The ID Divide

Yesterday, the Center for American Progress published its paper on identification and identification technologies: “The ID Divide: Addressing the Challenges of Identification and Authentication in American Society.” I was one of the participants in the project that created this paper, and it’s worth reading.

Among other things, the paper identifies six principles for identification systems:

  • Achieve real security or other goals
  • Accuracy
  • Inclusion
  • Fairness and equality
  • Effective redress mechanisms
  • Equitable financing for systems

From the Executive Summary:

How can these principles be honored in practice? That’s where the “due diligence” process comes into play when considering and implementing identification systems. Due diligence in the financial world of mergers and acquisitions and other important corporate transactions is conducted before a company makes a major investment. Proponents of, say, a merger (or in our case, a new identification program) can err on the side of optimism, concluding too readily that the merger (or new ID program) is clearly the way to go. Thorough due diligence protects against such over-optimism.

In the pages that follow, we apply this due diligence process to some recurring technical problems with current and proposed identification programs. And we discover—as you’ll see toward the end of the report—that ID programs that rely on “shared secrets,” such as Social Security numbers or your mother’s maiden name, are becoming more insecure due to the increased use of identification. Similarly, ID programs based on biometrics such as fingerprints or iris scans are not the “silver bullets” that some proponents claim they are, but rather could become compromised rapidly if deployed in haphazard ways.

We then apply our progressive principles and due diligence insights to two current examples of identification programs. The first details why it would be bad policy to require government-issued photo ID for in-person voting. The second shows the basically sound policy rationale for the Transportation Worker Identification Card, used for workers with access to security-critical port facilities. By examining one identification program that is reasonable, and one that is not, our analysis shows the usefulness of the Progressive Principles for Identification Systems.

I participated in the panel discussion announcing this report, along with Jim Harper (Director of Information Policy Studies at the Cato Institute).

Tags: , , , ,

Posted on June 4, 2008 at 6:34 AM50 Comments

Comments

Fred P June 4, 2008 7:37 AM

I guess my point of confusion (which wasn’t cleared up by reading the paper in question) is why major port facilities are considered “security-critical”.

thseeling June 4, 2008 7:48 AM

bad policy to require government-issued photo ID for in-person voting

this is fact in germany for 60 years now and I’m not aware of major election being forged.

TheDoctor June 4, 2008 8:38 AM

Being a german too I would like someone to explain me in short words why there is such a dislike of “government-issued photo ID” in the US.

I don’t want to start a flame, I simply don’t understand it, but I’m willing to learn.

Chris S June 4, 2008 9:04 AM

Re: dislike of government-issued photo id

No guarantees on this answer, but I’ll try for a short version. It comes in two parts.

One – the U.S. was founded by people who were rebelling against their own government. A fundamental distrust of government exists to this day.

Two – in principle, almost all of the U.S. government system operates bottom-up. The assumption is that the very lowest level of government — the individual — has the ultimate authority, and authority is granted upwards only as needed. Google search on “states rights” to get some idea of this. Note that in the U.S., most police forces are local, and sheriffs are locally elected. Law is by default at the smallest level – the community – and devolves upward only as needed.

Government issued photo id smacks of the government controlling who you are. Without the id, you are nothing. The supported view is that the default condition is that humans do not need id, and you’ll have to conclusively prove something has to be done by government before the collective authority – the will of the people – can be brought to bear.

Of course — this is the principle — reality may be somewhat different.

Aaron Massey June 4, 2008 9:04 AM

bad policy to require government-issued photo ID for in-person voting

this is fact in germany for 60 years now and I’m not aware of major election being forged.

Absence of evidence is not evidence of absence. Regardless, I think the point is that generic “government-issued photo ID” is simply the wrong credential to be using for elections because it doesn’t achieve the goal.

TheDoctor June 4, 2008 9:15 AM

@Chris S:
Thanks, that’s what I was asking for, I understand the principle.

Davi Ottenheimer June 4, 2008 9:20 AM

Funny this should come up today. Just yesterday I spoke with someone visiting the US who told me they walked into a voter station and filled out a ballot. “What were you thinking?” I asked in disbelief. “It’s good to vote, isn’t it?” they responded. They explained: “When I walked in and told them I don’t live here but I wanted to know what was going on, they gave me a ballot and told me to fill it out. Is it ok that I said I am a Republican? What does that mean?”

True story.

