Schneier on Security
A blog covering security and security technology.
« Three Security Anecdotes from the Insect World |
| Commentary on the UK Government National Security Strategy »
March 4, 2009
Michael Froomkin on Identity Cards
University of Miami law professor Michael Froomkin writes about ID cards and society in "Identity Cards and Identity Romanticism."
This book chapter for "Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society" (New York: Oxford University Press, 2009)—a forthcoming comparative examination of approaches to the regulation of anonymity edited by Ian Kerr—discusses the sources of hostility to National ID Cards in common law countries. It traces that hostility in the United States to a romantic vision of free movement and in England to an equally romantic vision of the 'rights of Englishmen'.
Governments in the United Kingdom, United States, Australia, and other countries are responding to perceived security threats by introducing various forms of mandatory or nearly mandatory domestic civilian national identity documents. This chapter argues that these ID cards pose threats to privacy and freedom, especially in countries without strong data protection rules. The threats created by weak data protection in these new identification schemes differ significantly from previous threats, making the romantic vision a poor basis from which to critique (highly flawed) contemporary proposals.
One small excerpt:
...it is important to note that each ratchet up in an ID card regime—the introduction of a non-mandatory ID card scheme, improvements to authentication, the transition from an optional regime to a mandatory one, or the inclusion of multiple biometric identifiers—increases the need for attention to how the data collected at the time the card is created will be stored and accessed. Similarly, as ID cards become ubiquitous, a de facto necessity even when not required de jure, the card becomes the visible instantiation of a large, otherwise unseen, set of databases. If each use of the card also creates a data trail, the resulting profile becomes an ongoing temptation to both ordinary and predictive profiling.
Posted on March 4, 2009 at 7:25 AM
• 34 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I live in Germany where we have ID cards. But you know what? I never need it. Haven't been required to show it in years. A few years ago I had one which was expired for about 5 years and never really cared.
When I was in the US I constantly was asked for ID, all kinds of personal data and even had to give fingerprints (this was pre 9/11).
ooops. Posted too early.
Here in germany it's mainly the government which wants to see my ID. In the US every Dick and Harry wanted to know all kinds of personal data. Combine that with nearly nonexistent privacy laws and I really wonder what all that freedom romanticism is all about. The real problem isn't the ID card. It's the lack of sensible privacy standards.
Yay Froomkin. Someone finally approaching the real problem, instead of the tin-foil fantasies of border-line schizophrenics. Yes, the problem is how ID is organized, collected, used and disseminated. Every industrialized country in the world has either a de jure or de facto national identity scheme -- and it's actually more dangerous to have the de facto kind which are unexamined and which allow the nut jobs to avoid examining the actual threats, but instead derail the conversation over movie plot threats.
there is already a 'de-facto' ID card,
the 'Driver's License'
although it is sobering how often 'false' Driver's Licenses can be prepared with relatively little difficulty ...
as an aside,
if an un-forgeable ID is the goal,
would a DNA database serve as a reliable un-forgeable biometric ?
"Every industrialized country in the world has either a de jure or de facto national identity scheme"
No, it doesn't. Britain doesn't have a national identity scheme, for example.
@Nostromo: the key word is de facto. Although Britain doesn't have a national identity scheme, there are still very clear requirements for what you need to prove your identity in specific circumstances.
As a Brit, I am personally revolted at the idea of a mandatory ID card, regardless of the actual arguments against it. Frankly, I will not be carrying one, and if I end up leaving, so be it.
@A nonny bunny
If you're going to go to the trouble of looking something up and referencing it you should at least take the trouble to read the article properly!
From the first sentence of the Wikipedia article you linked to:
"...that will eventually be issued to all residents..."
"will eventually = doesn't currently exist
I value privacy greatly. However, I think being able to identify who you are dealing with in a transaction, and verify their or learn reputation, is extremely important.
Government abuse aside, if I am transacting with someone and I care who they are and their reputation, I want to know absolutely they are the unique person I think they are. I want to google them to see how they have popped up in the news.
