State the Issues - January 2006

State the Issues

by Dr. Robert Atkinson, Ari Schwartz, Nancy Libin

by Dr. Robert Atkinson

Since the primary form of identification in the United States is issued by the states’ departments of motor vehicles, there is no need for a national ID. There is, however, a need for states to modernize their ID systems, including adding smart-card technology.

The Sept. 11 hijackings illuminated long-standing flaws in our state-issued ID system. Four of the five hijackers who crashed into the Pentagon, for example, had fraudulent ID cards obtained in Virginia.

Fixing the state-issued ID system will involve a number of steps, but one of the most important is using smart card technology – ID cards implanted with small computer chips that can hold data and perform other functions. Smart card technology can make cards virtually unforgeable because forgers would have to crack the strong encryption on the card, an almost impossible task. Moreover, because the cards hold an encrypted version of a unique biometric identifier, such as a digital scan of a thumbprint, it would be extremely difficult for a terrorist on a watch list to fraudulently switch ID cards with a person not on the watch list.

But unless Congress requires all 50 states to adopt robust, interoperable solutions, we run the risk of creating a system where the security chain is only as strong as its weakest link, in this case, a state with IDs that can be easily forged. Consequently, as the Bush administration implements the Real ID Act, it needs to ensure that all states adopt interoperable smart card technology.

What about privacy? In spite of what some privacy advocates might say, putting smart cards on state IDs will not create a "National ID". Instead, it will create more secure state IDs. Moreover, adopting smart card technology wouldn’t empower jack-booted officers to require us to "show our papers." Government would be subject to exactly the same rules as it is today with respect to when a citizen is required to present ID. Moreover, there will be no national database, no fingerprint database, no ability to capture data surreptitiously, only more secure ID cards. In fact, compared to current IDs, smart cards would actually increase citizen privacy and security, in part because it would reduce ID theft.

Sept. 11 was a wake-up call to boost our homeland security on many fronts. Let’s hope that we heed the call on the ID front.

by Ari Schwartz and Nancy Libin

As our economy moves increasingly into a networked world, more information is collected and retained on the activities of individuals. The use by individuals of a single card – a smart card – that could merge all of these interactions and transactions raises privacy and security issues. Smart cards should not be used widely unless these concerns have been sufficiently addressed.

Smart cards are diverse, ranging from single-function cards like credit cards to student ID cards that allow access to buildings, pay for meals and serve as library cards. While they offer diverse functions, all smart cards share a common basic purpose: authentication.

Authentication mechanisms are necessary for a thriving networked economy, but they raise important individual privacy, security and social concerns for consumers. These concerns multiply as we begin to use smart cards to bundle different services. Some examples of these concerns are:

• Centralization of personal information: The use of a single multi-function card could create a centralized warehouse of data about an individual’s activities. Today, our banks, doctors and credit card companies keep separate records about our interactions with them. This distribution limits the damage to individual privacy that occurs through either misuse or unauthorized access. If all transactions were recorded at the same source, we would create a powerful center of data on all citizens that would be ripe for misuse and abuse.

• Means for new social controls: The issuing, revoking or withholding of a smart card could be used to control social behavior, limit an individual’s activities, or punish unrelated activities. Today, specific tokens enable specific activities. While loss of a driver’s license may limit a person’s ability to drive, it does not impact on his or her ability to purchase goods or seek healthcare.

• Greater collection and use of personal information: A multi-function smart card could become a default personal identification or national ID card. A single certifier will result in more data being collected than is needed for many interactions and could create an electronic trail of all personal interactions.

Smart cards will only succeed if consumers trust them. Therefore, the industry should build into the cards privacy-enhancing and security features to assuage concerns about the tracking ability and security vulnerabilities that currently exist.

Dr. Robert Atkinson, Ari Schwartz, Nancy Libin
Dr. Robert Atkinson is vice president of the Progressive Policy Institute. Ari Schwartz is associate director of the Center for Democracy and Technology. Nancy Libin is staff counsel for the same organization.