While the events of September 11, 2001, have galvanized a search for improvements in the safety and security of our society, the challenge is to provide protection without sacrificing fundamental freedoms. An idea that has resurfaced as a result of the attacks is the creation of a “national identity card,” often referred to simply as a “national ID.” 1 This term is a bit of a misnomer, in that a card would likely be but one component of a large and complex nationwide identity system, the core of which could be a database of personal information on the U.S. population. This report by the Committee on Authentication Technologies and Their Privacy Implications provides a limited exploration of such a system and of the potential legal, policy, and technical challenges that it might present.
No one really knows if a nationwide identity system could detect or deter terrorism, although several arguments have been advanced. One is that such a system could be used to easily identify known terrorists upon their interaction with particular agents (such as airline security officials), facilitating their arrest. On the other hand, unless the database of suspects includes those particular individuals, the best possible identity system would not lead to their apprehension. Another suggestion is that the data collected from the widespread use of nationwide IDs could help prevent terrorists from achieving their objectives. This might involve the detection of abnormal or suspicious patterns of behavior that accompany the planning and/or execution of a terrorist act.
1 See, for example, “States Devising Plan for High-Tech National Identification System” at <http://www.washingtonpost.com/wp-dyn/articles/A32717-2001Nov2.html> and “National ID Card Gaining Support” at <http://www.washingtonpost.com/wp-dyn/articles/A52300-2001Dec16.html>.
Another potential role of a nationwide identity system is as an investigative tool in the aftermath of a crime or terrorist attack. Here, the data collected could help retrospectively in the identification, arrest, and prosecution of the perpetrators. Some argue that this is primarily (though not exclusively) a post facto activity, more useful for law enforcement than for counterterrorism, which is, in part, an a priori intelligence function.
Terrorism issues per se are beyond the scope of this report, which examines the concept of a nationwide identity system in the large, not solely with respect to counterterrorism. The committee believes that the concept of a nationwide identity system—including whether such a system is a good idea—must be examined on its own merits.
Indeed, nationwide identity systems have been sought for many purposes in addition to countering terrorism. They have been proposed to aid in fraud prevention (for example, in the administration of public benefits), catch “deadbeat dads,” enable electoral reforms, allow quick background checks for those buying guns or other monitored items, and prevent illegal aliens from working in the United States.
Depending on the nature of the population, the data collected, and the scope of use, a nationwide identity system might be able to help with other tasks as well. For example, a robust, accurate and comprehensive system might aid law-enforcement officials in tracking or finding people. 2 It is possible that the correlation of social (for example, health, economic, demographic) information could be more easily accomplished with the use of a national identity system; statisticians, for example, note how a single identifier would facilitate some of their analyses. In addition, depending on implementation choices, e-commerce and e-government transactions might be simplified. However, there could also be negative consequences, ranging from infringement on rights and liberties (including loss of or invasion of personal privacy) to harm resulting from misidentification or misuse of the system, plus significant implementation and deployment costs. The trade-offs (enhanced security versus risks to privacy, cost versus functionality, and so on) need to be carefully considered.
2 Examples include tracking fugitives, executing warrants, tracking noncitizens with expired visas, tracking illegal aliens, and confirming alibis for those innocent of criminal charges. A nationwide identity system could facilitate the work done by the National Crime Information Center, a computerized database at the Federal Bureau of Investigation that permits access by authorized users to documented criminal justice information.
