Written by RSN Press Release,  SATURDAY, 17 APRIL 2010 15:40

The Rutherford Institute Joins with Broad Coalition to Urge White House and Members of Congress to Oppose Biometric National ID Card

Groups Insist That Comprehensive Immigration Reform Must Respect Civil Liberties and Privacy

WASHINGTON – The Rutherford Institute has joined with a broad coalition of groups urging the White House, the House and Senate Judiciary Committees, the House Ways and Means Committee and the Senate Finance Committee to oppose a proposal by Senators Charles Schumer (D-NY) and Lindsey Graham (R-SC) that would include a biometric national ID card in comprehensive immigration reform legislation.

Signatories to the letter opposing the national ID card are from across the political spectrum and include advocates for privacy, consumer rights, gun owners, limited government and religious liberty.

(A copy of the coalition’s letter is available bellow)

“No one disputes that our broken immigration system harms both immigrants and non-immigrants, but a full scale National ID system is not the solution,” said John W. Whitehead, president of The Rutherford Institute. “A National ID would not only violate privacy by helping to consolidate data and facilitate tracking of individuals, it would bring government into the very center of our lives by serving as a government permission slip needed by everyone in order to work.”

A biometric ID card, like the kind under consideration for inclusion in the comprehensive immigration reform legislation being considered by Congress, is a national system for identifying individuals that is used to determine if they are eligible for rights and benefits-a classic national ID. In order to create a biometric ID, every worker in America would have to present a birth certificate and other identification documents, then have his or her biometric, like a fingerprint, captured.

In its letter, the coalition stated, “A National ID would not only violate privacy by helping to consolidate data and facilitate tracking of individuals, it would bring government into the very center of our lives by serving as a government permission slip needed by everyone in order to work.” Both Republicans and Democrats have opposed a National ID system. President Reagan likened a 1981 proposal to the biblical “mark of the beast,” and President Clinton dismissed a similar plan because it smacked of Big Brother. Furthermore, as the letter points out, contrary to the contentions of Senators Schumer and Graham, it would be impossible to create such a system without establishing a national database-a central electronic repository-of Americans’ personal information.

Every government identification system currently in existence requires a database. Databases are necessary in order to reissue lost or stolen cards and as a check on fraud and abuse. Without record keeping, the same Social Security number and birth certificate could be used again and again to issue new cards to different people-defeating the entire purpose of the system. Such a central repository will be irresistible to identity thieves, hackers and those who want to misuse personal information for crimes like stalking.

_______________________________________________________________________

April 14, 2010

United States Senate

Washington, DC 20510

Re: Oppose Schumer/Graham Biometric National ID Proposal within Comprehensive Immigration Reform

Dear Senator:

We write today to express our opposition to a proposal by Senators Charles Schumer (D – NY) and Lindsey Graham (R – SC) to create a biometric Social Security card – one that relies on personal characteristics like fingerprints to identify individuals. No one disputes that our broken immigration system harms both immigrants and non-immigrants, but a full scale National ID system is not the solution.

Both Republicans and Democrats have opposed a National ID system. President Reagan likened a 1981 proposal to the biblical “mark of the beast,” and President Clinton dismissed a similar plan because it smacked of Big Brother. A National ID would not only violate privacy by helping to consolidate data and facilitate tracking of individuals, it would bring government into the very center of our lives by serving as a government permission slip needed by everyone in order to work. As happened with Social Security cards decades ago, use of such ID cards would quickly spread and be used for other purposes – from travel to voting to gun ownership.

Contrary to the contentions of Senators Schumer and Graham, it would be impossible to create such a system without establishing a national database – a central electronic repository – of Americans’ personal information. Every government identification system currently in existence requires a database. Databases are necessary in order to reissue lost or stolen cards and as a check on fraud and abuse. Without record keeping, the same Social Security number and birth certificate could be used again and again to issue new cards to different people – defeating the entire purpose of the system. Such a central repository will be irresistible to identity thieves, hackers and those who want to misuse personal information for crimes like stalking. The cost of this system will be extraordinary, running to hundreds of billions of dollars and dwarfing the expense associated with other parts of immigration reform. As one example, the federal government recently began to issue a limited number of biometric ID cards, called Transportation Worker Identification Credentials. It is estimated that the Department of Homeland Security will spend $1.9 billion to issue cards to approximately 1 million workers.

