Page 34

¹Association of an identity card with its holder has to be verified before the identity information it contains can be relied upon (otherwise, stealing the card would permit the theft of the cardholder's identity).

Page 35

Fraud (and security in general) is a significant concern in any system, even the most technologically sophisticated. ² The nationwide scale of such a system would require knowing that all aspects of the system are scalable—a daunting problem for lesser systems. ³ In any case, the challenges of building robust and trustworthy information systems—they are extensive and well-documented ⁴ —are accompanied by the even greater challenge of making the systems resistant to attacks by well-funded adversaries.

Architectural issues include the degree of centralization of the underlying databases as well as the location and cost of data storage, computation, and communication, which can all be done at different places. ⁵ For example, how would authorized entities obtain the records they wanted, under what circumstances, and with what degree of authorization? Would there be daily or weekly downloads of selected records to more permanent storage media? Would a real-time network feed be required (perhaps similar to those used in real-time credit authorization systems)? Would it be possible to secure such a feed sufficiently? ⁶

Choices among architectural options, as well as other options, would depend on the functional goal(s) of the system. Architecture influences scalability, cost, and usability/human factors. It also interacts with proce

Page 36

dure: Decisions must be made about who would be in charge of issuing, reissuing, renewing, revoking, and administering the cards, along with maintaining, updating, and granting access to the database. A further concern is the need for graceful recovery from failure as well as substitute mechanisms when the system is compromised or not adequately responsive at the time verification of an identity is needed. All of these factors influence cost, as well as effectiveness.

Cost needs to be analyzed completely, on a life-cycle basis and with attention to numerous trade-offs. Even if software and hardware costs are minimized, experience with lesser systems—from SSNs to state drivers' licenses to military identification systems—shows that there will be significant ongoing administrative costs for training, issuing cards, verification, maintenance (keeping whatever information is associated with an individual and his or her ID up to date), and detection and investigation of counterfeiting. ⁷ In particular, the costs—and technological and administrative complexity—of assuring the integrity and security of an identity infrastructure are likely to be large. They would depend in part on whether technology for automated checking of an ID—as opposed to a visual check used today with SSNs or drivers' licenses—is required, which in turn depends on the choice of ID technology (see Box 3.1).

For example, in response to legislation enacted in August 1996, ⁸ the Social Security Administration (SSA) conducted an analysis and produced a report on options for enhancing the Social Security card. ⁹ Citing a number of key business and technology assumptions that appeared valid at the time of the study (1997), SSA estimated that issuing enhanced cards might have a life-cycle cost of $5.2 billion to $10.5 billion, depending on the technology developed and deployed. These estimates included assumptions about the need for reissuing cards, issuing new cards, and maintaining the systems in order to store data related to the cards and keep that data up to date. The study did not assume that each SSN and its related card would relate to just one individual, because SSA estimated that at the time, approximately 10 million of the 269 million valid SSNs

Page 37

were duplicates (that is, two or more persons had been given the same SSN). There was a variety of reasons for such duplication, including error on the part of SSA and malfeasance on the part of some individuals.

As with the design of any system, decisions about trade-offs would need to be made in advance. The security, efficiency, and effectiveness options chosen would depend on the goals and policies (see Chapter 2) and the planned uses of the system. For example, a “trusted traveler” system whose sole function was to authenticate individuals who had been previously certified as “trusted” in the particular context of travel might place more emphasis on efficiency in travel-related queues and on eliminating false positives than on protecting the fact that a particular person has been certified as trusted (or untrusted). A secure driver's license system, in which the license is used as an ID for many activities beyond driving on a public roadway, might trade ease of replacing a lost license against the rigorous authentication of individuals who request a replacement. In making decisions about trade-offs, understanding the potential threats and risks will be a large component of assessing the security requirements of a system.

Page 38

Page 39

Page 40

a “live capture” of the biometric could be carried out when an individual presents the card. The captured data would then be compared with the data stored on the card. Depending on what kinds of cryptographic protections are used, this system could be susceptible to forgery as well— for example, someone might recreate the card with his or her own biometric information in combination with another person's identity information.

Another scenario might be to have the person present a biometric to a controlled scanner and present the card that contains reference information. Both pieces of information are then validated in combination against a backend server. However, this creates a requirement for high availability (that is, the system should be usable essentially all of the time) and a dependence on reliable, secure network and communications infrastructures.