Alex June 4, 2008 9:26 AM

As an American in favor of a national ID (in spite of its flaws), I can try to explain it to you Germans. First, there’s a reticence about having the government assemble information on people – seeing it as an invasion of privacy. This argument appeals to conservatives and libertarians of left and right persuasions, and explains why a US governor would refuse to enforce federal ID requirements for flying.
Liberals, on the other hand, are opposed to ID requirements for voting because they are generally thought to disenfranchise the poor and minorities. Generally government-issued photo ID in the US is 1) something paid for by the individual, and 2) something associated with driving, and thus somewhat less necessary in the inner city. In fact, right wing activists have in the past used false rumors of ID requirements (and criminal record checks) to scare off inner city voters (who tend to lean left).
To me the solution would seem to be rather obvious – that government required photo ID should be provided by the government. (And also that the Social Security Administration should no longer be the primary overseer of identification in America. That’s just idiotic.)
I’ll leave the security and identity theft issues to Mr. Schneier.

Aaron Massey June 4, 2008 9:27 AM

@TheDoctor

The principle (Achieve real security or other goals) detailed in the paper that addresses this as applied to elections can be stated as: “The identification system for elections shall ensure that only eligible voters are allowed to cast their ballots.” All that is important is that the person wishing to vote is an eligible voter. Eligibility may mean that the voter is registered in the right county or that they haven’t already voted in this election, but it doesn’t have anything to do with having a government-issued photo ID.

Bruce makes a similar case about airport security. You don’t really care who all the people on your plane are. You care whether or not any of the people on the plane are planning to blow it up. These are different security goals.

In the case of the election, the kind of voter fraud that photo IDs are meant to address is the one-at-a-time kind, which is not only inefficient, but risky. The paper talks about this on pages 28 and 29 if you are interested.

@Chris S

Those are good points about the United States, but I think this principle applies more broadly. It’s not a philosophical or political debate, IMHO. The “solution” of government-issued photo ID is simply solving the wrong problem from a security standpoint. Just my two cents… 🙂

Peter Pearson June 4, 2008 9:55 AM

To clarify the voting situation for foreigners: Outside the building where I voted yesterday was a sheaf of about 25 pages listing the names and addresses of everybody registered to vote at that polling station. It is expected that many people will look at it before going inside to vote. Inside, all you need to do to get a ballot and vote is to assert that you are Person X from address Y, an assertion that a poll worker checks against a copy of the sheaf outside. The only ways you can get caught stealing Person X’s vote are (1) if the poll worker happens to know Person X, or (2) if Person X has already voted, in which case his name has been crossed off on the inside list. If Person X comes in later to vote, it will be discovered that there is a problem, but you won’t be caught.

I wish I could request a mark by my name that means “This voter wants you to check his photo ID.” People without ID wouldn’t request it, and people with ID could comfort themselves with the thought that anybody trying to steal their votes might get caught.

Paeniteo June 4, 2008 10:05 AM

“Eligibility may mean that the voter is registered in the right county or that they haven’t already voted in this election,”

How to do this without government ID?

You may vote if the local grocery store owner knows you?
Avoid repeat votes by forcing voters to stick a finger into a glass of ink?

Shane June 4, 2008 10:10 AM

I don’t really see eye to eye with this:

“12 nuns were turned away from voting booths during the Indiana presidential primary because they lacked state identification (none of them drives), a stark reminder that the recent Supreme Court ruling that upheld Indiana’s voter ID law poses lasting consequences to our democracy.
[…]
Those 12 nuns are among 20 million other voting age citizens without driver’s licenses, and they join those 26.5 million veterans and many millions of other Americans who suddenly find themselves on the wrong side of what we call the ID Divide.”

Be that as it may, not having a driver’s license does not prevent anyone from participating our ‘democracy’. There are at least two other forms of state/federal issued picture IDs that I can think of. If the nuns in question couldn’t be bothered to fulfill the prerequisites for voting in our ‘democracy’, then I’m not shedding any tears for their inability to vote during the primary. While it may not be even remotely fool-proof, it is at least a decent effort at maintaining the validity of said ‘democracy’ by at least attempting to prove that the person in question A) is a citizen of our country and a valid voter for the district in question, and B) hasn’t already done so.

