Questions? Call 800-624-6242
|
|
|
|
|
The following HTML text is provided to enhance online
readability. Many aspects of typography translate only awkwardly to HTML.
Please use the page image
as the authoritative form to ensure accuracy.
Page 34
3
Technological Challenges
Though the aim of this short report is
merely to point out some of the essential policy questions that
would be raised by the introduction of a nationwide identity
system, the committee believes that the technological and
implementation challenges raised—even without a precise
characterization of such a system's goals or subsequent
policies— are enormous and that they warrant significant and
serious analysis.
This need becomes clear when an ID is understood as an element of a
much larger system that includes technical, material, and human
elements. At a minimum,
Cards and card readers (if used for validation) would need to
be designed, fabricated, distributed, and updated or
otherwise maintained or replaced.
A corresponding (backend) database would need to be
established, maintained, and protected.
Procedures for checking the authenticity of IDs and for
verifying the presenter (with or without specialized
equipment) would need to be established, promulgated,
practiced, and audited. 1
|
|
|
|
|
Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 34
3
Technological Challenges
T
hough the aim of this short report is merely to point out some of
the essential policy questions that would be raised by the introduc-
tion of a nationwide identity system, the committee believes that
the technological and implementation challenges raised—even without a
precise characterization of such a system’s goals or subsequent policies—
are enormous and that they warrant significant and serious analysis.
This need becomes clear when an ID is understood as an element of a
much larger system that includes technical, material, and human ele-
ments. At a minimum,
• Cards and card readers (if used for validation) would need to be
designed, fabricated, distributed, and updated or otherwise maintained
or replaced.
• A corresponding (backend) database would need to be established,
maintained, and protected.
• Procedures for checking the authenticity of IDs and for verifying
the presenter (with or without specialized equipment) would need to be
established, promulgated, practiced, and audited.1
1Association of an identity card with its holder has to be verified before the identity
information it contains can be relied upon (otherwise, stealing the card would permit the
theft of the cardholder’s identity).
34
OCR for page 35
35
TECHNOLOGICAL CHALLENGES
• Means to discover, report, verify, and authoritatively correct mis-
takes would need to be put in place.
• A variety of security measures would need to be factored into all
aspects of the system to be sure that it meets its objectives and is not
vulnerable to things such as fraud or denial-of-service abuses that can
result in privacy violations.
Fraud (and security in general) is a significant concern in any system,
even the most technologically sophisticated.2 The nationwide scale of
such a system would require knowing that all aspects of the system are
scalable—a daunting problem for lesser systems.3 In any case, the chal-
lenges of building robust and trustworthy information systems—they are
extensive and well-documented4 —are accompanied by the even greater
challenge of making the systems resistant to attacks by well-funded ad-
versaries.
Architectural issues include the degree of centralization of the under-
lying databases as well as the location and cost of data storage, computa-
tion, and communication, which can all be done at different places.5 For
example, how would authorized entities obtain the records they wanted,
under what circumstances, and with what degree of authorization?
Would there be daily or weekly downloads of selected records to more
permanent storage media? Would a real-time network feed be required
(perhaps similar to those used in real-time credit authorization systems)?
Would it be possible to secure such a feed sufficiently?6
Choices among architectural options, as well as other options, would
depend on the functional goal(s) of the system. Architecture influences
scalability, cost, and usability/human factors. It also interacts with proce-
2A large breach of security with French banking cards is causing a significant upgrade of
the infrastructure in France (). In the United
States, satellite-signal theft by smart card fraud is so extensive that it is now the focus of a
government sting operation. See Ross Anderson’s work on cryptography and security,
much of which is available at .
3CSTB’s 2000 report Making IT Better underscores the profound challenges associated
with large-scale systems.
4See the CSTB reports Computers at Risk (1990), Trust in Cyberspace (1999), Making IT Better
(2000), and Embedded, Everywhere: A Research Agenda for Networked Systems of Embedded Com-
puters (2001).
