Tag: biometric national ID

WaPo: Let’s Have a National Identity System

There can be no denying the link between the E-Verify system prominent in discussions of immigration reform and the policy of having a national identification system. The Washington Post editorialized about it this past weekend, saying “a universal national identity card” must be part of “any sensible overhaul of the nation’s immigration system.”

I’ve written about it many times, as I certainly will in the future. Today, though, I’ll commend to you a well-written piece by David Bier on the Competitive Enterprise Institute’s “Open Market” blog. In “The New National Identification System Is Coming,” Bier writes:

“Maybe we should just brand all the babies.” With this joke, Ronald Reagan swatted down a national identification card — or an enhanced Social Security card — proposed by his attorney general in 1981. For more than three decades since, attempts to implement the proposal have all met with failure, but now national ID is back, and it’s worse than ever.

Read the whole thing.

The irony is that appropriate immigration reforms—those that align the law with our country’s need for immigrant workers—could dispense entirely with “internal enforcement,” national employment surveillance, and deputization of businesses as immigration agents.

“We’re Going to Have to Come Up with Something.”

And that something is a national ID.

The quote is Senator Chuck Schumer’s (D-NY), speaking about immigration reform at Politico’s Playbook Breakfast. The national ID gloss is mine, based on the immutable logic of “internal enforcement.”

Senators Schumer and McCain (R-AZ) say that the “Gang of Eight” senators who are working up an immigration reform package are united on the idea of making it impossible for illegal immigrants to get work in the United States. The only way to do that is to put all working Americans—if you work, that means you—into a national ID system.

“People say, ‘National ID card,’” Senator Schumer says. They do because that is what he’s talking about.

Now, they haven’t gotten all the way through the logic of their plans. Senator Schumer talks about a “non-forgeable [Social Security] card,” but a Social Security card only proves that a certain name is linked to a certain number. If a system is going to prove that a given person is entitled to work in the United States, it must be an identity system. It must compare the identifiers of the person to the identifiers in the system, whether held on a card or in a database, so that it can assess their legal status, including natural-born citizenship.

This is why Senator Schumer also talks about biometrics. The system must biometrically identity everyone who works—you, me, and every working American you know. There is no way to do internal enforcement of immigration law without a biometric national identity system.

It looks as though E-Verify, an incipient national ID system, will be a part of most or all comprehensive immigration reform proposals. Ironically, immigration reform that aligns the law with our country’s economic need for labor would obviate the need for E-Verify and a national ID. 

There are lots of ways to become familiar with the national ID issues that have yet to bubble up in this early stage of the immigration reform debate. My 2006 book, Identity Crisis, is a decent primer on identity and national ID generally. I examined the direct line between internal enforcement of immigration law and a national ID in my 2008 paper: “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration.” And my article in last year’s special Cato Journal on immigration reform was called: “Internal Enforcement, E-Verify, and the Road to a National ID.”

‘How an E-Verify Requirement Can Help’

I know little about a House Judiciary Committee hearing tomorrow on E-Verify, but the title of it has a peculiar odor: “Document Fraud in Employment Authorization: How an E-Verify Requirement Can Help.”

You see, the immigration policies Congress has set are the source of the problem. Document fraud is made more likely by employment authorization requirements meant to enforce them, which are also—let’s remember—intrusive and costly business regulation.

In my Cato Policy Analysis “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration,” I wrote about restrictive immigration policies and the intrusive “internal enforcement” programs they have spawned. In a section titled “Counterattacks and Complications,” I examined how workers and employers will collude to avoid and frustrate worker verification. Mandatory E-Verify will increase identity and document fraud because it makes these frauds profitable. Trying to solve this problem, the government will naturally gravitate toward more powerful identity systems, including biometric identity cards and tracking.

Sure enough, House Judiciary Committee chairman Lamar Smith’s bill, the “Legal Workforce Act,” has a “pilot program” for a biometric national identity card.

When committing fraud is the pathway to productive employment, you know something is out of whack. Among the things out of whack are: too-restrictive immigration policy, internal enforcement, and E-Verify. This is supposed to be a free country where willingness and ability are the keys to employment.

