Power Arrangements in Identity Systems

Since the launch of the Sovrin Foundation, Phil Windley has been blogging a lot (no, really a lot and more, more, more, more, and more) about how self-sovereign identity works and can be used. His most interesting and accessible post for a liberty-minded identity-layperson might be “On Sovereignty,” in which he briefly lays out what it means to have a “self-sovereign” identity.

Sovereignty over your identity doesn’t mean having complete control over information about yourself, but it puts you in a peer relationship with others, including the larger organizations we deal with, such as governments. “The beauty of sovereignty,” Phil emphasizes, is the “balance of power that leads to negotiations about the nature of the relationships between various entities in the system.” I want to expand on this notion that there are power arrangements in identity systems.

In a centralized identity system, the identity provider (such as your Department of Motor Vehicles) determines whether you can assert information and what you can assert. Centralized systems also often share information about you, or facilitate such sharing, whether you want them to or not. Implementation of the REAL ID Act would essentially move these powers from state governments to the U.S. Department of Homeland Security.

A self-sovereign identity system, on the other hand, gives you power to assert information about yourself, which others may accept or reject. It also better positions you to decline to share information about yourself. Those powers are important.

“Power” is an elusive concept. We’re more familiar with talking about power in terms of political and legal arrangements, such as how the Constitution gives certain powers to the U.S. federal government or denies all U.S. governments other powers. But absent these rules, “pre-political” power is simply the ability to do something or act in a particular way, or the capacity to direct or influence the behavior of others or the course of events. Power comes down to what resources you can bring to bear in going after what you want.

Fake ID Foolishness

In this USA Today story, identity-based security mavens sputter about the availability of high-quality fake IDs that include digital holograms, credit-card quality plastics, and specialty inks found in “more secure” drivers’ licenses. Along with adding technical security measures to cards, states that once made driver licensing easier reversed course and discontinued issuing licenses over the counter so they could new-fangle their IDs. All this inconvenience and expense has done nothing but require bad guys (and college students) to order their driver’s licenses at sites like ID Chief.

One could have predicted all this:

The more valuable a driver’s license is for access to work, mobility, goods, and services, the more likely people will seek to acquire this document illegally. Reforms … may “stiffen” state-issued identification card processes, but they leave it brittle.

Meanwhile the expense and inconvenience of restricted access to identification cards will fall on all Americans—including the ones who need drivers’ licenses for the simple purpose of driving. Honest, law-abiding Americans will suffer impingement on their freedom of action, their individual power, and their security from identity-based frauds. The REAL ID Act is full of reforms that do not fix.

Instead of “strengthening” our national identification system, policies that reduce the value of breaking identification systems will improve identification. Jujitsu is needed much more than brawn.

That’s yours truly, writing in the 2006 Cato book, Identity Crisis: How Identification is Overused and Misunderstood.

“If He Approve, He Shall Sign It…”

The Patriot Act extension passed by Congress this week did not become the law of the land. It is void and without effect.

So may argue some future defendant whose conviction rests on evidence gotten under Patriot Act powers during the extended period Congress sought to establish in the bill it passed this week.

President Obama is at a meeting in Europe, so he had the bill signed by auto-pen. Representative Tom Graves (R-GA) has written a letter inquiring of the president whether he was presented the bill and truly intended to sign it.

Article I, Section 7 of the Constitution says:

Every Bill which shall have passed the House of Representatives and the Senate, shall, before it become a Law, be presented to the President of the United States; If he approve he shall sign it, but if not he shall return it…

Is presentment and signing a quaint formality? Something to put aside in light of modern technology and time-constraints? Or is it an important step in the law-making process, to be executed quite literally without deviation from past practice?

The answer lies mostly in consideration of what a signature is, and what it does. I looked into signatures, among many other identifiers and security techniques, in my book, Identity Crisis.

Wikipedia has a definition of “signature” that’s good enough: “A signature is a handwritten (and sometimes stylized) depiction of someone’s name, nickname, or even a simple ‘X’ that a person writes on documents as a proof of identity and intent.” Key words: identity and intent.

In the world of identification and security, a signature is classed as a “behavioral biometric identifier.” That is, it’s a product of a given person’s bodily action that is distinctive enough to create strong evidence of the person’s presence.

