The idea of a national ID system, not surprisingly, sticks in the craw of many privacy advocates. The concept of a national ID lends itself far too easily to images of menacing police demanding "your papers, please!" at every street corner. In a less melodramatic, but still too Orwellian for comfort, vein, many privacy advocates warn of a national ID becoming the peg upon which armies of governmental and corporate bureaucrats can hang information about your every move, every purchase, and every personal detail.
Meanwhile, proponents of a national ID counter these visions with the all-too-real images of death and destruction wrought by terrorists who have played our current immigration, border security, and transportation security systems like the proverbial $2 banjo, exploiting our weaknesses to their advantage.
In a country where identity theft is rampant, and a couple hundred bucks can buy you an authentic-looking driver's license, immigration document, passport, and other forms of identification, the argument for a more uniform -- and uniformly secure -- ID has merit.
I am a rarity among privacy advocates in that I generally support the idea of a national ID as a part of an intelligently designed national identification infrastructure.
My reasons are simple: First, today's system of insecure and easily stolen identification serves no one's interests. Second, and most importantly, there is very little risk in supporting it because such a thing will never see the light of day!
In case you've been asleep for the last 40 years or so, we already have a system of unique national identifiers -- such as the Social Security Number, mother's maiden name, and billing zip codes -- each of which is a critical part of today's de facto identity standards. With some combination of those pieces of data, just about anyone can get access to just about anyone else's private information. Those pieces of information do not contain any meaningful security features to prevent errors or abuses, except the most basic of security protections: slight obscurity.
A well-designed and well-secured national ID infrastructure could go a long way towards solving many of today's seemingly intractable identity theft problems. But at the end of the day, I just don't see America -- or more to the point, I don't see our American government -- as being capable of recognizing a well-designed national ID infrastructure, much less implementing it in a way that wouldn't become a comedy of errors.
For the record, I think that an intelligently designed infrastructure would have to address the concern of privacy advocates who worry about placing too many eggs in one basket. Indeed, there are some excellent conceptual frameworks that are actively being debated in the academic literature that would provide layered physical and cryptographic protections, which can both harden the basket and ensure that a limited number of eggs are at risk at any given moment.
But I just don't see any of this happening on a time frame shorter than that needed for pigs to evolve wings.
First, to implement a secure, best-of-breed national ID system would not merely require pigs to fly, but would necessitate the creation of an even more fanciful creature: a governmental entity that is truly independent of political and economic influences.
Such a department would have to be empowered to choose the best technologies from around the world based upon completely objective factors, without regard to whose Congressional District the supplier's factory is located. The agency also would have to be empowered to choose the 'objectively' better technology, even if it was more expensive in the long run. Then it would have to be given the money necessary to actually do that more expensive thing.
Not since General Leslie Groves led a pack of nomadic physicists into the deserts of New Mexico with a mandate to not come back until they'd invented the nuclear bomb, have we seen a government project that was given both the resources and the freedom needed to come up with the best results they could achieve. Even in the heady days of 1945 and with the pressure of a world war weighing on them, the birth of "the bomb" was not without bitter political and personal battles that threatened to derail everything on a weekly basis.
While comparing the debate over a national ID to the Manhattan Project may be a bit of a stretch, a little further digging suggests that a comparison is worthwhile. According to the Brookings Institution, the entire cost of the Manhattan Project was approximately $20 billion. Compare that figure to the cost of identity theft, which Congress estimated in 2003 as $48 billion to businesses and $5 billion in losses to individual victims.
You may not agree that either the war against terrorism or the need to create a national ID is comparable enough to the waning days of World War II to merit the creation of a new Manhattan Project. But given the costs involved, one wonders whether sending some cryptographers, computer security experts, and some privacy experts into the desert wouldn't save us all a lot of money at the end of the day.
A far more likely scenario for the deployment of a more universal ID is that we will continue to see entrepreneurs creating new technologies and methodologies, slowly enhancing today's pathetic IDs with new and improved approaches. But this slow approach is not without its perils too.
My fear is that while privacy advocates have shown themselves adept at quashing sweeping legislation that would mandate creation of a national ID on a specific date, they will not be as effective at stopping the slow metastasis of privacy threats within the innards of a thousand new entrepreneurial solutions.
It may yet be the case that a national ID Manhattan Project may offer a better venue for protecting civil liberties and guarding against short-sighted parochialism than letting nature take its inevitable course.
Ray Everett-Church is a principal with ePrivacy Group, a privacy and anti-spam consultancy. He is a founder of CAUCE, an anti-spam advocacy group, and he is co-author of "Internet Privacy for Dummies."