
This brief document is intended to inform the policy debate. Complete
policy analysis is outside its scope, though several of the broad
themes outlined here will be addressed more fully in the committee’s
final report. Chapter 2 describes what the committee believes is the most
important issue in the debate—namely, the system goals—along with
other policy issues that the committee believes should be considered in
advance of implementation and deployment. Chapter 3 explores some of
the technological issues involved in implementing a reliable and secure
nationwide identity system while minimizing unintended consequences,
such as compromises of privacy or the creation of new vulnerabilities.
Chapter 4 offers concluding remarks and suggestions.