Many other countries have nationwide identity systems, which they often use for such diverse purposes as proof of age (e.g., Belgium), proof of citizenship, and for generating electronic signatures (e.g., Finland). In the United States, citizens' concern for civil liberties, their historic association of ID cards with repressive regimes, and states' rights concerns have discouraged movement toward a governmentally sanctioned nationwide identity system. 3 Additionally, because the country was settled by immigrants, a significant fraction of whom wanted to escape just such practices, many U.S. record systems were intentionally designed not to gather linking data. 4 Further, it appears that laws requiring individuals to show proof of legal status or citizenship result in increased discrimination based on national origin and/or appearance. 5 The human rights issues that could arise, such as increased demands for documentation from those who look or sound “foreign” and the deterioration of living and working conditions for aliens, are substantial. 6 Clearly, an examination of the legal and social framework surrounding identity systems, while outside the scope of this report, would be essential. 7
Although discriminatory acts such as those alluded to above might be constrainable by law, the presentation of identifying documents—driver's licenses and credit cards, for example—is being demanded today in more and more generic circumstances. There is also evidence of growing efforts in the public and private sectors to collect, maintain, correlate, and use more and more information on citizens' activities based on existing identifiers such as Social Security numbers (SSNs). Initially designed only for administering social security benefits, SSNs are now common data elements in public and private sector databases, allowing for easy sharing and correlation of disparate records. This is a classic example of function “creep”—continuous expansion in the use of a system first intended for a limited purpose. 8
3 The Electronic Privacy Information Center has compiled a set of resources and reports on the topic at its Web site, <http://www.epic.org/privacy/id_cards/>.
4 An example that frustrates many genealogists is that U.S. birth certificates usually require identifying the town of birth only for parents born in the United States; for people born elsewhere, the country of birth is sufficient. Generally speaking, the mindset that such things are “no one's business” has deep roots.
5 See U.S. General Accounting Office (GAO), Immigration Reform: Employer Sanctions and the Question of Discrimination, March 1990; Marvin Howe, “Immigration Law Leads to Job Bias, New York Reports,” New York Times, February 26, 1990, p. A1. The GAO report on the Immigration Reform and Control Act of 1986 (IRCA) cites a “widespread pattern of discrimination” resulting “solely from the implementation of IRCA.” Ten percent of employers discriminated on the basis of foreign accent or appearance, and nine percent discriminated by preferring certain authorized workers over others.
6 Especially for communities of recent immigrants, there is likely to be significant controversy in shifting to a system that would prohibit or make difficult work and other activities without presentation of an ID. In considering the feasibility and desirability of a particular approach, designers of any such system should be aware of this potential opposition, as well as possible opposition from other segments of the population.
7 It would be useful to examine how such systems have worked in other countries, as well as to examine nations where IDs have been proposed but not implemented (such as the United Kingdom).
Before any decisions can be made about whether to attempt to formalize some kind of nationwide identity system, the question of what is being discussed must be answered. Thus the committee believes that substantive and sustained analysis is needed on the issue.
There is no recognized universal model for a nationwide identity system. Because different people mean different things when they discuss the concept, evaluating it requires clarification of what is intended. The range of possibilities for identity systems is broad and includes alternative approaches such as the following:
8 Some might argue that the SSN is already a de facto national identifier. The General Accounting Office makes this assertion and also points out that no one law governs the use of SSNs. While originally intended to identify retirees who qualified for the Social Security retirement system, the SSN is now required, in some cases by law, to be used to identify individuals who seek federal assistance. In addition, of course, the SSN has been adopted as a taxpayer ID number. In his book Database Nation, Simson Garfinkel provides a history of the expanded use of the SSN. Provisions of the Social Security Act, the Privacy Act, and the Computer Matching Act are among the laws that attempt to limit the conditions under which SSNs and associated data are used (General Accounting Office, Social Security: Government and Commercial Use of the Social Security Number Is Widespread, GAO/HEHS-99-28, February 1999). For example, the Privacy Act of 1974, available at <http://www.usdoj.gov/foia/privstat.htm>, requires the disclosure of how the SSN will be used by all government agencies. In 1986, the Office of Technology Assessment addressed the issue of ubiquitous use of the SSN as well (U.S. Congress, Office of Technology Assessment, Government Information Technology: Electronic Records Systems and Individual Privacy, OTA-CIT-296, Washington, D.C., U.S. Government Printing Office, June 1986).
9 Note that there are additional discussions about systems aimed exclusively at noncitizens, including, for example, proposals that would more rigorously track foreign students within the United States.
The above possibilities (there are others as well) emphasize the need for answers to a number of questions before a more substantive analysis can proceed. Several policy questions should be asked when considering any kind of identity system (see also Figure 1.1):
10 In general, the narrower the goals, the simpler and, perhaps, less controversial a system is likely to be, although even a narrowly focused system can run into function creep and problems associated with misidentification.
