Yesterday my local newspaper ran an editorial entitled Death to Real ID. That link will turn into a pumpkin in five days, but here’s the intro:
Although the Bush administration today is announcing possible delays in the Real ID program, it’s beginning to look as if New Hampshire could play a role in killing the thing outright. That would be a welcome development.
Real ID, passed by Congress in 2005, is designed to turn state drivers licenses into “electronically readable” national identity cards. As the law now stands, beginning on May 11, 2008, Americans will be required to show the cards before they board airplanes, open bank accounts, collect Social Security payments or receive almost any other government service.
And of course it won’t be long before every huckster and propane salesman in the country will be demanding to examine your Real ID card along with your Social Security number before doing business with you.
Now I rather enjoy New Hampshire’s “Live Free or Die” state motto, and I’m not an uncritical supporter of Real ID, but in the US as a whole, and in New Hampshire in particular, it’s hard to even have a discussion about digital identity and I think that’s a shame.
My letter to the editor, below, does not argue for Real ID. It’s just an effort to avoid foreclosing all discussion on the subject of digital identity. Is it effective? What other arguments would help?
To the editor:
At a moment in history when the President of the United States is asserting that the government has the right to intercept phone calls and emails without a warrant, it’s a good idea to raise the totalitarianism alert level from orange to red. But Real ID isn’t a black and white, or green and red, issue. The Sentinel’s March 1 red flag (“Death to Real ID”) fails to address, or even acknowledge, the complex and evolving story of digital identity.
Real ID, we’re told, “is designed to turn state drivers licenses into ‘electronically readable’ national identity cards” that we’re required to show before boarding planes or accessing bank accounts.
That’s true.
Today, by contrast, our drivers licenses are electronically unreadable national identity cards that we’re required to show in all the same circumstances.
That’s better how?
It’s fascinating to compare our national stance on identity cards, epitomized by New Hampshire’s state motto, with that of other countries. Last fall, at the 40th International Council for Information Technology in Government Administration, I met the guy who runs Belgium’s national ID card program. Belgians are receiving these cards at the rate of 10,000 a month, and will all have them by 2009.
There’s also a youth version of the eID. When Belgian children turn 12, they’ll receive a smartcard and a reader from the government. Americans would regard this program as an Orwellian intrusion. For Belgians, it’s a way to help protect kids without compromising their privacy.
One of the first uses of the youth eIDs will be to prove age to age-restricted web sites. There’s no technical requirement to disclose identity, and a strong cultural preference not to. Kids will need only prove (by knowing the card’s PIN) that they are citizens, and prove (by selectively disclosing their birth date) that they meet the age requirement.
Selective disclosure is one of the privacy-enhancing features that electronic ID cards, unlike regular cards, can offer. When you show your drivers license at the liquor store, for example, all the clerk really needs to know is your birth date. An electronic card can be configured to disclose only that fact, and none of your other personal information.
Phil Windley, who was CIO of Utah and is the author of a leading book on the subject of digital identity, said this in an interview with me last year:
“If you talk to people from a number of countries in Europe, they would just laugh at the idea that we don’t have a national ID. But they would be scared to death of the fact that we don’t have strong privacy laws.”
The issues surrounding digital identity are complex and subtle, but they’re not going away. When the Sentinel reduces those issues to “totalitarianism” and “police-state claptrap” it does readers a disservice.
Jon,
You are right on the money on this one. Reflexive scorn against the concept of digital IDs is bad for security AND bad for privacy, and I’m getting really sick of it. Your call for other arguments shall be heeded on my blog as soon as I’ve had some more coffee.
– p
I think your letter need to stress more heavily the idea that discussion on the topic needs to proceed rather than be shut down unconditionally by the unreasonable stigma that is currently attached to the topic. Comparing to European practices is only so effective, as many people (myself included) do NOT necessarily want to have much in common with the Continental crowd. Too much talk about “how Europe does it” will alienate some people who don’t want to be anything like “them.”
I think you need a couple of more sentences about the idea of being open to the subject instead of just shutting our minds against it.
There’s no security created by providing ID to board an aircraft. Same with trains and buses. Would you feel wierd presenting ID to a cab driver so s/he can report your whereabouts? How about where you go on your lunch break? I don’t mind security precautions, such as material detectors and even the x-ray is ok with me, as long as it’s not storing the images. Bomb scanners continue to get better. Heck a working “tricorder” was just unveiled. And remember that Boyscout who built the shoe-bomb detector in his garage? Having to show ID everywhere doesn’t benefit society. A devil’s advocate would say “So you think escaped criminals should be able to travel freely?” What a scary thought. Too bad it’s too uncommon to even consider. Thanks for spreading the FUD though.
Read about John Gilmore’s battle to board aircraft without ID.
http://arstechnica.com/news.ars/post/20060817-7533.html
Most don’t realize what’s going on though. Most people don’t read this blog. Most people aren’t informed. If my plane crashes, a passenger list might help inform my wife efficiently of my demise, but I also have the ability to tell her the flight number before I leave. Or subscribe to a private service that will eventually be created.
