IDs Not That Easy Questions About Nationwide Identity Systems 1st Edition Edition Stephen T. Kent

Visit https://ebookultra.com to download the full version and
explore more ebooks
IDs Not That Easy Questions About Nationwide
Identity Systems 1st Edition Edition Stephen T.
Kent
_____ Click the link below to download _____
https://ebookultra.com/download/ids-not-that-easy-
questions-about-nationwide-identity-systems-1st-
edition-edition-stephen-t-kent/
Explore and download more ebooks at ebookultra.com

Here are some suggested products you might be interested in.
Click the link to download
100 Questions Answers About Congestive Heart Failure 100
Questions Answers about 1st Edition Campion Quinn
https://ebookultra.com/download/100-questions-answers-about-
congestive-heart-failure-100-questions-answers-about-1st-edition-
campion-quinn/
The Only Three Questions That Count Investing by Knowing
What Others Don t 1st Edition Kenneth L. Fisher
https://ebookultra.com/download/the-only-three-questions-that-count-
investing-by-knowing-what-others-don-t-1st-edition-kenneth-l-fisher/
Questions That Work How to Ask Questions That Will Help
You Succeed in Any Business Situation 1st Edition Andrew
Finlayson
https://ebookultra.com/download/questions-that-work-how-to-ask-
questions-that-will-help-you-succeed-in-any-business-situation-1st-
edition-andrew-finlayson/
100 Questions Answers About Macular Degeneration 1st
Edition Jeffrey Heier
https://ebookultra.com/download/100-questions-answers-about-macular-
degeneration-1st-edition-jeffrey-heier/

It s Not Just About Wrinkles 1st Edition Dr. Neal Schultz
https://ebookultra.com/download/it-s-not-just-about-wrinkles-1st-
edition-dr-neal-schultz/
100 Questions and Answers About Asthma 1st Edition Claudia
S. Plotte
https://ebookultra.com/download/100-questions-and-answers-about-
asthma-1st-edition-claudia-s-plotte/
100 Questions Answers About Kidney Dialysis 1st Edition
Lawrence E. Stam
https://ebookultra.com/download/100-questions-answers-about-kidney-
dialysis-1st-edition-lawrence-e-stam/
100 Questions Answers About Sports Nutrition 1st Edition
Lilah Al-Masri
https://ebookultra.com/download/100-questions-answers-about-sports-
nutrition-1st-edition-lilah-al-masri/
100 Questions Answers About Osteoporosis and Osteopenia
Ivy Alexander
https://ebookultra.com/download/100-questions-answers-about-
osteoporosis-and-osteopenia-ivy-alexander/

IDs Not That Easy Questions About Nationwide Identity
Systems 1st Edition Edition Stephen T. Kent Digital
Instant Download
Author(s): Stephen T. Kent, Lynette I. Millett
ISBN(s): 9786610183753, 6610183759
Edition: 1st Edition
File Details: PDF, 1.12 MB
Year: 2002
Language: english

IDs—Not That Easy
Questions About Nationwide Identity Systems
Stephen T. Kent and Lynette I. Millett, Editors
Committee on Authentication Technologies and
Their Privacy Implications
Computer Science and Telecommunications Board
Division on Engineering and Physical Sciences
National Research Council
NATIONAL ACADEMY PRESS
Washington, D.C.

NATIONAL ACADEMY PRESS • 2101 Constitution Avenue, N.W. • Washington DC 20418
NOTICE: The project from which this report was generated was approved by the
Governing Board of the National Research Council, whose members are drawn
from the councils of the National Academy of Sciences, the National Academy of
Engineering, and the Institute of Medicine. The members of the committee re-
sponsible for the report were chosen for their special competences and with re-
gard for appropriate balance.
Support for this project was provided by the National Science Foundation, the
Office of Naval Research, the General Services Administration, the Federal Chief
Information Officers’ Council, and the Social Security Administration. Support
for this special report was provided by the Vadasz Family Foundation, a contribu-
tor to the Computer Science and Telecommunications Board’s program on infor-
mation technology and society. Any opinions, findings, conclusions, or recom-
mendations expressed in this material are those of the authors and do not
necessarily reflect the views of the sponsors.
International Standard Book Number 0-309-08430-X
Additional copies of this report are available from:
National Academy Press
2101 Constitution Avenue, N.W.
Box 285
Washington, DC 20055
800/624-6242
202/334-3313 (in the Washington metropolitan area)
The report is also available online at <http://www.nap.edu> and <http://
www.cstb.org/>
Copyright 2002 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America

The National Academy of Sciences is a private, nonprofit, self-perpetuating soci-
ety of distinguished scholars engaged in scientific and engineering research, dedi-
cated to the furtherance of science and technology and to their use for the general
welfare. Upon the authority of the charter granted to it by the Congress in 1863,
the Academy has a mandate that requires it to advise the federal government on
scientific and technical matters. Dr. Bruce M. Alberts is president of the National
Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter
of the National Academy of Sciences, as a parallel organization of outstanding
engineers. It is autonomous in its administration and in the selection of its mem-
bers, sharing with the National Academy of Sciences the responsibility for advis-
ing the federal government. The National Academy of Engineering also sponsors
engineering programs aimed at meeting national needs, encourages education
and research, and recognizes the superior achievements of engineers. Dr. Wm. A.
Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of
Sciences to secure the services of eminent members of appropriate professions in
the examination of policy matters pertaining to the health of the public. The
Institute acts under the responsibility given to the National Academy of Sciences
by its congressional charter to be an adviser to the federal government and, upon
its own initiative, to identify issues of medical care, research, and education.
Dr. Kenneth I. Shine is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sci-
ences in 1916 to associate the broad community of science and technology with
the Academy’s purposes of furthering knowledge and advising the federal gov-
ernment. Functioning in accordance with general policies determined by the Acad-
emy, the Council has become the principal operating agency of both the National
Academy of Sciences and the National Academy of Engineering in providing
services to the government, the public, and the scientific and engineering commu-
nities. The Council is administered jointly by both Academies and the Institute of
Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chairman and vice
chairman, respectively, of the National Research Council.
National Academy of Sciences
National Academy of Engineering
Institute of Medicine
National Research Council

COMMITTEE ON AUTHENTICATION TECHNOLOGIES AND
THEIR PRIVACY IMPLICATIONS
STEPHEN T. KENT, BBN Technologies, Chair
MICHAEL ANGELO, Compaq Computer Corporation
STEVEN BELLOVIN, AT&T Labs Research
BOB BLAKLEY, IBM Tivoli Software
DREW DEAN, SRI International
BARBARA FOX, Microsoft Corporation
STEPHEN H. HOLDEN, University of Maryland at Baltimore County
DEIRDRE MULLIGAN, University of California at Berkeley
JUDITH S. OLSON, University of Michigan
JOE PATO, HP Labs Cambridge
RADIA PERLMAN, Sun Microsystems
PRISCILLA M. REGAN, George Mason University
JEFFREY I. SCHILLER, Massachusetts Institute of Technology
SOUMITRA SENGUPTA, Columbia University
JAMES L. WAYMAN, San Jose State University
DANIEL J. WEITZNER, Massachusetts Institute of Technology
Staff
LYNETTE I. MILLETT, Study Director and Program Officer
JENNIFER BISHOP, Senior Project Assistant
iv

v
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
DAVID D. CLARK, Massachusetts Institute of Technology, Chair
DAVID E. BORTH, Motorola Labs
JAMES CHIDDIX, AOL Time Warner
JOHN M. CIOFFI, Stanford University
ELAINE COHEN, University of Utah
W. BRUCE CROFT, University of Massachusetts at Amherst
THOMAS E. DARCIE, AT&T Labs Research
JOSEPH V. FARRELL, University of California at Berkeley
JEFFREY M. JAFFE, Bell Laboratories, Lucent Technologies
ANNA KARLIN, University of Washington
BUTLER W. LAMPSON, Microsoft Corporation
EDWARD D. LAZOWSKA, University of Washington
DAVID E. LIDDLE, U.S. Venture Partners
TOM M. MITCHELL, Carnegie Mellon University
DONALD A. NORMAN, Nielsen Norman Group
DAVID A. PATTERSON, University of California at Berkeley
HENRY (HANK) PERRITT, JR., Chicago-Kent College of Law
BURTON J. SMITH, Cray Inc.
TERRY R. SMITH, University of California at Santa Barbara
LEE S. SPROULL, New York University
JEANNETTE M. WING, Carnegie Mellon University
MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Scientist
ALAN S. INOUYE, Senior Program Officer
JON EISENBERG, Senior Program Officer
LYNETTE I. MILLETT, Program Officer
CYNTHIA A. PATTERSON, Program Officer
STEVEN WOO, Program Officer
JANET BRISCOE, Administrative Officer
DAVID PADGHAM, Research Associate
MARGARET HUYNH, Senior Project Assistant
DAVID DRAKE, Senior Project Assistant
JANICE SABUDA, Senior Project Assistant
JENNIFER M. BISHOP, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant

Preface
T
he terrorist attacks of September 11, 2001, and subsequent discus-
sions have brought fresh urgency to the challenges of providing
information security. In the wake of these and other recent events,
numerous proposals have been circulating both in policy circles and the
national media.
One proposal that has received a fair amount of attention is a national
identification card—or, more precisely, a nationwide identity system. The
Bush administration has indicated that a national identification card is
not within the scope of options it is contemplating. Congress, however,
has been considering various alternatives—for example, a measure in the
Enhanced Border Security and Visa Entry Reform Act of 2001 would
require biometric identifiers to be employed on visas and other travel and
entry documents for aliens (H.R. 3525, Section 303). Additional sugges-
tions include a proposal by the American Association of Motor Vehicle
Administrators (AAMVA) to link state motor vehicle departments and a
proposed “trusted traveler” system for airports.
The persistence of public discussion on the topic and the expectation
that other proposals will be offered argue for an informed analysis and
critique of the concept of a nationwide identity system.
In early 2001, the Computer Science and Telecommunications Board,
(CSTB) a unit of the National Research Council with a long history of
vii

viii PREFACE
examining information technology, security, and related issues,1 launched
a study to examine authentication technologies and their privacy implica-
tions. Sponsored by the National Science Foundation, the Office of Naval
Research, the General Services Administration, the Federal Chief Infor-
mation Officers’ Council, and the Social Security Administration, the
study aims to assess emerging approaches to user authentication in com-
puting and communications systems, and it specifically focuses on the
implications of these authentication technologies for privacy.
The study is being conducted by the multidisciplinary Committee on
Authentication Technologies and Their Privacy Implications, whose mem-
bers include experts in the design, implementation, deployment, and use
of information systems generally and information systems security in
particular, along with experts in privacy law and policy (see Appendix A
for committee and staff biographies). Given that identification and au-
thentication systems constitute a large portion of the committee’s agenda,
it is well positioned to comment on the technology and policy issues
surrounding a nationwide identity system and its supporting infrastruc-
tures (hereinafter referred to as a nationwide identity system). In fact,
CSTB asked the committee to do so, in the interest of providing a timely
contribution to the public debate. Additional resources from the Vadasz
Family Foundation enabled development of this report.
The committee’s broader and more comprehensive final report is ex-
pected in late 2002, but its members felt compelled to issue a brief report
at this time because of the real possibility that further debate on a nation-
wide identity system, and even action on the topic, could take place prior
to the final report’s issuance. Thus the present effort outlines the issues
the committee believes must be addressed and raises a number of ques-
tions that the committee believes should be answered as part of any con-
sideration of a nationwide identity system.
This brief report is a product of the committee’s deliberations, draw-
ing on its members’ areas of expertise. But, given time and resource
limitations, it is not an exhaustive assessment. It is intended to catalyze a
1See, for example, CSTB reports such as Growing Vulnerability of the Public Switched Net-
works (1989), Computers at Risk (1991), Evolving the High Performance Computing and Commu-
nications Initiative to Support the Nation’s Information Infrastructure (1995), Cryptography’s Role
in Securing the Information Society (1996), For the Record: Protecting Electronic Health Informa-
tion (1997), Trust in Cyberspace (1999), The Internet’s Coming of Age (2000), Embedded, Every-
where: A Research Agenda for Networked Systems of Embedded Computers (2001), and Cyber-
security Today and Tomorrow: Pay Now or Pay Later (2002). See <http://www.cstb.org/web/
topic_security> for a complete list of CSTB reports related to security, assurance, and
privacy.

PREFACE ix
broader and more sophisticated discussion. Clearly, the legal, policy, and
technological issues associated with nationwide identity systems warrant
a much more detailed and comprehensive examination. The committee
invites feedback on this brief report as it continues the process of prepar-
ing its broader and more in-depth final report on the topic of authentica-
tion technologies and their implications for privacy.
The committee thanks David D. Clark, chair of the CSTB, and Marjory
S. Blumenthal, CSTB’s director, for their commentary and feedback on
draft versions of the report. The committee also wishes to thank the
various members of the CSTB staff who helped to make it happen. Jenni-
fer Bishop took over as senior project assistant for the authentication study
midway through the project, managing logistics, organizing materials,
and coping with an unplanned brief report and review with aplomb. She
also assisted in developing the diagrams in the report and designed its
cover. Janet Briscoe, CSTB’s administrative officer, provided crucial ad-
ministrative and logistical support as well as the suggestion that ulti-
mately led to the report’s title. Andy White, director of the NRC’s Com-
mittee on National Statistics, provided feedback during the formulation
and review phases. The committee also thanks Steven J. Marcus, a free-
lance editor, for assistance at multiple stages of the report’s development.
Liz Fikre at the National Research Council also made significant editorial
contributions to the final manuscript. Lynette Millett is the study director
for this project; she synthesized this report, coordinating contributions
from committee members and drafting the response to reviewers.
Stephen T. Kent, Chair
Committee on Authentication
Technologies and Their
Privacy Implications

Acknowledgment of Reviewers
This report has been reviewed in draft form by individuals chosen for
their diverse perspectives and technical expertise, in accordance with pro-
cedures approved by the National Research Council’s Report Review
Committee. The purpose of this independent review is to provide candid
and critical comments that will assist the institution in making its pub-
lished report as sound as possible and to ensure that the report meets
institutional standards for objectivity, evidence, and responsiveness to
the study charge. The review comments and draft manuscript remain
confidential to protect the integrity of the deliberative process. We wish
to thank the following individuals for their review of this report:
Alfred Blumstein, Carnegie Mellon University,
Michael Caloyannides, Mitretek Systems, Inc.,
Julie E. Cohen, Georgetown University Law Center,
Jerome H. Saltzer, Massachusetts Institute of Technology,
Peter Swire, George Washington University, and
Lee M. Zeichner, LegalNet Works, Inc.
Although the reviewers listed above have provided many construc-
tive comments and suggestions, they were not asked to endorse the con-
clusions or recommendations, nor did they see the final draft of the report
before its release. The review of this report was overseen by Willis Ware
of RAND. Appointed by the National Research Council, he was respon-
sible for making certain that an independent examination of this report
was carried out in accordance with institutional procedures and that all
review comments were carefully considered. Responsibility for the final
content of this report rests entirely with the authoring committee and the
institution.
x

Contents
EXECUTIVE SUMMARY 1
1 INTRODUCTION AND OVERVIEW 5
2 POLICY CONSIDERATIONS 16
What Does Identity Provide?, 16
To Whom and for What?, 19
Permitted Users of the System, 24
Permitted Uses of the System, 26
Voluntary or Mandatory?, 28
What Legal Structures?, 29
Benefits and Drawbacks, 30
3 TECHNOLOGICAL CHALLENGES 34
Binding Persons to Identities, 37
Backend Systems, 41
Data Correlation and Privacy, 44
4 CONCLUDING REMARKS 46
APPENDIXES
A Committee Member and Staff Biographies 51
B What Is CSTB? 60
xi

1
Executive Summary
N
ationwide identity systems have been proposed as a solution for
problems ranging from counterterrorism to fraud detection to
enabling electoral reforms. In the wake of September 11, 2001,
and renewed interest in the topic, the Committee on Authentication Tech-
nologies and Their Privacy Implications of the Computer Science and
Telecommunications Board1 developed this short report as part of its on-
going study process, in order to raise questions and catalyze a broader
debate about such systems. The committee believes that serious and
sustained analysis and discussion of the complex constellation of issues
presented by nationwide identity systems are needed. Understanding
the goals of such a system is a primary consideration. Indeed, before any
decisions can be made about whether to attempt some kind of nationwide
identity system, the question of what is being discussed (and why) must
be answered.
There are numerous questions about the desirability and feasibility of
a nationwide identity system. This report does not attempt to answer
these questions comprehensively and does not propose moving toward
such a system or backing away. Instead, it aims to highlight some of the
significant and challenging policy, procedural, and technological issues
1See <http://www.cstb.org/web/project_authentication>.

2 IDs—NOT THAT EASY
presented by such a system, with the goal of fostering a broad, deliberate,
and sophisticated discussion among policy makers and stakeholders
about whether such a system is desirable or feasible.
Policy questions that the committee believes should be considered
when contemplating any kind of identity system include the following:
• What is the purpose of the system? Possibilities range from expedit-
ing and/or tracking travel to prospectively monitoring individuals’ ac-
tivities in order to identify and look for suspicious activity to retrospec-
tively identifying perpetrators of crimes.
• What is the scope of the population that would be issued an “ID” and,
presumably, be recorded in the system? How would the identities of
these individuals be authenticated?
• What is the scope of the data that would be gathered about individu-
als participating in the system and correlated with their national identity?
While colloquially it is referred to as an “identification system,” implying
that all the system would do is identify individuals, many proposals talk
about the ID as a key to a much larger collection of data. Would these
data be identity data only (and what is meant by identity data)? Or would
other data be collected, stored, and/or analyzed as well? With what
confidence would the accuracy and quality of this data be established and
subsequently determined?
• Who would be the user(s) of the system (as opposed to those who
would participate in the system by having an ID)? One assumption seems
to be that the public sector/government will be the primary user, but
what parts of the government, in what contexts, and with what con-
straints? In what setting(s) in the public sphere would such a system be
used? Would state and local governments have access to the system?
Would the private sector be allowed to use the system? What entities
within the government or private sector would be allowed to use the
system? Who could contribute, view, and/or edit data in the system?
• What types of use would be allowed? Who would be able to ask for
an ID, and under what circumstances? Assuming that there are datasets
associated with an individual’s identity, what types of queries would be
permitted (e.g., “Is this person allowed to travel?” “Does this person have
a criminal record?”)? Beyond simple queries, would analysis and data
mining of the information collected be permitted? If so, who would be
allowed to do such analysis and for what purpose(s)?
• Would participation in and/or identification by the system be vol-
untary or mandatory? In addition, would participants have to be aware of
or consent to having their IDs checked (as opposed to, for example, allow-
ing surreptitious facial recognition)?