FIGURE 1.1 Interconnecting policy choices. The choices made for each of the questions posed will bear, with differing degrees of influence, on the choices made with respect to all of the other issues. For example, the goals of the system will influence what data are collected about individuals. What data are collected about individuals will constrain the possible goals of the system. Who is allowed to use the system will have a bearing on what legal structures are needed. What legal structures are put in place will bear on what kinds of access to the system are allowed. And so on.
These questions will drive technological considerations (described in Chapter 3), including what kinds and what levels of system security would be required.
Throughout this report, the term “nationwide identity system” is used in lieu of the more colloquial “national ID” or “national ID card.” Many of the proposals are often presented in terms of a national identity card, though technologies exist—possibly including biometrics, which measures and analyzes unique physiological and behavioral characteristics of individuals—that might serve some of the same proposed purposes without requiring a physical card. Nevertheless, the emphasis in this report is on card-based models simply because they have been proposed most frequently. In addition, many of the policy questions and database-related technical issues apply both to card-based systems and those that do not require a physical card (see Chapter 3).
With respect to the chosen phrase, nationwide identity system, “nationwide” is meant to underscore the scale (both geographic and in terms of numbers of users) needed, without implying that IDs would necessarily be generated from a single central location or, implicit in the term “national,” that only citizens would need an ID.
The notion of identity is complicated, even when only the identity of persons (and not things, arguments, systems, etc.) is being referred to, as this report is doing. This report distinguishes between an identifier (the name or sign by which a person is known), which can be thought of as a label by which an individual is known in and to society and with which he or she conducts his or her affairs within society, and the identity of a person as seen by others. For the purposes of this report, “identity” refers to a set of information about a person X believed to be true by Y. More colloquially, identity is associated with an individual as a convenient way to characterize that individual to others. The set of information and the identifier (name, label, or sign) by which a person is known are also sometimes referred to as that person's “identity.” The choice of information may be arbitrary, linked to the purpose of the identity verification (also referred to as authentication) in any given context, or linked intrinsically to the person—as in the case of biometrics (see Box 1.1). 11 For example, the information corresponding to an identity may contain facts (such as eye color, age, address), capabilities (for example, licensed to drive a car), medical history, financial activity, and so forth. Generally, not all such information will be contained in the same identity, allowing a multiplicity of identities, each of which will contain information relevant to the purpose at hand. In the phrase “nationwide identity system,” the word “identity” implies that decisions must be made about what constitutes an identity within a system and that an identity will be established for participants.
11 Although biometrics are proposed with increasing frequency for a variety of identification and authentication purposes, they pose many difficult issues for system design, implementation, and use. These will be explored in the committee's final report.
BOX 1.1 Terminology
For the purposes of this brief report, and to help clarify discussion, concepts that the committee's final report 1 will explore in detail are explained here.
It should be noted that each of these terms represents a complicated, nuanced, and, in some instances, deeply philosophical topic. The descriptions of these concepts given here are not meant to be definitive, prescriptive, or comprehensive.
1 See <http://www.cstb.org/web/project_authentication> for more information.
A critical question—which goes beyond the scope of this report, but which must be considered in the larger law-enforcement and national-security context—is whether establishing and verifying identity is either necessary or sufficient for achieving any of the desired objectives of the system. It may be that they require collection and analysis of data and/or prospective or retrospective tracking or surveillance, well beyond mere identity verification. 12 Note that even the question of whether to institute collection of data and surveillance is not binary (see Box 1.2).
“System” may be the most important (and heretofore least discussed) aspect of the term “nationwide identity system,” because it implies the linking together of many social, legal, and technological components in complex and interdependent ways. The success or failure of such a system is dependent not just on the individual components, but on the ways they work—or do not work—together. Each individual component could, in isolation, function flawlessly yet the total system fail to meet its objectives. 13 The control of these interdependencies, and the mitigation of security vulnerabilities and their unintended consequences, would determine the effectiveness of the system.