A signature does many things, and inferences spill out from the presence of a mark on paper that is sufficiently similar to other marks made by a particular person. Because it’s left on the paper, a signature indicates that the person was in the presence of the document. This means in most cases that he or she could review it and had the opportunity, barring some exigency, to affirm its accuracy and completeness. By long-standing custom, absent duress or fraud, the signature indicates the giving of one’s assent or the placing of authority behind the content of the document. A signature supplies evidence—imperfect, to be sure—that a given person approved a given document.

Does a signature by auto-pen create the same inferences? Almost none of them. To know that President Obama indeed meant to affirm the bill, one would have to investigate how he was apprised of the bill’s content. Were there security measures in place to ensure that the communication about the document and the giving of assent were not altered or forged in transit from Washington, D.C. to Europe? One would need assurance that the controller of the auto-pen applied its mark to the exact document that the president was apprised of, and that no substitute document was inserted. All these problems are solved by bringing the person with authority into the same room with the document to manually apply the signature.

I haven’t a whiff of doubt that President Obama intended to sign the bill. The authority of the president and the gravity of bill-signing are such that I’m confident security measures were in place to control the security issues noted above.

But the question in a court case dealing with the presentment and signing requirement is not what happened with this particular bill. It is what should happen in all cases to help exclude the risks of fraud and duress in law-making—with much longer bills, for example, or some future circumstance when the president’s whereabouts or capacity might be unknown.

The authority of the president and the gravity of bill-signing actually cut the other direction: The president should be in the same room as the actual document, applying his genuine signature to the artifact of a United States public law’s creation. It’s that important a function of the presidency.

Until biometrics and encryption are good enough that we can sign our mortgages remotely, it’s not too much to ask to have the president sign legislation in person. If a criminal or two go free in the future because of the inadequacy of the process here, it will be worth it for the small security against fraudulent passage of legislation in a future full of uncertainties.

National Research Council Takes Biometrics Down a Notch

Late last month, the National Research Council released a book entitled Biometric Recognition: Challenges and Opportunities that exposes the many difficulties with biometric identification systems. Popular culture has portrayed biometrics as nearly infallible, but it’s just not so, the report emphasizes. Especially at scale, biometrics will encounter a lot of challenges, from engineering problems to social and legal considerations.

“[N]o biometric characteristic, including DNA, is known to be capable of reliably correct individualization over the size of the world’s population,” the report says (page 30). As with analog, in-person identification, biometrics produces a probabilistic identification (or exclusion), but not a certain one. Many biometrics change with time. Due to injury, illness, and other causes, a significant number of people do not have biometric characteristics like fingerprints and irises, requiring special accommodation.

At the scale often imagined for biometric systems, even a small number of false positives or false negatives (referred to in the report as false matches and false nonmatches) will produce considerable difficulties. “[F]alse alarms may consume large amounts of resources in situations where very few impostors exist in the system’s target population.” (page 45)

Consider a system that produces a false negative, excluding someone from access to a building, one time in a thousand. If there aren’t impostors attempting to defeat the biometric system on a regular basis, the managers of the system will quickly come to assume that the system is always mistaken when it produces a “nonmatch” and they will habituate to overruling the biometric system, rendering it impotent.

Context is everything. Biometric systems have to be engineered for particular usages, keeping the interests of the users and operators in mind, then tested and reviewed thoroughly to see if they are serving the purpose for which they’re intended. The report debunks the “magic wand” capability that has been imputed to biometrics: “[S]tating that a system is a biometric system or uses ‘biometrics’ does not provide much information about what the system is for or how difficult it is to successfully implement.” (page 60)

“Biometric Recognition: Challenges and Opportunities” is a follow-on to the 2003 National Research Council report, “Who Goes There?: Authentication Through the Lens of Privacy.” That was one of few resources on identification processes and policy when I was researching my book, Identity Crisis: How Identification is Overused and Misunderstood. (Mine is quite a bit more accessible than this new book, so if you’re interested in the field, you might want to start there.)

There is nothing inherently wrong with biometrics. They will have their place, and they will make their way into use. But the dream of a security silver bullet in biometrics is not to be. Identity-based security—using the knowledge of who people are for protection—is valuable and useful in day-to-day life, but it does not scale. National or world ID systems would not secure, but they would carry large costs denominated in both dollars and privacy.

