Tag: Identity

Power Arrangements in Identity Systems

Since the launch of the Sovrin Foundation, Phil Windley has been blogging a lot (no, reallya lot and more, more, more, more, and more) about how self-sovereign identity works and can be used. His most interesting and accessible post for a liberty-minded identity-layperson might be “On Sovereignty,” in which he briefly lays out what it means to have a “self-sovereign” identity.

Sovereignty over your identity doesn’t mean having complete control over information about yourself, but it puts you in a peer relationship with others, including the larger organizations we deal with, such as governments. “The beauty of sovereignty,” Phil emphasizes, is the “balance of power that leads to negotiations about the nature of the relationships between various entities in the system.” I want to expand on this notion that there are power arrangements in identity systems.

In a centralized identity system, the identity provider (such as your Department of Motor Vehicles) determines whether you can assert information and what you can assert. Centralized systems also often share information about you, or facilitate such sharing, whether you want them to or not. Implementation of the REAL ID Act would essentially move these powers from state governments to the U.S. Department of Homeland Security.

A self-sovereign identity system, on the other hand, gives you power to assert information about yourself, which others may accept or reject. It also better positions you to decline to share information about yourself. Those powers are important.

“Power” is an elusive concept. We’re more familiar with talking about power in terms of political and legal arrangements, such as how the Constitution gives certain powers to the U.S. federal government or denies all U.S. governments other powers. But absent these rules, “pre-political” power is simply the ability to do something or act in a particular way, or the capacity to direct or influence the behavior of others or the course of events. Power comes down to what resources you can bring to bear in going after what you want.

The Boundaries of Westphalia

The Peace of Westphalia in the mid-17th Century established the idea of state sovereignty. Under Westphalian principles, each state has exclusive authority over its territory and domestic affairs.  That’s been pretty good for kings, ruling elites, and the lucky few who live in top-class democracies or benevolent dictatorships.

But Westphalia is on the way out. Individual sovereignty is coming in.

Territorial state sovereignty is just one way to organize human affairs. It was probably an improvement on constant tribal war, but it’s not the last step in political evolution. It’s exciting to see how the boundaries of Westphalia can be surpassed in favor of individual empowerment. People are increasingly able to conduct their intellectual affairs—speaking, transacting, and so on—without reference to nation-states.

I’m reminded of this far-sighted (or far-out) notion by a relatively practical observation from identity expert and former Utah CIO Phil Windley. In “Self-Sovereign Identity and Legal Identity” Phil says:

We’ve finally gotten to a place where self-sovereign identities are technically possible. This is a huge milestone. The next hurdle is getting organizations, including governments to allow the use of self-sovereign identities as the basis for their administrative identities.

Facebook as Identity Provider

It might take Facebook awhile to turn identity provision into a revenue opportunity, but if it is a money-maker, it could be a substantial one. Simson Garfinkel has a piece in Technology Review that goes into some of the things Facebook is doing with its “Connect” service.

As security professionals debate whether the Internet needs an “identity layer”—a uniform protocol for authenticating users’ identities—a growing number of websites are voting with their code, adopting “Facebook Connect” as a way for anyone with a Facebook account to log into the site at the click of a button.

It’s a good, relatively short article, worth a read.

As an online identity provider, Facebook could facilitate secure commerce and communication in a way that’s easy and familiar for consumers. That adds value to the Internet ecosystem, and Facebook may be able to extract some of the surplus for itself—perhaps by charging sites and services that are heavy users small amounts per login via Connect. The security challenges of such a system would grow as more sites and services rely on it, of course, and Garfinkel highlights them in an accessible way—accessible as you’re going to get, anyway.

Quibbles are always more interesting, so I’ll note that I cocked my head to one side where Garfinkel asks “whether it’s a good thing for one company to hold such a position of power.” Strange.

Taking “power” in its philosophical sense to mean “a measure of an entity’s ability to control its environment, including the behavior of other entities,” Facebook Connect gives the company very little power. Separate, per-site logins—or a parallel service that might be created by Google, for example—are near at hand and easy to switch to for anyone who doesn’t like Facebook’s offering.

Ironically, Garfinkel refers to these identity services as “Internet driver’s licenses,” inviting a comparison with the power structure in the real-world licensing area. If you want to drive a car legally, there are no alternatives to dealing with the state, so the state can impose onerous conditions on licensing. Drivers’ licenses require one to share a great deal of information, they cost a lot of money (relative to Facebook’s dollar price of “free”), and switching is not an option if the issuer starts to change the bargain and enroll licensees in a national ID system. Garfinkel himself noted how drivers’ licenses enhance state power in a good 1994 Wired article.

