The public has repeatedly rebuffed attempts by the federal government to centralize identification management

By Mike Spinney – Jul 22, 2010

Mike Spinney is a senior privacy analyst at the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy.

The Homeland Security Department recently announced an initiative aimed at creating a more secure system of online identification. According to its Web site, the National Strategy for Trusted Identities in Cyberspace seeks to “improve cyberspace for everyone — individuals, private sector and governments — who conducts business online.”

That’s certainly a noble goal. But the very existence of NSTIC begs two very important questions: Does protecting me and my fellow citizens while we transact business online fall within the department’s areas of responsibility? And does DHS truly believe it can do what the private sector, driven by a clear and compelling profit motive, has yet to successfully accomplish?

The answer to both questions is a resounding no. DHS should focus on doing what its name implies — protecting the homeland — and resist the urge to demote itself into the role of national cyber mall cop.

I say this not to demean the department, which shoulders a weighty load in addressing the manifold threats to our shores in this age of terrorism, but because any effort by DHS to create a voluntary trusted identity program is doomed to fail.

The recent experience and backlash associated with Real ID — rebuffed by the general public and legislatively rejected by 11 states before being scrapped — and high-tech passports — subject to ongoing criticism for their security vulnerabilities — demonstrate that the public is uneasy at best and at worst dead set against any attempts by the federal government to centralize identification in any form. Another national identification storm cloud is gathering on the horizon in the form of the Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment provision of pending immigration reform. With every attempt at using technology to track citizens, George Orwell’s shadow grows longer.

Conspiracy theories aside, lessons learned from the evolution of Social Security numbers into a de facto national financial credential — in spite of being prohibited by the law that created them for any use other than the management of Social Security benefits — should be enough to remind us of what can happen with a national identification program even when it is conceived with the best of intentions.

Of course, DHS would not be the first organization to fail at creating a broadly successful universal digital identifier. Devices such as smart cards and tokens have been in use for years and are effective for managing identity-based access to secure enterprise systems. But such technology works best in a single organization because cost and management issues temper their advantages in broader applications.

At the consumer level, where individuals might be using multiple identities for a broad range of applications, any secure identity system would need to take into account the highly complex vagaries of human behavior. Doing so successfully in the private sector would be a feat with a multibillion-dollar payday — and there’s plenty of money and brainpower being spent on that effort already.

Consider, too, the challenges DHS faces in successfully launching a trusted identity program when the agency lacks the trust of the general public. In the Ponemon Institute’s annual Privacy Trust Study of the United States Government, DHS ranked 70th among the 75 federal agencies studied. The Citizenship and Immigration Services agency and Customs and Border Protection agency, both of which are part of DHS, ranked 74th and 75th, respectively.

If DHS believes that a more secure online experience will enhance homeland defense, that goal would be better served by the creation of an educational program that makes people more aware of how to safely conduct online activities. When you get beyond the Beltway, you find that too many people are making unsafe decisions online not because the technologies and techniques are lacking but because they simply don’t know any better. If left to persist, public ignorance will be the downfall of any trusted identity strategy.

In a country where Nepali’s, Bangladeshis and Pakistani’s can practically walk across the border – why should a terrorist bother to fake a biometric passport?

It could come useful in certain situations. Why would someone like David Headley risk a clandestine crossover, when he could live in the best of hotels, mix in the most hallowed social circles – legally? It’s also a neat trick to shift blame to an Indian citizen, after a terrorist attack.

But an “attack” is not the only thing a cloned biometric passport can be used for. It can also be used to steal your identity. For cheap. If my last post made you believe it’s almost impossible to mess around with a biometric passport, I’m very sorry. Because this one – is about how it’s already been done. With equipment that costs less than ten thousand rupees.

Lukas Grunwald, a German security expert, did it in 2006. British newspapers reported on a similar stunt by Adam Laurie, in 2007. Jeroen Van Beek, a researcher in the Netherlands, actually walked into Amsterdam airport with a fake biometric passport made in the name of Elvis Presley. He was not stopped.

Just Google their exploits – most technically minded terrorists probably already have. Here’s a quick account of how they did it.

A biometric passport has a chip, about the size of the one in your mobile phone SIM. That chip is embedded in a radio transmitter, slightly smaller than your visiting card. The entire unit is then sealed, into the last, thick page of our passports. You’ll get one of these things when you apply to renew your passport.

Effectively – this passport is now a tiny radio transmitter. It emits radio signals at a certain frequency. And over those radio waves, it transmits the information stored in its chip.

If you have a radio scanner listening in on that specific frequency – you can intercept that data. You could be standing ten meters away, you wouldn’t even need to touch the passport. You could read it, then clone it.

I’ll get into the specifics later. But here’s why you should begin to get worried.

1.) Let’s say a terrorist knows he looks a fair bit like you. First, he’d clone all your passport details by eavesdropping on the chip. Then insert his new, cloned chip into a fake paper passport he’s already made.

He’d grow a beard or a pony tail – to confuse the airport guards. When they test his passport on their reader, it wouldn’t ring any alarms – after all it’s a perfect clone of a perfectly valid passport.