Expanded to the entire US workforce of 150 million people, that would translate to a proportionately greater cost of $285 billion. A biometric system would likely have to be fee based – requiring not just government permission, but also a government fee to work. Adding insult to injury, this unaffordable scheme will probably never work. Even ignoring the enormous difficulties of creating a system to fingerprint every worker and distributing readers to employers across the country, the truth is that some employers prefer the ambiguity of the current process.

Unless significantly greater resources are dedicated to enforcing the law, employers will continue to have a strong incentive to circumvent a broken system. Such enforcement could be accomplished just as easily without a National ID.

A biometric ID system would be controversial and unpopular with constituencies across the ideological spectrum. It would require the fingerprinting of every American worker – not just immigrants. It would also require the creation of a bureaucracy that combines the worst elements of the Transportation Security Administration and state Motor Vehicle Departments. For all of these reasons we believe that a National ID system should play no part in the otherwise needed reform of our immigration system.

Sincerely,

American Civil Liberties Union

American Library Association

American Policy Center

Americans for Tax Reform

Bill of Rights Defense Committee

Calegislation

Campaign for Liberty

Center for Digital Democracy

Center for Financial Privacy and Human Rights

Citizen Outreach

Citizens Against Government Waste

Citizens Committee for the Right to Keep and Bear Arms

Competitive Enterprise Institute

Consumer Action

Consumer Federation of America

Consumer Watchdog

Cyber Privacy Project

Defending Dissent Foundation

DownsizeDC.org, Inc.

Electronic Frontier Foundation

Electronic Privacy Information Center

Equal Justice Alliance

Former Congressman Bob Barr

Hispanic Leadership Fund

Home School Legal Defense Association

Indian American Republican Council

Liberty Coalition

National Center for Transgender Equality

National Lawyer’s Guild–National Office

National Whistleblower Center

Patient Privacy Rights

Privacy Activism

Privacy International

Privacy Journal

Privacy Lives

Privacy Rights Clearinghouse

Privacy Times

PrivacyRightsNow Coalition

Rutherford Institute

The 5-11 Campaign

The Identity Project

The Multiracial Activist

U.S. Bill of Rights Foundation

World Privacy Forum

A bill under discussion in the U.S. Senate could force Americans to take sides on two issues that are extremely important to millions of people: illegal immigration versus privacy.

The controversial legislation appears to be a solution to the problem of illegal immigration. It would require the issuance of identification cards for all workers in the United States. Besides the name and photograph, these cards would contain biometric information, such as fingerprints, so they would be extremely difficult to manipulate.

The goal is to tie the worker to his or her card. If the information doesn’t check out, then the person isn’t eligible to work legally in the country.

It’s a bold move, but it is one that should make privacy advocates more than a little nervous.

The cards would be, in effect, a national ID card, a tool supported by some law enforcement officials a few years ago but was shot down by opponents who believe such a card could hamper freedoms. The concern rests with the possibility that if the cards can contain biometric information, then they could one day include tiny components that allow the government to track the movements of citizens.

This bill, which has sponsors from both major political parties, faces a difficult road to becoming a law, but it does draw out an important question: Is freedom more important than solving the immigration issue?

Illegal immigration is a problem. The costs of providing education, providing health care and other services for illegal immigrants are exorbitant. A biometric identification card could be the solution, but it also imposes on legal immigrants and citizens. Such a card could start our nation down the slippery slope of eventually having something in our wallets that allow the government to track our every move.

There are other solutions, such as improving and then enforcing the use of the E-Verify system, in which a person’s legal status is reviewed during the hiring process. The Utah Legislature is considering such a move, albeit without any real penalties for businesses that ignore it.

The point is that although legislation may curb a big problem related to approximately 12 million to 14 million illegal immigrants, it could cause even larger problems for the other 300 million-plus people in the country.

Even the potential for giving up freedom is too high of price to pay.

If Simple Credit Cards are cloneable just imagine how ”New ID cards” are supposed to be ‘unforgeable’ – but it took expert minutes to clone one, and program it with false data

By Cory Doctorow at 11:43 PM February 11, 2010

(Chip and PIN is broken via Schneier)

BBC: New flaws in chip and pin system revealed

Noted security researcher Ross Anderson and colleagues have published a paper showing how “Chip-and-PIN” (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn’t stop the banks from pushing ahead with it, spending a fortune in the process.

