Tag: biometrics

Biometrics—and the Curious Relevance of Occupational Licensing

Yesterday, I testified (by remote communications) in the Alaska House of Representatives’ Health and Social Services Committee, which is considering a bill to heavily regulate the collection and use of biometrics. The bill is inspired by a man who was denied entry into the CPA exam when he refused to have his fingerprints scanned for that purpose. You can read more about his campaign at the PrivacyNOWalaska.org site.

I’m entirely sympathetic to his concerns about potential overcollection of biometrics in digital form, and what may happen to biometric data after it is collected. As I said in my testimony, “a digital record of a biometric can be stored indefinitely, copied an infinite number of times, and transmitted around the globe at the speed of light. This creates security and privacy concerns cutting against the use of machine-biometrics.” On the other hand, the CPA exam apparently has a problem with imposter fraud and faux test-takers who go simply to memorize questions and sell them on a test-prep black market.

Unfortunately, the bill is not calibrated to balance the competing interests at stake. It would create a “notice and consent” regime for biometrics collection, an idea that has failed to produce privacy protection in other areas. It would require massive and expensive re-tooling of data systems to provide consumers a right to amend or revoke their permission to use biometrics or order destruction of biometric data. And it would flatly outlaw marketing that uses biometric information—not just the stuff we learned to be spooked about in the film Minority Report, but knowingly agreed-to tailoring of discounts at the grocery store if we used a biometrically-secured payment system, for example.

I urged the Alaska legislators to ensure that biometrics collectors account for and prevent potential harm to Alaskans when they design and use their systems, but not to constrain biometrics so much that their security benefits never materialize.

There are a number of things Alaska and other states could do to help society calibrate the use of biometrics. They could ensure that biometrics collectors are liable and subject to jurisdiction in the state of collection when contract violations and harms arise from the use or misuse of biometric data.

Alaska could also establish that there is no “third-party doctrine” under its state constitution. A person sharing data under contractual or regulatory protections should maintain his or her search-and-seizure rights in that data. The government should not be able to access such data—though shared—without proper suspicion, warrants, and subpoenas.

Alaska has rejected the REAL ID Act, and it could do more to prevent the emergence of national identity systems by rejecting any E-Verify mandate. I encouraged the Alaskans to follow the lead of New Hampshire and bar state identity data from being shared with any national ID system.

The root of the problem in Alaska, though, may be the accountancy cartel. This is an area I know precious little about, but it appears that you must take the CPA exam to act as an accountant in the state. This positions the administrators of the CPA exam to make unreasonable, privacy-invasive demands for biometric data on a take-it-or-leave-it basis.

Oh what a tangled web we weave, when first we practise to … restrict the right to earn a living!

My testimony starts with a primer on biometrics. We have much to learn yet about biometric technologies, their uses, and their consequences. Banning them would deny the public many benefits. Using them promiscuously would have many costs.

Congress Pushes Biometrics

The Federal Trade Commission has no jurisdiction over government entities so when it looks with concern at the use of facial recognition technology, it’s looking at the private sector.

Facial recognition is only one of many biometric technologies, of course, and Congress is pushing hard for biometrics that can help track and control us for various purposes. If anyone should be looking with concern, it should be us looking at the federal government.

There are legitimate uses for biometrics, of course, and well-designed implementations will undoubtedly benefit us all. But biometrics programs implemented for the government will tend to prioritize hoovering up federal cash over striking delicate balances among cost, effectiveness, privacy, and civil liberties.

So let’s look at how Congress is pressing—and in one case insufficiently restraining—the rapid advance of biometrics.

H.R. 658, the FAA Reauthorization and Reform Act of 2011, has passed the House and awaits action in the Senate. It says that “improved pilot licenses” must be capable “of accommodating a digital photograph, a biometric identifier, and any other unique identifier that the Administrator considers necessary.”

H.R. 1690, the MODERN Security Credentials Act, establishes that air carriers, airport operators, and governments may not employ or contract for the services of a person who has been denied a TWIC card. “TWIC” stands for “Transportation Worker Identity Card,” the vain post-9/11 effort to secure transportation facilities from bad people. TWIC cards use biometrics.

The Army deploys biometrics. Public Law 112-10, the Department of Defense and Full-Year Continuing Appropriations Act, 2011 (cost per U.S. family: $13,500+) allowed spending on Army field operating agencies “established to improve the effectiveness and efficiencies of biometric activities and to integrate common biometric technologies throughout the Department of Defense.”

There are lots of biometrics plans in the immigration area. H.R. 1842 is an immigration bill called the Development, Relief, and Education for Alien Minors Act of 2011. (Senate version: S. 952) It would allow an otherwise qualified immigrant to get conditional permanent resident status only after submitting biometric and biographic data for use in security and law enforcement background checks. (Alternative procedures would be available for applicants unable to provide such data because of a physical impairment.)

S. 1258 does roughly the same thing with regard to any lawful immigration status. This bill is called the Comprehensive Immigration Reform Act of 2011, one of many attempts at comprehensive reform. In addition to requiring immigrants to submit biometrics, it also requires the government to issue “documentary evidence of lawful prospective immigrant status” that includes a digitized photograph and at least one other biometric identifier. The bill would also reinforce the use of biometrics in employer background checks and at the border.

H.R. 2463, the Border Security Technology Innovation Act of 2011, calls for continued study of mobile biometric technologies at the border. The Under Secretary for Science and Technology of the Department of Homeland Security would coordinate this research with other biometric identification programs within DHS.

H.R. 2895, the Legal Agricultural Workforce Act, would create a nonimmigrant agricultural worker program. In the program each nonimmigrant agricultural worker would get an identification card that contains biometric identifiers, including fingerprints and a digital photograph.

S. 1384, The HARVEST Act of 2011, is similar. In providing for the temporary employment of foreign agricultural workers, it calls for “a single machine-readable, tamper-resistant, and counterfeit-resistant document” that verifies the identity of the alien through the use of at least one biometric identifier.

There’s more than just immigration. Pursuing waste, fraud, and abuse, H.R. 3735, the Medicare Fraud Enforcement and Prevention Act of 2011, would establish a biometric technology pilot program. The five-year pilot program would use biometric technology seeking to ensure that Medicare beneficiaries “are physically present” when receiving items and services reimbursable under Medicare. How many biometric scanners would have to be out there for that to work?

S. 744, the Passport Identity Verification Act, calls on the Secretary of State to conduct a study into whether people applying for or renewing passports should provide biometric information, including photographs that facilitate the use of facial recognition technology. I bet the answer they get back is “Yes!” That’s how you build programs in the federal government: do a study, then a pilot program, and then—bingo—you’ve got a full-fledged, permanent drain on the public fisc.

Speaking of money, S. 1604, the Emergency Port of Entry Personnel and Infrastructure Funding Act of 2011, establishes a grant program in which the Department of Homeland Security would give cash out to state and local law enforcement for the purchase of various technologies including “biometric devices.”

I mentioned that there is a bill that would restrain biometrics insufficiently. H.R. 654 is the Do Not Track Me Online Act. It would direct the Federal Trade Commission to prescribe regulations regarding the collection and use of information obtained by tracking the Internet activity of an individual. The bill would treat unique biometric data, including fingerprints and retina scans, as “sensitive information” while allowing the FTC to modify its definitions.

And the FTC would have to modify the definitions because one’s face is unique biometric data, meaning that anyone who stores photographs online would be subject to regulation under the bill—oh, except the government.

The bill specifically excludes “the Federal Government or any instrumentality of the Federal Government, nor the government of any State or political subdivision of a State.” Too bad biometric sensors don’t pick up hypocrisy.

So there you have it. The Congress is quite engaged in pushing biometrics, including facial recognition. The one bill I found to restrain their use doesn’t apply to the federal government or the states. I’ll be keeping an eye on all this, while the government uses lasers and infra-red scanners to watch all of us….

Biometrics Collection = Risk Creation

Why shouldn’t the government collect biometric data unless absolutely necessary? Things like this can happen to it:

The stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis—including children—and detailed health information on individual citizens.

It’s a good, short write-up from Fast Company. Read the whole thing and pass it along.

Does Risk Management Counsel in Favor of a Biometric Traveler Identity System?

Writing on Reason’s Hit & Run blog, Robert Poole argues that the Transportation Security Administration should use a risk-based approach to security. As I noted in my recent “‘Strip-or-Grope’ vs. Risk Management” post, the Department of Homeland Security often talks about risk but fails to actually do risk management. Poole and I agree—everyone agrees—that DHS should use risk management. They just don’t.

With the pleasure of remembering our excellent 2005 Reason debate, “Transportation Security Aggravation,” I must again differ with Poole’s prescription, however.

Poole says TSA should separate travelers into three basic groups (quoting at length):

  1. Trusted Travelers, who have passed a background check and are issued a biometric ID card that proves (when they arrive at the security checkpoint) that they are the person who was cleared. This group would include cockpit crews, anyone holding a government security clearance, anyone already a member of the Department of Homeland Security’s Global Entry, Sentri, and Nexus, and anyone who applied and was accepted into a new Trusted Traveler program. These people would get to bypass regular security lanes upon having their biometric card checked at the airport, subject only to random screening of a small fraction.
  2. High-risk travelers, either those about whom no information is known or who are flagged by the various Department of Homeland Security (DHS) intelligence lists as warranting “Selectee” status. They would be the only ones facing body-scanners or pat-downs as mandatory, routine screening.
  3. Ordinary travelers—basically everyone else, who would go through metal detector and put carry-ons through 2-D X-ray machines. They would not have to remove shoes or jackets, and could travel with liquids. A small fraction of this group would be subject to random “Selectee”-type screening.

He believes, and has argued for years, that dividing “good guys” from “bad guys” will effectively secure. It’s certainly intuitive. Poole’s a good guy. I’m a good guy. You’re a good guy (in a non-gender-specific sense).

Knowing who people are works for us in everyday life: Because we can find people who borrow our stuff, for example—and because we know that we can be found—we husband our behavior and generally don’t steal things from each other, we, the decent people with a stake in society.

Poole’s thinking takes our common experience and scales it up to a national program. Capture people’s identities, link enough biography to those identities, and—voila!—we know who the good guys are and who are the (potential) bad.

But precisely what biographical information assures that a person is “good”? (The proposal is for government action: it would be a violation of due process to keep the criteria secret and an equal protection violation to unfairly divide good and bad.) How do we know a person hasn’t gone bad from the time that their goodness was established?

The attacker we face with air security measures is not among the decent cohort whose behavior is channeled by identification. That attacker’s path to mischief is nicely mapped out by Poole’s proposal: Get into the Trusted Traveler group, or find someone who can get in it. (It’s easy to know if you’re a part of it. They give you a card! You can also test the system to see if you’ve been designated “high-risk” or “ordinary.”)

With a Trusted Traveler positioned to do wrong, chances are good that he or she won’t be subjected to screening and can carry whatever dangerous articles onto a plane. The end result? Predictable gnashing of teeth and wailing about a “failure to connect the dots.”

All this is not to say that Poole’s plan should not be adopted. If he can convince an airline of its merits, and the airline can convince its shareholders, insurers, airports, and their customers, they should implement the program to their heart’s content. They should reap the economic gain, too, when they prove that they have found a way to better serve the public’s safety, convenience, privacy, and transportation needs.

It is the TSA that should not implement this program. Along with what are significant security defects, it is the creation of a program that the government might use to control access to other goods, services, and infrastructure throughout society. The TSA would migrate toward conditioning all travel on having a government-issued biometric identity card. Fundamentally, the government should not be making these decisions or operating airline security systems.

A very interesting paper surfaced by recent public attention to this issue predicts that annual highway deaths will increase (from an already significant number) by between 11 and 275 because of people’s avoidance of privacy-invasive airport procedures. But what caught my eye in it were the following numbers:

During the past decade, terrorist attacks, with respect to air travel in the United States, have occurred three times involving six aircraft. Four planes were hijacked on 9/11, the shoe bomber incident occurred in December 2001, and, most recently, the Christmas Day underwear bomber attempted an attack in 2009. In that same span of time, over 99 million planes took off and landed within the United States, carrying over 7 billion passengers.

Especially because 9/11’s “commandeering” attack on air travel has been essentially foreclosed by hardened cockpit doors and passenger/crew awareness, these numbers suggest the smallness of the chance that someone can elude worldwide investigatory pressure, prepare an explosive and detonator that actually work, smuggle both through conventional security, and successfully use them to take down a plane. It hasn’t happened in nearly 100 million flights.

This is not an argument to “let up” on security or to stop searching for measures that will cost-effectively drive the chance of attacker success even closer to zero. But more thorough risk management analysis than mine or Bob Poole’s would probably show that accepting the above risk is preferable to either delaying and invading the bodily privacy of travelers or creating a biometric identity and background-check system.

National Research Council Takes Biometrics Down a Notch

Late last month, the National Research Council released a book entitled Biometric Recognition: Challenges and Opportunities that exposes the many difficulties with biometric identification systems. Popular culture has portrayed biometrics as nearly infallible, but it’s just not so, the report emphasizes. Especially at scale, biometrics will encounter a lot of challenges, from engineering problems to social and legal considerations.

“[N]o biometric characteristic, including DNA, is known to be capable of reliably correct individualization over the size of the world’s population,” the report says (page 30). As with analog, in-person identification, biometrics produces a probabilistic identification (or exclusion), but not a certain one. Many biometrics change with time. Due to injury, illness, and other causes, a significant number of people do not have biometric characteristics like fingerprints and irises, requiring special accommodation.

At the scale often imagined for biometric systems, even a small number of false positives or false negatives (referred to in the report as false matches and false nonmatches) will produce considerable difficulties. “[F]alse alarms may consume large amounts of resources in situations where very few impostors exist in the system’s target population.” (page 45)

Consider a system that produces a false negative, excluding someone from access to a building, one time in a thousand. If there aren’t impostors attempting to defeat the biometric system on a regular basis, the managers of the system will quickly come to assume that the system is always mistaken when it produces a “nonmatch” and they will habituate to overruling the biometric system, rendering it impotent.
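The arithmetic behind the last two paragraphs, as an added example that is not part of the original post or the NRC report: it breaks the expected "nonmatch" alarms into false and real ones, and shows how the chance of a false match grows with the size of the database searched. The one-in-a-thousand false nonmatch rate is the figure used above; the false match rate, impostor fractions and gallery sizes are constructed for illustration, and the 1:N calculation assumes independent comparisons.

```python
import math


def nonmatch_alarm_breakdown(attempts, impostor_fraction, fnmr, fmr):
    """Expected makeup of the "nonmatch" alarms in a 1:1 verification system.

    fnmr: false nonmatch rate (a genuine user is rejected)
    fmr:  false match rate (an impostor is accepted)
    """
    genuine = attempts * (1.0 - impostor_fraction)
    impostors = attempts * impostor_fraction
    false_alarms = genuine * fnmr          # legitimate people turned away
    true_alarms = impostors * (1.0 - fmr)  # impostors correctly stopped
    missed = impostors * fmr               # impostors waved through
    total = false_alarms + true_alarms
    return {
        "false_alarms": false_alarms,
        "true_alarms": true_alarms,
        "missed_impostors": missed,
        # Share of alarms that point at a real impostor.
        "alarm_precision": true_alarms / total if total else 0.0,
    }


def prob_false_match_in_search(fmr, gallery_size):
    """Chance that a 1:N search for someone who is NOT enrolled still hits
    at least one record: 1 - (1 - fmr)^N, computed stably for tiny fmr."""
    return -math.expm1(gallery_size * math.log1p(-fmr))


if __name__ == "__main__":
    FNMR = 0.001  # "one time in a thousand", the figure from the text
    FMR = 0.001   # constructed value for illustration
    ATTEMPTS = 1_000_000

    print("impostor share   false alarms   real alarms   alarms that are real")
    for share in (0.0, 1e-6, 1e-4, 1e-2):  # constructed impostor fractions
        r = nonmatch_alarm_breakdown(ATTEMPTS, share, FNMR, FMR)
        print(f"{share:>14.0e}   {r['false_alarms']:>12.1f}   "
              f"{r['true_alarms']:>11.1f}   {r['alarm_precision']:>19.4%}")

    print()
    print("gallery size     P(at least one false match), FMR = 1e-6")
    for n in (1, 10_000, 1_000_000, 100_000_000):  # constructed sizes
        print(f"{n:>12,}     {prob_false_match_in_search(1e-6, n):.6f}")
```

When one attempt in a million is an impostor, roughly 999 of every 1,000 alarms are legitimate users, which is the condition under which operators learn to overrule the system.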

Context is everything. Biometric systems have to be engineered for particular usages, keeping the interests of the users and operators in mind, then tested and reviewed thoroughly to see if they are serving the purpose for which they’re intended. The report debunks the “magic wand” capability that has been imputed to biometrics: “[S]tating that a system is a biometric system or uses ‘biometrics’ does not provide much information about what the system is for or how difficult it is to successfully implement.” (page 60)

“Biometric Recognition: Challenges and Opportunities” is a follow-on to the 2003 National Research Council report, “Who Goes There?: Authentication Through the Lens of Privacy.” That was one of few resources on identification processes and policy when I was researching my book, Identity Crisis: How Identification is Overused and Misunderstood. (Mine is quite a bit more accessible than this new book, so if you’re interested in the field, you might want to start there.)

There is nothing inherently wrong with biometrics. They will have their place, and they will make their way into use. But the dream of a security silver bullet in biometrics is not to be. Identity-based security—using the knowledge of who people are for protection—is valuable and useful in day-to-day life, but it does not scale. National or world ID systems would not secure, but they would carry large costs denominated in both dollars and privacy.

Don’t BELIEVE the Hype—Though Unformed, the Democrats’ National ID Plan Is Rife With Threats to Privacy and Civil Liberties

Senate Democrats have solidified and given more definition to their plan to create a biometric national ID, the centerpiece of their immigration reform proposal. (For reasons unrelated to the national ID plan, Senator Lindsey Graham (R-SC) has dropped out of the picture for now.) The “Conceptual Proposal for Immigration Reform” they released last week gives much more detail to the sketchy plans I previously reviewed.

In my Cato Policy Analysis, “Electronic Employment Eligibility Verification: Franz Kafka’s Solution for Illegal Immigration,” I wrote about the possibility of a work authorization document limited to that purpose—and my doubts that the government would adopt one.

A credential such as eligibility for employment under [the immigration laws] can be proved without creating a nationwide biometric tracking scheme. In fact, templates already exist. But it is unlikely to see adoption… . [I]dentification and tracking … shift the risk of error in the card-issuance process from the government to the citizen… . [T]racking preserves government power. A work-eligibility and tracking system … makes the individual’s employment eligibility subject to revision at a later time, if the government wants to change the rules or adapt the system to new purposes, for example.

Those doubts are validated by this plan, which appears to be a full-fledged national ID and national biometric database. Assurances that it won’t be used for purposes beyond immigration control are not persuasive. This is national identity and surveillance infrastructure that will be “switched on” by later policy changes.

They’re calling it “BELIEVE,” short for “Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment.” They can call it that. We’ll study it, and give credence to what we learn.

The plan is confusing, disorganized, repetitive, and sometimes contradictory. Summarizing it is a little like trying to piece together the egg when all you have is the omelet, but three themes emerge: First, this summary backs away from an earlier claim that there would not be a biometric national identity database. There will be a national biometric database. Second, repeating the word “fraud-proof” does not make this national ID system fraud proof. Third, this national ID system definitely paves the way for uses beyond work authorization. This is the comprehensive national identity system that people across the ideological and political spectrum oppose.

The national ID part of the Democrats’ proposal begins at the bottom of page eight. It’s a veritable word-cloud, suggesting a violation of the rule of thumb that simple solutions are usually the best. But let’s look at it, line by line.

Not later than 18 months after the date of enactment of this proposal, the Social Security Administration will begin issuing biometric social security cards.

That’s pretty darn ambitious. Watch for any national ID plan to take several years to get started, decades to complete. The REAL ID Act—a simpler proposal than this one—has been law for five years and not a single compliant card has yet been issued. Not one.

These cards will be fraud-resistant, tamper-resistant, wear resistant, and machine-readable social security cards containing a photograph and an electronically coded micro-processing chip which possesses a unique biometric identifier for the authorized card-bearer.

All these things are easier said than done. And “fraud-resistant”? That’s unlikely. We won’t know until we see details.

The card will also possess the following characteristics:

We’ll take them in chunks.

(1) biometric identifiers, in the form of templates, that definitively tie the individual user to the identity credential;

Cards have biometrics today—low-tech ones like your picture and a copy of your signature printed on it. Here, “biometric identifiers” probably refers to machine-readable biometrics like fingerprints or iris scans. The card wouldn’t have an image of the biometric itself, but rather a mathematical description of its key features—the arches, loops, and whorls in your fingerprint and their distances from one another, for example. Research continues into how secure these algorithms are against future high-tech versions of identity fraud.

(2) electronic authentication capability;

This is pretty opaque, but it confirms again that the card will have a computer chip. “Authentication” is a word without a distinct meaning—what fact will be proven to whom, and how will it be proven? We have to learn more.

(3) ability to verify the individual locally without requiring every employer to access a biometric database; (4) offline verification capability (eliminating the need for 24-hour, 7-days-per-week online databases);

This is two ways of saying roughly the same thing. How will this goal be achieved? Without more information, the privacy and security issues are hard to assess. 

A freestanding ability to verify individuals without accessing a biometric database implies that there will be a biometric database, a likelihood I noted earlier.

(5) security features that protect the information stored on the card; (6) privacy protections that allow the user to control who is able to access the data on the card;

Security protects privacy so these two features are siblings if not one feature. But these opaque claims don’t tell us much at all. Knowing what exact card security features the plan envisions would allow an assessment of their quality. They could be anything from distributing RFID-chipped cards with a metallic sleeve that many users will lose or fail to use—almost no protection at all—to using a card that will only reveal data when the biometric of the authorized bearer is presented to the card.

The best protection for privacy and data security is not collecting people’s identity information in one place at all, nor organizing it uniformly on a card everyone must have. A technically secure national ID card isn’t privacy protective when the bearer is practically or legally required to release the information on it. Pushing card security as a privacy feature is like looking for your keys under a lamp post. The light may be better there, but you haven’t solved the privacy issues by securing the card.

(7) compliance with authentication and biometric standards recognized by domestic and international standards organizations.

This feature conflicts with the privacy claims in the previous bullet. Compliance with standards increases the likelihood that the national ID system will interoperate with other national governments’ systems and with corporate systems. Picture a future not too far off when every government collects and shares data on every citizen and foreigner using a consistent identity system. This is an efficiency feature with huge privacy and liberty costs for individuals.

The new biometric social security card shall enable the following outcomes:

One by one:

(1) permit the individual cardholder to control who can access their information;

This is the same as characteristic (6) above.

(2) allow electronic authentication of the credential to determine work authorization;

We got this from characteristic (2) above.

(3) possession of scalability of authentication capability depending on the requirement of the application.

This jargon cloud doesn’t mean anything discernible, but it does suggest that this national ID system is being designed for multiple uses. Let’s start with some terms:

“Scalability” is the idea that a technology still works well “at scale.” A system that works well with 10 users may not work well with 10,000, and a system that works well with 10,000 users may not work well with 10,000,000 or 100,000,000. So the idea here is that it will work well with many users. It’s not enough just to say that, of course. We should know specifically how it would meet the challenges of scale.

“Authentication”—again, a poorly defined term—means adequately proving some fact, such as a person’s identity, his or her work authorization, and so on.

“Application”—another favorite word in the tech lingo—simply means “use.” A hammer has many different applications: pounding in nails, denting metal, bonking intruders on the head, and so on.

So the sentence translates roughly to: “The card system will handle large numbers of people no matter what it’s used for.”

That’s telling, because the next line in the plan claims that the system will only be used for work authorization. If it’s only used for work authorization, why would it need to handle large scale for other authorization applications?

Possession of a fraud-proof social security card will only serve as evidence of lawful work-authorization but will in no way be permitted to serve—or shall be required to be shown—as proof of citizenship or lawful immigration status.

Repeat: If this is true, why does the card work at scale for other authorization applications?

The use of the word “permitted” suggests that the card will be capable of other uses, but such uses will be barred by law. Once again, if the plan is to use the cards only for work authorization, why not design the cards to serve only that purpose and no other?

And there’s “fraud-proof” again. The plan says little or nothing about what makes the card fraud-proof. In my earlier assessment of the national ID plan as it stood then, I discussed the three different meanings the concept of “fraud-proof” may have in an identity system, and the difficulties of achieving all three.

It will be unlawful for any person, corporation; organization local, state, or federal law enforcement officer; local or state government; or any other entity to require or even ask an individual cardholder to produce their social security card for any purpose other than electronic verification of employment eligibility and verification of identity for Social Security Administration purposes.

Confirmed: This will be a multi-purpose identity card. Most of the public will be barred by law from asking for the cards, but it will perform “verification of identity for Social Security Administration purposes.” That means, at the very least, that it can display Social Security Number and probably name. It will be convertible to lots of other purposes when mission creep takes hold.

Legal rules against using the card for new purposes don’t mean very much. If you create a system with rules like that in place, they might be in place for a while, but policymakers will think of new uses for the card, people and organizations will use the card unlawfully for a while, and the weight of these “misuses” will break down the legal barriers. The national ID system created for one limited purpose will be “switched on” and it will become the full-scale surveillance device that freedom-loving Americans abhor.

No personal information will be stored on the electronic chip contained within the social security card other than the individual’s name, date of birth, social security number, and unique biometric identifier.

What more do you need? Presenting these identifiers allows organizations, public and private, to easily identify people distinctly in their data stores. Highly accurate tracking systems will grow up around this identity system, many of which provide convenience and other benefits, but the sum total of which will be a federal-government-fostered surveillance society.

And, by the way, an encrypted work authorization (see below) can act as an identifier—that’s more personal information—unless the card’s design takes some very impressive steps to prevent that.

Under no circumstances will any other information, including medical information or position-tracking information, be contained within the card.

This is nice protection—and if it’s a bar on radio frequency identification, fine—but putting these protections in law is rather quaint. A bar on additional data going on the card may hold up for a few decades, but it will ultimately give way to new demands for data on the card to fix some new policy problem.

And, remember, the card itself is not the only source of privacy concern. The card will facilitate highly accurate record-keeping about people’s locations when they use the cards. Location tracking may not be integral to the card, but the card will be integral to location tracking.

The Secretary of Homeland Security shall work with other agencies to secure enrollment locations at sites operated by the federal government.

Yes, you need to secure enrollment facilities or people will break in and steal equipment and data. I’m not impressed that DHS will be involved in providing physical security to SSA, and I bet SSA isn’t either.

Prior to issuing an individual a new fraud-proof social security card, the Social Security Administration will be required to verify the individual’s identity and employment eligibility by asking for production of acceptable documents to be provided by the individual as proof of identity and employment eligibility.

Yes, that’s how you do it. This is the step in the card issuance process that is probably the weakest. Forgery and corruption attacks are a function of the value to which the card controls access.

(Again with the unsubstantiated “fraud-proof”!)

The Secretary of Homeland Security will work with the Commissioner of the Social Security Administration to verify non-citizens’ employment authorization.

As they must. DHS has the info on naturalized citizens and non-citizens legally in the country.

SSA will also be required to engage in background screening verification techniques currently used by private corporations that use publicly available information that can be derived from the individual’s social security number.

This is a new one—doing database background checks on applicants for the new national ID. Rather than using only the documents proffered by the applicant for the card, the Social Security Administration would look up the claimed SSN of the applicant and see if his or her story checks out. For example, the system might compare the address claimed by the applicant to addresses that are found in public or private records. (“Publicly available” is ambiguous.)

This is a way of reducing fraud in the issuance of cards. (Mind you, it doesn’t make the process “fraud-proof!”) But it also raises new issues, particularly if the background check on the applicant will be run against private commercial data. The DHS Privacy Committee has twice issued cautionary documents about using commercial data in government applications. There are many issues, including privacy and due process, if indeed the intent is to use private databases to run background checks on applicants for a government benefit.

An administrative adjudication process can be invoked in the event that an individual is unable to establish his or her identity or lawful immigration status. Adverse decisions can be reviewed in the federal courts.

You’re gonna need it. The full range of appeals will be required if this card indeed will be used to control access to work. Some important decisions have to be made about whether a person can work while their appeal is pending. If an appeal fails, should the appellant be arrested and deported as a presumptive illegal immigrant? Expect to see stories of people who lack documentation and fixed addresses—the very poor, recovering drug addicts, and so on—who cannot prove their existence to the SSA or who don’t pass their background checks. They will find themselves unable to work because their government has denied them an officially recognized identity.

There will be a multi-stage process of re-verification if an individual claims he lost his previously issued fraud-proof social security card to ensure that there is no identity-theft or unlawful collaboration of identity.

I noted in my previous analysis that a database-free identity system is very difficult to administer, such as for replacing lost cards. The plan to address this challenge is unclear. Someone who has lost a card will have to return to the SSA and take part in this “multi-stage process of re-verification”—whatever it is—perhaps waiting to work until it has been completed. I have no idea what “unlawful collaboration of identity” is.

There will also be a multi-stage process for resolution of proper identity if an individual claims an identity tied to a social security number that has been claimed by another individual.

More undefined but “multi-stage” processes, this time for when a person comes to the Social Security Administration and finds that someone else has already claimed the same identity. Will they be able to work during the pendency of their “multi-stage” processing?

Tough penalties will be put in place for fraud in procurement of a fraud-proof social security card.

This raises a metaphysical question: Can there be fraud in a “fraud-proof” card? Of course there can. There is no fraud-proof card, which is why you have to penalize fraud, hoping to suppress it.

The same penalties shall apply for conspiracy to commit fraud if false information is intentionally provided.

Let’s spend just a moment on the capacity of criminal penalties to suppress fraud. It’s easy for people like us—wealthy and highly educated—to assume from the comfort of our offices that criminal penalties will suppress fraud. After all, prison looks pretty awful compared to an office. But an illegal immigrant has a different calculus. Going to jail and getting “three hots and a cot” is not a bad outcome compared to repatriation to a life of hunger and political instability in one’s home country. Committing fraud in the interest of “legitimate” work is preferable to theft or violence aimed at getting money and food here. Criminal penalties won’t suppress fraud as well as many might imagine.

Employers hiring workers in the future will be required to use the newly created Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment (BELIEVE) System as a means of verification. There will be strict employer penalties for failure to participate in the BELIEVE system after being notified of a requirement to do so by the Secretary of Homeland Security or after the BELIEVE system has been fully implemented nationwide such that it is required to be used by all employers.

E-Verify has too many problems. Renaming it will help!

Prospective employees will present a machine-readable, fraud proof, biometric Social Security card to their employers, who will swipe the cards through a card-reader to confirm the cardholder’s identity and work authorization.

More than two pages into the summary, we’re back to the basics of the card and what it does. We already know that the card is not fraud proof. What’s new here is that employers will have to have card readers—an additional inconvenience, expense, and barrier to hiring new employees.

What this fails to mention is that the machine will have to be able to process machine biometrics—fingerprint reading or iris scanning, for example. These are not inexpensive machines, their use will probably require training, and they must have very high accuracy in all conditions or they will produce a mountainous administrative burden on employers and workers.

We also learn from this—again—that this will not be a simple work authorization system, but a national identity system. Running the card through a machine (and checking the bearer’s biometrics) will reveal identity.

Again, we’re looking at mission creep: With all these cards and machines in place, able to prove identity, why wouldn’t they be applied to new purposes like airline security? Checking in at hotels? Confirming identity at office building entrances? Administration of government benefits? Proof of identity in credit card transactions? Night and weekend access to office buildings and parking lots? Traffic stops?

The cardholder’s work authorization will be verified by matching a digital encryption key contained within the card to a digital encryption key contained within the work authorization database being searched.

Here’s a new notion—the use of encryption. But how encryption would be used is far from clear. Presumably, a signal that the bearer of the card is work authorized (referred to here as an “encryption key”) would be released by the card and matched against information (also referred to as an “encryption key”) in a database. It is highly doubtful that either item of data is actually an encryption key, as an encryption key is the code used to encrypt or decrypt the information you are trying to work with. Most likely, work authorization data will be encrypted on the card. Somehow or another, once presented, that encrypted data will be decrypted and show that the bearer of the card is work authorized.

This contradicts statements above saying that the system won’t require access to a central database. Perhaps it envisions public key encryption, in which a private key scrambles the work authorization data and a public key de-scrambles it. I doubt that PKI is up to this. If the private key were released or reverse-engineered, the system would fail because forgery of work authorizations would then be easy.

This project has a long way to go before it articulates a card system that can securely confirm work authorization without connecting to a database.
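
The offline check discussed above, together with the earlier remark that an encrypted work authorization can itself act as an identifier, sketched as an added example (not taken from the bill summary or from any real card design). It assumes the two “keys” are really an issuer signature over the card record, substitutes textbook RSA with toy-sized constructed primes for a real signature scheme, and uses hypothetical names and records throughout.

```python
import hashlib
import json

# Toy issuer key, constructed for this example and far too small for real use:
# the primes are the Mersenne primes 2**127-1 and 2**107-1.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                              # public modulus, baked into every reader
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the issuer


def _digest(record: dict) -> int:
    """Hash the canonical JSON form of a card record into the range of N."""
    blob = json.dumps(record, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def issue_card(record: dict, private_exp: int = D) -> dict:
    """Issuer side: sign the record. Whoever holds private_exp can do this."""
    return {"record": record, "sig": pow(_digest(record), private_exp, N)}


def reader_verify(card: dict, revoked_sigs: frozenset = frozenset()) -> str:
    """Employer's reader: offline check using only the public key (N, E)."""
    if pow(card["sig"], E, N) != _digest(card["record"]):
        return "reject: bad signature"
    if card["sig"] in revoked_sigs:    # only works if a list is pushed to readers
        return "reject: revoked"
    if not card["record"]["work_authorized"]:
        return "reject: not authorized"
    return "accept"


def card_handle(card: dict) -> str:
    """What any reader could log: the signature is the same bytes at every
    presentation, so it is a stable identifier for the cardholder."""
    return hashlib.sha256(str(card["sig"]).encode()).hexdigest()[:16]


# Constructed sample records (hypothetical people and numbers).
genuine = issue_card({"name": "A. Worker", "dob": "1980-01-01", "ssn": "000-00-0001",
                      "bio_hash": "ab12", "work_authorized": True})
# Same signature, edited record: the alteration case.
altered = {"record": dict(genuine["record"], name="B. Other"), "sig": genuine["sig"]}
# Card produced by a party that has obtained the issuer's private exponent.
minted = issue_card({"name": "C. Nobody", "dob": "1990-02-02", "ssn": "000-00-0002",
                     "bio_hash": "cd34", "work_authorized": True}, private_exp=D)

if __name__ == "__main__":
    print("genuine card:        ", reader_verify(genuine))
    print("altered card:        ", reader_verify(altered))
    print("leaked-key card:     ", reader_verify(minted))
    print("after revocation:    ", reader_verify(minted, frozenset({minted["sig"]})))
    print("handle at employer 1:", card_handle(genuine))
    print("handle at employer 2:", card_handle(genuine))
```

The reader rejects an altered record but cannot tell a card signed with a leaked issuer key from a genuine one, and the only remedy shown, a revocation list, is itself data that has to be distributed from a central store.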

The cardholder’s identity will be verified by matching the biometric identifier stored within the micro-processing chip on the card to the identifier provided by the cardholder that shall be read by the scanner used by the employer.

This is confirmation that it is not just a card reader, but a biometric reader. It is also confirmation that the system will confirm identity, not just work authorization. Prepare for mission creep.

Two-and-a-half pages of summary information reveal little more than the wall of complexities behind the Democrats’ plan for a national identity system. It repeats as an incantation the words “fraud-proof” even while it admits that criminal penalties are needed to tamp down fraud. The summary ratchets back from the dubious claim made earlier that there wouldn’t be a national biometric database—there almost certainly would be. The summary confirms that the card system would be used to confirm identity, not just work authorization. That sets it up for mission creep—expansion to new uses and data collections that plunge us into a surveillance society.

Indeed the mission creep begins with this very plan. When employer sanctions don’t sweep the country clean of visa overstayers, these ID cards will be used to hunt them down inside the country. From page five:

In addition to increasing border enforcement, this proposal will substantially enhance our capabilities to detect, apprehend, and remove persons who entered the United States unlawfully and persons who entered lawfully on temporary visas but failed to leave the country when designated.

Will these removal plans be carried out through a system of checkpoints at which all Americans have to present their national ID card? Will private providers of financial services, health care, housing, or retailing be required to check a person’s national ID card? Or will the entire nation adopt an Arizona-style law that requires law enforcement to examine the papers of people “reasonably suspected” of remaining in the country illegally?

The Democrats’ national ID plan raises all these questions and many more. My colleague Dan Griswold has the true answer: To control the border, you must first reform immigration law.

Schumer and Graham on Immigration Reform: Why Not Do it Without the Biometric National ID?

There is much to commend in the op-ed on immigration reform that Senators Chuck Schumer (D-NY) and Lindsey Graham (R-SC) published in this morning’s Washington Post. Unfortunately, they lead with their worst idea: a biometric national ID card, mandatory for all American workers.

Here’s the good: “Americans overwhelmingly oppose illegal immigration and support legal immigration,” they say. “Throughout our history, immigrants have contributed to making this country more vibrant and economically dynamic.”

Their plan includes problem-solving proposals: “creating a process for admitting temporary workers” and “implementing a tough but fair path to legalization.” The latter would reduce the population of illegal aliens in the U.S.—good—and the former would reduce the need to enter illegally in the first place—also good.

Joined with the enhanced border security they propose, these ideas would address the immigration challenge as well as anyone knows how. (Details matter, and my colleagues will have more to say, I’m sure.)

But then there is their gratuitous national ID proposal for all American workers, and stepped up interior enforcement. “Interior enforcement” is a euphemism for “rounding up illegal workers” under some administrations and “raiding employers” under others.

This is the most specific Senator Schumer has ever been about his biometric national ID proposal, though he’s had it in mind since at least 2007. But it is hardly satisfactory, and the claim there will be no national ID database is almost certainly not true.

Here is the paragraph that captures the senators’ plan:

We would require all U.S. citizens and legal immigrants who want jobs to obtain a high-tech, fraud-proof Social Security card. Each card’s unique biometric identifier would be stored only on the card; no government database would house everyone’s information. The cards would not contain any private information, medical information, nor tracking devices. The card will be a high-tech version of the Social Security card that citizens already have.

I’ll parse the senators’ description of their national ID plan here. In a later post, I’ll examine how the Schumer-Graham biometric national ID stacks up in terms of privacy, cost, and other considerations. Of course, in the decade or two it will take to build this extravagant national identity system, we will learn much more than I can predict.

We would require all U.S. citizens and legal immigrants who want jobs to obtain a high-tech, fraud-proof Social Security card.

First, let there be no doubt that this is a national ID card. As I’ve written in the past, a national ID has three characteristics: It is national—this is. It’s practically or legally required—this is. And it’s for identification—yep.

Students of card security will recognize one of the adjectives in the sentence as rather extravagant. No, it’s not “high-tech”—that’s a throwaway. The extravagant claim is “fraud-proof.”

The senators may mean one of three things, only one of which might be true. All three have to be true or their implication of a bullet-proof card system is false:

1) Impervious to fraud in issuance. Issuance is the weakest link in card security. Today at the hundreds and hundreds of DMVs across the country, ingenious young people (under 21—understand their motivation?) regularly submit identity documents falsely—siblings’ birth certificates or driver’s licenses, for example, or fake Social Security cards, utility bills, and such. Illegal aliens do too. Many DMV workers are gulls. Some can be made willing gulls for the right price. The same will be true of Social Security Administration workers. If the motivation is high enough, there is no practical way of making a national identity document fraud-proof in issuance.

2) Impervious to alteration. With various printing methods, secure card stocks, and encryption, card security is the easiest to do. It is possible to create a card that can’t be altered except at extraordinary expense.

3) Impervious to forgery. Odd though it may seem, technology does not govern whether a card can be forged—motivation does. Any card can be forged if the price is right. Were a single card to provide entrée to work in the United States, it’s virtually guaranteed that criminal enterprises would forge the physical card and defeat the digital systems they need to.

The idea of a “fraud-proof” card (in whatever sense the senators mean) sounds nice. But it doesn’t bear up under the stresses to be encountered by a national ID system that governs whether people can earn a living (and probably much more). During the decade or more that this system is being designed and implemented, new ways of attacking biometrics and encryption will emerge. A reasonably “fraud-proof” card today is not still fraud-proof in 2020.

Each card’s unique biometric identifier would be stored only on the card; no government database would house everyone’s information.

It is possible to have a biometric card without a biometric database. The card would hold a digital description of the relevant biometric (such as fingerprint or iris scan). That algorithm would be compared by the card or by a reader to the person presenting it, determining whether it should be accepted as theirs.

The promise not to create a biometric database is a welcome one. The senators should require—in law—that the enrollment process and technology be fully open and transparent so that non-government technologists can ensure that the system does not secretly or mistakenly collect biometrics.

But the promise not to create a national identity database is almost certainly false.

Let’s review how an identity card is issued at a motor vehicle office today: People take the required documents to a DMV and hand them over. If the DMV accepts their documentation, the DMV creates a file about the person containing at least the material that will be printed on the card—including the person’s photograph. Then the DMV gives the person a card.

What would happen if DMVs didn’t keep this file? A couple of things—things that make the senators’ claim not to be creating a national identity database highly doubtful.

If there were no file and a card were lost or stolen, for example, the person would have to return to the card issuer again—with all the documents—and run through the entire process again. Because they have databases, DMVs today can produce a new ID and mail it to the address of record based on a phone call or Internet visit. (They each have their own databases—much better than a single database or databases networked together.)

If no file exists, multiple people could use the very same documents to create ID card after ID card after ID card in the same name but with different biometrics. Workers in the card issuing office could accept bribes with near impunity because there would be no documents proving that they had issued cards wrongly. Criminal use of the system would swamp it.

So that they can provide customer service, and for security reasons, state DMVs keep information about license holders, including a biometric of a sort—a photograph. Senators Schumer and Graham may think that they are designing a database-free biometric identity system—such a thing can exist—but the realities they confront will drive it to become a full-scale biometric national identity database.

The cards would not contain any private information, medical information, nor tracking devices.

This is a welcome pledge, and to fulfill it, they should bar—in law—the use of writeable chips or RFID chips. And there is no way to prevent the card itself from acting as a tracking device. It will be a pointer to private medical information, financial information, and much more.

Understand that the Social Security number is an identifier. It is already used in government, throughout the financial services system, and in much of health care to administer services and benefits, and to perform surveillance (both for good and for bad).

With a uniform biometric Social Security card in the hands of every worker, the card would be demanded at more and more points in society. Americans would have to present their national ID when they use credit cards, when they check into hotels, at bars, in airports, pharmacies, doctors’ offices, and so on.

A card may contain only a biometric algorithm and a Social Security number—unlikely though that may be. It will still act as a tracking device when it integrates with the card readers and databases that grow up around it.

The card will be a high-tech version of the Social Security card that citizens already have.

This claim—to be making a simple, sensible change to the Social Security card—is wrong. The biometric national identification scheme Senators Schumer and Graham propose is much, much more than a “high-tech” Social Security card. It’s the biggest, most difficult identity system ever proposed. It will take decades and tens or hundreds of billions of taxpayer dollars to build.

About the only similarity between today’s Social Security card and the biometric national ID card these senators propose is that they’re both rectangular.

In an earlier post, I called Senator Graham’s support of Schumer’s national ID plan inexplicable (before taking a stab at explaining it). Seeing the outline of their entire proposal, which would alleviate various pressures and begin a welcome transition back toward the rule of law in the immigration area, I am truly at a loss to understand why they would attach this gratuitous and punitive plan to force law-abiding American citizens into a biometric national ID system.

Senators, why not do it without the national ID?