1 Introduction and Overview

While the events of September 11, 2001, have galvanized a search for improvements in the safety and security of our society, the challenge is to provide protection without sacrificing fundamental freedoms. An idea that has resurfaced as a result of the attacks is the creation of a “national identity card,” often referred to simply as a “national ID.”[1] This term is a bit of a misnomer, in that a card would likely be but one component of a large and complex nationwide identity system, the core of which could be a database of personal information on the U.S. population. This report by the Committee on Authentication Technologies and Their Privacy Implications provides a limited exploration of such a system and of the potential legal, policy, and technical challenges that it might present.

No one really knows if a nationwide identity system could detect or deter terrorism, although several arguments have been advanced. One is that such a system could be used to easily identify known terrorists upon their interaction with particular agents (such as airline security officials), facilitating their arrest. On the other hand, unless the database of suspects includes those particular individuals, the best possible identity system would not lead to their apprehension. Another suggestion is that the data collected from the widespread use of nationwide IDs could help prevent terrorists from achieving their objectives. This might involve the detection of abnormal or suspicious patterns of behavior that accompany the planning and/or execution of a terrorist act.

Another potential role of a nationwide identity system is as an investigative tool in the aftermath of a crime or terrorist attack. Here, the data collected could help retrospectively in the identification, arrest, and prosecution of the perpetrators. Some argue that this is primarily (though not exclusively) a post facto activity, more useful for law enforcement than for counterterrorism, which is, in part, an a priori intelligence function.

Terrorism issues per se are beyond the scope of this report, which examines the concept of a nationwide identity system in the large, not solely with respect to counterterrorism. The committee believes that the concept of a nationwide identity system—including whether such a system is a good idea—must be examined on its own merits.

Indeed, nationwide identity systems have been sought for many purposes in addition to countering terrorism. They have been proposed to aid in fraud prevention (for example, in the administration of public benefits), catch “deadbeat dads,” enable electoral reforms, allow quick background checks for those buying guns or other monitored items, and prevent illegal aliens from working in the United States. Depending on the nature of the population, the data collected, and the scope of use, a nationwide identity system might be able to help with other tasks as well. For example, a robust, accurate and comprehensive system might aid law-enforcement officials in tracking or finding people.[2] It is possible that the correlation of social (for example, health, economic, demographic) information could be more easily accomplished with the use of a national identity system; statisticians, for example, note how a single identifier would facilitate some of their analyses. In addition, depending on implementation choices, e-commerce and e-government transactions might be simplified. However, there could also be negative consequences, ranging from infringement on rights and liberties (including loss of or invasion of personal privacy) to harm resulting from misidentification or misuse of the system, plus significant implementation and deployment costs. The trade-offs (enhanced security versus risks to privacy, cost versus functionality, and so on) need to be carefully considered.

Many other countries have nationwide identity systems, which they often use for such diverse purposes as proof of age (e.g., Belgium), proof of citizenship, and for generating electronic signatures (e.g., Finland). In the United States, citizens’ concern for civil liberties, their historic association of ID cards with repressive regimes, and states’ rights concerns have discouraged movement toward a governmentally sanctioned nationwide identity system.[3] Additionally, because the country was settled by immigrants, a significant fraction of whom wanted to escape just such practices, many U.S. record systems were intentionally designed not to gather linking data.[4] Further, it appears that laws requiring individuals to show proof of legal status or citizenship result in increased discrimination based on national origin and/or appearance.[5] The human rights issues that could arise, such as increased demands for documentation from those who look or sound “foreign” and the deterioration of living and working conditions for aliens, are substantial.[6] Clearly, an examination of the legal and social framework surrounding identity systems, while outside the scope of this report, would be essential.[7]

Although discriminatory acts such as those alluded to above might be constrainable by law, the presentation of identifying documents—driver’s licenses and credit cards, for example—is being demanded today in more and more generic circumstances. There is also evidence of growing efforts in the public and private sectors to collect, maintain, correlate, and use more and more information on citizens’ activities based on existing identifiers such as Social Security numbers (SSNs). Initially designed only for administering social security benefits, SSNs are now common data elements in public and private sector databases, allowing for easy sharing and correlation of disparate records. This is a classic example of function “creep”—continuous expansion in the use of a system first intended for a limited purpose.[8]

Before any decisions can be made about whether to attempt to formalize some kind of nationwide identity system, the question of what is being discussed must be answered. Thus the committee believes that substantive and sustained analysis is needed on the issue.