Don’t BELIEVE the Hype—Though Unformed, the Democrats’ National ID Plan Is Rife With Threats to Privacy and Civil Liberties

Senate Democrats have solidified and given more definition to their plan to create a biometric national ID, the centerpiece of their immigration reform proposal. (For reasons unrelated to the national ID plan, Senator Lindsey Graham (R-SC) has dropped out of the picture for now.) The “Conceptual Proposal for Immigration Reform” they released last week gives much more detail to the sketchy plans I previously reviewed.

In my Cato Policy Analysis, “Electronic Employment Eligibility Verification: Franz Kafka’s Solution for Illegal Immigration,” I wrote about the possibility of a work authorization document limited to that purpose—and my doubts that the government would adopt one.

A credential such as eligibility for employment under [the immigration laws] can be proved without creating a nationwide biometric tracking scheme. In fact, templates already exist. But it is unlikely to see adoption… . [I]dentification and tracking … shift the risk of error in the card-issuance process from the government to the citizen… . [T]racking preserves government power. A work-eligibility and tracking system … makes the individual’s employment eligibility subject to revision at a later time, if the government wants to change the rules or adapt the system to new purposes, for example.

Those doubts are validated by this plan, which appears to be a full-fledged national ID and national biometric database. Assurances that it won’t be used for purposes beyond immigration control are not persuasive. This is national identity and surveillance infrastructure that will be “switched on” by later policy changes.

They’re calling it “BELIEVE,” short for “Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment.” They can call it that. We’ll study it, and give credence to what we learn.

The plan is confusing, disorganized, repetitive, and sometimes contradictory. Summarizing it is a little like trying to piece together the egg when all you have is the omelet, but three themes emerge: First, this summary backs away from an earlier claim that there would not be a biometric national identity database. There will be a national biometric database. Second, repeating the word “fraud-proof” does not make this national ID system fraud proof. Third, this national ID system definitely paves the way for uses beyond work authorization. This is the comprehensive national identity system that people across the ideological and political spectrum oppose.

The national ID part of the Democrats’ proposal begins at the bottom of page eight. It’s a veritable word-cloud, suggesting a violation of the rule of thumb that simple solutions are usually the best. But let’s look at it, line by line.

Not later than 18 months after the date of enactment of this proposal, the Social Security Administration will begin issuing biometric social security cards.

That’s pretty darn ambitious. Watch for any national ID plan to take several years to get started, decades to complete. The REAL ID Act—a simpler proposal than this one—has been law for five years and not a single compliant card has yet been issued. Not one.

These cards will be fraud-resistant, tamper-resistant, wear resistant, and machine-readable social security cards containing a photograph and an electronically coded micro-processing chip which possesses a unique biometric identifier for the authorized card-bearer.

All these things are easier said than done. And “fraud-resistant”? That’s unlikely. We won’t know until we see details.

The card will also possess the following characteristics:

We’ll take them in chunks.

(1) biometric identifiers, in the form of templates, that definitively tie the individual user to the identity credential;

Cards have biometrics today—low-tech ones like your picture and a copy of your signature printed on it. Here, “biometric identifiers” probably refers to machine-readable biometrics like fingerprints or iris scans. The card wouldn’t have an image of the biometric itself, but rather a mathematical description of its key features—the arches, loops, and whorls in your fingerprint and their distances from one another, for example. Research continues into how secure these algorithms are against future high-tech versions of identity fraud.

(2) electronic authentication capability;

This is pretty opaque, but it confirms again that the card will have a computer chip. “Authentication” is a word without a distinct meaning—what fact will be proven to whom, and how will it be proven? We have to learn more.

(3) ability to verify the individual locally without requiring every employer to access a biometric database; (4) offline verification capability (eliminating the need for 24-hour, 7-days-per-week online databases);

This is two ways of saying roughly the same thing. How will this goal be achieved? Without more information, the privacy and security issues are hard to assess. 

A freestanding ability to verify individuals without accessing a biometric database implies that there will be a biometric database, a likelihood I noted earlier.