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

It’s no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) — in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you’re not even looking? The banks didn’t even realise they needed to check.

Randeep Ramesh in Delhi
guardian.co.uk, Wednesday 16 September 2009 20.33 BST
___________________________________________________________________________________________
In India, Big Brother just wants to help. The country’s 1.2 billion citizens are to be issued with a biometric identity card in an attempt to improve the delivery of India’s inefficient public services – a move civil liberties’ activists are condemning as the act of a “surveillance society”.

This month, the country began the ambitious scheme of issuing everyone with a unique identity number. Within the first five years of the scheme, giant computer servers will hold the personal details of at least 600 million people. The introduction of what will be one of the world’s most ambitious IT projects will cost an estimated £1.5bn.

The scheme is the brainchild of Nandan Nilekani, one of India’s best-known software tycoons and now head of the government’s Unique Identification Authority. “We are going to have to build something on the scale of Google but it will change the country … every person for first time [will] be able to prove who he or she was.”

The country’s red tape is legendary: Indians have dozens of types of identity verification, ranging from electoral rolls to ration cards, yet almost none can be used universally. The new system will be a national proof of identity, effective for everything, from welfare benefits to updating land records.

Nilekani said the scheme would help the poor especially. Moving from one state to another – a regular occurrence for poor villagers in search of work – often meant benefits were withdrawn because proof of residence was lacking. “This will mean maids and labourers … a hundred or two hundred million people – will be able to access welfare benefits for the first time without any questioning who they are.”

Eventually, cards will hold the person’s name, age, and birth date, as well as fingerprint or iris scans, though no caste or religious identification. “We are not profiling a billion people. This will provide an ID database which government can access online. There will be checks and balances to protect identities,” said Nilekani, who has also been in talks to create a personalised carbon account so that all Indians might buy “green technologies” using a government subsidy.

Doubts have been raised over privacy and the complex security needed to police such the system, as well as concerns that the project is just too ambitious. “We could have a hacking Olympics,” said Guru Malladi, a partner at Ernst & Young.

Civil liberty campaigners fear the card could be a tool of repression.

Nandita Haskar, a human rights lawyer, said: “There’s already no accountability in regard to violations of human and civil rights. In this atmosphere what are the oversight mechanisms for this kind of surveillance?”

Michael (Micha) Shafir the Founder & Inventor of Innovya
Traceless Biometric technology, is demonstrating to Governor
Kaine, how easy, stored information can be leaked out without
connection to any public network, and why it is so dangerous
to collect sensitive Biometric Information about innocent citizens.
Proving that there is no better security for sensitive data
than not collecting it in the first place.

12 Sep 2009, 1824 hrs IST, ET Bureau

NEW DELHI: In view of the National Unique ID project initiated by the government, and its bearing on the smartcards, RFID, biometrics, e-Security

sectors in India, SmartCards Expo 2009 has been organised in the capital from September 11-12.

The government may use biometric features like iris scan and hand geometry for recording secondary details for the National UID project, said officials at the SmartCard Expo 2009. Face readers which can scan even the face of a hijab clad woman, or a man wearing a beard from his or her original face, new smart cards, iris scanners and printing technology, were showcased at the event in this regard.

Technology majors like NXP, ST Microelectronics, Texas Instruments, Sagem, Base Systems, Bartronics, Lipi Data Systems Ltd, HiTi Digital, Infineon participated in the event. However the absence of any representative of the UIDAI (Unique ID Authority of India) was severely felt at the event, inspite of the importance of this Conference, which was fully devoted to the subject of UID.

Greg Pote, Chairman, Asia Pacific Smart Cards Association mentioned the in his view, various governments are still searching for what they can do with the national ID cards beyond ID. But most governments have a privacy commissioners and monitors, and they limit what the government can do with the details. He said that the registration number is the key driver for the card. That creates problems, with resistance from privacy bodies. His estimate is that smart cards in India are 5 years behind Europe.

Dr B K Gairola, Director General, National Informatics Centre touched upon the role of the government and the importance of the UID Project to India as a whole. He mentioned the it is like a 16 lane highway on which all applications could ride. He talked about the earlier experience of the MNIC – Multi Application National ID Project and also the importance of the creation, operation and maintenance of a Unique ID Database and the challenges associated with it.