There is no recognized universal model for a nationwide identity system. Because different people mean different things when they discuss the concept, evaluating it requires clarification of what is intended. The range of possibilities for identity systems is broad and includes alternative approaches such as the following:

• A database establishing a unique identity and maintaining information on every U.S. citizen, including, for example, information on known felony convictions and place of residence, available for government and commercial query;

• A system similar to the above system that also includes noncitizens who are legally in the United States;[9]

• A database of only a fraction of the country’s population—those individuals who have a specific characteristic (for example, criminal record, past noncriminal but anomalous behavior, trusted travelers)—that would not include the majority of people in the country; and

• A database allowing voluntary participation in return for such benefits as ease of entry into the country or access to the fast line at the airport security checkpoint.

The above possibilities (there are others as well) emphasize the need for answers to a number of questions before a more substantive analysis can proceed. Several policy questions should be asked when considering any kind of identity system (see also Figure 1.1):

• What would be the purpose of the system? Possibilities include expediting and/or tracking travel, prospectively monitoring citizens’ activities in order to discern suspicious behavior, and retrospectively aiding in the identification of perpetrators of crime, among others.[10]

• What is the scope of the population for whom an ID would be issued and whose activities would presumably be recorded in the system? How would the identities of these individuals be authenticated?

• What is the scope of the data that would be gathered about individuals participating in the system and correlated with their national identity? While it may be referred to casually as an “identification system,” implying that all the system would do is identify individuals, many proposals talk about the ID as a key to a much larger collection of data. Would these data include only identity data (and what, precisely, is meant by identity data)? Or would other data be collected, stored, and/or analyzed as well? With what confidence would the accuracy and quality of these data be established and subsequently determined?

• Who would be the user(s) of the system (as opposed to who would participate in the system by having an ID)? One assumption seems to be that the public sector/federal government would be the primary user, but what parts of the government, in what contexts, and with what constraints? In what setting(s) in the public sphere would such a system be used? Would state and local governments have access to the system? Would the private sector be allowed to use it? What entities within the government or private sector would be allowed to use the system? Who could contribute, view, and/or edit data in the system?

• What types of use would be allowed? Who would be able to ask for an ID, and under what circumstances? Assuming that there are datasets associated with an individual’s identity, what types of queries would be permitted (e.g., “Is this person allowed to travel?” “Does this person have a criminal record?”)? Beyond simple queries, would analysis and data mining of the collected information be permitted? If so, who would be allowed to do this kind of analysis and for what purpose(s)?

• Would participation in and/or identification by the system be voluntary or mandatory? In addition, must participants be aware of or consent to having their IDs checked (as opposed to, for example, undergoing surreptitious facial recognition)?

• What legal structures would protect the system’s integrity, as well as the data subject’s privacy and due process rights, and define the government and relying parties’ liability for system misuse or failure?

[FIGURE 1.1 Interconnecting policy choices. The diagram links the labels “Goals?”, “Users?”, “Who is participating?”, “Voluntary or mandatory?”, “What data?”, “Legal structures?”, and “Type of use?”] The choices made for each of the questions posed will bear, with differing degrees of influence, on the choices made with respect to all of the other issues. For example, the goals of the system will influence what data are collected about individuals. What data are collected about individuals will constrain the possible goals of the system. Who is allowed to use the system will have a bearing on what legal structures are needed. What legal structures are put in place will bear on what kinds of access to the system are allowed. And so on.

These questions will drive technological considerations (described in Chapter 3), including what kinds and what levels of system security would be required.

