On Monday afternoon, the ACLU member's conference offered a number of panels on various assaults on civil liberties. I decided to listen in on a panel entitled "Your Papers Please—National I.D. Cards for America." The panel was moderated by Barry Steinhardt, the head of the ACLU's Technology and Liberty Program. Another participant was Tim Sparapani who is spearheading the ACLU's opposition to the REAL ID program that would require every state to adopt uniform driver's licenses which would be tied into a national database. And David Fahti who works on the ACLU's national prison project spoke about his travails as someone who somehow got on the government's "no fly" list of possible terrorists.
Steinhardt noted that today Americans are asked for I.D. at virtually every turn. He outlined the various ways in which Federal government has tried and continues to spy on Americans including the Pentagon's Total Information Awareness program to create electronic dossiers on every American. Steinhardt also mentioned the National Security Agency's (NSA) warrantless wiretapping program, and the recently revealed SWIFT arrangement between the NSA and the world's leading banks to allow the agency to monitor private financial transactions. Earlier this year, the ACLU has also launched its "Don't Spy on Me" campaign in which it has filed petitions at 20 state public utility commissions and the Federal Communications Commission asking them to investigate telephone companies that handed over private phone records to the NSA.
Steinhardt went on to describe how "policy laundering" works. The Feds want every American to carry electronic I.D. cards, but the proposal fails domestically. So U.S. officials prod an international agency to adopt the new standards for machine readable travel documents, aka biometric passports. In this case the feds went to an obscure agency known as the International Civil Aviation Organization (ICAO). The feds then return saying, "We understand the concerns that American citizens have about I.D. cards, but it's out of our hands now. We are just complying with international standards." The new biometric passports will contain a radio frequency identification (RFID) chip that can display various information including a digitized photo. The Denver passport office has now begun issuing the new e-passports. In a debate with a State Department official, Steinhardt dummied up his passport with an RFID chip. When the official denied that such chips could be read from a distance, he had confederate scan it and then display his information on a screen behind the official. The official dismissed it as a "parlor trick," but Steinhardt argues that current versions of the RFID chips in passports could be the equivalent of a sign saying, "I'm an American, kidnap me."
Steinhardt did note that the RFID chips are very fragile and could suffer damage. It is against the law to deliberately disable the chips, but how could the State Department tell. One audience member wondered what would happen to the chips if one's passport somehow got it inside one's microwave oven?
Next the ACLU's David Fathi then briefly described the hassles he endured for 18 months or so when airline officials and Transportation Safety Administration officials offered him an "enhanced level" of security services. His worst experience occurred at Dulles Airport when returning from a trip abroad. He was pulled out of line by immigration and customs agents and asked for his social security number. Fathi asked the agent if other people were being asked for their social security numbers and was told no, it was just him. The agent said, "We need to make sure that you're not a bad guy." Fathi then asked why a valid U.S. passport and a valid DC driver's license was not enough to get back into his own country. The agent said it wasn't in his case. So how long can you keep me here, Fathi asked. The agent replied that they could keep Fathi for days, weeks, months, however long it took to make sure that he was not a bad guy. Then the agent demanded that Fathi hand over his wallet—Fathi asked, "Am I required to hand over my wallet?" The agent didn't reply and Fathi didn't turn over his wallet.
Fathi was traveling with his girlfriend who overheard another agent say, "Just hand cuff him and get him out of here." Fathi admitted that he finally caved and gave them his social security number. The agents immediately became very friendly saying, "Welcome home sir." Fathi noted that he was scared and he is an ACLU lawyer, a native born English speaker-what must non-citizen visitors, green card holders, and naturalized citizens experience? He noted that he was not alone on the no fly list—even Sen. Ted Kennedy (D-Mass.) has had trouble boarding airliners.
While relatively few Americans actually have passports, it turns out the new federal law that attempts to impose standardized electronic driver's licenses—Real I.D.--is modeled on the biometric passport program. Every driver's license would contain an electronic chip containing the licensee's face and fingerprints Real I.D. would tie every driver's license into a national database to which all sorts of local, state, and federal officials will have immediate electronic access. Real I.D. has real bite because without the new federally mandated electronic I.D.s Americans could be denied access to government buildings and to public transportation including buses, trains, and airplanes.
