Do we need a national ID card?

There's something wrong when data brokers know more about you than the cops know about felons, CNET editor Robert Vamosi says.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Robert Vamosi
5 min read
With all the political wrangling about immigration in Washington, D.C., I'm surprised we haven't heard more about national ID cards.

Shortly after Sept. 11, 2001, members of the U.S. Congress took up the idea of requiring a national identity card; they did that again just before the 2004 election. But there is news out of the United Kingdom that national ID cards may become mandatory by 2010. And the initial response has been mostly bad, forcing me to ask: Do we even need a national ID card when there are more important security measures we can take?

In the United Kingdom, talk of a national ID card is linked to the establishment of a national biometric identity database. Within two years, all U.K. citizens renewing their passports will be required to submit biometric information. While they may opt out of receiving an actual ID card until 2010, the biometric data will still be collected. On the surface, biometric means, at a minimum, a photograph and a fingerprint--data currently required for most passports. I've already commented that biometric passports are not entirely secure, nor are they tamperproof.

You want security? Let's start by tracking convicted felons. Here's an excellent test bed to see whether such ID systems really work.

The U.K. biometric data collection includes foreigners, as well. Foreign nationals visiting the United Kingdom must apply for "biometric residence permits" or biometric visas and consent to be entered into a national database. Beginning in 2010, the U.K. ID cards (either for a resident or a visitor) will be required to buy or rent a house, stay in a hotel, purchase a cell phone, open or close a bank account, travel abroad, obtain medical care or register for classes. This latter provision seems geared at stopping illegal immigrants.

Scotland-based science fiction author Charles Stross thinks issuing every U.K. citizen an ID card by 2010 is nuts. He recently opined in his blog that the concept is doomed from the outset by the sheer numbers involved, numbers he derives from a post on Blairwatch.co.uk.

While I agree with Stross that the initial sign-up period seems too short, comments made by others regarding the ability of this new database to handle the volume of transactions required seem unwarranted. Denmark has had a national registration system since the 1920s, and in Hong Kong, citizens are required to carry around an ID card. In both cases, the databases are robust enough to handle new registrants and changes to existing records just fine. Privacy aside, the back-end systems really aren't the issue.

De facto national ID
In the United States, we already have a national ID card--and while it's robust, it's not exactly flawless. In the United States, the typical driver's license enables you to register to vote, and in most states, registering to vote automatically places you into the eligible jury pool.

We think nothing of showing our driver's license to verify a check or a hotel registration; we don't worry when a car rental establishment photocopies it for their records. And currently, some high-tech bars are scanning driver's licenses, presumably as a means of stopping underage drinkers, but also as a means of gathering statistics on their patrons, such as what hours certain demographic groups drink.

It's sad that data warehouses such as ChoicePoint know more about you and me than cops know about convicted felons on the street.

This latter use is worrisome, and it's likely to get worse, in part because of legislation approved by Congress last year. The Real ID Act requires states to adopt uniform standards for their driver's licenses, including common machine-readable technology, presumably RFID. The idea is that a driver's license in one state can be scanned by someone in another state. Under the Real ID Act, the information will not be encrypted--a boon for identity thieves who can already scan copycat credit and debit cards at their leisure.

With the Real ID Act, look for more businesses to scan driver's licenses with an eye toward selling the data to data warehouses, such as ChoicePoint, which have proven to be insecure.

Yet U.S. driver's licenses are commonly forged. Currently, every state has different criteria for what's on their residents' driver's licenses, even where the photo goes. The new law seeks to standardize the look and feel, as well as the information encoded within. Which means it'll be easier to forge a fake driver's license for anyone in any state in the near future. Here, it's the ID cards themselves that undermine the supposed security they bring.

So, how hard is it to produce a tamperproof ID card? Apparently, it's plenty hard. In a front page New York Times article on May 14, 2006, the Department of Homeland Security was called to task for investing tens of millions of dollars and more than four years of labor on a tamperproof ID card for airport, rail and maritime workers. Such a card does not yet exist. Much of the controversy surrounds the favors granted to pet businesses in rural Kentucky, and not whether to place a hologram or other unique identifier within the card.

With all the talk of creating a national ID card or standardizing U.S. driver's licenses, there has been very little action on something that would improve security--creating a united crime database in the United States. You want security? Let's start by tracking convicted felons. Here's an excellent test bed to see whether such ID systems really work.

At this moment, local law enforcement agencies don't have access to the full criminal profile of individuals they pull over. While law enforcement officers can see if there are any outstanding warrants, the picture is incomplete because law enforcement agencies do not standardize their information, nor is there a central database for this. It's sad that data warehouses such as ChoicePoint know more about you and me than cops know about convicted felons on the street.

If we can't yet sync the names of criminals wanted in one state with people arrested in another state, it seems to me that we shouldn't be so eager to start tracking honest, noncriminal citizens.