Accenture’s Ravinder Pal Singh mentioned that Bluecasting might be a better alternative to start with because people have mobile phones, especially in villages in north India. Mobile phone is much more authentic and secure, according to him.

Biometrics involving fingerprints and other biometrics feature such as face recognition, DNA shape identification, etc were also extensively discussed.

Gemini Ramamurthy, Chairman of Cyber Society of India said that a set of 12 parameters has been issue by the UID, but the only parameter that cannot be duplicated is the biometric one. While it is important to achieve uniqueness in identification of persons, it is equally or more important to be able to establish secure identification. This means the identification of a person has to protected against misuse.
The challenges to the ID project are many. Mere possession of a unique identification number belongs to that person. It has to be established beyond doubt that the particular unique identification number belongs to the particular person and no one else. In other words, there should be a secure way to ensure that no other person can carry that identification number.

And then, if these security features have to be matched with the database contents of a particular individual, it requires a very efficient and robust facility of data base storage and retrieval with a highly reliable remote connectivity.

A more plausible is to provide a smart card, which will carry the unique identification number and the various additional security features that can be checked to further establish the uniqueness of identification of the individual. Many countries have already implemented smart card based identification programmers emphasizing the unparallel security provided by smart cards.

The government is thus considering splitting the UID database into two sets of paramters – the primary database will be accessible on the Internet and used for access purposes and verification, while the secondly database is likely to be kept offline, and in multiple formats, and be used only if the primary data is in dispute. Secondary data could have multiple biometric features including Iris scan, hand geometry, and additional data including names of grandparents and great grandparents, because the hacker may not be aware of these things, Mr Ramamurthy added. Since the UID data is in digital form, it may be useful to include an email ID as an additional data parameter.

“The appropriate audit trail, and what was the value of the data before and after the access needs to be stored, as well as the mode of access to that data. These should be available for judicial scrutiny, and certified for integrity. Companies from countries suspected of cyberwarfare against India should be avoided in case of this project.” Mr Ramamurthy said adding that a pilot project for the UID is being planned in Bangalore.

An eminent panel of experts debated with a sizable audience about the UID andtechnologies of relevance to India. The Panel was chaired by Pradeep Kumar, Vice President, Asia Pacific, STMicroelectronics. Panelists were from Sagem Securite, WYSE Biometrics, UNISYS, Bartronics, NXP Semiconductors, Barnes International, and ASK France.

By Tom Espiner ZDNet.co.uk

Posted on ZDNet News

Security expert and BT chief security-technology officer Bruce Schneier has attacked the US-Visit border-biometrics program, saying it has had “zero benefit” in terms of security.

Speaking to ZDNet UK last week, Schneier said that there was little evidence that the US-Visit program, which takes fingerprints and retinal scans from all visitors to the United States, had made any impact on reducing the threat from criminals and terrorists.

“If the Department of Homeland Security had apprehended any terrorists [through US-Visit], they would have kicked up a huge press stink,” said Schneier. “There has been zero benefit from the program.”

A long-time critic of the US-Visit program, Schneier first questioned the cost-effectiveness of the scheme in 2006. At the time, just under 1,000 people had been apprehended for criminal or immigration violations, yet the program had cost $15 billion (£9.4bn) up to that point.

“Take that $15 billion number,” wrote Schneier in a 2006 blog post. “One thousand bad guys, most of them not very bad, caught through US-Visit. That’s $15 million per bad guy caught. Surely there’s a more cost-effective way to catch bad guys?”

However, Robert Jamison, undersecretary at the US Department of Homeland Security’s National Protection and Programs Directorate, which oversees US-Visit, told ZDNet UK at the RSA Conference Europe 2008 on Wednesday that the border-biometrics program had been effective.

“There have been several instances of someone applying for entry under one name, being denied, applying under another name, and again being denied [due to biometrics records],” said Jamison. “In a few cases, criminal activity and, in some cases, terrorist activity have been prevented.”

Jamison declined to say exactly how many terrorists had been caught as a direct result of the program, saying the information was “classified”. However, Department of Homeland Security figures show that more than 2,400 immigration “violators” and criminals have been identified since the inception of the program in January 2004.

In February, US-Visit was claimed to have helped identify two terrorist suspects, now being held in Iraq, from fingerprints lifted from an improvised explosive device.