Citizen of the Republic
Sean O'Connor
Assistant Professor of Law
University of Pittsburgh School of Law
412.624.7446 || oconnor@law.pitt.edu
INTRODUCTION
As has been frequently noted recently, the events of 9/11 have changed
everything. Not the least of these changes are our attitudes towards
how and when we should be identified in relation to what I will call
"target services" -- air travel, chemical/biological manufacture and
distribution, access to sensitive and/or landmark structures,
trucking, crop dusting, etc. Prior to 9/11, when new identification
measures were proposed an emphasis had been on privacy and libertarian
values such as the right/freedom to travel, associate, "re-invent"
ourselves through aliases and new names/identities, or simply be
anonymous. Any call for a mandatory national identification ("ID")
card was usually an act of political suicide. Post 9/11, many new ID
measures have been proposed: some have called for a mandatory national
ID card, others for optional or service specific ID cards, and some
for enhanced usage of existing types of ID cards. Most parties
interested in a new ID card system would like it to contain biometric
security features -- a set of technologies, such as finger imaging,
face recognition or DNA fingerprinting, that digitally maps certain
characteristics of an individual and then relies on that "template" to
compare with the relevant characteristic of an individual who presents
himself to the system at a later time.
The paper argues that even before the events of 9/11 there were some
compelling reasons to rethink our identification systems, one of the
most pressing being the fraud and misrepresentation problems plaguing
the development of e-commerce and the Internet generally. Yet, the
single largest obstacle to strengthening our identification systems,
both before 9/11 and even after, may be the belief that any such
strengthening must be a trade off between freedom and privacy, on the
one hand, and security and convenience, on the other.
The goal of the paper is threefold: first, to analyze the needs and
objectives that lie behind the renewed interest in national ID cards;
second, to sketch the kind of ID system that would be required to meet
these needs and objectives; and third, to consider whether the
proposed ID system could be ethically justified. An underlying theme
of the paper is that the standard debate over national ID cards -- a
necessary tradeoff between freedom/privacy and security/convenience --
should be re-contextualized into a dialogue over where on the spectrum
between communitarianism and libertarianism we would like to be as a
society.
I. The Problems
A. Terrorism
The events of 9/11 replay constantly; anthrax contamination lingers;
smallpox and nuclear devices seem distinctly possible. Something must
be done. Many of us may now be willing to exchange (some) liberty for
(some) safety, despite Franklin's adage. Of the range of possible
defensive actions, only one type will be considered here:
identification of terrorists before they can carry out their plans.
The enemy is unmarked and thus essentially invisible. In an age of
unprecedented mobility domestically and abroad, we neither know our
neighbors nor from whence they came.
Because traditional identification by "sight" is inadequate in such a
large, anonymous society, some have argued for a solution based on
biometric identification and surveillance techniques. Proposals
include:
* mandatory biometric-enhanced national ID cards (Ellison et al.)
* biometric identification of air travel passengers and personnel (Air
Transport Association "ATA")
* mandatory re-issuance of US foreign national documents (e.g., visas)
with biometric- enhanced versions (ROCID)
While the Bush Administration has so far rejected the idea of a
national ID card (with or without biometrics), biometric
identification is being seriously considered by other public and
private organizations. Further, the current environment has increased
the amount of money that such organizations are willing to spend at
the same time that the cost of biometric installations has decreased.
Generally, this translates into a dramatic expansion of the
organizations who can "afford" biometrics now.
B. E-Commerce and Transaction Costs
Before 9/11, and even before the dot com crash and market swoon of
2001, the rise of e-commerce was arguably being hampered by the
unknown terrain of online transactions. Despite the precedents of
mail order and telephone sales of goods and services, where buyers and
sellers often never meet each other, the similar invisibility of those
behind the flashy web sites or e-mail addresses made both prospective
buyers and sellers nervous about being swindled. And the early and
frequent stories of hackers stealing credit card numbers, etc. out of
the mysterious ether of the Internet did nothing to dispel these
fears.
This quite literally seemed to raise transaction costs -- even as the
vaunted efficiencies supposed to be intrinsic to the World Wide Web
were said to be lowering them. Buyers and sellers experimented with
various authentication instruments such as cryptography, digital
signatures, digital certificates, and other types of endorsement from
trusted third parties. Even credit card companies joined the fray by
promising zero liability to their card users for Internet transactions
gone awry. All of this raised the cost of transacting business online
and still seemed somehow inadequate to overcome the distrust fostered
by "invisible" parties to a deal. Despite "certificates" and other
measures, one never could quite be sure who -- or what -- exactly was
sitting at the keyboard on the other end of the digital superhighway.
Biometric identification systems promised to link a Web identity with
a flesh and blood person. Although high at first, prices for
biometric devices suitable for use with standard home PCs were
beginning to come down. Thus, despite slower-than-expected growth,
biometric identification systems for online transactions were already
making gains in the marketplace. However, with no focal point of
standards or organization around which such systems may collect into a
comprehensive whole, use of biometrics has been too fragmented to
address the problems raised above.
II. Identification in an Unfamiliar World
In a world in which we may never see an individual with whom we have a
relationship -- business or otherwise -- or in which we do not know by
personal recognition a multitude of people passing by us on the
street, sitting near us in a workplace, or living next door, we have
no unassisted way to verify whether one is who he claims to
be. However, the problem of how to verify identity when the individual
is not known to us personally is not a new one. It has instead simply
been enormously amplified by the stream of strangers we must interact
with, on some level, every day. The following classification system
sets out old and new responses to this problem.
A. Things Known
The simplest, and perhaps oldest, means of identity verification is
the humble password -- a word, phrase, series of numbers, anything
that can be communicated and memorized. Passwords have worked
reasonably well for centuries and may be as old as language itself.
However, they are easily compromised, and once revealed, lose all
their value. Elaborate systems of frequently changing passwords,
issuing random passwords, and in the digital context, encrypting all
use of passwords, has helped, but few security experts expect
passwords to ever be foolproof, or even tightly controllable --
particularly when the system to be secured includes more than a
handful of people.
B. Things Carried
Since antiquity, signet rings and other limited edition physical
tokens have been employed to signify identity and/or authority.
Variations of this designed to operate over a distance are
certification techniques such as the wax seal, which has modern
descendants in the digital signature and certificate. The advantages
of Things Carried over Things Known is that the former can be made
hard to reproduce, and thus hard to compromise through counterfeit.
The latter are essentially infinitely reproducible. Of course, this
ignores the actual strength of Things Known -- when used properly,
they are invisible and thus very difficult to reproduce by outsiders
(the would-be imposter is forced to guess). Further, their ease of
reproduction actually assists insiders where an organization is in
flux and would not know in advance how many identifiers would be
needed. In the digital age, the distinctions between Things Known and
Things Carried may break down a bit as encrypted passwords become part
of digital signatures. The weakness of Things Carried is that it may
be relatively easy to capture the physical object and then reproduce
it. At the moment, however, Things Carried, in the form of digital
signatures and certificates, are still the first choice of many
security experts.
C. Things Sensed
1. Human Sensing
Both of the foregoing techniques are normally back-ups to the
fundamental way that humans recognize each other: visual, aural, or
other direct sensory evaluation of another human in proximity to us.
This arguably cuts out instrumental mediators and is the "best" way to
identify other humans. At least it is the way that most of us feel
comfortable with in making an ultimate determination of who is who.
Yet, this method is almost completely useless in assessing the
identity of one who is not already known to us. Further, its
effectiveness drops off quickly in proportion to the length and
closeness of our association with the other individual. Nonetheless,
most of us would accept that the best way to determine whether the
individual standing in front of me now is the same person who stood in
front of me yesterday is by sensory evaluation of this individual's
physical characteristics in comparison with my recollection of the
physical characteristics of the individual who stood before me
yesterday.
2. Machine Sensing (Biometrics)
Biometrics may be functionally described as the attempt to create
technology that identifies people mechanically in a manner similar to
the way we ordinarily identify others, i.e., recognition through the
human sensing apparatus. But, analogous to how attempts at artificial
intelligence seem to underscore the complexity and opaqueness of the
human thought process, attempts to automate identification underscore
the complexity and opaqueness of the processes of identity and
recognition.
Identity is complicated because things change over time. This is
particularly true of living things. In fact, philosophers have
questioned whether a living thing at time T1 has any real connection
with the "same" living thing at time T2 save some degree of physical
continuity (note that many of the atoms and cells that make up the
entity will even be different at the different time slices). This
quandary is exacerbated by the length of time between T1 and T2.