5A general rule is that the lower the cost of accessing an online database and the larger
the likelihood of doing so, the less sophisticated the card needs to be.
6Such security might require a very large new network that would have to be connected
inside the firewalls of the institutions and organizations using the system. Securing such a
network is extremely difficult; experience suggests that maintaining that security would be
very challenging.
OCR for page 36
36 IDs—NOT THAT EASY
dure: Decisions must be made about who would be in charge of issuing,
reissuing, renewing, revoking, and administering the cards, along with
maintaining, updating, and granting access to the database. A further
concern is the need for graceful recovery from failure as well as substitute
mechanisms when the system is compromised or not adequately respon-
sive at the time verification of an identity is needed. All of these factors
influence cost, as well as effectiveness.
Cost needs to be analyzed completely, on a life-cycle basis and with
attention to numerous trade-offs. Even if software and hardware costs
are minimized, experience with lesser systems—from SSNs to state driv-
ers’ licenses to military identification systems—shows that there will be
significant ongoing administrative costs for training, issuing cards, verifi-
cation, maintenance (keeping whatever information is associated with an
individual and his or her ID up to date), and detection and investigation
of counterfeiting.7 In particular, the costs—and technological and admin-
istrative complexity—of assuring the integrity and security of an identity
infrastructure are likely to be large. They would depend in part on
whether technology for automated checking of an ID—as opposed to a
visual check used today with SSNs or drivers’ licenses—is required, which
in turn depends on the choice of ID technology (see Box 3.1).
For example, in response to legislation enacted in August 1996,8 the
Social Security Administration (SSA) conducted an analysis and produced
a report on options for enhancing the Social Security card.9 Citing a num-
ber of key business and technology assumptions that appeared valid at
the time of the study (1997), SSA estimated that issuing enhanced cards
might have a life-cycle cost of $5.2 billion to $10.5 billion, depending on
the technology developed and deployed. These estimates included as-
sumptions about the need for reissuing cards, issuing new cards, and
maintaining the systems in order to store data related to the cards and
keep that data up to date. The study did not assume that each SSN and its
related card would relate to just one individual, because SSA estimated
that at the time, approximately 10 million of the 269 million valid SSNs
7There are numerous ways in which fraudulent (“novelty”) identification documents can
be obtained. A simple Web search on “fake id” provides links to many possible suppliers.
8Section 111 of P.L. 104-193, “Personal Responsibility and Work Opportunity Reconcilia-
tion Act of 1996” (Welfare Reform) and section 657 of P.L. 104-208, Division C, “Illegal
Immigration Reform and Immigrant Responsibility Act of 1996” (Immigration Reform).
9See Report to Congress on Options for Enhancing the Social Security Card, Social Security
Administration, Publication No. 12-002, September 1997. Available at .
OCR for page 37
37
TECHNOLOGICAL CHALLENGES
were duplicates (that is, two or more persons had been given the same
SSN). There was a variety of reasons for such duplication, including error
on the part of SSA and malfeasance on the part of some individuals.
As with the design of any system, decisions about trade-offs would
need to be made in advance. The security, efficiency, and effectiveness
options chosen would depend on the goals and policies (see Chapter 2)
and the planned uses of the system. For example, a “trusted traveler”
system whose sole function was to authenticate individuals who had been
previously certified as “trusted” in the particular context of travel might
place more emphasis on efficiency in travel-related queues and on elimi-
nating false positives than on protecting the fact that a particular person
has been certified as trusted (or untrusted). A secure driver’s license
system, in which the license is used as an ID for many activities beyond
driving on a public roadway, might trade ease of replacing a lost license
against the rigorous authentication of individuals who request a replace-
ment. In making decisions about trade-offs, understanding the potential
threats and risks will be a large component of assessing the security re-
quirements of a system.
