
Thursday, March 3, 2011

42 - Though unformed, the Democrats' ID plan is rife with threats to privacy and civil liberties by Jim Harper - Source - Cato@Liberty

Don't believe the hype: Though unformed, the Democrats' ID plan is rife with threats to privacy and civil liberties

Posted by Jim Harper

Senate Democrats have solidified and given more definition to their plan to create a biometric national ID, the centerpiece of their immigration reform proposal. (For reasons unrelated to the national ID plan, Senator Lindsey Graham (R-SC) has dropped out of the picture for now.) The “Conceptual Proposal for Immigration Reform” they released last week gives much more detail to the sketchy plans I previously reviewed.

In my Cato Policy Analysis, “Electronic Employment Eligibility Verification: Franz Kafka’s Solution for Illegal Immigration,” I wrote about the possibility of a work authorization document limited to that purpose—and my doubts that the government would adopt one.

A credential such as eligibility for employment under [the immigration laws] can be proved without creating a nationwide biometric tracking scheme. In fact, templates already exist. But it is unlikely to see adoption. . . . [I]dentification and tracking . . . shift the risk of error in the card-issuance process from the government to the citizen. . . . [T]racking preserves government power. A work-eligibility and tracking system . . . makes the individual’s employment eligibility subject to revision at a later time, if the government wants to change the rules or adapt the system to new purposes, for example.

Those doubts are validated by this plan, which appears to be a full-fledged national ID and national biometric database. Assurances that it won’t be used for purposes beyond immigration control are not persuasive. This is national identity and surveillance infrastructure that will be “switched on” by later policy changes.

They’re calling it “BELIEVE,” short for “Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment.” They can call it that. We’ll study it, and give credence to what we learn.

The plan is confusing, disorganized, repetitive, and sometimes contradictory. Summarizing it is a little like trying to piece together the egg when all you have is the omelet, but three themes emerge: First, this summary backs away from an earlier claim that there would not be a biometric national identity database. There will be a national biometric database. Second, repeating the word “fraud-proof” does not make this national ID system fraud proof. Third, this national ID system definitely paves the way for uses beyond work authorization. This is the comprehensive national identity system that people across the ideological and political spectrum oppose.

The national ID part of the Democrats’ proposal begins at the bottom of page eight. It’s a veritable word-cloud, suggesting a violation of the rule of thumb that simple solutions are usually the best. But let’s look at it, line by line.


Not later than 18 months after the date of enactment of this proposal, the Social Security Administration will begin issuing biometric social security cards.

That’s pretty darn ambitious. Watch for any national ID plan to take several years to get started, decades to complete. The REAL ID Act—a simpler proposal than this one—has been law for five years and not a single compliant card has yet been issued. Not one.

These cards will be fraud-resistant, tamper-resistant, wear resistant, and machine-readable social security cards containing a photograph and an electronically coded micro-processing chip which possesses a unique biometric identifier for the authorized card-bearer.

All these things are easier said than done. And “fraud-resistant”? That’s unlikely. We won’t know until we see details.

The card will also possess the following characteristics:

We’ll take them in chunks.

(1) biometric identifiers, in the form of templates, that definitively tie the individual user to the identity credential;

Cards have biometrics today—low-tech ones like your picture and a copy of your signature printed on it. Here, “biometric identifiers” probably refers to machine-readable biometrics like fingerprints or iris scans. The card wouldn’t have an image of the biometric itself, but rather a mathematical description of its key features—the arches, loops, and whorls in your fingerprint and their distances from one another, for example. Research continues into how secure these algorithms are against future high-tech versions of identity fraud.

(2) electronic authentication capability;

This is pretty opaque, but it confirms again that the card will have a computer chip. “Authentication” is a word without a distinct meaning—what fact will be proven to whom, and how will it be proven? We have to learn more.

(3) ability to verify the individual locally without requiring every employer to access a biometric database; (4) offline verification capability (eliminating the need for 24-hour, 7-days-per-week online databases);

This is two ways of saying roughly the same thing. How will this goal be achieved? Without more information, the privacy and security issues are hard to assess.

A freestanding ability to verify individuals without accessing a biometric database implies that there will be a biometric database, a likelihood I noted earlier.

(5) security features that protect the information stored on the card; (6) privacy protections that allow the user to control who is able to access the data on the card;

Security protects privacy, so these two features are siblings, if not one feature. But these opaque claims don’t tell us much at all. Knowing what exact card security features the plan envisions would allow an assessment of their quality. They could be anything from distributing RFID-chipped cards with a metallic sleeve that many users will lose or fail to use—almost no protection at all—to using a card that will only reveal data when the biometric of the authorized bearer is presented to the card.

The best protection for privacy and data security is not collecting people’s identity information in one place at all, nor organizing it uniformly on a card everyone must have. A technically secure national ID card isn’t privacy protective when the bearer is practically or legally required to release the information on it. Pushing card security as a privacy feature is like looking for your keys under a lamp post. The light may be better there, but you haven’t solved the privacy issues by securing the card.
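To make the two ideas above concrete (a biometric "template" as a set of measured features rather than an image, and a card that releases its data only when the authorized bearer's biometric is presented), here is an added example in Go. It is not code from the post or from the BELIEVE plan; the minutiae coordinates, tolerances, threshold and payload are all constructed, and real matchers would also align the two captures before comparing them. It also shows the point the post makes: even a well-protected card still hands over identity data the moment the match succeeds.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Minutia is one feature point of a fingerprint template: its position on the
// ridge map (pixels) and the ridge direction there (radians). A template is a
// set of these, not an image of the print.
type Minutia struct {
	X, Y, Angle float64
}

// Template is the stored description of one finger.
type Template []Minutia

// Matching tolerances. Two captures of the same finger never line up exactly,
// so matching has to be fuzzy. Both values are constructed for this example.
const (
	posTolerance   = 4.0                // pixels
	angleTolerance = 10 * math.Pi / 180 // radians (10 degrees)
)

// angleDiff returns the absolute difference between two angles, wrapped to [0, pi].
func angleDiff(a, b float64) float64 {
	d := math.Mod(math.Abs(a-b), 2*math.Pi)
	if d > math.Pi {
		d = 2*math.Pi - d
	}
	return d
}

// MatchScore returns the fraction (0..1) of enrolled minutiae for which the
// live capture has an unused minutia within both tolerances. The captures are
// assumed to be pre-aligned.
func MatchScore(enrolled, live Template) float64 {
	if len(enrolled) == 0 {
		return 0
	}
	used := make([]bool, len(live))
	matched := 0
	for _, e := range enrolled {
		for j, l := range live {
			if used[j] {
				continue
			}
			if math.Hypot(e.X-l.X, e.Y-l.Y) <= posTolerance &&
				angleDiff(e.Angle, l.Angle) <= angleTolerance {
				used[j] = true
				matched++
				break
			}
		}
	}
	return float64(matched) / float64(len(enrolled))
}

// ErrNoMatch is returned when the live capture does not reach the threshold.
var ErrNoMatch = errors.New("live biometric does not match enrolled template")

// Card models a match-on-card credential: the enrolled template and the
// payload stay on the chip; the payload is released only after a live capture
// matches at or above the card's threshold.
type Card struct {
	enrolled  Template
	payload   string
	threshold float64
}

// NewCard builds a card. The threshold sets the trade-off between rejecting
// the true holder (too high) and accepting someone else (too low).
func NewCard(enrolled Template, payload string, threshold float64) *Card {
	return &Card{enrolled: enrolled, payload: payload, threshold: threshold}
}

// Release returns the payload if the live capture matches, else ErrNoMatch.
func (c *Card) Release(live Template) (string, error) {
	if MatchScore(c.enrolled, live) < c.threshold {
		return "", ErrNoMatch
	}
	return c.payload, nil
}

// Constructed sample templates (not real fingerprint data).
var (
	EnrolledSample = Template{{10, 10, 0.1}, {30, 12, 1.2}, {50, 40, 2.0}, {22, 55, 0.5}, {70, 70, 3.0}, {15, 80, -1.0}}
	// Same finger, slightly displaced, one minutia missed and one spurious point.
	GenuineCapture = Template{{11, 12, 0.15}, {29, 10, 1.1}, {52, 41, 2.05}, {20, 57, 0.45}, {71, 68, 3.1}, {90, 90, 0.0}}
	// A different finger.
	ImpostorCapture = Template{{12, 30, 2.5}, {45, 15, 0.3}, {60, 60, -2.0}, {80, 20, 1.0}, {35, 85, 0.0}, {5, 50, 2.2}}
)

func main() {
	card := NewCard(EnrolledSample, "name/DOB/SSN payload (constructed)", 0.8)
	fmt.Printf("genuine score %.2f, impostor score %.2f\n",
		MatchScore(EnrolledSample, GenuineCapture), MatchScore(EnrolledSample, ImpostorCapture))
	for name, live := range map[string]Template{"genuine": GenuineCapture, "impostor": ImpostorCapture} {
		payload, err := card.Release(live)
		fmt.Printf("%s: payload=%q err=%v\n", name, payload, err)
	}
}
```

The genuine capture scores 5 of 6 enrolled minutiae and clears the 0.8 threshold; the impostor scores zero. Where that threshold sits is a policy decision with real consequences at scale: lower it and strangers get through, raise it and legitimate workers are turned away at the reader.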

(7) compliance with authentication and biometric standards recognized by domestic and international standards organizations.

This feature conflicts with the privacy claims in the previous bullet. Compliance with standards increases the likelihood that the national ID system will interoperate with other national governments’ systems and with corporate systems. Picture a future not too far off when every government collects and shares data on every citizen and foreigner using a consistent identity system. This is an efficiency feature with huge privacy and liberty costs for individuals.

The new biometric social security card shall enable the following outcomes:

One by one:

(1) permit the individual cardholder to control who can access their information;

This is the same as characteristic (6) above.

(2) allow electronic authentication of the credential to determine work authorization;

We got this from characteristic (2) above.

(3) possession of scalability of authentication capability depending on the requirement of the application.

This jargon cloud doesn’t mean anything discernible, but it does suggest that this national ID system is being designed for multiple uses. Let’s start with some terms:

“Scalability” is the idea that a technology still works well “at scale.” A system that works well with 10 users may not work well with 10,000, and a system that works well with 10,000 users may not work well with 10,000,000 or 100,000,000. So the idea here is that it will work well with many users. It’s not enough just to say that, of course. We should know specifically how it would meet the challenges of scale.

“Authentication”—again, a poorly defined term—means adequately proving some fact, such as a person’s identity, his or her work authorization, and so on.

“Application”—another favorite word in the tech lingo—simply means “use.” A hammer has many different applications: pounding in nails, denting metal, bonking intruders on the head, and so on.

So the sentence translates roughly to: “The card system will handle large numbers of people no matter what it’s used for.”

That’s telling, because the next line in the plan claims that the system will only be used for work authorization. If it’s only used for work authorization, why would it need to handle large scale for other authorization applications?

Possession of a fraud-proof social security card will only serve as evidence of lawful work-authorization but will in no way be permitted to serve—or shall be required to be shown—as proof of citizenship or lawful immigration status.

Repeat: If this is true, why does the card work at scale for other authorization applications?

The use of the word “permitted” suggests that the card will be capable of other uses, but such uses will be barred by law. Once again, if the plan is to use the cards only for work authorization, why not design the cards to serve only that purpose and no other?

And there’s “fraud-proof” again. The plan says little or nothing about what makes the card fraud-proof. In my earlier assessment of the national ID plan as it stood then, I discussed the three different meanings the concept of “fraud-proof” may have in an identity system, and the difficulties of achieving all three.

It will be unlawful for any person, corporation; organization local, state, or federal law enforcement officer; local or state government; or any other entity to require or even ask an individual cardholder to produce their social security card for any purpose other than electronic verification of employment eligibility and verification of identity for Social Security Administration purposes.

Confirmed: This will be a multi-purpose identity card. Most of the public will be barred by law from asking for the cards, but it will perform “verification of identity for Social Security Administration purposes.” That means, at the very least, that it can display Social Security Number and probably name. It will be convertible to lots of other purposes when mission creep takes hold.

Legal rules against using the card for new purposes don’t mean very much. If you create a system with rules like that in place, they might be in place for a while, but policymakers will think of new uses for the card, people and organizations use the card unlawfully for a while, and the weight of these “misuses” will break down the legal barriers. The national ID system created for one limited purpose will be “switched on” and it will become the full-scale surveillance device that freedom-loving Americans abhor.

No personal information will be stored on the electronic chip contained within the social security card other than the individual’s name, date of birth, social security number, and unique biometric identifier.

What more do you need? Presenting these identifiers allows organizations, public and private, to easily identify people distinctly in their data stores. Highly accurate tracking systems will grow up around this identity system, many of which provide convenience and other benefits, but the sum total of which will be a federal-government-fostered surveillance society.

And, by the way, an encrypted work authorization (see below) can act as an identifier—that’s more personal information—unless the card’s design takes some very impressive steps to prevent that.
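The point that an encrypted work authorization can itself act as an identifier is easy to demonstrate. The following is an added example in Go, not code from the post or the plan; the key, record and nonce sizes are constructed. It contrasts a card design that emits the same ciphertext at every presentation (an observer needs no key to link two presentations to one bearer) with one that draws a fresh nonce each time, so the bytes differ while an authorized reader still decrypts both.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Seal encrypts a work-authorization record with AES-256-GCM under key and
// the caller-supplied 12-byte nonce, returning nonce||ciphertext||tag.
func Seal(key, nonce, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, nonce...)
	return gcm.Seal(out, nonce, record, nil), nil
}

// Open reverses Seal; it fails if the key is wrong or the bytes were altered.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed record too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// PresentDeterministic models a card design that reuses one constant nonce:
// identical bytes leave the card at every presentation, so the ciphertext
// itself becomes a stable identifier for the bearer. (Reusing a GCM nonce
// under one key is also a cryptographic break in its own right; it appears
// here only to make the linkability visible.)
func PresentDeterministic(key, record []byte) ([]byte, error) {
	fixed := make([]byte, 12) // all-zero nonce, the same every time
	return Seal(key, fixed, record)
}

// PresentRandomized draws a fresh random nonce for every presentation, so two
// presentations of the same authorization share no bytes an observer could compare.
func PresentRandomized(key, record []byte) ([]byte, error) {
	nonce := make([]byte, 12)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return Seal(key, nonce, record)
}

// Linkable reports whether two presentations can be tied to the same card by
// an observer who has no key and only compares the bytes.
func Linkable(a, b []byte) bool {
	return bytes.Equal(a, b)
}

// Constructed example key and record; a real card key would live in the chip.
var (
	ExampleKey    = bytes.Repeat([]byte{0x42}, 32)
	ExampleRecord = []byte("work_authorized=true;not_after=2014-12-31")
)

func main() {
	d1, _ := PresentDeterministic(ExampleKey, ExampleRecord)
	d2, _ := PresentDeterministic(ExampleKey, ExampleRecord)
	r1, _ := PresentRandomized(ExampleKey, ExampleRecord)
	r2, _ := PresentRandomized(ExampleKey, ExampleRecord)
	fmt.Println("deterministic design, two presentations linkable:", Linkable(d1, d2))
	fmt.Println("randomized design, two presentations linkable:  ", Linkable(r1, r2))
	plain, err := Open(ExampleKey, r1)
	fmt.Printf("reader decrypts randomized presentation: %q err=%v\n", plain, err)
}
```

Randomizing the ciphertext closes only this one channel. As the post notes, the name, date of birth and Social Security number the card also carries are identifiers on their own, so the card remains linkable through the data it is designed to release.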

Under no circumstances will any other information, including medical information or position-tracking information, be contained within the card.

This is nice protection—and if it’s a bar on radio frequency identification, fine—but putting these protections in law is rather quaint. A bar on additional data going on the card may hold up for a few decades, but it will ultimately give way to new demands for data on the card to fix some new policy problem.

And, remember, the card itself is not the only source of privacy concern. The card will facilitate highly accurate record-keeping about people’s locations when they use the cards. Location tracking may not be integral to the card, but the card will be integral to location tracking.

The Secretary of Homeland Security shall work with other agencies to secure enrollment locations at sites operated by the federal government.

Yes, you need to secure enrollment facilities or people will break in and steal equipment and data. I’m not impressed that DHS will be involved in providing physical security to SSA, and I bet SSA isn’t either.

Prior to issuing an individual a new fraud-proof social security card, the Social Security Administration will be required to verify the individual’s identity and employment eligibility by asking for production of acceptable documents to be provided by the individual as proof of identity and employment eligibility.

Yes, that’s how you do it. This is the step in the card issuance process that is probably the weakest. Forgery and corruption attacks are a function of the value to which the card controls access.

(Again with the unsubstantiated “fraud-proof”!)

The Secretary of Homeland Security will work with the Commissioner of the Social Security Administration to verify non-citizens’ employment authorization.

As they must. DHS has the info on naturalized citizens and non-citizens legally in the country.

SSA will also be required to engage in background screening verification techniques currently used by private corporations that use publicly available information that can be derived from the individual’s social security number.

This is a new one—doing database background checks on applicants for the new national ID. Rather than using only the documents proffered by the applicant for the card, the Social Security Administration would look up the claimed SSN of the applicant and see if his or her story checks out. For example, the system might compare the address claimed by the applicant to addresses that are found in public or private records. (“Publicly available” is ambiguous.)

This is a way of reducing fraud in the issuance of cards. (Mind you, it doesn’t make the process “fraud-proof!”) But it also raises new issues, particularly if the background check on the applicant will be run against private commercial data. The DHS Privacy Committee has twice issued cautionary documents about using commercial data in government applications. There are many issues, including privacy and due process, if indeed the intent is to use private databases to run background checks on applicants for a government benefit.

An administrative adjudication process can be invoked in the event that an individual is unable to establish his or her identity or lawful immigration status. Adverse decisions can be reviewed in the federal courts.

You’re gonna need it. The full range of appeals will be required if this card indeed will be used to control access to work. Some important decisions have to be made about whether a person can work while their appeal is pending. If an appeal fails, should the appellant be arrested and deported as a presumptive illegal immigrant? Expect to see stories of people who lack documentation and fixed addresses—the very poor, recovering drug addicts, and so on—who cannot prove their existence to the SSA or who don’t pass their background checks. They will find themselves unable to work because their government has denied them an officially recognized identity.

There will be a multi-stage process of re-verification if an individual claims he lost his previously issued fraud-proof social security card to ensure that there is no identity-theft or unlawful collaboration of identity.

I noted in my previous analysis that a database-free identity system is very difficult to administer, such as for replacing lost cards. The plan to address this challenge is unclear. Someone who has lost a card will have to return to the SSA and take part in this “multi-stage process of re-verification”—whatever it is—perhaps waiting to work until it has been completed. I have no idea what “unlawful collaboration of identity” is.

There will also be a multi-stage process for resolution of proper identity if an individual claims an identity tied to a social security number that has been claimed by another individual.

More undefined, but “multi-stage” processes, when a person comes to the Social Security Administration and finds that someone else has already claimed the same identity. Will they be able to work during the pendency of their “multi-stage” processing?

Tough penalties will be put in place for fraud in procurement of a fraud-proof social security card.

This raises a metaphysical question: Can there be fraud in a “fraud-proof” card? Of course there can. There is no fraud-proof card, which is why you have to penalize fraud, hoping to suppress it.

The same penalties shall apply for conspiracy to commit fraud if false information is intentionally provided.

Let’s spend just a moment on the capacity of criminal penalties to suppress fraud. It’s easy for people like us—wealthy and highly educated—to assume from the comfort of our offices that criminal penalties will suppress fraud. After all, prison looks pretty awful compared to an office. But an illegal immigrant has a different calculus. Going to jail and getting “three hots and a cot” is not a bad outcome compared to repatriation to a life of hunger and political instability in one’s home country. Committing fraud in the interest of “legitimate” work is preferable to theft or violence aimed at getting money and food here. Criminal penalties won’t suppress fraud as well as many might imagine.

Employers hiring workers in the future will be required to use the newly created Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment (BELIEVE) System as a means of verification. There will be strict employer penalties for failure to participate in the BELIEVE system after being notified of a requirement to do so by the Secretary of Homeland Security or after the BELIEVE system has been fully implemented nationwide such that it is required to be used by all employers.

E-Verify has too many problems. Renaming it will help!

Prospective employees will present a machine-readable, fraud proof, biometric Social Security card to their employers, who will swipe the cards through a card-reader to confirm the cardholder’s identity and work authorization.

More than two pages into the summary, we’re back to the basics of the card and what it does. We already know that the card is not fraud proof. What’s new here is that employers will have to have card readers—an additional inconvenience, expense, and barrier to hiring new employees.

What this fails to mention is that the machine will have to be able to process machine biometrics—fingerprint reading or iris scanning, for example. These are not inexpensive machines, their use will probably require training, and they must have very high accuracy in all conditions or they will produce a mountainous administrative burden on employers and workers.

We also learn from this—again—that this will not be a simple work authorization system, but a national identity system. Running the card through a machine (and checking the bearer’s biometrics) will reveal identity.

Again, we’re looking at mission creep: With all these cards and machines in place, able to prove identity, why wouldn’t they be applied to new purposes like airline security? Checking in at hotels? Confirming identity at office building entrances? Administration of government benefits? Proof of identity in credit card transactions? Night and weekend access to office buildings and parking lots? Traffic stops?

The cardholder’s work authorization will be verified by matching a digital encryption key contained within the card to a digital encryption key contained within the work authorization database being searched.

Here’s a new notion—the use of encryption. But how encryption would be used is far from clear. Presumably, a signal that the bearer of the card is work authorized (referred to here as an “encryption key”) would be released by the card and matched against information (also referred to as an “encryption key”) in a database. It is highly doubtful that either item of data is actually an encryption key, as an encryption key is the code used to encrypt or decrypt the information you are trying to work with. Most likely, work authorization data will be encrypted on the card. Somehow or other, once presented, that encrypted data will be decrypted and show that the bearer of the card is work authorized.

This contradicts statements above saying that the system won’t require access to a central database. Perhaps it envisions public key encryption, in which a private key scrambles the work authorization data and a public key de-scrambles it. I doubt that PKI is up to this. If the private key were released or reverse-engineered, the system would fail because forgery of work authorizations would then be easy.

This project has a long way to go before it articulates a card system that can securely confirm work authorization without connecting to a database.
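The offline verification the plan promises (characteristics 3 and 4 above) and the "private key scrambles, public key de-scrambles" arrangement discussed here both describe what a digital signature does. Here is an added example in Go of that design; it is not code from the post or the plan, the Ed25519 signature scheme and the record fields are my choice, and every identifier in the sample record is a placeholder. The issuer signs the card record at enrollment; an employer's reader checks it with nothing but the issuer's public key and a clock. The example also shows the two limits the post points to: alter any field and the signature fails, but leak the issuer's private key and forged cards verify just as well as real ones; and because the reader consults no database, it cannot know a card was reported lost or an authorization revoked, so an expiry date is the only offline backstop.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CardRecord is the data the plan says the chip holds, plus what an offline
// check needs: an expiry. All values used below are constructed placeholders.
type CardRecord struct {
	Name           string `json:"name"`
	DOB            string `json:"dob"`
	SSN            string `json:"ssn"`
	TemplateHash   string `json:"template_hash"` // digest of the biometric template, not the template
	WorkAuthorized bool   `json:"work_authorized"`
	NotAfter       string `json:"not_after"` // RFC 3339 timestamp
}

// SignedCard is what the chip carries: the record and the issuer's signature
// over it. The card holds no key a reader must "match"; only the reader holds
// the issuer's public key.
type SignedCard struct {
	Record    CardRecord
	Signature []byte
}

var (
	ErrBadSignature  = errors.New("signature invalid: record altered or not signed by the issuer key")
	ErrExpired       = errors.New("card expired")
	ErrNotAuthorized = errors.New("card holder not work authorized")
)

// GenerateIssuerKeys makes the issuer's signing key pair. Compromise of the
// private key is the failure the post describes: forging cards becomes easy.
func GenerateIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// encode produces the bytes that are signed and later verified. json.Marshal
// emits struct fields in declaration order, so the same record always encodes
// to the same bytes.
func encode(rec CardRecord) ([]byte, error) {
	return json.Marshal(rec)
}

// Issue signs a record at enrollment.
func Issue(priv ed25519.PrivateKey, rec CardRecord) (SignedCard, error) {
	msg, err := encode(rec)
	if err != nil {
		return SignedCard{}, err
	}
	return SignedCard{Record: rec, Signature: ed25519.Sign(priv, msg)}, nil
}

// VerifyOffline is the employer reader's check, done with the issuer's public
// key and a clock only. It proves the record is genuine and unaltered; it
// cannot tell whether the card was later lost or revoked.
func VerifyOffline(pub ed25519.PublicKey, card SignedCard, now time.Time) error {
	msg, err := encode(card.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, card.Signature) {
		return ErrBadSignature
	}
	exp, err := time.Parse(time.RFC3339, card.Record.NotAfter)
	if err != nil {
		return err
	}
	if now.After(exp) {
		return ErrExpired
	}
	if !card.Record.WorkAuthorized {
		return ErrNotAuthorized
	}
	return nil
}

// SampleRecord is a constructed record with placeholder identifiers.
var SampleRecord = CardRecord{
	Name: "A. Example", DOB: "1980-01-01", SSN: "000-00-0000",
	TemplateHash: "sha256:PLACEHOLDER", WorkAuthorized: true, NotAfter: "2012-12-31T23:59:59Z",
}

func main() {
	pub, priv, err := GenerateIssuerKeys()
	if err != nil {
		panic(err)
	}
	card, _ := Issue(priv, SampleRecord)
	now := time.Date(2011, 3, 3, 0, 0, 0, 0, time.UTC)
	fmt.Println("genuine card:", VerifyOffline(pub, card, now))
	altered := card
	altered.Record.Name = "B. Someone Else" // changed after issuance
	fmt.Println("altered card:", VerifyOffline(pub, altered, now))
	fmt.Println("after expiry:", VerifyOffline(pub, card, now.AddDate(5, 0, 0)))
}
```

Note what the reader learns in the genuine case: every field in the record, including name and SSN, since it must see the whole record to check the signature. That is the post's point that an offline-verifiable card confirms identity, not merely work authorization.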

The cardholder’s identity will be verified by matching the biometric identifier stored within the micro-processing chip on the card to the identifier provided by the cardholder that shall be read by the scanner used by the employer.

This is confirmation that it is not just a card reader, but a biometric reader. It is also confirmation that the system will confirm identity, not just work authorization. Prepare for mission creep.

Two-and-a-half pages of summary information reveal little more than the wall of complexities behind the Democrats’ plan for a national identity system. It repeats as an incantation the words “fraud-proof” even while it admits that criminal penalties are needed to tamp down fraud. The summary ratchets back from the dubious claim made earlier that there wouldn’t be a national biometric database—there almost certainly would be. The summary confirms that the card system would be used to confirm identity, not just work authorization. That sets it up for mission creep—expansion to new uses and data collections that plunge us into a surveillance society.

Indeed, the mission creep begins with this very plan. When employer sanctions don’t sweep the country clean of visa overstayers, these ID cards will be used to hunt them down inside the country. From page five:

In addition to increasing border enforcement, this proposal will substantially enhance our capabilities to detect, apprehend, and remove persons who entered the United States unlawfully and persons who entered lawfully on temporary visas but failed to leave the country when designated.

Will these removal plans be carried out through a system of checkpoints at which all Americans have to present their national ID card? Will private providers of financial services, health care, housing, or retailing be required to check a person’s national ID card? Or will the entire nation adopt an Arizona-style law that requires law enforcement to examine the papers of people “reasonably suspected” of remaining in the country illegally?

The Democrats’ national ID plan raises all these questions and many more. My colleague Dan Griswold has the true answer: To control the border, you must first reform immigration law.