Accordingly, theories of human recognition, and their implementation
in biometric identification systems, employ a fluid, self-adjusting
concept/algorithm to keep the identification process in synch with the
changing person. Unfortunately, manufacturers desiring to sell their
systems without lengthy, difficult-sounding technical explanations,
assert that the physical characteristics which they test are unique
and unchanging. Neither of these statements are necessarily true.
The technology of biometric identification may be summarized as
follows. Beginning with some physical or behavioral human
characteristic that is asserted to be unique for each individual
(e.g., fingerprints), a biometric system employs an electronic sensor
that picks up certain relevant details of that characteristic and then
records the particulars of these details as a digital code. This code
is the "template" which is entered into, or "enrolled," into the
central or local database of the biometric system and linked with
identifying biographical facts about the person who has just enrolled
in the system. When enrolled individuals want to access the area
protected by the biometric system at a later time, they present their
identifying characteristic to the sensor again, only this time the
biometric sensor creates a digital code of the characteristic to be
compared with templates already in the database, not to enroll it as a
new template.
However, because (i) it is difficult to have enrollees in the system
present their identifying characteristics in precisely the same way
each time (e.g., they place their finger in a slightly different
position on the finger reader), and (ii) some of these identifying
characteristics will change over time, most biometric systems
incorporate a self-adjusting probability matching procedure whereby
the presented characteristic does not need to match the template
exactly, but within a certain range of tolerance. This range of
tolerance can be increased or decreased, but doing so changes the
error rates of false positives and false negatives. Increasing the
range of tolerance will also increase the chance of false positives --
the system will "recognize" individuals as being enrolled in the
system when they are not -- while decreasing the chance of false
negatives -- the system will not fail to "recognize" individuals
enrolled in the system. Decreasing the range of tolerance will
achieve the opposite effect. At the same time, when a presented
characteristic is deemed a "match" against an enrolled template, the
details of the presented characteristic are combined with the details
of the enrolled template and a new composite template, "updated" by
the presented characteristic, is substituted as the official enrolled
template in the system database. In this way, changing identifying
characteristics are monitored "on the fly" and a user does not risk a
false rejection error rate that increases over time as the
characteristic continues to change.
There are currently no biometric systems that produce zero error
rates. Further, vendors' claims of super low error rates -- less than
.5% either way -- have been subject to much criticism, which
criticisms at the very least argue persuasively that even to the
extent that the biometric systems achieve the stated error rates in
"perfect" lab test situations, they will perform very differently in
real world applications. Criticisms regarding the effect such overly
optimistic estimates may have on perceptions of the validity of
biometric identification systems seem plausible as well: we may
misplace our trust in the "infallibility" of such systems leading to
(i) a false sense of complacency, or (ii) the ultimate identity theft
nightmare in which it becomes nearly impossible to show that one's
identity has been stolen. A further difficulty is that we each have a
finite set of identifying characteristics -- in the event that one of
my characteristics, or the template therefor, is compromised, I cannot
use that characteristic anymore. While I do have 10 fingers, I only
have one face, two retinas, etc.
The main types of biometric systems are as follows: (i) finger or hand
prints; (ii) retina imaging; (iii) iris recognition; (iv) face
recognition; (v) voice verification; (vi) signature/keyboard dynamics;
and (vii) DNA fingerprinting. Each also has certain specific pros and
cons regarding the level of intrusiveness of the sensing procedure,
the degree of "proof" regarding the characteristic's uniqueness in the
human population, the extent to which the characteristic is
perceivable in the individual by the casual observer, and the ease
with which the characteristic can be altered or impersonated.
Currently, the most widespread biometrics in actual use are finger and
hand prints. Iris and face recognition seem to be gaining steadily as
the biometric of choice however, possibly because they can be done at
a distance and without the active participation of the individual to
be identified. DNA fingerprinting may be seen as the holy grail of
biometric systems for various reasons, but it is probably the least
deployed or in actual deployment planning stages.
It is crucial to note that in all of these systems individuals, and/or
their identifying characteristics, must be enrolled before the system
can identify them. There is no system extant or planned that will
simply start "recognizing" people out of the blue. This is common
sense after some reflection -- humans cannot "identify" someone whom
they have never met or have never received a description of either.
Furthermore, up until recently, none of the biometrics systems worked
at a distance, i.e., they all required some level of proximity and/or
participation by the individual to be identified. Now, however,
identification can be done at a distance -- e.g., through face
recognition -- or with material left behind by a person who is not in
proximity to a sensor -- e.g., hair, skin, or bodily fluids for DNA
fingerprinting. But still, the individual must have already been
enrolled in the system for a match to be made, even though such
"enrollment" can be involuntary and unknown to the individual, such as
when a photograph might be used to enroll the subject of the photo
into a face recognition system.
Biometric identification systems are not perfect, but they may be all
that we have to substantially improve upon the existing flawed
identification systems based on photos, PINs, etc. Final
considerations to keep in mind are that (i) biometric systems work far
better when the individuals to be identified want to be identified
(e.g., to get their money out of an ATM), and (ii) systems based on a
one-to-one matching protocol -- so-called "authentication" where an
individual presents himself to the system and the biometric is used to
verify that he is who he claims to be -- are faster and more efficient
than those based on a one-to-many protocol -- "identification" in
biometric industry parlance where an individual is analyzed by the
system, with or without his knowledge and/or consent, to see if his
relevant characteristic matches any already on file in the system.
The question of how biometrics may best be employed to solve the
problems set forth in Part I above will be determined by deciding what
exactly it is that we are trying to achieve.
III. Stand and Be Counted
Part I of this paper outlined at least two pressing areas in which
biometric ID systems might offer help -- anti-terrorism efforts and
facilitation of e-commerce. There are of course other areas in which
biometric ID systems have been implemented or planned: (i) physical
area security; (ii) computer/network security; (iii) financial
transactions; (iv) government benefits distribution; (v) voting; (vi)
law enforcement; (vii) passports, visas, and immigration; (viii)
prisons; (ix) military personnel ID and data; (x) access to dangerous
or valuable objects; and (xi) general, multi- application personal ID
and data cards. Some of these solutions provoked strong criticism.
A. Carrots or Sticks?
The harshest criticisms for proposed identification systems seem to be
reserved for those systems that are mandatory and which will inflict
penalties on non-compliers. In particular, any system that would
require all Americans to obtain a ID card, and perhaps display it on
demand to law enforcement, will still, even after 9/11, likely run
into stiff, probably insurmountable, opposition. And this is perhaps
appropriate -- visions of menacing Nazi SS-type agents in full
jackbooted regalia snarling "Papers, please!" at us on every street
corner still resonate strongly. Whatever the actual source of unease,
it has been potent enough to quash attempts at mandatory national ID
cards in the past, and, if the Bush Administration is any indication,
it will continue to vitiate any near-term attempts to do the same.
Interestingly, however, smaller scale efforts at mandatory biometric
ID systems have succeeded, sometimes even over vocal criticism.
? California and other States have made biometric identifiers a
mandatory component of driver licenses. The California vision was not
limited to verification of the driver holding a particular license,
but was rather linked to a larger law enforcement strategy in which
CHP officers with biometric thumbprint readers connected to
wireless-equipped laptops could send both the digital information on
the drivers license, as well as the live scan of the driver's
thumbprint, to a central processing station which could then determine
whether the driver and/or the card were linked to any other criminal
(or other) investigations. Opponents to the system were quite vocal
and worked hard to prevent its deployment, although they were
ultimately unsuccessful in doing so.
? Federal and many State agencies committed themselves a number of
years ago to migrating to electronic benefits transfer ("EBT") systems
for distributing welfare and other benefits to both crack down on
fraud and streamline the process of delivering such benefits. A major
component of these initiatives is a biometric ID system. Connecticut
and New York have led the migration on behalf of the States with
systems that require a biometric ID verification for access to
benefits. Criticism has been more muted towards these initiatives,
but some commentators would likely attribute this to the fact that
welfare recipients, like prison inmates, comprise part of the
disempowered "fringe" of U.S. society who bear the brunt of unpopular
policies that would be successfully rejected by more powerful groups.
? The Illegal Immigration Reform and Immigrant Responsibility Act of
1996 ("IIRIRA") mandates that all Border Crossing Cards contain
machine-readable biometric ID features by 2002. Similar to the EBT
systems mentioned supra, the Border Crossing Card system is imposed on
persons who lack the political power of certain groups of U.S.
citizens -- of course this is because they are not U.S. citizens at
all. Thus, criticism has been muted here as well. However, there is,
of course, significant literature debating what rights non-citizens
should have under U.S. law [need short summary/cites for this].