Lame opening in my opinion…

Paeniteo June 4, 2008 10:12 AM

@Peter Pearson: “…list of voters…”

How does one get a name on that list?
While the election itself may be somewhat secure (you can still vote for people that you know won’t come to the ballot), it appears that it should be fairly easy to get oneself on the list twice or on lists of different districts. Don’t tell me that the public display of the list could prevent that apart from very obvious fakes.

Carlo Graziani June 4, 2008 10:42 AM

In most Western nations, the identification issue is bound up with the census issue, in the sense that there exists a national registry to which every citizen is entered at birth, and from which every citizen is removed at death. The registry is operated by the government — and in fact, this is recognized by consensus as a core function of government. All identification can be traced back through a layer or two to this registry.

Since the government is generally trusted with this function, identification is uncontroversial. Generally-speaking the system has not been abused, and certainly not been used as a tool of tyranny. The registry also allows the government to know the nation’s demographic profiling, and so to allocate democratic representation appropriately.

In the U.S., where we are incapable of learning any lessons from abroad, it is considered axiomatic that to grant such knowledge to the government is to guarantee its abuse and invite tyranny. But of course this ideological attitude doesn’t change the necessity of strong identification, authentication, and demographic profile, so instead, we adopt a patchwork of comically ineffective workarounds.

We attempt to ascertain our key demographic profile through the decennial farce of the National Census, which naturally regularly devolves into a highly politicized feces-throwing party over who may or may not be counted, and how.

We let banks and phone companies vouch that we are who we say we are, despite the fact that they really have neither the means to do so nor any interest in providing this sort of service with any meaningful level of guarantee.

And, in another patho-ideological self-inflicted injury, we allow our worship of private enterprise to blind us to the fact that the agencies to whom we have delegated the strongest and most pervasive identification authority — credit agencies — are essentially unregulated, unaccountable to us, have zero interest in privacy, and regard personal data integrity guarantees not as an absolute requirement, but rather as something to be traded off against built-in fraud levels to achieve optimal business efficiency.

The other Western nations have got it right. Personal identification is a core function of government. It cannot be delegated, any more than national defense (Blackwater notwithstanding). I think it might require a national catastrophe — levels of fraud making U.S. identification the equivalent of Weimar currency — to force us to accept this, though.

peri June 4, 2008 10:50 AM

@Paeniteo:”How to do this without government ID?”

In the full report there were ~40 pages divided into six sections; one of those sections was entitled “Authentication over Identification,” although it might just as easily have been titled “How to do this without government ID.”

I would summarize the answer as to getting exactly one “magical token” to each voter. These tokens have the property that they evaporate when the leave the intended voter’s custody — either when the person votes or attempts to sell their right to vote. This token is “magical” in the sense that any technology we don’t understand yet is magic. Further into the paper it becomes evident that cell phones seem a promising means of implementing magical tokens.

Daedala June 4, 2008 10:53 AM

Another problem with government-issued IDs being used for voting is that they arguably become a de facto poll tax. The U.S. has a nasty history of using poll taxes to disenfranchise groups of people.

Poll taxes are against the 24th Amendment. Is a state-issued ID a poll tax? Well, the last poll tax in the U.S. was $2 in 1966 in Mississppi (yeah, using Wikipedia for this). According to the inflation calculator, that’s $13.02 in today’s money. If I read the Mississippi DMV web site correctly, the fee for a new ID card is…$13. http://www.dps.state.ms.us/dps/dps.nsf/divpages/hp2ds-fees?OpenDocument

Ok, I had no idea that would work out so neatly. Wow.

The requirements for RealID are such that it seems likely those cards would cost more.

alan June 4, 2008 10:54 AM

The problem here is that the list of “acceptable documents” keeps getting smaller and smaller. It is assumed that everyone can get a copy of a birth certificate. That works if you are young. It does not work for people who lived in the age of flammable paper records. Court houses burn. Records are lost. If you have had all the other documentation, lived here all your life and then someone starts asking for a document that you have never seen and cannot get, what do you do?

Most of the “proof of papers” requirements for voting have been to disenfranchise people who are more likely to vote for one political party over another.

Many of the “proof of papers” requirements have been designed to make it harder for non-white people to get jobs.

These requirements almost always have another motive, rarely ever a good one.

EntropyIncreases June 4, 2008 11:05 AM

I was amused to see the presentation recommending the cell phone as computerized device to aid in identification and authentication. The security on PDAs has recently come into focus as being extremely weak, weaker than laptops.