No-Fly With Me

The ACLU is representing several plaintiffs in a recently filed lawsuit challenging the U.S. government’s “No Fly” list. The video in this “Blog of Rights” post tells the story of two of the plaintiffs. “I wanna go home!” laughs U.S. Marine veteran Ayman Latif. “I wanna see my mom. I want her to see my babies.”

No-fly listing is a constitutional aberration in which the executive branch unilaterally imposes a disability on persons it selects using unpublished criteria. It often denies these individuals any recourse by obscuring the reasons why they aren’t permitted to fly. Bills in the House and Senate would extend the use of the “no-fly” list to use in gun control.

There is no way to clear up the “no-fly” status of innocent travelers once and for all. The DHS’ Traveler Redress Inquiry Program may be good for unraveling mistaken name matching, but evidently it hasn’t cured the problem for these travelers.

No-fly listing is also a weak security measure. It’s CYA—“See? We did something!”—but it creates a class of people too dangerous to let fly but not so dangerous that they are sought for arrest.

There is some merit to watch- and no-fly-listing in the international context, where the U.S. is often unable to pursue threatening individuals. But generally, as I wrote in my book, Identity Crisis, “this procedure is like posting a most-wanted list at a post office and then waiting for criminals to come to the post office. It is a singularly lazy way to ‘pursue’ terrorists.”

Another security demerit: No-fly listing gives away the store. It tells any terrorist on a list that he or she is a suspect.

Since 9/11, airports and air travel have been something of a constitution-free zone. Exigency in the first year after that stunning attack may have justified some of the practices begun then, but we are secure and confident enough today to adhere to the Constitution. This lawsuit may vindicate due process values and the important liberty interest in freedom of movement.

Senator Graham’s Inexplicable National ID Support

Compromise is catnip in Washington, D.C. That’s my best guess at why Senator Lindsey Graham (R-SC) would endorse New York Senator Chuck Schumer’s (D) widely reviled plan to create a mandatory biometric national ID system.

Schumer’s national ID plans have no more definition today than when he wrote about them in his 2007 campaign manifesto Positively American. Among the thin gruel of that book is a two-page lump displaying more ignorance than understanding of how identity systems work and fail. Schumer doesn’t know the difference between an identifier—a characteristic used to distinguish or group people—and an identification card or system, which does the entire task of proving a person’s previously fixed identity. (My thin gruel on the topic is the book Identity Crisis: How Identification is Overused and Misunderstood.)

“All the national employment ID card will do is make forgery harder,” says Schumer.

No, that’s not all it would do: It would also subject every employment decision to the federal government’s approval. It would make surveillance of law-abiding citizens easier. It would allow the government to control access to health care. It would facilitate gun control. It would cost $100 billion or more. It would draw bribery and corruption into the Social Security Administration. It would promote the development of sophisticated biometric identity fraud. How long should I go on?

Senator Graham’s take is equally simple: “We’ve all got Social Security cards,” he said to the Wall Street Journal. “They’re just easily tampered with. Make them tamper-proof. That’s all I’m saying.”

No, Senator, that’s not all you’re saying. You’re saying that native-born American citizens should be herded into Social Security Administration offices by the millions so they can have their biometrics collected in federal government databases. You’re saying that you’d like a system where working, traveling, going to the doctor, and using a credit card all depend on whether you can show your national ID. You’re saying that bigger government is the solution, not smaller government.

The point for these senators, of course, is not the substance. It’s the thrill they experience as nominal ideological opponents finding that they can agree on something, securing a potential breakthrough on the difficult immigration issue.

They’re only “nominal” ideological opponents, though. Chuck Schumer has always been a big government guy—and long a supporter of having a national ID, despite the lessons of history. Lindsey Graham is not really his ideological opponent. Typical of politicians with years in Washington D.C., Graham is steadily migrating toward the big-government ideology that unites federal politicians and bureaucrats against the people.

The Future of DNA as an Identifier …

… is not in doubt. But as technology advances, it will not be as strong an identifier as it has been up to now. Scientists have demonstrated that they can fabricate it.

I wrote about the qualities of identifiers - fixity, distinctiveness, and permanence - in my book Identity Crisis. The ability to fabricate DNA renders it slightly less distinctive.