When they try to physically cross check his appearance against your facial image stored on the chip, they wouldn’t spot a difference. A biometric facial or fingerprint scanner would have rung alarms – but they’re very expensive and used at very few counters. So a terrorist COULD cross borders – using YOUR passport details.

There is also a psychological problem – if the machine says a passport is OK, airport officials will tend to believe it and drop their guard. They won’t bother to do a more careful physical check. Because that would take more time – and after all wasn’t the biometric passport meant to save time at check in counters?

2.) Or let’s say it’s scamsters who want to target you. The postman or courier boy who delivers your passport home, could copy details from its chip, without even opening the envelope. So could a hotel attendant abroad – when you show him your passport to book a room. Among those details, will be an exact digital copy of the first page of your passport.

This first page is something we often photocopy. We use it as a proof of identity – to open a bank account, to apply for a new phone connection, for a driving license etc. The scamster could send that first page to an Indian bank and open a new account in your name. And funnel in dirty money into it, without you ever knowing.

3.) There’s another loophole in the “Biometric Passport as extra security” scheme. When you walk into a country like the US with your passport, your info is not only scanned and crosschecked – it’s also stored on their servers for a very long time. This supposedly happens to all passports presented at immigration – part of their “War on Terror” is keeping track of the details and frequency of people’s visits.

In theory, a corrupt official in the department could gather your private data and sell it to people on the black market. Right now – someone else can’t easily match your unique biometrics. But technology gets better everyday, so a leak in the department would mean a terrorist could walk around with your identity.

4.) Another pinprick in the “security” angle. At least one researcher has shown how to trigger a small bomb when it comes close enough to radio signals transmitted by a particular country’s passport. Terrorists could also use a similar technique can to single out people of a particular country from a group – and target them for kidnapping/elimination.

It’s not just passports. The technology can be used to eavesdrop and clone other RFID or Radio Frequency Identification Devices. That includes the card you use to get entry into your office, your new driving license and perhaps even the upcoming UID or Universal Identity card.

Getting back to the passports. Inexpensive Radio Frequency scanners can easily be bought online. You could also build one by modifying the Bluetooth receiver on your PC. Software like Golden Reader, that let you communicate with a passport chip, are easily available on the net. The International Civil Aviation Organization or ICAO – the nodal agency behind the biometric passport movement, has it on its website.

When held over a passport reader at the airport, the chip and the reader first challenge each other with a code. Once each is satisfied the other’s a genuine party – the chip transmits the info it carries to the reader.

To prevent people from eves-dropping on this exchange, the designers of biometric passports used a simple trick. They printed a twenty four character, two line strip of data on one of the pages of the passport.

This “Strip” is called a “Machine Readable Zone”, or MRZ. Only after swiping this strip through a machine, would the passport reader be able to generate a valid challenge that the passport chip would respond to. So whoever wants to read the passport, would have to have it open, in his hand.

Smart. The problem is, the characters they’ve decided to print on that strip. Your date of birth, your passport number, its date of expiry and so on – in a specific pattern.

Clever programmers can guess those details. Your DOB, they find from sites like Facebook. From public databases online – they observe patterns in a long series of passport numbers. They also find out the number of passports issued everyday in the country.

They feed all that research into a maths formula that’s often used by companies to generate things like random credit card numbers. And crack the MRZ of your passport, on a normal home PC, in under two hours. The big expense – about Rs 10,000 for a radio scanner. With the MRZ code, a terrorist or scamster can suck data from your chip, standing upto ten meters away at the check in counter.

Governments could of course put in place a more complex passport numbering system. But though such demonstration attacks have been widely reported in the foreign press, they haven’t moved on this yet.

When someone like a postman has the luxury of holding your physical passport in his hand, he can suck it dry with another trick. He swipes the passport against his radio scanner many, many times.

The more the number of swipes, the higher the chance of the computer mathematically guessing the security code. In an ATM, if you enter the wrong code thrice – you’re locked out and can’t withdraw any money. A similar safety feature hasn’t yet been built into these passport chips.

A small backgrounder on how all this started in the first place. After 9/11, America decided that all foreigners entering its borders would need to have machine readable passports with biometrics – on the assumption that these would be tough to forge.

It demanded this of the 27 countries that had a visa waiver agreement with it. Most of Europe fell in line and soon, the rest of the world.

After researchers publicly carried out attacks on these passports, FIDIS, or the “Future of Identity in the Information Age” – a European Union funded body called the technology used in them “poorly conceived”.

“European governments have forced their citizens to adopt documents which dramatically reduce their security and privacy and increase the risk of identity theft.”

The Indian Government however – doesn’t seem to have listened.

A commonly-used cancer drug can make patients’ fingerprints disappear, potentially causing problems for foreign travel, a doctor warns.

One patient was held by US immigration officials for four hours before they allowed him to enter the country.

The case is highlighted in the journal Annals of Oncology.

The patient’s doctor, Eng-Huat Tan, from Singapore, advised all travellers to the US being treated with the drug capecitabine to carry a doctor’s note.

Dr Tan, based at the National Cancer Centre in Singapore, said several other patients had also reported loss of fingerprints on blog sites, with some also having problems entering the US.