BINDING PERSONS TO IDENTITIES
A practical issue that would arise in a card-based identity system is
that of relating cards and identities to individuals: How would the issu-
ing authorities create this binding? Most of the systems (both hypotheti-
cal and actual) alluded to in this report employ what is known as two-
factor authentication, requiring the holders to present more information
than the card itself (perhaps a face that matches the picture, a PIN, or a
thumbprint) to verify that they are the legitimate holders.
If someone has a valid card, how would anyone know that it belongs
to him or her? A picture on the front of the card would not be sufficient if
very high assurance is sought.10 If the card makes use of a magnetic
stripe, it would have been easy to copy the stored information to a new
card with a different picture. If the card is a memory card or smart card,
duplication, while a little more difficult, would still have been possible. If
biometric information11 is used, it could have been stored on the card and
10The inability of human inspectors to reliably match faces to cards was demonstrated in
Pike, Kemp, and Brace, “Psychology of Human Face Recognition,” IEEE Conference on
Visual Biometrics, London, March 2, 2001.
11There are a number of biometrics that might be used; for the purposes of this discus-
sion, assume an iris scan or fingerprint.
OCR for page 38
38 IDs—NOT THAT EASY
BOX 3.1
Cards and Their Requirements
The presumed goal of a counterfeit-resistant, long-lasting, easily replaceable ID
presents difficult technical challenges. With respect to the ID itself, assuming that it
is a physical artifact such as a card, a number of questions need to be answered.1
Form factors—the size, shape, and substance of the card—would likely play a part
both in acceptance on the part of the citizenry and in the card’s resistance to coun-
terfeiting. The more difficult challenges pertain to the aspects of cards that are deter-
mined by the kind of technology used.
One could use a relatively simple card, like a credit card or driver’s license.
Each individual in the system would have a card with some information printed on it
about the holder and perhaps a picture. There might be a unique number on the
card, and the information in a nationwide database would be indexed by that num-
ber. The card itself might contain a magnetic stripe along with embossed and printed
data. As with a driver’s license or passport, access to this database (for reading data
out or putting data in) would presumably be limited,2 as it would be under the
proposal by the American Association of Motor Vehicle Administrators to create
nationwide standards for driver’s licenses.
On the other hand, the counterfeiting of magnetic stripe cards is a trivial under-
taking.3 More important, the ease with which the information contained in the mag-
netic stripe can be duplicated means that a counterfeiter can produce a clone card
and/or retransmit the data in other transactions as if they came from a legitimate card.
All of this implies serious security and privacy vulnerabilities, and there is no verifi-
able connection (by means of biometrics, for example) between the holder of the
card and the person to whom the card was issued. Hence, using such credentials as
a basis for issuing new cards (and, ergo, identities) would compromise the accuracy
of some of the identification data, inasmuch as the credentials depend on attestations
by the individual or even third parties.4
1The Department of Defense is now deploying a smart card that it refers to as a common
access card (CAC) as an authentication device and for other purposes. The card combines a
magnetic stripe, bar code, a photo ID, and smart card technology. DOD’s experiences may well
prove instructive when considering a nationwide system. However, the privacy concerns of
military employees are likely to be different from those of average citizens, making an exact
analogue unlikely. In addition, the CAC will be deployed for a population that is more than an
order of magnitude smaller than the U.S. population, which is more diverse in many dimensions
than the military and currently less subject than the military to sanctions for failure to comply
with the identification system’s requirements.
2On November 2, 2001, the Washington Post reported that the American Association of
Motor Vehicle Administrators was working on a plan to link all driver databases and to strength-
en the security and functionality of current driver’s licenses and state identification cards. See
. See also for a description of AAMVA’s
standard, which aims to provide a uniform means for identifying holders of driver’s licenses
throughout North America.
3See, as just two of many examples, “Skim Artists Can Swipe Your Credit,” at and “Newly Dis-
covered Bug Skims Credit Card Data,” at .