In sum, the upsides of an identity marketplace are there, for both consumers and for Facebook. The downsides are relatively small. The “power” exercised by any provider in a marketplace for identity provision is small compared to the alternative of using states as identity providers.

PATRIOT Powers: Roving Wiretaps

Last week, I wrote a piece for Reason in which I took a close look at the USA PATRIOT Act’s “lone wolf” provision—set to expire at the end of the year, though almost certain to be renewed—and argued that it should be allowed to lapse. Originally, I’d planned to survey the whole array of authorities that are either sunsetting or candidates for reform, but ultimately decided it made more sense to give a thorough treatment to one than trying to squeeze an inevitably shallow gloss on four or five complex areas of law into the same space. But the Internets are infinite, so I’ve decided I’d turn the Reason piece into Part I of a continuing series on PATRIOT powers.  In this edition: Section 206, roving wiretap authority.

The idea behind a roving wiretap should be familiar if you’ve ever watched The Wire, where dealers used disposable “burner” cell phones to evade police eavesdropping. A roving wiretap is used when a target is thought to be employing such measures to frustrate investigators, and allows the eavesdropper to quickly begin listening on whatever new phone line or Internet account his quarry may be using, without having to go back to a judge for a new warrant every time. Such authority has long existed for criminal investigations—that’s “Title III” wiretaps if you want to sound clever at cocktail parties—and pretty much everyone, including the staunchest civil liberties advocates, seems to agree that it also ought to be available for terror investigations under the Foreign Intelligence Surveillance Act. So what’s the problem here?

 

To understand the reasons for potential concern, we need to take a little detour into the differences between electronic surveillance warrants under Title III and FISA. The Fourth Amendment imposes two big requirements on criminal warrants: “probable cause” and “particularity”. That is, you need evidence that the surveillance you’re proposing has some connection to criminal activity, and you have to “particularly [describe] the place to be searched and the persons or things to be seized.” For an ordinary non-roving wiretap, that means you show a judge the “nexus” between evidence of a crime and a particular “place” (a phone line, an e-mail address, or a physical location you want to bug). You will often have a named target, but you don’t need one: If you have good evidence gang members are meeting in some location or routinely using a specific payphone to plan their crimes, you can get a warrant to bug it without necessarily knowing the names of the individuals who are going to show up. On the other hand, though, you do always need that criminal nexus: No bugging Tony Soprano’s AA meeting unless you have some reason to think he’s discussing his mob activity there. Since places and communications facilities may be used for both criminal and innocent persons, the officer monitoring the facility is only supposed to record what’s pertinent to the investigation.

When the tap goes roving, things obviously have to work a bit differently. For roving taps, the warrant shows a nexus between the suspected crime and an identified target. Then, as surveillance gets underway, the eavesdroppers can go up on a line once they’ve got a reasonable belief that the target is “proximate” to a location or communications facility. It stretches that “particularity” requirement a bit, to be sure, but the courts have thus far apparently considered it within bounds. It may help that they’re not used with great frequency: Eleven were issued last year, all to state-level investigators, for narcotics and racketeering investigations.

Surveillance law, however, is not plug-and-play. Importing a power from the Title III context into FISA is a little like dropping an unfamiliar organism into a new environment—the consequences are unpredictable, and may well be dramatic. The biggest relevant difference is that with FISA warrants, there’s always a “target”, and the “probable cause” showing is not of criminal activity, but of a connection between that target and a “foreign power,” which includes terror groups like Al Qaeda. However, for a variety of reasons, both regular and roving FISA warrants are allowed to provide only a description of the target, rather than the target’s identity. Perhaps just as important, FISA has a broader definition of the “person” to be specified as a “target” than Title III. For the purposes of criminal wiretaps, a “person” means any “individual, partnership, association, joint stock company, trust, or corporation.” The FISA definition of “person” includes all of those, but may also be any “group, entity, …or foreign power.” Some, then, worry that roving authority could be used to secure “John Doe” warrants that don’t specify a particular location, phone line, or Internet account—yet don’t sufficiently identify a particular target either. Congress took some steps to attempt to address such concerns when they reauthorized Section 206 back in 2005, and other legislators have proposed further changes—which I’ll get to in a minute. But we actually need to understand a few more things about the peculiarities of FISA wiretaps to see why the risk of overbroad collection is especially high here.

