Copyright 2000 by Neal R. Wagner.
Individuals are wary of identification schemes, and not just ones that promise to shine a laser into their eye. Even a request for a fingerprint makes people wonder about storage and reuse of the print. However, reliable identification of individuals is the basis for accountability schemes; to hold someone responsible requires accurate identification of the person. Without such identification, there is no point in passing a law requiring that an individual identify himself when carrying out certain activities, such as buying a gun. I myself want perfect identification to keep someone from passing himself off as me, doing something in my name.
Each human activity can be explicitly attributed or kept anonymous, and attribution requires identification. For example, society sees false attribution in poison pen letters, those harmful letters falsely claiming a particular author. Identification plays a role even in anonymous activities, because it is often desirable to verify that several activities have been carried out by the same anonymous individual.
Many public activities should be attributed; society would be better off with much anonymity removed. The attribution should be verified with reliable identification techniques. For example, articles in newspapers and magazines usually profit from attribution, though anonymity also plays a role in the freedom of information of the press to correct wrongs, as with the U.S. Watergate scandal. Similarly, discourteous acts committed in public or while driving would be toned down if there were no anonymity. Certain activities, such as whistle-blowing, the use of a suggestion box, voting, or a health-care inquiry, benefit from anonymity.
The concepts of identification and verification are central to a discussion of the identity of individuals. To verify an individual's identity means to check that a person is who he claims he is, using stored data about that particular individual. To identify an unknown individual is much harder -- one must discover the person's identity using data describing a large pool of individuals. With fingerprints, for example, verification will check that a single fingerprint is what it should be, while identification may have to search through vast files of fingerprints. The possible mistakes for verification are to verify the identity of an impostor, or to reject a correct individual as if he were an impostor. Identification can make the additional mistake of deciding on the wrong identity.
A system that monitors the transfer of prisoners in San Antonio gives a real-life example in current U.S. society where perfect identity verification is a requirement. This system uses fingerprints, automatic fingerprint recognition by software, and ID bands with photographs. Officials need to know during a transfer of prisoners by bus that the right person is getting on the bus and that the same person gets off the bus. It seems that an easy way to effect an escape is to ``talk'' someone in prison on a lesser charge into trading identities, even when there is no close match in appearance. The ``talking into'' is not hard to do with a few well-placed threats to a prisoner and his relatives.
Verification
Identity verification techniques continue to present problems in a practical setting. Simultaneously, one wants a low error rate, an easy and inexpensive implementation, and convenience for users. Private industry and government are carrying out a vast amount of research in this area, with a number of mature systems in use. Most facilities still use one of the two classic methods: either a password or PIN (Personal Identification Number, like the 4-digit numbers used in bank teller machines) that the user has memorized, or an identification card with a picture that the user carries. Notice that merchants accepting a credit card often do no identity verification at all.
Both these methods have flaws. Users are bad at remembering passwords, especially computer-generated passwords or multiple passwords. (One expert on identity verification said he has trouble with more than a couple of 4-digit PIN's.) Users respond to these difficulties by choosing a simple password if that is an option -- a password that is easy to guess. Otherwise users record the password where it might be seen. For example, a stolen wallet with both bank teller card and driver's license will allow the thief to guess the birth date as a likely PIN. As for the other classic method of identity cards, they are often forged, stolen, altered, or not checked carefully enough. Most checks are done by hand, although a careful check causes delays and requires extra manpower.
As a result of these problems, providers of identification services have introduced a variety of hardware schemes. Identity cards can include data in a magnetic strip for machines to read, or computer chips, or even a self-contained computer on the card -- as a so-called ``smart'' card that can respond adaptively. Other approaches rely on personal features, also known as biometrics. These terms refer to physical characteristics of individuals that people or machines can measure.
Here is a list of categories for identity verification methods.
1. Prearranged information, such as passwords or PIN's. These have the disadvantages mentioned above of being hard to remember and easy to guess or steal, but passwords are so convenient to implement and easy to use that they are the dominant system. Current high-security installations recommend a password of eight random letters that is changed every three months -- a burden for hapless users to memorize. Promising are methods that, while forcing random computer-generated passwords on users, attempt to make the password easier to remember, either by the choice of syllable parts strung together, or by the use of pass phrases made up of common words. It also helps to give the user a selection of these computer-generated passwords. The prearranged information might even be an agreement to behave in a certain way. For example, one can use a code phrase in an innocent-sounding context, as some embassy personnel are trained to do. As another example, an organization may require that security guards recognize top-level management on sight; use of the ID card is then interpreted as a sign of coercion.