Throughout this report, the term “nationwide identity system” is used in lieu of the more colloquial “national ID” or “national ID card.” Many of the proposals are often presented in terms of a national identity card, though technologies exist—possibly including biometrics, which measures and analyzes unique physiological and behavioral characteristics of individuals—that might serve some of the same proposed purposes without requiring a physical card. Nevertheless, the emphasis in this report is on card-based models simply because they have been proposed most frequently. In addition, many of the policy questions and database-related technical issues apply both to card-based systems and those that do not require a physical card (see Chapter 3).

With respect to the chosen phrase, nationwide identity system, “nationwide” is meant to underscore the scale (both geographic and in terms of numbers of users) needed, without implying that IDs would necessarily be generated from a single central location or, implicit in the term “national,” that only citizens would need an ID.

The notion of identity is complicated, even when only the identity of persons (and not things, arguments, systems, etc.) is being referred to, as this report is doing. This report distinguishes between an identifier (the name or sign by which a person is known), which can be thought of as a label by which an individual is known in and to society and with which he or she conducts his or her affairs within society, and the identity of a person as seen by others. For the purposes of this report, “identity” refers to a set of information about a person X believed to be true by Y. More colloquially, identity is associated with an individual as a convenient way to characterize that individual to others. The set of information and the identifier (name, label, or sign) by which a person is known are also sometimes referred to as that person’s “identity.” The choice of information may be arbitrary, linked to the purpose of the identity verification (also referred to as authentication) in any given context, or linked intrinsically to the person—as in the case of biometrics (see Box 1.1).[11] For example, the information corresponding to an identity may contain facts (such as eye color, age, address), capabilities (for example, licensed to drive a car), medical history, financial activity, and so forth. Generally, not all such information will be contained in the same identity, allowing a multiplicity of identities, each of which will contain information relevant to the purpose at hand. In the phrase “nationwide identity system,” the word “identity” implies that decisions must be made about what constitutes an identity within a system and that an identity will be established for participants.

BOX 1.1 Terminology

For the purposes of this brief report, and to help clarify discussion, concepts that the committee’s final report (see the box note below) will explore in detail are explained here.

• Identity. The identity of X according to Y is a set of statements believed by Y to be true about X. In this report, identity generally refers to a set of information about X, especially in the context of a particular identity system.

• Identification. Identification is the process of determining to what identity a particular individual corresponds, often without a claimed identity on the part of the individual (for example, the identification of an unconscious patient in an emergency room).

• ID. In this report, ID refers to the identity information pertaining to a particular individual that is contained within an identity system and/or the token associated with that information.

• Authentication. Authentication is the process of confirming an asserted identity with a specified or understood level of confidence. Note that authentication is quite distinct from identification.

• Security. Security refers to a collection of safeguards that ensure the confidentiality of information, protect the integrity of information, ensure the availability of information, account for use of the system, and protect the system(s) and/or network(s) used to process the information. Security is intended to ensure that a system resists (potentially correlated) attacks.

• Privacy. The right to privacy is the right of an individual to decide for himself or herself when and on what terms his or her attributes should be revealed.

It should be noted that each of these terms represents a complicated, nuanced, and, in some instances, deeply philosophical topic. The descriptions of these concepts given here are not meant to be definitive, prescriptive, or comprehensive.

Box note: See for more information.

A critical question—which goes beyond the scope of this report, but which must be considered in the larger law-enforcement and national-security context—is whether establishing and verifying identity is either necessary or sufficient for achieving any of the desired objectives of the system. It may be that they require collection and analysis of data and/or prospective or retrospective tracking or surveillance, well beyond mere identity verification.[12] Note that even the question of whether to institute collection of data and surveillance is not binary (see Box 1.2).

“System” may be the most important (and heretofore least discussed) aspect of the term “nationwide identity system,” because it implies the linking together of many social, legal, and technological components in complex and interdependent ways. The success or failure of such a system is dependent not just on the individual components, but on the ways they work—or do not work—together. Each individual component could, in isolation, function flawlessly yet the total system fail to meet its objectives.[13] The control of these interdependencies, and the mitigation of security vulnerabilities and their unintended consequences, would determine the effectiveness of the system.

