Federal ID Proposals for US Citizens and Others Grow in Number and Scope
(1) Federal ID Proposals for US Citizens and Others Grow in Number and Scope
A number of proposals for new identity cards -- some affecting US citizens and others relating to visitors to the US -- have been moving forward in recent months. Both the Bush Administration, through directives and statements, and Congress, in legislation, are actively promoting the adoption of ID cards that would utilize biometric technologies such as digitized fingerprints and facial scans.
Several programs -- such as the Transportation Workers Identity Card, designed to be used by all private and public sector workers at land, air and sea ports, and US VISIT, the program for visa holders and other legal visitors to the US -- are already being implemented.
New proposals include:
- Federal Government Employee ID Card: The federal government is developing standards for a high-tech ID card for federal employees and contractors.
- State Driver's Licenses: While last year's intelligence reform bill imposed some requirements for national standards on state driver's licenses after contentious debate, a new proposal to require biometric information in all driver's licenses is expected to be introduced soon in the Congress.
- US Passports: An international standard that would include biometric information is being implemented and outgoing Department of Homeland Security (DHS) Secretary Tom Ridge has said the government should go further.
While none of the proposals specifically mentions the others, many of the officials and contractors involved have stressed the importance of "interoperability" among the standards.
CDT has concerns with the lack of privacy and security protections in several of the specific proposals, as well as an overarching concern about integration of the cards and the enrollment, authorization and transactional data that will be created as these cards are issued and used.
For a detailed discussion of different biometric technologies and the policy issues that must be addressed when taking privacy and security into account, see the June 2004 joint paper of CDT and the Heritage Foundation entitled "Biometric Technologies: Security, Legal, and Policy Implications".
(2) Federal Government Employee ID Project Raises Policy Concerns
On August 27, 2004, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12) "Policy for a Common Identification Standard for Federal Employees and Contractors." The goal of HSPD-12 is to create a unified standard for all federal government IDs so that they can be used at physical and online access points.
HSPD-12 called upon the National Institute of Standards and Technology (NIST) to develop the actual technical standard and the Office of Management and Budget (OMB) to manage implementation of the cards. The uses of the cards are left to the agencies themselves to decide.
In November, NIST issued a draft Federal Information Processing Standard (FIPS-201) for comment. The draft standard would require the collection of fingerprint information and facial information for inclusion on the cards. (Government agencies already collect such information to differing degrees depending on the agency.) The cards themselves will contain both a "contact" smart chip and a "contactless" chip, meaning that they can be read by devices that need direct contact with the card and devices that can read the card remotely.
While CDT appreciates the need for a single standard for identity cards for federal employees and contractors, CDT said in its comments to NIST on FIPS-201 that it is concerned that the technical standard is being developed without an adequate policy framework to prevent misuse of the cards and associated data. The failure to adopt policies before technologies are designed and procured puts at risk both the privacy and security of card-holders and the systems involved. CDT stressed that development of basic policies to limit misuse and overuse of the cards and the information on them should be a top priority for NIST and OMB in setting standards and implementing the program, but these concerns had not been addressed adequately in either HSPD-12 or FIPS-201.
Based on concerns from CDT and others, OMB and NIST are holding a public forum on January 19, 2005, to discuss the policy issues and how to address them. CDT will be speaking at the forum.
- Homeland Security Presidential Directive 12
- CDT's December 22, 2004 Comments on FIPS-201
- Federal Register Notice for January 19 meeting on policy issues for HSPD 12
- Slides for January 19 presentation by CDT Associate Director Ari Schwartz
(3) Ridge Calls for Fingerprints in US Passports
In an effort largely led by the US, the International Civil Aviation Organization (ICAO) has set new standards for passports. The standards call for all passports to contain a contactless smart chip and a machine readable picture of the passport holder. The goal of the new chip is to allow government agents to read the passports from a distance and compare the pictures against facial scans of terrorists and other wanted criminals.
The ICAO standards have led to several complaints from some experts and civil liberties groups, including:
- There is no requirement that the information be encrypted. In fact, it seems that the US plans to implement the standard without encrypting the information. Critics suggest that anyone with a reader will be able to collect another person's digitized passport information, creating opportunities for identity theft.
- Compounding these concerns, contactless chips raise concerns that passports will be able to be read surreptitiously. While there is a dispute about the state of the current technology and at what distance the readers will work, critics are concerned that collection can occur without consent, a major concern for the safety of passport holders.
- Facial recognition technology is ineffective for the kind of matching proposed. Tests have shown that facial recognition works best in situations where the subject is in the same environment and is being matched only to check if the person is who he says that he is (one-to-one matching vs. one-to-many matching).
Perhaps partially in response to this last point of criticism, outgoing DHS Secretary Ridge announced on January 12 that he believes that passports should contain fingerprint information for all ten fingers. While details of the proposal remain sketchy, CDT believes that this proposal would exacerbate privacy and security issues.
- ACLU, "How the U.S. Ignored International Concerns and Pushed for Radio Chips in Passports Without Security," November 26, 2004
- Associated Press, "Ridge Seeks Fingerprints on Passports"
(4) New Driver's License Legislation Expected
During last year's Congressional debate over intelligence reform, a group of Representatives led by James Sensenbrenner (R-WI) and Candice Miller (R-MI) introduced legislation that would overhaul the state driver's license system. While the intelligence reform legislation included some new requirements for national standards for driver's licenses, other proposals did not make the final bill.
The intelligence reform bill included a requirement to capture digital images of all drivers, presumably so that facial recognition technology can be used to verify that new drivers do not already have a driver's license and that anyone renewing a license is in fact the same person originally issued the license. However, the bill did not include a requirement to link the driver's license databases of all states so that states could check against each other's databases for duplicate licenses. Rep. Sensenbrenner is expected to introduce that provision in a new driver's license bill this year.
- CDT Policy Post 10.03, February 3, 2004, "Security Holes at DMVs Feed ID Theft, Offer Lessons for National ID Card Debate"
- CDT Policy Post 8.17, September 5, 2002 "Privacy and Security Risks in Driver's License Proposals"