Schneier on Security
A blog covering security and security technology.
June 6, 2007
DHS Data Privacy and Integrity Advisory Committee's Report on REAL ID
The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has issued an excellent report on REAL ID:
The REAL ID Act is one of the largest identity management undertakings in history. It would bring more than 200 million people from a large, diverse, and mobile country within a uniformly defined identity system, jointly operated by state governments. This has never been done before in the USA, and it raises numerous policy, privacy, and data security issues that have had only brief scrutiny, particularly given the scope and scale of the undertaking.
It is critical that specific issues be carefully considered before developing and deploying a uniform identity management system in the 21st century. These include, but are not limited to, the implementation costs, the privacy consequences, the security of stored identity documents and personal information, redress and fairness, "mission creep", and, perhaps most importantly, provisions for national security protections.
The Department of Homeland Security's Notice of Proposed Rulemaking touched on some of these issues, though it did not explore them in the depth necessary for a system of such magnitude and such consequence. Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate.
I've written about REAL ID here.
Posted on June 6, 2007 at 2:55 PM
• 15 Comments
This is entirely too thoughtful and reasonable to be a government-issued report.
I'm betting that all or most of these recommendations will be rejected as too onerous to the states for an unfunded mandate - the exact argument that many states are using to fight REAL ID itself.
Yada, yada, yada.
dubya wants to take a leaf out of tony & Gordo's book and not make it mandatory, but just part of normal travel, employment, non-employment, social services, social benefits, access to public services (trains, buses, roads, footpaths etc.) and breathing. This ensures that people who object can simply avoid these activities.
ID cards are pointless, they should let the cat out of the bag and just tell everyone: we want your biometrics, so the police can stop you, and use a handheld device to verify who you really are.
Now *that* had sooooo many benefits to security, but is more than a bit 1984 (or like in 'Barbed Wire', for the younger generation).
Personally, I think the ultimate aim is noble, but being lied to about the path to it is not.
Blunkett even said ID cards would prevent illegal immigrants getting healthcare - saving the government money. NHS doctors quickly stated that under *no circumstances* would health care be held back to anyone who needed it, ID card, or no ID card.
I'm actually surprised ID cards haven't been touted as a cure for global warming, but I guess that's no help to the US government, who don't believe it is. Even if the world was getting hotter, that would clearly be because of a combination of Al-Qaeda plots, Iran's nuclear programme and people sharing music tracks and videos.
Putin should be lucky that AllOfMP3.com isn't on the 'Axis of Evil', with North Korea, Iran and Canada.
Homeland Insecurity forgets that most states just do not want this.
Your blog is getting more and more political. Maybe you could separate into two, into politics of security, and technicals of crypto and security.
Interestingly enough there don't seem to be any recommendations on data quality. They recommend that details of data verification measures be published in privacy notices, and they recommend a redress procedure to address data errors, but I didn't see any recommendations regarding making sure the data is correct in the first place.
Bruce's books talk about how security doesn't work when you think about crypto algorithms and ignore the people who use 'secret007' as an encryption key, or leave the back door open because the office is too hot or cold.
Security is getting more political and politics are obsessed with security. Get used to it.
You can't separate politics and security these days, especially when governments use security as an excuse for questionable policies that will cost vast amounts of taxpayers' money and curtail the liberties that our forebears fought for.
In any case, it's every citizen's duty to question the actions and motives of government.
A real problem with the "one ID to bind them all" approach is that it makes that one ID hugely valuable. This week, in the UK, a member of staff at the vehicle licensing department was caught issuing real licenses for fake people. It doesn't matter how "secure" the ID is if you can buy real fakes.
That's exactly why the 'identity token' (card, chip, document, whatever) will always be the weak spot.
Going straight from biometrics, (plus 'something you know') to the database is simpler to implement.
You get challenged, and you can verify. The current systems support checking name/address (something you know), and adding biometrics to this would be straightforward. "He says he's Bob from No. 42, but his combined biometric confidence is 'low', and he doesn't know Bob's PIN. We're going to run some more checks..."
Eventually biometric systems will hopefully mature to the point that not only identity verification, but identity itself ('I've scanned you: You're Charlie Smith.'). This would depreciate any need for 'things people know'.
But all the time people try to get to this point, through arcane middle technologies like 'id cards', there is going to be a world of pain.
Notably, many, if not all of the points in this report are not about the cards, but the data - and are therefore totally applicable to any identity database.
"You get challenged,"
Your Papers, Comrade!
Having lived for the past 15 years in various countries where registration, ID cards etc are compulsory I wonder what all the fuss is about.
The fact that everybody should have an official id does reduce fraud (or "identity theft" in modern slang).
It offers zilch protection against terrorism as terrorists have identities too, and, anyway nobody wakes up in the morning and thinks "I am a terrorist" they wake up thinking "I am a courageous and moral human being who will today further the cause of (/god/animal rights/freedom/my country/ delete as appropriate)" and as such are difficult to distinguish from other well behaved citizens.
There is a single salient fact which the Blair/Bush Ballsup should take note of: in no country where ID cards are compulsory is the government even thinking of putting biometric gee whizery on their ID cards.
I commend the UK for its lack of hypocrisy on the issue; they really don’t have ID cards or any pseudo ids.
On the other hand the USA has the farcical situation where it’s impossible to fly without a driver’s license; how is this not an ID card when people who don’t drive cars are forced to get a driver’s license which specifically forbids them from driving cars?
"There is a single salient fact which the Blair/Bush Ballsup should take note of: in no country where ID cards are compulsory is the government even thinking of putting biometric gee whizery on their ID cards."
Not true, unfortunately. South Africa was making a lot of noise about doing this a year or two back, although I haven't heard anything lately, thank goodness.
The way to fix "identity theft" is to stop using identity-based secrets as a credential, not to introduce ID cards.
The use of ID as a proxy for authentication to reduce fraud through "identity theft" is the wrong approach, driven by the laziness of the banking industry who don't want to take on the liability of maintaining a proper authentication architecture.
As you say, unforgeable ID cards do not do anything to stop terrorism.
But they can most definitely be used as a means of political or personal persecution. At the risk of Godwinning this whole thread, consider, for example, the uses to which the Nazis or Pol Pot would have put unforgeable biometric ID.
Many people are just beginning to see the impact that politics can have on security. There are at least 5 P's involved in security:
* Processes (Business Processes)
@Dom De Vitto: "Eventually biometric systems will hopefully mature to the point that not only identity verification, but identity itself ('I've scanned you: You're Charlie Smith.'). This would depreciate any need for 'things people know'"
...until, of course, some enterprising soul hacks the database. Or, more likely, the security services start establishing bogus "cover ID's".
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.