Read the full report (pdf)
Identification and Authentication Resources page
Watch the video: Bruce Schneier talks about ID security on Science Progress.
Watch the video: Bruce Schneier answers the question: What are biometrics?
How individuals identify themselves in our country grows more complex by the year. Just last month, 12 nuns were turned away from voting booths during the Indiana presidential primary because they lacked state identification (none of them drives), a stark reminder that the recent Supreme Court ruling that upheld Indiana’s voter ID law poses lasting consequences to our democracy. And two years ago last month the personal identification data of 26.5 million veterans were lost from a government laptop, the latest in a series of data breaches that threaten the integrity of everyone’s identification.
Those 12 nuns are among 20 million other voting age citizens without driver’s licenses, and they join those 26.5 million veterans and many millions of other Americans who suddenly find themselves on the wrong side of what we call the ID Divide—Americans who lack official identification, suffer from identity theft, are improperly placed on watch lists, or otherwise face burdens when asked for identification. The problems of these uncredentialed people are largely invisible to credentialed Americans, many of whom have a wallet full of proofs of identity. Yet those on the wrong side of the ID Divide are finding themselves squeezed out of many parts of daily life, including finding a job, opening a bank account, flying on an airplane, and even exercising the right to vote.
For many reasons, the number of ID checks in American life has climbed sharply in recent years, especially in the wake of the 9/11 terrorist attacks on our country in 2001. In fact, the growing ID Divide is similar in many ways to the “Digital Divide” that exists for those who lack access to computers and the Internet, which in turn leaves them without access to numerous opportunities for education, commerce, and participation in civic and community affairs. The ID Divide leaves those without proper means of identification or with compromised ID unable to participate in the most basic functions of everyday life in our economy and democracy.
What’s worse, Americans and their representatives in government at the federal, state, and local levels are divided about what to do about these problems. Some want stricter identification systems, most prominently to fight terrorism and to limit immigration. Their voices are joined by those who see massive profits to be had if the United States embraces ever more intrusive forms of personal identification—beyond fingerprints to iris scans, embedded ID chips, DNA profiles, and other forms of ID that, combined with personal and public financial records, would in fact throw more and more Americans onto the wrong side of the ID Divide. Others have a starkly different view. They are skeptical in general of new programs that require proof of ID, for cost, computer security, privacy, and civil liberties reasons.
These divisions are most visible in recent debates about whether the REAL ID Act, which would set strict federal standards for states to follow in issuing driver’s licenses, would create a national ID system and should be implemented. The Department of Homeland Security has proposed regulations to implement REAL ID, but the next administration will face crucial choices about whether, or how, to continue with that approach.
Amid this debate, we recognize that there are circumstances where strong identification is required in the service of certain goals, such as national and homeland security. But in light of the many problems that can arise from use of identification, we support a process of careful vetting, or “due diligence” (to borrow a phrase from the financial world) for any new ID proposals. There should be scrutiny on cost and technical feasibility. There should be a detailed examination of whether an authentication procedure is reasonable given the goals rather than simply feasible because a new way to identify an individual is now possible.
In particular, we believe such due diligence would illustrate that many of the claims of ID vendors and other identity system proponents do not stand up well to such scrutiny. Fingerprint-based systems, for example, have much greater long-term flaws than most proponents and observers understand—and this form of ID has been around for decades. Due diligence must also include careful consideration of other important values, including: unequal effects on the poor and other disadvantaged groups; avoidance of excessive and uncompensated burdens on individuals (such as those wrongly put on watch lists); and burdens on important rights including privacy and the right to vote.
Our report first explores the background of the issue, including the sharp rise in recent years in how often Americans are asked for proof of identity. We then examine the facts of the ID Divide in detail, identifying at least four important types of problems:
- A large population affected by identity theft and data breaches
- The growing effects of watch lists
- Specific groups that disproportionately lack IDs today
- The effects of new and stricter ID and matching requirements
These problems raise clear reasons for caution about implementing identification systems, which often have large, negative effects on those on the wrong side of the ID Divide. When systems need to be implemented, these problems show the great importance of designing systems with policies to address them. We argue that a strong set of progressive principles for identification systems (see sidebar below) must first determine whether to create the system at all; and if so, how to do it. Those decisions should be based on:
- Real security or other goals
- Accuracy
- Inclusion
- Fairness and equality
- Effective redress mechanisms
- Equitable financing for systems
How can these principles be honored in practice? That’s where the “due diligence” process comes into play when considering and implementing identification systems. Due diligence in the financial world of mergers and acquisitions and other important corporate transactions is conducted before a company makes a major investment. Proponents of, say, a merger (or in our case, a new identification program) can err on the side of optimism, concluding too readily that the merger (or new ID program) is clearly the way to go. Thorough due diligence protects against such over-optimism.
In the pages that follow, we apply this due diligence process to some recurring technical problems with current and proposed identification programs. And we discover—as you’ll see toward the end of the report—that ID programs that rely on “shared secrets,” such as Social Security numbers or your mother’s maiden name, are becoming more insecure due to the increased use of identification. Similarly, ID programs based on biometrics such as fingerprints or iris scans are not the “silver bullets” that some proponents claim they are, but rather could become compromised rapidly if deployed in haphazard ways.
We then apply our progressive principles and due diligence insights to two current examples of identification programs. The first details why it would be bad policy to require government-issued photo ID for in-person voting. The second shows the basically sound policy rationale for the Transportation Worker Identification Card, used for workers with access to security-critical port facilities. By examining one identification program that is reasonable, and one that is not, our analysis shows the usefulness of the Progressive Principles for Identification Systems.
We believe the approach developed in this report favors well-designed identification systems where they are carefully implemented and in the common interest. Design of identification systems should take full account of the Progressive Principles. If that occurs, then the problems of the ID Divide will become far more manageable.
Read the full report (pdf)
Identification and Authentication Resources page