Schneier on Security
A blog covering security and security technology.
« Terrorists Targeting High-Profile Events |
| Emotional Epidemiology »
December 8, 2009
Using Fake Documents to Get a Valid U.S. Passport
I missed this story:
Since 2007, the U.S. State Department has been issuing high-tech "e-passports," which contain computer chips carrying biometric data to prevent forgery. Unfortunately, according to a March report from the Government Accountability Office (GAO), getting one of these supersecure passports under false pretenses isn't particularly difficult for anyone with even basic forgery skills.
A GAO investigator managed to obtain four genuine U.S. passports using fake names and fraudulent documents. In one case, he used the Social Security number of a man who had died in 1965. In another, he used the Social Security number of a fictitious 5-year-old child created for a previous investigation, along with an ID showing that he was 53 years old. The investigator then used one of the fake passports to buy a plane ticket, obtain a boarding pass, and make it through a security checkpoint at a major U.S. airport. (When presented with the results of the GAO investigation, the State Department agreed that there was a "major vulnerability" in the passport issuance process and agreed to study the matter.)
More than 70 countries have adopted the biometric passports, which officials describe as a revolution in immigration security. However, the GAO's investigation proves that even the best technology can't keep a country safe when the bureaucracy behind it fails.
No credential can be more secure than its breeder documents and issuance procedures.
Posted on December 8, 2009 at 6:05 AM
• 60 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"even the best technology can't keep a country safe when the bureaucracy behind it fails"
And the bigger the bureaucracy the more chance for failure.
Speaking of passports:
8:27 GMT, Monday, 7 December 2009
'Fake fingerprint' Chinese woman fools Japan controls
A Chinese woman managed to enter Japan illegally by having plastic surgery to alter her fingerprints, thus fooling immigration controls, police claim.
Lin Rong, 27, had previously been deported from Japan for overstaying her visa. She was only discovered when she was arrested on separate charges.
Tokyo police said she had paid $15,000 (£9,000) to have the surgery in China.
It is Japan's first case of alleged biometric fraud, but police believe the practice may be widespread.
first to do: educate your police, and other (security) personnel.
i don't know how the most passports (or driving licence, IDs, other docments) in the world look like. and i don't know how to recognise counterfeit.
i have to think about a little story i read in the german book "Ratloser Übergang" by Bernd-Lutz Lange. the story (3-4 pages) "Back to the German Reich" (in German of course) is about the author meeting a man greeting him with the words "Heil dem Deutschen Reich" (you understand that?).
He is astonished, and finds out that he met someone from the "Deutsches Reich"-movement.
They have IDs, and driving licenses and even a chancellor (whoever votes the guy). and now the joke: Mr. Lange wrotes, that it's not falsification of documents, because there is no German Reich. legally the documents are only fantasy IDs.
i did no research, maybe he is just entertaining. but a good book.
In Britain and Ireland and (I think) other European countries it is standard for a passport to be verified through two forms of security -- the official (birth certificate, etc) and the personal -- the photograph has to be signed by someone who really knows the applicant. For Britain the person signing needs to be someone who holds a passport, isn't a relative, and has known the applicant for at least two years, for Ireland they need to be a bank manager, priest, teacher or doctor. This isn't foolproof, obviously, but it's the kind of intersection of systems that makes it harder to fool -- you'd have to be able to forge the document and get someone to go along with you knowing they would later be traceable if you were discovered.
I think it's because passports have this double layer of security that we feel so very annoyed at being additionally fingerprinted every time we enter the US.
This is an issue of "input validation" it seems. When the data of the application are put into the computer system, those discrepancies should easily be detected.
As it's Xmas time and it' (historacly) on topic,
Can anyone remember just why Joseph and a heavily pregnant Mary spent six days walking 160 miles to end up in a stable?
Yup to get their ID checked.
With a large and mainly unknown population you have three choices,
1, Top down ID system
2, A Web of trust
3, Realise you are wasting your time.
Most passport systems are at the "web of trust" stage. The idea of Bio-passports will eventualy use your genetics to decide if you are who you say you are.
However as can easily be seen moving from a web of trust to a top down system is fraught with issues.
Also we are discovering through the likes of Publick Key systems that the top down process has as many flaws as the web of trust.
At the end of the day you are who you say you are unless some one says otherwise.
The assumption is of course that there is no legitamate reason to be somebody else.
Why go through the back door when the front is open anyway.
I was issued tags for my vehicle three years ago, in one particular state. When I attempted to renew them the following year, they could find no record of the license. I pushed back and contacted the DMV in the capital. They spent a week looking, but finally told me to just get new ones. They could not find any information on that tag number.
I'm not sure this is entirely relevant, but I realized after this is was possible to break bureau records, even in a heavily guarded computer based system. More red tape does not make it work better.
Just for the fun of it have a think on this.
Those born in NI have the right to hold a UK passport or a Eire passport.
Both countries have a simple process by which you can change your name.
To add to the fun in the EU an EU citizen currently has a right of residence in any part of the EU.
At one time in France joining the FL and doing what you where told to do for a suitable period of time entitled you to a "Clean French Citizenship".
Can anybody realy see passports getting sorted out in the next three generations?