4Note that the existing identification infrastructure (including the system of birth and death
records) in the United States often depends on the presentation of credentials and is highly
decentralized. The lack of common national standards generates skepticism about the quality of
the data.
OCR for page 39
39
TECHNOLOGICAL CHALLENGES
Another possibility is a memory card (or storage card), which would hold more
information and be more expensive than the magnetic-stripe cards of the previous
example.5 These cards contain memory as well as some security logic to prevent
unauthorized reading or tampering with their data. The information contained on
them could be digitally signed (that is, a number would be associated with that
information that is dependent on a secret known only to the signer as well as on the
data itself) to prevent easy counterfeiting. The correspondence between the user and
the card (along with the information on the card and in the database) could be
ascertained through biometric authentication, which would be undertaken using
special equipment—such as a reader for fingerprints or iris scans—in addition to
presentation of the card. An additional possibility is to use smart card technology
that permits computation (such as digital signatures and encryption) to take place on
the card itself.
Though successful attacks have taken place, these cards are even harder to
counterfeit than memory cards. They might have a name, photo, number, and bio-
metric data, all of which could be cryptographically signed. The data would be
backed up in a database to enable checking when reissuing a card and checking for
duplicates when the card is first issued. A card of this sort could engage in a real-
time, cryptographic exchange with an online system to verify a user’s identity—
possibly without exposing details of that identity to the organization performing the
data capture—for example, an airline or a retail establishment.
As an example of a card-based system using biometrics, consider the Connect-
icut Department of Social Services, which issues cards to aid welfare recipients.6
Fingerprints of each applicant are taken and compared with the fingerprint of all
applicants previously enrolled. Under the assumption that people are not modifying
their fingerprints (and assuming no matching errors), this can prevent a single user
from registering under multiple identities within the system. The card is printed with
the fingerprints encoded in a two-dimensional optical bar code on the front of the
card. At point-of-service applications, the user presents a fingerprint that is com-
pared with that encoded on the card. This prevents multiple users from making use
of a single identity. Other biometric technologies, such as iris recognition, might be
useful in this application as well. However, no biometric technology is completely
invulnerable to attacks by sophisticated adversaries.7,8
5One example is the INSPASS and the data stored on it, coupled with a hand-geometry
reader at point of entry to verify identity. Another example is a German identification card, die
Karte, which uses two separate smart card chips and contains 22 separate mechanisms for card
validation/antifraud technology.
6For a discussion of the costs associated with identification cards and fingerprints in social
service applications, see “A Review of Five Cost/Benefit Studies of Fingerprinting in Social Ser-
vice Applications,” Roger Salstrom, Burton Dean, and James Wayman, available at .
7T. van der Putte and J. Keuning, “Biometrical Fingerprint Recognition: Don’t Let Your
Fingers Get Burned,” Proceedings of IFIP TC8/WG8.8 Fourth Working Conference on Smart Card
Research and Advanced Applications, Kluwer Academic Publishers, September 2000, pp. 289-
303. Also, see T. Matsumoto et al., “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Sys-
tems,” Proceedings of the SPIE, vol. 4677 (January 2002) and D. Maio, D. Maltoni, J. Wayman,
and A. Jain, “FVC2000: Fingerprint Verification Competition 2000,” Proceedings of the 15th
International Conference on Pattern Recognition, Barcelona, September 2000, available on-line
at .
8D. Willis and M. Lee, “Six Biometric Devices Point the Finger at Security,” Network
Computing, June 1, 1998.
OCR for page 40
40 IDs—NOT THAT EASY
a “live capture” of the biometric could be carried out when an individual
presents the card. The captured data would then be compared with the
data stored on the card. Depending on what kinds of cryptographic
protections are used, this system could be susceptible to forgery as well—
for example, someone might recreate the card with his or her own biomet-
ric information in combination with another person’s identity informa-
tion.
