Performance of the DC One Card Program


Councilmember Cheh and members of the committee,

Thank you for asking me to testify today regarding the DC One card program.

At the Cato Institute, I serve as director of information policy studies, and among my specialties are identification and credentialing systems. I have testified about identification systems in legislatures around the country and several times before Congress.

I also serve on the Department of Homeland Security's Data Privacy and Integrity Advisory Committee, which often deals with the privacy and civil liberties consequences of identity-based security. My book, "Identity Crisis: How Identification is Overused and Misunderstood," explores identification theory and the considerations that should go into public policies about identification and credentialing.

Though they are invariably put forward for good purposes, identity card systems hold many risks to values that we hold dear like privacy and civil liberties. Given the wonders of technology, people often imagine ID cards to be a panacea for a wide array of economic and social problems, and they imagine that ID card systems advance national security goals like protection from terrorism. ID card systems are not suited to many of these goals, and uniform ID systems compromise or threaten important values.

Luckily, the DC One card program does not have such grand aims. As the program exists today, I'm happy to report that I have found little to criticize in it. The DC One card can help avoid some of the expense of operating multiple card systems among multiple agencies without creating a surveillance system in the process. However, I will caution against future expansions of the program.

First, let me say how glad I am that you are examining the DC One card program early in its life. Many of the programs and systems I deal with at the federal level have been planned or operating for years, or they are products of congressional action that lacked sufficient deliberation and that Congress does not want to revisit. Sometimes both!

Because decisions about them were made without regard for privacy and civil liberties, and because they have inertia, these programs will be the subject of policy battles for years. Millions of dollars will be wasted on these unacceptable programs as they die long, slow deaths.

Your care in examining and continuing to monitor the DC One card program can help avoid conflict with civil liberties and privacy, basic values of this country and community. The end result can be a program that meets your efficiency objectives because it enjoys widespread uptake.

Understanding Identification - Economic and Social Glue

Identification and credentialing is complex. It is important to understand in some detail the policy issues a card system like the DC One card might encounter.

First, think of identification and identity cards as economic and social glue. Identification is what holds people and organizations together when they want to deal with one another. Quite simply, for example, having a library card makes it easier to use a library, and it helps the library administer its processes. You only have to think for a minute how difficult life would be if we had to get reacquainted with someone every time we met, or if we had to prove everything about ourselves to a government agency each time we dealt with it.

More precisely, identification allows people and organizations to keep records about each other, picking up where they left off when they encounter one another a second, third, fourth, or subsequent time. This is essential to have a well-functioning society.

The problem with identification, though, particularly as we move into the digital age, is that it can get a little too "sticky."

Think about how we constantly vary the information we share in our personal dealings. A simple example is the person who declines to give another person a phone number, or who shares her work number rather than her home number. This is an important protection, allowing us to maintain separation from people and entities we may not want to deal with.

Many digital identification systems are unresponsive to these needs. They will identify a person more accurately than is needed and provide the relying party (the one "checking ID") with information that is not relevant to a transaction. Imagine shaking hands with someone at a party and finding him instantly transported to your living room with your photo album in his lap. This is at least discomforting, and a threat to civil liberties in the governmental context. It is what digital identification systems often do.

Privacy and Data Security Risks

To be a little bit more precise about these privacy risks, I characterize them as "in system" and "out of system" risks.

"In system" refers to the card system itself. Does the card issuer collect just enough information to provide a reliable identification in the circumstances, or does it collect more information than is needed? A card system that has many uses, that has "high-value"/high-security uses, or that is part of a "federated" system will often require and contain more information than any one transaction requires.

Drivers' licenses and the budding national policy of "one driver-one license" bring all these dynamics together. Through inadvertence, the driver's license has become not just proof of entitlement to drive, but also proof of identity for financial transactions, proof of age, and even (mistakenly) a national security document at the airport, among many other things. Getting a driver's license now requires a deep dive into biographical information, collection of identity documents, and increasingly collection of biometrics.

Because there are separate licensing entities around the country, a "one driver-one license" policy will require all jurisdictions to share a great deal of data with other jurisdictions to make sure people aren't licensed to drive in two places. This system is an orgy of data collection and data sharing. Pity the poor soul who just wants to be able to drive a car.