I am sympathetic to the idea of publishing a national identity number for every guest or citizen of a country, along with their name.
Can this be done in a manner that allows for valid private use, like checking on tennants with eviction histories (assuming their landlord blogs), without government abuse (ie. rounding everyone up with zellers points)?
Doug Ransom: that could just as easily be accomplished in a system where identity cards are voluntary. It would still be up to you to decide whether you want to do business with a particular individual. Whether or not they have verifiable ID would probably be part of that decision. People who are not interested in "transacting" with you should not have to give up their choice to remain anonymous to make it easier for you to research the ones who are.
@'german folks claiming they never need their ID cards'
Guess what, here in The Netherlands, _most_ people never get checked for their ID's either! Cool, eh? Unless of course, you have the "wrong" looks (hair, skin color, clothing).
During a certain period after moving to the NL, one out of two times I went to market (daytime, to buy groceries), I would get a request for papers. Somehow that *never* happened to any of the Dutch colleagues I had at the time (who would all shop at the same place). I had a Greek friend, that would be often with me, police would ask *me* for papers, but not to him.
"there is already a 'de-facto' ID card, the 'Driver's License'"
This is probably true from a US-centric perspective, but getting a driver license in other parts of the world is hard, expensive and even not needed in countries with a good public transportation infrastructure (Switzerland, Japan, etc...).
At the same time the government seeks to remove all privacy for its public, it also needs to increase its own privacy, and the privacy of its agents. In some places it is unlawful to reveal the home address of a police officer. A judge can make it unlawful to disclose information about a trial or crime or witness. As far as I know, nobody has the right to know the name, badge number, or jurisdiction of a police officer.
Ironic how public officers conducting the public business in public need to keep their secrets from their public.
Don't forget that other de facto identifier, the cell phone. That coupled with your internet access trail, tells more about you than any other identifer.
During WW2, "identity cards" were issued in the UK and checked by police etc. In the way of things, the cards survived the end of the war. In 1951 it took one man refusing to show his card to a policeman to collapse the system. The subsequent court cases were before Lord Chief Justice Goddard who said..
"Because the police have powers, it does not follow that they ought to exercise them on all occasions as a matter of routine."
"From what we have been told it is obvious that the police now, as a matter of routine, demand the production of a national registration card whenever they stop or interrogate a motorist for whatever cause. This Act was passed for security purposes: it was never intended for the purposes for which it is now being used."
A year later, ID cards were abolished.
This neatly shows the problem with ID cards, function creep.
(There is also the pathetic assumption that the vast national database that is required to maintain the cards will be full of accurate information. I estimate that 5 to 10% of all addresses will be incorrect at any given time.)
"If you're going to go to the trouble of looking something up and referencing it you should at least take the trouble to read the article properly!"
I did. The scheme exists. That it hasn't been carried out yet is immaterial. You should perhaps read what I was commenting on if you're going to go to the trouble of replying to it.
Excessive use of Latin when there are simple English equivalent phrases does not impress me.
@Nostromo, re DNA as identifier
Yes- but even that can be spoofed. See the movie Gataca.
It's also important (as Bruce has pointed out time and time again) to remember the distinction between identifier and authentication. If someone gets your password, you can revoke it and make a new one. If someone gets a sample/spoofs/clones some of your DNA - how to you revoke that? Ditto for all forms of biometric (retina, vein patterns, fingerprint, etc)
I'm not sure what you believe qualifies as the tin foil hat crowd in this instance. There are plenty of good reasons to reject a national ID card based on evidence of how nations have handled identity in the past.
Our social security cards used to read "NOT FOR IDENTIFICATION." Notice how that lie bore out. Now all of the government agencies (and tons of private institutions) use the number to identify you, and there's no security in a number. It's the key number to steal if you want to commit identity theft. One would guess that problems just like that were envisioned by the very people who instructed that the above message be printed on every card in the first place.