A simple analysis of the problem will show that the cost far out weighs the savings. At around 500USD equivalent per person with over 6 Billion people world wide we are talking mind numbing sums that for many countries is beyond their gross national production.
So it's probably always going to be a system with more holes than a second hand pair of string underpants...
> For Britain the person signing needs to be someone who holds a passport,
So: No one in Britain has a passport? How did the first passport get issued, if no one could sign it? (Yes, I know the answer to this question, however it emphasizes the point that this type of standard is absurd as it was grafted on to an existing system.)
> but it's the kind of intersection of systems that makes it harder to fool
It seems to me that it just creates a grey market in passport photo signatures.
"I realized after this is was possible to break bureau records"
You are onto something here - I learned this from a colleague who went on to become a world-class computer security analyst: if you can make a system crash, you (likely) can break its security. This concept surprised me: it wasn't intuitive, but I came to understand it.
When a system is capable of making gross errors (like losing the license record), such a flaw can be subverted by a fraudster.
The problem with using seed documents is, at a theortical level, unsolvable. We keep trying to push it back as far as possible, but birth certificates aren't particularly secure, not everybody has one, and they don not provide any proof of identiy, just proof of birth. We want but can't have a system that proves "I am who I say I am." The best that we can do is a system that is persuasive proof that "I am the same person who claimed to be who I say I am at some time in the past." The sooner that national ID proponents and the public realize this, the sooner we can have a dialog on whether that second statement is worth the costs of programs that are intended to look like they prove the first statement.
It's even funnier than that. Irish citizens don't need a passport or ID to enter Britain.
So when ID cards are made compulsory in Britain the only people not required to carry them will be that section of the Northern Ireland community that have, shall we say, strongly identified with the Irish republic !
In American terms thats rather like exempting only Shite Iraqi's from needing a Visa to enter the US!
Having a member of a profession sign the passport photo worked in the 1950s but not today.
They recently expanded the 'professions' allowed - so chiropodists and airline pilots can now swear who you are, as can any religous minister, journalist or local counicllor (now there's a trustworthy bunch).
The computer system to check that the birth certificate copy you are supplying doesn't have a matching death certificate (the day of the jackal attack) is still delayed.
The best you can really hope for is that you stipulate: if you select an identity, you have to stick with it. To a certain extent, when you consider juvenile legality etc, it doesn't matter if your parents christened you Jim Clarke and you wish to conduct your life and business as Ahmed Rafsanijad. As long as this identity is maintained tied to all your activity across driver's license, state ID, and passport since the age of 16, 18, 21, or whatever. This isn't perfect, but then at least, the system only has to oversee that people maintain this identity and don't have multiples.
Last week the UK government started issuing UK ID cards to volunteers in the Greater Manchester area. There are about 2.5 million people in the area and about 1000 had previously signed up as interested in obtaining an ID card. A government minister admitted that there were currently less than 700 people in the ID database (the total UK population is about 60 million.)
You have to apply in person, and provide some evidence of ID (such as a passport!) If you pass whatever tests they think appropriate in the interview, photographs and fingerprints are taken. You then have to provide answers to five out of 20 questions. Questions such as "Favourite pet?", "Best subject in school" etc. All questions that are probably answered on the applicants FaceBook page :-)
So, not only do you have to travel some distance to the interview, you ideally need an existing passport. Your shiny new ID card will cost you about £30 ($50) and the only thing you can do with it is travel within the EU without a passport (which you probably have anyway.) It is now your responsibility to keep the card details up to date with fines in the range of £1000 ($1500) for each offence.
Oh, and there is a vast computer database costing billions.
Obviously nothing there could possibly go wrong...
I agree with the previous posters' complaints on birth certificates: they only prove birth. We'd need to get some biometric data on the infant as soon as he or she was cleaned up and that data (e.g. fingerprint) mustn't change as it ages, or false positives/neg.'s slip through.
I guess a temporary solution would be applying the web of trust approach to a centralized database. Essentially, we would act like we were just issuing biometric authentication credentials, but not actually identifying. As more identity proofs were used, they'd be added to the database. That person's trust factor would increase. At the same time, the measures for getting and validating the other identity documents could be strengthened.
Honestly, though, I'm grasping at straws here. In a country like USA, nothing immediately comes to mind that would solve our identity problems. There's just too much to be gained by too many people in remaining unidentifiable. And many in power like this to a degree, like the influx of cheap, exploitable labor. If they did do national identity scheme, that would be severely impacted right off the bat. They'd have to pass a guest worker program immediately or begin shipping folks out. This issue is just one negative economic side effect of positive national ID. Add the privacy issues and, again, it's hard for me to see a way for it to happen & be trustworthy.
Require and obtain DNA at birth. Require and obtain DNA from anyone getting any form of any new government issued ID or employment (including employees of those contracting/receiving federal funds). Deny entry to anyone who does not have such a record. Anyone internal without such a record is obstructed from any form of travel (govt owns the roads and subsidizes the skys), medical attention, government aid, etc. until such time that the record can be created....
Sounds like a fun future.. Oh wait, they already started. My bad.
I was about to write in to disagree with people criticising the system of "guarantors" -- professionals who certify that they have known the applicant's identity for N years. It has a lot of advantages over the "document bootstrapping" method, including that it is simultaneously more equitable, cheaper, *and* more difficult to suborn if done properly.