EXECUTIVE SUMMARY 3
• What legal structures protect the system’s integrity as well as the
data subject’s privacy and due process rights, and determine the govern-
ment and relying parties’ liability for system misuse or failure?
Each of these issues is elaborated on in the report. And each of the
above questions evokes a larger set of issues and questions that must be
resolved. In addition, many of these issues are interdependent, and
choices made for each will bear on the options available for resolving
other issues.
Decisions made at this level will also have ramifications for the tech-
nological underpinnings of the system, including what levels and kinds
of system security will be required. In fact, “system” may be the most
important (and heretofore least discussed) aspect of the term “nationwide
identity system,” because it implies the linking together of many social,
legal, and technological components in complex and interdependent
ways. The success or failure of such a system is dependent not just on the
individual components but also on the ways they work—or do not work—
together. The control of these interdependencies, and the mitigation of
security vulnerabilities and their unintended consequences, would deter-
mine the overall effectiveness of the system.
The committee believes that given the complexity and potential im-
pact of nationwide identity systems, more analysis is needed with respect
to both desirability and feasibility. In particular,
• Given the potential economic costs, significant design and imple-
mentation challenges, and risks to both security and privacy, there should
be broad agreement on what problem(s) a nationwide identity system
would address. Once there is agreement on the problem(s) to be solved,
alternatives to identity systems should also be considered as potential
solutions to whatever problem(s) is identified and agreed upon.
• The goals of a nationwide identity system must be clearly and
publicly identified and deliberated upon, with input sought from all stake-
holders; public review of these goals prior to selecting a proposed system
is essential.
• Proponents of such a system should be required to present a very
compelling case, addressing the issues raised in this report and soliciting
input from a broad range of stakeholder communities.
• Serious consideration must be given to the idea that—given the
broad range of uses, security needs, and privacy needs that might be
contemplated—no single system may suffice to meet the needs of poten-
tial users of the system.

• Care must be taken to explore completely the potential ramifica-
tions, because the costs of abandoning, correcting, or redesigning a sys-
tem after broad deployment might well be extremely high.
The legal, policy, and technological issues associated with nation-
wide identity systems warrant much more detailed and comprehensive
examination and assessment than are presented in this report. The com-
mittee hopes that the extensive set of questions and issues raised here will
help to both further and inform the policy debate. The committee wel-
comes feedback on this brief report as it continues preparing its broader
and more in-depth final report on the topic of authentication technologies
and their privacy implications.

1
Introduction and Overview
W
hile the events of September 11, 2001, have galvanized a search
for improvements in the safety and security of our society, the
challenge is to provide protection without sacrificing funda-
mental freedoms. An idea that has resurfaced as a result of the attacks is
the creation of a “national identity card,” often referred to simply as a
“national ID.”1 This term is a bit of a misnomer, in that a card would
likely be but one component of a large and complex nationwide identity
system, the core of which could be a database of personal information on
the U.S. population. This report by the Committee on Authentication
Technologies and Their Privacy Implications provides a limited explora-
tion of such a system and of the potential legal, policy, and technical
challenges that it might present.
No one really knows if a nationwide identity system could detect or
deter terrorism, although several arguments have been advanced. One is
that such a system could be used to easily identify known terrorists upon
their interaction with particular agents (such as airline security officials),
facilitating their arrest. On the other hand, unless the database of sus-
pects includes those particular individuals, the best possible identity sys-
5
1See, for example, “States Devising Plan for High-Tech National Identification System”
at <http://www.washingtonpost.com/wp-dyn/articles/A32717-2001Nov2.html> and
“National ID Card Gaining Support” at <http://www.washingtonpost.com/wp-dyn/
articles/A52300-2001Dec16.html>.

tem would not lead to their apprehension. Another suggestion is that the
data collected from the widespread use of nationwide IDs could help
prevent terrorists from achieving their objectives. This might involve the
detection of abnormal or suspicious patterns of behavior that accompany
the planning and/or execution of a terrorist act.
Another potential role of a nationwide identity system is as an inves-
tigative tool in the aftermath of a crime or terrorist attack. Here, the data
collected could help retrospectively in the identification, arrest, and pros-
ecution of the perpetrators. Some argue that this is primarily (though not
exclusively) a post facto activity, more useful for law enforcement than
for counterterrorism, which is, in part, an a priori intelligence function.
Terrorism issues per se are beyond the scope of this report, which
examines the concept of a nationwide identity system in the large, not
solely with respect to counterterrorism. The committee believes that the
concept of a nationwide identity system—including whether such a sys-
tem is a good idea—must be examined on its own merits.
Indeed, nationwide identity systems have been sought for many pur-
poses in addition to countering terrorism. They have been proposed to
aid in fraud prevention (for example, in the administration of public ben-
efits), catch “deadbeat dads,” enable electoral reforms, allow quick back-
ground checks for those buying guns or other monitored items, and pre-
vent illegal aliens from working in the United States.
Depending on the nature of the population, the data collected, and
the scope of use, a nationwide identity system might be able to help with
other tasks as well. For example, a robust, accurate and comprehensive
system might aid law-enforcement officials in tracking or finding people.2
It is possible that the correlation of social (for example, health, economic,
demographic) information could be more easily accomplished with the
use of a national identity system; statisticians, for example, note how a
single identifier would facilitate some of their analyses. In addition, de-
pending on implementation choices, e-commerce and e-government trans-
actions might be simplified. However, there could also be negative con-
sequences, ranging from infringement on rights and liberties (including
loss of or invasion of personal privacy) to harm resulting from misiden-
tification or misuse of the system, plus significant implementation and
deployment costs. The trade-offs (enhanced security versus risks to pri-
2Examples include tracking fugitives, executing warrants, tracking noncitizens with ex-
pired visas, tracking illegal aliens, and confirming alibis for those innocent of criminal
charges. A nationwide identity system could facilitate the work done by the National
Crime Information Center, a computerized database at the Federal Bureau of Investigation
that permits access by authorized users to documented criminal justice information.

INTRODUCTION AND OVERVIEW 7
vacy, cost versus functionality, and so on) need to be carefully consid-
ered.
Many other countries have nationwide identity systems, which they
often use for such diverse purposes as proof of age (e.g., Belgium), proof
of citizenship, and for generating electronic signatures (e.g., Finland). In
the United States, citizens’ concern for civil liberties, their historic associa-
tion of ID cards with repressive regimes, and states’ rights concerns have
discouraged movement toward a governmentally sanctioned nationwide
identity system.3 Additionally, because the country was settled by immi-
grants, a significant fraction of whom wanted to escape just such prac-
tices, many U.S. record systems were intentionally designed not to gather
linking data.4 Further, it appears that laws requiring individuals to show
proof of legal status or citizenship result in increased discrimination based
on national origin and/or appearance.5 The human rights issues that
could arise, such as increased demands for documentation from those
who look or sound “foreign” and the deterioration of living and working
conditions for aliens, are substantial.6 Clearly, an examination of the
legal and social framework surrounding identity systems, while outside
the scope of this report, would be essential.7
Although discriminatory acts such as those alluded to above might be
constrainable by law, the presentation of identifying documents—driver’s
licenses and credit cards, for example—is being demanded today in more
3The Electronic Privacy Information Center has compiled a set of resources and reports
on the topic at its Web site, <http://www.epic.org/privacy/id_cards/>.
4An example that frustrates many genealogists is that U.S. birth certificates usually re-
quire identifying the town of birth only for parents born in the United States; for people
born elsewhere, the country of birth is sufficient. Generally speaking, the mindset that such
things are “no one’s business” has deep roots.
5See U.S. General Accounting Office (GAO), Immigration Reform: Employer Sanctions and
the Question of Discrimination, March 1990; Marvin Howe, “Immigration Law Leads to Job
Bias, New York Reports,” New York Times, February 26, 1990, p. A1. The GAO report on the
Immigration Reform and Control Act of 1986 (IRCA) cites a “widespread pattern of dis-
crimination” resulting “solely from the implementation of IRCA.” Ten percent of employers
discriminated on the basis of foreign accent or appearance, and nine percent discriminated
by preferring certain authorized workers over others.
6Especially for communities of recent immigrants, there is likely to be significant contro-
versy in shifting to a system that would prohibit or make difficult work and other activities
without presentation of an ID. In considering the feasibility and desirability of a particular
approach, designers of any such system should be aware of this potential opposition, as
well as possible opposition from other segments of the population.
7It would be useful to examine how such systems have worked in other countries, as well
as to examine nations where IDs have been proposed but not implemented (such as the
United Kingdom).

and more generic circumstances. There is also evidence of growing ef-
forts in the public and private sectors to collect, maintain, correlate, and
use more and more information on citizens’ activities based on existing
identifiers such as Social Security numbers (SSNs). Initially designed only
for administering social security benefits, SSNs are now common data
elements in public and private sector databases, allowing for easy sharing
and correlation of disparate records. This is a classic example of function
“creep”—continuous expansion in the use of a system first intended for a
limited purpose.8
Before any decisions can be made about whether to attempt to formal-
ize some kind of nationwide identity system, the question of what is being
discussed must be answered. Thus the committee believes that substan-
tive and sustained analysis is needed on the issue.
There is no recognized universal model for a nationwide identity
system. Because different people mean different things when they dis-
cuss the concept, evaluating it requires clarification of what is intended.
The range of possibilities for identity systems is broad and includes alter-
native approaches such as the following:
• A database establishing a unique identity and maintaining infor-
mation on every U.S. citizen, including, for example, information on
known felony convictions and place of residence, available for govern-
ment and commercial query;
• A system similar to the above system that also includes noncitizens
who are legally in the United States;9
8Some might argue that the SSN is already a de facto national identifier. The General
Accounting Office makes this assertion and also points out that no one law governs the use
of SSNs. While originally intended to identify retirees who qualified for the Social Security
retirement system, the SSN is now required, in some cases by law, to be used to identify
individuals who seek federal assistance. In addition, of course, the SSN has been adopted
as a taxpayer ID number. In his book Database Nation, Simson Garfinkel provides a history
of the expanded use of the SSN. Provisions of the Social Security Act, the Privacy Act, and
the Computer Matching Act are among the laws that attempt to limit the conditions under
which SSNs and associated data are used (General Accounting Office, Social Security: Gov-
ernment and Commercial Use of the Social Security Number Is Widespread, GAO/HEHS-99-28,
February 1999). For example, the Privacy Act of 1974, available at <http://www.usdoj.gov/
foia/privstat.htm>, requires the disclosure of how the SSN will be used by all government
agencies. In 1986, the Office of Technology Assessment addressed the issue of ubiquitous
use of the SSN as well (U.S. Congress, Office of Technology Assessment, Government Infor-
mation Technology: Electronic Records Systems and Individual Privacy, OTA-CIT-296, Washing-
ton, D.C., U.S. Government Printing Office, June 1986).
9Note that there are additional discussions about systems aimed exclusively at non-
citizens, including, for example, proposals that would more rigorously track foreign stu-
dents within the United States.

