How to have a national ID card that doesn't threaten civil liberties
By Jeffrey Rosen, Wired



Bring up the idea of a national identification card and you're asking for trouble. Sure, it might sound good in theory. Entrepreneurs and politicians have said that ID cards would keep terrorists off airplanes and out of buildings. Cards linked to law enforcement databases would ensure travelers weren't on watch lists or wanted for other crimes.

But debate about the concept has been polarized in the extreme. Techno-positivists argue that for a secure state, the government should have access to as much data as possible. Principled libertarians respond that government shouldn't have access to any data at all - that a badly designed system could keep tabs on citizens' travel, spending, and personal habits.

The truth is, any identification system is inherently neutral; it can either respect privacy or threaten it. But this distinction was lost in the noise until last fall, when media mogul Steven Brill promised a middle way: a volunteer ID card that, he says, would protect both privacy and security. His company, Verified Identity, hopes to have cards and turnstiles in place by February.

More

Putting aside the merits of Brill's card for a moment, it's a conceptual leap beyond the last marquee proposal. Shortly after September 11, Larry Ellison, CEO of Oracle, proposed integrating all the personal information stored by the state and federal governments in a single national database, along with thumbprints or iris scans. The users' biometrics would be stored in a database and encoded on a card. Although voluntary, Ellison's system had the most invasive of all possible architectures. It would have allowed the government to identify people without their consent, and it linked that identity to data in both the public and private sectors.

But a privacy-friendly card is feasible if it follows one simple rule: verification, not identification. In other words, the card would confirm identity but wouldn't allow the government to pick you out of a crowd. There's a model: In 1995, Canadian entrepreneur George Tomko invented an innovative technology that made it possible to lock packets of data in encrypted files, using a fingerprint as a private key. After clearing a background check, the users of a Tomko-like card would receive a digitized packet of information that said, for example, they were cleared to cross a particular border. They'd download the parcel onto a card and lock it with a thumbprint.

Using this card at a border checkpoint, they'd swipe it and then provide a thumbprint. If the print decrypted the file, the system would verify their identity. Because the fingerprints wouldn't be stored in a central database, individuals would retain complete control over how much personal information was revealed. To maximize privacy, the system would keep no identifiable records of who had passed through, and it would not be linked with any other databases that might allow predictions of future behavior.

Technology alone won't prevent mission creep. After the card's deployment, Congress would have to prohibit the government from accessing private fingerprint databases or linking them with other information without cause. Such legislation is already in the pipeline: Russell Feingold (D-Wisconsin), the only senator to vote against the USA Patriot Act, is sponsoring a bill to restrict the use of predictive data mining. It revives a requirement that the Patriot Act eliminated, limiting the most invasive surveillance technologies to those who have been identified as unusually suspicious.

Designing a card that respects privacy in theory will be easier than getting Americans to accept it in practice. A poll conducted the week after the 9/11 attacks found that 70 percent of Americans supported the idea; six months later, support had dropped to 26 percent. Moreover, a powerful antigovernment coalition of libertarian conservatives and liberal civil rights advocates opposes a government-issued ID card under any circumstances. These unlikely allies persuaded Congress to prohibit a national ID card in the Homeland Security bill.

So how does Brill's voluntary identification card stack up? It doesn't quite meet the Tomko gold standard, but it protects privacy more effectively than Ellison's. Brill's card would allow holders to whisk through checkpoints. Every day, Verified Identity turnstiles will receive electronically a list of all the current V-ID customers. When card carriers go through a turnstile, they're verified without any travel information being transmitted back to the company. Databases are always vulnerable to hackers (and subpoenas), but Brill says he'll minimize these dangers by storing only fingerprints, promising not to link them to other identifiable data, and appointing an ombudsman to ensure that his system respects civil liberties. Brill also told me he was considering an alternative design that - like the Tomko plan - would store the fingerprint only on the card.

None of those safeguards will guarantee market success. A private ID card like Brill's, sold principally as a way to avoid long lines, might not provoke Americans' mistrust of monitoring, but frequent fliers already avoid long lines at airports. Building and stadium owners have no compelling reason to invest in card readers if they don't help eliminate liability for letting in terrorists. And many offices already issue their own IDs.

Even with careful attention to privacy, an ID card might do little to prevent another terrorist attack. Bruce Schneier, one of the world's leading computer security experts, says that any identification system that relies on background checks creates three categories of people: trusted, untrusted, and trusted-but-malicious - people who aren't on watch lists but turn out to be terrorists anyway. As Schneier pointed out to me, Ted Kaczynski and Richard Reid would have qualified for V-IDs. Brill says that the pressure for ID cards will be overwhelming after the next attack, so a well-designed one is better than a desperate one. But rather than fixating on whether ID cards threaten privacy, civil libertarians and techno-positivists should explore security measures that might actually thwart terrorism. Otherwise, feel-good solutions could make us less safe in the end.

Jeffrey Rosen's book The Naked Crowd: Reclaiming Security and Freedom in an Anxious Age will be published in January.

posted by awiggins | 04:01 PM