ID Cards - I’m Skeptical of the Skeptic
Tue April 13th, 2004 21:02 MST
Bruce Schneier, in the article quoted below, argues that a national ID card system would not make us safer and would in fact be worse than useless. His text is quoted below, with my responses following each passage.
Schneier is a very smart guy and a well-respected practitioner in cryptography, but his arguments too often seem tainted by a bias towards privacy and against security concerns. Personally, if I wanted a code designed or evaluated, Schneier is one of the people I would go to first. But if I wanted a secure system involving humans, I would look at how the military does it, because they have vast experience and security requirements of tremendous importance: preventing accidental or rogue nuclear launches while maintaining the ability to launch in less than 15 minutes, verifying the identity of people with access to information that, if released, could cause grave harm to the nation, and doing this with many different sorts of people.
As a security technologist, I regularly encounter people who say the United States should adopt a national ID card. How could such a program not make us more secure, they ask?
The suggestion, when it’s made by a thoughtful civic-minded person like Nicholas Kristof (Star-Tribune, March 18), often takes on a tone that is regretful and ambivalent: Yes, indeed, the card would be a minor invasion of our privacy, and undoubtedly it would add to the growing list of interruptions and delays we encounter every day; but we live in dangerous times, we live in a new world…
It all sounds so reasonable, but there’s a lot to disagree with in such an attitude.
The potential privacy encroachments of an ID card system are far from minor.
The important words here are potential and privacy. I could certainly design such a system in a way that it was a vast encroachment on privacy. But there are better designs. There is a valid issue here, which is to weigh the value of the particular kind of privacy that might be put at risk, the odds of that actually happening, the cost to society if it does happen, and the cost to society if we let those issues veto the system.
It is rapidly becoming apparent that civil libertarian privacy concerns, enforced through the “walls” being discussed in the 9-11 commission hearings, probably prevented the detection of the most damaging and deadly plot in US history, and the much reviled Patriot Act might very well have prevented that atrocity.
And the interruptions and delays caused by incessant ID checks could easily proliferate into a persistent traffic jam in office lobbies and airports and hospital waiting rooms and shopping malls.
And if done well, such delays would be rare.
But my primary objection isn’t the totalitarian potential of national IDs, nor the likelihood that they’ll create a whole immense new class of social and economic dislocations. Nor is it the opportunities they will create for colossal boondoggles by government contractors. My objection to the national ID card, at least for the purposes of this essay, is much simpler: It won’t work. It won’t make us more secure.
That is an assertion without adequate support, especially since the use of identity cards, including national identity cards, is a long-standing and widespread practice, and identity cards are likewise part of virtually every military security system.
In fact, everything I’ve learned about security over the last 20 years tells me that once it is put in place, a national ID card program will actually make us less secure.
My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.
Which is obvious to any security professional and many who are not. But what is also important, and rarely mentioned by Schneier, is that security is often improved, without being made perfect, by putting extra obstacles in the path of those who would violate it.
Perhaps he ignores this because a common fallacy held by amateurs in his field, cryptography, is that multiple encodings or encipherments increase cryptographic security. Hence professionals like him frequently encounter people who believe that naively layering cryptographic techniques improves security (the Japanese Navy falsely believed this in World War II, resulting in a code-plus-cipher system that U.S. cryptanalysts could read in one step, faster than the Japanese, who needed two). No doubt these professionals also encounter the many amateurs, ignorant of modern cryptographic basics, who claim to have made unbreakable codes. Perhaps because of this frequent foolishness regarding cryptography, he is extrapolating the propensity for this silliness to other areas.
It doesn’t really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.
But what also matters is how being forced to defeat that system may slow down that person, or defeat him, and make the most sophisticated attacker more likely to be detected. A terrorist or terrorist organization operates within financial constraints and very great security constraints. A terrorist who, for example, kills somebody to get an ID is more likely to be caught than a terrorist who doesn’t have to do that. A terrorist who has to buy an ID is more likely to be caught than one who doesn’t. A terrorist who has to bribe a guard is more likely to be caught. A terrorist who acquires equipment to forge an ID spends extra resources and increases his odds of detection.
A well-designed ID card that includes biometrics such as fingerprints, retinal scans or other measures is very hard to forge. In the near future, DNA fingerprinting may be possible due to the rapid progress in microfluidics and biochemical sensing arrays. Furthermore, contrary to popular opinion, identification using DNA does not require any techniques that can discover sensitive personal information (whether eye color or potential for disease) from the DNA. DNA fingerprints are, in that sense, like a cryptographic hash.
The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names.
It is possible to make effectively unforgeable cards, just as a one-time pad, properly produced, is unbreakable. It is not easy to design these cards, and they require an independent verification database, but there are powerful cryptographic techniques, such as public key cryptography, that allow the production and use of unforgeable cards. More precisely, a card may be duplicated, but the biometric information on it cannot be replaced with that of whoever intends to carry the forged copy.
Designing such a system is not easy, and one would want most (but not all) of the details to be public and would want Schneier and experts in other areas of security to have the opportunity to critique the design thoroughly. We should start, right now, the design and research needed, just in case.
Two of the 9/11 terrorists had valid Virginia driver’s licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn’t be bribed, initial cardholder identity would be determined by other identity documents … all of which would be easier to forge.
Getting IDs in false or stolen names is not a problem easily solved in the short term, but it need not be solved perfectly. Over time, if such a system is put in place, it will be harder and harder to do this, as the biometric data can be stored and checked when cards are issued. Essentially, with a good card system, it gradually becomes more important to know the ID code on the card than the name of the person who owns it.
Not that there would ever be such thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse.
I wish Schneier would put effort into trying to design one which is harder to abuse, rather than asserting this. The combination of good cryptography, good biometrics, and military-class security methods to control the core databases can make such a system very hard to abuse. Not perfect, but unless the fault in the system is systematic, predictable and known to the enemy, such a system greatly increases the odds against success by an attacker, and increases the likelihood that the attacker, just by trying to defeat the system, will be detected, which is of immense value in preventing terrorism and gathering related intelligence.
Additionally, any ID system involves people… people who regularly make mistakes. We all have stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. It’s not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics such as thumbprints show some promise here, but bring with them their own set of exploitable failure modes.
What is important in such a system is not that it always work, but that its failures be random and, as much as possible, invisible to attackers. This could be substantially better at verifying identity than any system we have today. And if its failures are unpredictable and undetectable by attackers, it is very difficult and dangerous to try to exploit those failures.
Biometrics has problems. In a situation like this, the worst problem is false negatives, the failure to recognize someone as the valid holder of the card. This leads to inconvenience, which, if bad enough, will result in human error: humans letting unverified people through because of social pressure. Even that doesn’t make the system useless unless it gets out of hand, but it makes it less than perfect, as an attacker could try to create such a situation.
But consider a system in which the biometric false negatives, rather than always resulting in an immediate fuss, instead often and randomly led to additional covert scrutiny. Such a system makes its failures hard to predict by the attacker, reduces the human inconvenience, greatly increases the risk to the attacker, and thus helps keep the system secure.
But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American — one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.
This is an assertion that I find surprising. Yes, of course it requires a database.
So does a bank. And your bank’s database has private and sensitive information in it (especially your PIN), and the database can be accessed from literally millions of places. But not all of the information is easily accessible.
For example, the database doesn’t actually contain your PIN. It contains your encrypted PIN. The level of penetration required to actually retrieve your PIN involves efforts on the same level as required to cause a rogue launch of a nuclear missile. Likewise, your balance is probably unavailable to the vast majority of users: it may be used to deny a check, but it can’t be read by most of the terminals that can access the record. The same is true with credit cards: literally millions of vendors can validate your credit card, but none of them can find much of the information in the database, such as your actual balance.
Hence this is an inadequate criticism. There are good techniques, which I have worked with in the past, used by banks for their security. These same techniques, modified by the big brains at the NSA and the personnel security methods of the military and intelligence agencies, can make that data safe to the point where your odds of getting hit by lightning are greater than the odds of that system being successfully attacked.
The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. As computer scientists, we do not know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.
We are getting to the point where we may have to define what “safe” means. One senses that Schneier is using it in the sense of a discrete mathematician, which is absolutist, instead of that of a statistician or someone more focused on attainable goals.
Contrary to his claim, computer systems designers do indeed know how to keep databases secure, in those few cases where high levels of security are required. They do it at banks, after all. And that is with old techniques and without much help from modern cryptography and government security efforts.
Furthermore, such a database need not be a kludge of existing databases. In fact, that would be a rather silly way to build such a system. If one defines the purpose of a national ID card as the ability to identify somebody as the same person who was issued the card, the problem gets much easier. That use of the card, even if you cannot tie it initially to a fully identified individual, can be very important in security issues because it creates traceability and the ability to block the use of that card by its possibly misidentified holder.
The card need not resolve to one’s name, address, birth-date, and taste in food in order to improve security. The single most important use is to produce reproducible authentication, not perfect identification. Other uses can then be tied to the card, allowing its user perhaps to gain additional freedoms – for example, quicker access to airplanes, while improving the information content of the database.
And when the inevitable worms, viruses, or random failures happen and the database goes down, what then? Is America supposed to shut down until it’s restored?
No, the best thing is for the terminal nodes of the system to behave as if it is still operating, even to the point of generating the same level of false positives, etc. After all, terrorists are not going to be able to take advantage of a rare failure if they can’t predict it and can’t detect it or measure its patterns.
Worms and viruses are not inevitable on specialized systems. Only a fool would design this sort of system to be susceptible to these attacks. This is not a serious argument.
Furthermore, we need not speculate on how hard it is to create such systems; they already exist. What happens to the world if Visa’s very centralized system (which I have worked with) breaks down? Retail commerce shuts down. So the Visa system doesn’t go down.
Does that system get attacked by worms and viruses? No.
Visa is just one example of a long-existing, extremely high-volume, internationally connected, extremely valuable secrets-holding system that works, and works very well.
Proponents of national ID cards want us to assume all these problems, and the tens of billions of dollars such a system would cost, for what? For the promise of being able to identify someone?
What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone’s intentions, and their identity has very little to do with that.
It is always possible to cite examples which the system doesn’t prevent. Does that mean we should give up? Does it mean that it won’t stop other operations? After all, the LAX Millennium bombing was halted due to a search for drugs, and yet nobody believes that the U.S. Customs posts are perfect. By Schneier’s logic, that station would not have been manned, and a major terrorist attack would have happened.
Additional barriers do work. They are not perfect, and nobody can guarantee security. But layered security is a well-known technique to people with truly serious security issues, such as the CIA or those responsible for controlling our nuclear arsenal.
A national ID system is most effective if it records uses of the cards and maintains those records for some time. This suggestion, of course, will cause frothing by the same civil libertarians who built the wall between the FBI and CIA and between counterintelligence and police work, a wall which may very well have been the most critical element in our failure to prevent the 9-11 attacks.
Again, it is possible to build such systems that are not the privacy horror civil libertarians so fear. Of course, a little bit of trust is required – you have to trust the procedures and the cross checks, which is why we have courts involved. But you also have to trust the government not to send out an FBI agent to shoot you just for the heck of it.
In general, “trust but verify” is a good way to deal with such issues. There are ways, including citizen commissions, security clearances, judicial review, congressional review, audit trails, strong physical security and cryptography which can prevent abuse of such systems except in cases where society has broken down so badly that other more essential freedoms are already lost.
If the technical specialists so concerned about civil liberties put as much effort into devising systems that will help as they put into objecting, privacy problems can be essentially eliminated. Furthermore, these opponents should all recognize that the first time a nuclear weapon goes off in a United States city, nobody will listen to them at all for a long time, unless they produce solutions, not objections. Unfortunately, it is at that time that a well-designed and reviewed system will not be built, because an immediate solution will be demanded, and will be built, without the adequate design or review that these experts could otherwise have aided ahead of time.
It is telling that, when told of the 9-11 attacks, one of the leading privacy advocate’s first comments was “Now what will happen to privacy?” I can think of many far more important issues at that moment, and it shows how zealots can lose their perspective. Now, that advocate can be prepared, and help create a minimally disruptive system. However, I haven’t seen that happening.
And there are security benefits in having a variety of different ID documents. A single national ID is an exceedingly valuable document, and accordingly there’s greater incentive to forge it. There is more security in alert guards paying attention to subtle social cues than bored minimum-wage guards blindly checking IDs.
Which is why, of course, we use biometrics and computers, not bored guards. The guard’s job is to make sure that the person is verified by the system, and to look for other suspicious indicators, not to “check an ID.” With such a system, we might even be able to reduce the number of guards or redirect some to areas currently not being adequately handled. Again, the ID card is an addition to security, not a magic piece of plastic that guarantees safety.
While a national ID provides a very valuable target, there are again methods that can be used to reduce the exposure. One is to have different systems holding information for different cards. You only have one card, but you don’t know which system has the information and which algorithms it is using. Again, here the academic cryptographer would be aghast because information is being hidden, while (for good reasons) cryptographers believe algorithms should be public. And again, there are reasonable compromises that can be made to solve the problem, compromises that have the advantages of both public access and security. What is needed is thinking about solutions instead of just problems.
That’s why, when someone asks me to rate the security of a national ID card on a scale of one to 10, I can’t give an answer. It doesn’t even belong on a scale.
Which is why, if I wanted to design a system as critical as a national ID card would be, I would try to get Bruce Schneier to work on the problem of how to defeat it, rather than how to build it. The design of any serious system like this requires the use of “tiger teams,” experts who will try to make it fail or predict how it will fail. But great effort and expertise also needs to be applied to designing it, and that isn’t being done.
Again, if I wanted a security system to guard something extremely precious, I’d try to find out how the military did it (although they would not tell me, because they recognize the value of keeping some things secret).
A National ID card system is folly. The same technology available to responsible governments is available to forgers and counterfeiters. We’d only inconvenience the law-abiding without making a dent in the baddies. Let’s just enforce the laws we have rather than burden our people more.
Cephas is right. There are enough laws combined with the necessary mechanisms to secure our country. The state that solidifies identity is the state with the means to control it. One of the wonderful features of our society is the right to anonymity, the right NOT to vote, to live apart if you wish, to separate yourself. Individuation is essential for freedom.
The social contract we make to live freely requires a lot of us, none of which is enhanced by a manifestation of identity, only the willingness to participate in our duties as citizens. When a statement of identity becomes mingled with our social obligations, some part of us is in danger.
Who is Cephas?
Rhod, I must respectfully disagree. People thought that before 9-11 and look where it brought us. We have too many laws in some areas, but not in others.
Anonymity is nice. But is it an essential freedom? I think not.
Hi John -
Cephas? I don’t know, just someone I agree with on this issue.
I can’t claim that I fully understand it, but the 9-11 conspirators were lost to the system because student visas and work permits had expired, were not renewed or were otherwise ignored. Our immigration policies are nothing short of suicidal, as you probably know, living as you do in the Southwest. We don’t have the simplest estimate of who is here, how many are here (of any group) and what they are doing. A national ID system is a long way from the chaos that characterizes the entire system now. It would be like putting a traffic signal twelve blocks from the coffin corner and hoping that it stops routine collisions.
One of my disagreements with the current administration is immigration, and the Bush sentimentality for Mexican immigration, which influences our policies on all other forms of immigration. Anonymity isn’t an essential freedom to me, it is a derivative freedom, emanating from other essential freedoms.
Until we clear the decks, and get over the ethnic profiling fetish which prohibits emphasis on young Arab-looking males, and break through the walls of legalistic b***sh** erected by forty years of demented liberalism
….sorry about that….erected by forty years of demented liberalism, I do not trust The State with this new power. I am opposed to it as a matter of principle, but would agree if The State in ANY of its other enterprises, was efficient, uncorrupted and competent. It fails every single test in those departments.
I guess this is the first time we have disagreed on anything.
Rhod,
We have three issues here:
1)Possible effectiveness and usefulness of National ID cards.
2)Threat of the state using the cards for nefarious purposes.
When I said that civil libertarians went overboard and were largely responsible for 9-11, I meant the walls between the CIA & FBI, and the internal FBI wall between counter-intelligence (including counter-terrorism) and criminal investigations. Without the latter wall, Moussaoui’s hard drive would have been read, revealing the existence of the plot and many details. That very likely would have prevented 9-11.
As far as anonymity… I happen to think it is a grossly overrated “right.” (I put that in quotes because it appears nowhere in the Constitution and could only possibly be considered a right in terms of the 9th Amendment which is generally ignored).
In this age of identity theft, a good card system could be very useful. And, as I pointed out above, the government need not even know who owned a card (although that would be better).
Furthermore, we already have two national ID cards: social security card and number, and driver’s license. The DL is in the NCIC which means any policeman can access it and all sorts of associated information.
By having a single, well-designed, national ID card system, we can improve on the failures of the existing systems and I don’t think we will lose any anonymity as a result - because we have already lost it.
I am an expert on the sorts of computer systems I described - there are not many people in the world who know how to design these systems and I have been involved in the design of several and the chief architect of one of them. I also know enough about cryptography to be able to talk reasonably about the security issues, although I would want some professional cryptographers (private and NSA) to be involved in designing such a system.
Bottom line: a National ID card does not reduce your anonymity if you own a driver’s license that is valid or if you have a credit card that you use much. It can reduce fraud, because we can mandate it as a security issue, for example making it much easier to detect illegal aliens and preventing them from voting.
Finally, on the issue of trusting the government - we have to trust them to some degree - we gave them the right to have superior firepower. Certainly if we were a totalitarian state, a national ID card would be useful to the oppressors, but that doesn’t mean that having a national ID card leads to oppression.
Cephas
The technology is available, but as I argue, that adds a burden to the enemies that is greater than the burden it adds to our citizens. This is especially true if we use certain kinds of material and restrict critical materials (some of which will find its way into the black market, but again, this is not about making it perfect, it is about making it difficult).
Furthermore, by combining cryptography and biometrics, it is possible to make cards that cannot be forged.
I say that again: they cannot be forged.
Without getting into cryptography deeply, assume that I have a code that has two keys, one of which is in the equipment that makes the cards and which is kept in a very secure environment. One key is enough to turn the information in the card, including the biometrics, into an unreadable mess to anyone who doesn’t have the other key.
The other key is kept in Fort Knox with the gold, in a way that no human being ever knows it or can learn it.
You can duplicate a card by copying the information on it, but that doesn’t defeat the biometrics. The same applies if you steal the card. If you try to make a card, you will be unable to produce data which can be read at Fort Knox, so your card will not work.
There are many, many possible attacks and many good answers to them. I don’t have the time to describe all of them but am familiar with plenty that have been used in the past.
The security of this card depends on a particular type of cryptography - one which uses a different key to encrypt from the one used to decrypt, and which is effectively unbreakable (there are complex cryptological arguments about that issue, but believe me, far more important things than a national ID card are protected by cryptography).
As far as burdening the populace, I think such a card can reduce burdens. Properly done, the system can protect you from identity theft - a major problem. It can reduce the waits in security checks, while making them more effective.
John -
I can’t make an informed judgement on the technical issues you raise, and probably never will be able to do so. I will read more about the issues you raise. I might also have referred to “anonymity” as a “right”, which was an error. I have some familiarity with questions in Constitutional Law, a degree in it, in fact, which is otherwise useless but helps order my thinking with respect to The State and The Individual.
I take Alexander Hamilton’s view that the Bill of Rights was a mistake, that “rights” are better enumerated in a treatise on ethics rather than a Constitution. For one thing, The Bill of Rights has given us TWO incompatible types of Constitutions rather than one, and the tension between the two has muddied our lives since at least 1804. Our “Constitution” never granted the Federal Government the powers implied in The Bill of Rights in the first place, but that is too complicated for a discussion here.
Codifying rights leads to the type of comment you made, which was that some “rights” (quotes copied) are “overrated” or don’t appear in the Constitution. “Overrated” means that John Moore doesn’t assign much value to it, and not appearing in the Constitution does not mean that it doesn’t exist. Neither of these opinions is an argument in favor of a National ID System. In any case, “anonymity” is a state of mind, which either appeals to you or doesn’t. It derives not from any legal formulation but from 19th century ideas about the existential aspects of being a free person.
People in authority over us make the types of judgements you made every day. If it can’t be deduced from the Bill of Rights then it is irrelevant, and even if it can, if it derives from an unpopular court interpretation, then it is to be disregarded. This is not an indictment of your view, John, because you have in every way defended the things worth defending. Your efforts on these websites are evidence of that.
I am concerned, however, about the degree to which conservatism has mutated into utilitarianism, where what works is ipso facto of value. A National ID System may work very well, may in fact solve ID Theft problems. But in an environment where we are ambivalent about what human “rights” are, and have a sliding scale as to the relative value of one “right” over another, what concerns me is not the elegance of the system, but the people who administer it.
A great deal of your argument relies on “biometrics” - yet biometrics are and will be relatively easily fakable for the foreseeable future.
Consider: short of drawing blood (and maybe not even then), how are you going to guarantee that any tissue collected actually belongs to the person you are looking at? Any surface level collection can be EASILY faked. Anything deeper than that is far too inconvenient for almost any of the stuff you are discussing.
The exception here would be retinal exams… which can also be faked (or that capability will exist very shortly after a good reason to fake them exists), unless you make everyone remove their contacts prior to use, which would again be an enormous inconvenience to many people (and still wouldn’t stop the fakers for long).
So, the biometrics, in my opinion, fail, which makes the whole thing pointless.
And, not to be rude, as this is what you do, but aside from keeping their system up, etc, etc, what good is Visa for identification? I mean, that’s the ENTIRE PROBLEM with identity theft (visa, driver’s license, etc). If you can’t tie the card to the PERSON, you aren’t improving anything (well, unforgeable would be an improvement, in terms of making things a little more difficult, but that could be accomplished without a NID).
So, in short, this whole thing depends on biometrics, which can be beaten (and will be more easily beaten as time goes by).
All of that without touching the issues of getting into the system “legally” (knowing someone who has access, or something).
Oh, and I don’t really care about the “privacy” issue, so my concerns all have to do with bang for the buck and abusability, which would be low/high, which is exactly the opposite of what I would want.
Deoxy,
You are correct that much of this relies on biometrics, and many commercial biometrics systems can be spoofed, some surprisingly easily. Obviously we could do an even better job with an implantable chip (which could destroy itself if excised), but the point is to minimize disruption.
However, it is possible to build biometrics that are harder to spoof (for example, using techniques to make sure they are seeing living tissues, etc). Try spoofing a retinal scanner that is also watching the pulse go through the retinal capillaries - and doing it in front of a guard. Maybe you know how. I don’t.
Furthermore, in the future biometrics can be made better. After all, there hasn’t been much money available for the field, and a good program would use several biometric measures (maybe not all at the same place), and the system designers would employ skilled tiger teams to try to break it. Most of the efforts I have seen are from small commercial companies who don’t have the money or the interest to use tiger teams.
Also, note that my approach does not let attackers know when they are successful; it has significant uncertainty built into it on purpose. This very much complicates the spoofing problem. The point is to look hard for methods to make it work, and then have others look hard for ways to make it fail. Not much of this has been done (except probably in the classified world). Our society has not put adequate effort into this problem.
I could suggest other tricks off the top of my head. For example, fast acoustic or UWB imaging of bone structure - very hard to defeat. Combine that with a fingerprint sensor that measures temperature and pulse and blood oxygen levels, or a retinal sensor.
Again, if the many very smart people who hack or intellectually attack these systems had to design them instead, we would achieve tremendous improvements in some of the approaches - both in biometrics and at the system level.
I fully expected people to attack biometrics as the weak point. It is the weak point. That doesn’t make it fatally weak, especially with the approaches I suggest and with a serious effort to create these systems. Now it may be that too many of the hackers and academic experts are so infused with privacy ideology that it won’t be possible to get their input, which would be a shame.
You say that it will be easily fakable for the foreseeable future. That depends on how you foresee the future. Things move slowly today because of a lack of urgency. And yet, if you look at the history of systems development in WW-II, you would find that in about 6 years (including British input):
The first practical digital computer (Colossus) was built and used to crack a sophisticated German code.
The nuclear weapon went from a vague concept to the destruction of two cities. This took enormous advances in chemical engineering, metallurgy, physics, explosives technology, electronics and a number of other areas. Most of that work was done in 3 years.
Radar went from a very crude and low resolution system that required a building to house it to airborne systems with high precision.
Precision, terminal guidance bombs were developed and used.
Military rocketry went from crude, unguided Katyusha rockets to hypersonic IRBM’s (V-2).
In other words, in many technologies, emergency needs lead to rapid development. In other technologies, you only achieve the effect of pushing a rope… it doesn’t get better. Biometrics, given that possible technologies are not even close to having been adequately explored, is subject to the former effect.
By the way, there are methods other than biometrics. I chose that one (knowing the problems with the unclassified state of the art) because if done right, it is relatively secure.
Regarding Visa, the point is that you can have a system that not only is amazingly reliable, but carries large amounts of sensitive information without providing a way for most users to access that information, which by counter-example easily defeats some of Dr. Schneier’s arguments.
Another method is the “token plus secret” approach. You have to have the card and you have to know a secret. This is the way ATM cards work, where the card is the token and the secret is the PIN. Unfortunately, this system can be attacked via blackmail and theft.
But again, I am suggesting a serious project to do this. Instead of miscellaneous scattered undercapitalized attempts, provide capital to multiple parallel (i.e. different approach) projects which know they will be hit with tiger teams, and iterate. Provide significant financial incentive to winners.
You want bang for the buck. If you have a better solution that achieves the same “bang”, I’d love to hear it. Heck, I’d love to see it implemented.
But remember, there is another way to look at bang for the buck: bang prevented for the buck, when the consequence of the “bang” results in many trillions of dollars of cost (as opposed to the one trillion from 9-11) and tens of thousands of bucks.
The administration is attempting to achieve the bang prevention by directly attacking the source of the problem: the state of the Muslim world - especially around the middle east. This sort of thing is necessary (although I think we could do it better - especially in propaganda and occupation than we are doing, but nobody ever gets this stuff right).
But defenses also are needed.
So how will you achieve the bang for the buck?
And how many bucks is it worth to reduce the probability of domestic megaterrorism by, say, 50%? I’d say it’s worth at least a trillion dollars.
Finally, remember the following very important point: if a megaterror attack happens, the people will demand that “something be done.” We will be better off if technologists and civil libertarians have a solution in hand than if we go with whatever ad-hoc approach comes out of congress so that congressmen aren’t recalled and ridden out of Washington on a rail!
In other words, imagine a nuke going off at, say, the Long Beach docks. What would be the public reaction? How about an anthrax attack with a truly weaponized (i.e. antibiotic resistant) product rather than the half-weaponized (optimal spore dispersal) material reportedly used in the 2001 attacks?
What will happen?
I guarantee it won’t be pretty. And you can be absolutely sure one of the first steps will be the requirement to carry national IDs.
Wouldn’t it be nice if we had a best-possible approach at that time?
I have yet to have anyone address this point, and it is the strongest argument for National ID Card technology development: the extremely high probability that they will be demanded after one of these high probability attacks.
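As an added illustration (this is editorial example code, not part of the thread above and not the system John describes), here is the “token plus secret” check from his reply in Python: the card carries a random secret, the user supplies a PIN, and the verifier stores only a salted PBKDF2 digest of the two factors combined, so neither the stolen PIN nor a cloned card alone passes. The card id, the PIN, the iteration count and the three-strike lockout are assumptions chosen for the example.

```python
"""Two-factor (possession + knowledge) verification in the style of an ATM card.

Editorial example, not the page author's design. Assumptions: the card's chip
holds a 16-byte random secret, the server keeps a salted PBKDF2 digest of
(card secret || PIN), and three wrong attempts lock the card.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumption; tune to the verifier's CPU budget
MAX_FAILURES = 3             # assumption: lock after three bad attempts


@dataclass
class CardRecord:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class Verifier:
    """Server side. Holds one record per card; never stores the PIN or card secret."""
    records: dict = field(default_factory=dict)

    @staticmethod
    def _derive(card_secret: bytes, pin: str, salt: bytes) -> bytes:
        # Both factors feed the KDF, so knowing one without the other
        # gives the attacker nothing to compare against offline.
        return hashlib.pbkdf2_hmac("sha256", card_secret + pin.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, card_id: str, pin: str) -> bytes:
        """Issue a card. Returns the fresh secret that is written onto the token."""
        card_secret = os.urandom(16)
        salt = os.urandom(16)
        self.records[card_id] = CardRecord(salt, self._derive(card_secret, pin, salt))
        return card_secret

    def verify(self, card_id: str, card_secret: bytes, pin: str) -> str:
        """Return "ok" or "denied"; the same answer for unknown, locked and wrong."""
        rec = self.records.get(card_id)
        if rec is None or rec.locked:
            return "denied"
        candidate = self._derive(card_secret, pin, rec.salt)
        if hmac.compare_digest(candidate, rec.digest):  # constant-time compare
            rec.failures = 0
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked = True  # online guessing of a 4-digit PIN stops here
        return "denied"


def demo() -> list:
    """Walk through the attack cases from the thread; returns the outcomes in order."""
    v = Verifier()
    genuine = v.enroll("card-1", "4821")     # constructed card id and PIN
    cloned_but_wrong = os.urandom(16)        # attacker forged a card without the secret
    return [
        v.verify("card-1", genuine, "4821"),           # both factors: ok
        v.verify("card-1", genuine, "0000"),           # stolen card, guessed PIN: denied
        v.verify("card-1", cloned_but_wrong, "4821"),  # shoulder-surfed PIN, fake card: denied
        v.verify("card-1", genuine, "1111"),           # third failure: card locks
        v.verify("card-1", genuine, "4821"),           # correct factors, but locked: denied
    ]


if __name__ == "__main__":
    print(demo())
```

What the example does not cover is the weakness John names himself: coercion. If the legitimate holder is forced to present both the card and the PIN, the check passes, which is why his stronger proposals pair the token with a biometric and with a guard in the loop.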