(5) security features that protect the information stored on the card; (6) privacy protections that allow the user to control who is able to access the data on the card;

Security protects privacy so these two features are siblings if not one feature. But these opaque claims don’t tell us much at all. Knowing what exact card security features the plan envisions would allow an assessment of their quality. They could be anything from distributing RFID-chipped cards with a metallic sleeve that many users will lose or fail to use—almost no protection at all—to using a card that will only reveal data when the biometric of the authorized bearer is presented to the card.

The best protection for privacy and data security is not collecting people’s identity information in one place at all, nor organizing it uniformly on a card everyone must have. A technically secure national ID card isn’t privacy protective when the bearer is practically or legally required to release the information on it. Pushing card security as a privacy feature is like looking for your keys under a lamp post. The light may be better there, but you haven’t solved the privacy issues by securing the card.

(7) compliance with authentication and biometric standards recognized by domestic and international standards organizations.

This feature conflicts with the privacy claims in the previous bullet. Compliance with standards increases the likelihood that the national ID system will interoperate with other national governments’ systems and with corporate systems. Picture a future not too far off when every government collects and shares data on every citizen and foreigner using a consistent identity system. This is an efficiency feature with huge privacy and liberty costs for individuals.

The new biometric social security card shall enable the following outcomes:

One by one:

(1) permit the individual cardholder to control who can access their information;

This is the same as characteristic (6) above.

(2) allow electronic authentication of the credential to determine work authorization;

We got this from characteristic (2) above.

(3) possession of scalability of authentication capability depending on the requirement of the application.

This jargon cloud doesn’t mean anything discernible, but it does suggest that this national ID system is being designed for multiple uses. Let’s start with some terms:

“Scalability” is the idea that a technology still works well “at scale.” A system that works will with 10 users may not work well with 10,000, and a system that works well with 10,000 users may not work well with 10,000,000 or 100,000,000. So the idea here is that it will work well with many users. It’s not enough just to say that, of course. We should know specifically how it would meet the challenges of scale.

“Authentication”—again, a poorly defined term—means adequately proving some fact, such as a person’s identity, his or her work authorization, and so on.

“Application”—another favorite word in the tech lingo—simply means “use.” A hammer has many different applications: pounding in nails, denting metal, bonking intruders on the head, and so on.

So the sentence translates roughly to: “The card system will handle large numbers of people no matter what it’s used for.”

That’s telling, because the next line in the plan claims that the system will only be used for work authorization. If it’s only used for work authorization, why would it need to handle large scale for other authorization applications?

Possession of a fraud-proof social security card will only serve as evidence of lawful work-authorization but will in no way be permitted to serve—or shall be required to be shown—as proof of citizenship or lawful immigration status.

Repeat: If this is true, why does the card work at scale for other authorization applications?

The use of the word “permitted” suggests that the card will be capable of other uses, but such uses will be barred by law. Once again, if the plan is to use the cards only for work authorization, why not design the cards to serve only that purpose and no other?

And there’s “fraud-proof” again. The plan says little or nothing about what makes the card fraud-proof. In my earlier assessment of the national ID plan as it stood then, I discussed the three different meanings the concept of “fraud-proof” may have in an identity system, and the difficulties of achieving all three.

It will be unlawful for any person, corporation; organization local, state, or federal law enforcement officer; local or state government; or any other entity to require or even ask an individual cardholder to produce their social security card for any purpose other than electronic verification of employment eligibility and verification of identity for Social Security Administration purposes.

Confirmed: This will be a multi-purpose identity card. Most of the public will be barred by law from asking for the cards, but it will perform “verification of identity for Social Security Administration purposes.” That means, at the very least, that it can display Social Security Number and probably name. It will be convertible to lots of other purposes when mission creep takes hold.

Legal rules against using the card for new purposes don’t mean very much. If you create a system with rules like that in place, they might be in place for a while, but policymakers will think of new uses for the card, people and organizations use the card unlawfully for a while, and the weight of these “misuses” will break down the legal barriers. The national ID system created for one limited purpose will be “switched on” and it will become the full-scale surveillance device that freedom-loving Americans abhor.

No personal information will be stored on the electronic chip contained within the social security card other than the individual’s name, date of birth, social security number, and unique biometric identifier.