Dr Eng-Huat Tan
National Cancer Centre, Singapore

His patient, a 62-year-old man, had head and neck cancer that had spread, but which had responded well to chemotherapy.

He was prescribed capecitabine to help prevent the cancer coming back.

Although the drug is commonly used to treat a range of cancers, it can cause chronic inflammation of the palms or soles of the feet, leading to peeling, bleeding or blistering of the skin.

Over time this can lead to the loss of fingerprints.

Dr Tan’s patient developed mild side effects, and because they did not affect his daily life, it was decided that he should keep on taking a low dose of the drug.

In December 2008, after more than three years of capecitabine he travelled to the US to visit relatives.

Dr Tan said: “He was detained at the airport customs for four hours because the immigration officers could not detect his fingerprints.

“He was allowed to enter after the custom officers were satisfied that he was not a security threat.

“He was advised to travel with a letter from his oncologist stating his condition and the treatment he was receiving to account for his lack of fingerprints to facilitate his entry in future.”

Security measures

Foreign visitors have been asked to provide fingerprints at USA airports for several years.

The images are matched with millions of visa holders to detect whether the new visa applicant has a visa under a different name.

It is uncertain when a patient will lose their fingerprints, and in this case the patient was not aware that he had.

Dr Tan said: “Patients taking long-term capecitabine may have problems with regards to fingerprint identification when they enter US ports or other countries that require fingerprint identification and should be warned about this.

“It is possible that there may be a growing number of such patients. They should prepare adequately before travelling to avert inconvenience.”

Martin Ledwick, of the charity Cancer Research UK, said: “In a minority of cases, some chemotherapy drugs can cause hand and foot syndrome, where the skin can begin to peel on the palms of the hands and soles of the feet.

“For most people, this is reasonably mild.”

We’ve all seen movies in which a character has a retinal scan to prove his or her identity before walking into a top-secret installation. That’s an example of a biometric system. In general, biometrics is a collection of measures of human physiology and behavior. A biometric system could scan a person’s fingerprint or analyze the way he or she types on a keyboard. The purpose of most biometric systems is to authenticate a person’s claimed identity.

Biometrics tend to be more convenient than other methods of identity authentication. You might forget your ID at home when you head out the door, but you’ll still be able to use biometric devices. Imagine verifying your identity while at the store by swiping your finger across a sensor.

But along with convenience and security comes a concern for privacy. For biometrics to work, there needs to be a database containing the relevant information for each individual authorized by the system. For example, at that top-secret installation, every employee’s biometric signature would have to be recorded so that the scanners could verify each person’s identity. This might not present much of a problem on its own. If the only data the system stores relates to the actual biometric measurements, privacy violations are at a minimum. But by their very nature, biometric systems collect more information than just the users’ fingerprints, retinal patterns or other biometric data. At a basic level, most systems will record when and where a person is at the time of a scan.

I Recognize That Face

Biometric systems with cameras may use facial recognition software or study the way you move to identify you.

You might think of fingerprint or retinal scanners when you hear the word Biometrics, but the term has a broader definition. Facial recognition technology falls into the biometric category. There are already several cameras on the market that can detect faces. A few are able to recognize and remember a group of faces. You just take a picture of a friend, tag the photo and the camera will automatically tag any future photos of that friend. It’s both cool and creepy.

Imagine using this technology in public places to identify the people passing through. For example, a major city might install cameras at high-traffic areas to scan for terrorists or identify criminals. While the motivation for using that technology might be pure, it creates difficult privacy issues. The city would have a record of everyone who passed through that neighborhood. The technology treats everyone as a suspect as if it’s only a matter of time before each of us commits a crime.

And what happens if the technology makes a mistake and misidentifies someone? Weather conditions, clothing, hairstyles and even the cleanliness of the lens could affect the ability of the camera to identify people. Critics might ask: Why install a system that’s unreliable?

What happens if a person suffers an illness or injury that changes his or her appearance? Such a change could present problems with biometrics. Adjusting the biometric system to accommodate the change could also result in a violation of the user’s privacy. The system administrator now knows more details about the user.

A society with pervasive biometric systems would make anonymity a virtual impossibility. Should that society become oppressive or otherwise abusive to the population, the citizens would have few opportunities to react without revealing their own identities.

Groups like the Biometrics Institute are aware of privacy concerns and strive to create processes to limit the chance for biometric applications to violate a person’s privacy. Other groups advocate that companies, governments and other organizations conduct a privacy assessment before installing a biometric system. With vigilance and caution, we may find a way to incorporate biometrics into our lives and still maintain our privacy.

I do find it a bit ironic that the same Senator Schumer seeking to force Facebook to change its privacy policies – rightly so I might add - is simultaneously leading the push in Congress to require all Americans to have national ID cards.

The concept for a National ID Card with biometric identifiers – like fingerprints, facial, and/or iris scans – is being proposed for inclusion in the coming immigration reform legislation. There are a number of reasons why this concerns me, most notably the fact that its part of much larger pattern of government expansion of power through increasingly intrusive assaults on our civil liberties. All of course, in the name of keeping us safe, and protecting us usually from one kind of brown person or another. Now, instead of pandering to those afraid of “terrorists” on every street corner, this seems to be pandering to those unduly afraid of the “illegal immigrant threat”.