Tim Sparapani argued that the deployment of Real I.D. would make America a checkpoint society in which we must prove our identities in order to be authorized to do almost anything. No I.D., no permission granted. Sparapani argued that the Real I.D. violates the First Amendment because it interferes with the right of assembly and the right to travel unhindered. Real I.D. essentially becomes an internal passport. He pointed out that Real I.D. had Second Amendment implications in that state databases on gun ownership could be easily linked to the Real I.D. databases letting officials know what guns you own. The right to anonymity would be eviscerated by Real I.D.
In addition, Sparapani pointed out that the statute offers no privacy protections at all. So naturally, private companies would insist Real I.D.s for any transactions. CVS, Target, Amazon.com would record where you bought, what you bought, how much you paid, how often you visit and so forth. These retailers could then resell this information to private identification and credential verification companies like Choicepoint. Such companies already compile electronic dossiers on nearly all Americans. As Sparapani noted few doubt that one of the biggest buyers of this privately compiled information would be U.S. spy and law enforcement agencies.
Fortunately, resistance to Real I.D. seems to be growing. In New Hampshire legislators proposed to opt out the program (since stalled) and the New York City Council has passed a resolution opposing Real I.D. If we want to avoid the creation of the Total Surveillance Society, Sparapani warned, "We have to take action now against Real I.D. This is an important moment in our history."
Ronald Bailey is Reason's science correspondent. His book Liberation Biology: The Scientific and Moral Case for the Biotech Revolution is now available from Prometheus Books.
COUNT THE COSTS! NAIS WILL ALSO BE JUST AS BAD!
Real ID Cost to States
On September 21st, the National Conference of State Legislatures (NCSL), in conjunction with the National Governors Association (NGA) and the American Association of Motor Vehicle Administrators (AAMVA), released the results of a nationwide survey of state motor vehicle agencies (DMVs) which evaluated the potential costs of the REAL ID and its impact on the states. Based on the results of that survey, NGA, NCSL and AAMVA conclude that Real ID will cost more than $11 billion over five years, have a major impact on services to the public and impose unrealistic burdens on states to comply with the act by the May 2008 deadline. NCSL, NGA and AAMVA also provided practical and cost effective solutions for Congress and the Department of Homeland Security (DHS) to address these shortcomings and meet the objectives of the act.
For the whole story, go to the link below:
Real-ID: Costs and Benefits
The argument was so obvious it hardly needed repeating. Some thought we would all be safer -- ?from terrorism, from crime, even from inconvenience -- ?if we had a better ID card. A good, hard-to-forge national ID is a no-brainer (or so the argument goes), and it's ridiculous that a modern country like the United States doesn't have
Still, most Americans have been and continue to be opposed to a national ID card. Even just after 9/11, polls showed a bare majority (51%) in favor -- and that quickly became a minority opinion again. As such, both
political parties came out against the card, which meant that the only way it could become law was to sneak it through.
Republican Cong. F. James Sensenbrenner of Wisconsin did just that. In February 2005, he attached the Real ID Act to a defense appropriations bill. No one was willing to risk not supporting the troops by holding up the bill, and it became law. No hearings. No floor debate. With nary a whisper, the United States had a national ID.
By forcing all states to conform to common and more stringent rules for issuing driver's licenses, the Real ID Act turns these licenses into a de facto national ID. It's a massive, unfunded mandate imposed on the states, and -- naturally -- the states have resisted. The detailed rules and timetables are still being worked out by the Department of Homeland Security, and it's the details that will determine exactly how expensive and onerous the program actually is.
It is against this backdrop that the National Governors Association, the National Conference of State Legislatures, and the American Association of Motor Vehicle Administrators together tried to estimate the cost of this initiative. "The Real ID Act: National Impact Analysis" is a methodical and detailed report, and everything after the executive summary is likely to bore anyone but the most dedicated bean counters. But rigor is important because states want to use this document to influence both the technical details and timetable of Real ID. The estimates are conservative, leaving no room for problems, delays, or unforeseen costs, and yet the total cost is $11 billion over the first five years of the program.