However on looking up the current rules I see that the system here in Australia has indeed been seriously weakened since I last applied ~10 years ago. It's OK to broaden the list of allowed guarantors so long as they have 4 simple properties:
1. They know members of the community through their professional relationships, rather than personally;
2. They are themselves definitely identifiable within the community, so they can be easily located if an investigation is required;
3. The cost to their professional career from fraudulently certifying the document greatly outweighs the potential benefits; and
4. The nature of the profession means the person is bright enough to understand point 3.
There are indeed many, many professions which qualify in this way, including chiropodists and airline pilots -- although perhaps not journalists. However in Australia the new rules seem to allow many people who meet *none* of these requirements, and at the same time reduced from 5 years to 1 year the period for which they certify you have been using that name.
Oh, boy. I just looked at the documentation requirements, and they too seem to have been massively weakened since I last applied, when I needed a manila folder to carry everything. You can now apply for an Australian passport with just a "birth card" (certificate extract) plus a credit card!
"Japan's first case of alleged biometric fraud"
Is it really fraud though? It's her fingers on her body, and presumably she can do pretty much whatever she wants with them.
If the system is so fragile that it depends on no one ever changing their appearance, the system is flawed, no? There are plenty of other ways that a fingerprint might get corrupted - heavy manual work, fire, acid, amputation, etc. Swapping digit prints might be seen as an extreme form of body art, or a political statment, or ... meh, whatever. Granted that *I* wouldn't chose to do it, and also granted that the most probable explanation is an attempt to subvert border controls, but I still think that's hardly a case for labelling it fraud.
"No credential can be more secure than its breeder documents and issuance procedures."
We need Real ID!! That will make the driver's license secure and we'll all live happily ever after.
@ Nick P,
"I agree with the previous posters' complaints on birth certificates: they only prove birth."
I hate to disagree with you but no it does not prove birth.
All it proves is an entry was made in the register on date X and it contains a statment that at some point prior to that a "birth was said to have happened".
Let me explain...
As a woman who has a house in say France and a house in say Belgium. You decide you want to work the system.
You register with two doctors one in France and one in Belgium.
You keep visiting each one all through your pregnancy.
You then have your baby out of hospital close to the border. You then visit both doctors to be medicaly examined and have the birth recorded medicaly.
You then go with the documents to get the birth registered in both countries.
Now your child is both French and Belgium...
This works because the birth registrar gets a record that the birth has been medicaly registered but the doctor does not have to have attended the actual birth.
Unless somebody gets suspicious then you get away with it...
Australian Passports: from passports.gov.au
"Copies or extracts of a birth certificate are not acceptable. If born in Australia, an original full birth certificate issued by a state or territory Registrar of Births, Deaths and Marriages must be presented"
You also need a combination of other documents, one of which can be a birth card. But a birth card and a credit card are not sufficient.
When I got my passport last year the central document was my driver's licence. That's all I needed to get my birth certificate (although I did need to know the "city" I was born in and I seem to recall they wanted the suburb Subiaco, not the city Perth) and it's a major part of getting the passport. But to get the birth certificate I faxed a copy of the driver's licence! A halfway decent forgery should cope with that.
What isn't at all clear is if any of this is checked. Does the registrar in Perth check with NSW if that licence is valid? Plus you can bet that it's a low paid low ranked public servant doing the work, a bit of bribery shouldn't be too hard in one department or another.
The guarantor just has to be on the electoral roll and "known" me for a year. That is probably the weakest part.
"Is it really fraud though? It's her fingers on her body, and presumably she can do pretty much whatever she wants with them."
Yes and no...
No :- I suspect there is no crime of "biometric fraud" on the statute books (I could be wrong though)
Yes :- it is fraud but not by the way you are thinking.
Depending where you are fraud is oftend defined as "knowingly gaining an advantage by deception".
She knowingly said she was someone who she was not (deception), and therby gained (an advantage of) entry into Japan that she knew she was not entitled to.
So yes fraud plain and simple, I suspect that calling it "biometric fraud" is "journolistic sexing up".
Nice counterpoint. No need to "hate to disagree" with me on that one: my message was focused on how birth certificates don't prove identity, merely focusing on a birth happening. I wasn't really thinking hard when I wrote that they "prove birth." Oops...
Real ID is not even electronically verifiable. So it probably would be easier to make a fake rather than apply under a false name.
Good irony. In addition, Real ID is not even electronically verifiable. So it might be easier to make a fake rather than apply under a false name.
Sen. Tom Udall (D-NM): As you know, more than 30 states including New Mexico are unlikely to meet the December 31st deadline to become materially compliant with the Real ID Act of 2005.
Will you commit now to extending the deadline for compliance with Real ID if Congress has not addressed the issue by December 31st?
Sec. Napolitano: Well, Senator, thank you, and yes, I -- here is the problem. Congress passed Real ID as a footnote in an appropriations bill and that did not have the benefit of hearings nor consultation with the states, which caused vast revolt among the states of which Arizona was one, and so we went and worked with the governors on a bipartisan basis to fix Real ID and that gave birth to a piece of legislation known as Pass ID. It has been through committee. It's been marked up. It is ready for floor action. It deals with a lot of the issues that -- it solves the governors' problems with Real ID.