Consider, biometrics technology is the computerized matching of an individual’s personal characteristics against an image or database of images. Initially, the system captures a fingerprint, picture, or some other personal characteristic, and transforms it into a small computer file (often called a template). The next time someone interacts with the system, it creates another computer file (often called a sample), and compares it to the original template or tries to find a match in its database. Because every sample is a little different, biometrics really asks whether the sample is similar enough to the template.

So let’s be real clear, creating a database with 100′s of millions of facial scans and thumbprints raises a host of surveillance, tracking and security questions, and consumer hassles with the DMV - never mind the enormous cost.

Privacy expert Bruce Schneier recently pointed out some of pro’s and con’s of a biometric based ID:

Biometrics can vastly improve security, especially when paired with another form of authentication such as passwords. But it’s important to understand their limitations as well as their strengths. On the strength side, biometrics are hard to forge. It’s hard to affix a fake fingerprint to your finger or make your retina look like someone else’s. Some people can mimic voices, and make-up artists can change people’s faces, but these are specialized skills.

On the other hand, biometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. Regularly, hackers have copied the prints of officials from objects they’ve touched, and posted them on the Internet. We haven’t yet had an example of a large biometric database being hacked into, but the possibility is there. Biometrics are unique identifiers, but they’re not secrets.

And a stolen biometric can fool some systems. It can be as easy as cutting out a signature, pasting it onto a contract, and then faxing the page to someone. The person on the other end doesn’t know that the signature isn’t valid because he didn’t see it fixed onto the page. Remote logins by fingerprint fail in the same way. If there’s no way to verify the print came from an actual reader, not from a stored computer file, the system is much less secure.

…

A more secure system is to use a fingerprint to unlock your mobile phone or computer. Because there is a trusted path from the fingerprint reader to the stored fingerprint the system uses to compare, an attacker can’t inject a previously stored print as easily as he can cut and paste a signature. A photo on an ID card works the same way: the verifier can compare the face in front of him with the face on the card.

Fingerprints on ID cards are more problematic, because the attacker can try to fool the fingerprint reader. Researchers have made false fingers out of rubber or glycerin. Manufacturers have responded by building readers that also detect pores or a pulse.

The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there’s a guard with a large gun making sure no one is trying to fool the system.

…

One more problem with biometrics: they don’t fail well. Passwords can be changed, but if someone copies your thumbprint, you’re out of luck: you can’t update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you’re stuck. The failures don’t have to be this spectacular: a voiceprint reader might not recognize someone with a sore throat, or a fingerprint reader might fail outside in freezing weather. Biometric systems need to be analyzed in light of these possibilities.

Biometrics are easy, convenient, and when used properly, very secure; they’re just not a panacea. Understanding how they work and fail is critical to understanding when they improve security and when they don’t.

So, from Schneier’s perspective, it does seem that requiring ALL AMERICANS to carry these, particularly with the fingerprint or the iris as the biometricidentifier, doesn’t make much sense, and poses a significant threat to onesidentity being stolen – not protected.

The Consumer Federation of California joined with the ACLU and a host of other organizations to oppose the transition to biometric drivers licenses here in California not long ago. Some of the privacy concerns we raised during that debate include:

Right to Privacy – Personal Freedom and Security

o Whether biometric images should be collected, which images should be collected (i.e. facial v. thumbprint scan), who has access to those images, and for what purposes are the preliminary privacy questions that should addressed to protect individuals’ constitutional right to privacy.

o The Creation of Dossiers about Individuals and their Activities: Where a biometric identifier is used as a unique identifier to catalogue personal information about an individual, it would enable monitoring, tracking and surveillance of individuals. This concern applies to both the government and databrokers/private industry using the same biometric to gather information.

Threat to Anonymity and Anonymous Speech: Unless current law is changed, the biometric thumbprints and facial scans from the DMV will be used in criminal investigations, and as public and private surveillance cameras become more ubiquitous, the likelihood rises of using facial recognition to identify andsurveil innocent people just walking down the street or engaged in First Amendment protected speech on political or labor issues.

The Supreme Court has found that compelling an individual to disclose his or her political ideas or affiliations to the government deters the exercise of First Amendment rights. The right to anonymous speech, protest and leafleting are critical to our democracy.

o Perceived Infallibility and Inaccuracy: The concept that each of us is unique does not always translate into accurate biometric identification. Computer “matches” must be reviewed visually by people to confirm the accuracy. And, even then, errors are made.

Brandon Mayfield, the Oregon Attorney, was erroneously linked to the 2004 Madrid train bombings after his prints were misidentified and he was held by the FBI for two weeks, though he was never charged. His prints were “identified” through the Integrated Automated Fingerprint Identification System (IAFIS). IAFIS identified a few potential matches that were then reviewed by a fingerprint examiner and an outside experienced fingerprint expert.

o What is the “bang for the buck” that California (or in this case the US) would get from undefined changes being proposed in the nature and use of these biometric databases? How much is the whole system going to cost? How much would be borne by the state, how much would be borne by individuals?