In principle, a card coupled with biometrics and the appropriate infrastructure for reading and verifying biometric data may offer the greatest confidence with respect to linking persons and their cards. But getting biometrics technology right (including control of the risks of compromise) and widely distributed is not easy. ^{12 , 13} There are additional issues associated with the use of biometrics, such as some popular resistance. ¹⁴

Note that biometrics allows for cardless system options: A database-only system based solely on biometrics eliminates the risk of card loss or theft, but real-time database accessibility then becomes a major consideration. In addition, compromise of the database is an even greater concern than in card-based systems, where the cards can be used to provide a check against corrupted data in the database. Further, a cardless system implies that anyone wishing to use the system (even for activities needing only moderate to low levels of security) would have to invest in the equipment needed to access the infrastructure in real time.

¹²“Advice on the Selection of Biometric Products: Issue 1.0,” (U.K.) Communication Electronic Security Group, November 23, 2001, available at < http://www.cesg.gov.uk/technology/biometrics>.

¹³J.D.M. Ashbourn, Biometrics: Advanced Identity Verification: The Complete Guide, Springer, London, 2000.

¹⁴For further information, see the recent RAND report Army Biometric Applications: Identifying and Addressing Sociocultural Concerns, 2001. In addition, an accuracy issue arises with biometrics because it uses what are known as probabilistic measures of similarity. No two images of the same biometric pattern (even fingerprints) from the same person are exactly alike. Consequently, biometrics is based on pattern-matching techniques that return sufficiently close measures of similarity. With enough (or not enough) information about the application environment and user population, it is possible to convert those measures into probabilities of a match or nonmatch. Thus, incorrect decisions occur randomly with a probability that can be measured.

Page 41

Cryptographic protection and digital signatures, in combination with offline verification of the signature and a properly deployed public key infrastructure (PKI), ¹⁵ could provide a measure of protection for the information associated with IDs and guard against misuse. But for any technology, some degree of imperfection will exist. Therefore, it is necessary to decide on thresholds for false rejection rates (false negatives) and false acceptance rates (false positives), not only for when the ID is used but also at the time of issuance, reissuance, and renewal. Policy decisions—perhaps with corresponding legal backing—need to be made about what happens in the event of a false negative or false positive. Creation of exception-handling procedures for dealing with incorrect decisions opens up additional vulnerabilities for the system, as impostors might claim to have been falsely rejected and request handling as an exception.

Page 42

commerce that required identity verification (for example, purchase of guns or certain chemicals).

Note that availability would be a key aspect of any online component of a nationwide identity system. While the desire for cost savings might lead to such a backend system being accessible via the public Internet (as opposed to a dedicated network), this would expose the system to yet more attacks, both direct and indirect, on shared infrastructure, such as the routing systems and hardware, the domain name system, or shared bandwidth. As noted previously, it has proven extremely difficult to secure systems that utilize the Internet; a nationwide identity system would likewise need to be widely accessible and would inevitably be the target of malicious attacks as well as subject to unintentional or incidental damage. Failure modes of the system would have to be very carefully studied, and backup plans and procedures would have to be designed and tested for all critical systems that depend on use of the nationwide identity system.

A further complication would result if it were decided that different users should be granted different levels of access to the database, whether for aggregated data or information about individuals. This raises query capability, access control, and security issues. Related to the size of the user base (that is, those who use the identity system to make some sort of determination about an individual) is the question of whether the same security measures need to hold for each user. For example, if the system were used broadly in the private sector, a clerk at a liquor store might be relatively less concerned about detecting counterfeit cards than would be an intelligence or law-enforcement agent granting access to national security-related sites or information. In addition, the clerk would need less information (for example, age of individual is greater than 21) verified through the system than would the agent.

It is a significant challenge to develop an infrastructure that would allow multiple kinds of queries, differing constraints on queries (based on who was making them), restrictions on the data displayed to what was needed for the particular transaction or interaction, and varying thresholds for security based on the requirements of the user. Determining the scope of use and the breadth of the user population in advance would dictate which functionalities are needed.

A further challenge resulting from a wide variety of users and uses is data integrity. Different users (even if the system were used only by agencies within the government) would undoubtedly have different perceptions of how critical the accuracy of the data is. Therefore, to maintain the quality of the data, controls over who could input data, and with what degree of specificity and security, must also be a factor in the design of the system.