I would -- before I get to the question of extensions, one of the reasons we had Real ID and now Pass ID is because the 9/11 commission had a recommendation that we improve the security quality of driver's licenses, and because Real ID has been rejected by the states just by granting extension after extension after extension we're not getting to the pathway to have more secure driver's licenses. Pass ID helps us meet the 9/11 commission recommendations and at the same time addresses issues that were legitimately raised by the states. And so what I would prefer to urge the Senate to do and use the -- this hearing as an opportunity to really urge it to do is to move to floor action and move Pass ID through so we can get it over to the House. I think it could go very quickly over there and we could solve this issue, as opposed to extension after extension, which not only doesn't deal with the 9/11 commission recommendation but it's just another year of uncertainty.
Sen. Udall: Yeah. Well, as you are probably aware, the situation that we're in now -- we have health care on the floor -- where if tried to move to anything else I think it would make it much more difficult procedurally. So I think if -- I don't see us getting to Pass ID on the Senate floor between now and the end of the year. So I think it would be very helpful for you to issue a statement -- you might use this as an opportunity to do it -- to assure people that after December 31st they will be able to travel with something other than a passport. I don't know if you want to do that at this point but if you decline that's fine.
Sec. Napolitano: I think I will not accept that invitation at this point in time.
By the way the UK national ID Card system (nee universal benifit card) is a political fudge that various civil servants have been trying to push down the throats of UK residents for years.
The two things that got it off the shelf this time was the Banks winging about EU money laundering laws
And the fact it "looks sexy" to idiots that don't know any better.
As Stella Rimington (previous head of MI) observed it will not nor can it prove identity or any other status about an individual.
Oh and by the way you can issue your own passport as has been proved by "Sealand" and it is perfectly acceptable legaly...
The law in the UK was at one point in time quite simple "you are who you say you are" it is not a crime unless you are trying to gain "advantage" by it.
As regards passports open the front cover and read what it says inside.
In the UK Passport it says,
"Her Britanic Majesty's Secretary of State Requests and requires in the Name of Her Majesty all those whom it may concern to allow the bearer to pass freely without let or hindrance, and to afford the bearer such assistance and protection as maybe necessary"
Have a think about it, it is a document of passage not of identity. Originaly passports where pieces of paper actually signed by a government minister. I have one that belonged to my father that was issued during WWII all it has on it as way of identification is his name.
A further clue is the wonderfull bit,
"Her Britanic Majesty's Secretary of State Requests and requires..."
Her Majesty's "writ" only applies to her "domain".
Hence the "request" for outside her domain and "requires" for inside her domain.
So it is actually only a document of substance when entering or in Her Majestys domain and nowhere else...
I think you will find the equivalent in most passports.
Thus you have an interesting paradox. If I have a passport for country A and I'm actually from country C and I present it country B have I actually commited a crime?
The document has no legal status in country B (unless it choses to recognise it as such) and the only country it has legal status in A I'm not using it in, nor am I from country A so it has no legal binding on me as I'm not a citizen of country A so do not fall under it's extra teratorial juresdiction.
Such is the fun of such things, the law on such things appears to be a fudge of treaties often based around extradition.
Oh then there are the legaly "displaced persons" who for whatever reason are not citizens of any country...
The whole thing is a fudge worked out during the last century originaly as an attempt to control spying...
@Clive: Country B probably has a "lying when you try to get in" law.
A letter saying I've been offered a job has no formal legal recognition, but if I used a fake one to get a loan or something I'm pretty sure I'd be in trouble for fraud and/or forgery and/or acquiring something or other through false pretenses.
Just a guess, but: I'll bet that there are some variations on what you describe that would fall through the cracks. However, I'm also going to bet that there are enough non-specific laws about inaccurate or misleading documents or statements.
Those are some interesting paradoxes, but often mean little in practice for citizens of many countries. gopi's mention of "non-specific laws" reveals why: most governments give themselves more authority than they actually have and since the whole checks and balances scheme is in the government itself, they will often get away with it. Small countries will often not fight big ones like the US over petty trials or actions, esp. if US threatens them to coerce submissiveness. (Caribbean tax havens come to mind)
For example, lets say Britain gets tired of people having privacy and freedom via Sealand passports. They'll likely just not recognize Sealand's sovreignty and interpret relevant passport laws as they see fit. In the United States, people have almost no rights whatsoever: the US government routinely ignores international treaties, declares citizens "enemy combatants" (stripping rights away) and abuses legislative powers to give itself more power. I don't see an obscure legal argument holding up when they jail you and freeze your assets, then reserve the right to discount evidence that back you up. Britain is hardly better on this regard, esp. if taxes, drugs or terrorism are mentioned. So, these things make nice food for thought but their effectiveness is uncommon in the real world.
"Country B probably has a "lying when you try to get in" law."
Sorry I didn't make it clear. I'm not saying that the passport is fake or that I'm using a fake name etc.
The point I was making is that a passport is only a document of entry into the country that issued it (and possibly of residence).
A country can issue a passport to a citizen of any other country it see's fit to do so (some countries such as Turks&Cacos and Belize do this).
It's just that the passport "appears" to most people to say you are a citizen of that country when you are actualy not.