We do know that creating biometric database systems (facial image and thumbprint) will be very costly, and even more costly to do correctly (in addition to the technology, staff needs be trained, and there must be technical and due process protections in place to ensure that people’s licenses are not wrongly denied or taken away because of an error).

The Legislative Analysts Office raised their own privacy concerns,particularly regarding whether the data would be stored by a private vendor, and whether states that have experienced a 5-10 percent reduction in fraud using biometrics is necessarily relevant to state’s that already have secure cards and issuance processes. In other words, the Legislature (or Congress in this case)would need to assess costs of implementing a biometrics system in light of the cost of implementing other solutions and the actual number of fraudulent IDs prevented.

EFF, in its opposition to this concept as a component of PASS ID (a slightly scaled back version of REAL ID), wrote:

Proponents seem to be blind to the systemic impotence of such an identification card scheme. Individuals originally motivated to obtain and use fake IDs will instead use fake identity documents to procure “real” drivers’ licenses. PASS ID creates new risks — it calls for the scanning and storage of copies of applicants’ identity documents (birth certificates, visas, etc.). These documents will be stored in databases that will become leaky honeypots of sensitive personal data,prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database.

…proponents of the national ID effort seem blissfully unaware of the creepy implications of a “papers please” mentality (think Arizona) that may grow from the issuance of mandatory federal identification cards.

Do we really want to create a multibillion-dollar program – at a time of economic recession and growing deficits – that enhances opportunities for identity theft, turns state motor vehicle departments into arms of U.S. Immigration and Customs Enforcement and will almost certainly lead to harassment of immigrants, legal or otherwise?

It would also complicate efforts by some states to issue driver’s licenses to illegal immigrants, because such licenses would require special markings to signal that the bearer is here illegally. Sensible measures to enforce our immigration laws is one thing, but anything that discourages undocumented immigrants from getting driver’s licenses endangers all drivers on the road and raises insurance costs for everyone.

So if we put everything into that one document – make it the be-all and end-all of identification for most Americans – what might we have? An invasion of ordinary citizens’ privacy and phony documentation in the hands of identity thieves and potential terrorists that we believe too readily is authentic.

Let’s remember too the state reaction to REAL ID, with at least 42 states have considered anti-Real ID legislation, and another 25 states have enacted anti-real ID bills or resolutions, and fourteen of those states have passed binding legislation prohibiting participation in the Real ID program. Six more states have already passed resolutions or statutes in 2009.

Imposing a first-ever national identity card system, even if just for employment, would violate privacy by helping to consolidate data and facilitate tracking, and over time its use will almost certainly expand to cover other activities necessary to participate in society.

Here’s a couple clips from an article in United Press International this week:

On a five-year timetable the biometric cards would replace Social Security cards and would be used to prove eligibility for employment. Card scanners would be issued to all U.S. employers. The cards would at least have the capability of being linked to a central data system.

Like all controversial government programs, the proposed national ID card has an innocuous name: When Senate Democratic leaders unveiled the new program last month they called it Biometric Enrollment, Locally Stored Information and Electronic Verification of Employment – or “Believe,” for short.

…

The difference would be in the biometric information and the universality of the employment requirement. However, the opportunities for abuse by unscrupulous government employees are obvious.

The proposal rang alarm bells at the American Civil Liberties Union in Washington. While criticizing several aspects of proposed immigration reform, the group is concentrating its criticism on the ID cards.

“If the biometric national ID card provision of the draft bill becomes law, every worker in America would have to be fingerprinted and a new federal bureaucracy — one that could cost hundreds of billions of dollars — would have to be created to issue cards,” the organization said in a statement. “The ACLU strongly opposes the inclusion of a biometric national ID in this or any comprehensive immigration reform bill and urges senators to reject such an ID card.”

In his own statement, Christopher Calabrese, ACLU legislative counsel, said: “Creating a biometric national ID will not only be astronomically expensive, it will usher government into the very center of our lives. Every worker in America will need a government permission slip in order to work. And all of this will come with a new federal bureaucracy — one that combines the worst elements of the (Department of Motor Vehicles) and the (U.S. Transportation Security Administration). America’s broken immigration system needs real, workable reform, but it cannot come at the expense of privacy and individual freedoms.”

Click here to read more.

So my position is clear. What I particularly don’t like about it is the pattern for which it is a part of…a pattern of deteriorating privacy, increasing government and corporate powers and authority, and the expanding number of ways in which “security” and “safety” are used to scare people into giving up those very things.

If nothing else, before anything remotely like this becomes law, I would like to see an open, vigorous debate, and if the public goes and the legislature truly goes for it, then a series of steps need to be taken to implement it in a way that is fair, reasonable and secure.

Posted by CFC at Thursday, May 13, 2010

Issues Corporate Accountability, Data Protection, Government Surveillance, Records Privacy, Social Security Numbers

Ed Imwinkelried, Chair and Michael Cherry, Vice Chair - The Digital Technology Committee of the National Association of Criminal Defense Lawyers reporting that fingerprint evidence cannot be trusted. You read that right.

The Digital Technology Committee of the National Association of Criminal Defense Lawyers believes it can prove that the methods used by today’s fingerprint examiners are insufficient to establish fingerprint uniqueness.