What more do you need? Presenting these identifiers allows organizations, public and private, to easily identify people distinctly in their data stores. Highly accurate tracking systems will grow up around this identity system, many of which provide convenience and other benefits, but the sum total of which will be a federal-government-fostered surveillance society.

And, by the way, an encrypted work authorization (see below) can act as an identifier—that’s more personal information—unless the card’s design takes some very impressive steps to prevent that.

Under no circumstances will any other information, including medical information or position-tracking information, be contained within the card.

This is nice protection—and if it’s a bar on radio frequency identification, fine—but putting these protections in law is rather quaint, though. A bar on additional data going on the card may hold up for a few decades, but it will ultimately give way to new demands for data on the card to fix some new policy problem.

And, remember, the card itself is not the only source of privacy concern. The card will facilitate highly accurate record-keeping about people’s locations when they use the cards. Location tracking may not be integral to the card, but the card will be integral to location tracking.

The Secretary of Homeland Security shall work with other agencies to secure enrollment locations at sites operated by the federal government.

Yes, you need to secure enrollment facilities or people will break in and steal equipment and data. I’m not impressed that DHS will be involved in providing physical security to SSA, and I bet SSA isn’t either.

Prior to issuing an individual a new fraud-proof social security card, the Social Security Administration will be required to verify the individual’s identity and employment eligibility by asking for production of acceptable documents to be provided by the individual as proof of identity and employment eligibility.

Yes, that’s how you do it. This is the step in the card issuance process that is probably the weakest. Forgery and corruption attacks are a function of the value to which the card controls access.

(Again with the unsubstantiated “fraud-proof”!)

The Secretary of Homeland Security will work with the Commissioner of the Social Security Administration to verify non-citizens’ employment authorization.

As they must. DHS has the info on naturalized citizens and non-citizens legally in the country.

SSA will also be required to engage in background screening verification techniques currently used by private corporations that use publicly available information that can be derived from the individual’s social security number.

This is a new one—doing database background checks on applicants for the new national ID. Rather than using only the documents proffered by the applicant for the card, the Social Security Administration would look up the claimed SSN of the applicant and see if his or her story checks out. For example, the system might compare the address claimed by the applicant to addresses that are found in public or private records. (“Publicly available” is ambiguous.)

This is a way of reducing fraud in the issuance of cards. (Mind you, it doesn’t make the process “fraud-proof!”) But it also raises new issues, particularly if the background check on the applicant will be run against private commercial data. The DHS Privacy Committee has twice issued cautionary documents about using commercial data in government applications. There are many issues, including privacy and due process, if indeed the intent is to use private databases to run background checks on applicants for a government benefit.

An administrative adjudication process can be invoked in the event that an individual is unable to establish his or her identity or lawful immigration status. Adverse decisions can be reviewed in the federal courts.

You’re gonna need it. The full range of appeals will be required if this card indeed will be used to control access to work. Some important decisions have to be made about whether a person can work while their appeal is pending. If an appeal fails, should the appellant be arrested and deported as a presumptive illegal immigrant? Expect to see stories of people who lack documentation and fixed addresses—the very poor, recovering drug addicts, and so on—who cannot prove their existence to the SSA or who don’t pass their background checks. They will find themselves unable to work because their government has denied them an officially recognized identity.

There will be a multi-stage process of re-verification if an individual claims he lost his previously issued fraud-proof social security card to ensure that there is no identity-theft or unlawful collaboration of identity.

I noted in my previous analysis that a database-free identity system is very difficult to administer, such as for replacing lost cards. The plan to address this challenge is unclear. Someone who has lost a card will have to return to the SSA and take part in this “multi-stage process of re-verification”—whatever it is—perhaps waiting to work until it has been completed. I have no idea what “unlawful collaboration of identity” is.

There will also be a multi-stage process for resolution of proper identity if an individual claims an identity tied to a social security number that has been claimed by another individual.

More undefined, but “multi-stage” processes, when a person comes to the Social Security Administration and finds that someone else has already claimed the same identity. Will they be able to work during the pendency of their “multi-stage” processing?