2. Piece of hardware, such as an ordinary metal key, a card with a picture or data or even computer components on it. Cards require a machine to create, whether a camera or a computer; except for pictures, hardware is needed to read the card; and cards can be lost or stolen. In spite of these problems, cards are the second most common system, after passwords. Cryptographic techniques allow the design of cards that cannot be created except by an authorized agency. For greater security, the hardware can be hard to remove, as with the ID bands mentioned earlier.
3. Personal feature, such as a picture, a fingerprint, retinal pattern, iris pattern, body dimension, hand geometry, voice characteristic, facial thermogram, or even more sophisticated medical or biochemical property. The emphasis is on features that distinguish one user from another, such as the pictures or fingerprints that have long been in use. If pictures are used, the system stores and processes the picture, unlike a picture on a card in the previous category.
Personal feature systems have disadvantages. They are expensive, usually requiring hardware that is easily damaged, either by accident or maliciously. They are intrusive, requiring users to submit to an initial recording session and to repeated measurement sessions. Finally, until recently they have not been very reliable. Many systems still have a high error rate from errors of rejecting a legitimate user, though the error rate of accepting an impostor is now often very low. (Imagine a voice-activated money-dispensing machine that refuses a user money because his voice is hoarse from an infection.) There is a trade-off between the two kinds of errors, so that setting the tolerance to accept almost all legitimate users makes it easier for an impostor to succeed, but both errors are now being pushed below one percent.
There is promising work going on right now (and hardware/software systems for sale) in the areas of fingerprint recognition, retinal scans, iris scans, hand geometry readers, and voice and facial recognition, with claimed error rates far below one percent. Users may object to their fingerprints or other personal data on file, and many users will object to a retinal scan. Of course a blind or mute person would not be able to use the respective system. And one might make an impression of a fingerprint to fool a fingerprint-recognizing system, while a recent lurid science fiction movie (Demolition Man) showed what could be done in real life: either dragging an unwilling user to a scanner, or presenting a severed body part to it.
With voice recognition, in addition to forcing a user to answer, one could record the proper responses for playback at the machine. To foil such recordings, the system can give the user a sequence of pre-recorded words to say, different words for each session. Voice recognition will also work remotely and can even adapt to changes in a voice over time.
Identification
As mentioned earlier, identification is a harder task than verification because the choice comes from a large pool of possible identities. At present the focus of identification is on pictures and ordinary fingerprints, but these methods pose considerable difficulties. The memory of a criminal's appearance may remain after a crime, but associating the memory with a stored photograph is hard, particularly considering that an individual may change hair color and style, facial hair, and glasses, and the individual may age. Mostly this occurs more as a verification that a suspect's appearance matches the memory. The United States has now computerized and consolidated fingerprint searches, with a large database of fingerprints on hand at the national level. The use of fingerprints is an ancient and well-studied technique that will continue in use indefinitely, since fingerprints may remain after a crime. The newer DNA analysis is still mostly used for verification, but it should become widespread for identification as well. DNA analysis has special importance because of its accuracy and because samples of a criminal's tissue may also remain at a crime scene, particularly in cases of sexual offenses. For both fingerprints and DNA analysis one must be sure that the print or tissue sample comes from the individual being identified, to maintain a chain of evidence. The U.S. FBI is just now creating a DNA database for people convicted of federal sexual predatory crimes, though it is not yet fully implemented.
Other verification techniques using personal features will work for identification as well, such as retinal or iris patterns, or voice characteristics. A hidden camera can obtain the iris pattern remotely, while a microphone can record the voice of a criminal, so again such evidence may remain after a crime. With such new techniques, as with the old, emphasis should be on reliability, ease of computer searches, and on consolidation and coordination of searches, so that different jurisdictions do not withhold information from one another. Some techniques that work well for verification will not work for identification. For example, one company's hand geometry system uses only nine bytes of data for verification -- too little data to be effective for identification, since for a given hand geometry there would be many similar hands. Hand geometry also fails because information about this characteristic is unlikely to remain at a crime scene.
National Identification
American immigration officials in their search for illegal aliens often question Hispanics while ignoring Anglos -- sometimes detaining Hispanics for no other reason than their brown skin or their use of the Spanish language. This is not equality of application of the law; America should give equal treatment to everyone, using national identification. Notice the phrasing here: A physical card is not needed, just reliable and coordinated identification, since it is also an inequity to expect Hispanics to carry a special card, while Anglos need not. The terminology ought by rights to be ``national identity verification,'' since in most instances the need is to verify a claimed identity.
