National ID Cards
by Bruce Schneier
http://www.schneier.com/crypto-gram-0404.html#1
As a security technologist, I regularly encounter people
who say the United States should adopt a national ID
card. How could such a program not make us more secure,
they ask?
The suggestion, when it’s made by a thoughtful
civic-minded person like Nicholas Kristof in the New York
Times, often takes on a tone that is regretful and
ambivalent: Yes, indeed, the card would be a minor
invasion of our privacy, and undoubtedly it would add to
the growing list of interruptions and delays we
encounter every day; but we live in dangerous times, we
live in a new world....
It all sounds so reasonable, but there’s a lot to
disagree with in such an attitude.
The potential privacy encroachments of an ID card system
are far from minor. And the interruptions and delays
caused by incessant ID checks could easily proliferate
into a persistent traffic jam in office lobbies and
airports and hospital waiting rooms and shopping malls.
But my primary objection isn’t the totalitarian
potential of national IDs, nor the likelihood that
they’ll create a whole immense new class of social and
economic dislocations. Nor is it the opportunities they
will create for colossal boondoggles by government
contractors. My objection to the national ID card, at
least for the purposes of this essay, is much simpler.
It won’t work. It won’t make us more secure.
In fact, everything I’ve learned about security over the
last 20 years tells me that once it is put in place, a
national ID card program will actually make us less
secure.
My argument may not be obvious, but it’s not hard to
follow, either. It centers around the notion that
security must be evaluated not based on how it works,
but on how it fails.
It doesn’t really matter how well an ID card works when
used by the hundreds of millions of honest people that
would carry it. What matters is how the system might
fail when used by someone intent on subverting that
system: how it fails naturally, how it can be made to
fail, and how failures might be exploited.
The first problem is the card itself. No matter how
unforgeable we make it, it will be forged. And even
worse, people will get legitimate cards in fraudulent
names.
Two of the 9/11 terrorists had valid Virginia driver’s
licenses in fake names. And even if we could guarantee
that everyone who issued national ID cards couldn’t be
bribed, initial cardholder identity would be determined
by other identity documents... all of which would be
easier to forge.
Not that there would ever be such a thing as a single ID
card. Currently about 20 percent of all identity
documents are lost per year. An entirely separate
security system would have to be developed for people
who lost their card, a system that itself is capable of
abuse.
Additionally, any ID system involves people... people
who regularly make mistakes. We all have stories of
bartenders falling for obviously fake IDs, or sloppy ID
checks at airports and government buildings. It’s not
simply a matter of training; checking IDs is a
mind-numbingly boring task, one that is guaranteed to have
failures. Biometrics such as thumbprints show some
promise here, but bring with them their own set of
exploitable failure modes.
But the main problem with any ID system is that it
requires the existence of a database. In this case it
would have to be an immense database of private and
sensitive information on every American — one widely
and instantaneously accessible from airline check-in
stations, police cars, schools, and so on.
The security risks are enormous. Such a database would
be a kludge of existing databases; databases that are
incompatible, full of erroneous data, and unreliable. As
computer scientists, we do not know how to keep a
database of this magnitude secure, whether from outside
hackers or the thousands of insiders authorized to
access it.
And when the inevitable worms, viruses, or random
failures happen and the database goes down, what then?
Is America supposed to shut down until it’s restored?
Proponents of national ID cards want us to assume all
these problems, and the tens of billions of dollars such
a system would cost — for what? For the promise of
being able to identify someone?
What good would it have been to know the names of
Timothy McVeigh, the Unabomber, or the DC snipers before
they were arrested? Palestinian suicide bombers
generally have no history of terrorism. The goal here
is to know someone’s intentions, and their identity has
very little to do with that.
And there are security benefits in having a variety of
different ID documents. A single national ID is an
exceedingly valuable document, and accordingly there’s
greater incentive to forge it. There is more security in
alert guards paying attention to subtle social cues than
bored minimum-wage guards blindly checking IDs.
That’s why, when someone asks me to rate the security of
a national ID card on a scale of one to 10, I can’t give
an answer. It doesn’t even belong on a scale.
This essay originally appeared in the Minneapolis Star
Tribune:
http://www.startribune.com/stories/1519/4698350.html
Kristof’s essay in the New York Times:
http://www.nytimes.com/2004/03/17/opinion/...
My earlier essay on National ID cards:
http://www.schneier.com/crypto-gram-0112.html#1
My essay on identification and security:
http://www.schneier.com/crypto-gram-0402.html#6