These ID cards will be forgeable. They create a false sense of security. They will not prevent people from committing crimes or being a nuisance on a plane. They do not improve security and they cost billions of our dollars through taxes and another wallet hit in time and picking it up.
The Department of Homeland Security is already extremely behind on all the other department responsibilities they have decided to commandeer. The backlog of immigration processing is one issue that many don’t appreciate right now. Not just for new immigrants but even for green card renewals of our permanent residents from all countries. Funneling money into this project is going to make it worse. Are we able to increase our random shipment checks at ports? Have we updated all the airlines equipment and trained the staff as much as possible? No. Are we able to increase the random checks on port shipments? No. Is the DHS handling it’s responsibilities so well it can take on another one? No.
Oh and by the way, when the ID cards are made and standardized, I guarantee you that I can find someone in my neighborhood that can home-build a device that will let them read yours, and your children’s ID card likely from several feet away. Now I know where you live. Now I know where your daughter goes to school and how old she is. Are you safer yet?
Don’t worry though, these cards will be beneficial to a lot of people right? Especially the “independent information consultant” who is loitering outside the supermarket scanning people on their way out and creating his database for sale to anyone who wants the exploit the information. Is that illegal? It won’t matter once the information is sold. For the consultant, it’s probably worth the risks.
Give some more thought to why ID Card 2.0 will really keep you and your family safe. You should be able to spend that money on improving your home and personal security if you are scared to live in a free-roaming society. Or you can fly the airlines that subscribe to these ID card requirements and I’ll fly the ones that don’t. Give me that freedom of choice.
An honest discussion of the issues is a good thing. Here in the UK it seems that government politicians are not interested in such discussions.
The web site “www.no2id.net” lists some of its concerns with the proposed British ID cards
http://www.no2id.net/IDSchemes/whyNot.php
The issues around identity, digital or not, are subtle and complex, and not going away. I have concerns about a national ID, largely that it encourages people to forget that various forms of identification provide information about a person(in the case of a drivers license, largely that they have gone through the process of obtaining it), rather than conferring an identity upon that person, while simultaneously increasing the consequences of that mistake. There are 8 states the size of Belgium or larger, and dozens more that are of substantially similar size; the issues that they can safely handle at a national level do not necessarily translate to the US.
The persistent labeling of fraud as ‘identity theft’ is a case in point, nothing is stolen from the victim, and often they did nothing to expose themselves, but they are made to bear the majority of the consequences of the breakdown in the identification system. To the extent that it works, a stronger id fights this, but to the extent that it strengthens the association of identity with the possession of a given credential, it also makes it harder to clean up after, as ‘it must have been you’.
The clerk at the liquor store is also an interesting example. If we ask the clerk to check id, he doesn’t have to take any responsibility for selling to anybody with a proper id; if we ask him to be responsible about who he sells alcohol to, he doesn’t necessarily have to check id at all. It’s cheaper for the store owner to not pay him to be responsible, probably gives us better prices, and isn’t a serious privacy issue, but it is a two way street.
If there is a real need for a common digital id, it seems like something that can be well served by private industry, with the advantages that brings; participation is optional, it is paid for by those who want it most, obsolete technology can be abandoned without legislation. For me, it is ideal that government attempt to get by on the least information possible, as it is a uniquely powerful and persistent institution.
“Give some more thought to why ID Card 2.0 will really keep you and your family safe.”
I have not made that argument, and would not.
The precise question is whether, in a regime where ID is already required in a variety of ways, there is a rational basis for rejecting an electronic version of the ID.
Jon – Though I’m likely more on your side than not in this discussion, the one word answer to your query is: efficiency. Sometimes it’s not an unalloyed good. There could be all the difference in the world between an inefficient, inconsistently applied ID scheme – what we have now – and a truly efficient, universally applied ID scheme – what we might end up with. This is not a trivial distinction – a little friction can go a long way.
Given the sentiment in the Keene Sentinel article, it’s ironic that before they allow you to add a comment to the story, the paper insists you provide not just your name but your email address and phone number too. Couldn’t it just ask for your smart card ID instead? :-)
Hi Jon, your arguments assume that the US would be able to design a proper electronic ID with user control. I am extremely doubtful that this is within our government’s capability. My guess is that the Sentinel editors have a similar intuition on the matter.
Belgium is a small country. Imagine if New Hampshire implemented electronic IDs only for itself, and the state had comparable funds to those of Belgium. Which effort is more likely to come up with an electronic ID card with the user-control benefits you advocate– that of a small state with only state, county, and town governments invoved, or that of the federal government with all the states, the congress, all of the myriad executive agencies, the FBI, involved?
Hi Jon,
I’ve written a post about how a new standard initiative I’m involved (Identity Governance Framework) could potentially help provide the necessary safeguards at:
http://blogs.oracle.com/mwilcox/2007/03/05#a99
Not to mention the self-examination that revealed more than a few ugly truths. ,