? The Department of Defense began its "common access card" program in
1995. This common access card was envisioned as a "multi-functional,
cross-service utility card with a magnetic stripe, integrated computer
chip (ICC), a bar code and static information. . . . [that] combines
non-updatable information (name, social security number, blood type,
photograph, etc.) and updatable information (medical pay,
qualifications) in the same card." Currently, the card is being
rolled out to "selected sites in the Quantico and Tidewater areas of
Virginia and overseas in Germany and Korea" but it will eventually be
required for all Department of Defense personnel.
On the other side of the fence, non-mandatory public and private
biometric initiatives have generated far less attention and criticism.
? INSPASS. In 1993, the INS debuted its Immigration & Naturalization
Services Passenger Automated Service System ("INSPASS") for qualified
frequent international travelers. Basically, INS runs a background
check and assesses your risk potential. If you are deemed low-risk,
then they will create a hand geometry biometric that is entered into
the system and encoded on a magnetic stripe card together with your
relevant biographical data. In turn, this enables you to bypass the
normal Customs lanes by presenting hand and card at an automated
portal. The portal's computer matches the data on the card with your
hand and runs both through a growing number of federal, state, and
international hand print databases. In most cases, the traveler is
permitted to pass in a matter of seconds.
? PORTPASS. Similar to INSPASS, PORTPASS uses the same biometric
technology to allow frequent land border crossers to pass more
quickly. The first PORTPASS test program was initiated at Hidalgo,
Texas. Presently, PORTPASS offers both a dedicated commuter lane and
an automated permit port in some locations. The biometric Border
Crossing Cards mandated by IIRIRA, as discussed above, can be used
with PORTPASS. ? ATMs. A number of banks have rolled out biometric
identification features at their ATMs to replace PINs for account
access. Usually the biometric used is either face recognition or iris
scan, some may be using finger recognition. ? Perimeter Security.
When biometric systems were more costly to install and maintain, their
use for perimeter security was limited to super secure facilities such
as nuclear power plants and high level government/military buildings.
As the cost has come down, a wide range of other facilities have
installed biometric systems -- from the obvious, such as airports, to
the not-so-obvious, such as a large specialty foods store in
Manhattan. ? Time and Attendance. Many companies have installed
biometric systems to replace the traditional "card punch" time and
attendance systems used to record (and monitor) hourly employees' work
hours. Similarly, some schools have instituted biometric systems to
control access to cafeteria lines and dormitories. If a mandatory
nationwide ID system will not be possible, as a political matter, then
what of a non-mandatory one? The obvious problem is that the very
people we would like to identify -- terrorists and con-men -- are just
the people who would not opt-in to the system. But, where sticks are
unavailable, carrots often can do the job instead. Thus, even civil
libertarians such as Alan Dershowitz have recently been musing about
an optional national ID card that would essentially be an expanded
version of INSPASS : those who qualify and opt to use the system can
move through entrance screening requirements for various sensitive
places in an abbreviated version of the more arduous process that is
being (or will be) implemented at airports, popular public
attractions, etc. But, is this really a carrot or a stick? Does
carrot or stick status depend on the order of events: i.e., it is a
carrot only if a burden already exists (e.g., the more onerous
screening process to board a plane) before a benefit (e.g., a boarding
"fast lane") is made available for those who conform their actions
appropriately? Conversely, do we consider it a stick only when no
burden currently exists, but we will impose one in the form of a
penalty for those who do not conform their actions appropriately? One
can imagine the line between stick and carrot being blurred by a
tactic analogous to the standard retailing trick of quietly raising
prices a month or so in advance of a "big sale" -- the "burden" is put
into place in full anticipation of the subsequent unveiling of the
"benefit."
Regardless of the coherence of the carrot/stick distinction, it is one
that has been successfully relied on in the past: e.g., Congress has
repeatedly used its spending power to regulate indirectly behavior by
States or individuals that it could not regulate directly. Thus,
Congress can "bribe" states with federal highway funds to increase the
minimum drinking age or lower the maximum speed limit. Accordingly,
the perception of whether any national ID card proposal is a carrot
rather than a stick may rely on whether a demonstrable burden exists
before the benefit of the ID card system is dangled before the public.
B. Inclusion vs. Exclusion
Even assuming that we create an appropriate carrot to induce
individuals to opt in to a voluntary national ID card system such as
Dershowitz and others have proposed, will such a system achieve our
ends? Presumably, those ends are to prevent further terrorist
attacks, although I would add the facilitation of Net communities and
e-commerce as well. Two flaws to such proposals arise immediately to
mind. First, a national ID card would presumably only be issued to
U.S. citizens. However, at this point we believe that all the
terrorists participating in 9/11 were foreign nationals and we further
believe that the largest ongoing terrorist threat comes from
non-citizens as well. At the same time, Internet fraud is perpetrated
by U.S. citizens and foreigners alike. Accordingly, even a mandatory
"national" ID card would miss those whom we most want to identify.
Second, a two-tiered screening procedure for all who want access to a
target service may make the overall administration of such a screening
system more difficult than a single procedure system would, while the
success rate of the two-tier system may wind up being no better than,
or even worse than, that of a single procedure system. This is
because the two-tier system must now implement and maintain two
separate screening procedures, arguably doubling the work to be done
by system administrators. Neither will be perfect and each will need
to be constantly updated to deal with new types of challenges in the
cat and mouse game qthat is accepted as the only constant in the
security profession. Further, the normal security challenges of
keeping up-to-date may be exacerbated because the two separate
procedures could essentially wind up competing with each other as well
as with the system's attackers: as one procedure is "hardened" in
response to some new threat, this may simply drive the attackers to
focus all their efforts on the other, now relatively more vulnerable,
procedure.
Thus, the real issue is inclusion versus exclusion. Who should be
allowed to use target services at all? Individuals who we know
nothing about and simply hope to figure out by some "rigorous"
screening procedure whether they will attempt to harm us? Or
individuals about who we know some sufficient baseline biographical
data (e.g., who they are, where they come from)? The problem with the
former is that it requires us to know and anticipate in advance all
the ways in which someone might take advantage of the target service
to harm us. The consensus after 9/11 seems to be that no one
seriously thought that individuals armed only with box cutters could
commandeer an airplane -- accordingly, box cutters were not even
prohibited on board. It would indeed be hubris to think that we can
now foresee every other way that target services may be misused in the
future. Of course, none of this precludes the fact that someone whom
we "know" might attack us as well, or that our biometric ID card may
fail us, but security measures have always been about "hardening"
targets, not achieving the impossible by making them impervious.
Accordingly, the best way to implement a national ID card system to
achieve our ends may be to limit the use of target services to only
those who carry the national ID card. We may also decide that, to the
extent that an equally rigorous U.S.-issued foreigner ID card can be
deployed, foreign nationals who carry such a card may use the target
services as well. This system will give us a much better -- although
admittedly not perfect -- means of protecting ourselves from many of
the methods that terrorists need to use to harm us, as well as to
create the kind of trust networks necessary for e-commerce and other
community activities to flourish on the Internet. More importantly,
the ID card system would allow those who so desire to enter a
"society- within-a-society" where the quid pro quo is that each
identifies some baseline biographical data regarding who they are,
where they came from, and, possibly, what they are "doing" in the
society.
Controversial? Very. However, it may be the only ID card proposal
that actually addresses our real concerns and objectives. Which is
not to say that it should be implemented, but rather that, given these
concerns and objectives, this is the level of system likely needed.
Further considerations driving this single federally issued ID card
system are that: (i) the cost and inconvenience to both target service
providers and target service users will multiply quickly in a world
where each service screens and issues its own ID card; and (ii) the
more different standards and systems that are out there, the more
difficult it will be for any target service that wishes to rely on
another service's ID cards, rather than issue its own, to keep up to
date on what constitutes a "valid" card for that other service.
C. "Trademarking" Ourselves
One frequently overlooked issue in biometric identification systems is
ownership of the biometric template. Even if it were established that
I "own" parts of my body -- e.g., DNA or tissue -- it would not
necessarily follow that I own any digital representations thereof. In
fact, I probably would not in the same way that I cannot assert
ownership over photographs that have been taken of me by others. But
the uses of biometric identification seem to carry more impact that
use of photographic identification because biometrics can be used in
e- commerce/cyberspace as a proxy or token for the real me in a way
that a simple photographic image cannot. For example, biometric
identifiers qualify as signatures under the E-Sign Act whereas a
simple JPEG or GIF of me likely would not.