While there is a nod to the fact that this technique is subject to those with a device available, it is remarkable this document which Mr. Schneier pushes contains the advocacy of cell phone use to bridge the id divide in a document which finds a photo id to be too burdensome and which requires government pay for it (a not unreasonable request). I guess the government should supply a smart id device to everyone.

Paeniteo June 4, 2008 11:18 AM

@peri: “…magical token…”

I admit not having read the article (yet)… ;-(

Anyhow, with a magic token, an attacker would need to attempt to obtain more than one token (i.e. two mobile phones).
Same issue like with the public voter lists by Peter. You just move the attack one step in front of the actual election.

Quercus June 4, 2008 11:50 AM

Re: Gov’t ID in the U.S., there are two issues:
1) Creating a new national ID. There are emotional objections to central authority as well as technical concerns about doing it poorly (such as ending up with too many security eggs in one basket).
2) is requiring some kind of (currently existing) ID to vote. While in theory there may be plausible justification, in fact there have been no documented cases of even suspected fraud that such a requirement would have prevented. The requirements are actually being pushed by Republicans because virtually all of the affected voters (urban, minority, student, and/or elderly) vote Democratic.

peri June 4, 2008 11:56 AM

@Paeniteo: “Same issue like with the public voter lists by Peter.”

It’s not the same issue because if “magical tokens” are broken then voting is broken. With national IDs when voting is broken you also get identity theft for free.

Anonymous June 4, 2008 12:05 PM

You can in AmeriKa decline to provide ID when challenged for ID and not be arrested for lack of ID.

t June 4, 2008 12:13 PM

“Inside, all you need to do to get a ballot and vote is to assert that you are Person X from address Y, an assertion that a poll worker checks against a copy of the sheaf outside.”

Take it up with your state legislators. In Indiana, the rolls aren’t posted, and voters’ signatures are recorded. It was this way even before we started requiring government ID.

“Avoid repeat votes by forcing voters to stick a finger into a glass of ink?”

What’s wrong with that? Simple and effective.

Anonymous June 4, 2008 12:34 PM

@TheDoctor

The real reason we don’t like the idea of a national ID is:

a) at present all ID except tax-id and federal employee ID is locally based. My local government has my birth certificate, issues my driving license, and has all my property records. The Feds just know where I work and how much money I owe them (mostly they know that, sometimes we have disputes) (generally I am right but they win).

b) given this lack of uniform infrastructure, the Feds will have to make the requirements and procedures uniform, and each of the 50 states start with different requirements, forms, and infrastructure around collecting and issuing ID information. Some don’t even have photos on the ID, some require more or different proof-papers, etc. All have a staff and fee structure for issuing ID. Most States will have to change their procedures in some way, generating costs and departing from the will of their citizens. (the rules got that way somehow, changing them will offend someone. Usually the ones that made the rules)

c) In most jurisdictions, the power to create, keep and (most importantly) collect fees for all this infrastructure is a political plum and a source of revenue. Not that they charge extra or line official’s pockets, but the officials get paid and they employ people to do the work, and the fees pay for the work. And which people get appointed to the paying jobs and employed to issue ID is largely up to the party in power. If the Feds nationalize IDs, all those jobs, that money, and most importantly that power to influence who gets the jobs and money, transfers away from the State to the Federal government (where the party in power may be different, but in any case is less impressed by local influences).

d) Oh and all that constitutional and cultural stuff is valid, also. These are just some of the more practical concerns 😉

Jeff Dege June 4, 2008 12:47 PM

That they are applying “their progressive principles” in their analysis suggests, to me, that they engaged in partisan politics, not research.

Aaron Massey June 4, 2008 1:39 PM

@Paeniteo Re: “How to do this without government ID?”

Consider for a moment the simplest “magic token” there is: a physical, paper-based, vote card given out to voters when they register. This card could contain information such as the county or district in which they registered and a randomly assigned, untraceable card number. The number could be recorded at the time the vote is taken to prevent repeat votes.

There are obvious flaws: What prevents someone from stealing, selling, or manufacturing a vote card? Of course, these are also flaws with driver’s licenses and many other government-issued photo IDs.

Are there any benefits? Well, one difference is that when someone illicitly obtains a driver’s license, they can now use if for anything we use driver’s licenses for. Given the ubiquity of use, a driver’s license is pretty valuable. A vote card is a credential that could only be used for voting. Thus, even a very, very simple solution might be better.