Then there's the problem of the actual technology intended to be deployed. Watch this video ( http://video.google.com/googleplayer.swf?... ) for a look at how easily (and how far away) some government-issued RFID cards can be cloned. It's a long video, but worth it if you're interested in the technology used — which is different from traditional RFID systems and is not the same as Real ID, assuming Real ID would use inductance-based technology like most RFID systems, but has all of the same inherent problems.
All of that said, "Ihre papiere, bitte" is not what I want to hear at those fancy new government checkpoints. The government has no business knowing who I am on the street, should I choose not to tell them, so long as I commit no crimes.
My favorite example of drivers license identity mixups is the Irish police investigation of "Prawo Jazdy".
Someone eventually figured out that's polish for "Drivers License" and not a name.
Since you really don't care about evaluating a past history, will you lend me 50K. Don't worry about my past of defaulted on my auto loan, my last mortgage, and that I only make $20K a year.
Kangaroo, please tone down your rhetoric.
Another Bruce, feel free to try that again when you calm down a little. You started out well, but threats against other commenters are absolutely unacceptable, and your last paragraph was frankly just creepy.
@vedall, et al (DNA)
If DNA was a database field, its relationship with identity would have to be many-to-many. Not a good choice for a primary key!
One DNA to multiple people: identical twins and bone marrow transplants
One person to multiple DNAs: chimeras (supposedly rare, but you can bet it'd be more common if you DNA tested the whole population!), and bone marrow transplants again.
Also the current DNA markers are not designed to be "collision free" at a national database level.
From the article:
"Governments in [...], Australia, and other countries are responding to perceived security threats by introducing various forms of mandatory or nearly mandatory domestic civilian national identity documents."
They are? I live in Australia, and haven't heard anything about this. More than a year ago, there was a push for a unified card, to be called the "Access Card", for access to four specific social services programs of the federal government. In public debate it was feared the scheme could turn into a national ID card system because one of those four programs was the national medical insurance program, Medicare, which is used by nearly everyone.
However the scheme was cancelled in 2007. If that is what is being referred to here, Froomkin's information is more than a year out of date. If it isn't, then I can't think what the heck he could be talking about.
(Caveat: it really bugs me when people criticise a linked article when they obviously haven't read it. However, I tried for several minutes to download it from SSRN and gave up.)
Like Roger, I could not download the article from SSRN.
I value privacy greatly. However, I think being able to identify who you are dealing with in a transaction, and verify their or learn reputation, is extremely important.
Thing is that "identity" and "reputation" are not the same thing. It's this idea which makes "identity theft/fraud" such a problem.
In some cases "identity" can be of little value. e.g. a list of the names, addresses and dates of birth of known shoplifters isn't going to help if you want to know who to keep an eye on in your shop.
i did **not** threaten another commenter. i was responding to "kangaroo"'s torrent of billingsgate, which you left standing. i am accustomed to seeing the false threat characterization as an everyday incident of libertarian v. statist dialogue; seeing it directed against me on a blog which is all about parsing and neutralizing threats only adds to the irony, and i love irony. regarding your unhelpfully unspecific characterization of my text as "creepy", i can only provide the short answer...
american creeps have civil rights too.
you have multiple credit defaults, you only make $20k/year and you want to borrow $50k from me. i have good news for you, you've come to the right place. hard-money lenders don't care about your character, we assume that because you're coming to us (because your bank won't touch you), there may be some checkers in your past. all we care about is the collateral and the interest rate, so....
you must provide local, seizable collateral worth at least $100k (a 50% ltv ratio is prudent in this economy because yes, equities could indeed drop another 50%). you must have clear, unencumbered title, because prudent lenders in this sector don't take back junior encumbrances. you must be willing to sign a positively usurious promissory note...
and one other thing. if your real name is something like osama bin laden, you must get it off the u.s. treasury watchlist of people we're not allowed to do business with, because we don't like the food in federal prison. you do all of these things, and a hard-money lender can get you funded in approximately four business days. i've set up loans for murder convicts, for people who consort with inflatable dolls, for people with thomas kinkaid paintings all over their walls. if you need $50k, find out just how nonjudgmental your local hard-money lender is today!