Consequently, in both cyberspace and real space, it is increasingly a
digital version of you (we might call it your "avatar") that allows
the real you to move about and conduct transactions. But, at the same
time, the template that constitutes your avatar is not immune to the
hacking that threatens all information technology systems -- the same
kind of "identity theft" that is being perpetrated through fraudulent
acquisition and use of credit cards, social security numbers, drivers
licenses, etc. is virtually certain to strike the new biometric
identifiers as well. And once this biometric identifier has been
compromised, you cannot simply replace it as you would change your
compromised PIN or access card. Therefore, even absent any
considerations raised by 9/11, it seems advisable that each of us has
ownership, or at least control, over our templates -- something not
currently afforded in any biometric systems to my knowledge. The
counterargument is that where a commercial entity creates the template
using its proprietary technology for a security system I am enrolled
in, why should it give me ownership (or control) of "my" template?
Further, where the system is put in place by a third party -- say my
employer -- why would I have rights to "my" template over even my
employer?
However, assuming that we make the policy decision that individuals
should have some (or all) rights to their biometric templates, then
the question shifts to how best to establish and enforce these rights.
Further complicating the matter is the fact that a biometric
distorting or "morphing" technology developed by IBM makes it possible
that someone could independently generate your template through no
interception of your actual template or the characteristic it is based
on, and with no intent to commit identity theft, but rather through a
desire to set up a pseudonymous identity. Recall also that it is not
illegal to change one's name and/or establish aliases in [most/all]
States. Arguably, it would be equally legitimate to establish alias
biometric identifiers. Does resolution of the resultant dispute turn
on priority of use or who generated the template as an un-distorted
biometric? What about where both claimants have templates based on a
distorted biometric? Should this be resolved along the lines of the
resolution procedures for Internet domain names or Lanham Act federal
trademarks?
Regardless of what preferences we establish for priority of ownership,
we should import the registry idea, if not the dispute resolution
procedures, used in both the Internet domain name system and the
Lanham Act federal trademark system, to bring order to any system of
personal ownership or control of templates. Thus, we could create a
template registry system in which the template used for an
individual's national ID card is registered along with any other
templates which that individual may wish to register. This would also
mirror public key and digital certificate systems which require a
central coordinating body to prevent duplication of identifiers. It
would be essentially a "trademark" system for individuals; but,
whereas the standard trademark system exists to establish the origin
of goods in commerce, our template registry would be created to
establish the origin of avatars in cyberspace.
Of course, legal protection cannot prevent actual duplication and
fraud, but the Lanham Act federal trademark system has proven
reasonably successful in reducing fraud by giving trademark holders
substantial legal recourse for infringement of their registered
trademarks over what recourse they would have under a common law fraud
or misrepresentation claim. Indeed, it is the public nature of the
trademark system that gives it value -- how else would I know what a
manufacturer's official trademark was for purposes of identifying
their goods? Further, how else would we cut down on the confusion
engendered when two parties independently and innocently begin using
the same mark? Thus, a template registry should benefit our use of
biometric systems in similar ways.
D. Citizen of the Republic
Assuming now that such a system would achieve our stated ends, could
we implement such a system? This question is ambiguous in at least
three ways. First, do we have the technological ability to implement
such a system? The answer to that is most likely yes, although the
system won't be perfect -- no technology fix will be sufficient on its
own. Second, can we legally implement such a system? The answer to
this is most likely yes as well. While perhaps distasteful to some,
and barring any new legislation directly prohibiting our system,
implementation will follow on the precedents of such things as:
licensing drivers, doctors, lawyers, and accountants; requiring
passports or other suitable border crossing ID to enter the U.S.; and
of course, requiring a photo ID to board a commercial airliner. We
regulate entire professions and industries -- and the individuals that
make them up -- all the time. We regulate some individual behavior
simply for safety and efficiency reasons, e.g., drivers must drive on
the right side of the road. Finally, we even regulate in ways that
are arguably quite paternalistic, e.g., mandatory seat belt laws. It
is the third ambiguity -- should we, as an ethical matter, implement
this system? -- which will occupy the remainder of this paper.
There are at least two important subsets to this ethical question: (i)
is it proper for us qua sovereign to establish such a system, knowing
that we may be "bribing" individuals to participate in something they
might not otherwise participate in; and (ii) is it proper for us qua
individuals to opt-in and accept a system that arguably constitutes a
Faustian bargain in which we exchange some freedom and privacy for
some security and convenience? I suggest that the standard normative
debate over national ID cards rests incorrectly on a framing of the
problem as a trade off between freedom/privacy and
security/convenience. Instead, the proper context should be a higher
level dialogue concerning the real and/or desired nature of our
society -- in particular a rethinking of where we are, and/or desire
to be, along the spectrum between libertarianism and communitarianism.
And, while I will not attempt to establish which position is "right"
(probably neither), I will argue that the national ID card system
proposed herein allows both positions to co-exist, to some degree,
while also allowing individuals to decide which perspective suits them
better and live accordingly.
The notion of a "social contract" goes back to the writings of Plato.
In one of the Socractic Dialogues, Socrates articulates the reasons
why he will not escape from an Athenian prison and thus avoid the
death penalty that he has been sentenced to by arguing from the
perspective of the Laws of Athens:
"Then consider this, Socrates," the Laws might say. "If we speak the
truth, aren't you attempting to wrong us in what you now undertake? We
gave you birth. We nurtured you. We educated you. We gave to you
and to every other citizen a share of every good thing we could.
Nonetheless, we continue to proclaim, by giving leave to any Athenian
who wishes, that when he has been admitted to the rights of manhood
and sees things in the City and its Laws which do not please him, he
may take what is his and go to one of our colonies or a foreign land.
No law among us stands in the way or forbids it. You may take what is
yours and go where you like, if we and the City do not please you.
But whoever among you stays, recognizing the way we render judgment
and govern the other affairs of the City, to him at that point we say
that by his action he has entered agreement with us to do as we
bid. . . ."
Plato more fully establishes his vision of the good and just state,
and the role and obligations of all citizens thereof, in the Republic.
Aristotle continues this line of social thought, which is then handed
down through the Christian tradition of Augustine and Aquinas to
modern Western culture. Rousseau writes probably the best known
explicit formulation of the social contract concept, but it is also
taken up by Hobbes and Locke. Closely intertwined with the social
contract tradition is the doctrine of "natural law." At the risk of
alienating both its proponents and detractors, I will impose a working
definition on "natural law": it is the view that there is some set of
objective, external laws/principles that (i) we can know and (ii) are
neither subjective nor mere human convention or custom. The natural
law tradition begins with Plato and Aristotle as well and continues
through the same Christian tradition of Augustine and Aquinas; it is
today perhaps best exemplified by the writings of Robert George and
John Finnis. An exegesis of these expansive doctrines here is both
unnecessary and unhelpful. It is also best left to more qualified
authors. For our purposes, there are two important underlying themes:
(A) control systems which individuals willingly/voluntarily enter into
-- preferably explicitly and not just implicitly -- are as a general
matter more ethically acceptable than control systems which are
imposed upon individuals without their consent; and (B) individuals
are "better off" -- as either a pragmatic/utilitarian or moral/ethical
matter -- when they enter society than if they remain in a "state of
nature."
Implementation of social contract theory and natural law, particularly
as an all-encompassing ideology of the state, have arguably led to
tyranny of the majority, totalitarianism, and oppressive paternalism.
I do not believe that these are necessary outcomes of social contract
theory and natural law, however. Further I think they are more likely
to occur when social contract theory and natural law are used as the
only system/ideology of the state. At any rate, I would instead like
to use (A) above in a more limited manner to justify the establishment
of our proposed voluntary national ID card system by us qua sovereign.
In short, this justification says that: (i) because social contract
theory seems most potent where (x) the system to be established is
voluntary and full disclosure is made of the risks and benefits of
such system and (y) consent to become part of the system is explicit
and not merely implicit; therefore (ii) our proposed national ID
system, which has both these characteristics, is on solid ethical
grounds.
Next, we must consider why we qua individuals might be justified in
choosing to enter into the proposed national ID card system. Can we
adopt the pragmatic/utilitarian sense of (B) above and simply state
that we may enter society because we will be "better off" as our lives
are safer and more convenient? And, following from this, can we
assert that we may enter the proposed national ID card system because
it too will make us "better off" in the same way? Certainly Hobbes
and Locke would have supported this idea. But then what of Benjamin
Franklin's now oft-quoted maxim -- "They that can give up essential
liberty to obtain a little temporary safety deserve neither liberty
nor safety"? Like most great sayings this seems to say much, but
proves little. Why have we done something wrong when we exchange
"essential liberty" for "a little temporary safety?" What is
"essential liberty"? More importantly, even before 9/11, this quote
had been transformed into a more general position that any exchange of
freedom or privacy for security or convenience is wrongheaded. But,
again, exactly why is such an exchange bad? Is it because, as a
practical matter, trading freedom for security does not work because
we subject ourselves to someone else's power, at which point our
"security" is contingent on their continuing to protect us? But that
is not really the case here because we have already accepted the rule
of our constitutional democracy, at least on some implicit level.