Government-issued photo ID is actually not traditionally required to vote. In fact, only three states currently require it, so it makes sense to look at traditional approaches. As the report mentions, these include allowing a person to state their identity on penalty of perjury or allowing someone to use privately-issued means of identification such as a bank statement or utility bill.

Remember that the key security problem in elections is not to avoid the onesy-twosy opportunities for voter fraud. The key is to avoid voter fraud on a scale large enough to swing an election. The report details how requiring a government-issued photo ID would disenfranchise voters on that sort of scale.

Markus F. June 4, 2008 1:56 PM

Maybe it’s interesting to someone to see, how the ID is working here in Germany:

Our ID-cards are issued by the Landkreis (~ county), so they are not coming from the federal gouvernment. The Landkreise are responsible to maintain a register of residents (Einwohnermelderegister). Everybody is entered first time at the register of his or her place of birth. This register will keep a record of this persons whereabouts for all his or her life.

If you move your place of residence, you have to give notice to your former register and register yourself with the new Landkreis within one week (in theory, in practice anything under three months has never been a problem). The new register puts a stamp with your new address over the old one on your ID-card and sends a notice to the register at your place of birth.

If you need a new ID-card, you apply at your register of residence, hand over a recent photo, sign the form (the signature will be transfered to the ID card), and you pay 8 Euro (~$11). Two to five weeks later the ID card is ready for pickup and valid for the next ten years.

It is mandatory for every citizen over the age of 16 to own an ID-card, but you are not obliged to carry it around. Almost everyone does none the less, because it is the easiest way to prove your identity in whatever case that might be useful.

The cards are trustworthy, almost impossible to fake or alter unauthorized. So everyone uses them for every kind of identification. Identity theft is virtually unknown here, because an identity check is so easy.

Aliens with a place of residence in Germany get a Meldebestätigung, which is essentially the same thing, just not with the certificate of citizenship and valid only together with that persons passport.

Skorj June 4, 2008 2:45 PM

@Daedala

I like your math on the poll tax. Imagine a world in which a government that collects billions in tax revenue could issue an ID card without charging a fee specific to the card, allowing ID without a poll tax. It would be cool to live in that world: they’re smarter than we are.

++Don June 4, 2008 4:11 PM

@Daedala:
That did work out very conveniently, but you’re overlooking one thing. You only pay for a driver’s license once every several years: when you initially get it, and then every time you renew it. But you have to pay a poll tax every single time you vote. I’m not saying that the ID requirement isn’t a de facto poll tax, just that the $13 coincidence isn’t as relevant as it appears at first blush.

Horatio June 4, 2008 5:26 PM

“That they are applying “their progressive principles” in their analysis suggests, to me, that they engaged in partisan politics, not research.”

You beat me to the punch. The use of the word “progressive” carries all sorts of baggage associated with a political philosophy that is anathema to roughly half the country.

Eliminating this word from the report (and the associated positions that reflect the connotation of the word) would have made it more effective in reaching more people. I stopped reading when I scanned the PDF document and saw “progressive” used numerous times. My reaction was – “What political agenda are these folks pushing?

Paeniteo June 4, 2008 5:59 PM

@Aaron: “Consider for a moment the simplest “magic token” there is: a physical, paper-based, vote card given out to voters when they register.”

Assuming that the paper card itself is secure, the issue of obtaining two or more cards at the voters’ registration remains.
No matter where, you need to make sure that the same person cannot do something twice: Either voting or registering to vote.

btw, explicit registration for voting is another weird thing in the US (in german eyes 😉

JX June 4, 2008 7:48 PM

@ Markus F

“The cards are trustworthy, almost impossible to fake or alter unauthorized.”

I would suggest that this isn’t the case at all. All ID cards can be faked. It’s not like they are priceless Picassos in a museum–which would require the forger to go to the museum to examine it…the item to be forged is in your wallet right now.

The reason the German ID card is “trustworthy” and fraud low is simply the fact that it doesn’t do anything all that spectacular. It’s mostly a bureaucratic document that handles a lot of minor transactions. Ask yourself the question…how much money (or money equivalents) can you get for having a card with someone else’s name on it? Typically the answer from a European is “not much.”

In the US, identity theft is an issue more because you can achieve so much so quickly with someone else’s identity. Our on demand credit system is a lot of the problem.

