Educating the public about the privacy-protecting potential of smart cards and identity solutions
13 July, 2005
category: Biometrics, Library
By Dennis Bailey, Comter Systems COO & author of The Open Society Paradox
Since 9/11, when a lack of a secure identification system in America made possible the terrorist attack, I am amazed at how far and fast the identification industry has developed. Along with many observers in the field, I believe that 2005 finds us on the cusp of a breakthrough. Yet unless the industry is able to answer its vocal critics and more importantly do a better job of talking to the public about the benefits of secure identification, I’m afraid this trend may stall.
Surveying the identification landscape in both the public and private sectors, I marvel at the changes taking place. Who would have thought that after 9/11 the United States Federal government would have moved so quickly to improve identification? Today we have the US VISIT program to capture biometrics from visitors to the U.S.; an improved passport on the way known as ePassport; a presidential directive known as HSPD-12 directing federal agencies to implement a standardized smart card for all employees and contractors; and the REAL ID Act which requires federal standards for driver’s licenses.
The private sector has made as many if not more strides toward secure identification. We’re seeing fingerprint biometrics being utilized in a dizzying array of applications including in school lunch lines, store checkouts, ATMs, daycares, libraries and even storage lockers at the Statue of Liberty. Facial recognition has improved dramatically and is being used by police in Hollywood to crack down on gang members. Inmates in prison are identified and tracked with RFID and sexual offenders, once released are tagged with GPS tracking devices. An endless number of promising biometric advances utilizing DNA, vein patterns, skin texture, just to name a few, continue to emerge out of research and development labs across the country.
In the virtual world, identity management is beginning to realize its long-awaited promise. According to the Radicati Group, the identity management market, which was less than a billion dollars in 2004 worldwide, will shoot up to $10.2 billion by 2008. Consolidation in the industry has been rampant as larger companies, in order to enter the market, gobble up smaller companies with new identity management products. The acceptance of standards such as WS-* and Security Assertion Markup Language has made federated identity management within and between organizations a reality.
Even the Internet is seeing improvements in identification. The public’s frustration with spam and phishing has led to efforts such as Sender Policy Framework (SPF) and DomainKeys to provide authentication at the server level. With the recording industry able to identify individual file traders through the help of a court order, can it be long before authentication becomes accepted by Internet users? Such a thought presages a convergence where a single identity spans an entire chain of trust reaching from the physical to the virtual world.
While the idea of a convergence of identity would be welcomed by many in the identification industry, many others, particularly those in the civil liberty crowd, would find the thought anathema. Fighting for greater anonymity and privacy, groups like the ACLU have invested significant energy in preventing the spread of identification technology. Their mission is to return to a pre-9/11 world where it would be much easier for someone to disappear into a life of anonymity.
It is true that sometimes the civil liberty movement takes things a little too far. To some they appear as modern day Luddites who fear negative consequences of any new technology. To others, their use of rhetoric like Big Brother, National ID, and Panopticon seem tired and hackneyed. At times, they appear almost comical. Consider the antics of John Gilmore who is protesting the requirement to show an ID to board a plane by refusing to fly.
Other times, their extremity seems irresponsible and dangerous such as when Simon Davies, the Director of Privacy International implied in a recent speech to the Black Hat conference in Amsterdam that the privacy movement might have to prepare for “sabotage” and “guerilla warfare” tactics against computer systems. Yet as is obvious in politics, most groups have a fringe element which shouldn’t be used to discount the group’s overall message.
The fact that the public often shirks privacy in favor of conveniences such as EZ-Pass or discounts earned through shopping cards is not a reason to ignore privacy concerns either. When it comes to identification programs, especially those managed by the government, large portions of the American public become anxious. The U.S. has a long history of being suspicious of government power and for many, identity cards draw out those fears.
History shows that identification programs that don’t take privacy into account do so at their own risk. A host of efforts including Terrorism Information Awareness (TIA), CAPPS II, and the Multi-State Anti-Terrorism Information Exchange (MATRIX) were felled by a lack of attention to privacy concerns. One wonders whether the REAL ID Act will meet the same fate as the identification provisions in the 1996 Immigration Reform and Immigrant Responsibility Act which were repealed in 1999.
Clearly privacy concerns need to be addressed if identification technologies are to realize their full potential in the market. As many in the identity business are beginning to learn, an important first step in any new effort is to bring privacy advocates and their concerns to the table early in the process. It’s also wise when possible to follow the privacy-guiding principles known as the fair information practices. The guidelines are not so burdensome and those who believe in more openness should support notions like avoiding secret databases, letting individuals check their personal data and correct it when necessary and allowing them to know on how their personal information is being used.
Part of the effort to reach out to the privacy community and the public at large is a matter of education. With so many new technologies, there is often confusion about true threats to privacy. One example is when a major privacy organization criticized the ePassport program because of Bluetooth technology even the State Department had no plans to use it. An education campaign should demonstrate how privacy can be protected through secure identification. Take smart cards for instance. They allow for anonymous authentication, secure access to the card and to applications, data to be stored on the card rather than a central database and encryption of communications between the card and the reader, all of which help safeguard privacy.
Yet even more important than addressing privacy concerns, is communicating the benefits of secure identification. The industry’s message should focus, for instance, on how smart cards can make it harder to commit crimes using a fake ID, whether it is terrorists planning their next attack, sexual predators hiding from law enforcement, illegal aliens entering the country or parents on the run to avoid paying child support. Secondly, there is a need to explain how identity management tools can improve the confidentiality and integrity of data and how ChoicePoint-type scandals can be prevented in the future.
While it is likely that a campaign won’t win over the most steadfast critics of identification, an investment in marketing the benefits and privacy protections of secure identification should pay large dividends with the public, help stave off government regulation, and ensure the viability of the industry for years to come. Arguments about Big Brother and National IDs resonate best when there is no alternate vision proffered to a country that is hungry for solutions that offer both privacy and security. Rather than wait for the next ChoicePoint debacle, the time has come to be proactive with a positive vision of how identification will benefit the open society of the twenty-first century.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.