Further, referring again to Hobbes and Locke, this general position
runs squarely against one of the standard rationales for why
individuals enter society at all. Returning to Franklin's maxim, it
does not condemn just any exchange of liberty for safety, but rather
an inequitable one where we give an important liberty for an
inconsequential, fleeting safety. In one respect, he may be
disparaging what would be a bad deal under any circumstances.
Further, it is not clear that accepting our national ID card, in the
absence of add-ons such as new police stop and search procedures
related to it or abuse of the (limited) data that it will contain,
would constitute the giving up of an "essential liberty." Neither is
it clear that the resultant safety from implementing such a system
would be "little" or "temporary."
I would suggest that much of the current bite of the general "no
freedom for security" position, as well as Franklin's maxim, relies on
a perception that many citizens have of their relationship with the
government as adversarial, at least in part. Sadly, this should not
be the case. Ours is supposed to be, in the phraseology of high
school civics classes, a "government by the people, for the people."
A discussion of how we have moved from that sentiment to the current
conception of government as the "other" is far beyond the scope of
this paper. I would simply note that at the very least we must
acknowledge that as imperfect as our democracy might be, it is still
far different from the kind of despotic monarchies and oligarchies
that Franklin was likely thinking of when he penned the original
quote. Accordingly, I think we might be able to justify an
individual's acceptance of the national ID card system because he or
she is "better off" just on the basis of increasing his or her safety
and convenience, which is in accordance with one of the traditional
rationales for entering society at all. And while this justification
may be hotly debated by the "no freedom for security" types, a key
strength of the system is that it is voluntary -- those who think it
is a bad deal need not participate.
Of course, Ellison et al. would argue that we are not in fact trading
any freedom for security anyway. First, we are not limiting what we
can do merely by accepting a national ID card (even a mandatory one):
it is the government actions or restrictions that might be tied to the
card that could limit our freedom. Second, to the extent that our
concern is that we are giving up some privacy, these individuals would
argue that we really have no privacy anymore anyway and that whatever
data could/would be placed on the card is already available to the
government and others through various electronic databases. Whether
or not these arguments are persuasive, I do not think that this, nor
the pragmatic rationale outlined above, is the correct debate.
Instead, I believe that we must consider the ethical/moral sense of
(B) together with the actual and/or desired nature of our society.
Stemming out of the same Plato/Aristotle/Augustine/Aquinas lineage as
social contract theory and natural law is a paternalistic
communitarian philosophy which asserts that individuals need guidance
to live a good life and that it is a proper role of the state --
indeed an obligation of the good and just state -- to impose this
guidance on its citizens and enforce conformance thereto. A core
component of this philosophy, particularly in its Kantian form, is
that in a state of nature individuals are slaves to their passions:
they need the guidance of a well-ordered, good and just state to free
them from such passions and allow them to live rational, intellectual
lives (which are assumed to be "better"). Thus, besides leading a
good life, the individual is in fact more "free" by entering into such
a paternalistic communitarian society. One flaw often attributed to
the traditional version of this paternalistic communitarianism is that
the decisions regarding what constitutes the good life, and therefore
what "guidance" should be enforced, are not made by the people but
rather by some ruling elite such as Plato's philosopher-kings. And it
is true that many of us might reject a system wherein some elite group
or individual is anointed as the unqualified arbiter of what is right
and wrong, or what constitutes the correct life, and how we should be
forced to conform our lives accordingly. In fact, this seems to be
the hallmark of "fundamentalist" groups such as the Taliban, whom we
generally think are both misguided and dangerous.
But such an all-encompassing, top-down approach is not a necessary
component of a communitarian program. Further, while communitarianism
is often associated with attempts to "legislate morality," the first
does not entail the second. Instead, one commentator defines a purely
communitarian perspective to be one that holds that "social cohesion
is valuable not merely as a means of preserving order (and other goods
which sometimes come as the fruit of co-ordinated human activity), but
as something worthwhile for its own sake." A further explication of
this doctrine asserts that, "[t]he identification of one's interests
and well-being with that of others to whom one is thus integrally
related is essential to community (as it is to marriage) considered
not merely as instrumentally valuable (whether for the sake of peace,
order, prosperity, prestige, or any other extrinsic goal) but as
intrinsically worth while." Of course, one can enhance a
communitarian position with a recommendation that we should legislate
morals, but that is not a necessary outcome of the position.
This communitarian philosophy is often set against the libertarian
tradition stemming from Mill and Bentham. Based on Mill's "Harm
Principle," this libertarian tradition asserts that states are
ethically justified to use force on their citizenry only to the extent
necessary to prevent one citizen from harming another. This
perspective coincides nicely with the standard American self-image of
rugged individualists tracing our ideological roots back to myths of
the Wild West. It also works well with Bentham's utilitarianism. The
necessary corollary of the libertarian tradition is that citizens
should be free to do whatever they desire, so long as they do not harm
one another. A libertarian ideology also complements a pluralistic
value structure wherein we accept that there are many different
"correct" moral/cultural systems and that we should allow them all to
co-exist. A result of all this is a moral relativism which in turn
dictates that (i) morality should be excised from law and (ii) laws
should be made and kept only to the extent that they lead to
pragmatic, efficient outcomes.
I believe that many of us have conflicting views regarding
communitarian and libertarian perspectives (even if we don't think of
them in those terms). I suspect that many of us would give
libertarian responses to abstract questions about the place of morals,
religion, etc. in our society: e.g., these are private matters that
should be of no concern to the state. At the same time, I think we
act like communitarians in much of our daily lives and in responses to
concrete ethical questions: e.g., we seek "communities-of-interest" of
which we can be an integral part and which entail specific norms of
behavior. Further, our laws reflect this conflict, for example: we
don't allow prayer in schools to maintain the separation of church and
state, but many states outlaw private sexual relations between
consenting adults of the same sex; and we actively promote free and
efficient markets, but we do not allow economic efficiency to trump
all other concerns (e.g., we regulate industries even though this may
be inefficient for their corresponding markets). Finally, I would
argue that many, if not most, Americans believe that our laws and
system of justice do (and should) espouse at least some minimal value
system rather than existing merely as a pragmatic set of rules put in
place to keep us from hurting each other too much.
In 1995, Francis Fukuyama published his landmark book "Trust" which
argued that economic prosperity actually relies on the "social
virtues," and, in fact, a far more communitarian society than one
would expect from the standard utilitarian economic tradition stemming
from Bentham. Fukuyama's analysis correlates with the historical
findings that even America -- home of the rugged individualist --
prospered not because of individuals maximizing their utility as
against all others, but rather by being part of tightly-knit
communities with layered networks of business, social, religious, and
civic connections. These layers were mutually reinforcing, and, for
economic purposes, enhanced the prosperity of the overall community by
establishing a predictable business environment in which individual
actors were constrained against both freeloading and end game
opportunistic behaviors because such actions would have strong
repercussions in other areas of the individual's life (e.g., social
ostracization, moral condemnation, etc.). Thus, when the Stranger
came to town, he was more suspect than welcome until he could "prove"
that he was trustworthy -- this "proof" being simply the passage of
sufficient time and interactions with the locals such that he
demonstrated his willingness to become enmeshed in the layers of
connectedness within the community.
We are not that society anymore, as Fukuyama points out, with
potentially adverse effects to our future prosperity. Many of us
associate the communities Fukuyama sketches with small town
xenophobia, provincialism, gossip, and a lack of privacy. Such
communities may impose too much conformity on their inhabitants,
resulting in a stultifying homogenous society. They may also set the
stage for witch hunts and McCarthyism-type blacklisting of those who
are merely "different." More importantly, they run up against two
other central American values: (i) we should be free to reinvent
ourselves and have a fresh start if we so desire; and (ii) we should
be free to be who we are, even if that is unpopular with the majority
in our community. Yet, we are conflicted about these as well.
Megan's Law exemplifies the conflict over (i): we want convicts to
have a fresh start after paying their debt to society, but we also
want to know when former child molesters move into our neighborhood,
particularly when we have children. "Don't Ask, Don't Tell" policies
in the military typify the conflict over (ii): we generally think that
gay people should be able to come "out of the closet," but we don't
want to know about it, particularly when they are in the military.
Nonetheless, based on the foregoing in total, I think one might accept
the moral/ethical variant of (B) -- that is, individuals are "better
off" when they enter society because being an integral part of a
community is a good in and of itself that outweighs the negative
consequences of entering the society. Of course, Fukuyama's argument
for participation in communities is a little different and may be seen
as a meta-economic/utilitarian perspective: we must become enmeshed in
layered communities and value the social virtues because then we will
be more prosperous as well. Either way, we can then justify an
individual's choice to enter our national ID card system because he or
she is taking an affirmative step to become an integral part of the
society-within-a- society created by the system. Accordingly, because
we have established a justification for our creation of the system as
a sovereign and for our voluntary entrance into the system as
individuals, we can argue that it is ethical to implement the system.
