2

Policy Considerations

Numerous policy questions surround any proposed nationwide identity system. They require sustained deliberation by policy makers and significant input from the various stakeholders— including federal, state, and local governments and agencies, privacy advocates, public-interest groups, civil rights and liberties groups, and those who would participate in and use the system (that is, ID holders, ID requestors, and data analysts). Establishing a nationwide identity system would almost certainly be a complex and expensive process, requiring years of legislative, technical, and public relations work, as systems now in place elsewhere have shown.1

WHAT DOES IDENTITY PROVIDE?

Whether and when knowledge of “identity” could aid in solving a problem or meeting an objective depends in part on the word's very definition. For the purposes of this report, identity refers to sets of information (say, a database record or a strongly linked system of records) about a person that can be used to tell who that person is. Confirmation

1 In the Philippines, for example, the social security system ID card project has been under active development and deployment for 6 years and has only reached an enrollment of just over 2 million, en route to the goal of enrolling 40 million social security beneficiaries, members, and dependents.



17 POLICY CONSIDERATIONS

(at some level of assurance) of identity is useful in contexts when one or more of the following are needed: (1) knowledge (in the present) about a person’s past is sought (e.g., the use of a dossier), (2) knowledge about a person in the present needs to be remembered for use in the future (e.g., the creation of a dossier), (3) distinguishing between two individuals is required to prevent the possibility of mistaking one of them for the other, or (4) verification of identity information provided by a third party. Identification and/or authentication are generally used to aid in recognition when there are multiple dealings with a single individual but could also be relevant to a single experience/transaction. (Note that authentication presumes a proffered identity that needs to be confirmed, whereas identification does not—see Box 1.1.)

While casual discussions of IDs or ID cards may assume simple, unique pairings of information and individuals, the reality is often more complicated. In practice, individuals usually have multiple identities—to family, to an employer or school, to neighbors, to friends, to business associates, and so on. Thus, different sets of information are associated with an individual in different contexts—and sometimes an ID card or equivalent is relied upon to provide or point to that information. For identity systems that have existed in our society for some time, there is a common understanding of what information is associated with each. A record associated with a driver’s license, for example, includes traffic violations; a record associated with a credit card includes late payment information; and so on.

Multiple identities (that is, multiple sets of information corresponding to a single individual) may allow individuals to control who has access to what kinds of information about them, and the use of multiple identities can be a legitimate strategy for controlling personal privacy in an information society. In addition to providing a measure of privacy protection, the use of multiple identities, even with respect to a single organization, serves legitimate and desirable functions in societal institutions as well. One individual may have several distinct roles with respect to a particular organization. For example, as far as the IRS is concerned, one might be an individual taxpayer, an IRS employee, or the comptroller of a nonprofit organization.

If, however, colluding agents are willing to make the effort, they might be able to link an individual’s records—through additional information or correlation with each other’s information—to create a single record. In many cases, an identity will include a common cross-reference, such as a Social Security number, that makes it trivially easy to link it to other identities. Moreover, there are usually other possible cross-references (such as address, age, and so on) that enable different sets of information to be linked, though there may be institutional practices or practical barriers that discourage such linking.2 In addition, questions arise as to how reliable the linking would be—some institutions may not mind if linkages are not completely supported, whereas others demand high levels of accuracy.

18 IDs—NOT THAT EASY

Sometimes, the use of multiple identities by a single person, or the use of a single identity by multiple persons, may be evidence of (or exploitable for) fraudulent behavior. Several criminals could use a single identity not considered problematic within the system, or a single terrorist could use the least suspicious of multiple identities accessible to him for boarding a plane. In principle, a nationwide identity system could, in some contexts, eliminate or significantly reduce these sorts of problems if it is designed to prevent both multiple individuals from claiming a single identity and multiple identities from being claimed by a single person.3

One implication of the term “national ID” is that these identities are centrally managed in order to make it difficult, if not impossible, for one person to have multiple identities. A system designed to link a person to a single identity (and prohibit use of multiple identities by a single person) within a certain domain must be mandatory (that is, everyone within the domain of interest must be included in the system), otherwise those wishing to establish multiple identities would simply opt out of the program. Also, checking is essential at the time an individual joins, to be sure that he or she is not already in the system. If an identity reveals potentially damaging information about a person, the person may try to avoid the entry of this information into the system by creating a different identity. In some cases, this capability is controlled by having only one central registry for the identity information.4

2 See the 1997 CSTB report For the Record: Protecting Electronic Health Information.

3 Historically, the Social Security Administration (SSA) allowed husbands and wives to share a single Social Security number, and some grandfathered couples still do. Thus, such an SSA “identity” refers to two people. Similarly, children and one of their parents can share a single passport and passport number. More commonly, the case of two or more individuals maintaining a joint bank account illustrates one identity (the bank account and associated information) being shared by multiple individuals. Creating multiple identities out of the single record set would be extremely hard for the issuing agencies, because the linked people usually share a single last name. Splitting the record, therefore, might require additional personal information.

4 A current example of a system that attempts to disallow multiple identities is the Commercial Driver’s License Information System (CDLIS). U.S. federal law—the Commercial Motor Vehicle Safety Act of 1986 (P.L. 99-570)—prohibits commercial truck drivers from having multiple driving identities. In compliance with the law, CDLIS is used by the states—via a centralized system that links the various issuing (state) agencies—to check that multiple licenses are not issued. However, nothing in the CDLIS system itself prevents multiple drivers from using this single license and, in fact, fraud of this type has been documented (see “Biometric Identification Standards Research: Final Report Volume I,” San Jose State University, December 1997, at ).

19 POLICY CONSIDERATIONS

Depending on the goals of the system, creating a tight identity-to-individual bond might be excessive. Often it doesn’t matter exactly who someone is as long as it is clear that he or she is a member of a particular group (e.g., over 21 or an officer of a corporation with check-signing privileges). Such group identities are often extremely useful in expediting matters in certain contexts and may raise fewer privacy concerns. Thus, any proposal for a new identity system requires a discussion of what sorts of identity information would be relevant and helpful to the stated goals of the system.5 It also requires taking into account the levels of confidence with which information was associated to an individual, since basing a system on fragile or unreliable data poses numerous risks. In addition, in some cases there are legal restrictions on what sort of information may be asked of an individual (presumably to include in that person’s associated identity information)—for example, it may not be legal to take into account a person’s race, gender, national origin, religion, and so forth. In other cases, retaining the advantages that come with the ability of an individual to maintain multiple identities or to maintain group identities could also be desirable. All in all, establishing what is meant by “identity” in a nationwide identity system—in other words, which collection of information is meant to encapsulate an individual’s distinctiveness—is a first-order concern.

TO WHOM AND FOR WHAT?

Once the notion of identity has been articulated, a determination must be made as to who would be issued an ID (see Box 1.1 for the distinction between “ID” and “identity”) and for what purpose. First and foremost, the goals and requirements of the system must be carefully articulated. What problems should the system be designed to solve? How would it provide solutions to those problems? Without a priori decisions about what types of system functions, determined by policy choices, are desired, the software and hardware may impose unwanted or undesirable restrictions or allowances.6 If a goal of the system is the identification and/or tracking of non-U.S. nationals, then issuing IDs only to U.S. citizens would not be sufficient.

5 If the goal of the system is to aid in counterterrorism, then relevant questions might include the following: Is a past criminal record a signal of a potential terrorist? Is a long record of frequent travel a signal that a person is or is not likely to be a terrorist? And so on.

6 See Lawrence Lessig’s treatment of software imposing values in Code and Other Laws of Cyberspace, Basic Books, New York, 1999.

20 IDs—NOT THAT EASY

Identification and tracking of all individuals would be required.7 Furthermore, non-U.S. nationals are already required to have IDs when in the United States (passports and, in some cases, visas); however, there is likely to be less control over—and therefore less confidence in—such foreign-issued credentials. This raises questions about international coordination, cooperation, and harmonization.8,9 The problems now present in keeping track of passports and visas, and in assuring that the right individuals and agencies have the appropriate data when needed, would undoubtedly persist in a new identification system.10 They also serve to demonstrate how difficult it is to implement a large identification system that is also robust.

What Is Required for ID Issuance?

The best that any system of authentication can do is provide a compelling connection with some previous verification of identity. Accordingly, trust in the integrity of the system is based not so much on the first such verification as on increasing confidence when all previous transactions with that particular individual have worked out.11 But at the outset, upon determination of who should have IDs, a host of questions arises: How is identity first established within the system? What information would be required of an individual upon application? How would that information be verified? Such broad questions imply others that are more specific: How would the “true” identity of individuals be established (e.g., for individuals in the initial stages of a program or after card loss or destruction)? What family name(s) would be used for the individual (birth name, adopted name, married name, father’s name, father’s mother’s name)? Could middle names, diminutives, or nicknames be used as first names? When can or must these names be changed? How would people with similar or identical names (or other pieces of associated data) be differentiated in the system? If participation in the system were mandatory, at what point in a person’s life would the ID begin to be required? How frequently would renewal be required? Under what circumstances would reissuance be required? What if the system “loses” a person (that is, a person claims to be in the system, but his or her information is not accessible)?

7 The terrorist attacks of September 11, 2001, were carried out exclusively by non-U.S. nationals; none of them would have had a U.S. ID if one had been required only of citizens. In addition, undercover operatives sponsored by a major foreign group or state hostile to the United States generally are individuals without suspicious records. It follows that such people’s IDs (be they within a United States nationwide identity system or outside it) would not contain anything particularly problematic.

8 The logistical considerations involved in issuing high-security identities for everyone entering the country are significant, especially when individuals do not need visas in advance (such as citizens of countries in the Visa Waiver Program).

9 Even if IDs were issued to foreign visitors entering the United States, the information would be based on information provided by their country of origin. Its usefulness is limited for at least two reasons: (1) many countries do not have much data about their citizens to begin with, and others may be unlikely to provide other nations with suspicious background information about their own citizens and (2) even if a country indicates that an individual seeking admission to the United States has a problematic background record, that doesn’t mean the United States would consider such a person a risk (for example, a country might provide warnings about political dissidents). Adding information to an individual’s ID beyond what his or her country of origin provides (presumably gathered by U.S. intelligence) is problematic for a number of reasons, including cost, scale, paucity of data, and potential compromise of sources and methods behind the information.

10 As an example of this, the Washington Post reported that 15 of the September 11 hijackers applied for visas in Saudi Arabia, where officials have indicated that identity theft is a serious concern. See .

21 POLICY CONSIDERATIONS

What Is the Meaning of an ID?

Broader, and perhaps more important, is the meaning of the ID (that is, the identity information about a person in the identity system and its associated token). Would the law define rights, privileges, and obligations with respect to the ID? Would the law define a legal person in terms of the ID, or vice versa, or neither? Related to the meaning is the issue of a citizen’s and the government’s responsibilities with respect to a nationwide identity system. A host of legal issues arises if an ID is to have significance as, say, a government-authorized identification token.

Using an ID to verify a person’s identity would not be of value without an obligation to present it upon demand by authorities or in an authorized search of one’s person.12 Questions that would need to be addressed include the following: When must the ID be carried? When must it be presented to a government official? What happens if the holder refuses to present it? What happens if the ID has been lost or stolen? How can information on the ID (or associated with it) be changed, and by whom? What if the infrastructure is down and the ID cannot be verified? Can only the federal government compel the presentation of the ID, or would state and local government officials (which is where most law-enforcement occurs and many social services are delivered) also have such authority?13

11 Although trust developed in this fashion is vulnerable as well. For example, individuals may act in a completely trustworthy fashion for a long period of time and then behave fraudulently or criminally.

12 Other identification techniques, such as facial recognition, might not require an obligation to present an ID.

22 IDs—NOT THAT EASY

Where Does the Identity Information Reside?

These questions point to other questions that must be considered about the information associated with a person’s ID. If it is a card or other physical token, what information is stored on it in human-readable format on the ID? What information does the ID store in machine-readable format? What information about or pertaining to an individual is stored in the identity system’s databases? What information in those databases is explicitly linked to information in other databases? Who has the authority to create these linkages? Who can access which information about a person in the system? What algorithms are used to analyze data in order to make assessments about a particular individual in a particular context (e.g., risk profiling)?14 (See Figure 2.1 for a description of what can happen to identity information within a system.)

Many of the questions raised in this section point more broadly to the problem of controlling function creep (as mentioned in Chapter 1). Decisions and policies made for one kind of system may not apply well if that system begins to be used for other than its original purposes. In the context of an identity system, function creep can occur when the same ID/token is used to access multiple systems. (This has happened with driver’s licenses in that they are used not only to prove authorization to drive, but also for proof of age and proof of address in various contexts.)

13 For example, if the goal were to locate and keep track of non-U.S. citizens and/or known criminals within the United States, it would probably be necessary to challenge all individuals (including citizens) to present the card at regular intervals and/or for a wide variety of activities. It would further be necessary to require all individuals to carry the card at all times. It could be that many forms of purchases and transactions would require use of the card in an ancillary fashion, in the same way that purchases with a check often require the presentation of a driver’s license or equivalent form of photo identification. In this way, the information associated with the card (and by extension with the holder’s identity) would become part of the records generated by some set of interactions, just as Social Security numbers and license numbers are used today—a practice that suggests the development, in effect, of dossiers. A question then arises as to what an individual’s failure or refusal to present the card under these circumstances would mean.

14 The European Data Protection Directive mandates a limited right of individuals to know what algorithms are used to make decisions about them on the basis of personal information.

23 POLICY CONSIDERATIONS

[Figure 2.1 diagram: ID Format? (Machine Readable / Human Readable); Location? (Card / Database / Elsewhere)]

FIGURE 2.1 Potential information flow in identity systems. The information associated with an individual identity could be distributed within the identity system in multiple ways. Parts of it may be machine-readable, parts may be readable by humans. Parts may be stored on a card, in a database, or elsewhere. Access to this information may be available to other systems, card readers, and/or people. Not present in this diagram, but implicit, is the notion that pieces of information, once outside the system, could then be added to other systems. Or, information from outside the system could be incorporated into this system. Understanding how information flows through the system, who has access to it, and who can change it will be important in understanding both the security and privacy implications of an identity system.

Reuse of an ID/token for purposes beyond the original intent leads to the feasibility of correlating information from many different sources and systems, which can be a cause of concern, particularly with respect to privacy. Strategies and policies that prevent or constrain function creep will be an important factor in any identity system.

24 IDs—NOT THAT EASY

PERMITTED USERS OF THE SYSTEM

Another set of policy questions arises over users of a nationwide identity system (recall that a system encompasses numerous social, legal, and technological aspects): May only the government use or request an ID? Under what circumstances? Which branches (federal, state, local) of the government? May any private person or commercial entity request presentation of an ID within the system? May any private person or commercial entity require presentation of an ID? Would certain private-sector organizations be required to use, ask for, and verify IDs? If so, there is a possibility that such mandates might be interpreted as a safe harbor with respect to some liability questions. How would that be handled? Who may use the information on (or associated with) the ID, and for what? Who may enter or modify information associated with the ID?

Depending on the goals of the system, use of the system by the private sector may be necessary. For example, if the goal is to create a database to mine for suspicious activities, tracking of a broad class of activities in the private sector may be viewed as critical. To accomplish this tracking, the ID would need to be presented in connection with many transactions in the private sector (e.g., when traveling on commercial airlines, when purchasing weapons, or when staying in a hotel.) However, as the set of users of a system expands, securing against misuse becomes more complicated. Widespread use (and abuse) of the information associated with an ID is a major concern, underscoring the importance of the initial policy choices related to the purpose of the system.

Management and Operations

Determining how any nationwide identity system should be managed and operated will be a key issue. If the federal government were to play a leading role in operations and management, an overhaul of business and management practices at multiple levels might be necessary.15 In addition, worldwide coordination would likely be necessary. For example, depending on the system goals, ID issuance by U.S. consulates abroad may have to be allowed, raising the potential for fraudulently obtained IDs. Pragmatically, even the most secure documents issued by the U.S. government (passports, green cards, and even currency) have been forged with regularity. Requiring federal government management and operations expertise for nationwide identity systems thus raises a host of issues that must be taken into consideration.

15 Since passage of the Paperwork Reduction Act of 1995, the Office of Management and Budget has been challenged to manage complex information assurance issues, even though it has both budgetary and statutory authority. The Department of Defense, as another example, is charged with managing classified and other national security systems. Nationwide identity systems pose new problems for each of these organizations. If the federal government were to attempt oversight of the system, it would be necessary to determine an appropriate management model suited to undertaking management of large-scale identity systems.

25 POLICY CONSIDERATIONS

Another set of policy issues involves the roles of the public, private, and not-for-profit sectors in a nationwide identity system. For example, in place of the above scenario (in which the federal government takes responsibility for the management and administration of a nationwide identity system), the private sector alone might develop and maintain the system. Alternatively, the private sector could be subordinate to some procuring federal agency, in which case any resulting data would be subject to federal laws such as the Privacy Act, the Computer Matching Act, the Government Information Security Reform Act, and the Computer Security Act.16

Of course, some hybrid model—featuring a public/private partnership—is also possible, though it would require explicit designation of which sector is responsible for what and who might be liable to potentially aggrieved parties when errors or abuses occur. (In particular, careful attention should be paid to due process issues that may arise in connection with error correction.) In any case, it would be absolutely necessary to define how a single organization’s private role in enabling the system should relate, if at all, to that same organization’s private role in its use. Furthermore, how the private entity would be funded would also be an issue. Moreover, the goals of private institutions with respect to such a system are likely to be very different from those of public institutions.17 This difference in ultimate objectives could lead to significantly

16 These acts all impose regulatory requirements on federal agencies that collect, use, and maintain sensitive information. The Privacy Act and the Government Information Security Reform Act in particular impose significant public notice and comment requirements on federal agencies to ensure public participation in the appropriateness of planned agency uses of data. The Computer Security Act imposes a risk-based standard for agencies to ensure they protect the confidentiality, integrity, and availability of sensitive federal information and supporting systems. If a nationwide identity system turned out not to be a federal government system, these laws would not apply and the protections they offer would not be available to individuals whose information is housed in the system.

17 For example, a small-store owner probably is not as interested in customers’ individual identities at point-of-sale transactions as he or she is in receiving assurance that payment will be made.

26 IDs—NOT THAT EASY

different system requirements and design and could encourage function creep over time.

PERMITTED USES OF THE SYSTEM

A key question about a nationwide identity system is the uses to which the information in it will be put. Will the system be designed to foster consolidation of other (especially federal) databases—or might that be a predictable side effect? Will it be designed to support individualized queries about individuals or provide a yes/no answer to simple questions (for example, “Is this individual a U.S. citizen?”)? Will the system facilitate data mining to establish “suspicious profiles”? If the system is to be used extensively by law enforcement, checks and balances would need to be put in place to prevent misuse of information (for example, constraints should be placed on how information collected or seen—perhaps tangentially—as a result of a particular investigation can be used for other purposes).

Consider the system’s potential need to make real-time associations of persons with identity—a policy question with technology-challenging implications. For many purposes, the linkage between the person and the identity need not be provided instantly. An application for a mortgage need not be processed in seconds. On the other hand, an identity that authorizes access to a secure building must be validated at the time of the intended entry. A related issue is the prospect of constant real-time correlation and analysis of an individual’s national-identity-based transactions.18 It is likely that such correlation, while possibly desirable depending on the goals of the system, would be financially, technologically, and administratively impossible. For that matter, even retrospective correlation of all transactions would be extremely challenging and expensive. Depending on what information must be tracked and stored, very large amounts of data may be generated. And the analysis of large amounts of data while looking for certain kinds of patterns is a large and open research area.

An additional correlation concern relates to potential uses beyond those associated with public safety and counterterrorism. If private entities are allowed to use the nationwide identity system for their own purposes, it is likely that IDs would be linked to a wide range of information, including bank accounts, credit cards, airline tickets, car rentals, hotel stays, retail transactions, purchases of controlled items (guns, explosives, perhaps some fertilizers, prescription drugs subject to abuse), phone lines, cell phone accounts, prepaid cell phones, and so on.19 Even if the data were not explicitly tied together by organizations, linking users by data items in their identity (such as SSNs) is possible. In addition, systems that employ biometrics could have the ability to link individuals whose information is stored in different databases. That is, two different digital representations of an iris or fingerprint could be compared to see if they might have come from the same eye or finger.20,21

18 For example, it may be useful to correlate instantly the renting of a large truck in one state with the purchase of a large amount of fertilizer a day later in another state.

27 POLICY CONSIDERATIONS

Finally, privacy is of serious concern to many, especially when information linkages extend across the boundaries of multiple identities—for example, in the linking of health data, credit ratings, or organizational memberships with our employment records. Of greatest concern to most people is the creation without authorization of such linkages by others, particularly those in positions of authority—governments or employers, for example.

The “minimization principle” is often used as a guideline when building systems sensitive to privacy concerns.22 It relates to the kind and quantity of information collected from and/or about individuals and emphasizes the need to collect only the minimum amount necessary for the desired transaction. Minimization also implies that disclosure of information should be limited to the purpose(s) for which it was collected. A pragmatic reason for this, in addition to the privacy aspects, is that information is likely to have an accuracy commensurate with its original purpose (for example, the address given on a video-store membership application form is more likely to be false than the home telephone number given on an employment application). In addition, the minimization principle suggests that information should be deleted when no longer needed and that the information disclosed be limited to that which is needed to fulfill the request (as opposed to disclosing all available information about an individual or transaction).

19 The issues become even thornier when one considers the possibility that physical items may eventually have their own tracking systems embedded in them. Cross-correlation of information about things and people would likely result in an exponential explosion of data, further complicating the technical questions and confounding the privacy issues. See Charlie Schmidt’s “Beyond the Bar Code,” Technology Review, March 2001.

20 Systems that will allow eye/finger versus database comparisons but not database versus database comparisons have been proposed, such as in N.K. Ratha, J.H. Connell, and R.M. Bolle, “Enhancing Security and Privacy in Biometrics-Based Authentication Systems,” IBM Systems Journal, vol. 40, No. 3, 2001. Another possible solution would be to use biometrics only at three points in any given system: when checking for duplicate enrollments at initial registration to prevent issuance of multiple IDs to a single user, when checking the binding between the cardholder and the card at point-of-service applications, and when reissuing the card. This check, which could occur without revealing the biometric pattern to the holder of the card, would create yet another point in the system where security is needed.

21 Work done by Latanya Sweeney (see ) suggests that very little information is needed to uniquely identify a particular individual in even an ostensibly anonymized database, suggesting that creating linkages between databases—even without biometric data tying individuals to their data—may not be difficult.

22 This notion is articulated in a report of the U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society, Government Printing Office, Washington, D.C., 1977, also known as the Privacy Commission Report. Three principles espoused in that report are to (1) minimize intrusiveness, (2) maximize fairness, and (3) create legitimate, enforceable expectations of confidentiality.

28 IDs—NOT THAT EASY

Clearly, minimization runs counter to the kinds of information collection and correlation needed for the preemptive and retrospective analyses contemplated by proposals for a nationwide identity system meant to counter terrorism and unlawful activities. Resolving or mitigating this tension will be a serious challenge to those developing policies for a nationwide identity system.

VOLUNTARY OR MANDATORY?

Whether participation in the system is to be required or chosen is a major policy decision. Until the goals of the system are clearly articulated, it will be difficult to gauge which type of participation would be preferable. Some goals may directly or indirectly require mandatory checking of identities and/or enrollment in the system. For example, if the goal were to prohibit travel by persons with malicious intentions, all air travelers would need to be enrolled—if enrollment were voluntary, such people would simply not enroll and would be permitted to travel. In general, any attempt to ascertain that an individual does not possess an unwanted attribute (for example, malicious intent) requires a complete knowledge of behaviors related to that attribute, and hence mandatory checks.
Clearly, a voluntary system is likely to meet with less resistance and to raise fewer concerns about civil liberties, although its voluntary nature would seem to limit the kinds of goals that it could expect to achieve. However, even when a system is nominally voluntary, attention should be paid to whether the large inconveniences of nonparticipation make it effectively mandatory. Deliberate consideration of whether and when to require participation and the implications of widespread but voluntary participation would be essential. There are at least two levels at which participation occurs: when an individual establishes an identity within the system and when his or her ID is requested or used in a given interaction. Whether an individual

OCR for page 16
29 POLICY CONSIDERATIONS must consent to presenting his or her ID as opposed to having the ID observed from a distance (possibly without the person’s knowledge) is another critical policy decision. WHAT LEGAL STRUCTURES? In considering whether to implement any nationwide identity sys- tem, decision makers would have to determine whether and how such a system would be regulated, and by whom. What constitutes misuse of the ID or the data associated with it? What penalties are imposed on the holder for misusing or tampering with the ID? What penalties are im- posed on officers of the government for abuse of the card or misuse of its information? What penalties are imposed on private parties or busi- nesses other than the holder for abuse of the card or misuse of the identity and associated information? Would laws permit, discourage, or forbid private-sector actors from asking individuals to present the card for rea- sons other than those intended by the public sector? Depending on the policy choices and deployment strategies a nation- wide identity system reflects, its constitutional implications may be sig- nificant. The constitutional limitations on an agent’s ability to require presentation of IDs,23 along with the limitations on the ability of Con- gress to enact a nationwide identity system, should be explored before any such enactment to avert the costs of imposing the system and then having to revise or abandon it in the face of its unconstitutionality, to say nothing of its effects on civil liberties. Depending on implementation details and policy decisions, a nation- wide identity system could be used to compile and store large amounts of information on individuals, so that the legal restrictions on compiling and using dossiers would have to be strictly obeyed. More broadly, an under- standing of the principles that support significant privacy-related authori- ties, as well as the major legal traditions and principles that drive U.S. 
privacy law and policy, will be necessary when considering identity sys- tems that will handle personally identifiable information.24 In particular, 23In fact, the Supreme Court has limited the situations in which government authorities and police officers may require individuals to leave an area due to lack of apparent pur- pose. See Brown v. Texas at . 24U.S. Department of Health, Education and Welfare, Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, Govern- ment Printing Office, Washington, D.C., 1973.

OCR for page 16
30 IDs—NOT THAT EASY it would be helpful to have insight into the statutory models that pertain where mistakes can have severe repercussions (such as census informa- tion collection or tax returns). A further consideration is that because identification in the form of birth certificates and driver’s licenses has traditionally been done at the state and local level, states’ rights and associated issues could well arise. It will be important to examine the federal/state constitutional tensions along with how such issues may facilitate or impede development of policy solutions in this arena. How, for example, should a nationwide identity system interact with the other federal, state, and local identity systems that are already in place? Should these other systems continue, be coupled to the nationwide system, or be superseded? BENEFITS AND DRAWBACKS Creation of a well-thought-out and well-designed nationwide iden- tity system could have some advantages over the current methods of establishing and verifying identity, such as state-issued driver’s licenses, Immigration and Naturalization Service documents, and birth certificates. Current systems have many characteristics that pose a challenge to meet- ing the goals expressed by proponents of a more uniform nationwide identity system. For example, the documents in current systems are not standardized in form or information content, so that a person inspecting an offered document often cannot determine if it even resembles an au- thentic document (much less whether it actually is authentic) without substantial research. Similarly, such documents are generally not strongly linked to the person who offers one for identity, allowing several people to use a single authentic document. Identities also cannot be clearly revoked in current systems, allowing a person to successfully offer an invalid ID as verifica- tion of identity. 
Moreover, these systems do not universally employ strong anticounterfeiting measures—indeed, the existing measures vary from document to document, and the documents are not easily checked. A nationwide identity system, depending on its implementation, might drive many other forms of identification out of use by subsuming their functionality. Several factors in particular could encourage wide- spread third-party reliance on the nationwide identity system to the ex- clusion of current systems. First, if the cost of the system is borne by the government and its associated agencies, the system’s use would be free to other segments of society unless measures (technical, legal, or otherwise) are taken to prevent unauthorized use. Second, unless private parties are prevented by law (or restrictions on technology) from relying on the na- tionwide identity system, the liability associated with such reliance would

OCR for page 16
31 POLICY CONSIDERATIONS be shielded by the government’s sovereign immunity. Third, even if the private parties were forbidden to rely on the data, it is very likely that private commercial organizations would begin to correlate data about citizens based on their card and/or identity within the system. The infor- mation in these commercial databases may not be as strongly protected (legally or technologically) as, presumably, is the information in the na- tionwide identity system’s own databases. The correlation and aggrega- tion of personal information thus raise a variety of policy questions about the use of such information and constraints on it. As Garrett Hardin wrote in 1968, “You can’t do just one thing.”25 The introduction of a nationwide identity system would create ripples throughout society and the legal system. It is difficult to predict what unintended effects these ripples would have. In part due to our frontier history, there seems to be a widespread belief in our country that some socially good things derive from the current inability to strongly correlate an identity with an individual—for example, a person often has the op- tion of leaving some detail of his or her life behind. Examples include the expunging of the criminal records of minors, anonymous testing for sexu- ally transmissible diseases (and the consequent public-health benefits of reducing the incidence of these diseases), shielding the identity of rape victims from public view, and erasing the records of bankruptcy after a statutory interval. It is not known how much the smooth operation of society depends on such things, or on the assumption that they are possible. 
There is a risk, however, that they would be lost, or at least significantly impaired, if a broadly used nationwide identity system came into existence.26 Ensur- ing the privacy protections in these examples would likely depend on carefully limiting access to, and the specific uses of, the system’s data- bases, and on restricting the required uses of an ID to certain circum- stances. Identity theft is already a critical problem,27 even without central- 25Garrett Hardin, “The Tragedy of the Commons,” Science 162:1243-1248 (1968). 26Years of experience show that when people automate or regiment a previously manual or only lightly regimented system, they discover the new system’s demand that things be done “exactly right” can create havoc, and that what used to be a smooth process needs to be redesigned to accommodate the less flexible automated system. Decision makers must consider that introducing a rigorous identity system might wreak similar havoc when people discover that some authentication activities require more flexibility than the new system can offer. 27Time magazine notes that in 2001 the “Federal Trade Commission logged more than 85,000 complaints from people whose identities had been pirated” and that “some con- sumer advocates suggest as many as 750,000 identities are stolen each year.” See .

OCR for page 16
32 IDs—NOT THAT EASY ized, mandated identities for everyone. Identity theft is an individual’s fraudulent claim that he or she is the person to whom the information in the system refers, allowing him or her to derive some benefit from an- other party who is relying on that claim. It might involve theft of a physical ID token or it might involve the thief’s learning some secret or personal information and using this in lieu of the token. One reason for the problem is the broad misuse of SSNs, coupled with the fact that the number itself is small enough to be easily memorized. In addition, birth and death data in the United States are not subject to stringent accuracy requirements nor are they highly correlated, making it relatively straight- forward to exploit a deceased person’s birth certificate in order to estab- lish credentials as a basis for an identity. Given the attendant risks, a nationwide identity system would need to provide much better protection against identity theft than do current systems of identification.28 Additional questions arise in the context of a nationwide system of how to recover from identity theft. Who would have the authority to restore or create a new identity for someone when necessary? And what safeguards would be needed to prevent this author- ity from being abused? While offering better solutions to some problems surrounding iden- tity theft, a nationwide identity system poses its own risks. For example, it is likely that the existence of a single, distinct source of identity would create a single point of failure that could facilitate identity theft. The theft or counterfeiting of an ID would allow an individual to “become” the person described by the card, in very strong terms, especially if the na- tionwide identity system were to be used for many purposes other than those required by the government. 
Paradoxically, it could be that a ro- bust nationwide identity system makes identity theft more difficult while at the same time making its consequences more dire. The economic in- centive to counterfeit these cards could turn out to be much greater than the economic incentive to counterfeit U.S. currency. 28One strategy might be for the system to avoid displaying human-readable ID “num- bers” or other unique identifiers to private organizations. This would, in effect, make it impossible for anyone to read another person’s information off his or her card. (Imagine, for example, a credit card that does not have the account number embossed on the front but makes it available only to machines that read magnetic stripes, thereby reducing opportuni- ties for casual theft). The strategy would instead require that agents use cryptographic techniques to authenticate individuals or enable transactions. See Figure 2.1 for a descrip- tion of the kinds of information in an identity system and where the information might end up.
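The strategy sketched in footnote 28, an ID that is never read as a human-readable number by private organizations but is instead authenticated cryptographically, can be made concrete. The following is an added illustration, not a design from the report: each relying party receives a pseudonym derived from a master secret shared only between the card and the issuer, and every transaction is a fresh challenge-response. Two relying parties that compare notes see unrelated identifiers (which blunts the correlation-by-SSN concern raised earlier), a recorded response cannot be replayed under a new nonce, and a pseudonym issued for one party is rejected if presented to another. The protocol shape, class names, and key-derivation labels are assumptions made for this example; the caveat a practitioner should note is that the issuer still observes every verification, which is precisely the central-correlation question the chapter raises.

```python
"""Pseudonymous challenge-response use of an ID token (added example).

Not code from the report. Protocol shape, names and labels are assumptions.
"""
import hashlib
import hmac
import secrets


class IdToken:
    """The holder's card. Keeps the ID number and master secret; releases neither."""

    def __init__(self, id_number: str, master_secret: bytes):
        self._id_number = id_number
        self._master = master_secret

    def _sector_key(self, relying_party: str, label: bytes) -> bytes:
        # Per-relying-party key derivation: HMAC(K, label || relying_party).
        return hmac.new(self._master, label + relying_party.encode(), hashlib.sha256).digest()

    def pseudonym(self, relying_party: str) -> str:
        # Stable for one relying party, unlinkable across relying parties.
        return self._sector_key(relying_party, b"pseudonym:").hex()[:32]

    def respond(self, relying_party: str, nonce: bytes) -> str:
        # Response bound to both the relying party and this transaction's nonce.
        k_auth = self._sector_key(relying_party, b"auth:")
        return hmac.new(k_auth, relying_party.encode() + nonce, hashlib.sha256).hexdigest()


class Issuer:
    """Identity-system back end: enrolls holders and answers verification requests.
    It is the only party able to map a pseudonym back to an ID number."""

    def __init__(self):
        self._master_secrets = {}  # id_number -> master secret

    def enroll(self, id_number: str) -> IdToken:
        secret = secrets.token_bytes(32)
        self._master_secrets[id_number] = secret
        return IdToken(id_number, secret)

    def verify(self, relying_party: str, pseudonym: str, nonce: bytes, response: str) -> bool:
        # Linear scan keeps the example short; a real back end would index sector pseudonyms.
        for id_number, secret in self._master_secrets.items():
            token = IdToken(id_number, secret)
            if token.pseudonym(relying_party) == pseudonym:
                return hmac.compare_digest(token.respond(relying_party, nonce), response)
        return False


class RelyingParty:
    """A bank, airline, etc. Sees only pseudonyms, never the ID number."""

    def __init__(self, name: str, issuer: Issuer):
        self.name = name
        self.issuer = issuer
        self.visits = {}  # pseudonym -> number of verified transactions

    def transact(self, token: IdToken):
        nonce = secrets.token_bytes(16)
        pseudonym = token.pseudonym(self.name)
        response = token.respond(self.name, nonce)
        ok = self.issuer.verify(self.name, pseudonym, nonce, response)
        if ok:
            self.visits[pseudonym] = self.visits.get(pseudonym, 0) + 1
        return pseudonym, nonce, response, ok


def demo() -> dict:
    issuer = Issuer()
    token = issuer.enroll("ID-000001")  # constructed ID number; never leaves card or issuer
    bank = RelyingParty("bank.example", issuer)
    airline = RelyingParty("airline.example", issuer)

    p_bank, nonce, response, ok_bank = bank.transact(token)
    p_bank_again, _, _, _ = bank.transact(token)
    p_air, _, _, ok_air = airline.transact(token)

    # An eavesdropper replays the bank's recorded response under a new nonce.
    replayed = issuer.verify("bank.example", p_bank, secrets.token_bytes(16), response)
    # The airline tries to use the bank's pseudonym to correlate the holder.
    cross_sector = issuer.verify("airline.example", p_bank, nonce, response)

    return {
        "verified": ok_bank and ok_air,
        "pseudonym_stable": p_bank == p_bank_again,
        "pseudonym_bank": p_bank,
        "pseudonym_airline": p_air,
        "replay_accepted": replayed,
        "cross_sector_accepted": cross_sector,
        "bank_visits": bank.visits[p_bank],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bank can still recognize a returning customer (the pseudonym is stable for it), but the bank and the airline hold different strings for the same person and cannot join their records on the identifier alone; joining them through the other data items the chapter lists (names, addresses, dates of birth) remains possible, which is why minimization of those items matters independently.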
To determine what safeguards are necessary, a realistic threat analysis would be required. Are the as-yet-undetermined countermeasures up to the challenge? Any proposed system must be examined to determine whether the net result with respect to identity theft would be better or worse than it is now. It may be that more robust security in a nationwide identity system, along with increased attention to data integrity (for example, correlating birth and death records, as discussed above) in current identity systems, would mitigate some of the identity theft problems that arise.
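Two passages in this chapter turn on the same mechanism, a join on a handful of shared attributes: the earlier observation (and footnote 21 on Sweeney's work) that an ostensibly anonymized database can be linked back to named individuals even without SSNs or biometrics, and the suggestion just above that correlating birth and death records would make a deceased person's birth certificate harder to exploit. The block below is an added example, not from the report, and all records, names and field names in it are constructed. It runs the same quasi-identifier join in both directions: first as the attacker's re-identification of a stripped health table against a public roster, reporting the table's k-anonymity, then as an issuer's check of enrollment applications against death records.

```python
"""Record linkage on quasi-identifiers (added example; all data constructed)."""
from collections import defaultdict

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed "anonymized" medical release: names removed, quasi-identifiers kept.
ANONYMIZED_HEALTH = [
    {"zip": "02138", "dob": "1955-07-09", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1971-01-23", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1971-01-23", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02140", "dob": "1983-11-30", "sex": "M", "diagnosis": "fracture"},
]

# Constructed public roster (e.g. a purchasable voter list) carrying the same fields plus names.
PUBLIC_ROSTER = [
    {"name": "Alice Example", "zip": "02138", "dob": "1955-07-09", "sex": "F"},
    {"name": "Beth Sample", "zip": "02139", "dob": "1971-01-23", "sex": "F"},
    {"name": "Carol Sample", "zip": "02139", "dob": "1971-01-23", "sex": "F"},
    {"name": "Dan Other", "zip": "02141", "dob": "1983-11-30", "sex": "M"},
]


def quasi_key(record, fields):
    return tuple(record[f] for f in fields)


def group_by_key(records, fields):
    groups = defaultdict(list)
    for r in records:
        groups[quasi_key(r, fields)].append(r)
    return groups


def k_anonymity(records, fields):
    """Smallest equivalence class on `fields`; k == 1 means some row is unique."""
    return min(len(g) for g in group_by_key(records, fields).values())


def link(left, right, fields):
    """Exact-match join: each left record with the right records sharing its quasi-identifiers."""
    index = group_by_key(right, fields)
    return [(rec, index.get(quasi_key(rec, fields), [])) for rec in left]


def reidentify(anonymized, roster, fields=QUASI_IDENTIFIERS):
    """{diagnosis: name} for rows matched to exactly one roster entry.
    Rows with zero or several candidates stay unresolved (that is what k > 1 buys)."""
    found = {}
    for anon, candidates in link(anonymized, roster, fields):
        if len(candidates) == 1:
            found[anon["diagnosis"]] = candidates[0]["name"]
    return found


# Constructed issuer-side records for the birth/death correlation check.
DEATH_RECORDS = [
    {"name": "Ed Deceased", "dob": "1960-04-02", "birthplace": "Springfield"},
]
ENROLLMENTS = [
    {"applicant_id": "APP-001", "name": "Fay Living", "dob": "1990-06-15", "birthplace": "Shelbyville"},
    {"applicant_id": "APP-002", "name": "Ed Deceased", "dob": "1960-04-02", "birthplace": "Springfield"},
]


def flag_deceased_enrollments(enrollments, deaths, fields=("name", "dob", "birthplace")):
    """Applicant IDs whose presented birth details match a recorded death; these need manual review."""
    return [e["applicant_id"] for e, hits in link(enrollments, deaths, fields) if hits]


if __name__ == "__main__":
    print("k-anonymity of release:", k_anonymity(ANONYMIZED_HEALTH, QUASI_IDENTIFIERS))
    print("re-identified:", reidentify(ANONYMIZED_HEALTH, PUBLIC_ROSTER))
    print("flagged enrollments:", flag_deceased_enrollments(ENROLLMENTS, DEATH_RECORDS))
```

The join here is exact-match; operational linkage would also tolerate transposed digits and name variants, which makes re-identification easier and the death-record check noisier, so the issuer's flag is a prompt for review rather than an automatic denial. The two rows sharing ZIP, birth date and sex survive because the attacker cannot tell them apart, which is the k-anonymity intuition in one line.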