Security

National IDs: They're coming, one way or the other

A storm is definitely brewing over the issue of a national ID system. Some favor a national ID standard, while others want to see a single ID issuer--the U.S. government. Still others decry the concept altogether. Take a look at these dissenting voices.


By David Berlind

Since Sept. 11, 2001, Oracle CEO Larry Ellison and Sun Microsystems CEO Scott McNealy have become this country's most vocal cheerleaders for forgery-proof digital identification. Civil libertarians, in turn, have twisted the messages of both men into something they are not, creating a national ID opposition movement. Idiots.

My father used to repeat his favorite rule of life to me every time I said something stupid (which is still pretty often). "Put your mind into gear before your mouth into motion." As McNealy implied in my recent interview, if most people welcomed a rational discussion about the big difference between authentication in situations that demand it (such as boarding an airplane, renting a crop duster, or voting) and storing personal information in a database, national ID critics might not be so quick to vilify advocates of something a lot more bulletproof than what we have today. What do we have today? A broken system.

ZDNet Tech Update
This article appears courtesy of ZDNet Tech Update, where you can explore IT solutions on various topics, including ASPs, Linux, Windows NT/2000, groupware, information systems infrastructure, wireless networking, and much more.

The facts on IDs
For everyone who thinks that we'll suddenly become inconvenienced because we have to start presenting an ID everywhere we go, guess what? We're already supposed to present an ID almost everywhere we go. No one is proposing that we double or triple the number of situations where an ID is required. Ellison's and McNealy's propositions would close two giant holes that make today's systems useless.

First, a bulletproof ID for the public—one that cannot be forged and is safe from unauthorized use—does not currently exist. Now, many organizations have implemented very good three-factor security for their own internal use. Three-factor security is based on what you know (a password), what you have (an ID card or other security token), and who you are (biometrics). Think of three-factor security as an ATM card that requires, in addition to a PIN code, a fingerprint. The digitized fingerprint isn't kept in a database. It's digitized and encrypted into the ID card, just like the PIN number.

Second, the current system's dependence on human beings to check IDs (and check them correctly) is absurd. Any politician or person who tells you that today's public identification systems solve the problems they were intended to solve is a moron.

Enter Ellison and McNealy. The two men are proposing somewhat different approaches to solving the same problem. Ellison's approach, which civil libertarians miscategorize as a national ID, is nothing of the sort. What Ellison suggests is that we have a national standard for implementing IDs. Ellison doesn't care how many IDs you have to carry or who issues them, as long as their authenticity is guaranteed. In fact, Ellison would probably love for there to be thousands of issuers. The more organizations that issue IDs, the more databases he'll probably sell. But to guarantee the authenticity of those IDs, the national government needs to ratify a standard with which all issuers must comply.

One ID issuer: Is it the best approach?
McNealy doesn't have a master plan (at least not one that he was prepared to divulge in my interview with him). I asked McNealy how he thought the system should work. He said he hadn't really thought it through that much. Thinking out loud, he first talked about how there might be multiple issuers but then settled on the idea that there probably should be one—the U.S. government. His rationale was simple: If the specification that guaranteed each ID's authenticity changed for some reason (for instance, if encryption requirements changed), implementation of the new spec would be far simpler with one issuer.

What most concerns McNealy is that this good idea might be squashed for all the wrong reasons. His opponents argue that a national ID is a slippery slope toward Big Brother watching every one of us. McNealy refers to this as "building databases" and suggests that we don't change the way things are done today.

For example, most of us (whether we know it or not) already have substantial databases built around our names or Social Security numbers. Airlines, ISPs, credit-card companies, online merchants, and many other businesses are busy building profiles of us. The civil libertarians hate these databases. But what they hate even more is the idea that the government could use a national ID to connect these disparate databases in a way that could form a more complete profile. Indeed, a national identification standard would make it much easier to connect databases and build those profiles in minutes.

McNealy doesn't like the idea, comparing it to a federal wiretap. Laws preventing such wiretaps, he believes, need to stay in place or even be strengthened to deal with the digital age. Had a national ID specification been in place before Sept. 11 and had the courts issued "database tapping" orders swiftly enough, much more might have become known much sooner about the hijackers before some of the leads went cold.

End sum
Aside from the not-so-subtle differences in the their ultimate solutions (multiple issuers vs. one issuer), both Ellison and McNealy appear focused on the same problem: a bulletproof ID specification with no room for abuse and no way to deliberately or inadvertently shortcut the authentication process.

Provided that the specification requires three-factor security, the human element is removed because a biometric system stands in the way of any transaction that requires authentication, such as voting or boarding a plane. For merchants (electronic, brick and mortar, or both), the same technology that guarantees that the person sitting next to you on the plane is who they say they are could also be the one that prevents abuses like credit-card fraud. Merchants almost always bear the cost of credit-card fraud because the authentication process failed for some reason. With the right controls in place, the benefits of a national ID idea far outweigh the detriments.

David Berlind is the editorial director of ZDNet's Tech Update.


How do you feel about national IDs?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.

 

Editor's Picks

Free Newsletters, In your Inbox