Tough penalties will be put in place for fraud in procurement of a fraud-proof social security card.

This raises a metaphysical question: Can there be fraud in a “fraud-proof” card? Of course there can. There is no fraud-proof card, which is why you have to penalize fraud, hoping to suppress it.

The same penalties shall apply for conspiracy to commit fraud if false information is intentionally provided.

Let’s spend just a moment on the capacity of criminal penalties to suppress fraud. It’s easy for people like us—wealthy and highly educated—to assume from the comfort of our offices that criminal penalties will suppress fraud. After all, prison looks pretty awful compared to an office. But an illegal immigrant has a different calculus. Going to jail and getting “three hots and a cot” is not a bad outcome compared to repatriation to a life of hunger and political instability in one’s home country. Committing fraud in the interest of “legitimate” work is preferable to theft or violence aimed at getting money and food here. Criminal penalties won’t suppress fraud as well as many might imagine.

Employers hiring workers in the future will be required to use the newly created Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment (BELIEVE) System as a means of verification. There will be strict employer penalties for failure to participate in the BELIEVE system after being notified of a requirement to do so by the Secretary of Homeland Security or after the BELIEVE system has been fully implemented nationwide such that it is required to be used by all employers.

E-Verify has too many problems. Renaming it will help!

Prospective employees will present a machine-readable, fraud proof, biometric Social Security card to their employers, who will swipe the cards through a card-reader to confirm the cardholder’s identity and work authorization.

More than two pages into the summary, we’re back to the basics of the card and what it does. We already know that the card is not fraud proof. What’s new here is that employers will have to have card readers—an additional inconvenience, expense, and barrier to hiring new employees.

What this fails to mention is that the machine will have to be able to process machine biometrics—fingerprint reading or iris scanning, for example. These are not inexpensive machines, their use will probably require training, and they must have very high accuracy in all conditions or they will produce a mountainous administrative burden on employers and workers.

We also learn from this—again—that this will not be a simple work authorization system, but a national identity system. Running the card through a machine (and checking the bearer’s biometrics) will reveal identity.

Again, we’re looking at mission creep: With all these cards and machines in place, able to prove identity, why wouldn’t they be applied to new purposes like airline security? Checking in at hotels? Confirming identity at office building entrances? Administration of government benefits? Proof of identity in credit card transactions? Night and weekend access to office buildings and parking lots? Traffic stops?

The cardholder’s work authorization will be verified by matching a digital encryption key contained within the card to a digital encryption key contained within the work authorization database being searched.

Here’s a new notion—the use of encryption. But how encryption would be used is far from clear. Presumably, a signal that the bearer of the card is work authorized (referred to here as an “encryption key”) would be released by the card and matched against information (also referred to as an “encryption key”) in a database. It is highly doubtful that either item of data is actually an encryption key, as an encryption key is the code used to encrypt or decrypt the information you are trying to work with. Most likely, work authorization data will be encrypted on the card. Somehow or another, once presented, that encrypted data will be decrypted and show that the bearer of the card is work authorized.

This contradicts statements above saying that the system won’t require access to a central database. Perhaps it envisions public key encryption, in which a private key scrambles the work authorization data and a public key de-scrambles it. I doubt that PKI is up to this. If the private key were released or reverse-engineered, the system would fail because forgery of work authorizations would then be easy.

This project has a long way to go before it articulates a card system that can securely confirm work authorization without connecting to a database.

The cardholder’s identity will be verified by matching the biometric identifier stored within the micro-processing chip on the card to the identifier provided by the cardholder that shall be read by the scanner used by the employer.

This is confirmation that it is not just a card reader, but a biometric reader. It is also confirmation that the system will confirm identity, not just work authorization. Prepare for mission creep.

Two-and-a-half pages of summary information reveals little more than the wall of complexities behind the Democrats’ plan for a national identity system. It repeats as an incantation the words “fraud-proof” even while it admits that criminal penalties are needed to tamp down fraud. The summary ratchets back from the dubious claim made earlier that there wouldn’t be a national biometric database—there almost certainly would be. The summary confirms that the card system would be used to confirm identity, not just work authorization. That sets it up for mission creep—expansion to new uses and data collections that plunge us into a surveillance society.