A nationwide identity system would also consist of more than simply a database, communications networks, card readers, and hundreds of millions of physical ID cards. The system would need to encompass policies and procedures and to take into account security and privacy considerations and issues of scalability, along with human factors and manageability considerations (if the requirements of use prove too onerous or put up too many barriers to meeting the goal of the relying party, that party might try to bypass the system). The system might need to specify the participants who will be enrolled, the users (individuals, organizations, governments) that would have access to the data, the permitted uses of the data, and the legal and operational policies and procedures within which the system would operate. In addition, a process would need to be in place to register individuals, manipulate (enter, store, update, search and return) identity information about them, issue credentials (if needed), and verify search requests, among other things. The word “system” suggests the complicated nature of what would be required in a way that the colloquial phrase “national ID card” does not.
12 For example, if the goal were to track the activities or whereabouts of an individual to detect illegal activity or suspicious patterns, surveillance of the behavior and activities of said individual would be needed after identification was accomplished. Surveillance might require a warrant or other judicial intervention, depending on the approach taken. If the goal were to detect suspicious activity by previously unsuspected individuals (in order to prevent illegal activity), correlation of surveyed actions would be required after identification and surveillance were accomplished. Such correlation would presumably have to be done before establishment of probable cause for a search in order for it to be useful.
13 There are examples of this in security mechanisms—for example, where individual techniques to provide additional security interact unexpectedly in such a way as to make the system less secure. Charles Perrow explores the broad concept more thoroughly in Normal Accidents, McGraw-Hill, 1986. In addition, the Web site <http://www.safeware-eng.com/software-safety/accidents.shtml> describes the distinction between component failure accidents and system accidents.
BOX 1.2 Degrees of Data Collection and Surveillance
Merely asserting that some data collection or surveillance would occur in a system or that data would be analyzed is insufficient. It is important to determine precisely what is meant or intended by “collection” and “analysis” within an identification system. There are at least five different ways to approach this issue:
It is important to note that a variety of identity systems fit within the scope of what is being discussed in this report. The recent AAMVA proposal 14 to link state motor-vehicle databases is a nationwide identity system. So is the recent proposal to create a traveler ID and database to expedite security checks at airports. Each of these systems could and should be subjected to the kind of analysis and critique described in this report. Some of the issues raised here will be more applicable to some systems than to others, but virtually any large-scale identity system will need to take into consideration a number of policy and technological issues; in fact, before deciding to build any identity system, the issues outlined in this report should be explored.
14 See <http://www.aamva.org/> for more information. The committee received a briefing describing some of the issues facing AAMVA in developing a more secure driver's license infrastructure in a context where use of driver's licenses is expanding beyond their nominal function.
A top-down, monolithic system controlled by the federal government is not the only kind of nationwide identity system that this report addresses. For example, unifying document formats and linking the databases of state driver's licenses and ID-issuing systems would provide broad (though not complete) coverage without creating a federally controlled nationwide identity system. Further, the successes and failures of the various nationwide identity systems in use in other countries should be examined in order to have a fully informed discussion in the United States. However, when studying such systems, questions of scale must be kept in mind. Experience with a system for a population of tens of millions is not necessarily applicable to a system that might incorporate hundreds of millions. In any case, many of the questions raised in this report assume large-scale systems and widespread participation in and use of such systems.
Without attempting to answer comprehensively the many questions surrounding a nationwide identity system and without making assertions about whether to move toward or away from a nationwide identity system, the report aims to highlight some of the significant policy, procedural, and technical challenges presented by such a system, with the overall goal of prompting a broad discussion among and between policy makers and stakeholders.
This brief document is intended to inform the policy debate. Complete policy analysis is outside its scope, though several of the broad themes outlined here will be addressed more fully in the committee's final report. Chapter 2 describes what the committee believes is the most important issue in the debate—namely, the system goals—along with other policy issues that the committee believes should be considered in advance of implementation and deployment. Chapter 3 explores some of the technological issues involved in implementing a reliable and secure nationwide identity system while minimizing unintended consequences, such as compromises of privacy or the creation of new vulnerabilities. Chapter 4 offers concluding remarks and suggestions.