In part because courts have suggested that the constraints of the Fourth Amendment bind more loosely in the foreign intelligence context, FISA surveillance is generally far more sweeping in its acquisition of information. In 2004, the FBI gathered some 87 years worth of foreign language audio recordings alone pursuant to FISA warrants. As David Kris (now assistant attorney general for the Justice Department’s National Security Division) explains in his definitive text on the subject, a FISA warrant typically “permits aquisition of nearly all information from a monitored facility or a searched location.” (This may be somewhat more limited for roving taps; I’ll return to the point shortly.) As a rare public opinion from the FISA Court put it in 2002: “Virtually all information seized, whether by electronic surveillance or physical search, is minimized hours, days, or weeks after collection.” The way this is supposed to be squared with the Fourth Amendment rights of innocent Americans who may be swept up in such broad interception is via those “minimization” procedures, employed after the fact to filter out irrelevant information.

That puts a fairly serious burden on these minimization procedures, however, and it’s not clear that they well bear it. First, consider the standard applied. The FISA Court explains that “communications of or concerning United States persons that could not be foreign intelligence information or are not evidence of a crime… may not be logged or summarized” (emphasis added). This makes a certain amount of sense: FISA intercepts will often be in unfamiliar languages, foreign agents will often speak in coded language, and the significance of a particular statement may not be clear initially. But such a deferential standard does mean they’re retaining an awful lot of data. And indeed, it’s important to recognize that “minimization” does not mean “deletion,” as the Court’s reference to “logs” and “summaries” hints. Typically intercepts that are “minimized” simply aren’t logged for easy retrieval in a database. In the 80s, this may have been nearly as good for practical purposes as deletion; with the advent of powerful audio search algorithms capable of scanning many hours of recording quickly for particular words or voices, it may not make much difference. And we know that much more material than is officially “retained” remains available to agents. In the 2003 case U.S. v. Sattar, pursuant to FISA surveillance, “approximately 5,175 pertinent voice calls .. were not minimized.”  But when it came time for the discovery phase of a criminal trial against the FISA targets, the FBI “retrieved and disclosed to the defendants over 85,000 audio files … obtained through FISA surveillance.”

Cognizant of these concerns, Congress tried to add some safeguards in 2005 when they reauthorized the PATRIOT Act. FISA warrants are still permitted to work on descriptions of a target, but the word “specific” was added, presumably to reinforce that the description must be precise enough to uniquely pick out a person or group. They also stipulated that eavesdroppers must inform the FISA Court within ten days of any new facility they eavesdrop on, and explain the “facts justifying a belief that the target is using, or is about to use, that new facility or place.”

Better, to be sure; but without access to the classified opinions of the FISA Court, it’s quite difficult to know just what this means in practice. In criminal investigations, we have a reasonable idea of what the “proximity” standard for roving taps entails. Maybe a target checks into a hotel with a phone in the room, or a dealer is observed to walk up to a pay phone, or to buy a “burner.” It is much harder to guess how the “is using or is about to use” standard will be construed in light of FISA’s vastly broader presumption of sweeping up-front acquisition. Again, we know that the courts have been satisfied to place enormous weight on after-the-fact minimization of communications, and it seems inevitable that they will do so to an even greater extent when they only learn of a new tap ten days (or 60 days with good reason) after eavesdropping has commenced.

We also don’t know how much is built into that requirement that warrants name a “specific” target, and there’s a special problem here when surveillance roves across not only facilities but types of facility. Suppose, for instance, that a FISA warrant is issued for me, but investigators have somehow been unable to learn my identity. Among the data they have obtained for their description, however, are a photograph, a voiceprint from a recording of my phone conversation with a previous target, and the fact that I work at the Cato Institute. Now, this is surely sufficient to pick me out specifically for the purposes of a warrant initially meant for telephone or oral surveillance.  The voiceprint can be used to pluck all and only my conversations from the calls on Cato’s lines. But a description sufficient to specify a unique target in that context may not be sufficient in the context of, say, Internet surveillance, as certain elements of the description become irrelevant, and the remaining threaten to cover a much larger pool of people. Alternatively, if someone has a very unusual regional dialect, that may be sufficiently specific to pinpoint their voice in one location or community using a looser matching algorithm (perhaps because there is no actual recording, or it is brief or of low quality), but insufficient if they travel to another location where many more people have similar accents.

Russ Feingold (D-WI) has proposed amending the roving wiretap language so as to require that a roving tap identify the target. In fact, it’s not clear that this quite does the trick either. First, just conceptually, I don’t know that a sufficiently precise description can be distinguished from an “identity.” There’s an old and convoluted debate in the philosophy of language about whether proper names refer directly to their objects or rather are “disguised definite descriptions,” such that “Julian Sanchez” means “the person who is habitually called that by his friends, works at Cato, annoys others by singing along to Smiths songs incessantly…” and so on.  Whatever the right answer to that philosophical puzzle, clearly for the practical purposes at issue here, a name is just one more kind of description. And for roving taps, there’s the same kind of scope issue: Within Washington, DC, the name “Julian Sanchez” probably either picks me out uniquely or at least narrows the target pool down to a handful of people. In Spain or Latin America—or, more relevant for our purposes, in parts of the country with very large Hispanic communities—it’s a little like being “John Smith.”