Compare to the time when we didn’t have photos on our licenses–no fraud at all. Not because the document was impossible to forge…it was crazy easy to forge, it was just that there was no point in doing so.

Caleb D June 4, 2008 8:26 PM

I was one of the participants in the project that created this paper, and it’s worth reading.
Bruce not that I don’t think anything you write, or collaborated on writing, is not worth reading, I wouldn’t be reading your blog otherwise. That being said I was wondering if you thought there was anything you had written that was worth reading?

@Daedala
Driver licenses supposedly are supposed to help pay for our roads. They don’t and that’s why it pisses me off every time anyone says anything about how we shouldn’t subsidize amtrac.

Caleb D June 4, 2008 8:32 PM

That being said I was wondering if you thought there was anything you had written that *wasn’t worth reading?

Caleb D June 4, 2008 8:33 PM

That being said I was wondering if you thought there was anything you had written that *wasn’t worth reading?

Fusion June 4, 2008 11:43 PM

Am I missing something? Today I read that Washington DC police are preparing to cordon off neighborhoods and let no one in who can’t show that they live there or have good reason to visit – and can be arrested if insufficiently convincing…

And RealID is supposed to become necessary to go aboard an airliner…

Then there’s the cliche, right out of 1930s Germany and the USSR: “Your papers, citizen?”

There’s a whiff of totalitarian control in any widespread ID system that needs to be scotched outright.

ths June 5, 2008 2:23 AM

to add some more information about election in Germany (leaving aside some special cases like mayor elections and run-off ballots): when preparing an election, notices are sent out as postcards to all registered citizens eligible for that election. All postcards have a serial #. You have to bring either you ID or the post card (recommended both) to the place of election. The postcard is only valid for exactly this place of election unless you applied in advance to elect somewhere else in which case you’d have received a differently printed postcard (quite easy to achieve).
At the time of election the postcard is compared against the register of issued postcards, and ticked off (to make its usage a singleton) and then you are handed out the ballot. If you are not personally known you might get asked for your ID to verify that it matches the postcard you showed. If you lost the postcard you can still vote by showing your ID. If in this case the postcard serial# is already ticked off in the register you have a proof of an attempted forgery. As soon as the postcard serial# is ticked off it cannot be used. If the thief then showed up afterwards …
The fact of sending out election postcards is announced in the local papers so you know you have to expect your postcard in the next few days, and you can complain if you don’t receive it.

Paeniteo June 5, 2008 6:06 AM

@JX: “Ask yourself the question…how much money (or money equivalents) can you get for having a card with someone else’s name on it? Typically the answer from a European is “not much.””

You could for example use it to open a back account which you then can use for all kinds of fraud.
It is not strictly necessary to get “someone else’s name” on the ID card. A pure fantasy name will be sufficient.

It’s still probably not worth it to try and fake an ID card – but at least partially this is because they are rather hard to forge to begin with.

peri June 5, 2008 9:18 AM

@Paeniteo: “It’s still probably not worth it to try and fake an ID card – but at least partially this is because they are rather hard to forge to begin with.”

As covered in the paper, when an ID (Personalausweis) is used everywhere then a forgery can also be used everywhere.

Further, Froogle quantifies “rather hard” at $7,000 (€4,567):

http://de.wikipedia.org/wiki/Personalausweis
http://www.idzone.com/Merchant2/merchant.mvc?Screen=PROD&Product_Code=P520i-0000U&utm_source=froogle&utm_medium=cse

Markus F. June 5, 2008 11:09 AM

@JX: “All ID cards can be faked.”

No, there are only a handful of forged German ID-cards a year and all of them are really bad. German ID-cards are fake proof, probably unless you have a highly modern government-like forgery at hand.

Our ID-cards have a photo, a holographic digital representation of the same photo, signature, several kinds of microprint, several traditional watermarks, one only visible in UV-light, two more different holographic watermarks (one of them a “red dot”, that can only be read by special equipment and so far there is no known way to reproduce) and the sheet, the card is laminated with, has itself another watermark.

Here is a list of the security features (German only):
http://www.bundesdruckerei.de/de/kunden/kunden_government/governm_persPass/persPass_sichmPersausw.html

The Bundesdruckerei, the company that produces them, is the leading printer of secure documents in the world.

I have never heard of any decent forgery, and I probably would have. A few months ago the president of the Munich police force confirmed to an audience that included me, that they have never seen any forgery worth a third look.