"As far as I know, nobody has the right to know the name, badge number, or jurisdiction of a police officer" from "Roy"
In Hawaii, policy and procedure dictates that all police officers are required to give their names and badge numbers upon request.
As a side note. There are those posting here who support a national identity card but seem hesitant to post there real names and e-mail addresses here in this forum. Do you honestly think your government is more trustworthy that this site??
In France we have non mandatory ID cards, which are basically marginally more needed for ID purposes than a driving license for most people. If you have one you can voluntarily show it to justify your identity but no one but national police forces can request it. If you don't have one you typically show your driving license or a passport to somebody asking for justification of your identity (for example to pay by check) or requested by national police forces. Indeed when the police request that you justify your claimed identity you are free to use anything, even oral declaration of a properly identified friend.
There are restricted (but not necessarily classified) areas you can not enter without an ID card (entrance is not controlled by the police so you are still free to refuse to give yours, but in this case this would have the unfortunate side effect that you just can not enter...), so for certain jobs the optionality of the ID card is virtual, but you are nevertheless protected by the fact that for the remaining part of the population it is really optional and you are also protected by privacy laws.
Databases can not contain the ID card number (there might be few exception for governmentally operated databases, the obvious one being the ID card database)... Saving other kind of identifying informations in databases is under a declarative regime, but for certain kind of sensitive informations for your privacy (like the SSN) it is a regime of authorization (and I don't think authorizations are given to private operators in the case of the SSN if they don't have a very good reason, like they are a clinic :). And crossing two different databases using nominative or assimilated informations is just forbidden.
Back to cards : if you temporarily let your ID card to somebody (for example to enter in a restricted area as described above) he becomes completely responsible for it until you get it back. Indeed right now I don't have mine on me because I left a restricted area a bit late in the evening last week and the the person in charge of cards had already left, but I'm too lazy to go back there just to get it so I'll wait until I return there for work - for now my ID card is just waiting in a safe, and I can still justify my identity at any moment as requested by law with both my driving license and my social security card (or by calling a friend :)
Citizen of countries in the Schegen space can travel freely to other countries of the Schegen space with just an ID card.
This was to show that ID cards are not necessarily evil. It just depends on how they are used. Of course mandatory (in a whole country) ID cards are IMO a lot more evil that optional ones - especially without reasonable privacy protecting laws. I don't know what is the situation of the United States in this domain.
"This is probably true from a US-centric perspective, but getting a driver license in other parts of the world is hard, expensive and even not needed in countries with a good public transportation infrastructure (Switzerland, Japan, etc...)."
That's a bit of a circular problem, and it would be best to look at the history of each country or region. If large-scale public transit started before uniform national IDs, then its existence tends to pre-empty driver licenses as a official IDs. If driver licensing started before large-scale public transit, then driver licenses become a widely deployed official ID, even if that was not their original purpose.
It's like any other system: you have to look at its history and its interactions with other systems to understand its current state.
@ Ward S. Denker
"Our social security cards used to read "NOT FOR IDENTIFICATION." Notice how that lie bore out. Now all of the government agencies (and tons of private institutions) use the number to identify you, and there's no security in a number."
There is if it's the right kind of number. Otherwise cryptography, which uses numbers, wouldn't work.
The problem with SSNs as ID is the way they're used. They are often treated as if they are a shared secret, known only to the owner and the trusted party (bank, lender, whatever). They are almost as often treated as a publicly known identifier, e.g. embedded in the acct number of my health insurance. It can't work both ways.
I would have no problem whatsoever with publishing my SSN for all to see, if I could be assured that none of the third parties currently having it don't treat it as a secret. But I'm certain that third parties DO use it as a secret, even the credit reporting agencies who should know better by now. That problem won't get solved, though, because for them, it's an externality and not illegal.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.