• A database of only a fraction of the country’s population—those
individuals who have a specific characteristic (for example, criminal
record, past noncriminal but anomalous behavior, trusted travelers)—
that would not include the majority of people in the country; and
• A database allowing voluntary participation in return for such ben-
efits as ease of entry into the country or access to the fast line at the airport
security checkpoint.
The above possibilities (there are others as well) emphasize the need
for answers to a number of questions before a more substantive analysis
can proceed. Several policy questions should be asked when considering
any kind of identity system (see also Figure 1.1):
• What would be the purpose of the system? Possibilities include expe-
diting and/or tracking travel, prospectively monitoring citizens’ activi-
ties in order to discern suspicious behavior, and retrospectively aiding in
the identification of perpetrators of crime, among others.10
• What is the scope of the population for whom an ID would be issued
and whose activities would presumably be recorded in the system? How
would the identities of these individuals be authenticated?
• What is the scope of the data that would be gathered about individu-
als participating in the system and correlated with their national identity?
While it may be referred to casually as an “identification system,” imply-
ing that all the system would do is identify individuals, many proposals
talk about the ID as a key to a much larger collection of data. Would these
data include only identity data (and what, precisely, is meant by identity
data)? Or would other data be collected, stored, and/or analyzed as well?
With what confidence would the accuracy and quality of these data be
established and subsequently determined?
• Who would be the user(s) of the system (as opposed to who would
participate in the system by having an ID)? One assumption seems to be
that the public sector/federal government would be the primary user, but
what parts of the government, in what contexts, and with what con-
straints? In what setting(s) in the public sphere would such a system be
used? Would state and local governments have access to the system?
Would the private sector be allowed to use it? What entities within the
government or private sector would be allowed to use the system? Who
could contribute, view, and/or edit data in the system?
10In general, the narrower the goals, the simpler and, perhaps, less controversial a sys-
tem is likely to be, although even a narrowly focused system can run into function creep
and problems associated with misidentification.

FIGURE 1.1 Interconnecting policy choices. The choices made for each of the
questions posed will bear, with differing degrees of influence, on the choices
made with respect to all of the other issues. For example, the goals of the system
will influence what data are collected about individuals. What data are collected
about individuals will constrain the possible goals of the system. Who is allowed
to use the system will have a bearing on what legal structures are needed. What
legal structures are put in place will bear on what kinds of access to the system
are allowed. And so on.
• What types of use would be allowed? Who would be able to ask for
an ID, and under what circumstances? Assuming that there are datasets
associated with an individual’s identity, what types of queries would be
permitted (e.g., “Is this person allowed to travel?” “Does this person have
a criminal record?”)? Beyond simple queries, would analysis and data
mining of the collected information be permitted? If so, who would be
allowed to do this kind of analysis and for what purpose(s)?
• Would participation in and/or identification by the system be vol-
untary or mandatory? In addition, must participants be aware of or con-
sent to having their IDs checked (as opposed to, for example, undergoing
surreptitious facial recognition)?
Users?
Voluntary or
mandatory? What data?
Type of
use?
Who is
participating?
Legal
structures?
Goals?

• What legal structures would protect the system’s integrity, as well
as the data subject’s privacy and due process rights, and define the gov-
ernment and relying parties’ liability for system misuse or failure?
These questions will drive technological considerations (described in
Chapter 3), including what kinds and what levels of system security
would be required.
Throughout this report, the term “nationwide identity system” is used
in lieu of the more colloquial “national ID” or “national ID card.” Many
of the proposals are often presented in terms of a national identity card,
though technologies exist—possibly including biometrics, which mea-
sures and analyzes unique physiological and behavioral characteristics of
individuals—that might serve some of the same proposed purposes with-
out requiring a physical card. Nevertheless, the emphasis in this report is
on card-based models simply because they have been proposed most
frequently. In addition, many of the policy questions and database-re-
lated technical issues apply both to card-based systems and those that do
not require a physical card (see Chapter 3).
With respect to the chosen phrase, nationwide identity system, “na-
tionwide” is meant to underscore the scale (both geographic and in terms
of numbers of users) needed, without implying that IDs would necessar-
ily be generated from a single central location or, implicit in the term
“national,” that only citizens would need an ID.
The notion of identity is complicated, even when only the identity of
persons (and not things, arguments, systems, etc.) is being referred to, as
this report is doing. This report distinguishes between an identifier (the
name or sign by which a person is known), which can be thought of as a
label by which an individual is known in and to society and with which
he or she conducts his or her affairs within society, and the identity of a
person as seen by others. For the purposes of this report, “identity” refers
to a set of information about a person X believed to be true by Y. More
colloquially, identity is associated with an individual as a convenient way
to characterize that individual to others. The set of information and the
identifier (name, label, or sign) by which a person is known are also
sometimes referred to as that person’s “identity.” The choice of informa-
tion may be arbitrary, linked to the purpose of the identity verification
(also referred to as authentication) in any given context, or linked intrinsi-
cally to the person—as in the case of biometrics (see Box 1.1).11 For
11Although biometrics are proposed with increasing frequency for a variety of identifica-
tion and authentication purposes, they pose many difficult issues for system design, imple-
mentation, and use. These will be explored in the committee’s final report.

BOX 1.1
Terminology
For the purposes of this brief report, and to help clarify discussion, concepts that
the committee’s final report1 will explore in detail are explained here.
• Identity. The identity of X according to Y is a set of statements believed by Y
to be true about X. In this report, identity generally refers to a set of informa-
tion about X, especially in the context of a particular identity system.
• Identification. Identification is the process of determining to what identity a
particular individual corresponds, often without a claimed identity on the part
of the individual (for example, the identification of an unconscious patient in
an emergency room).
• ID. In this report, ID refers to the identity information pertaining to a particular
individual that is contained within an identity system and/or the token associ-
ated with that information.
• Authentication. Authentication is the process of confirming an asserted iden-
tity with a specified or understood level of confidence. Note that authentica-
tion is quite distinct from identification.
• Security. Security refers to a collection of safeguards that ensure the confi-
dentiality of information, protect the integrity of information, ensure the avail-
ability of information, account for use of the system, and protect the system(s)
and/or network(s) used to process the information. Security is intended to
ensure that a system resists (potentially correlated) attacks.
• Privacy. The right to privacy is the right of an individual to decide for himself
or herself when and on what terms his or her attributes should be revealed.
It should be noted that each of these terms represents a complicated, nuanced,
and, in some instances, deeply philosophical topic. The descriptions of these con-
cepts given here are not meant to be definitive, prescriptive, or comprehensive.
1See <http://www.cstb.org/web/project_authentication> for more information.
example, the information corresponding to an identity may contain facts
(such as eye color, age, address), capabilities (for example, licensed to
drive a car), medical history, financial activity, and so forth. Generally,
not all such information will be contained in the same identity, allowing a
multiplicity of identities, each of which will contain information relevant
to the purpose at hand. In the phrase “nationwide identity system,” the
word “identity” implies that decisions must be made about what consti-
tutes an identity within a system and that an identity will be established
for participants.

A critical question—which goes beyond the scope of this report, but
which must be considered in the larger law-enforcement and national-
security context—is whether establishing and verifying identity is either
necessary or sufficient for achieving any of the desired objectives of the
system. It may be that they require collection and analysis of data and/or
prospective or retrospective tracking or surveillance, well beyond mere
identity verification.12 Note that even the question of whether to institute
collection of data and surveillance is not binary (see Box 1.2).
“System” may be the most important (and heretofore least discussed)
aspect of the term “nationwide identity system,” because it implies the
linking together of many social, legal, and technological components in
complex and interdependent ways. The success or failure of such a
system is dependent not just on the individual components, but on the
ways they work—or do not work—together. Each individual component
could, in isolation, function flawlessly yet the total system fail to meet its
objectives.13 The control of these interdependencies, and the mitigation
of security vulnerabilities and their unintended consequences, would de-
termine the effectiveness of the system.
A nationwide identity system would also consist of more than simply
a database, communications networks, card readers, and hundreds of
millions of physical ID cards. The system would need to encompass
policies and procedures and to take into account security and privacy
considerations and issues of scalability, along with human factors and
manageability considerations (if the requirements of use prove too oner-
ous or put up too many barriers to meeting the goal of the relying party,
that party might try to bypass the system). The system might need to
specify the participants who will be enrolled, the users (individuals, orga-
nizations, governments) that would have access to the data, the permitted
12For example, if the goal were to track the activities or whereabouts of an individual to
detect illegal activity or suspicious patterns, surveillance of the behavior and activities of
said individual would be needed after identification was accomplished. Surveillance might
require a warrant or other judicial intervention, depending on the approach taken. If the
goal were to detect suspicious activity by previously unsuspected individuals (in order to
prevent illegal activity), correlation of surveyed actions would be required after identifica-
tion and surveillance were accomplished. Such correlation would presumably have to be
done before establishment of probable cause for a search in order for it to be useful.
13There are examples of this in security mechanisms—for example, where individual
techniques to provide additional security interact unexpectedly in such a way as to make
the system less secure. Charles Perrow explores the broad concept more thoroughly in
Normal Accidents, McGraw-Hill, 1986. In addition, the Web site <http://www.safeware-
eng.com/software-safety/accidents.shtml> describes the distinction between component
failure accidents and system accidents.