But there is a further value to exploring the potential communitarian
angle to our system. It can be argued that many Americans have been
seeking a greater sense of community for some time now. The standard
libertarian perspective on this has been that everyone is completely
free to participate in non-state religious, cultural, or social
communities-of-interest. However, this answer appears to be
unsatisfactory to a substantial number of Americans and numerous
commentators had bemoaned our increasingly fragmented and disconnected
society. In light of 9/11 it appears that terrorists took advantage
of just this absence of tight communities to "hide in plain sight" and
move around the country without arousing much suspicion.
Interestingly, Lord Patrick Devlin, a Twentieth Century proponent of
communitarianism and natural law, proposed in his "disintegration
thesis" that a society which lost its sense of shared community and
values would suffer a disintegration of the "social order." At the
time, his thesis was considerably weakened by H.L.A. Hart's demand to
see empirical evidence that this had in fact happened to any society.
George later tried to reconstruct Devlin's thesis by claiming that
Devlin probably meant "social cohesion" rather than "social order."
What is lost is the satisfaction of citizens to feel that they are
integrally related to and interacting in a meaningful way with their
fellow citizens and the society as a whole -- essentially the formerly
integrated community "dis"integrates. The circumstances of 9/11 and
after may now give some evidence for a position somewhere between
Devlin's thesis formulation and George's reconstitution of it: our
loss of shared community and values over the past decades may have led
not only to a disintegration of social cohesion, but it also invited
attacks by those who would destroy our social order.
I would argue that further evidence for the negative consequences of a
loss of shared community and values is the rise of divisive religious
fundamentalism and orthodoxy in this country. What may be seen as an
excess on one hand -- the fanatical separation of the state from
anything smacking of morals or values -- may have provoked an opposite
excess on the other hand -- numerous individuals, particularly the
young who grew up under the extreme agnosticism of the current state,
flocking to strict fundamentalist or orthodox groups for their
community and values. Further support for this speculation may be
seen in the enthusiastic embrace of the new patriotism especially by
those in their 20s and 30s.
Accordingly, the terrorist attacks may have provided a galvanizing
focal point around which a new sense of national community and values
may coalesce, as has been suggested in numerous articles. We should
not squander this opportunity, but neither should we use it to swing
the pendulum to the opposite extreme. Those who want to stand up and
be counted as part of a national society that is larger and broader
than the communities-in-interest we are supposed to satisfy ourselves
with can be given a formal mechanism to do so -- the national ID card
system and its attendant national community of "affirmative" citizens.
At the same time, those who continue to hold a strong libertarian
perspective can stay out of the system, arguably continuing on as they
had before the system came into place. My hope is that formal
entrance into the system will also encourage informal community
building among system members, perhaps analogous to the anecdotal
evidence that naturalized citizens tend to be more civic-minded that
natural born citizens. This community building will be no less
valuable in the online world where the absence of communities of trust
is increasingly seen as a stumbling block to achieving the flourishing
e-commerce and Net communities envisioned in the early days of the
Internet.
By providing a self-reinforcing feedback loop, the planned
communitarian aspects of our national ID card system may in turn help
counteract the limitations of the technology itself. As described
above, biometric identification technologies are most effective where
(i) participants want to be identified and (ii) the human operators of
the system execute their tasks diligently and intelligently. By
essentially limiting the system to members who affirmatively want to
participate, the success rate of the technology should be higher than
in adversarial environments. Further, communitarian sentiments among
the participants should encourage an extra level of citizen-policing
wherein suspicious activities/persons who get past security
checkpoints -- real or virtual -- are reported by members of the
community. On a practical level, the culture established within the
system should encourage/empower all members to ask "who are you?"
"where did you come from?" and "what are you doing?" with all the
attendant layers of meaning -- positive and negative -- which those
questions represent, and with far more frequency and acceptability
than is presently the case in our disinterested and disconnected
national society. We are encouraged to do something similar with our
children, e.g., become more actively involved in their lives. Why not
with the other members of our community, many of whom we rely on in
important ways for our safety, well being, and flourishing? And after
all, aren't these really the questions we would most like answered
before we place ourselves into a sealed cabin with two hundred other
people and begin hurtling through the air at 600 mph, all while seated
above x tons of incendiary jet fuel?
IV. Conclusion
Both the terrorist war and Internet fraud present challenges, which,
as the saying goes, are really opportunities. Ironically, part of
what the terrorists and extremists claim to hate about us -- our
materialism/consumerism and lack of strong family/community ties --
are things that many of us may not be too crazy about either. Perhaps
even more ironically, our reversal, or at least tempering, of these
traits may be our best weapon against the terrorists. Not because we
would be capitulating to the terrorists, and therefore they would have
no reason to attack us anymore, but rather because, when coupled with
the national ID card system described herein, we will largely prevent
them from "hiding in the open" and using our own alienation and
disconnectedness to wander "unseen" among us wreaking havoc where they
will. At the same time, the much heralded Net communities and
e-commerce system may well be stumbling under the weight of a
libertarian ethos that allows a minority to sabotage the cooperative
efforts of the majority. Our proposed national ID card system,
coupled with a more communitarian perspective on the part of members
of that system, could go a long way to creating virtual "safe/trust
zones" on the Net in which commerce and community could take place
with greater success, all while leaving an "untamed" libertarian Net
space for those who prefer that.
The proposals to counter the terrorist threat that have been discussed
publicly to date either: (i) do nothing; (ii) do too little; (iii) do
too much; or (iv) create more problems than they solve. (i) seems
foolhardy, if not impossible as a political/emotional matter. (ii) is
exemplified by the move to "tighten up" existing security procedures
at airports, etc. -- a process that has already been shown to be
deeply flawed on both conceptual and implementation bases -- as well
as by other purely ad hoc solutions, particularly those that focus
only on what has already been done and not on what might come next.
(iii) is perhaps best demonstrated by Ellison's call for a mandatory
national ID card, or cautious murmurs about rounding up Arabs and/or
torturing suspected terrorists. (iv) pertains to ad hoc solutions
that will be difficult to integrate with, or may be cross purposes
with, other solutions, e.g., the ATA's proposal for an air travel ID
card or system. This latter suggestion has been tentatively endorsed
by Richard Clarke, White House National Security Council staff
coordinator for security, infrastructure protection and counter-
terrorism, as part of a larger alternative to a mandatory national ID
card: "'Not one national ID card that we force everybody to have,' but
multiple, voluntary cards that could improve the efficiency of
activities . . . ." But, as discussed above, we do not need a
proliferation of ID cards/systems for different facets of our lives.
A concern that I did not fully address in the body of the paper is
whether the proposed system will create a two-tiered society,
particularly where the success of the system prompts more and more
target services to require the ID card until it seems that the card is
required to participate in any aspect of modern life. It is hard to
predict whether this will happen, and more difficult still to predict
how much of a downside it will present. Nevertheless, one
counterargument is that our proposed system may not be categorically
different from the situation today where I need a bank account,
credit/debit/access cards, driver license/state ID/passport/visa,
credit history with one of only three private credit agencies, social
security number, etc. just to partake in the benefits of modern life.
Further, both currently and in our proposed system, it is still
possible to live "off the grid." This last point is crucial. The
problem with a mandatory national ID system is that it removes this
last "safety valve" whereby Americans can in fact (or in fantasy) drop
off the radar screen and live simply and privately. This is not an
academic point, as demonstrated by the numbers of Americans who have
decided that just such a simple and anonymous life is well worth
giving up modern "conveniences."
At the other end of the spectrum from citizens who choose to live "off
the grid" are citizens who accept Ellison's proclamation that "privacy
is an illusion" today and who do not much mourn its passing. For
other citizens, the very notion of true citizenship may include a
rejection of anonymity -- the point is that being a citizen is an
affirmative act of standing up and being counted as a member of the
society/state, not just lurking around the edges as if by default or
accident. Our proposal respects all of these positions and allows
them to continue to co-exist: it simply makes explicit what has
previously been implicit, and in doing so, hopefully fosters
thoughtful dialogue, introspection, and decision making by the
populace.