Indeed the mission creep begins with this very plan. When employer sanctions don’t sweep the country clean of visa overstayers, these ID cards will be used to hunt them down inside the country. From page five:

In addition to increasing border enforcement, this proposal will substantially enhance our capabilities to detect, apprehend, and remove persons who entered the United States unlawfully and persons who entered lawfully on temporary visas but failed to leave the country when designated.

Will these removal plans be carried out through a system of checkpoints at which all Americans have to present their national ID card? Will private providers of financial services, health care, housing, or retailing be required to check a person’s national ID card? Or will the entire nation adopt an Arizona-style law that requires law enforcement to examining the papers of people “reasonably suspected” of remaining in the country illegally?

The Democrats’ national ID plan raises all these questions and many more. My colleague Dan Griswold has the true answer:  To control the border, you must first reform immigration law.

Schumer and Graham on Immigration Reform: Why Not Do it Without the Biometric National ID?

There is much to commend in the op-ed on immigration reform that Senators Chuck Schumer (D-NY) and Lindsey Graham (R-SC) published in this morning’s Washington Post. Unfortunately, they lead with their worst idea: a biometric national ID card, mandatory for all American workers.

Here’s the good: “Americans overwhelmingly oppose illegal immigration and support legal immigration,” they say. “Throughout our history, immigrants have contributed to making this country more vibrant and economically dynamic.”

Their plan includes problem-solving proposals: “creating a process for admitting temporary workers” and “implementing a tough but fair path to legalization.” The latter would reduce the population of illegal aliens in the U.S.—good—and the former would reduce the need to enter illegally in the first place—also good.

Joined with the enhanced border security they propose, these ideas would address the immigration challenge as well as anyone knows how. (Details matter, and my colleagues will have more to say, I’m sure.)

But then there is their gratuitous national ID proposal for all American workers, and stepped up interior enforcement. “Interior enforcement” is a euphemism for “rounding up illegal workers” under some administrations and “raiding employers” under others.

This is the most specific Senator Schumer has ever been about his biometric national ID proposal, though he’s had it in mind since at least 2007. But it is hardly satisfactory, and the claim there will be no national ID database is almost certainly not true.

Here is the paragraph that captures the senators’ plan:

We would require all U.S. citizens and legal immigrants who want jobs to obtain a high-tech, fraud-proof Social Security card. Each card’s unique biometric identifier would be stored only on the card; no government database would house everyone’s information. The cards would not contain any private information, medical information, nor tracking devices. The card will be a high-tech version of the Social Security card that citizens already have.

I’ll parse the senators’ description of their national ID plan here. In a later post, I’ll examine how the Schumer-Graham biometric national ID stacks up in terms of privacy, cost, and other considerations. Of course, in the decade or two it will take to build this extravagant national identity system, we will learn much more than I can predict.

We would require all U.S. citizens and legal immigrants who want jobs to obtain a high-tech, fraud-proof Social Security card.

First, let there be no doubt that this is a national ID card. As I’ve written in past, a national ID has three characteristics: It is national—this is. It’s practically or legally required—this is. And it’s for identification—yep.

Students of card security will recognize one of the adjectives in the sentence as rather extravagant.  No, it’s not “high-tech”—that’s a throwaway. The extravagant claim is “fraud-proof.”

The senators may mean one of  three things, only one of which might be true. All three have to be true or their implication of a bullet-proof card system is false:

1) Impervious to fraud in issuance. Issuance is the weakest link in card security. Today at the hundreds and hundreds of DMVs across the country, ingenious young people (under 21—understand their motivation?) regularly submit identity documents falsely—siblings’ birth certificates or driver’s licenses, for example, or fake Social Security cards, utility bills, and such. Illegal aliens do too. Many DMV workers are gulls. Some can be made willing gulls for the right price. The same will be true of Social Security Administration workers. If the motivation is high enough, there is no practical way of making a national identity document fraud-proof in issuance.

2) Impervious to alteration. With various printing methods, secure card stocks, and encryption, card security is the easiest to do. It is possible to create a card that can’t be altered except at extraordinary expense.

