National Identification Cards and National Security

by M. E. Kabay, PhD, CISSP-ISSMP

Professor of Computer Information Systems, School of Busines & Management, College of Professional Schools, Norwich University, Northfield VT


The Paper It’s Written On

The REAL ID Act < http://thomas.loc.gov/cgi-bin/bdquery/z?d109:H.R.418: > is currently [May 2007] the subject of hot debate in the Judiciary Committee of the Senate of the United States. < http://www.networkworld.com/news/2007/050407-privacy-groups-renew-push-against.html >, < http://www.washingtonpost.com/wp-dyn/content/article/2007/05/08/AR2007050801899.html >


Proponents of the Act argue that it “to make sure our driver’s licenses and government issued IDs can’t be faked. We need to hold employers accountable for hiring illegal workers, and real IDs will make this enforcement possible.” < http://www.gop.com/News/Read.aspx?ID=6222 > Even if one disapproves of the very idea of a national identity card – with all the privacy concerns that such a system raises, < http://www.epic.org/privacy/id_cards/ > it’s hard to disagree that the burden of extra paperwork would inconvenience some illegal immigrants to the US as well imposing additional nuisances on citizens and legal residents requesting drivers’ licenses.


However, the Department of Homeland Security has a startling assertion on its Website: “REAL ID is a nationwide effort intended to prevent terrorism. . . .” < http://www.dhs.gov/xprevprot/laws/gc1172767635686.shtm > One category of objections is exactly analogous to opposition to gun-control laws: the laws won’t work because criminals will ignore them. For example, Rep. Ron Paul (R-TX) wrote in 2005, “One overriding point has been forgotten: Criminals don’t obey laws! As with gun control, national ID cards will only affect law-abiding citizens. Do we really believe a terrorist bent on murder is going to dutifully obtain a federal ID card? Do we believe that people who openly flout our immigration laws will nonetheless respect our ID requirements? Any ID card can be forged; any federal agency or state DMV is susceptible to corruption. Criminals can and will obtain national ID cards, or operate without them. National ID cards will be used to track the law-abiding masses, not criminals.” < http://www.house.gov/paul/tst/tst2005/tst050905.htm > By this reasoning, we would have no laws at all.


I&A as a Tool for Security

A much more serious objection to REAL ID as a security measure is rooted in how we use identification and authentication for security. Bruce Schneier has written clearly about this issue in an essay from the 2004-02-15 “Crypto-Gram” newsletter. < http://www.schneier.com/crypto- gram-0402.html#6 > In “Identification and Security,” he makes the point that identification does not in itself tell us anything about the threat posed by an individual. Instead, an identifier allows authorities to compile profiles about individuals based on their recorded behavior – behavior that would be harder to compile without a unique, consistent identifier. Consider how much harder it is to track people who travel by bus and pay cash for their tickets than those who travel by air and use credit cards; but then ask yourself if travel patterns are sufficient to allow effective

identification of terrorists.


The 9/11 terrorists all had identification papers – some authentic, some forged. You can read extensive excerpts from 9/11 and Terrorist Travel: A Staff Report National Commission on Terrorist Attacks Upon the United States on the Amazon Web site < http://www.amazon.com/11-Terrorist-Travel-National-Commission/dp/1577363418 >.


If a suicide bomber is sitting beside you on your flight from Chicago to Tampa, I really don’t think that knowing that person’s name before or after the explosion makes very much difference

– in the absence of specific intelligence about that specific person. Simply having employees of state departments of motor vehicles demand birth certificates, green cards, US passports or other acceptable documentary evidence of legitimate standing as legal residents of the USA tells us NOTHING about the risks posed by any individual.


Identification versus Knowledge

The confusion of identification and security comes in part from the normal application of identification and authentication in restricted, known populations such as groups of employees. We are used to assuming – correctly, we hope – that employees have been vetted to some reasonable extent before they are hired. Therefore identifying someone who is on a list of employees and authenticating their identity makes sense: it helps to reduce risk.


But the situation is quite different when we simply label people with no information about their trustworthiness. Being born in the USA (or being a legal resident, for that matter) is no guarantee of safety or sanity; see the Southern Poverty Law Center’s Intelligence Project for some mood- souring details of the world of native-born American terrorists. < http://www.splcenter.org/intel/intpro.jsp >


The confusion between identification and knowledge reminds me of an incident that occurred in 1966 when I was a biology student at McGill University. The lab assistant told us that we would have to memorize the Latin names for the formal classification of ten plants. I asked, “What, just the names? Nothing about the plants themselves? No information about their habitat, life cycle, pests or anything? Just names??” Readers will not be surprised to find that I was an arrogant young man when I was 16 – after all, what would you expect, if you’ve read my stuff? Therefore I protested, “That’s ridiculous. Knowing a plant’s name tells us nothing more than how to point to it if someone else knows the name. Identifying a plant is not equivalent to knowing about its biology.” I should point out that I had been learning Latin names of plants and animals since I was a child – as part of what I liked to know about them. But when the quiz came around I crossed my arms and said loudly, “I refuse to participate in this farce.” I got zero, but I stand by my position even more than 40 years later. And not by the way, when students criticize my exam questions, I give them extra points if their objections and suggestions are well founded!


But back to security: I greatly fear that the emphasis on identifying people when they travel – by air, mind you, not by bus or even by some trains – is more a matter of political theater than a significant contribution to the security of travelers or to national security. Insisting on identification papers for air travelers has the same purpose and about the same value as asking all air travelers to remove their shoes in the security inspection: it makes people who don’t know much about security feel that The Nation is In Safe Hands but it does not have much to do with

improving security. And thank goodness that idiot Richard Reid didn’t put explosives in his underpants.< http://news.bbc.co.uk/1/hi/uk/1731568.stm >


If you are interested in reading more of my analysis of travel safety, please see the essay “Airport Safety.” < http://www2.norwich.edu/mkabay/opinion/airportsafety.pdf > or < http://www2.norwich.edu/mkabay/opinion/airportsafety.htm >.


This article is based on three short columns published in the Network World Security Strategies newsletter in May 2007. < http://www.networkworld.com/newsletters/sec/ >