In summary, our proposed opt-in national ID card system should create
a "society-within-a- society" that relies on both (i) a high tech
"passport" to enter and operate inside the system, and (ii) a
nationwide affirmative civic community that is more communitarian than
libertarian in nature. It is meant to illuminate the problems with
existing proposals that seem inadequate to achieve our real objectives
and lack the contextual, ethical analysis that would justify their
implementation. This paper attempts to sketch a deeper analysis of
what those real objectives are. In doing so, the intent is to bring
us out of a reactive mindset that looks only to patching what has
already gone wrong, and into a pro-active stage that will help not
only restore some of the security we used to believe we enjoyed, but
also, and more importantly, allow us to address root societal issues
that existed before 9/11, and which themselves may have been building
to crisis and contributing to an environment in which 9/11 and other
tragedies could occur.
Described in Part II infra.
Of course, a consumer's liability for any fraudulent or unauthorized
online transaction -- where, by definition, an electronic funds
transfer had occurred -- was only $50 to begin with. But, then again,
most consumers who refrained from online transactions because just
"anyone" might get access to their credit card numbers did not realize
that they had already given out their credit card numbers to quite
likely thousands of strangers over the years -- restaurants, stores,
taxis, mail order catalogs, and so on. Further, for a very long time,
vendors who accepted credit cards and used the old-fashioned roller
embossing machine to record the information on the card simply threw
away the carbon sheets between copies. This invited disreputable types
to "dumpster dive," retrieve the carbons, and then have access to
numerous credit card numbers, expirations dates, and authorized
signatures.
This is an important relevant distinction and can translate into the
distinction between identity and psuedonymity. We will define
identity as knowledge of the particulars of a flesh and blood person;
pseudonymity will be defined as acceptance that a presenting person
has the authority to enter into a proposed transaction.
Some have argued that the olfactory sense played a critical role in
identification for early humans.
Unless of course we have photographs or other reasonably detailed
and precise representations of the person's physical characteristics.
This is sometimes referred to as either the "Type I" error rate or
the "False Acceptance Rate" ("FAR") of the system.
This is sometimes referred to as either the "Type II" error rate or
the "False Rejection Rate" ("FRR") of the system.
However, infrequent users of the biometric system may suffer a
greater than normal (for the system) false rejection rate because
their template has not been adjusted gradually as the characteristic
changed.
[insert cites to Sandia tests, etc.] This can be due to some
combination of environmental and human operator challenges. See
FEDERAL ADVISORY COMMITTEE ON FALSE IDENTIFICATION (FACFI), U.S. DEP'T
OF JUSTICE, THE CRIMINAL USE OF FALSE IDENTIFICATION (1976); Simon
G. Davies, Touching Big Brother: How Biometric Technology will Fuse
Flesh and Machine, 7 INFORMATION TECHNOLOGY & PEOPLE (1994); Gerald
Lazar, Agencies Scan Biometrics for Potential Applications, FEDERAL
COMPUTER WEEK, January 20, 1997.
Joseph P. Campbell, Jr., Lisa A. Alyea, and Jeffrey S. Dunn,
Biometric Security: Government Applications and Operations (last
visited March 28, 1997). Finger or hand print biometrics are the most
popular probably due to our familiarity and comfort with the validity
of ink fingerprints as a unique identifier.
;
Electronic Benefits Transfer: Use of Biometrics to Deter Fraud in the
Nationwide EBT Program, GAO Report No. OSI-95-20 14-20 (September
1995). This process should not be confused with a photographic
process -- there is no "picture" of the print or palm, but simply a
sequence of measurements of distances between the ridges of the print
or dimensions of the palm.
This biometric is based upon the alleged uniqueness of the pattern
of blood vessels lining the retina of the individual human eye.
Carter, supra note 3 at 409; Electronic Benefits Transfer: Use of
Biometrics to Deter Fraud in the Nationwide EBT Program, GAO Report
No. OSI-95-20 22-24 (September 1995).
Different from a retina scan, iris recognition focuses on
imperfections in the color and texture of the individual human iris
(the colored part of the eye surrounding the pupil). Carter supra
note 3 at 409; IriScan, Welcome to IriScan Online (last visited March
31, 1997) ; Sensar, The Company at a Glance
(last visited March 31, 1997) .
Peter Kruizinga, The Face Recognition Home Page (last visited March
31, 1997) ; Miros,
True Face: The Ultimate in Personal ID (last visited March 31, 1997)
; Identification Technologies
International, One-on-One Facial Identification System (last modified
March 19, 1997) . Biometric face
recognition systems attempt to surmount the obvious foils of wigs,
glasses, facial hair, etc. by measuring the relative position of fixed
features of human faces (e.g., ears and noses). See A. Pentland,
B. Moghaddam, T. Starner, O. Oliyide, M. Turk, M.I.T. Media
Laboratory Perceptual Computing Section Technical Report No. 245,
View-Based and Modular Eigenspaces for Face Recognition (1994).
Unfortunately, the term "voice recognition" has already been applied
to devices that recognize spoken words regardless of who is speaking
them. Thus, "voice verification" is used to distinguish the capability
of recognizing whose voice it is. Carter, supra note 3 at 411;
Electronic Benefits Transfer: Use of Biometrics to Deter Fraud in the
Nationwide EBT Program, GAO Report No. OSI-95-20 24-5 (September
1995); Voice Control Systems, Inc., SpeechPrint ID Verification
Technology Brief (last visited March 31, 1997)
; Veritel Corp., Speaker
Identification Security Comes of Age (last visited March 31, 1997)
. Aging, colds, voice modulators, and
impersonators plague the development of this technology, yet it has
progressed notwithstanding.
These biometric techniques measure (x) the direction, speed, and
pressure of the writing instrument as a person signs his or her name,
or (y) the timing and rhythm of a person's typing on a keyboard.
Carter, supra note 3 at 411- 412; Electronic Benefits Transfer: Use of
Biometrics to Deter Fraud in the Nationwide EBT Program, GAO Report
No. OSI-95-20 25-7 (September 1995); PenOp, What is PenOp? (last
visited March 31, 1997) ;
Communication Intelligence Corporation, "Sign-It" for Lotus "cc:Mail"
(last visited March 31, 1997)
. This biometric is not
necessarily incorporated into the electronic signature pads currently
used by some retail stores and shipping companies -- these pads may
simply digitally capture the signature as a graphic (e.g.,
bitmapping).
Perhaps the ultimate identifier, this biometric previously was
hampered by its high level of physical intrusiveness: the tissue or
blood sample required for testing and matching was relatively large.
This biometric has probably the clearest scientific claim to
uniqueness. Further, with the advent of DNA testing that can work
with even miniscule amounts of tissue -- e.g., single hairs or a
couple of sloughed off cells -- the practicality of this biometric has
dramatically increased from even a few years ago. David F. Betsch,
DNA Fingerprinting in Human Health and Society (last visited March 31,
1997)
For more detailed descriptions of these, see Sean O'Connor,
"Collected, Tagged and Archived: Legal Issues in the Burgeoning Use of
Biometrics for Personal Identification" 3 BENDER'S IMMIGRATION
BULLETIN 1245, 1247 -- 1249 (1998)
E.g., weapons or automobiles.
See www.epic.org/privacy/biometrics/ .
See www.epic.org/privacy/id_cards/ .
See www.infoworld.com/articles/hn/xml/01/09/27/010927hnnatlid.xml .
See supra
J. Harry Jones, Now it's Tougher to Hide: Computer Net Checks Prints
at Touch of Key, San Diego Union- Tribune, February 1, 1994, at 1;
Jeff Collins, Fingerprintouts; The Process of Identifying Suspects is
Undergoing a High-Tech Conversion in Orange County and Other Areas,
Orange County Register, May 10, 1994, at B01; John Jordan,
Fingermatrix Ready to Take Fingerprint Device to Market, Westchester
Co. Business Journal, May 22, 1989, at 1; Milena Jovanovitch, [no
title], Courier-Journal, August 13, 1989, at 14A.
[cite]
See Federal Electronic Benefits Transfer Task Force, From Paper to
Electronics: Creating a Benefit Delivery System That Works Better and
Costs Less: An Implementation Plan for Nationwide EBT 1 (1994)
(Interagency Committee) [hereinafter EBT Task Force Report]. See also
Electronic Benefits Transfer: Use of Biometrics to Deter Fraud in the
Nationwide EBT Program, GAO Report No. OSI-95-20 (September 1995).
[need short summary and cites for this]
Identification cards allowing Mexicans and Canadians who live within
75 miles of the US border to enter the US for short periods of time
(up to 72 hours).
This program was originally known as the "Multi-Technology Automated
Reader Card" ("MARC") program. 1996 Authorizing Appropriations for
Military Activities of the Department of Defense, S. Rpt. No. 112,
104th Cong., 1st Sess. (1995).
Id.
See www.defenselink.mil/cgi-bin/dlprint.cgi .