Another scenario might be to have the person present a biometric to a
controlled scanner and present the card that contains reference informa-
tion. Both pieces of information are then validated in combination against
a backend server. However, this creates a requirement for high availabil-
ity (that is, the system should be usable essentially all of the time) and a
dependence on reliable, secure network and communications infrastruc-
tures.
In principle, a card coupled with biometrics and the appropriate in-
frastructure for reading and verifying biometric data may offer the great-
est confidence with respect to linking persons and their cards. But getting
biometrics technology right (including control of the risks of compro-
mise) and widely distributed is not easy.12,13 There are additional issues
associated with the use of biometrics, such as some popular resistance.14
Note that biometrics allows for cardless system options: A database-
only system based solely on biometrics eliminates the risk of card loss or
theft, but real-time database accessibility then becomes a major consider-
ation. In addition, compromise of the database is an even greater concern
than in card-based systems, where the cards can be used to provide a
check against corrupted data in the database. Further, a cardless system
implies that anyone wishing to use the system (even for activities needing
only moderate to low levels of security) would have to invest in the equip-
ment needed to access the infrastructure in real time.
12“Advice on the Selection of Biometric Products: Issue 1.0,” (U.K.) Communication
Electronic Security Group, November 23, 2001, available at .
13J.D.M. Ashbourn, Biometrics: Advanced Identity Verification: The Complete Guide, Springer,
London, 2000.
14For further information, see the recent RAND report Army Biometric Applications: Iden-
tifying and Addressing Sociocultural Concerns, 2001. In addition, an accuracy issue arises
with biometrics because it uses what are known as probabilistic measures of similarity. No
two images of the same biometric pattern (even fingerprints) from the same person are
exactly alike. Consequently, biometrics is based on pattern-matching techniques that re-
turn sufficiently close measures of similarity. With enough (or not enough) information
about the application environment and user population, it is possible to convert those mea-
sures into probabilities of a match or nonmatch. Thus, incorrect decisions occur randomly
with a probability that can be measured.
OCR for page 41
41
TECHNOLOGICAL CHALLENGES
Cryptographic protection and digital signatures, in combination with
offline verification of the signature and a properly deployed public key
infrastructure (PKI),15 could provide a measure of protection for the in-
formation associated with IDs and guard against misuse. But for any
technology, some degree of imperfection will exist. Therefore, it is neces-
sary to decide on thresholds for false rejection rates (false negatives) and
false acceptance rates (false positives), not only for when the ID is used
but also at the time of issuance, reissuance, and renewal. Policy deci-
sions—perhaps with corresponding legal backing—need to be made
about what happens in the event of a false negative or false positive.
Creation of exception-handling procedures for dealing with incorrect de-
cisions opens up additional vulnerabilities for the system, as impostors
might claim to have been falsely rejected and request handling as an
exception.
BACKEND SYSTEMS
Once methods are in place to satisfactorily link persons to IDs, the
requirements and goals of the system should drive decision making about
associated databases. The databases’ principal features are likely to in-
clude an ability to search based on an ID number or other unique identi-
fier, various ID attributes, and possibly biometric data. Depending on
whether tracking and prediction are requirements of the system, signifi-
cant logging, auditing, and data mining capabilities would be needed as
well.
Key issues related to this part of the system stem from both structural
and procedural decisions. If the database needs to be readily accessible
from remote locations (which is likely), it would almost certainly need to
be replicated. This, in combination with its perceived (and actual) value
and the fact that more people over a more widespread area would be
likely to have authorized access to the system, makes it even more vulner-
able to break-ins: by physically accessing one of the sites, by finding some
communications-based vulnerability, or by bribing or corrupting some-
one with access to the system. Moreover, if verification of identity re-
quired an online database query at airports, a handful of “accidents” at
key places around the country (such as wires being cut at critical points in
a way that appears accidental) could cripple civil aviation and any other
15The committee’s final report will examine PKI and other authentication technologies in
detail.