uses of the data, and the legal and operational policies and procedures
within which the system would operate. In addition, a process would
need to be in place to register individuals, manipulate (enter, store, up-
date, search and return) identity information about them, issue creden-
tials (if needed), and verify search requests, among other things. The
word “system” suggests the complicated nature of what would be re-
quired in a way that the colloquial phrase “national ID card” does not.
It is important to note that a variety of identity systems fit within the
scope of what is being discussed in this report. The recent AAMVA
proposal14 to link state motor-vehicle databases is a nationwide identity
system. So is the recent proposal to create a traveler ID and database to
expedite security checks at airports. Each of these systems could and
should be subjected to the kind of analysis and critique described in this
BOX 1.2
Degrees of Data Collection and Surveillance
Merely asserting that some data collection or surveillance would occur in a
system or that data would be analyzed is insufficient. It is important to determine
precisely what is meant or intended by “collection” and “analysis” within an identi-
fication system. There are at least five different ways to approach this issue:
• Little to no data collection. The only data collected and stored are those
needed to establish, at a particular time, an individual’s identity within the
system (for a predetermined meaning of “identity.”)
• Individual data collection. Information about an individual’s activities and
behavior is collected and stored but analyzed only upon request by an autho-
rized agent (for example, a court order).
• Aggregate data collection. Behavioral data are aggregated and stored but
only analyzed upon request or for a specific purpose. It may or may not be
possible to link data to an individual.
• Aggregate data analysis. Behavioral data are aggregated and proactively ana-
lyzed to search for suspicious or abnormal patterns. Upon an authorized
request it may or may not be possible to link data to an individual.
• Individual data analysis. Each individual’s data are proactively analyzed to
check for suspicious or abnormal patterns of behavior, and any such findings
are flagged and authorized agents alerted.
14See <http://www.aamva.org/> for more information. The committee received a brief-
ing describing some of the issues facing AAMVA in developing a more secure driver’s
license infrastructure in a context where use of driver’s licenses is expanding beyond their
nominal function.

report. Some of the issues raised here will be more applicable to some
systems than to others, but virtually any large-scale identity system will
need to take into consideration a number of policy and technological
issues; in fact, before deciding to build any identity system, the issues
outlined in this report should be explored.
A top-down, monolithic system controlled by the federal government
is not the only kind of nationwide identity system that this report ad-
dresses. For example, unifying document formats and linking the data-
bases of state driver’s licenses and ID-issuing systems would provide
broad (though not complete) coverage without creating a federally con-
trolled nationwide identity system. Further, the successes and failures of
the various nationwide identity systems in use in other countries should
be examined in order to have a fully informed discussion in the United
States. However, when studying such systems, questions of scale must be
kept in mind. Experience with a system for a population of tens of millions
is not necessarily applicable to a system that might incorporate hundreds
of millions. In any case, many of the questions raised in this report assume
large-scale systems and widespread participation in and use of such
systems.
Without attempting to answer comprehensively the many questions
surrounding a nationwide identity system and without making asser-
tions about whether to move toward or away from a nationwide identity
system, the report aims to highlight some of the significant policy, proce-
dural, and technical challenges presented by such a system, with the over-
all goal of prompting a broad discussion among and between policy mak-
ers and stakeholders.
This brief document is intended to inform the policy debate. Com-
plete policy analysis is outside its scope, though several of the broad
themes outlined here will be addressed more fully in the committee’s
final report. Chapter 2 describes what the committee believes is the most
important issue in the debate—namely, the system goals—along with
other policy issues that the committee believes should be considered in
advance of implementation and deployment. Chapter 3 explores some of
the technological issues involved in implementing a reliable and secure
nationwide identity system while minimizing unintended consequences,
such as compromises of privacy or the creation of new vulnerabilities.
Chapter 4 offers concluding remarks and suggestions.

2
Policy Considerations
N
umerous policy questions surround any proposed nationwide
identity system. They require sustained deliberation by policy
makers and significant input from the various stakeholders—
including federal, state, and local governments and agencies, privacy ad-
vocates, public-interest groups, civil rights and liberties groups, and those
who would participate in and use the system (that is, ID holders, ID
requestors, and data analysts). Establishing a nationwide identity system
would almost certainly be a complex and expensive process, requiring
years of legislative, technical, and public relations work, as systems now
in place elsewhere have shown.1
WHAT DOES IDENTITY PROVIDE?
Whether and when knowledge of “identity” could aid in solving a
problem or meeting an objective depends in part on the word’s very
definition. For the purposes of this report, identity refers to sets of infor-
mation (say, a database record or a strongly linked system of records)
about a person that can be used to tell who that person is. Confirmation
16
1In the Philippines, for example, the social security system ID card project has been
under active development and deployment for 6 years and has only reached an enrollment
of just over 2 million, en route to the goal of enrolling 40 million social security beneficia-
ries, members, and dependents.

POLICY CONSIDERATIONS 17
(at some level of assurance) of identity is useful in contexts when one or
more of the following are needed: (1) knowledge (in the present) about a
person’s past is sought (e.g., the use of a dossier), (2) knowledge about a
person in the present needs to be remembered for use in the future (e.g.,
the creation of a dossier), (3) distinguishing between two individuals is
required to prevent the possibility of mistaking one of them for the other,
or (4) verification of identity information provided by a third party. Iden-
tification and/or authentication are generally used to aid in recognition
when there are multiple dealings with a single individual but could also
be relevant to a single experience/transaction. (Note that authentication
presumes a proffered identity that needs to be confirmed, whereas identi-
fication does not—see Box 1.1.)
While casual discussions of IDs or ID cards may assume simple,
unique pairings of information and individuals, the reality is often more
complicated. In practice, individuals usually have multiple identities—to
family, to an employer or school, to neighbors, to friends, to business
associates, and so on. Thus, different sets of information are associated
with an individual in different contexts—and sometimes an ID card or
equivalent is relied upon to provide or point to that information. For
identity systems that have existed in our society for some time, there is a
common understanding of what information is associated with each. A
record associated with a driver’s license, for example, includes traffic
violations; a record associated with a credit card includes late payment
information; and so on.
Multiple identities (that is, multiple sets of information correspond-
ing to a single individual) may allow individuals to control who has
access to what kinds of information about them, and the use of multiple
identities can be a legitimate strategy for controlling personal privacy in
an information society. In addition to providing a measure of privacy
protection, the use of multiple identities, even with respect to a single
organization, serves legitimate and desirable functions in societal institu-
tions as well. One individual may have several distinct roles with respect
to a particular organization. For example, as far as the IRS is concerned,
one might be an individual taxpayer, an IRS employee, or the comptroller
of a nonprofit organization.
If, however, colluding agents are willing to make the effort, they might
be able to link an individual’s records—through additional information
or correlation with each other’s information—to create a single record. In
many cases, an identity will include a common cross-reference, such as a
Social Security number, that makes it trivially easy to link it to other
identities. Moreover, there are usually other possible cross-references
(such as address, age, and so on) that enable different sets of information
to be linked, though there may be institutional practices or practical barri-

ers that discourage such linking.2 In addition, questions arise as to how
reliable the linking would be—some institutions may not mind if linkages
are not completely supported, whereas others demand high levels of ac-
curacy.
Sometimes, the use of multiple identities by a single person, or the
use of a single identity by multiple persons, may be evidence of (or ex-
ploitable for) fraudulent behavior. Several criminals could use a single
identity not considered problematic within the system, or a single terror-
ist could use the least suspicious of multiple identities accessible to him
for boarding a plane. In principle, a nationwide identity system could, in
some contexts, eliminate or significantly reduce these sorts of problems if
it is designed to prevent both multiple individuals from claiming a single
identity and multiple identities from being claimed by a single person.3
One implication of the term “national ID” is that these identities are
centrally managed in order to make it difficult, if not impossible, for one
person to have multiple identities. A system designed to link a person to
a single identity (and prohibit use of multiple identities by a single per-
son) within a certain domain must be mandatory (that is, everyone within
the domain of interest must be included in the system), otherwise those
wishing to establish multiple identities would simply opt out of the pro-
gram. Also, checking is essential at the time an individual joins, to be sure
that he or she is not already in the system. If an identity reveals poten-
tially damaging information about a person, the person may try to avoid
the entry of this information into the system by creating a different iden-
tity. In some cases, this capability is controlled by having only one central
registry for the identity information.4
2See the 1997 CSTB report For the Record: Protecting Electronic Health Information.
3Historically, the Social Security Administration (SSA) allowed husbands and wives to
share a single Social Security number, and some grandfathered couples still do. Thus, such
an SSA “identity” refers to two people. Similarly, children and one of their parents can
share a single passport and passport number. More commonly, the case of two or more
individuals maintaining a joint bank account illustrates one identity (the bank account and
associated information) being shared by multiple individuals. Creating multiple identities
out of the single record set would be extremely hard for the issuing agencies, because the
linked people usually share a single last name. Splitting the record, therefore, might re-
quire additional personal information.
4A current example of a system that attempts to disallow multiple identities is the Com-
mercial Driver’s License Information System (CDLIS). U.S. federal law—the Commercial
Motor Vehicle Safety Act of 1986 (P.L. 99-570)—prohibits commercial truck drivers from
having multiple driving identities. In compliance with the law, CDLIS is used by the states—
via a centralized system that links the various issuing (state) agencies—to check that multiple
licenses are not issued. However, nothing in the CDLIS system itself prevents multiple
drivers from using this single license and, in fact, fraud of this type has been documented
(see “Biometric Identification Standards Research: Final Report Volume I,” San Jose State
University, December 1997, at <http://www.engr.sjsu.edu/biometrics/fhwabiom.zip>).