Our membership includes experienced pattern recognition scientists who have appeared before the National Academies of Science and worked with the U.S. Department of Commerce National Institute of Standards and Technology(NIST).  Before becoming involved in forensic issues, they received letters of appreciation from the U.S. Executive Office of the President, the Director of NIST, and the White House Y2K Czar.

For example, NIST invited them to participate as members of an ad hoc working group on Data Formats for the Interchange of Fingerprint, Facial, Scar, Mark, and Tattoo (SMT) Information.  These standards define the content, format, and units of information that are used for the fingerprint, facial, or SMT identification of a subject.  They not only participated on this project;  they were also permitted to vote to replace the lossy compression scheme used by the FBI and other law enforcement agencies–a scheme that saved space by sacrificing detail.  Other voters included Interpol, Germany’s Federal Criminal Police Office, the Netherlands National Police Agency, and the Royal Canadian Mounted Police.

Most recently, they have turned our attention to fingerprint analysis.  In our opinion, the ACE-V methodology should be renamed PACE-V — partial analysis comparison evaluation and verification; examiners analyze incomplete information.  We are eager to participate in DAUBERT/FRYE hearings to expose the insufficiency of the current paradigm.

You can contact us at:

Michael Cherry, Vice Chair                                                               Ed Imwinkelried, Chair

201 513-8300                                                                                                        530 752-0727

New Delhi, May 03, 2010

First Published: 01:16 IST(3/5/2010)

Last Updated: 01:22 IST(3/5/2010)

A trial run of full body scanners will start at Delhi airport later this month.

The Delhi International Airport Ltd (DIAL), which runs Delhi airport, inked an agreement with American Science and Engineering Inc (AS&E) to supply the scanners — which reveal every detail of the human body, including the genitals — to screen passengers.

The Bureau of Civil Aviation Security (BCAS) has cleared the specifications of the new scanner. Sources said the civil aviation ministry has written to the customs department to suggest duty on the scanning equipment being installed on a trial basis should be waived.

DIAL refused to confirm the order with one officer claiming the company does not speak on security-related issues.

AS&E’s is a US-based manufacturer whose list of clients includes the US Department of Homeland Security and the US Department of Defense, her Majesty’s Customs & Excise (UK), NATO, and the Royal Thai Police (Thailand), according to the company’s website.

At present, security checks at Indian airports comprise pat-down searches, doorframe metal detectors and hand-held device scans. A final decision on whether to buy the scanners — which have raised questions of human rights violation — will be taken after the trial run.

Written by RSN Press Release,  SATURDAY, 17 APRIL 2010 15:40

The Rutherford Institute Joins with Broad Coalition to Urge White House and Members of Congress to Oppose Biometric National ID Card

Groups Insist That Comprehensive Immigration Reform Must Respect Civil Liberties and Privacy

WASHINGTON – The Rutherford Institute has joined with a broad coalition of groups urging the White House, the House and Senate Judiciary Committees, the House Ways and Means Committee and the Senate Finance Committee to oppose a proposal by Senators Charles Schumer (D-NY) and Lindsey Graham (R-SC) that would include a biometric national ID card in comprehensive immigration reform legislation.

Signatories to the letter opposing the national ID card are from across the political spectrum and include advocates for privacy, consumer rights, gun owners, limited government and religious liberty.

(A copy of the coalition’s letter is available bellow)

“No one disputes that our broken immigration system harms both immigrants and non-immigrants, but a full scale National ID system is not the solution,” said John W. Whitehead, president of The Rutherford Institute. “A National ID would not only violate privacy by helping to consolidate data and facilitate tracking of individuals, it would bring government into the very center of our lives by serving as a government permission slip needed by everyone in order to work.”

A biometric ID card, like the kind under consideration for inclusion in the comprehensive immigration reform legislation being considered by Congress, is a national system for identifying individuals that is used to determine if they are eligible for rights and benefits-a classic national ID. In order to create a biometric ID, every worker in America would have to present a birth certificate and other identification documents, then have his or her biometric, like a fingerprint, captured.

In its letter, the coalition stated, “A National ID would not only violate privacy by helping to consolidate data and facilitate tracking of individuals, it would bring government into the very center of our lives by serving as a government permission slip needed by everyone in order to work.” Both Republicans and Democrats have opposed a National ID system. President Reagan likened a 1981 proposal to the biblical “mark of the beast,” and President Clinton dismissed a similar plan because it smacked of Big Brother. Furthermore, as the letter points out, contrary to the contentions of Senators Schumer and Graham, it would be impossible to create such a system without establishing a national database-a central electronic repository-of Americans’ personal information.

Every government identification system currently in existence requires a database. Databases are necessary in order to reissue lost or stolen cards and as a check on fraud and abuse. Without record keeping, the same Social Security number and birth certificate could be used again and again to issue new cards to different people-defeating the entire purpose of the system. Such a central repository will be irresistible to identity thieves, hackers and those who want to misuse personal information for crimes like stalking.

_______________________________________________________________________

April 14, 2010

United States Senate

Washington, DC 20510

Re: Oppose Schumer/Graham Biometric National ID Proposal within Comprehensive Immigration Reform

Dear Senator:

We write today to express our opposition to a proposal by Senators Charles Schumer (D – NY) and Lindsey Graham (R – SC) to create a biometric Social Security card – one that relies on personal characteristics like fingerprints to identify individuals. No one disputes that our broken immigration system harms both immigrants and non-immigrants, but a full scale National ID system is not the solution.