OCR for page 42
42 IDs—NOT THAT EASY
commerce that required identity verification (for example, purchase of
guns or certain chemicals).
Note that availability would be a key aspect of any online component
of a nationwide identity system. While the desire for cost savings might
lead to such a backend system being accessible via the public Internet (as
opposed to a dedicated network), this would expose the system to yet
more attacks, both direct and indirect, on shared infrastructure, such as
the routing systems and hardware, the domain name system, or shared
bandwidth. As noted previously, it has proven extremely difficult to
secure systems that utilize the Internet; a nationwide identity system
would likewise need to be widely accessible and would inevitably be the
target of malicious attacks as well as subject to unintentional or incidental
damage. Failure modes of the system would have to be very carefully
studied, and backup plans and procedures would have to be designed
and tested for all critical systems that depend on use of the nationwide
identity system.
A further complication would result if it were decided that different
users should be granted different levels of access to the database, whether
for aggregated data or information about individuals. This raises query
capability, access control, and security issues. Related to the size of the
user base (that is, those who use the identity system to make some sort of
determination about an individual) is the question of whether the same
security measures need to hold for each user. For example, if the system
were used broadly in the private sector, a clerk at a liquor store might be
relatively less concerned about detecting counterfeit cards than would be
an intelligence or law-enforcement agent granting access to national secu-
rity-related sites or information. In addition, the clerk would need less
information (for example, age of individual is greater than 21) verified
through the system than would the agent.
It is a significant challenge to develop an infrastructure that would
allow multiple kinds of queries, differing constraints on queries (based on
who was making them), restrictions on the data displayed to what was
needed for the particular transaction or interaction, and varying thresh-
olds for security based on the requirements of the user. Determining the
scope of use and the breadth of the user population in advance would
dictate which functionalities are needed.
A further challenge resulting from a wide variety of users and uses is
data integrity. Different users (even if the system were used only by
agencies within the government) would undoubtedly have different per-
ceptions of how critical the accuracy of the data is. Therefore, to maintain
the quality of the data, controls over who could input data, and with what
degree of specificity and security, must also be a factor in the design of the
system.
OCR for page 43
43
TECHNOLOGICAL CHALLENGES
Another necessary component of system and data integrity is audit-
ing capability. Keeping track of who has accessed what parts of the
system and which data would be necessary for reasons of technology (to
track down errors and bugs, for example) and liability.16
Procedurally, such a large system would require many people to be
authorized to maintain and administer it. Even if perfect technological
security were achievable, there would still be the security risk of compro-
mised insiders, given the very large numbers of people needed to main-
tain and administer the system.17,18 The human factor would also be an
issue with regard to data entry and possible errors in the database. This is
well known among statisticians, and various technical and procedural
steps can be taken to offset risks of inaccuracy. In general, therefore,
correction mechanisms would need to be created; however, these mecha-
nisms provide additional opportunity for fraud. Given the uses to which
such a system is expected to be put, however, and potential impacts on
individuals’ reputations and freedom to function as social and economic
actors, mechanisms that allow individuals to know what is in the data-
base and to contest and/or correct alleged inaccuracies would be desir-
able and politically essential (and, if run by the federal government, le-
gally required). While such mechanisms can be found in credit-reporting
and medical databases,19 the law-enforcement and national-security
frameworks that are motivating proposals for a nationwide identity sys-
tem pose unique accessibility and disclosure challenges.
Another concern is that depending solely on feedback from partici-
pants to correct inaccuracies would catch only a fraction of the errors.
People may tend to notice and report only those errors that interfere with
something they are attempting to accomplish. An incorrectly entered
birth date, for example, may not be noticed or corrected for decades and
may only come to light when the person applies for, say, Medicare. An
16Indeed, major federal agencies such as the Internal Revenue Service have run into
problems with tracking and controlling access to information. For a discussion of this as it
relates to privacy, see Peter P. Swire, “Financial Privacy and the Theory of High-Tech Gov-
ernment Surveillance,” Washington University Law Quarterly 177(2):461-512 (1999).
