Bruce Schneier: Security at What Cost?
National ID System Is Not Worth The $23 Billion Price Tag
By Bruce Schneier
Minneapolis Star Tribune
February 23, 2008
The argument was so obvious it hardly needed repeating: We would all be safer if we had a better ID card. A good, hard-to-forge national ID is a no-brainer (or so the argument goes), and it's ridiculous that a modern country such as the United States doesn't have one. One result of this line of thinking is the planned Real ID Act, which forces all states to conform to common and more stringent rules for issuing driver's licenses.
But security is always a tradeoff; it must be balanced with the cost. We all do this intuitively. Few of us walk around wearing bulletproof vests. It's not because they're ineffective, it's because for most of us, the tradeoff isn't worth it. It's not worth the cost, the inconvenience, or the loss of fashion sense.
According to the Department of Homeland Security's own estimates, Real ID will cost Americans around $23 billion. So is this a good tradeoff for us -- are the security benefits worth the price tag?
When most people think of ID cards, they think of a small plastic card with their name and photograph. This isn't wrong, but it's only a small piece of any ID program. What starts out as a seemingly simple security device -- a card that binds a photograph with a name -- rapidly becomes a complex security system.
It doesn't really matter how well a Real ID works when used by the hundreds of millions of honest people who would carry it. What matters is how the system might fail when used by someone intent on subverting it:
- The card itself. No matter how unforgeable we make it, it will be forged. We can raise the price of forgery, but we can't make it impossible. Real IDs will be forged.
- Legitimate cards in fraudulent names. Two of the Sept. 11 terrorists had valid Virginia driver's licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn't be bribed, cards are issued based on other identity documents -- all of which are easier to forge.
- Lost cards. About 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for such cases, a system that itself would be susceptible to abuse.
- The human link. Any ID system involves people -- people who regularly make mistakes. We've all heard stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It's not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures.
Real ID won't be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American, one widely and instantaneously accessible nationwide. The security risks of this database are enormous. Computer scientists don't know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.
But even if we could solve all these problems, and within the putative $23 billion budget, we still wouldn't be getting very much security. A reliance on ID cards is based on a dangerous security myth: that if only we knew who everyone was, we could pick the bad guys out of the crowd.
In an ideal world, we'd want all terrorists to carry a card that said "evildoer" and everyone else to carry a card that said "honest person who won't try to hijack or blow up anything." Then security would be easy. We could just look at people's IDs, and, if they were evildoers, we wouldn't let them on the airplane or into the building.
This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you're likely to be an evildoer. But that's almost as ridiculous.
Even worse, as soon as you divide people into two categories -- more trusted and less trusted -- you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh, the Washington, D.C., snipers, the London subway bombers and many of the Sept. 11 terrorists had no previous links to terrorism.
There's another, even more dangerous failure mode for these systems: honest people who fit the evildoer profile. Because evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. Think of all the problems with the government's no-fly list.
Real ID is a lousy security tradeoff. For $23 billion, we're not getting anywhere near the security we should.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..