IDs -- Not That Easy: Questions About Nationwide Identity Systems (2002)
Chapter: Executive Summary
Page 1
Executive Summary
Nationwide identity systems have been proposed as a solution for problems ranging from counterterrorism to fraud detection to enabling electoral reforms. In the wake of September 11, 2001, and renewed interest in the topic, the Committee on Authentication Technologies and Their Privacy Implications of the Computer Science and Telecommunications Board 1 developed this short report as part of its ongoing study process, in order to raise questions and catalyze a broader debate about such systems. The committee believes that serious and sustained analysis and discussion of the complex constellation of issues presented by nationwide identity systems are needed. Understanding the goals of such a system is a primary consideration. Indeed, before any decisions can be made about whether to attempt some kind of nationwide identity system, the question of what is being discussed (and why) must be answered.
There are numerous questions about the desirability and feasibility of a nationwide identity system. This report does not attempt to answer these questions comprehensively and does not propose moving toward such a system or backing away. Instead, it aims to highlight some of the significant and challenging policy, procedural, and technological issues
1See < http://www.cstb.org/web/project_authentication>.
Page 2
presented by such a system, with the goal of fostering a broad, deliberate, and sophisticated discussion among policy makers and stakeholders about whether such a system is desirable or feasible.
Policy questions that the committee believes should be considered when contemplating any kind of identity system include the following:
- What is the purpose of the system? Possibilities range from expediting and/or tracking travel to prospectively monitoring individuals' activities in order to identify and look for suspicious activity to retrospectively identifying perpetrators of crimes.
- What is the scope of the population that would be issued an “ID” and, presumably, be recorded in the system? How would the identities of these individuals be authenticated?
-
What is the scope of the data that would be gathered
about individuals participating in the system and correlated
with their national identity? While colloquially it is referred
to as an “identification system,” implying that all
the system would do is identify individuals, many proposals talk
about the ID as a key to a much larger collection of data. Would
these data be identity data only (and what is meant by identity
data)? Or would other data be collected, stored, and/or analyzed
as well? With what confidence would the accuracy and quality of
this data be established and subsequently determined?
-
Who would be the user(s) of the system (as opposed to
those who would participate in the system by having an ID)? One
assumption seems to be that the public sector/government will be
the primary user, but what parts of the government, in what
contexts, and with what constraints? In what setting(s) in the
public sphere would such a system be used? Would state and local
governments have access to the system? Would the private sector
be allowed to use the system? What entities within the
government or private sector would be allowed to use the system?
Who could contribute, view, and/or edit data in the system?
-
What types of use would be allowed? Who would be able
to ask for an ID, and under what circumstances? Assuming that
there are datasets associated with an individual's identity,
what types of queries would be permitted (e.g., “Is this
person allowed to travel?” “Does this person have a
criminal record?”)? Beyond simple queries, would analysis
and data mining of the information collected be permitted? If
so, who would be allowed to do such analysis and for what
purpose(s)?
-
Would participation in and/or identification by the system be
voluntary or mandatory? In addition, would participants
have to be aware of or consent to having their IDs checked (as
opposed to, for example, allowing surreptitious facial
recognition)?
Page 3
-
What legal structures protect the system's integrity
as well as the data subject's privacy and due process rights,
and determine the government and relying parties' liability for
system misuse or failure?
Each of these issues is elaborated on in the report. And each of the above questions evokes a larger set of issues and questions that must be resolved. In addition, many of these issues are interdependent, and choices made for each will bear on the options available for resolving other issues.
Decisions made at this level will also have ramifications for the technological underpinnings of the system, including what levels and kinds of system security will be required. In fact, “system” may be the most important (and heretofore least discussed) aspect of the term “nationwide identity system,” because it implies the linking together of many social, legal, and technological components in complex and interdependent ways. The success or failure of such a system is dependent not just on the individual components but also on the ways they work—or do not work— together. The control of these interdependencies, and the mitigation of security vulnerabilities and their unintended consequences, would determine the overall effectiveness of the system.
The committee believes that given the complexity and potential impact of nationwide identity systems, more analysis is needed with respect to both desirability and feasibility. In particular,
-
Given the potential economic costs, significant design and
implementation challenges, and risks to both security and
privacy, there should be broad agreement on what problem(s) a
nationwide identity system would address. Once there is
agreement on the problem(s) to be solved, alternatives to
identity systems should also be considered as potential
solutions to whatever problem(s) is identified and agreed upon.
-
The goals of a nationwide identity system must be clearly and
publicly identified and deliberated upon, with input sought from
all stakeholders; public review of these goals prior to
selecting a proposed system is essential.
-
Proponents of such a system should be required to present a very
compelling case, addressing the issues raised in this report and
soliciting input from a broad range of stakeholder communities.
-
Serious consideration must be given to the idea that—given
the broad range of uses, security needs, and privacy needs that
might be contemplated—no single system may suffice to meet
the needs of potential users of the system.
Page 4
-
Care must be taken to explore completely the potential
ramifications, because the costs of abandoning, correcting, or
redesigning a system after broad deployment might well be extremely
high.
The legal, policy, and technological issues associated with nationwide identity systems warrant much more detailed and comprehensive examination and assessment than are presented in this report. The committee hopes that the extensive set of questions and issues raised here will help to both further and inform the policy debate. The committee welcomes feedback on this brief report as it continues preparing its broader and more in-depth final report on the topic of authentication technologies and their privacy implications.
