IS IT IN THE CARDS?
WHY NATIONAL IDENTIFICATION CARDS WON'T MAKE US SAFER
by Bruce Schneier

As a security technologist, I regularly encounter people who say the United States should adopt a national identification (ID) card. How could such a program not make us more secure, they ask? The suggestion, when it's made by a thoughtful civic-minded person like New York Times op-ed columnist Nicholas Kristof ["May I See Your ID?" March 17, 2004], often takes on a tone that is regretful and ambivalent: Yes, the card would be a minor invasion of our privacy, and undoubtedly it would add to the growing list of interruptions and delays we encounter every day. But we live in dangerous times, we live in a new world.... It all sounds so reasonable, but there's a lot to disagree with in such an attitude.

The potential privacy encroachments of an ID card system are far from minor. And the interruptions and delays caused by incessant ID checks could easily proliferate into a persistent traffic jam in office lobbies and airports, hospital waiting rooms and shopping malls.

But my primary objection isn't the totalitarian potential of national IDs, nor the likelihood that they'll create a whole immense new class of social and economic dislocations. Nor is it the opportunities they will create for colossal boondoggles by government contractors. My objection, at least for the purposes of this essay, is much simpler: It won't work. It won't make us more secure. In fact, everything I've learned about security over the last 20 years tells me that a national ID card program would actually make us less secure.

My argument centers around the notion that security must be evaluated based on how it fails. It doesn't really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. Even worse, people will get legitimate cards in fraudulent names. Two of the 9/11 terrorists had valid Virginia driver's licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn't be bribed, initial cardholder identity would be determined by other identity documents, all of which would be easier to forge.

Not that there would ever be such a thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, another system that could be abused. Additionally, any ID system involves people, people who regularly make mistakes. We all have stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It's not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics (such as thumbprints) shows some promise, but brings its own set of exploitable failure modes.

The main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American, one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of existing databases: incompatible, full of erroneous data and unreliable. As computer scientists, we do not know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it. And when the inevitable worms, viruses, or random failures happen and the database goes down, what then? Is America supposed to shut down until it's restored?

Proponents of national ID cards want us to assume all these problems, and the tens of billions of dollars such a system would cost. For what? For the promise of being able to identify someone? What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the D.C. snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone's intentions, and their identity has very little to do with that.

Plus, there are security benefits in having a variety of different ID documents. A single national ID would be exceedingly valuable, and accordingly there would be a greater incentive to forge it. There is more security in alert guards paying attention to subtle social cues than bored minimum-wage guards blindly checking IDs.

That's why, when someone asks me to rate the security of a national ID card on a scale of one to 10, I can't give an answer. It doesn't even belong on a scale.

Bruce Schneier is an internationally renowned security technologist and the founder & CTO of Counterpane Internet Security. His books include "Applied Cryptography" and "Beyond Fear."

RECOMMENDED LINKS
http://www.schneier.com/crypto-gram.html
TO VISIT FAILURE MAGAZINE'S HOME PAGE
http://www.failuremag.com