If anything, it's surprisingly cheap: Only $37 each for an estimated 295 million people who would get a new ID under this program. But it's still an enormous amount of money. The question to ask is, of course: Is the
security benefit we all get worth the $11 billion price tag? We have a cost estimate; all we need now is a security estimate.
I'm going to take a crack at it.
When most people think of ID cards, they think of a small plastic card with their name and photograph. This isn't wrong, but it's only a small piece of any ID program. What starts out as a seemingly simple security device -- a card that binds a photograph with a name -- becomes a complex security system.
It doesn't really matter how well a Real ID works when used by the hundreds of millions of honest people who would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.
The first problem is the card itself. No matter how unforgeable we make it, it will be forged. We can raise the price of forgery, but we can't make it impossible. Real IDs will be forged.
Even worse, people will get legitimate cards in fraudulent names. Two of the 9/11 terrorists had valid Virginia driver's licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn't be bribed, cards are issued based on other identity documents -- all of which are easier to forge.
And we can't assume that everyone will always have a Real ID. Currently about 20% of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself would be susceptible to abuse.
Additionally, any ID system involves people: people who regularly make mistakes. We've all heard stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It's not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics such as thumbprints could help, but bring with them their own set of exploitable failure modes.
All of these problems demonstrate that identification checks based on Real ID won't be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American -- one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.
The security risks of this database are enormous. It would be a kludge of existing databases that are incompatible, full of erroneous data, and unreliable. Computer scientists don't know how to keep a database of
this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.
But even if we could solve all these problems, and within the putative $11 billion budget, we still wouldn't be getting very much security. A reliance on ID cards is based on a dangerous security myth, that if only we knew who everyone was, we could pick the bad guys out of the crowd.
In an ideal world, what we would want is some kind of ID that denoted intention. We'd want all terrorists to carry a card that said "evildoer" and everyone else to carry a card that said "honest person who won't try to hijack or blow up anything." Then security would be easy. We could just look at people's IDs, and, if they were evildoers, we wouldn't let them on the airplane or into the building.
This is, of course, ridiculous; so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you're likely to be an evildoer. But that's almost as ridiculous.
Even worse, as soon as you divide people into two categories -- more trusted and less trusted people -- you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC, snipers; the London subway bombers; and many of the 9/11 terrorists had no previous links to terrorism. Evildoers can also steal the identity -- and profile -- of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.
There's another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. Think of all the problems with the government's no-fly list. That list, which is what Real IDs will be checked against, not only wastes investigative resources that might be better spent elsewhere, but it also causes grave harm to those innocents who fit the profile.
Enough of terrorism; what about more mundane concerns like identity theft? Perversely, a hard-to-forge ID card can actually increase the risk of identity theft. A single ubiquitous ID card will be trusted more and used in more applications. Therefore, someone who does manage to forge one -- or get one issued in someone else's name -- can commit much more fraud with it. A centralized ID system is a far greater security risk than a decentralized one with various organizations issuing ID cards according to their own rules for their own purposes.
Security is always a trade-off; it must be balanced with the cost. We all do this intuitively. Few of us walk around wearing bulletproof vests. It's not because they're ineffective, it's because for most of us the trade-off isn't worth it. It's not worth the cost, the inconvenience, or the loss of fashion sense. If we were living in a war-torn country like Iraq, we might make a different trade-off.
Real ID is another lousy security trade-off. It'll cost the United States at least $11 billion, and we won't get much security in return. The report suggests a variety of measures designed to ease the financial burden on the states: extend compliance deadlines, allow manual verification systems, and so on. But what it doesn't suggest is the
simple change that would do the most good: scrap the Real ID program altogether. For the price, we're not getting anywhere near the security we should.
This essay will appear in the March/April issue of "The Bulletin of Atomic Scientists."
The REAL-ID Act: National Impact Analysis:
There's REAL-ID news. Maine became the first state to reject REAL-ID. This means that a Maine state driver's license will not be recognized as valid for federal purposes, although I'm sure the Feds will back down over this. My guess is that Montana will become the second state to reject REAL-ID, and New Mexico will be the third.
More info on REAL-ID:
February 15, 2007
by Bruce Schneier
Founder and CTO
Minnesota joins states bucking plan for a national ID
MICROCHIPS IN YOUR ANIMALS *AND* YOUR CHILDREN?!