Both Republicans and Democrats have opposed a National ID system. President Reagan likened a 1981 proposal to the biblical “mark of the beast,” and President Clinton dismissed a similar plan because it smacked of Big Brother. A National ID would not only violate privacy by helping to consolidate data and facilitate tracking of individuals, it would bring government into the very center of our lives by serving as a government permission slip needed by everyone in order to work. As happened with Social Security cards decades ago, use of such ID cards would quickly spread and be used for other purposes – from travel to voting to gun ownership.

Contrary to the contentions of Senators Schumer and Graham, it would be impossible to create such a system without establishing a national database – a central electronic repository – of Americans’ personal information. Every government identification system currently in existence requires a database. Databases are necessary in order to reissue lost or stolen cards and as a check on fraud and abuse. Without record keeping, the same Social Security number and birth certificate could be used again and again to issue new cards to different people – defeating the entire purpose of the system. Such a central repository will be irresistible to identity thieves, hackers and those who want to misuse personal information for crimes like stalking. The cost of this system will be extraordinary, running to hundreds of billions of dollars and dwarfing the expense associated with other parts of immigration reform. As one example, the federal government recently began to issue a limited number of biometric ID cards, called Transportation Worker Identification Credentials. It is estimated that the Department of Homeland Security will spend $1.9 billion to issue cards to approximately 1 million workers.

Expanded to the entire US workforce of 150 million people, that would translate to a proportionately greater cost of $285 billion. A biometric system would likely have to be fee based – requiring not just government permission, but also a government fee to work. Adding insult to injury, this unaffordable scheme will probably never work. Even ignoring the enormous difficulties of creating a system to fingerprint every worker and distributing readers to employers across the country, the truth is that some employers prefer the ambiguity of the current process.

Unless significantly greater resources are dedicated to enforcing the law, employers will continue to have a strong incentive to circumvent a broken system. Such enforcement could be accomplished just as easily without a National ID.

A biometric ID system would be controversial and unpopular with constituencies across the ideological spectrum. It would require the fingerprinting of every American worker – not just immigrants. It would also require the creation of a bureaucracy that combines the worst elements of the Transportation Security Administration and state Motor Vehicle Departments. For all of these reasons we believe that a National ID system should play no part in the otherwise needed reform of our immigration system.

Sincerely,

American Civil Liberties Union

American Library Association

American Policy Center

Americans for Tax Reform

Bill of Rights Defense Committee

Calegislation

Campaign for Liberty

Center for Digital Democracy

Center for Financial Privacy and Human Rights

Citizen Outreach

Citizens Against Government Waste

Citizens Committee for the Right to Keep and Bear Arms

Competitive Enterprise Institute

Consumer Action

Consumer Federation of America

Consumer Watchdog

Cyber Privacy Project

Defending Dissent Foundation

DownsizeDC.org, Inc.

Electronic Frontier Foundation

Electronic Privacy Information Center

Equal Justice Alliance

Former Congressman Bob Barr

Hispanic Leadership Fund

Home School Legal Defense Association

Indian American Republican Council

Liberty Coalition

National Center for Transgender Equality

National Lawyer’s Guild–National Office

National Whistleblower Center

Patient Privacy Rights

Privacy Activism

Privacy International

Privacy Journal

Privacy Lives

Privacy Rights Clearinghouse

Privacy Times

PrivacyRightsNow Coalition

Rutherford Institute

The 5-11 Campaign

The Identity Project

The Multiracial Activist

U.S. Bill of Rights Foundation

World Privacy Forum

NEW DELHI: After seeking information from the US authorities on who picked up the tab for Pakistani-American terrorist David Coleman Headley’s credit cards, security agencies have launched a crackdown against terror suspects using international cards as a mode of funding their operations in India.

In two operations in Lucknow and Delhi, intelligence agencies with the help of local police seized more than 65 international credit cards with at least Rs 4-5 crore withdrawn on them and distributed to sleeper cells, sources said.

In the first operation, the Anti-Terrorist Squad of the UP police last month recovered 20 international cards from two individuals in Lucknow after a close surveillance revealed that they were using the credit cards to draw money and pass it on to sleeper cells in the city on the instructions of Nepal-based masterminds.

In a similar action in the national Capital, officials of the Delhi Police raided a resident in Rohini and recovered 45 international credit cards from his possession along with Rs 6 lakh in cash. Initial questioning of the accused in both the cases that the revealed money was paid in Nepal and the operatives in Lucknow and Delhi were instructed to withdraw it and pass it on to contacts as per orders.

While the income tax department is on the job to map the economic footprint of these jehadis within the country, the government has roped in the Enforcement Directorate to register and investigate each of these cases to identify the sources of transactions made in foreign countries on these cards and further investigate the cases under the Prevention of Money Laundering Act (PMLA).

Meanwhile, the government is in touch with the authorities in US and Canada to ascertain who had paid for the credit card bills of Headley and other accused linked to the 26/11 Mumbai terror attack.