JX June 5, 2008 12:08 PM

@ Markus F

Again, I maintain that all ID cards can be faked. Some harder than others to be sure…and that might lead to other methods instead (bribery of officials, using bad breeder documents.)

Law enforcement often spin the line about not seeing any fake ID cards, but in this instance I believe it to be the case, mostly because, again, there really isn’t much of a value to a faked Personalausweis–so there’s not much reason to try.

But again, I come from a security culture which has a low faith in the companies and institutions which support the ID card system and a high faith in the abilities of counterfeiters and fraudsters. (And I’ve not seen anything which has changed my opinion in this regard.)

For me, your statements are unnervingly naive and quaint, but for you, my statements are…haha…I don’t know, I’m not you. 🙂

Christoph June 5, 2008 12:48 PM

JX: You are probably right the cards can be faked, but I am pretty sure that you would need very expensive equipment for that. And one thing is certain: It is far more secure than using a social security number for authentication purposes. And I do not think that a German ID card is worthless: If you have an ID card with someone else’s name (and date of birth), you could probably go to his bank and get all his money; you could travel under his identity, and so on.

jnarvey June 5, 2008 2:17 PM

Evidently, one would be mistaken to presume that due diligence is already an SOP for governments and institutions adopting identity management technology. Good for Bruce to call them on it. At boonbox.net, we’ve been devising solutions for identity and password management (Read more here). It’s not just an issue for people trying to protect their information (in the voting booth, at the border or online). There’s a huge loss of productivity (and a corresponding hit to the bottom line) when IT departments don’t have an automated solution on hand to manage IDs for a large group.

djproscribe June 6, 2008 12:08 PM

In terms of the German system, you are missing the clear differences in terms of numbers of people and space. Comparatively speaking, Germany is not that big and does not have that many people.

It is comparatively easy to die and not have it recorded anywhere in the US. It is less simple to be born and not have it recorded, but it happens.

When you look at the amount of data that would have to be collected and maintained accurately by the federal government to create and manage accurate, reliable citizen ID cards — well, it simply cannot be done.

And if the ID card held sufficient value, there would be people driven and smart enough to find a way around it.

Perhaps those nuns chose not to participate in the day-to-day life of the community and previously had no need for an ID. Requiring someone to take the time and travel and wait for an official ID creates a de facto poll tax.

peri June 6, 2008 1:14 PM

@Markus “the Munich police force confirmed to an audience that included me, that they have never seen any forgery worth a third look

How many times they were accepted before they were recognized as fakes?

Markus F. June 7, 2008 4:09 AM

@djproscribe: Comparatively speaking, Germany is not that big and does not have that many people.

Germany has a population of 83 Million people. Compared to the 300 Million of the US, that’s the same order of magnitude.

paul June 8, 2008 8:46 PM

Forgery of the ID by an outside party is not that high on the list of ways to get a fraudulent government-approved ID. Deceiving or suborning an employee in the ID-issuing authority gets you the real materials with false information on them.

And any time you convert to a “fraud-proof” method you have to either do background checks on every citizen or else accept that all current false ID will now become real.

(Another explanation for the US aversion to centrally-administered ID may arise in the fairly recent history of corrupt or criminal local governments demanding identification of members of various disfavored groups.)

JimFive June 9, 2008 9:50 AM

@Horatio and Dege

Learn English. Progressive (in this context) means that it progresses from level 1 to level 2 to level 3, etc. Each level building upon the foundation of the previous levels.

You might note that the Cato institute is a libertarian (leaning) organization.

JimFive

peri June 11, 2008 4:55 PM

http://news.wired.com/dynamic/stories/T/TEC_HACKING_UTILITIES?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2008-06-11-07-48-41

Citect: It doesn’t connect to the interet. CitectSCADA is unbreakable!

Security Expert N: Seems some people have connected it to the internet…

Citect: (high pitched) What!? They’re not supposed ot do that!

Security Expert N: Oh look, your buffer overflows are quite a handy feature for allowing anyone on the internet to remotely control utility grids…

Citect: (uncomfortable silence)

Security Expert N: Sorry who was next in line? Wasn’t there someone going on about how “German ID-cards are fake proof”?

windscar June 12, 2008 3:01 AM

The Center for American Progress is a smart left-wing think tank, just as the American Enterprise Institute is a smart right-wing think tank.

Don’t both sides have something to offer?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.