
Comment National ID Cards (Score 1) 400

Mr. Schneier,

In your article you criticize National ID Cards. It is my opinion that many of your points are invalid and/or misleading. More broadly, it is my opinion that your opposition to National ID Cards is based more on philosophical opposition to the idea than the actual reality of any such system. Of course, I would like to point out that many democratic nations have ID cards without undermining civil liberties and in fact providing essentially perfect protection against identity theft (which the US most assuredly does not have). Overall, a National ID Card is basically an unforgeable driver's license. Why such a thing should arouse such fierce opposition is not clear to me, although obviously it does.

A few specific points:

1. Any decent National ID Card would be totally unforgeable. The technology required for an unforgeable ID card has existed for years and would presumably be employed in the U.S. For example, all of the information on the card would be digitally signed using a secret key. To be useful the signed information would include a picture, fingerprints and/or iris data. Any attempt to create a fake ID would show up as a digital signature mismatch. To date no cryptographic flaws have been found in the standard digital signature algorithms used in the U.S. and around the world.

Of course, there is always the risk that the secret key used to sign ID cards might be lost. Presumably enormous care would be taken to prevent any such failure. Beyond that, an array of different secret keys could easily be used to sign ID cards. Each key could be separately stored and protected so that the loss of any one key would not compromise the system. Giving the keys limited lifetimes (5-10 years) would ensure that at least one key was still intact at the point that the secret keys (and cards) would have to be replaced.

In addition, the data on the cards would also be stored in some central database. This means that even if all of the secret keys leaked, a National ID Card could still not be forged. Why? Because the data on the forged ID card would not match the contents of the database and would result in the immediate recognition that the card in question was invalid. In other words, to successfully create a fake ID card, someone would have to obtain all of the secret keys used to sign ID cards and simultaneously corrupt the national identification database.

2. Your article asks what would happen if the database crashed or was otherwise unavailable. The answer is not much. Why? Because the ID cards would be self-verifying as stated above. Even if terrorists successfully attacked the ID database with the intent of stopping database verification they would still have to obtain all of the secret keys to create even one forged ID. Beyond that the ID database could easily be replicated. What many folks may not realize is how small such a database would be. Allowing for 100K per person and 300 million records, only 30 terabytes would be needed for all of the records. This is roughly 120 current generation disk drives from your local CompUSA at a cost of around $30K.

In practice, higher quality and higher cost disks would be used. However, the cost would still be minimal. A recent copy of the Gilder Technology Report claimed that commercial disk space costs around $2.33 per gigabyte per year. That puts the disk storage costs of the ID database under $100K per year. Obviously the support costs of any such system could dwarf the hardware expenditures. However, it should be clear that such a system could incorporate a high level of physical replication to ensure continuous availability under any set of circumstances short of "Deep Impact" (the movie).

3. Your article suggests that any database system would be vulnerable to hackers, viruses, worms, etc. that could corrupt its contents. In my opinion, these threats can be controlled and are not an obstacle to deploying any such system. The best evidence is that the Federal government already runs any number of critical databases that have not been materially corrupted to date (at least to my knowledge). The IRS is an obvious example. If it is really so easy to break into government computer systems, how many people have cracked the IRS to get multi-million dollar refunds? Has anyone done it? Of course, it could be argued that if such a crime was committed carefully enough it would never show up as a crime. However, in practice criminals usually make enough mistakes (eventually) to show up on someone's radar screen. This means that at least some IRS hackers should have been caught by now. Have any?

4. In my opinion, the strongest criticism of a National ID Card is that it is only as good as the information in it. If ID cards can be easily obtained with false data, then they are no better than the existing systems. However, this turns out to be only partially true. Why? Because even an ID system with weak entry controls will still detect attempts to obtain duplicate cards. In practice, this is an extremely valuable control mechanism even if the primary card issuance system is not tightly managed.

For example, duplicate detection would have prevented the 9-11 terrorists from obtaining Virginia driver's licenses. How? Because the fingerprints and irises of the terrorists would have matched the biometric data obtained when they applied for visas and/or entered the U.S. Of course, back then the U.S. did not collect biometric data from foreigners entering our country. Now we do. The system is not perfect (some countries are exempt) but could be tightened in the future.

Did having Virginia driver's licenses make possible the 9-11 attacks? Would the airlines have allowed Saudi (15 of the 19) nationals to board with box cutters even if they used their passports to identify themselves? Who knows. However, it is generally agreed that the ease with which the terrorists obtained driver's licenses facilitated their crimes. To be specific, several of the 9-11 terrorists were illegally residing in the U.S. when they hijacked the four airplanes. Had they been forced to use their passports, they might have been arrested or at least denied boarding.

The U.S. government has obtained a considerable body of biometric data on terrorists over the years. Much of this data has been obtained from friendly foreign governments (including many in the Middle East). An ID database will prevent these folks from obtaining ID cards even if the basic card issuance system is weak. Of course, such a system is of no value against new terrorists with no prior records. However, in practice many terrorists and most (all?) terrorist leaders are well known to the authorities. Arresting and/or blocking the movements of these people is of considerable value even if it does not constitute a perfect defense against terrorism.

It is worth noting that biometric ID systems have been used to detect duplicate IDs for more than a century. Even before fingerprints were used to identify criminals, the Bertillon system (see http://onin.com/fp/fphistory.html) was in use. Its goal was to prevent criminals from using a false identity to avoid recognition as multiple offenders. Sound familiar?

The value of ID databases should not be underestimated. The DC sniper case was broken using fingerprint and picture data obtained by the INS in Washington state. After Lee Malvo was (illegally) released in Washington state he proceeded to Alabama where he left a fingerprint at a liquor-store murder scene. That fingerprint was matched to his picture breaking the case.

There is a worldwide trend towards ID cards backed by biometric databases. The UK just announced plans to build one. Notably, 80% of the British support the system in spite of the direct cost to them in higher passport fees.

Thank you

Peter Schaeffer
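
The card checks described in points 1 and 2 of the comment above (a signature under one of several keys with limited lifetimes, plus a database cross-check), sketched as an added example that is not part of the original comment. The toy RSA keys, record fields, key ids, years and the `revoked` set are constructed assumptions.

```python
import hashlib
import json

# Constructed toy RSA keys built from Mersenne primes: unpadded and NOT secure,
# chosen only so the example runs with the standard library.
E = 65537

def make_key(p, q, valid):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1)), "valid": valid}

KEYS = {  # key id -> signing key with a validity window in years (hypothetical)
    "k1": make_key(2**521 - 1, 2**607 - 1, (2000, 2010)),
    "k2": make_key(2**1279 - 1, 2**2203 - 1, (2005, 2015)),
}

def digest(card):
    body = json.dumps(card, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def sign(card, kid):
    k = KEYS[kid]
    return {"card": card, "kid": kid, "sig": pow(digest(card), k["d"], k["n"])}

def verify(token, year, database=None, revoked=()):
    """Return 'ok' or the reason the card is rejected.
    database=None models an offline check (database unavailable)."""
    k = KEYS.get(token["kid"])
    if k is None or token["kid"] in revoked:
        return "unknown or revoked key"
    lo, hi = k["valid"]
    if not lo <= year <= hi:
        return "key outside validity window"
    if pow(token["sig"], E, k["n"]) != digest(token["card"]):
        return "signature mismatch"
    if database is not None and database.get(token["card"]["id"]) != token["card"]:
        return "not in database"
    return "ok"

# Constructed sample records.
DB = {"A1": {"id": "A1", "name": "Alice Example", "photo_sha256": "ab12"}}
genuine = sign(DB["A1"], "k1")
# Same signature, edited fields: caught by the signature check alone.
altered = dict(genuine, card=dict(genuine["card"], name="Mallory"))
# Card minted with a leaked key: valid signature, record never enrolled.
leaked = sign({"id": "Z9", "name": "Mallory", "photo_sha256": "cd34"}, "k1")
```

With the database reachable, the leaked-key card is rejected; in an offline check it is accepted unless the verifier already knows that key id is revoked.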