Page 43

Another necessary component of system and data integrity is auditing capability. Keeping track of who has accessed what parts of the system and which data would be necessary for reasons of technology (to track down errors and bugs, for example) and liability. ¹⁶

Procedurally, such a large system would require many people to be authorized to maintain and administer it. Even if perfect technological security were achievable, there would still be the security risk of compromised insiders, given the very large numbers of people needed to maintain and administer the system. ^{17 , 18} The human factor would also be an issue with regard to data entry and possible errors in the database. This is well known among statisticians, and various technical and procedural steps can be taken to offset risks of inaccuracy. In general, therefore, correction mechanisms would need to be created; however, these mechanisms provide additional opportunity for fraud. Given the uses to which such a system is expected to be put, however, and potential impacts on individuals' reputations and freedom to function as social and economic actors, mechanisms that allow individuals to know what is in the database and to contest and/or correct alleged inaccuracies would be desirable and politically essential (and, if run by the federal government, legally required). While such mechanisms can be found in credit-reporting and medical databases, ¹⁹ the law-enforcement and national-security frameworks that are motivating proposals for a nationwide identity system pose unique accessibility and disclosure challenges.

Another concern is that depending solely on feedback from participants to correct inaccuracies would catch only a fraction of the errors. People may tend to notice and report only those errors that interfere with something they are attempting to accomplish. An incorrectly entered birth date, for example, may not be noticed or corrected for decades and may only come to light when the person applies for, say, Medicare. An

¹⁶Indeed, major federal agencies such as the Internal Revenue Service have run into problems with tracking and controlling access to information. For a discussion of this as it relates to privacy, see Peter P. Swire, “Financial Privacy and the Theory of High-Tech Government Surveillance,” Washington University Law Quarterly 177(2):461-512 (1999).

¹⁷CSTB held a planning meeting on the topic of the insider threat in late 2000. For more information, see < http://www.cstb.org/web/whitepaper_insiderthreat>.

¹⁸The President's Commission on Critical Infrastructure Protection at < http://www.ciao.gov/PCCIP/PCCIP_Report.pdf> discusses cyberthreats, including the insider threat. Fortune has examined the cost of insider attacks online at < www.fortune.com/sitelets/sections/fortune/tech/2001_01esecurity2.html>.

¹⁹See, for example, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information, National Academy Press, Washington, D.C., 1997.

Page 44

accumulation of latent errors is inevitable and leads to at least two problems: (1) by the time the error is discovered it may be hard to locate the information needed to verify the claim of error and (2) the act of making the correction may interfere with or delay some action that should be allowed by the system. Creating a workable nationwide identity system that can compensate in effective ways for these inevitabilities is clearly a nontrivial task.

²⁰A forthcoming CSTB report will explore issues on critical information infrastructure protection and the law, including a preliminary analysis of the issue of information sharing between the public and private sectors. For more information, see < http://www.cstb.org/web/project_cip>.

²¹See, for example, Larry Ellison's October 8, 2001, article in the Wall Street Journal, “Digital IDs Can Help Prevent Terrorism,” and Cara Garretson's December 2001 article in CIO, “Government Info Sharing Key to Fighting Terrorism,” at < http://www.cio.com/government/edit/122001_share.html>.

²²Loss of ID cards presents its own challenges to the system; if all of the individuals with lost IDs were to become immediately “suspect” in the system, intolerable backlogs and/or overload could result.

Page 45

or detecting socially detrimental activities, because it avoids the uncertainty and confusion that may arise from multiple identities (notwithstanding that multiple identities can serve useful and socially desirable purposes, as described previously). Credit card companies, for example, can conduct behavior-pattern analysis for fraud detection. ²³ Similar technologies must be used to detect behavior indicative of impending criminal or terrorist activities, although this raises concerns about profiling.

On the negative side, such analysis also enables invasions of personal privacy. The extent to which this occurs would depend heavily on the circumstances under which an individual can be compelled to present an ID, what information is retained, and which activities are tracked within the system (a topic explored above). Indeed, detecting a problem might only be possible in some instances through broad analysis. This would necessitate examining the behavior of many people who do not pose a risk—most human behavior involves law-abiding citizens pursuing constitutionally protected activities—in order to identify the few who do. ²⁴

²³Credit card companies make these correlations using both standard statistical methods and neural networks.

²⁴For a discussion of some of the effects and implications of ubiquitous surveillance cameras, see the October 7, 2001, article by Jeffrey Rosen, “A Watchful State,” New York Times Magazine.