[UPDATE] Nearly 80,000 travelers are enrolled in this program, and
INS plans to expand the program to airports in San Francisco, Chicago,
Miami, and Los Angeles shortly. INS, U.S. Dep't of Justice, Draft
Statement of Standards and Guidelines for Developing an Immigration
and Naturalization Services Passenger Accelerated Service System
(INSPASS), 60 Fed. Reg. 9697 (1995); Ronald J. Hays, INSPASS: INS
Passenger Accelerated Service System (last visited January 4, 1997)
; INSPASS and IDENT
Branch Out, BIOMETRIC TECHNOLOGY TODAY, Sept. 1996, at 5; Lisa Corbin,
Icons of Information Technology, GOV'T EXECUTIVE, Dec. 1996, 33-4.
Id.
Ronald J. Hays, INSPASS: INS Passenger Accelerated Service System
(last visited July 7, 1997)
.
[check this and get cites]
[get cites for this section]
[get cites; store is Eli's on Upper East Side]
[get cites; RSI materials re school lunch line]
Dershowitz does not mention INSPASS -- and it is unclear whether he
was aware of the system when he wrote his article -- but it is
arguably a better analogue for his system than the "EZ-PASS"
"FAST-PASS" and other automated toll payment programs he refers to.
Alternatively, one could think of this as a Coase-Theorem type
question of perspective.
But is this really just a different way of saying that Congress
penalizes states that do not go along with Congress' wishes in these
regards by withholding federal highway funds?
Although the analysis does not rely on the conjunction of the two,
but rather only the disjunction. Furthermore, we might throw in some
or all of other justifications that have traditionally been advanced
in favor of national ID cards generally.
This is why the ROCID proposal targets only visas and other
identification documents issued and required by the U.S. for entry by
foreign nationals into the country.
Replacing the panoply of other foreign national ID documents
currently issued by the U.S.
This is similar to the difficulty today for ID checkers faced with
the fact that 50 different states issue driver licenses, and each
State often has multiple "valid" forms of such ID at any given time.
This doesn't even begin to include the myriad of other types of
identification -- visas, passports, etc. -- out there as well.
Although I can, in certain circumstances, exercise legal control
over how such photographs are used, reproduced, or distributed.
Absent some additional content of the file or context in which it is
sent that somehow indicates that I intend to use the file as my
"signature."
See http://www.anu.edu.au/people/Roger.Clarke/DV/Biometrics.html .
See id.
Although, I could possibly switch to a different biometric
identifier -- say, from finger image to iris scan -- if the system I
wanted to access allowed for multiple types of identifier
technologies. But, as mentioned supra, I only have so many
identifiers to go through.
[cite]
Absent a demonstrable intent to steal someone else's identity.
This might also be seen as an extension of Tom Peter's "you are your
own brand" theory. [cite] It is also interesting that a
Net/performance art piece entitled "Trademarking Mouschette" appeared
in 2000. [get cite from Mark] Of course, this artwork seems to have
intended to show the dehumanizing aspects of an overly commercialized
world in which individuals are nothing but commodities. More
esoterically, it may also further the claims of "Mark of the Beast"
doomsayers.
We might ask why we would allow registration of templates when we do
not allow trademark registration of personal names. But the reason we
disallow registration of personal names is because there is
substantial overlap in the usage of such names and it would be unfair
to decide who, of thousands of individuals, should get to register
"John Smith." But, the degree of overlap for templates should be
fairly small, even including the use of distorted templates, and so we
could employ decision processes analogous to those used for competing
trademark registration claims.
While I have some graduate training in ethics, I would not claim to
be an ethicist. Thus, it is with some trepidation that I venture into
such territory.
GREEK PHILOSOPHY: THALES TO ARISTOTLE 106 -- 107 (Reginald E. Allen,
ed. and trans.) (The Free Press 1991).
This definition does not include any reference to "sociobiology" or
similar systems which might claim that human custom or convention just
is natural law -- such customs/conventions have been naturally
selected, in the Darwinian sense, as the best adaptive behavior to
increase reproductive success of humans and thus represent something
external and objective about our world.
Just what constitutes "willing" or "voluntary" can of course be
problematic. Generally we would like it to mean a volitional course
of action entered into based on a rational, reflective decision
process unaffected by outside coercion and in accordance with
long-range life plans. However, we may be "coerced" in many
different, sometimes subtle ways, at the same time that it may be
quite rational to succumb to such coercion.
Depending on your preferences. The pragmatic/utilitarian argument
descends from Hobbes and relies on a belief that in a state of nature
few of us could achieve the safety, material comfort, etc. that we can
as part of organized society. The moral/ethical argument descends
from Aristotle through Augustine, Aquinas, and Kant and relies on a
belief that humans in a state of nature are mere slaves to their
passions, reacting to the world around them; when an individual enters
organized society and accepts its rules, he frees himself from such
passions by subjugating his base will/passions to his rational
intellect.
Obviously, where one rejects the strength of social contract theory
even in the "ideal" situation set forth here, then one would likewise
logically reject the ethical justification of our proposed national ID
system.
HISTORICAL REVIEW OF PENNSYLVANIA [get exact cite] I use this quote
not because there is anything magical or privileged about it, but
rather because it has both been used frequently in the current debate
and because it sums up the outline of the debate over national ID
cards even before 9/11.
In the words of Larry Ellison, "all you have to lose is your
illusions [of privacy]." Other prominent software/information
technology moguls have made similar statements.
ROBERT P. GEORGE, MAKING MEN MORAL 68 (Oxford University Press, 1993).
Id.
Of course, an economist could argue that regulation has in fact
increased the overall efficiency of a particular market because the
increased confidence which consumers have in an industry's
products/services leads them to purchase more than they would
otherwise. Yet, this is not the argument of economic free marketers
who still argue for deregulation and truly free markets.
As in game theory non-iterative prisoner's dilemma games wherein it
is more advantageous for the players to "cheat" or "defect" because
they will maximize their value (over cooperating).
I asserted this value on a Canadian television program in 1997 to
argue against the "if you've got nothing to hide, you have nothing to
fear" justification for anti-privacy tracking and surveillance
technologies. I assumed most viewers would find the anti-privacy
justification hollow at best, but was surprised to find exactly this
justification being successfully used by British authorities to
support their extensive public surveillance networks as reported in
Jeffrey Rosen's recent article on the subject. Professor Rosen
advanced his own version of (i) in attempting to show why such a
anti-privacy justification would not work in America. [cite]
[NYT cites]
George uses a marriage analogy to strengthen our appreciation for
this value: we would not consider the relationship between a husband
and wife in which they were no longer in love but still lived together
and co- ordinated their activities just for practical ends to be the
same as one where the couple is in love and co-ordinate their
activities because of the intrinsic value of being together in the
relationship.
And across the world in a backlash either against the "corrupting"
libertarian influence of the pervasive American/Western culture or
against the declining communitarianism of other developed Western
nations as well.
[cite NYT articles]
Of course, the obvious response to this is that the system will
create a two-tiered society that is very different from what we have
now.
[cites]
It is interesting to note that Net communities such as the Well,
Slashdot, and Rhizome.org have run into problems with managing
themselves as a community as they grew beyond their original members
who generally all knew each other. As unknown new members quickly
joined, the "noise" level -- represented by anonymous or pseudonymous
spammers, flamers, and cranks -- threatened to drown out the signal
quality in some of these communities. The communities that have
successfully dealt with this problem seem to have done so creating
different participation levels and feedback mechanisms that can
selected among by their members. [cite Steve Johnson article]
Note that this point highlights a crucial difference between the
feasibility of our system and general face recognition systems being
considered for airport screening. Our system utilizes the more
effective and efficient one- to-one matching protocol, whereas the
general screening systems are relying on the easily fooled and
inefficient one- to-many matching protocol.
[cite Partnership for a Drug-Free America and similar ads]
[Insert NYT article cite and quote]
This is not a polemic against all hackers, many of whom actually
have legitimate political/cultural/technology agendas. Nor is it even
placing the blame on what I would consider to be the aimless, bored
hackers who are separate from the "agenda" hackers. Instead it is an
argument against that the majority of users who want to cooperate and
create useful systems and communities should not allow themselves to
be trapped by an ideology that they may neither really agree with, as
a day-to-day value, nor which serves any real purpose to them.
Although this may also do too little as discussed supra.
[get NYT cites]
[cite CNN article].
[get estimate of number of Americans living "off the grid"]
This is not the same as a rejection of privacy or clearly demarcated
zones of privacy, but rather that when we are "in public" we expect to
be recognized and known. For Discussion Purposes Only -- Do Not Cite
Without Author's Permission
24 v.1 -- 11/15/01