This may all sound a bit fanciful. Surely sophisticated intelligence officers are not going to confuse Cato Research Fellow Julian Sanchez with, say, Duke University Multicultural Affairs Director Julian Sanchez? And of course, that is quite unlikely—I’ve picked an absurdly simplistic example for purposes of illustration. But there is quite a lot of evidence in the public record to suggest that intelligence investigations have taken advantage of new technologies to employ “targeting procedures” that do not fit our ordinary conception of how search warrants work. I mentioned voiceprint analysis above; keyword searches of both audio and text present another possibility.

We also know that individuals can often be uniquely identified by their pattern of social or communicative connections. For instance, researchers have found that they can take a completely anonymized “graph” of the social connections on a site like Facebook—basically giving everyone a name instead of a number, but preserving the pattern of who is friends with whom—and then use that graph to relink the numbers to names using the data of a differentbut overlapping social network like Flickr or Twitter. We know the same can be (and is) done with calling records—since in a sense your phone bill is a picture of another kind of social network. Using such methods of pattern analysis, investigators might determine when a new “burner” phone is being used by the same person they’d previously been targeting at another number, even if most or all of his contacts have alsoswitched phone numbers. Since, recall, the “person” who is the “target” of FISA surveillance may be a “group” or other “entity,” and since I don’t think Al Qaeda issues membership cards, the “description” of the target might consist of a pattern of connections thought to reliably distinguish those who are part of the group from those who merely have some casual link to another member.

This brings us to the final concern about roving surveillance under FISA. Criminal wiretaps are always eventually disclosed to their targets after the fact, and typically undertaken with a criminal trial in mind—a trial where defense lawyers will pore over the actions of investigators in search of any impropriety. FISA wiretaps are covert; the targets typically will never learn that they occurred. FISA judges and legislators may be informed, at least in a summary way, about what surveillance was undertaken and what targeting methods were used, but especially if those methods are of the technologically sophisticated type I alluded to above, they are likely to have little choice but to defer to investigators on questions of their accuracy and specificity. Even assuming total honesty by the investigators, judges may not think to question whether a method of pattern analysis that is precise and accurate when applied (say) within a single city or metro area will be as precise at the national level, or whether, given changing social behavior, a method that was precise last year will also be precise next year. Does it matter if an Internet service initially used by a few thousands—including, perhaps, surveillance targets—comes to be embraced by millions? Precisely because the surveillance is so secretive, it is incredibly hard to know which concerns are urgent and which are not really a problem, let alone how to think about addressing the ones that merit some legislative response.

I nevertheless intend to give it a shot in a broader paper on modern surveillance I’m working on, but for the moment I’ll just say: “It’s tricky.”  What is absolutely essential to take away from this, though, is that these loose and lazy analogies to roving wiretaps in criminal investigations are utterly unhelpful in thinking about the specific problems of roving FISA surveillance. That investigators have long been using “these” powers under Title III is no answer at all to the questions that arise here. Legislators who invoke that fact as though it should soothe every civil libertarian brow are simply evading their responsibilities.

Fun With DHS Press Releases!

Let’s fisk a DHS press release! It’s the “Statement by DHS Press Secretary Sara Kuban on Markup of the Pass ID Bill by the Senate Homeland Security and Government Affairs Committee.” Here goes:

On the same day that Secretary Napolitano highlighted the Department’s efforts to combat terrorism and keep our country safe during a speech in New York City,

This part is true: Secretary Napolitano was in New York speaking about terrorism.

Congress took a major step forward on the PASS ID secure identification legislation.

There was a markup of PASS ID in the Homeland Security and Governmental Affairs Committee. It’s a step – not sure how major.

PASS ID is critical national security legislation

People who have studied identity-based security know that knowing people’s identities doesn’t secure against serious threats, so this is exaggeration.

that will break a long-standing stalemate with state governments

Thirteen states have barred themselves by law from implementing REAL ID, the national ID law. DHS hopes that changing the name and offering them money will change their minds.

that has prevented the implementation of a critical 9/11 recommendation to establish national standards for driver’s licenses.