As I said earlier the French used to issue passports to members of the Forign Legion who had served their time, in any name that they wished no questions asked.
Further if you have dual nationality you are not commiting an offence (as far as I am aware) by changing your legal name in one of those countries but not the other.
The real point is that your name your nationality the countries you can live in are all fairly arbitary, all other countries can reasonably do is refuse you entry.
We have to decide if this is a problem or not (and I think on the whole not) and what we want to do about it before we waste billions of dollars etc on a pointless system, that does not achive anything nor can prevent anything.
re: clive r:
Just so. My grandfather knew Fritjof Nansen
who created the Nansen Passport for 'Stateless Persons' after WWI,
and I have had students in the last few years
who are travelling on a Nansen Passport.
Further, during the worst days of the Cold War,
it was routine for U.S. Journalists visiting ghostile countries
(absent good working relationships with the U.S.)
to secure and travel on Canadian Passports,
because Her Majesty's government had a far better record of rescuing subjects,
before allowing Cold War diplomacy to supercede.
Before that, also, my swimming coach was issued a Canadian Passport
to become a Royal Navy Frogman [trainer] before 1941,
and my best friend's father was issued a Chinese passport
to enable him to fly fighter aircraft from ChunKing.
Speaking of documents, it looks like TSA lacks the ability to properly redact documents. Both DHS and TSA are in full damage control mode.
Granted I'm not in the security business, and I don't know if this has been suggested or not, but couldn't the solution to generating a "proper ID" simply be to have an ID number / Government "Official name" that was simply (for lack of a better description) a one-way hash function of one's DNA (or some other unique biomarker that doesn't change over time)?
It would be readily verifiable, and difficult for another to forge. Applying for an ID card wouldn't require any previous documents, and checking for a fake ID card would be equally simple for anyone who cared to do a fingerstick, etc. Perhaps identical twins might prove troublesome, and granted this would need some modifications to make it time effective for an ID check, but I'm sure there are some clever people out there who might make it work...
"No credential can be more secure than its breeder documents and issuance procedures."
Couldn't a credential increase in security over time, if for example, it was periodically signed by trusted parties or otherwise had a way to represent the _reputation_ of the holder?
I believe the solution is not to find a document that ultimately identifies an individual, but rather find a way to capture the aggregate reputation over time - much like the credit card agencies do for financial reputation.
In my opinion, such a system would best be served by a decentralized but regulated system.
@ Marc W,
"I don't know if this has been suggested or not, but couldn't the solution to generating a "proper ID" simply be to have an ID number / Government "Official name" that was simply (for lack of a better description) a one-way hash function of one's DNA (or some other unique biomarker that doesn't change over time)?"
Although sounding very simple and seductivly appealing, for a whole host of reasons that is a bad collection of ideas.
Not that, that fact has stopped people chasing a "pipe dream" to do it (UK Gov), and are thus imposing the rewards of their stupidity on others (UK populace) as fast as they can.
What you are essentialy saying is,
1, One ID only
2, The ID is non refutable
3, The ID is thus assumed to be non forgable.
4, The ID is thus assumed to be the signiture of all your actions.
Problem 1 - "one ID" is a bad idea for many reasons,
The first is that we just do not run our lives that way we have multiple unrelated roles and society at a very fundemental level demands that we remain that way for our safety and sanity likewise for those around us.
The second is it will become like the insecure and very unfunny joke that is the US SSN (or UK NI Number or other countries equivlent).
I could give you further details as to why ad nausium but that would be well off topic (and if Bruce is running true to form it will be todays or tomorows Op Ed or very soon :)
Problem 2 - a "non refutable ID" is a disaster waiting to happen.
Firstly it would act as an "eternal prison sentance" even for those that had done no wrong.
The classic example is the UK child support agency with what is effectivly "retrospective legislation". Essentialy it is turning people into criminals for not commiting a crime and in return is causing major social disruption and lost income to the country. Rather than admit the whole idea was compleatly stupid from start to finish the UK Gov is activly seeking to make it worse. They do not seem to have learnt the lessons of the "Poll Tax Riots".
Further the UK Gov are implementing the "childrens DB" where any "official idiot" can add what they feel about a child or their home circumstances without any kind of evidence. Neither the child or their parents have the right to see this and thus have no right to refute. The plan for this DB is to make it available to interested parties for the rest of a persons life. Interested being potential employers, potential creditors, courts, local council busy bodies, etc etc. Thus it will very likely end up in private DBs in other parts of the world where you have absolutly no control over it.
Problem 3 - the incorrect idea that because something appears "irefutable" it must be true, thus forgary is not possible.
DNA is an unreliable identifier I currently have atleast four peoples DNA sloshing around inside of me. Further it appears that a bone marrow transplant can perminantly change your DNA. As time goes on and if "stem cell" research goes the way many hope then your fundemental DNA could end up being somebody elses.
As far as we can tell there is no "readily available" bio-metric that cannot be altered either temporarily or perminently if people are crazy enough to undergo the required surgury. As for non "readily available" I'm not happy about having a brain or spinal biopsy just to please some "officialy designated idiot".
Then there is the issue of collection and duplication of DNA. We leave DNA just about where every we go as skin cells, hair, mucouse and a whole host of other bodily fluids etc. Thus your DNA is a matter of being publicaly available to use for forgary by any individual that choses to pick it up...
