Preface

One proposal that has received a fair amount of attention is a national identification card--or, more precisely, a nationwide identity system. The Bush administration has indicated that a national identification card is not within the scope of options it is contemplating. Congress, however, has been considering various alternatives--for example, a measure in the Enhanced Border Security and Visa Entry Reform Act of 2001 would require biometric identifiers to be employed on visas and other travel and entry documents for aliens (H.R. 3525, Section 303). Additional suggestions include a proposal by the American Association of Motor Vehicle Administrators (AAMVA) to link state motor vehicle departments and a proposed "trusted traveler" system for airports.

The persistence of public discussion on the topic and the expectation that other proposals will be offered argue for an informed analysis and critique of the concept of a nationwide identity system.

In early 2001, the Computer Science and Telecommunications Board, (CSTB) a unit of the National Research Council with a long history of examining information technology, security, and related issues,¹ launched a study to examine authentication technologies and their privacy implications. Sponsored by the National Science Foundation, the Office of Naval Research, the General Services Administration, the Federal Chief Information Officers' Council, and the Social Security Administration, the study aims to assess emerging approaches to user authentication in computing and communications systems, and it specifically focuses on the implications of these authentication technologies for privacy.

The study is being conducted by the multidisciplinary Committee on Authentication Technologies and Their Privacy Implications, whose members include experts in the design, implementation, deployment, and use of information systems generally and information systems security in particular, along with experts in privacy law and policy (see Appendix A for committee and staff biographies). Given that identification and authentication systems constitute a large portion of the committee's agenda, it is well positioned to comment on the technology and policy issues surrounding a nationwide identity system and its supporting infrastructures (hereinafter referred to as a nationwide identity system). In fact, CSTB asked the committee to do so, in the interest of providing a timely contribution to the public debate. Additional resources from the Vadasz Family Foundation enabled development of this report.

The committee's broader and more comprehensive final report is expected in late 2002, but its members felt compelled to issue a brief report at this time because of the real possibility that further debate on a nationwide identity system, and even action on the topic, could take place prior to the final report's issuance. Thus the present effort outlines the issues the committee believes must be addressed and raises a number of questions that the committee believes should be answered as part of any consideration of a nationwide identity system.

This brief report is a product of the committee's deliberations, drawing on its members' areas of expertise. But, given time and resource limitations, it is not an exhaustive assessment. It is intended to catalyze a broader and more sophisticated discussion. Clearly, the legal, policy, and technological issues associated with nationwide identity systems warrant a much more detailed and comprehensive examination. The committee invites feedback on this brief report as it continues the process of preparing its broader and more in-depth final report on the topic of authentication technologies and their implications for privacy.

The committee thanks David D. Clark, chair of the CSTB, and Marjory S. Blumenthal, CSTB's director, for their commentary and feedback on draft versions of the report. The committee also wishes to thank the various members of the CSTB staff who helped to make it happen. Jennifer Bishop took over as senior project assistant for the authentication study midway through the project, managing logistics, organizing materials, and coping with an unplanned brief report and review with aplomb. She also assisted in developing the diagrams in the report and designed its cover. Janet Briscoe, CSTB's administrative officer, provided crucial administrative and logistical support as well as the suggestion that ultimately led to the report's title. Andy White, director of the NRC's Committee on National Statistics, provided feedback during the formulation and review phases. The committee also thanks Steven J. Marcus, a free-lance editor, for assistance at multiple stages of the report's development. Liz Fikre at the National Research Council also made significant editorial contributions to the final manuscript. Lynette Millett is the study director for this project; she synthesized this report, coordinating contributions from committee members and drafting the response to reviewers.

Stephen T. Kent, Chair

Committee on Authentication Technologies and Their Privacy Implications

Note

¹ See, for example, CSTB reports such as Growing Vulnerability of the Public Switched Networks (1989), Computers at Risk (1991), Evolving the High Performance Computing and Communications Initiative to Support the Nation's Information Infrastructure (1995), Cryptography's Role in Securing the Information Society (1996), For the Record: Protecting Electronic Health Information (1997), Trust in Cyberspace (1999), The Internet's Coming of Age (2000), Embedded, Everywhere: A Research Agenda for Networked Systems of Embedded Computers (2001), and Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002). See <http://www.cstb.org/web/topic_security> for a complete list of CSTB reports related to security, assurance, and privacy.