The 9/11 Commission devoted three-quarters of a page to identity security – out of 400+ substantive pages. That’s more of a throwaway recommendation or afterthought. False identification wasn’t a modus operandi in the 9/11 attacks, and the 9/11 Commission didn’t explain how identity would defeat future attacks. (Also, using “critical” twice in the same sentence is a stylistic no-no.)

As the 9/11 Commission report noted, fraudulent identification documents are dangerous weapons for terrorists,

No, it said “travel documents are as important as weapons.” It was talking about passports and visas, not drivers’ licenses. Oh – and it was exaggerating.

but progress has stalled towards securing identification documents under the top-down, proscriptive approach of the REAL ID Act

True, rather than following top-down prescription, states have set their own policies to increase driver’s license security. It’s not necessarily needed, but if they want to they can, and they don’t need federal conscription of their DMVs to do it.

– an approach that has led thirteen states to enact legislation prohibiting compliance with the Act.

“… which is why we’re trying to get it passed again with a different name!”

Rather than a continuing stalemate with the states,

Non-compliant states stared Secretary Chertoff down when he threatened to disrupt their residents’ air travel, and they can do the same to Secretary Napolitano.

PASS ID provides crucial security gains now by establishing common security standards for driver’s licenses

Weak security gains, possibly in five years. In computer science – to which identification and credentialing is akin – monoculture is regarded as a source of vulnerability.

and a path forward for ensuring that states can electronically verify source documents, including birth certificates.

We’re on the way to that cradle-to-grave biometric tracking system that will give government so much power over every single citizen and resident.

See? That was fun!

Assessing the Claim that CDT Opposes a National ID

It was good of Ari Schwartz to respond last week to my recent post querying whether the Center for Democracy and Technology outright opposes a national ID or simply “does not support” one.

Ari says CDT does oppose a national ID, and I believe that he honestly believes that. But it’s worth taking a look at whether the group’s actions are consistent with opposition to a national ID. I believe CDT’s actions – most recently its support of the PASS ID Act – support the creation of a national ID.

(The title of his post and some of his commentary suggest I have engaged in rhetorical excess and mischaracterized his views. Please do judge for yourself whether I’m being shrill or unfair, which is not my intention.)

First I want to address an unusual claim of Ari’s – that we already have a national ID system. If that is true, his support for PASS ID is more sensible because it is an opportunity to inject federal privacy protections into the existing system (putting aside whether it is a federal responsibility to manage a state system or systems).

Do We Already Have a National ID?

I have heard a few people suggest that we have a national ID in the form of the Social Security Number. I believe the SSN is a national identifier, but it fails the test of a national identification card or system because it is not used for identification. As we know well from the scourge of identity fraud, there is no definitive way to tie an SSN to a person. The SSN is not used for identification (at least not reliably and not alone), which is the third part of my national ID definition. (Senator Schumer might like the SSN to form the basis of a national ID system, of course.)

But Ari says something different. He does not claim any definition of “national ID” or “national ID system.” Instead, he appeals to the authority of a 2003 report from a National Academy of Sciences group entitled “Who Goes There?: Authentication Through the Lens of Privacy.” That report indeed says, “State-issued driver’s licenses are a de facto nationwide identity system” – on the second-to-last substantive page of its second-to-last substantive chapter

But this is a highly selective use of quotation. The year before, that same group issued a report called “IDs – Not That Easy: Questions About Nationwide Identity Systems.” From the beginning and throughout, that report discussed the many issues around proposals to create a “nationwide” identity system. If the NAS panel had already concluded that we have a national ID system, it would not have issued an entire report critiquing that prospect. It would have discussed the existing one as such. Ari’s one quote doesn’t do much to support the notion that we already have a national ID.

What’s more, CDT’s own public comments on the proposed REAL ID Act regulations in May 2007 said that its data-intensive “one person – one license/ID card – one record” policy would ”create a national identification system.”

If a national ID system already existed, the new policy wouldn’t create one. This is another authority at odds with the idea that we have a national ID system already.

Support of PASS ID might be forgiven if we had a national ID system and if PASS ID would improve it. But the claim we already have one is weak.

“Political Reality” and Its Manufacture

But the heart of Ari’s claim is that supporting PASS ID reflects good judgment in light of political reality.

Despite the fact that there are no federal politicians, no governors and no appointed officials from any party publicly supporting repeal of REAL ID today, CDT still says that repeal is an acceptable option. However, PASS ID would get to the same outcome, or better, in practice and has the added benefit of actually being a political possibility… . I realize that Harper has invested a lot of time fighting for the word “repeal,” but at some point we have to look at the political reality.