As evidence collection has shown Bio-ID is not exactly a reliable identifier of very much (just that the object that your Bio-ID is on is at a particular place in time, without explination as to how it got there).
Problem 4 - then there is the problem of how do you reliably link any ID to an action or object?
Short of signing in your (unreliable) blood how do you propose to link the two together?
Any other system is as we know open to trivial levels of abuse such as a change to a DB record.
As I said further up "we are who we say we are" and fundementaly there is not much else that can be done about it.
Spending any amount of money on trying to change this is a provable waste of resorces and effort.
Which begs the question who gains by this huge waste of tax payers money?
it is not possible to have 100% identification. It can always only rely on the context and therefore one can forge the context (fake friends, refrences) or input data (tempered fingerprints, bribery etc).
Using DNA or lifelong IDs looks tempting - but is it worth the overall costs? How about the presumption of innocence in case DNA was found somewhere and the database spits our your name? How about forged DNA-samples (http://www.wrongfulconvictionlawsuitdefense.com/tags/dan-frumkin/) ? And what about the potential value of the collected data? If a valid adress with name and age and email and profession is worth 5$ on the grey market for spammers and scammers - how much is the DNA profile? What could a whole database get the seller? How about political changes - do we know, that society will be the same in 40years? What if it turns toward fascism - only with our data still in the dictators hands? There are still old people around in europe who have seen an emperor, a failing republic, a fascist dictatorship, a failed socialist state and now a capitalistic society. All in one country, all in one lifetime, including several changes in currency.
It may save your life someday to be able to throw away your passport and start anew. Bureaucracy should never be perfect - because society itself is not.
@Clive "who gains by this huge waste of tax payers money?"
that is easy: the manufacturers of the infrastructure (scanner, databases and so on), agencies (new databases are always on theri wishlist), potential surpressors (the more data about an individual the better to control the individual)
missing security or society on the list? me too
Why exactly lying about one's own name to Autoritah is an offence? Cops and politicos are lying all the time. It's fair to allow mere people to do the same.
I'd think easily forgeable passports are better than hard-to-forge ones. Simply because they make our masters less powerful, and leave a way to escape from them in an emergency. Like when they decide they want to get you because you opened your mouth and said something they didn't like.
Security is not value-free. Good security may be seriously morally bad. Security of passports is one such case.
"missing security or society on the list? me too"
That and our elected officials who vote for this waste...
In the UK one of the largest potential biders for work on this UK ID scheam is Capita (also known as Crapita by those who have been unfortunate to come into contact with them).
It is known that one of their directors made a "personal donation" into the current incumbrants part political funds.
Also it appears that many civil senior civil servants and ministers have been "wined and dined" by Capita and other companies and their lobbying groups. Also that contary to the Civil Service and Ministerial rules both civil servants and ministers have "jumped ship" into lucrative executive positions with these organisations.
But that's ok because there cannot be any question of impropriaty with our "snouts in the trough" politicians and their gravy train brothers in the civil service.
After all what are a few votes worth to a politician who knows that their chance of being re-elected is vanishing to nothing.
Just about every political foundation stone to prevent impropriaty in office in the UK that somebody looks under appears to be floating on a sea of sleaze...
Cash for questions, Cash for honours, MP's expenses, Civil Servants expenses, members and civil servants "interests", likewise "gifts and hospitality", consultancy, etc, etc,
I'm sure you can spot a few I've left of that list...
Ever had the fealing we are "being played for mugs" by inept "con men" "feathering their own nests" "at our expense" and the system is such we cannot get rid of them.
I'd better stop or I'll get the "off topic" "yellow card" from the moderator.
here are a lot of people arguing the pro and contra of IDs. in germany we have the Personalausweis (first time with age 16). you need it if you want to by beer or cigarettes (and look too young), sometimes the postman wants to see it, of course when you get your driving licence, and some public authorities. but to be true, the most of the time i don't need it. no policeman ever asked for the ID, maybe i'm too honest (no bar fights;)
i can't remember if i needed anything like a birth certificate when i got my first ID. but here in germany the people are registered in a local registration office.
IDs are helpful for police etc., but IDs are not a magic bullet.
Your 3:31 and my 3:23 are so similar people will think one or both of us is a sock pupet ;)
So can I check your ID please? (Just joking 8)
@ Fred Blotz,
"Speaking of documents, it looks like TSA lacks the ability to properly redact documents. Both DHS and TSA are in full damage control mode."
Would you like to enlarge on that a bit?
In my mind I smell something juicy every time I see "redact" and a government agency name.
And like Pavlov's dog I start to slaver at the sound of that particular bell 8)
Ah well time to find out if the Quacks are deciding to add yet another unit of somebody elses DNA (and god alone knows what else) into my system so I can get enough oxygen around the system to stand up without fainting 8(
> Australian Passports: from passports.gov.au
> "Copies or extracts of a birth certificate are not acceptable. If born in Australia, an original full birth certificate issued by a state or territory Registrar of Births, Deaths and Marriages must be presented"
> You also need a combination of other documents, one of which can be a birth card. But a birth card and a credit card are not sufficient.