A year-long investigation in the use of international credit cards by terror suspects in India has revealed that at least Rs 20-25 crore had been spent by them in the recent past across the country. These credit cards were issued in US, Canada, UK, Dubai, Nepal and Bangladesh and the bills were picked up by terror masterminds based there. Agencies are identifying all such payment gateways, their beneficiaries and sponsors.

The authorities are hopeful of busting the terror and narcotics syndicates by establishing a link between the users of such credit cards and their masterminds who are picking up the tab. Though the FBI has shared some details with the National Investigation Agency while referring to Headley’s co-accused Tahawwur Hussain Rana’s company, World Immigration Service, as one of the funding sources which also provided him a cover for his jehadi mission, it is not yet clear who picked up Headley’s credit card bills in the US.

Sources said Pakistan-based jehadi outfits are using the new modus operandi to fund their operatives in India without alerting the security agencies as the earlier hawala mode of funding had come under close surveillance.

CSI Fraud: researchers craft fake DNA evidence

Ronald Bailey | March 17, 2010

Earlier this week, the New York Times ran a provocative op/ed by Yale law student Michael Seringhaus in which he advocated that the DNA profiles of every American be kept in a central forensic database. The goal of such a database is to help the police fight crime by better enabling them to find perpetrators who leave DNA traces at the scenes of their misdeeds. Current forensic DNA databases generally contain DNA profiles from convicts, but many states and the feds are now also including DNA profiles from arrestees.

Seringhaus thinks the current system is unfair because the databases are racially skewed. He also notes that the practice of familial searches which partial DNA matches can point to family members of people who already have their DNA on file, putting a criminal’s family members under a cloud of suspicion although they have not been arrested nor convicted of any crime. Seringhaus is right when he notes that the DNA profiles can be used only for identification and does not reveal other genetic information provided that the DNA samples are destroyed once the profiles are digitally encoded. So what does he think are the advantages of a universal DNA database?

A much fairer system would be to store DNA profiles for each and every one of us. This would eliminate any racial bias, negate the need for the questionable technique of familial search, and of course be a far stronger tool for law enforcement than even an arrestee database.

This universal database is tenable from a privacy perspective because of the very limited information content of DNA profiles: whereas the genome itself poses a serious privacy risk, Codis-style profiles do not.

A universal record would be a strong deterrent to first-time offenders — after all, any DNA sample left behind would be a smoking gun for the police — and would enable the police to more quickly apprehend repeat criminals. It would also help prevent wrongful convictions.

As a practical matter, universal DNA collection is fairly easy: it could be done alongside blood tests on newborns, or through painless cheek swabs as a prerequisite to obtaining a driver’s license or Social Security card. Once a biological sample was obtained, its use must be limited to generating a DNA profile only, and afterward the sample would be destroyed. Access to the DNA database would remain limited to law enforcement officers investigating serious crimes.

Since every American would have a stake in keeping the data private and ensuring that only the limited content vital to law enforcement was recorded, there would be far less likelihood of government misuse than in the case of a more selective database.

Interestingly, the American Civil Liberties Union is opposed to collecting DNA samples from anyone prior to conviction, specifically citing the problam of increasing racial disparities in the databanks. However, it would seem that Seringhaus’ proposal for a universal DNA databank would obviate the ACLU’s racial disparity argument. The ACLU is also worried that DNA samples might be used in ways that violate individual privacy, but once again, that objection fails if the samples are destroyed after the DNA ID profiles are encoded. The main ACLU objection is:

In America, people are presumed innocent until proven guilty. Thousands of people are arrested or detained every year and never charged with a crime. Housing a person’s DNA in a criminal database renders that person an automatic suspect for any future crime – without warrant, probable cause, or individualized suspicion.

Law enforcement already has ample authority to collect a DNA sample from an arrested individual in those cases where a court-issued warrant supported by probable cause is first obtained.

But is DNA profiling all that legally different from fingerprinting? After all, the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) and the Department of Homeland Security’s (DHS) Automated Biometric Identification System (IDENT) already contain the fingerprints of millions of people, both criminal and civil. Back in 2002, I noted:

The legislators and police argue that this expansion of DNA testing simply builds on a century’s experience with ordinary fingerprinting. After all, obtaining a DNA sample with a cheek swab is not much more invasive than staining a suspect’s fingers with ink, and it’s a lot less invasive than alcohol blood testing or semen collection. According to this view, DNA testing is just another, perhaps more effective way to establish a suspect’s identity and presence at a crime scene.

In 2006, in a column on using familial DNA searches, I predicted:

…that since collecting DNA is no more invasive than fingerprinting, it seems very likely that a similarly sized national DNA database will be created in the near future. And who knows—someday your genetic profile may be embedded in your national ID card too. Heck, who needs a national ID card if every cop has a fast DNA reader and wireless electronic link to the comprehensive national DNA database? If we want to avoid becoming a database nation, the time to stop it is now.

One final thought–by the end of this decade nearly everyone’s physician will have a digital record of his or her complete genome on file. Here’s betting that the police will regularly seek and get warrants to access the medical genome files of suspects by 2020.

Disclosure: I am still a member of the ACLU.