A “Dear Colleague” letter inviting support for a bill to repeal REAL ID circulated on the Hill last week. How many legislators will hesitate to sign on to the bill because they have heard that the PASS ID Act, and not repeal of REAL ID, is CDT’s preferred way forward?

The phrase “political reality” is more often used by advocates to craft the political reality they prefer than to describe anything truly real. Like the observer effect in experimental research, statements about “political reality” change political reality.  Convince enough people that a thing is “political reality” and the sought-after political reality becomes, simply, reality.

I wrote here before about how the National Governors Association, sensing profit, has worked diligently to make REAL ID a “political reality.” And it has certainly made some headway (though not enough). In the last Congress, the only legislation aimed at resolving the REAL ID impasse were bills to repeal REAL ID. Since then, the political reality is that Barack Obama was elected president and an administration far less friendly to a national ID took office. Democrats – who are on average less friendly to a national ID – made gains in both the House and Senate.

But how are political realities crafted? It has often been described as trying to get people on a bus. To pass a bill, you change it to get more people on the bus than get off.

The REAL ID bus was missing some important riders. It had security hawks, the Department of Homeland Security, anti-immigrant groups, DMV bureaucrats, public safety advocates, and the Bush Administration. But it didn’t have: state legislators and governors, privacy and civil liberties groups, and certain religious communities, among others.

PASS ID is for the most part an effort to bring on state legislators and governors. The NGA is hoping to broker the sale of state power to the federal government, locking in its own institutional role as a supplicant in Washington, D.C. for state political leaders.

But look who else was hanging around the bus station looking for rides! – CDT, the nominal civil liberties group. Alone it jumped on the bus, communicating to others less familiar with the issues that PASS ID represented a good way forward.

Happily, few have taken this signal. The authors of PASS ID were unable to escape the name “REAL ID,” which is a far more powerful beacon flashing national ID and all the ills that entails than CDT’s signal to the contrary.

This is not the first time that CDT’s penchant for compromise has assisted the national ID effort, though.

Compromising Toward National ID

The current push for a national ID has a short history that I summarized three years ago in a righteously titled post on the TechLiberationFront blog: “The Markle Foundation: Font of Evil II.”

Briefly, in December 2003, a group called the Markle Foundation Task Force on National Security in the Information Age recommended “both near-term measures and a longer-term research agenda to increase the reliability of identification while protecting privacy.” (Never mind that false identification was not a modus operandi of the 9/11 attacks.)

The 9/11 Commission, citing Markle, found that “[t]he federal government should set standards for the issuance of birth certificates and sources of identification, such as drivers licenses.” In December 2004, Congress passed the Intelligence Reform and Terrorism Prevention Act, implementing the recommendations of the 9/11 Commission, including national standards for drivers’ licenses and identification cards, the national ID system recommended by the Markle Task Force. And in May 2005, Congress passed a strengthened national ID system in the REAL ID Act.

An earlier post, “The Markle Foundation: Font of Evil,” has more – and the text of a PoliTech debate between myself and Stewart Baker. Security hawk Baker was a participant in the Markle Foundation group, as was national ID advocate Amitai Etzioni. So was the Center for Democracy and Technology’s Jim Dempsey.

I had many reservations about the Markle Foundation Task Force and its work product, and in an April 2005 meeting of the DHS Privacy Committee, I asked Dempsey about what qualified people to serve on that task force, whether people were invited, and what might exclude them. A month before REAL ID passed, he said:

I think the Markle Task Force at least sought balance. And people came to the table committed to dialogue. And those who came with a particular point of view, I think, were all committed to listening. And I think people’s minds were changed… . What we were committed to in the Markle Task Force was changing our minds and trying to find a common ground and to try to understand each other. And we spent the time at it. And that, I think, is reflected in the product of the task force.

There isn’t a nicer, more genuine person working in public policy than Jim Dempsey. He is the consummate honest broker, and this statement of his intentions for the Markle Foundation I believe to be characteristically truthful and earnest.

But consider the possibility that others participating on the Markle Foundation Task Force did not share Jim’s predilection for honest dialogue and compromise. It is even possible that they mouthed these ideals while working intently to advance their goals, including creation of a national ID.

Stewart Baker, who I personally like, is canny and wily, and he wants to win. I see no evidence that Amitai Etzioni changed his mind about having a national ID when he authored the recommendation in the Markle report that ultimately produced REAL ID.

Other Markle participants I have talked to were unaware of what the report said about identity-based security, national identity standards, or a national ID. They don’t even know (or didn’t at the time) that lending your name to a report also lends it your credibility. Whatever privacy or civil liberties advocates were involved with the Markle Task Force got rolled – big-time – by the pro-national-ID team.