Sorry, you are right; in my haste I somehow skipped section one, which requires either a birth certificate, citizenship certificate, or previous passport. I was only looking at section 2 (from the same site) which reads:
"2. You will need to provide one of the following three combinations of original documents that support your identity:
* One document from category A
* One document from category B "
Category A includes 4 types of documents (two of them only acceptable when applying from overseas, bizarrely), one of which is: "Birth card issued by an Australian Registrar of Births, Deaths and Marriages (this is not a birth certificate)"
Category B includes 8 types of documents (four of them only acceptable overseas), one of which is: "Credit card or bank account card"
(A "birth card" is a document issued, so far as I am aware, only in NSW (the most populous state) up until late last year, when issuance was discontinued (but issued birth cards remain valid until their expiry dates.) Except that it is credit card size and has an expiry date on it, it is *exactly* the same as birth certificate extract. I don't know why they were discontinued but rumour has it that it is because they were easily and widely forged by under-age teens trying to sneak into pubs and nightclubs.)
So mea culpa: the minimum appears to be birth certificate or citizenship certificate, extract, and credit card, or any of several approximate equivalents (some of which are arguably even weaker.) At any rate, my point stands: this is vastly less paperwork than I had to come up with ~10 years ago. I don't recall the exact details but seem to remember something like the "100 points" system where each document was worth a certain number of points, and you had to reach at least 100 points total, except that you also had to provide one of a small set of "primary documents" (like the section 1 in this system), which couldn't count as any of your points. At any rate I definitely recall that I ended up with a dozen or so documents in a manila folder, not two pocket-sized slips of paper.
@Clive - no, i'm very conservative in showing my ID to anyone. ;-) It even annoys me if they ask for ID when paying with EC. Token (card) and knowledge (PIN) should be enough...
We have in germany some equivalent to Capita - its called Bundesdruckerei ("federal print office"). This was in former times a state-owned print office responsible for printing all passports and driving licences and so on. It was decided to sell it "to the market and reduce costs while keeping the high quality standards". Nice move. Private data in the hand of a company with sharholder interests in mind and not public service. Turns out, they poorly managed the print office and needed some offical boost - along comes the interior minister and announces the need for new biometric data and RFID in passports and the exchange of the old ones. The newer ones are significantly more expensive. A sure thing for the monopolist on the market. After his term this minister (Otto Schily) switches sides and is now on the board of a company involved with RFID in passports for the monopolist. Final joke: the government is now considering to buy Bundesdruckerei back (fear of technology transfer).
What use are sophisticated passports with RFID and biometric data and so on, if the manufacturer is owned by someone whose main interest is ROI and not public safety?
Off topic: Hope you get well soon!
Another problem with a system based on a individuals who supposedly know the person in question: it means that people who keep mostly to themselves and/or move on a regular basis can't get ID. I still remember my embarrassment some years back when I applied for a library card in the town we'd just moved to. In addition to everything else, there was a line on the form for the name of someone in the community who knew me and would vouch for my book-returning intentions. Boss? Freelance. Doctor? Didn't have one yet. Minister? Not a churchgoer. And so forth.
@Paul: why emberrassment? You just moved into town.
Never heard of such a policy here in germany though. Of course there is the status of a bailsman but this is afaik only for financial toppics...
The story isn't that surprising. Criminals get passports under an alias all the time.
"Hope you get well soon!"
That makes two of us ;)
(The nurses in this hospital are not quite as nice as the one I mentioned befor 8(
"What use are sophisticated passports with RFID and biometric data and so on, if the manufacturer is owned by someone whose main interest is ROI and not public safety?"
I've yet to see any worthwhile argument (plenty of Political gas though) that any identity document will act as a constraint on a person who wishes to kill them selves for a political cause.
The argument that "it keeps them out of the country" is jingoistic nonsance. Nearly all bombers in the UK for the past 100 years or so (and there have been many) where born in this country or one of it's "domain" and are thus entitled to legitimate doccuments of entry and residence.
Likewise I've seen no convincing argument that it will stop "illegal immigrants" or the "black economy". In fact most of the convincing arguments suggest that in fact it will aid both as it represents a single point of weakness.
Likewise there is absolutly no evidence that the UK Gov can actually build the systems required. What was the worlds largest IT Contract the NHS IT centralised system has been a compleate and unmitigated disaster (just like Russian Central planning, no wonder we call them IT Czars ;)
Further evidence abounds that there is considerably more fraud and theft involved with UK Gov IT projects than in equivalent projects in the private sector.
And contary to what we are led to belive the rate of pay in the UK civil service is often actualy better for "proffesional" white collar activities than in the private sector (and that's basic pay before you take their pension scheams into account as well).
Anyway I must resist the urge to "pig stick" UK Gov (it's not realy on topic).
What is known is that something over 75% of ICT contracts issued by UK Gov are not just failures but also "give away" intelectual property rights and have unreasonable escape clauses for those providing the failing systems (have a shufty at the UK Computer World for a run down on just how bad these systems realy are).
We do not need a national ID card we do not need bio-metrics and we do not need the banks conning politicians into such systems just to externalise their liabilities under money laundering legislation.
Unless you mark all babies at the moment of birth, you can never have a secure ID system.
Even then, you have to ensure that trusted midwifes are present at every birth, be it in a hospital, at home, at the roadside...