3) Impervious to forgery. Odd though it may seem, technology does not govern whether a card can be forged—motivation does. Any card can can be forged if the price is right. Were a single card to provide entrée  to work in the United States, it’s virtually guaranteed that criminal enterprises would forge the physical card and defeat the digital systems they need to.

The idea of a “fraud-proof” card (in whatever sense the senators mean) sounds nice. But it doesn’t bear up under the stresses to be encountered by a national ID system that governs whether people can earn a living (and probably much more). During the decade or more that this system is being designed and implemented, new ways of attacking biometrics and encryption will emerge. A reasonably ”fraud-proof” card today is not still fraud-proof in 2020.

Each card’s unique biometric identifier would be stored only on the card; no government database would house everyone’s information.

It is possible to have a biometric card without a biometric database. The card would hold a digital description of the relevant biometric (such as fingerprint or iris scan). That algorithm would be compared by the card or by a reader to the person presenting it, determining wether it should be accepted as theirs.

The promise not to create a biometric database is a welcome one. The senators should require—in law—that the enrollment process and technology be fully open and transparent so that non-government technologists can ensure that the system does not secretly or mistakenly collect biometrics.

But the promise not to create a national identity database is almost certainly false.

Let’s review how an identity card is issued at a motor vehicle office today: People take the required documents to a DMV and hand them over. If the DMV accepts their documentation, the DMV creates a file about the person containing at least the material that will be printed on the card—including the person’s photograph. Then the DMV gives the person a card.

What would happen if DMVs didn’t keep this file? A couple of things—things that make the senators’ claim not to be creating a national identity database highly doubtful.

If there were no file and a card were lost or stolen, for example, the person would have to return to the card issuer again—with all the documents—and run through the entire process again. Because they have databases, DMVs today can produce a new ID and mail it to the address of record based on a phone call or Internet visit. (They each have their own databases—much better than a single database or databases networked together.)

If no file exists, multiple people could use the very same documents to create ID card after ID card after ID card in the same name but with different biometrics. Workers in the card issuing office could accept bribes with near impunity because there would be no documents proving that they had issued cards wrongly. Criminal use of the system would swamp it.

So that they can provide customer service, and for security reasons, state DMVs keep information about license holders, including a biometric of a sort—a photograph. Senators Schumer and Graham may think that they are designing a database-free biometric identity system—such a thing can exist—but the realities they confront will drive it to become a full-scale biometric national identity database.

The cards would not contain any private information, medical information, nor tracking devices.

This is a welcome pledge, and to fulfill it, they should bar—in law—the use of writeable chips or RFID chips. And there is no way to prevent the card itself from acting as a tracking device. It will be a pointer to private medical information, financial information, and much more.

Understand that the Social Security number is an identifier. It is already used in government, throughout the financial services system, and in much of health care to administer services and benefits, and to perform surveillance (both for good or for bad).

With a uniform biometric Social Security card in the hands of every worker, the card would be demanded at more and more points in society. Americans would have to present their national ID when they use credit cards, when they check into hotels, at bars, in airports, pharmacies, doctors’ offices, and so on.

A card may contain only a biometric algorithm and a Social Security number—unlikely though that may be. It will still act as a tracking device when it integrates with the card readers and databases that grow up around it.

The card will be a high-tech version of the Social Security card that citizens already have.

This claim—to be making a simple, sensible change to the Social Security card—is wrong. The biometric national identification scheme Senators Schumer and Graham propose is much, much more than a “high-tech” Social Security card. It’s the biggest, most difficult identity system ever proposed. It will take decades and tens or hundreds of billions of taxpayer dollars to build.

About the only similarity between today’s Social Security card and the biometric national ID card these senators propose is that they’re both rectangular.

In an earlier post, I called Senator Graham’s support of Schumer’s national ID plan inexplicable (before taking a stab at explaining it). Seeing the outline of their entire proposal, which would alleviate various pressures and begin a welcome transition back toward the rule of law in the immigration area, I am truly at a loss to understand why they would attach this grauitous and punitive plan to force law-abiding American citizens into a biometric national ID system.

Senators, why not do it without the national ID?