Depending on the goals of the system, creating a tight identity-to-
individual bond might be excessive. Often it doesn’t matter exactly who
someone is as long as it is clear that he or she is a member of a particular
group (e.g., over 21 or an officer of a corporation with check-signing
privileges). Such group identities are often extremely useful in expedit-
ing matters in certain contexts and may raise fewer privacy concerns.
Thus, any proposal for a new identity system requires a discussion of
what sorts of identity information would be relevant and helpful to the
stated goals of the system.5 It also requires taking into account the levels
of confidence with which information was associated to an individual,
since basing a system on fragile or unreliable data poses numerous risks.
In addition, in some cases there are legal restrictions on what sort of
information may be asked of an individual (presumably to include in that
person’s associated identity information)—for example, it may not be
legal to take into account a person’s race, gender, national origin, religion,
and so forth. In other cases, retaining the advantages that come with the
ability of an individual to maintain multiple identities or to maintain
group identities could also be desirable. All in all, establishing what is
meant by “identity” in a nationwide identity system—in other words,
which collection of information is meant to encapsulate an individual’s
distinctiveness—is a first-order concern.
TO WHOM AND FOR WHAT?
Once the notion of identity has been articulated, a determination must
be made as to who would be issued an ID (see Box 1.1 for the distinction
between “ID” and “identity”) and for what purpose. First and foremost,
the goals and requirements of the system must be carefully articulated.
What problems should the system be designed to solve? How would it
provide solutions to those problems? Without a priori decisions about
what types of system functions, determined by policy choices, are de-
sired, the software and hardware may impose unwanted or undesirable
restrictions or allowances.6
If a goal of the system is the identification and/or tracking of non-U.S.
nationals, then issuing IDs only to U.S. citizens would not be sufficient.
5If the goal of the system is to aid in counterterrorism, then relevant questions might
include the following: Is a past criminal record a signal of a potential terrorist? Is a long
record of frequent travel a signal that a person is or is not likely to be a terrorist? And so on.
6See Lawrence Lessig’s treatment of software imposing values in Code and Other Laws of
Cyberspace, Basic Books, New York, 1999.

Identification and tracking of all individuals would be required.7 Fur-
thermore, non-U.S. nationals are already required to have IDs when in the
United States (passports and, in some cases, visas); however, there is
likely to be less control over—and therefore less confidence in—such for-
eign-issued credentials. This raises questions about international coordi-
nation, cooperation, and harmonization.8,9 The problems now present in
keeping track of passports and visas, and in assuring that the right indi-
viduals and agencies have the appropriate data when needed, would
undoubtedly persist in a new identification system.10 They also serve to
demonstrate how difficult it is to implement a large identification system
that is also robust.
What Is Required for ID Issuance?
The best that any system of authentication can do is provide a com-
pelling connection with some previous verification of identity. Accord-
ingly, trust in the integrity of the system is based not so much on the first
such verification as on increasing confidence when all previous transac-
7The terrorist attacks of September 11, 2001, were carried out exclusively by non-U.S.
nationals; none of them would have had a U.S. ID if one had been required only of citizens.
In addition, undercover operatives sponsored by a major foreign group or state hostile to
the United States generally are individuals without suspicious records. It follows that such
people’s IDs (be they within a United States nationwide identity system or outside it) would
not contain anything particularly problematic.
8The logistical considerations involved in issuing high-security identities for everyone
entering the country are significant, especially when individuals do not need visas in ad-
vance (such as citizens of countries in the Visa Waiver Program).
9Even if IDs were issued to foreign visitors entering the United States, the information
would be based on information provided by their country of origin. Its usefulness is lim-
ited for at least two reasons: (1) many countries do not have much data about their citizens
to begin with, and others may be unlikely to provide other nations with suspicious back-
ground information about their own citizens and (2) even if a country indicates that an
individual seeking admission to the United States has a problematic background record,
that doesn’t mean the United States would consider such a person a risk (for example, a
country might provide warnings about political dissidents). Adding information to an
individual’s ID beyond what his or her country of origin provides (presumably gathered by
U.S. intelligence) is problematic for a number of reasons, including cost, scale, paucity of
data, and potential compromise of sources and methods behind the information.
10As an example of this, the Washington Post reported that 15 of the September 11 hijack-
ers applied for visas in Saudi Arabia, where officials have indicated that identity theft is a
serious concern. See <http://www.washingtonpost.com/wp-dyn/articles/A14788-2001
Oct30.html>.

tions with that particular individual have worked out.11 But at the outset,
upon determination of who should have IDs, a host of questions arises:
How is identity first established within the system? What information
would be required of an individual upon application? How would that
information be verified?
Such broad questions imply others that are more specific: How would
the “true” identity of individuals be established (e.g., for individuals in
the initial stages of a program or after card loss or destruction)? What
family name(s) would be used for the individual (birth name, adopted
name, married name, father’s name, father’s mother’s name)? Could
middle names, diminutives, or nicknames be used as first names? When
can or must these names be changed? How would people with similar or
identical names (or other pieces of associated data) be differentiated in
the system? If participation in the system were mandatory, at what point
in a person’s life would the ID begin to be required? How frequently
would renewal be required? Under what circumstances would reissuance
be required? What if the system “loses” a person (that is, a person claims
to be in the system, but his or her information is not accessible)?
What Is the Meaning of an ID?
Broader, and perhaps more important, is the meaning of the ID (that
is, the identity information about a person in the identity system and its
associated token). Would the law define rights, privileges, and obliga-
tions with respect to the ID? Would the law define a legal person in terms
of the ID, or vice versa, or neither? Related to the meaning is the issue of
a citizen’s and the government’s responsibilities with respect to a nation-
wide identity system. A host of legal issues arises if an ID is to have
significance as, say, a government-authorized identification token. Using
an ID to verify a person’s identity would not be of value without an
obligation to present it upon demand by authorities or in an authorized
search of one’s person.12
Questions that would need to be addressed include the following:
When must the ID be carried? When must it be presented to a govern-
ment official? What happens if the holder refuses to present it? What
happens if the ID has been lost or stolen? How can information on the ID
11Although trust developed in this fashion is vulnerable as well. For example, individu-
als may act in a completely trustworthy fashion for a long period of time and then behave
fraudulently or criminally.
12 Other identification techniques, such as facial recognition, might not require an obliga-
tion to present an ID.

(or associated with it) be changed, and by whom? What if the infrastruc-
ture is down and the ID cannot be verified? Can only the federal govern-
ment compel the presentation of the ID, or would state and local govern-
ment officials (which is where most law-enforcement occurs and many
social services are delivered) also have such authority?13
Where Does the Identity Information Reside?
These questions point to other questions that must be considered
about the information associated with a person’s ID. If it is a card or other
physical token, what information is stored on it in human-readable for-
mat on the ID? What information does the ID store in machine-readable
format? What information about or pertaining to an individual is stored
in the identity system’s databases? What information in those databases
is explicitly linked to information in other databases? Who has the au-
thority to create these linkages? Who can access which information about
a person in the system? What algorithms are used to analyze data in
order to make assessments about a particular individual in a particular
context (e.g., risk profiling)?14 (See Figure 2.1 for a description of what
can happen to identity information within a system.)
Many of the questions raised in this section point more broadly to the
problem of controlling function creep (as mentioned in Chapter 1). Deci-
sions and policies made for one kind of system may not apply well if that
system begins to be used for other than its original purposes. In the
context of an identity system, function creep can occur when the same
ID/token is used to access multiple systems. (This has happened with
driver’s licenses in that they are used not only to prove authorization to
drive, but also for proof of age and proof of address in various contexts.)
13For example, if the goal were to locate and keep track of non-U.S. citizens and/or
known criminals within the United States, it would probably be necessary to challenge all
individuals (including citizens) to present the card at regular intervals and/or for a wide
variety of activities. It would further be necessary to require all individuals to carry the
card at all times. It could be that many forms of purchases and transactions would require
use of the card in an ancillary fashion, in the same way that purchases with a check often
require the presentation of a driver’s license or equivalent form of photo identification. In
this way, the information associated with the card (and by extension with the holder’s
identity) would become part of the records generated by some set of interactions, just as
Social Security numbers and license numbers are used today—a practice that suggests the
development, in effect, of dossiers. A question then arises as to what an individual’s failure
or refusal to present the card under these circumstances would mean.
14The European Data Protection Directive mandates a limited right of individuals to
know what algorithms are used to make decisions about them on the basis of personal
information.

ID
Format?
Location?
Card Database Elsewhere
Human
Readable
Machine
Readable
FIGURE 2.1 Potential information flow in identity systems. The information
associated with an individual identity could be distributed within the identity
system in multiple ways. Parts of it may be machine-readable, parts may be
readable by humans. Parts may be stored on a card, in a database, or elsewhere.
Access to this information may be available to other systems, card readers, and/
or people. Not present in this diagram, but implicit, is the notion that pieces of
information, once outside the system, could then be added to other systems. Or,
information from outside the system could be incorporated into this system.
Understanding how information flows through the system, who has access to it,
and who can change it will be important in understanding both the security and
privacy implications of an identity system.
Reuse of an ID/token for purposes beyond the original intent leads to the
feasibility of correlating information from many different sources and
systems, which can be a cause of concern, particularly with respect to
privacy. Strategies and policies that prevent or constrain function creep
will be an important factor in any identity system.