Otherwise, all that you can prove, is that you are the person who also did another thing (such as "I am the person who applied for this passport").
@ Steve Parker,
"Otherwise, all that you can prove, is that you are the person who also did another thing (such as "I am the person who applied for this passport")."
Nice - I see you understand step 1 of the problem (you'll never make a politician ;)
Which is the point Stella Rimington made several years ago.
Now for step 2,
We know these systems are (from independent evaluations) going to cost the tax payer ~500USD/person. For a Nation of 300million that's 150,000,000,000 USD.
The world population is ~6,000,000,000 and more would have to be done. One etimate I've seen puts that at ~1000USD/person or 6,000,000,000,000 USD.
Perform a ROI calculation for the US and the World to show what this investment is going to return and over what period...
Try and find any other project of comparable size that has come in budget and delivered on the requirments spec.
Then ask OK what's in it for the Joe Average, who is going to pay for it.
Oh and the last question in these days of financial restraint. Projects a lot smaller than this need to become "profit centers" ask how the Gov can break even let alone make a profit on the anual runing costs...
Be afraid, be very afraid.
@Clive: my best wishes and get well soon too (and regarding the nurses: not one with a short skirt, long legs and bedroom eyes for you? I will write santa with this wish for you :-)
big IT projects are a constant failure. this is system inherent. Call for bids have clauses that only big companies can fulfill (insurance costs, manpower requirement etc.) and the bid with the lowest number wins (or with the most influence - talk ex-politcians on their board). The list is looong: in germany recent examples are the road charge system (even the contracts are confidential - but wikileaks published them now) which was late for several years and did cost hundrets of millions more than expected. the digital emergency service radio is still not implemented (several millions in euro and several years out of schedule) and so on.
Latest attempt: a digital health insurance card with a chip: complete failure. after ~400mio EUR it is now stalled. But this is good - the thought of a single database with every health record of everybody is a security and privacy nightmare.
Sometimes it seems the only thing preventing the quick erosion of society towards an orwellian regime is the incompetence of the major participants.
I think Bruce, and many of the responders, are missing the point of biometric passports.
Of course it's obvious that any competent Al Qaeda operative, foreign agent, well-funded criminal, etc will easily be able to get one (or more) of these. Pointing this out is a waste of time, it's irrelevant.
The people who pushed this through are (1) bureaucrats who want to expand their departments, (2) lobbyists for the companies who will get the govt contracts, (3) pols and bureaucrats who saw a chance to increase their power over the peons.
Introduction of biometric passports will further the interests of (1)-(3) above. Mission accomplished, case closed.
"The people who pushed this through are
(1) bureaucrats who want to expand their departments,
(2) lobbyists for the companies who will get the govt contracts,
(3) pols and bureaucrats who saw a chance to increase their power over the peons."
You missed the one subtal but important motivation that makes the whole work.
Kickback from those who fund step 2,
It comes in two forms
1, Kickback into Party Political Funds.
2, Kickback as personal enrichment of pols and bureaucrats.
Kickback comes way further up the list than your (3) in their greedy litle porcine minds.
In Switzerland you have to present a birth certificate, which is only issued once by your community of origin, to get your first passport. For any subsequent new one, you only have to present your formerly expired passport document. Which I did to get my current one, in which they did manage to inverse my two additional first names. I only hope this will never cause any confusion or even less amusing disagreement.
Were I to present my original birth certificate, I'd be screwed since I lost that document somewhere over time and this equals my very non-existence wrt to officials. Except for paying taxes and the like, of course. :(
It is important to keep in mind that in any system of ID that is intended to be universal, a big problem is dealing with exceptions. A system that is 99% accurate isn't much use if 00.75% consists of scammers and fraudsters. People are still born outside of hospitals. Heck, my grandmother had two birth certificates, dated a year apart and with slightly different names. A friend of mine's mother in law had some real difficulties getting a copy of her birth certificate while in France because after she emmigrated to the U.S. she married and changed her last name. And of course the local U.S. county clerk never sent paper work to the arondisment of her birth notifying them of her name change. No procedure like that exists in the U.S. The French bureaucrats kept saying that they couldn't give her a copy of her birth certificate, since they had received no notification of her name change. The sysem ground to a halt because nobody knew how to deal with this exception to normal procedure.
If you ignore the neccessity for waivers and exceptions or make them too difficult to obtain, you deny people the rights/services that they are entitled to. But people who want to commit fraud will quickly find and exploit any waiver system that too easy to get.
One thing that didn't get raised here, and might be useful:
Most modern ID schemes will have some sort of back door, because of law enforcement wanting to do undercover work, witness protection programs, etc.
If an ID really was seamless, then those things would no longer be possible.
If a back door *does* exist, then it can be exploited, though human means as well as technological.
As Bruce says, All security is a tradeoff.
Exactly how does holding a real passport make you NOT a terrorist?
I don't know about the rest of you, but I don't care WHO else is with me on a plane. I care that none of them were allowed on with bombs, and that there are "enough" trusted people carrying guns to thwart a hijacking. The names and identities of ANYONE are irrelevant except perhaps positively identifying the people allowed on to the plane with loaded weapons. Anyone else should be able to board anonymously as long as they have paid for their ticket.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..