"Out of system" privacy risks refer to the data that a system allows a relying party to collect. Many state drivers' licenses have a 2D bar code that quickly conveys in digital form not only the information printed on the card, but other information too. The 2D bar code standard selected by the Department of Homeland Security for compliance with the REAL ID law includes race data, for example, and the Department's rules did not bar states from including race information. This could be collected and databased during any transaction in which someone is required to share his or her driver's license.

The scan of digital information from a driver's license is just the beginning. This data will be combined with "meta-data" - the time and location at which the data was collected, the purpose for which it was collected, and so on. Throughout a person's day, multiple scans of a license can create a digital trail, revealing much about a person's interests, preferences, and habits, as well as his or her associates if they, too, are leaving digital trails.

As yet, driver's licenses aren't scanned very often, but it will happen much more often if a nationally uniform driver's license is created. A nationally uniform system will create economies of scale around scanners, middleware, and database technology to capture driver license data and meta-data.

Additional problems arise in these systems when "high-value" transactions are placed on them. If having a certain card will give someone access to benefits or payments, if having a fake card can facilitate fraud, and so on, attacks on that card system will predictably rise. Efforts to match the value of having a card will go into creating forged cards, using forged documents to get real cards, or corrupting card-issuing officials to get one. These attacks create not only problems for the direct victims of fraud, but for the people who fraudsters may impersonate.

When a card system moves to high-value uses like the transfer of funds, access to employment, and so on, myriad attacks on the system, countermeasures, and counterattacks will deeply complicate things. In the process, the privacy of the citizen can be ignored or overridden.

A Modest System With Minimal Privacy Risks

Luckily, the DC One card program is not so grand a system. Though valued by the community, access to recreational facilities, schools, and summer work programs are not the "high-value" uses that will inspire fraud and forgery.

This means the DC One card program can do "light touch" identification - a simple photo and some contact info - and that is all it does. As noted in its privacy policy the DC One card system collects 1) contacts: name, address, telephone number; 2) gender; 3) date of birth; 4) last 4 digits of SSN; 5) agencies/programs that use the card; and 6) card number.

To be perfected, the privacy policy should probably include mention of the fact that the DC One card program holds a photograph of the cardholder, and DC One might examine whether gender, date of birth, and SSN information is needed to distinguish among users and administer the system. Lots of detailed information is required to distinguish among users in a system with 300 million people; a system for 600,000 does not require nearly as much data. Each data element should be examined to see what purpose it serves, and discarded if it doesn't have uses that outweigh privacy considerations.

I was delighted to learn that the 1D bar code on the card contains only the serial number of the card. When a District agency scans the bar code, it uses this number to pull up its records about the person, and to assure that the person is entitled to access facilities, check out books, and so on.

This number is an identifier, of course, and if it were used throughout the local economy it would become a tracking number in the same way that the driver's license can be, or that the Social Security Number is nationally in financial services and healthcare. But given the limited uses of the system today, this simple identifier is the data-minimizing way to administer access to various D.C. public services.

Given the appropriate simplicity of the DC One card program, the majority of the privacy issues I see are with the programs that use it. They hold the bulk of the data about their customers, and their policies should include providing users access to information about themselves and timely data destruction policies. The most secure data is the data that is never collected or that has been destroyed when it is no longer needed.

The Horizon: Keeping DC One Successful

My testimony has probably made obvious that identification and credentialing policies are complex. The complexities multiply rapidly when an identification system is put to new uses.

My advice, accordingly, is to use the DC One card system for the government services that it is suited to, but not to assume that its success in some areas will guarantee success in new ones. Accesses to libraries, school, and summer programs are important but "low value" uses, and you can get efficiencies by combining them on a single card. But converting this to a security card or smart card system, to a driver's license, general purpose ID card, or using it to administer benefits will bring new complications to the system and new threats to privacy.

Adding new uses to the DC One card system should occur slowly and carefully, with due consideration to the type of use, the attacks it may draw to the system, and the privacy implications of securing the system against those attacks. You will probably find that the efficiencies made by trying to consolidate some card systems in the District drop off or are outweighed by other considerations like privacy and security.

A diversity of identification cards, card issuers, and credentials is not a failure of efficient government. It is a product of balancing efficiency with other important values like privacy, personal security, and civil liberties.

Congratulations again for examining these issues before you have encountered problems. Thank you again for inviting me to testify and for considering my views.

Jim Harper

Council of the District of Columbia
Committee on Government Operations and the Environment