PERMITTED USERS OF THE SYSTEM
Another set of policy questions arises over users of a nationwide
identity system (recall that a system encompasses numerous social, legal,
and technological aspects): May only the government use or request an
ID? Under what circumstances? Which branches (federal, state, local) of
the government? May any private person or commercial entity request
presentation of an ID within the system? May any private person or
commercial entity require presentation of an ID? Would certain private-
sector organizations be required to use, ask for, and verify IDs? If so,
there is a possibility that such mandates might be interpreted as a safe
harbor with respect to some liability questions. How would that be
handled? Who may use the information on (or associated with) the ID,
and for what? Who may enter or modify information associated with the
ID?
Depending on the goals of the system, use of the system by the pri-
vate sector may be necessary. For example, if the goal is to create a
database to mine for suspicious activities, tracking of a broad class of
activities in the private sector may be viewed as critical. To accomplish
this tracking, the ID would need to be presented in connection with many
transactions in the private sector (e.g., when traveling on commercial
airlines, when purchasing weapons, or when staying in a hotel.) How-
ever, as the set of users of a system expands, securing against misuse
becomes more complicated. Widespread use (and abuse) of the informa-
tion associated with an ID is a major concern, underscoring the impor-
tance of the initial policy choices related to the purpose of the system.
Management and Operations
Determining how any nationwide identity system should be man-
aged and operated will be a key issue. If the federal government were to
play a leading role in operations and management, an overhaul of busi-
ness and management practices at multiple levels might be necessary.15
In addition, worldwide coordination would likely be necessary. For ex-
15Since passage of the Paperwork Reduction Act of 1995, the Office of Management and
Budget has been challenged to manage complex information assurance issues, even though
it has both budgetary and statutory authority. The Department of Defense, as another ex-
ample, is charged with managing classified and other national security systems. Nation-
wide identity systems pose new problems for each of these organizations. If the federal
government were to attempt oversight of the system, it would be necessary to determine an
appropriate management model suited to undertaking management of large-scale identity
systems.

ample, depending on the system goals, ID issuance by U.S. consulates
abroad may have to be allowed, raising the potential for fraudulently
obtained IDs. Pragmatically, even the most secure documents issued by
the U.S. government (passports, green cards, and even currency) have
been forged with regularity. Requiring federal government management
and operations expertise for nationwide identity systems thus raises a
host of issues that must be taken into consideration.
Another set of policy issues involves the roles of the public, private,
and not-for-profit sectors in a nationwide identity system. For example,
in place of the above scenario (in which the federal government takes
responsibility for the management and administration of a nationwide
identity system), the private sector alone might develop and maintain the
system. Alternatively, the private sector could be subordinate to some
procuring federal agency, in which case any resulting data would be
subject to federal laws such as the Privacy Act, the Computer Matching
Act, the Government Information Security Reform Act, and the Com-
puter Security Act.16
Of course, some hybrid model—featuring a public/private partner-
ship—is also possible, though it would require explicit designation of
which sector is responsible for what and who might be liable to poten-
tially aggrieved parties when errors or abuses occur. (In particular, care-
ful attention should be paid to due process issues that may arise in con-
nection with error correction.) In any case, it would be absolutely
necessary to define how a single organization’s private role in enabling
the system should relate, if at all, to that same organization’s private role
in its use. Furthermore, how the private entity would be funded would
also be an issue. Moreover, the goals of private institutions with respect
to such a system are likely to be very different from those of public insti-
tutions.17 This difference in ultimate objectives could lead to significantly
16These acts all impose regulatory requirements on federal agencies that collect, use, and
maintain sensitive information. The Privacy Act and the Government Information Security
Reform Act in particular impose significant public notice and comment requirements on
federal agencies to ensure public participation in the appropriateness of planned agency
uses of data. The Computer Security Act imposes a risk-based standard for agencies to
ensure they protect the confidentiality, integrity, and availability of sensitive federal infor-
mation and supporting systems. If a nationwide identity system turned out not to be a
federal government system, these laws would not apply and the protections they offer
would not be available to individuals whose information is housed in the system.
17For example, a small-store owner probably is not as interested in customers’ individual
identities at point-of-sale transactions as he or she is in receiving assurance that payment
will be made.

different system requirements and design and could encourage function
creep over time.
PERMITTED USES OF THE SYSTEM
A key question about a nationwide identity system is the uses to
which the information in it will be put. Will the system be designed to
foster consolidation of other (especially federal) databases—or might that
be a predictable side effect? Will it be designed to support individualized
queries about individuals or provide a yes/no answer to simple questions
(for example, “Is this individual a U.S. citizen?”)? Will the system facilitate
data mining to establish “suspicious profiles”? If the system is to be used
extensively by law enforcement, checks and balances would need to be
put in place to prevent misuse of information (for example, constraints
should be placed on how information collected or seen—perhaps tangen-
tially—as a result of a particular investigation can be used for other pur-
poses).
Consider the system’s potential need to make real-time associations
of persons with identity—a policy question with technology-challenging
implications. For many purposes, the linkage between the person and the
identity need not be provided instantly. An application for a mortgage
need not be processed in seconds. On the other hand, an identity that
authorizes access to a secure building must be validated at the time of the
intended entry. A related issue is the prospect of constant real-time corre-
lation and analysis of an individual’s national-identity-based transac-
tions.18 It is likely that such correlation, while possibly desirable depend-
ing on the goals of the system, would be financially, technologically, and
administratively impossible. For that matter, even retrospective correla-
tion of all transactions would be extremely challenging and expensive.
Depending on what information must be tracked and stored, very large
amounts of data may be generated. And the analysis of large amounts of
data while looking for certain kinds of patterns is a large and open re-
search area.
An additional correlation concern relates to potential uses beyond
those associated with public safety and counterterrorism. If private enti-
ties are allowed to use the nationwide identity system for their own pur-
poses, it is likely that IDs would be linked to a wide range of information,
including bank accounts, credit cards, airline tickets, car rentals, hotel
stays, retail transactions, purchases of controlled items (guns, explosives,
18For example, it may be useful to correlate instantly the renting of a large truck in one
state with the purchase of a large amount of fertilizer a day later in another state.

perhaps some fertilizers, prescription drugs subject to abuse), phone lines,
cell phone accounts, prepaid cell phones, and so on.19 Even if the data
were not explicitly tied together by organizations, linking users by data
items in their identity (such as SSNs) is possible. In addition, systems that
employ biometrics could have the ability to link individuals whose infor-
mation is stored in different databases. That is, two different digital
representations of an iris or fingerprint could be compared to see if they
might have come from the same eye or finger.20,21
Finally, privacy is of serious concern to many, especially when infor-
mation linkages extend across the boundaries of multiple identities—for
example, in the linking of health data, credit ratings, or organizational
memberships with our employment records. Of greatest concern to most
people is the creation without authorization of such linkages by others,
particularly those in positions of authority—governments or employers,
for example.
The “minimization principle” is often used as a guideline when build-
ing systems sensitive to privacy concerns.22 It relates to the kind and
quantity of information collected from and/or about individuals and
emphasizes the need to collect only the minimum amount necessary for
19The issues become even thornier when one considers the possibility that physical items
may eventually have their own tracking systems embedded in them. Cross-correlation of
information about things and people would likely result in an exponential explosion of
data, further complicating the technical questions and confounding the privacy issues. See
Charlie Schmidt’s “Beyond the Bar Code,” Technology Review, March 2001.
20Systems that will allow eye/finger versus database comparisons but not database ver-
sus database comparisons have been proposed, such as in N.K. Ratha, J.H. Connell, and
R.M. Bolle, “Enhancing Security and Privacy in Biometrics-Based Authentication Systems,”
IBM Systems Journal, vol. 40, No. 3, 2001. Another possible solution would be to use
biometrics only at three points in any given system: when checking for duplicate enroll-
ments at initial registration to prevent issuance of multiple IDs to a single user, when
checking the binding between the cardholder and the card at point-of-service applications,
and when reissuing the card. This check, which could occur without revealing the biomet-
ric pattern to the holder of the card, would create yet another point in the system where
security is needed.
21Work done by Latanya Sweeney (see <http://sweeney.heinz.cmu.edu/confidentiality.
html>) suggests that very little information is needed to uniquely identity a particular
individual in even an ostensibly anonymized database, suggesting that creating linkages
between databases—even without biometric data tying individuals to their data—may not
be difficult.
22This notion is articulated in a report of the U.S. Privacy Protection Study Commission,
Personal Privacy in an Information Society, Government Printing Office, Washington, D.C.,
1977, also known as the Privacy Commission Report. Three principles espoused in that
report are to (1) minimize intrusiveness, (2) maximize fairness, and (3) create legitimate,
enforceable expectations of confidentiality.

the desired transaction. Minimization also implies that disclosure of in-
formation should be limited to the purpose(s) for which it was collected.
A pragmatic reason for this, in addition to the privacy aspects, is that
information is likely to have an accuracy commensurate with its original
purpose (for example, the address given on a video-store membership
application form is more likely to be false than the home telephone num-
ber given on an employment application). In addition, the minimization
principle suggests that information should be deleted when no longer
needed and that the information disclosed be limited to that which is
needed to fulfill the request (as opposed to disclosing all available infor-
mation about an individual or transaction).
Clearly, minimization runs counter to the kinds of information collec-
tion and correlation needed for the preemptive and retrospective analyses
contemplated by proposals for a nationwide identity system meant to
counter terrorism and unlawful activities. Resolving or mitigating this
tension will be a serious challenge to those developing policies for a na-
tionwide identity system.
VOLUNTARY OR MANDATORY?
Whether participation in the system is to be required or chosen is a
major policy decision. Until the goals of the system are clearly articu-
lated, it will be difficult to gauge which type of participation would be
preferable. Some goals may directly or indirectly require mandatory
checking of identities and/or enrollment in the system. For example, if
the goal were to prohibit travel by persons with malicious intentions, all
air travelers would need to be enrolled—if enrollment were voluntary,
such people would simply not enroll and would be permitted to travel. In
general, any attempt to ascertain that an individual does not possess an
unwanted attribute (for example, malicious intent) requires a complete
knowledge of behaviors related to that attribute, and hence mandatory
checks.
Clearly, a voluntary system is likely to meet with less resistance and
to raise fewer concerns about civil liberties, although its voluntary nature
would seem to limit the kinds of goals that it could expect to achieve.
However, even when a system is nominally voluntary, attention should
be paid to whether the large inconveniences of nonparticipation make it
effectively mandatory. Deliberate consideration of whether and when to
require participation and the implications of widespread but voluntary
participation would be essential.
There are at least two levels at which participation occurs: when an
individual establishes an identity within the system and when his or her
ID is requested or used in a given interaction. Whether an individual