A nationwide identity system would also consist of more than simply a database, communications networks, card readers, and hundreds of millions of physical ID cards. The system would need to encompass policies and procedures and to take into account security and privacy considerations and issues of scalability, along with human factors and manageability considerations (if the requirements of use prove too onerous or put up too many barriers to meeting the goal of the relying party, that party might try to bypass the system). The system might need to specify the participants who will be enrolled, the users (individuals, organizations, governments) that would have access to the data, the permitted uses of the data, and the legal and operational policies and procedures within which the system would operate. In addition, a process would need to be in place to register individuals, manipulate (enter, store, update, search and return) identity information about them, issue credentials (if needed), and verify search requests, among other things. The word “system” suggests the complicated nature of what would be required in a way that the colloquial phrase “national ID card” does not.

BOX 1.2 Degrees of Data Collection and Surveillance

Merely asserting that some data collection or surveillance would occur in a system or that data would be analyzed is insufficient. It is important to determine precisely what is meant or intended by “collection” and “analysis” within an identification system. There are at least five different ways to approach this issue:

• Little to no data collection. The only data collected and stored are those needed to establish, at a particular time, an individual’s identity within the system (for a predetermined meaning of “identity.”)

• Individual data collection. Information about an individual’s activities and behavior is collected and stored but analyzed only upon request by an authorized agent (for example, a court order).

• Aggregate data collection. Behavioral data are aggregated and stored but only analyzed upon request or for a specific purpose. It may or may not be possible to link data to an individual.

• Aggregate data analysis. Behavioral data are aggregated and proactively analyzed to search for suspicious or abnormal patterns. Upon an authorized request it may or may not be possible to link data to an individual.

• Individual data analysis. Each individual’s data are proactively analyzed to check for suspicious or abnormal patterns of behavior, and any such findings are flagged and authorized agents alerted.

It is important to note that a variety of identity systems fit within the scope of what is being discussed in this report. The recent AAMVA proposal[14] to link state motor-vehicle databases is a nationwide identity system. So is the recent proposal to create a traveler ID and database to expedite security checks at airports. Each of these systems could and should be subjected to the kind of analysis and critique described in this report. Some of the issues raised here will be more applicable to some systems than to others, but virtually any large-scale identity system will need to take into consideration a number of policy and technological issues; in fact, before deciding to build any identity system, the issues outlined in this report should be explored.

A top-down, monolithic system controlled by the federal government is not the only kind of nationwide identity system that this report addresses. For example, unifying document formats and linking the databases of state driver’s licenses and ID-issuing systems would provide broad (though not complete) coverage without creating a federally controlled nationwide identity system. Further, the successes and failures of the various nationwide identity systems in use in other countries should be examined in order to have a fully informed discussion in the United States. However, when studying such systems, questions of scale must be kept in mind. Experience with a system for a population of tens of millions is not necessarily applicable to a system that might incorporate hundreds of millions. In any case, many of the questions raised in this report assume large-scale systems and widespread participation in and use of such systems.

Without attempting to answer comprehensively the many questions surrounding a nationwide identity system and without making assertions about whether to move toward or away from a nationwide identity system, the report aims to highlight some of the significant policy, procedural, and technical challenges presented by such a system, with the overall goal of prompting a broad discussion among and between policy makers and stakeholders.

This brief document is intended to inform the policy debate. Complete policy analysis is outside its scope, though several of the broad themes outlined here will be addressed more fully in the committee’s final report. Chapter 2 describes what the committee believes is the most important issue in the debate—namely, the system goals—along with other policy issues that the committee believes should be considered in advance of implementation and deployment. Chapter 3 explores some of the technological issues involved in implementing a reliable and secure nationwide identity system while minimizing unintended consequences, such as compromises of privacy or the creation of new vulnerabilities. Chapter 4 offers concluding remarks and suggestions.

Notes

[1] See, for example, “States Devising Plan for High-Tech National Identification System” at <http://www.washingtonpost.com/wp-dyn/articles/A32717-2001Nov2.html> and “National ID Card Gaining Support” at <http://www.washingtonpost.com/wp-dyn/articles/A52300-2001Dec16.html>.