CDT is a sophisticated Washington, D.C. operation. It is supposed to understand these dynamics. I can’t give it the pass that outsiders to Washington might get. By committing to compromise rather than any principle, and by lending its name to the Markle Foundation Task Force report, CDT gave credibility to a bad idea – the creation of a national ID.

CDT helped produce the REAL ID Act, which has taken years of struggle to beat back. And now they are at it again with “pragmatic” support for PASS ID.

CDT has been consistently compromising on national ID issues while proponents of a national ID have been doggedly and persistently pursuing their interests. This is not the behavior of a civil liberties organization. It’s why I asked in the post that precipitated this debate whether there is anything that would cause CDT to push back from the table and say No.

Despite words to the contrary, I don’t see evidence that CDT opposes having a national ID. It certainly works around the edges to improve privacy in the context of having a national ID – reducing the wetness of the water, as it were – but at key junctures, CDT’s actions have tended to support having a U.S. national ID. I remain open to seeing contrary evidence.

Review of the Big REAL ID Hearing

The Senate Homeland Security and Governmental Affairs Committee held a hearing yesterday on the REAL ID Act and the REAL ID revival bill, known as PASS ID. I attended and want to share with you some highlights.

Good News!

Little good came from the hearing, as it was primarily focused on how to get the states and people to accept a national ID. But there is some good news.

First, Department of Homeland Security Secretary Janet Napolitano declared REAL ID dead (much as I did in my testimony two-plus years ago). “DOA” is how she referred to it.

She also said that no state will be in compliance with REAL ID by the current December 31, 2009 deadline. This is important because a lot of people think that states doing anything about the security of drivers’ licenses and ID cards are complying with REAL ID.

Another highlight was the commentary of Senator Roland Burris (D-IL). He is a beleaguered outsider to the Senate and evidently wasn’t coached on the talking points around REAL ID and PASS ID. So he flat out asked why we shouldn’t just have “a national ID.”

Senator Susan Collins’ (R-ME) nervous smile was particularly noticeable when Burris asked why the emperor had no clothes. No one was supposed to talk about national IDs at this hearing! But that’s what PASS ID is.

REAL ID and PASS ID are two versions of the same national ID system, and nobody is denying it. That’s good news because the effort to rebrand REAL ID through PASS ID has failed.

A Fake Crisis

Some other issue-framing is worth pointing out. Chairman Lieberman and Secretary Napolitano took pains to point out the importance of acting on PASS ID soon, claiming that the TSA would have to seriously inconvenience travelers with secondary searches at the end of the year if nothing was done.

But this is the same “crisis” that the DHS navigated a little over a year ago. States across the country were refusing to implement REAL ID. The DHS Secretary rattled his saber about inconveniencing travelers. And the DHS Secretary ended up giving all states a deadline extension. Secretary Napolitano will do the same thing if PASS ID fails - saber-rattling included. There is no crisis.

Vermont Governor Jim Douglas Supports a National ID

As I noted above, PASS ID is a national ID, just like REAL ID.

By testifying in support of PASS ID, Vermont governor Jim Douglas (R) put himself on record as supporting a U.S. national ID. He can pretend it’s not a national ID, of course, and he did his best to paper over the issue when Senator Burris asked about it. But Governor Douglas supports a national ID.

There was a time when Republicans stood for resisting federal incursions on state power. In the 104th Congress, the Senate Judiciary Committee had a subcommittee that focused on federalism and the preservation of state power (the Subcommittee on the Constitution, Federalism, and Property Rights). But the National Governors Association, with Douglas at the helm, is now in the process of negotiating the sale of state power over driver licensing and identification policy to the federal government.

Rampant Security Ignorance

The reason why he supports this national ID law, Governor Douglas said, is that he, like every governor, “is a security governor.”

With so many Senators and panelists conjuring security and the 9/11 Commission report, it would be a delight if someone actually examined the security benefits of a national ID. The information is there for them. Again, my testimony to the committee two years ago supplied at least some. Then, I said, “Implementation of REAL ID would impose more costs on our society than it would provide in security or other benefits,” and I articulated how and why a national ID fails to secure.

But Senator Lieberman said he “assumes” REAL ID provides national security benefits. Assumes? He and his staff apparently haven’t familiarized themselves with the level of national security that a national ID would create, taking into account the counterattacks and complications of such a system.

Five years after the vaunted 9/11 Commission report - and the three-quarters of a page it devoted to identity security - Senator Lieberman, the chairman of a committee dealing with domestic security, has yet to look into the merits.