17CSTB held a planning meeting on the topic of the insider threat in late 2000. For more
information, see .
18The President’s Commission on Critical Infrastructure Protection at discusses cyberthreats, including the insider threat. For-
tune has examined the cost of insider attacks online at .
19See, for example, Computer Science and Telecommunications Board, For the Record:
Protecting Electronic Health Information, National Academy Press, Washington, D.C., 1997.
OCR for page 44
44 IDs—NOT THAT EASY
accumulation of latent errors is inevitable and leads to at least two prob-
lems: (1) by the time the error is discovered it may be hard to locate the
information needed to verify the claim of error and (2) the act of making
the correction may interfere with or delay some action that should be
allowed by the system. Creating a workable nationwide identity system
that can compensate in effective ways for these inevitabilities is clearly a
nontrivial task.
DATA CORRELATION AND PRIVACY
A key question about a nationwide identity system database is
whether it would be designed to foster consolidation of other (especially
federal) databases—or whether that might happen as a side effect. Either
way, proponents note that this would make information sharing among
intelligence and law-enforcement agencies easier,20,21 although the com-
mittee believes that it could also carry significant risks.
A centralized, nationwide identity system essentially offers adversar-
ies a single point of failure and presents an attractive target for identity
theft and fraud. The more valuable the information in the database and
the credentials associated with an identity, the more they become a target
for subversion. Unauthorized access might be sought by terrorists, stalk-
ers, abusive ex-spouses, blackmailers, or organized crime. Furthermore,
to the extent that important activities become dependent on the system,
the system becomes an attractive target for denial-of-service attacks.
Implementing a secure and reliable nationwide identity system that is
resistant to credential theft or loss,22 fraud, and attack is a significant
technological challenge, with ancillary procedural challenges.
Related to consolidation, information correlation is facilitated by sys-
tems in which one individual has exactly one identity. This has both
negative and positive implications. Such a system is useful for predicting
20A forthcoming CSTB report will explore issues on critical information infrastructure
protection and the law, including a preliminary analysis of the issue of information sharing
between the public and private sectors. For more information, see .
21See, for example, Larry Ellison’s October 8, 2001, article in the Wall Street Journal, “Digi-
tal IDs Can Help Prevent Terrorism,” and Cara Garretson’s December 2001 article in CIO,
“Government Info Sharing Key to Fighting Terrorism,” at .
22Loss of ID cards presents its own challenges to the system; if all of the individuals with
lost IDs were to become immediately “suspect” in the system, intolerable backlogs and/or
overload could result.
OCR for page 45
45
TECHNOLOGICAL CHALLENGES
or detecting socially detrimental activities, because it avoids the uncer-
tainty and confusion that may arise from multiple identities (notwith-
standing that multiple identities can serve useful and socially desirable
purposes, as described previously). Credit card companies, for example,
can conduct behavior-pattern analysis for fraud detection.23 Similar tech-
nologies must be used to detect behavior indicative of impending crimi-
nal or terrorist activities, although this raises concerns about profiling.
On the negative side, such analysis also enables invasions of personal
privacy. The extent to which this occurs would depend heavily on the
circumstances under which an individual can be compelled to present an
ID, what information is retained, and which activities are tracked within
the system (a topic explored above). Indeed, detecting a problem might
only be possible in some instances through broad analysis. This would
necessitate examining the behavior of many people who do not pose a
risk—most human behavior involves law-abiding citizens pursuing con-
stitutionally protected activities—in order to identify the few who do.24
23Credit card companies make these correlations using both standard statistical methods
and neural networks.
24For a discussion of some of the effects and implications of ubiquitous surveillance
cameras, see the October 7, 2001, article by Jeffrey Rosen, “A Watchful State,” New York
Times Magazine.
Representative terms from entire chapter:
smart card