[2] Examples include tracking fugitives, executing warrants, tracking noncitizens with expired visas, tracking illegal aliens, and confirming alibis for those innocent of criminal charges. A nationwide identity system could facilitate the work done by the National Crime Information Center, a computerized database at the Federal Bureau of Investigation that permits access by authorized users to documented criminal justice information.

[3] The Electronic Privacy Information Center has compiled a set of resources and reports on the topic at its Web site.

[4] An example that frustrates many genealogists is that U.S. birth certificates usually require identifying the town of birth only for parents born in the United States; for people born elsewhere, the country of birth is sufficient. Generally speaking, the mindset that such things are “no one’s business” has deep roots.

[5] See U.S. General Accounting Office (GAO), Immigration Reform: Employer Sanctions and the Question of Discrimination, March 1990; Marvin Howe, “Immigration Law Leads to Job Bias, New York Reports,” New York Times, February 26, 1990, p. A1. The GAO report on the Immigration Reform and Control Act of 1986 (IRCA) cites a “widespread pattern of discrimination” resulting “solely from the implementation of IRCA.” Ten percent of employers discriminated on the basis of foreign accent or appearance, and nine percent discriminated by preferring certain authorized workers over others.

[6] Especially for communities of recent immigrants, there is likely to be significant controversy in shifting to a system that would prohibit or make difficult work and other activities without presentation of an ID. In considering the feasibility and desirability of a particular approach, designers of any such system should be aware of this potential opposition, as well as possible opposition from other segments of the population.

[7] It would be useful to examine how such systems have worked in other countries, as well as to examine nations where IDs have been proposed but not implemented (such as the United Kingdom).

[8] Some might argue that the SSN is already a de facto national identifier. The General Accounting Office makes this assertion and also points out that no one law governs the use of SSNs. While originally intended to identify retirees who qualified for the Social Security retirement system, the SSN is now required, in some cases by law, to be used to identify individuals who seek federal assistance. In addition, of course, the SSN has been adopted as a taxpayer ID number. In his book Database Nation, Simson Garfinkel provides a history of the expanded use of the SSN. Provisions of the Social Security Act, the Privacy Act, and the Computer Matching Act are among the laws that attempt to limit the conditions under which SSNs and associated data are used (General Accounting Office, Social Security: Government and Commercial Use of the Social Security Number Is Widespread, GAO/HEHS-99-28, February 1999). For example, the Privacy Act of 1974, available at , requires the disclosure of how the SSN will be used by all government agencies. In 1986, the Office of Technology Assessment addressed the issue of ubiquitous use of the SSN as well (U.S. Congress, Office of Technology Assessment, Government Information Technology: Electronic Records Systems and Individual Privacy, OTA-CIT-296, Washington, D.C., U.S. Government Printing Office, June 1986).

[9] Note that there are additional discussions about systems aimed exclusively at noncitizens, including, for example, proposals that would more rigorously track foreign students within the United States.

[10] In general, the narrower the goals, the simpler and, perhaps, less controversial a system is likely to be, although even a narrowly focused system can run into function creep and problems associated with misidentification.

[11] Although biometrics are proposed with increasing frequency for a variety of identification and authentication purposes, they pose many difficult issues for system design, implementation, and use. These will be explored in the committee’s final report.

[12] For example, if the goal were to track the activities or whereabouts of an individual to detect illegal activity or suspicious patterns, surveillance of the behavior and activities of said individual would be needed after identification was accomplished. Surveillance might require a warrant or other judicial intervention, depending on the approach taken. If the goal were to detect suspicious activity by previously unsuspected individuals (in order to prevent illegal activity), correlation of surveyed actions would be required after identification and surveillance were accomplished. Such correlation would presumably have to be done before establishment of probable cause for a search in order for it to be useful.

[13] There are examples of this in security mechanisms—for example, where individual techniques to provide additional security interact unexpectedly in such a way as to make the system less secure. Charles Perrow explores the broad concept more thoroughly in Normal Accidents, McGraw-Hill, 1986. In addition, the Web site describes the distinction between component failure accidents and system accidents.

[14] See for more information. The committee received a briefing describing some of the issues facing AAMVA in developing a more secure driver’s license infrastructure in a context where use of driver’s licenses is expanding beyond their nominal function.