Many people have proposed a national identity card in the U.S., while others have successfully resisted introduction of the cards. There is sufficient need for these cards that other imperfect cards have filled the void. The bewildering array of current cards in use, including driver's licenses, social security cards, and other job-related cards are ``easily counterfeited and poorly coordinated.'' For example state driver's licenses now serve even non-drivers as an identity card. The state cards vary greatly, though the trend is toward more secure licenses, ones harder to forge, like the Minnesota license with its security features: a bar code, a 256-character magnetic strip, and a digitized photo and signature. The license is nearly the same as a Minnesota identification card, used most often for activities not involving driving.
Current technology allows the creation of excellent identity cards, difficult or impossible to forge. The U.S. needs strong and unforgable national ID cards, but only as a part of a system of national identification. A card would provide a simple means for identifying individuals using inexpensive hardware and without a requirement for transferring data. As mentioned above, the card would actually provide identity verification, using one or more of the personal features mentioned earlier, such as fingerprints, or retinal, iris, or voice characteristics. Public key cryptographic techniques can encrypt the personal feature data so that cards could not be created by an impostor. The same personal features with the same recognition hardware would provide identity verification without the card, requiring only a data link to a central site. Cryptographic techniques can prove that one is truly communicating with the proper site.
These cards are not at all like the U.S. 100 dollar bills foreign print shops forge so well that experts can scarcely detect them. Cryptography allows creation of truly unforgable cards, ones that a person with better technology than the card makers cannot forge. (Someone else could copy an existing card, but could not make a new card with a different identity or different features on it.)
The data describing every individual's personal features would likely be distributed over many sites in what is known as a distributed database. An identity verification would involve transfer of data about a single individual, usually from a nearby site -- a simple query that remains simple no matter how many people are involved. Identification of an unknown person would still usually involve only the local site, but at worst it might be a lengthy process -- made more lengthy with increasing numbers of people identified, but such identification is rare compared with the constant need for identity verification.
Many in the U.S. have vehemently opposed national identify cards, and of course these people would also oppose a proposal for cards as only part of national identification. One concern is that the cards could be forged and misused, and so not be effective. The unforgable proposal above handles that problem, but the larger concerns center on government misuse of the card. Such misuse is an all-important issue for opponents of cards.
The government might misuse cards by creating forged cards for insiders, for government employees with a ``need'' for cards, and for those outside the government with connections to the card-making bureaucracy.
More worrisome misuse would occur if a government used identification for purposes beyond the legal uses -- say, to keep track of political enemies, or to maintain prohibited information about individuals. Thus people in Minnesota worry about just what information is stored in the 256 characters on their state's driver's license. Perhaps it records traffic violations that are not supposed to be on the card; perhaps it has inaccurate information.
The current array of different cards with different individual data stored along with them again argues in favor of a single card, with a clear location for any personal data, where an individual could check the extent and accuracy of this data. Such checks are essential; as with credit bureau data, each individual must have ready access to all personal data regarding themselves.
Finally, there are worries that a reliable national identification scheme would tempt lawmakers to extend its uses beyond the initial concept. This would not be illegal use and need not even be misuse in a broader sense, but it is still cause for concern about identification out of control.
Governmental misuse is likely to occur, so plans for implementation must include plans to protect against such misuse. Society must monitor and control the sites that create cards and that carry out identification. (Cryptographic techniques allow for simple verification sites that do not need such tight controls, since they cannot create cards.) As for extending the application of national identification, this deserves wide and open debate within society.
Cost is another concern, but high-quality identification does not have to be expensive -- conversion to a unified system might save money over the current mess in the U.S. of identification by each state, by separate government agencies, and by many companies or organizations. Reliability should be extremely high, especially if several features are used simultaneously. Data storage and retrieval requirements would be comparable to what the U.S. has now in various taxing and monitoring agencies.
I personally feel that I would be much better off if I could be reliably identified. It often happens that a person is mistaken, detained, and even jailed because he looks like or has the same name as a wanted criminal. People worry that the police will stop them on the street and demand their identity without cause, but such an incident is unrelated to issues of national identification. If the police are behaving unjustly (committing crimes, in other words), they must be controlled by society; the controls and identification and surveillance of the lawkeepers must be the most complete and stringent in society.
Deliberate theft of identity is also on the increase now and can be devastating. In the U.S., a criminal's knowledge of someone else's social security number and mother's maiden name (the latter often used as an extremely crude identity verifier) can lead to major financial and credit problems, as the criminal assumes a new identity to steal or obtain credit.