The earliers posts by Sneider explain it better: Crypto-gram: April 15, 2004 - Schneier on Security
As a security technologist, I regularly encounter people who say the United States should adopt a national ID card. How could such a program not make us more secure, they ask?
The suggestion, when it’s made by a thoughtful civic-minded person like Nicholas Kristof in the New York Times, often takes on a tone that is regretful and ambivalent: Yes, indeed, the card would be a minor invasion of our privacy, and undoubtedly it would add to the growing list of interruptions and delays we encounter every day; but we live in dangerous times, we live in a new world…
It all sounds so reasonable, but there’s a lot to disagree with in such an attitude.
The potential privacy encroachments of an ID card system are far from minor. And the interruptions and delays caused by incessant ID checks could easily proliferate into a persistent traffic jam in office lobbies and airports and hospital waiting rooms and shopping malls.
But my primary objection isn’t the totalitarian potential of national IDs, nor the likelihood that they’ll create a whole immense new class of social and economic dislocations. Nor is it the opportunities they will create for colossal boondoggles by government contractors. My objection to the national ID card, at least for the purposes of this essay, is much simpler.
It won’t work. It won’t make us more secure.
In fact, everything I’ve learned about security over the last 20 years tells me that once it is put in place, a national ID card program will actually make us less secure.
My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.
It doesn’t really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.
The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names.
Two of the 9/11 terrorists had valid Virginia driver’s licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn’t be bribed, initial cardholder identity would be determined by other identity documents… all of which would be easier to forge.
Not that there would ever be such thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse.
Additionally, any ID system involves people… people who regularly make mistakes. We all have stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It’s not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics such as thumbprints show some promise here, but bring with them their own set of exploitable failure modes.
But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American – one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.
The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. As computer scientists, we do not know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.
And when the inevitable worms, viruses, or random failures happen and the database goes down, what then? Is America supposed to shut down until it’s restored?
Proponents of national ID cards want us to assume all these problems, and the tens of billions of dollars such a system would cost – for what? For the promise of being able to identify someone?
What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal is here is to know someone’s intentions, and their identity has very little to do with that.
And there are security benefits in having a variety of different ID documents. A single national ID is an exceedingly valuable document, and accordingly there’s greater incentive to forge it. There is more security in alert guards paying attention to subtle social cues than bored minimum-wage guards blindly checking IDs.
That’s why, when someone asks me to rate the security of a national ID card on a scale of one to 10, I can’t give an answer. It doesn’t even belong on a scale.
Identification and Security
In recent years there has been an increased use of identification checks as a security measure. Airlines always demand photo IDs, and hotels increasingly do so. They’re often required for admittance into government buildings, and sometimes even hospitals. Everywhere, it seems, someone is checking IDs. The ostensible reason is that ID checks make us all safer, but that’s just not so. In most cases, identification has very little to do with security.
Let’s debunk the myths one by one. First, verifying that someone has a photo ID is a completely useless security measure. All the 9/11 terrorists had photo IDs. Some of the IDs were real. Some were fake. Some were real IDs in fake names, bought from a crooked DMV employee in Virginia for $1,000 each. Fake driver’s licenses for all fifty states, good enough to fool anyone who isn’t paying close attention, are available on the Internet. Or if you don’t want to buy IDs online, just ask any teenager where to get a fake ID.
Harder-to-forge IDs only help marginally, because the problem is not making sure the ID is valid. This is the second myth of ID checks: that identification combined with profiling can be an indicator of intention.
Our goal is to somehow identify the few bad guys scattered in the sea of good guys. In an ideal world, what we’d want is some kind of ID that denotes intention. We’d want all terrorists to carry a card that says “evildoer” and everyone else to carry a card that said “honest person who won’t try to hijack or blow up anything.” Then, security would be easy. We’d just look at people’s IDs and, if they were evildoers, we wouldn’t let them on the airplane or into the building.
This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you’re likely to be an evildoer. This is the basis behind CAPPS-2, the government’s new airline passenger profiling system. People are divided into two categories based on various criteria: the traveler’s address, credit history, and police and tax records; flight origin and destination; whether the ticket was purchased by cash, check, or credit card; whether the ticket is one way or round trip; whether the traveler is alone or with a larger party; how frequently the traveler flies; and how long before departure the ticket was purchased.
Profiling has two very dangerous failure modes. The first one is obvious. The intent of profiling is to divide people into two categories: people who may be evildoers and need to be screened more carefully, and people who are less likely to be evildoers and can be screened less carefully. But any such system will create a third, and very dangerous, category: evildoers who don’t fit the profile.
Oklahoma City bomber Timothy McVeigh, DC sniper John Allen Muhammed, and many of the 9/11 terrorists had no previous links to terrorism. The Unabomber taught mathematics at Berkeley. The Palestinians have demonstrated that they can recruit suicide bombers with no previous record of anti-Israeli activities. Even the 9/11 hijackers went out of their way to establish a normal-looking profile; frequent-flier numbers, a history of first-class travel, etc. Evildoers can also engage in identity theft, and steal the identity-and profile-of an honest person. Profiling can actually result in less security by giving certain people an easy way to skirt security.
There’s another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because actual evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. This not only wastes investigative resources that might be better spent elsewhere, but it causes grave harm to those innocents who fit the profile. Whether it’s something as simple as “driving while black” or “flying while Arab,” or something more complicated like taking scuba lessons or protesting the current administration, profiling harms society because it causes us all to live in fear…not from the evildoers, but from the police.
Security is a trade-off; we have to weigh the security we get against the price we pay for it. Better trade-offs are to spend money on intelligence and analysis, investigation, and making ourselves less of a pariah on the world stage. And to spend money on the other, non-terrorist, security issues that affect far more Americans every year.
Identification and profiling don’t provide very good security, and they do so at an enormous cost. Dropping ID checks completely, and engaging in random screening where appropriate, is a far better security trade-off. People who know they’re being watched, and that their innocent actions can result in police scrutiny, are people who become scared to step out of line. They know that they can be put on a “bad list” at any time. People living in this kind of society are not free, despite any illusionary security they receive. It’s contrary to all the ideals that went into founding the United States.