must consent to presenting his or her ID as opposed to having the ID
observed from a distance (possibly without the person’s knowledge) is
another critical policy decision.
WHAT LEGAL STRUCTURES?
In considering whether to implement any nationwide identity sys-
tem, decision makers would have to determine whether and how such a
system would be regulated, and by whom. What constitutes misuse of
the ID or the data associated with it? What penalties are imposed on the
holder for misusing or tampering with the ID? What penalties are im-
posed on officers of the government for abuse of the card or misuse of its
information? What penalties are imposed on private parties or busi-
nesses other than the holder for abuse of the card or misuse of the identity
and associated information? Would laws permit, discourage, or forbid
private-sector actors from asking individuals to present the card for rea-
sons other than those intended by the public sector?
Depending on the policy choices and deployment strategies a nation-
wide identity system reflects, its constitutional implications may be sig-
nificant. The constitutional limitations on an agent’s ability to require
presentation of IDs,23 along with the limitations on the ability of Con-
gress to enact a nationwide identity system, should be explored before
any such enactment to avert the costs of imposing the system and then
having to revise or abandon it in the face of its unconstitutionality, to say
nothing of its effects on civil liberties.
Depending on implementation details and policy decisions, a nation-
wide identity system could be used to compile and store large amounts of
information on individuals, so that the legal restrictions on compiling and
using dossiers would have to be strictly obeyed. More broadly, an under-
standing of the principles that support significant privacy-related authori-
ties, as well as the major legal traditions and principles that drive U.S.
privacy law and policy, will be necessary when considering identity sys-
tems that will handle personally identifiable information.24 In particular,
23In fact, the Supreme Court has limited the situations in which government authorities
and police officers may require individuals to leave an area due to lack of apparent pur-
pose. See Brown v. Texas at <http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?navby=
case&court=us&vol=443&invol=47>.
24U.S. Department of Health, Education and Welfare, Secretary’s Advisory Committee
on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, Govern-
ment Printing Office, Washington, D.C., 1973.

it would be helpful to have insight into the statutory models that pertain
where mistakes can have severe repercussions (such as census informa-
tion collection or tax returns).
A further consideration is that because identification in the form of
birth certificates and driver’s licenses has traditionally been done at the
state and local level, states’ rights and associated issues could well arise.
It will be important to examine the federal/state constitutional tensions
along with how such issues may facilitate or impede development of
policy solutions in this arena. How, for example, should a nationwide
identity system interact with the other federal, state, and local identity
systems that are already in place? Should these other systems continue,
be coupled to the nationwide system, or be superseded?
BENEFITS AND DRAWBACKS
Creation of a well-thought-out and well-designed nationwide iden-
tity system could have some advantages over the current methods of
establishing and verifying identity, such as state-issued driver’s licenses,
Immigration and Naturalization Service documents, and birth certificates.
Current systems have many characteristics that pose a challenge to meet-
ing the goals expressed by proponents of a more uniform nationwide
identity system. For example, the documents in current systems are not
standardized in form or information content, so that a person inspecting
an offered document often cannot determine if it even resembles an au-
thentic document (much less whether it actually is authentic) without
substantial research.
Similarly, such documents are generally not strongly linked to the
person who offers one for identity, allowing several people to use a single
authentic document. Identities also cannot be clearly revoked in current
systems, allowing a person to successfully offer an invalid ID as verifica-
tion of identity. Moreover, these systems do not universally employ strong
anticounterfeiting measures—indeed, the existing measures vary from
document to document, and the documents are not easily checked.
A nationwide identity system, depending on its implementation,
might drive many other forms of identification out of use by subsuming
their functionality. Several factors in particular could encourage wide-
spread third-party reliance on the nationwide identity system to the ex-
clusion of current systems. First, if the cost of the system is borne by the
government and its associated agencies, the system’s use would be free to
other segments of society unless measures (technical, legal, or otherwise)
are taken to prevent unauthorized use. Second, unless private parties are
prevented by law (or restrictions on technology) from relying on the na-
tionwide identity system, the liability associated with such reliance would

be shielded by the government’s sovereign immunity. Third, even if the
private parties were forbidden to rely on the data, it is very likely that
private commercial organizations would begin to correlate data about
citizens based on their card and/or identity within the system. The infor-
mation in these commercial databases may not be as strongly protected
(legally or technologically) as, presumably, is the information in the na-
tionwide identity system’s own databases. The correlation and aggrega-
tion of personal information thus raise a variety of policy questions about
the use of such information and constraints on it.
As Garrett Hardin wrote in 1968, “You can’t do just one thing.”25 The
introduction of a nationwide identity system would create ripples
throughout society and the legal system. It is difficult to predict what
unintended effects these ripples would have. In part due to our frontier
history, there seems to be a widespread belief in our country that some
socially good things derive from the current inability to strongly correlate
an identity with an individual—for example, a person often has the op-
tion of leaving some detail of his or her life behind. Examples include the
expunging of the criminal records of minors, anonymous testing for sexu-
ally transmissible diseases (and the consequent public-health benefits of
reducing the incidence of these diseases), shielding the identity of rape
victims from public view, and erasing the records of bankruptcy after a
statutory interval.
It is not known how much the smooth operation of society depends
on such things, or on the assumption that they are possible. There is a
risk, however, that they would be lost, or at least significantly impaired, if
a broadly used nationwide identity system came into existence.26 Ensur-
ing the privacy protections in these examples would likely depend on
carefully limiting access to, and the specific uses of, the system’s data-
bases, and on restricting the required uses of an ID to certain circum-
stances.
Identity theft is already a critical problem,27 even without central-
25Garrett Hardin, “The Tragedy of the Commons,” Science 162:1243-1248 (1968).
26Years of experience show that when people automate or regiment a previously manual
or only lightly regimented system, they discover the new system’s demand that things be
done “exactly right” can create havoc, and that what used to be a smooth process needs to
be redesigned to accommodate the less flexible automated system. Decision makers must
consider that introducing a rigorous identity system might wreak similar havoc when
people discover that some authentication activities require more flexibility than the new
system can offer.
27Time magazine notes that in 2001 the “Federal Trade Commission logged more than
85,000 complaints from people whose identities had been pirated” and that “some con-
sumer advocates suggest as many as 750,000 identities are stolen each year.” See <http://
www.time.com/time/nation/article/0,8599,196857,00.html>.

ized, mandated identities for everyone. Identity theft is an individual’s
fraudulent claim that he or she is the person to whom the information in
the system refers, allowing him or her to derive some benefit from an-
other party who is relying on that claim. It might involve theft of a
physical ID token or it might involve the thief’s learning some secret or
personal information and using this in lieu of the token. One reason for
the problem is the broad misuse of SSNs, coupled with the fact that the
number itself is small enough to be easily memorized. In addition, birth
and death data in the United States are not subject to stringent accuracy
requirements nor are they highly correlated, making it relatively straight-
forward to exploit a deceased person’s birth certificate in order to estab-
lish credentials as a basis for an identity.
Given the attendant risks, a nationwide identity system would need
to provide much better protection against identity theft than do current
systems of identification.28 Additional questions arise in the context of a
nationwide system of how to recover from identity theft. Who would
have the authority to restore or create a new identity for someone when
necessary? And what safeguards would be needed to prevent this author-
ity from being abused?
While offering better solutions to some problems surrounding iden-
tity theft, a nationwide identity system poses its own risks. For example,
it is likely that the existence of a single, distinct source of identity would
create a single point of failure that could facilitate identity theft. The theft
or counterfeiting of an ID would allow an individual to “become” the
person described by the card, in very strong terms, especially if the na-
tionwide identity system were to be used for many purposes other than
those required by the government. Paradoxically, it could be that a ro-
bust nationwide identity system makes identity theft more difficult while
at the same time making its consequences more dire. The economic in-
centive to counterfeit these cards could turn out to be much greater than
the economic incentive to counterfeit U.S. currency.
28One strategy might be for the system to avoid displaying human-readable ID “num-
bers” or other unique identifiers to private organizations. This would, in effect, make it
impossible for anyone to read another person’s information off his or her card. (Imagine,
for example, a credit card that does not have the account number embossed on the front but
makes it available only to machines that read magnetic stripes, thereby reducing opportuni-
ties for casual theft). The strategy would instead require that agents use cryptographic
techniques to authenticate individuals or enable transactions. See Figure 2.1 for a descrip-
tion of the kinds of information in an identity system and where the information might end
up.

Another Random Scribd Document
with Unrelated Content

credit card donations. To donate, please visit:
www.gutenberg.org/donate.
Section 5. General Information About
Project Gutenberg™ electronic works
Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.
Project Gutenberg™ eBooks are often created from several
printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.
Most people start at our website which has the main PG search
facility: www.gutenberg.org.
This website includes information about Project Gutenberg™,
including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.

Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade
Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.
Let us accompany you on the journey of exploring knowledge and
personal growth!
ebookultra.com

IDs Not That Easy Questions About Nationwide Identity Systems 1st Edition Edition Stephen T. Kent

More Related Content

Similar to IDs Not That Easy Questions About Nationwide Identity Systems 1st Edition Edition Stephen T. Kent (20)

Recently uploaded (20)

IDs Not That Easy Questions About Nationwide Identity Systems 1st Edition Edition Stephen T. Kent