A National ID Card With Biometrics? Really?

I do find it a bit ironic that the same Senator Schumer seeking to force Facebook to change its privacy policies - rightly so I might add - is simultaneously leading the push in Congress to require all Americans to have national ID cards.

The concept for a National ID Card with biometric identifiers - like fingerprints, facial, and/or iris scans - is being proposed for inclusion in the coming immigration reform legislation. There are a number of reasons why this concerns me, most notably the fact that its part of much larger pattern of government expansion of power through increasingly intrusive assaults on our civil liberties. All of course, in the name of keeping us safe, and protecting us usually from one kind of brown person or another. Now, instead of pandering to those afraid of "terrorists" on every street corner, this seems to be pandering to those unduly afraid of the "illegal immigrant threat".

Consider, biometrics technology is the computerized matching of an individual’s personal characteristics against an image or database of images. Initially, the system captures a fingerprint, picture, or some other personal characteristic, and transforms it into a small computer file (often called a template). The next time someone interacts with the system, it creates another computer file (often called a sample), and compares it to the original template or tries to find a match in its database. Because every sample is a little different, biometrics really asks whether the sample is similar enough to the template.

So let's be real clear, creating a database with 100's of millions of facial scans and thumbprints raises a host of surveillance, tracking and security questions, and consumer hassles with the DMV - never mind the enormous cost.

Privacy expert Bruce Schneier recently pointed out some of pro's and con's of a biometric based ID:

Biometrics can vastly improve security, especially when paired with another form of authentication such as passwords. But it's important to understand their limitations as well as their strengths. On the strength side, biometrics are hard to forge. It's hard to affix a fake fingerprint to your finger or make your retina look like someone else's. Some people can mimic voices, and make-up artists can change people's faces, but these are specialized skills.

On the other hand, biometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. Regularly, hackers have copied the prints of officials from objects they've touched, and posted them on the Internet. We haven't yet had an example of a large biometric database being hacked into, but the possibility is there. Biometrics are unique identifiers, but they're not secrets.

And a stolen biometric can fool some systems. It can be as easy as cutting out a signature, pasting it onto a contract, and then faxing the page to someone. The person on the other end doesn't know that the signature isn't valid because he didn't see it fixed onto the page. Remote logins by fingerprint fail in the same way. If there's no way to verify the print came from an actual reader, not from a stored computer file, the system is much less secure.

...

A more secure system is to use a fingerprint to unlock your mobile phone or computer. Because there is a trusted path from the fingerprint reader to the stored fingerprint the system uses to compare, an attacker can't inject a previously stored print as easily as he can cut and paste a signature. A photo on an ID card works the same way: the verifier can compare the face in front of him with the face on the card.

Fingerprints on ID cards are more problematic, because the attacker can try to fool the fingerprint reader. Researchers have made false fingers out of rubber or glycerin. Manufacturers have responded by building readers that also detect pores or a pulse.

The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system.

...

One more problem with biometrics: they don't fail well. Passwords can be changed, but if someone copies your thumbprint, you're out of luck: you can't update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you're stuck. The failures don't have to be this spectacular: a voiceprint reader might not recognize someone with a sore throat, or a fingerprint reader might fail outside in freezing weather. Biometric systems need to be analyzed in light of these possibilities.

Biometrics are easy, convenient, and when used properly, very secure; they're just not a panacea. Understanding how they work and fail is critical to understanding when they improve security and when they don't.

So, from Schneier's perspective, it does seem that requiring ALL AMERICANS to carry these, particularly with the fingerprint or the iris as the biometric identifier, doesn't make much sense, and poses a significant threat to ones identity being stolen - not protected.

The Consumer Federation of California joined with the ACLU and a host of other organizations to oppose the transition to biometric drivers licenses here in California not long ago. Some of the privacy concerns we raised during that debate include:

Right to Privacy – Personal Freedom and Security

o Whether biometric images should be collected, which images should be collected (i.e. facial v. thumbprint scan), who has access to those images, and for what purposes are the preliminary privacy questions that should addressed to protect individuals’ constitutional right to privacy.

o The Creation of Dossiers about Individuals and their Activities: Where a biometric identifier is used as a unique identifier to catalogue personal information about an individual, it would enable monitoring, tracking and surveillance of individuals. This concern applies to both the government and databrokers/private industry using the same biometric to gather information.

Threat to Anonymity and Anonymous Speech: Unless current law is changed, the biometric thumbprints and facial scans from the DMV will be used in criminal investigations, and as public and private surveillance cameras become more ubiquitous, the likelihood rises of using facial recognition to identify and surveil innocent people just walking down the street or engaged in First Amendment protected speech on political or labor issues.

The Supreme Court has found that compelling an individual to disclose his or her political ideas or affiliations to the government deters the exercise of First Amendment rights. The right to anonymous speech, protest and leafleting are critical to our democracy.

o Perceived Infallibility and Inaccuracy: The concept that each of us is unique does not always translate into accurate biometric identification. Computer “matches” must be reviewed visually by people to confirm the accuracy. And, even then, errors are made.

