The Department of Homeland Security recently released a transcript of Secretary Michael Chertoff’s speech at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events. Interestingly, Chertoff spends a lot of time detailing how identification interacts with economics — especially focusing on problems arising from identity theft. Now, identity theft is a huge problem, but it’s not a problem in the domain of Homeland Security. Read the passage below and try to figure out why Homeland Security is focusing on this, rather than the Federal Trade Commission or the departments of Commerce and Treasury.
So when you think about it, identity lies at the heart of the issue of employment which touches virtually every American. Identity, more and more particularly with the use of the Internet for purposes of transacting business, lies at the heart of our entire financial and market system. If we don’t know who you are, if we don’t know whether you are accurately representing your assets and your intentions over the Internet or even transacting business face to face, we introduce an element of risk into that business model.
The Department of Homeland Security and Secretary Chertoff have spent a lot of time pushing the REAL ID national identification system as a savior for false identification problems. The REAL ID Act of 2005 mandates that state driver’s licenses and ID cards follow federal technical standards and verification procedures issued by the Department of Homeland Security, standards that even the federal government cannot meet.
The REAL ID system (pdf) also enables tracking, surveillance, and profiling of the American public through the interlinking of the motor vehicle databases of all 56 states and territories, the use of an unencrypted machine-readable zone on the state ID cards and driver’s licenses, and the ability for the system to be used for much more than the few purposes set out by the 2005 law.
In an opinion column written by Secretary Chertoff, he urged states, companies, and the general public to embrace the national identification system because he says it is trustworthy. Secretary Chertoff said “embracing REAL ID” would mean using the one ID card to “cash a check, hire a baby sitter, board a plane or engage in countless other activities.” Chertoff has deflected questions about the massive security hole created by embedding so much trust in one national identification card — people will trust the criminals who hand them forged cards. In this speech, Chertoff agrees that the fact that REAL ID and other identification cards can be forged is a security problem:
I certainly have seen intelligence that tells me that sophisticated criminals and sophisticated terrorists spend a great deal of time learning to fabricate and forge even these improved cards. The net effect of this may be that it’s going to be harder for people on campus here to get a drink when they’re under 21, but unfortunately it’s not going to be that much harder for the most sophisticated dangerous people to counterfeit an identity card.
Chertoff goes on to describe a new system of identification, where individuals would combine biographic data, a technological device, and biometric data (such as a fingerprint or DNA):
I like to say that the issue of identity authentication, determining that you are in fact the person you claim to be, really rests potentially on what I call the three Ds: description, device, and digit, and what do I mean by that? Well, description means some piece of information or something known to you and not to anybody else that can separate you from the other person who claims to be you. […]
The second is device. Now, the device we most commonly use to identify ourselves is the card, the card that can be forged in some cases […] A cell phone could be used as an identification device. If you constructed a cell phone and you created a token in a cell phone and the way the token system works, if you operate in the area of intellectual, you know, property and IT, is the token changes every 30 seconds, so that the number that flashes on the token is useless if it’s stolen because in 30 seconds, it doesn’t grant access anymore. […]
The third potential strategic leg, besides description and device, is digit, your finger, your fingerprint, more commonly described sometimes as a biometric. Your digit is unique. Your fingerprint is unique and the ability to use that as an identifier, as we do, for example, throughout the criminal justice system, gives us a third powerful tool that we can use in order to make sure that we can separate real people from impersonators.
Secretary Chertoff says he “can envision a time in the not-too-distant future” where “whether it’s for purposes of getting on an airplane, whether it’s for purposes of transacting business at a bank, whether it’s for purposes of gaining entry into a student dormitory,” that an individual will have to use at least two and potentially all three of these identifiers — biographic, device and biometric data — in order to prove her identity.
It’s interesting that Secretary Chertoff believes security comes from gathering yet more data on individuals in order to identify them. But we’ve seen that identification-based security can fail spectacularly. For example, last year in Florida, two men entered restricted areas, bypassed security screeners and carried a duffel bag containing 14 guns and drugs onto a commercial plane. They avoided detection, because they were airline baggage handlers who used their uniforms and legally issued identification cards. Both men had passed federal background checks before they were hired, according to a spokesman for Comair, the airline that employed the men. The men were only investigated and caught after receiving an anonymous tip.
If the airport had identification-neutral security systems, such as requiring all fliers go through metal detectors, then the men could not have walked past them. But the identification-based security system – allowing some fliers to skip screening because they are presumed to have no evil intent – failed, and the men transported weapons and contraband aboard a commercial flight. In fact, the airport quickly began screening all employees who enter secure areas in order to avoid a similar security breach in the future.