In case Senator Lieberman needs some help …

I’m So Sick of the 9/11 Commission Report!

Speaking of the 9/11 Commission, it has been five years since that report came out, and people continue to parrot the line that REAL ID was a “key 9/11 Commission recommendation.”

The 9/11 Commission dedicated three-quarters of a page to the question of identity security, out of 400+ substantive pages. Its entire treatment of the subject is on page 390.

The 9/11 Commission did not articulate how a national ID system would defeat future terror attacks. It did not even articulate how a national ID would have defeated the 9/11 attacks had it been in place. A minor shift in behavior by the 9/11 attackers, such as using their passports to board planes, would have defeated REAL ID and PASS ID, were we somehow allowed “do-overs.”

We are not allowed “do-overs,” and the problem we face is not 9/11, but securing against current and future threats - including people who might shift their behavior in light of security measures we take.

These shifts in behavior might include taking a few extra steps to get the documentation they need, for access to the country or targets. These shifts in behavior might include attacking targets that do not require documentation. Identity-based security is a Maginot Line.

The 9/11 Commission report was written at a time when little research on identity-based security had been done. It was written by fallible humans who knew little about identity-based security, and who got it wrong. The report is not a religious text.

The report did say something important, though: “For terrorists, travel documents are as important as weapons”! (page 384) It’s a terrific turn of phrase because it shuts down the logic centers in the brain - eek, terrorists! - and ends the discussion.

The “travel documents” the report was talking about, though, were passports and visas, not drivers’ licenses and birth certificates - the things foreign terrorists use to get into the country. If we’re going to turn the driver’s license into an internal passport - and TSA checkpoints are the beginning of such a policy - then perhaps these are travel documents. Just, please, Secretary Napolitano, train your TSA agents to not say, “Your papers, please.”

Even as to international travel documents, though, the 9/11 Commission got it wrong. Weapons are the only things as important as weapons. And the 9/11 terrorists didn’t actually use weapons any more substantial than box cutters. They “weaponized” a non-weapon. (Security is complicated, you see.)

Denying terrorists travel documents, drivers’ licenses, and IDs simply presents them some inconveniences - such as using people with no record of terrorism. Seventeen of nineteen 9/11 attackers were unknown to U.S. officials as threats, so it’s obviously not that much of an inconvenience.

Evading identity-based security is so easy. People do it all the time. And it won’t stop under anyone’s version of a national ID. But the 9/11 Commission said … !

Something New to Worry About

Much of the national ID battle happens at the federal level with these national ID laws, of course, but it’s important to realize that federal officials, state officials, companies, and non-profit groups are working to knit together a cradle-to-grave national ID system no matter what happens with REAL ID and PASS ID.

Here’s one worth highlighting: Thirteen states apparently are already scanning, or have scanned, their birth certificates into databases for use in the national ID system. The effort is being led by the National Association for Public Health Statistics and Information Systems in Silver Spring, Maryland. This group will undoubtedly have access to your private health information should federal e-health records be implemented, so you might want to familiarize yourself with them.

Is your state one of them? How many copies of your birth certificate can be found in how many places around the country? You might want to ask your state legislators about that. The future of this effort is to collect biometrics at birth, of course. This is a privacy problem.

But maybe all the privacy concerns have been taken care of. The proponents of REAL/PASS ID found themselves a fig leaf on that score.

Token Cover on Privacy Issues

Ari Schwartz from the Center for Democracy and Technology testified in favor of PASS ID. (Senator Akaka noted in his opening statement that CDT endorses PASS ID.)

He characterized opponents of REAL/PASS ID as wanting to “do nothing.” It’s a classic ploy - but cheaper than we’re used to seeing from Ari and CDT - to mischaracterize opponents as wanting to “do nothing.” As Ari knows well, I have advocated endlessly for a diverse and competitive identification and credentialing system that would provide all the security ID systems can, without government surveillance.

But Ari testified imaginatively about how PASS ID makes a national ID okay. He has concerns with it, of course, yadda yadda yadda - the privacy fig leaf obliged to wear a fig leaf himself.

And this is the unexpected bad news from the hearing. The Center for Democracy and Technology supports having a national ID in the United States.

Many would find this inexplicable, but it’s not. Though the people who work at CDT personally want very much to do the right thing, there are no principles to the organization beside compromise and having a seat at the table (neither of which are actually principles, of course).

CDT plays a wonderful convening role on many issues, and the name of the organization implies that it reconciles technology programs with fundamental societal values. But here it has given political cover to the push for a national ID in the United States. One can’t help wondering if there is anything that would cause CDT to push back from the table and say No.