Brandon Mayfield, the Oregon Attorney, was erroneously linked to the 2004 Madrid train bombings after his prints were misidentified and he was held by the FBI for two weeks, though he was never charged. His prints were “identified” through the Integrated Automated Fingerprint Identification System (IAFIS). IAFIS identified a few potential matches that were then reviewed by a fingerprint examiner and an outside experienced fingerprint expert.

o What is the "bang for the buck" that California (or in this case the US) would get from undefined changes being proposed in the nature and use of these biometric databases? How much is the whole system going to cost? How much would be borne by the state, how much would be borne by individuals?

We do know that creating biometric database systems (facial image and thumbprint) will be very costly, and even more costly to do correctly (in addition to the technology, staff needs be trained, and there must be technical and due process protections in place to ensure that people’s licenses are not wrongly denied or taken away because of an error).

The Legislative Analysts Office raised their own privacy concerns, particularly regarding whether the data would be stored by a private vendor, and whether states that have experienced a 5-10 percent reduction in fraud using biometrics is necessarily relevant to state's that already have secure cards and issuance processes. In other words, the Legislature (or Congress in this case) would need to assess costs of implementing a biometrics system in light of the cost of implementing other solutions and the actual number of fraudulent IDs prevented.

EFF, in its opposition to this concept as a component of PASS ID (a slightly scaled back version of REAL ID), wrote:

Proponents seem to be blind to the systemic impotence of such an identification card scheme. Individuals originally motivated to obtain and use fake IDs will instead use fake identity documents to procure "real" drivers' licenses. PASS ID creates new risks -- it calls for the scanning and storage of copies of applicants' identity documents (birth certificates, visas, etc.). These documents will be stored in databases that will become leaky honeypots of sensitive personal data, prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database.

...proponents of the national ID effort seem blissfully unaware of the creepy implications of a "papers please" mentality (think Arizona) that may grow from the issuance of mandatory federal identification cards.

Do we really want to create a multibillion-dollar program - at a time of economic recession and growing deficits - that enhances opportunities for identity theft, turns state motor vehicle departments into arms of U.S. Immigration and Customs Enforcement and will almost certainly lead to harassment of immigrants, legal or otherwise?

It would also complicate efforts by some states to issue driver's licenses to illegal immigrants, because such licenses would require special markings to signal that the bearer is here illegally. Sensible measures to enforce our immigration laws is one thing, but anything that discourages undocumented immigrants from getting driver's licenses endangers all drivers on the road and raises insurance costs for everyone.

So if we put everything into that one document – make it the be-all and end-all of identification for most Americans – what might we have? An invasion of ordinary citizens' privacy and phony documentation in the hands of identity thieves and potential terrorists that we believe too readily is authentic.

Let's remember too the state reaction to REAL ID, with at least 42 states have considered anti-Real ID legislation, and another 25 states have enacted anti-real ID bills or resolutions, and fourteen of those states have passed binding legislation prohibiting participation in the Real ID program. Six more states have already passed resolutions or statutes in 2009.

Imposing a first-ever national identity card system, even if just for employment, would violate privacy by helping to consolidate data and facilitate tracking, and over time its use will almost certainly expand to cover other activities necessary to participate in society.

Here's a couple clips from an article in United Press International this week:

On a five-year timetable the biometric cards would replace Social Security cards and would be used to prove eligibility for employment. Card scanners would be issued to all U.S. employers. The cards would at least have the capability of being linked to a central data system.

Like all controversial government programs, the proposed national ID card has an innocuous name: When Senate Democratic leaders unveiled the new program last month they called it Biometric Enrollment, Locally Stored Information and Electronic Verification of Employment -- or "Believe," for short.

...

The difference would be in the biometric information and the universality of the employment requirement. However, the opportunities for abuse by unscrupulous government employees are obvious.

The proposal rang alarm bells at the American Civil Liberties Union in Washington. While criticizing several aspects of proposed immigration reform, the group is concentrating its criticism on the ID cards.

"If the biometric national ID card provision of the draft bill becomes law, every worker in America would have to be fingerprinted and a new federal bureaucracy -- one that could cost hundreds of billions of dollars -- would have to be created to issue cards," the organization said in a statement. "The ACLU strongly opposes the inclusion of a biometric national ID in this or any comprehensive immigration reform bill and urges senators to reject such an ID card."

In his own statement, Christopher Calabrese, ACLU legislative counsel, said: "Creating a biometric national ID will not only be astronomically expensive, it will usher government into the very center of our lives. Every worker in America will need a government permission slip in order to work. And all of this will come with a new federal bureaucracy -- one that combines the worst elements of the (Department of Motor Vehicles) and the (U.S. Transportation Security Administration). America's broken immigration system needs real, workable reform, but it cannot come at the expense of privacy and individual freedoms."

Click here to read more.

So my position is clear. What I particularly don't like about it is the pattern for which it is a part of...a pattern of deteriorating privacy, increasing government and corporate powers and authority, and the expanding number of ways in which "security" and "safety" are used to scare people into giving up those very things.

If nothing else, before anything remotely like this becomes law, I would like to see an open, vigorous debate, and if the public goes and the legislature truly goes for it, then a series of steps need to be taken to implement it in a way that is fair, reasonable and secure.