A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
(1) Federal ID Proposals for US Citizens and Others Grow in Number and Scope
(2) Federal Government Employee ID Project Raises Policy Concerns
(3) Ridge Calls for Fingerprints in US Passports
(4) New Driver's License Legislation Expected
A number of proposals for new identity cards -- some affecting US citizens and others relating to visitors to the US -- have been moving forward in recent months. Both the Bush Administration, through directives and statements, and Congress, in legislation, are actively promoting the adoption of ID cards that would utilize biometric technologies such as digitized fingerprints and facial scans.
Several programs -- such as the Transportation Workers Identity Card, designed to be used by all private and public sector workers at land, air and sea ports, and US VISIT, the program for visa holders and other legal visitors to the US -- are already being implemented.
New proposals include:
While none of the proposals specifically mentions the others, many of the officials and contractors involved have stressed the importance of "interoperability" among the standards.
CDT has concerns with the lack of privacy and security protections in several of the specific proposals, as well as an overarching concern about integration of the cards and the enrollment, authorization and transactional data that will be created as these cards are issued and used.
For a detailed discussion of different biometric technologies and the policy issues that must be addressed when taking privacy and security into account, see the June 2004 joint paper of CDT and the Heritage Foundation entitled "Biometric Technologies: Security, Legal, and Policy Implications".
On August 27, 2004, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12) "Policy for a Common Identification Standard for Federal Employees and Contractors." The goal of HSPD-12 is to create a unified standard for all federal government IDs so that they can be used at physical and online access points.
HSPD-12 called upon the National Institute of Standards and Technology (NIST) to develop the actual technical standard and the Office of Management and Budget (OMB) to manage implementation of the cards. The uses of the cards are left to the agencies themselves to decide.
In November, NIST issued a draft Federal Information Processing Standard (FIPS-201) for comment. The draft standard would require the collection of fingerprint information and facial information for inclusion on the cards. (Government agencies already collect such information to differing degrees depending on the agency.) The cards themselves will contain both a "contact" smart chip and a "contactless" chip, meaning that they can be read by devices that need direct contact with the card and devices that can read the card remotely.
While CDT appreciates the need for a single standard for identity cards for federal employees and contractors, CDT said in its comments to NIST on FIPS-201 that it is concerned that the technical standard is being developed without an adequate policy framework to prevent misuse of the cards and associated data. The failure to adopt policies before technologies are designed and procured puts at risk both the privacy and security of card-holders and the systems involved. CDT stressed that development of basic policies to limit misuse and overuse of the cards and the information on them should be a top priority for NIST and OMB in setting standards and implementing the program, but these concerns had not been addressed adequately in either HSPD-12 or FIPS-201.
Based on concerns from CDT and others, OMB and NIST are holding a public forum on January 19, 2005, to discuss the policy issues and how to address them. CDT will be speaking at the forum.
In an effort largely led by the US, the International Civil Aviation Organization (ICAO) has set new standards for passports. The standards call for all passports to contain a contactless smart chip and a machine-readable picture of the passport holder. The goal of the new chip is to allow government agents to read the passports from a distance and compare the pictures against facial scans of terrorists and other wanted criminals.
The ICAO standards have led to several complaints from some experts and civil liberties groups, including:
Perhaps partially in response to this last point of criticism, outgoing DHS Secretary Ridge announced on January 12 that he believes that passports should contain fingerprint information for all ten fingers on the passport. While details of the proposal remain sketchy, CDT believes that this proposal would exacerbate privacy and security issues.
During last year's Congressional debate over intelligence reform, a group of Representatives led by James Sensenbrenner (R-WI) and Candice Miller (R-MI) introduced legislation that would overhaul the state driver's license system. While the intelligence reform legislation included some new requirements for national standards for driver's licenses, other proposals did not make the final bill.
The intelligence reform bill included a requirement to capture digital images of all drivers, presumably so that facial recognition technology can be used to verify that new drivers do not already have a driver's license and that anyone renewing a license is in fact the same person originally issued the license. However, the bill did not include a requirement to link the driver's license databases of all states so that states could check against each other's databases for duplicate licenses. Rep. Sensenbrenner is expected to introduce that provision in a new driver's license bill this year.