IP: Progressive Policy Institute wants biometric license-smartcards

[Dave Farber <dave () farber net>]

------ Forwarded Message
From: Declan McCullagh <declan () well com>

[I invite Rob Atkinson of the Progressive Policy Institute to reply.
Previous Politech message with background is here:
http://www.politechbot.com/p-03149.html --Declan]

---

Date: Tue, 19 Feb 2002 08:23:46 -0700
From: "Ralph S. Hoefelmeyer" <ralph.hoefelmeyer () wcom com>
Subject: I heard their VP speak RE: National ID? Driver's licenses to
become biometric smartcards
To: declan () well com
Cc: rshoefelmeyer () netscape net

Declan,
Dr Robert Atkinson, VP of PPI, was the keynote speaker at the Smart Card
Alliance on 6 February 2002 in Austin, TX.    He pushed the technology of
smart cards for a national ID, saying that 50 standardized DMV cards were
not an national ID.  He was indifferent and dismissive of privacy concerns,
marginalizing those who cared about civil liberties as "fringe groups".  In
fairness, in discussions afterward, the fact we *do* live in a police state
was taken as a given [try telling some cop, as you walk down the street,
"no, you can not see my ID"; we can discuss later how to get that shoe print
off of your back].  PPI is just as dangerous to freedom as any of the right
wing groups, they are simply more open to the use of technology.  Their
purported "third way" is simply another name for "national socialism".
I queried Dr. A on the database errors that were sure to crop up.  He was
dismissive of this problem, saying it was not pertinent to the goal of
identifying everyone.  He was also not ready to add teeth to his proposals,
where abusers of the ID system (LE, IRS, etc.) would be held accountable.
Typical Beltway Wonk ...
Ralph

Ralph S. Hoefelmeyer, CISSP
<these views do not represent those of my company, so please use the CC'd
e-mail address for responses and attribution>

---

Date: Sat, 16 Feb 2002 14:51:33 -0800
From: Roderick Sprattling <rls () wiseworks com>
Reply-To: rls () wiseworks com
To: declan () well com
Subject: Re: FC: National ID? Driver's licenses to become biometric
smartcards
References: <20020215213447.A32352 () cluebot com>

Declan,

Ham and Atkinson have either missed or ignored two practical problems in
this scheme (quite apart from privacy issues). First is the obvious dilemma
of multi-function devices: You pack a lot of functionality in one card, but
lose the card and you may have lost you driving license, your cash, your
voter registration and your season ski pass. Since all data must be stored
on the card, there is no backup. Consumers will learn, then decline in
droves.

Second is the likelihood that counterfeits *will* be made: They're just too
valuable. If the smart card driving license is accepted as absolute proof
of identity, documents and transactions based upon the counterfeit smart
card are even less likely to be questioned. Those holding counterfeit IDs
will find their way strewn with flowers.

Rod
---
Roderick Sprattling
rls () wiseworks com

---

Date: Sat, 16 Feb 2002 23:08:52 -0000 (GMT)
Subject: Re: IP: USNews' Dana Hawkins on biometrics, facecams, and 'light
prints'
From: "Paul Holman" <pablos () shmoo com>
To: <declan () well com>
Cc: <farber () cis upenn edu>, <dhawkins () usnews com>

Declan,

I believe there is an important line to draw for the use of biometrics in
authentication.  The thrust of my argument is that no biometric
technology is acceptable unless the profile data is fully within the
control of its subject.  So for instance, a smart card with a finger print
reader onboard would be a great way to make authentication more
convenient for me, so long as my profile and the means to match it
are also on that card.  This model prevents large databases of profile
data from being compiled anywhere.  In my experience, most
biometric technology companies have no clues about creating secure
devices, and their implementations are more easily hacked/
circumvented without attacking the weakness of the technology itself.
Additionally, I know of no implementations that meet my litmus test
described above.

I have a small web page where I maintain ongoing critique of
biometrics at <http://pablos.kadrevis.com/projects/biometrics>.  I'll be
posting more information about the current state of the art here.  I
apparently need some motivation to elaborate on my arguments, so
please feel free to direct some flames my way.

Thanks,

pablos
--
Paul Holman
The Shmoo Group
pablos () shmoo com

---

From: "Taylor, Stephen" <STEPHEN.TAYLOR () saic com>
To: "'declan () well com'" <declan () well com>, politech () politechbot com
Subject: RE: National ID? Driver's licenses to become biometric smartcards
Date: Tue, 19 Feb 2002 12:13:12 -0500

Any writers out there who want to take this and run with it?  For an idea,
how about the police being able to actively scan your "smart" drivers
license and determine who you are as you pass them on the road?  No need to
even stop your car, they can sit in theirs and monitor all drivers passing
by.  For you runners, this would be a variation on the "chip" that is worn
on your shoe to record start and finish times.  A "chip" has a number that
is picked up as the runner passes over a sensor, the number from the chip is
used to access a database of runners and determine who the runner is from
the information located in the database.  The information is obviously
gathered when the runner registers for a race.

It would one big race with all the driving citizens entered into the
database that is owned by the Government.

Regards,
Steve Taylor

---

To: declan () well com
From: "J.D. Abolins" <jda-ir () njcc com>
Subject: Re: FC: National ID? Driver's licenses to become biometric
   smartcards
Cc: Grayson Barber <graysonEsq () aol com>

I am not an attorney but I wonder if one of the things that the smart card
IDs would do is to put the cards under the protections given computer
systems. With current paper/plastic IDs, one can study them, take little
snippets for analysis, use a microscope, use a bar code or mag stripe
reader, etc. as long as one does not create another ID card. With a
micoroprocessor smart card ID, analysis/hacking could fall under computer
crime laws. After all, technically, the bear of the ID does not really
"own" the ID token.

---

Date: Sat, 16 Feb 2002 21:24:05 -0700
From: "Allen S. Thorpe" <athorpe () etv net>
To: declan () well com
Subject: Re: FC: Pentagon test finds iris, face scan technology not that
reliable

No one should be surprised that the hype for new technologies is ahead of
the
actual results.  That's the history of everything to do with personal
computers and the internet. All this stuff is in its infancy.

What concerns me is the mystique of privacy and the reference to it as a
right.  Rights are carefully defined legal protections and when they are
extended in one area, they often reduce the rights of someone else or
everyone else.

Other "rights" are illusory.  I have had discussions with people who feel
violated by police cameras in public areas, when they have no such feelings
about being in plain view by plenty of other people.  Some segments of
society view routine vigilence by policy as a personal intrusion.  I wonder
what they say when they get mugged after the police reduce their presence.

The most offensive privacy violations are not committed by government, but
by
people who are given personal information in exchange for benefits and
conveniences, but these can also be used to track criminals (video cameras
in
stores and at ATMs, for example).

Technology is seldom pure evil or an unalloyed blessing, either, but
reducing
the whole issue to a one word epithet is not the way to make good decisions.

Allen S. Thorpe
Telephone: (435) 381-2543

U.S. Mail:  95 East Main St.
   P. O. Box 1238
   Castle Dale, UT  84513

Office e-mail:                                              Home e-mail:
thorpe () co emery ut us                              athorpe () etv net

---

From: "Tony Dye" <tony () bluetree ie>
To: <declan () well com>
Subject: RE: Duncan Frissell on AAMVA, licenses as biometric smartcards
Date: Mon, 18 Feb 2002 11:09:13 -0000
Message-ID: <BOEKKKDKGDHMJNHIAAMBOEMFCAAA.tony () bluetree ie>

Declan,
         Here's the text of the letter I sent to Rep. Loydd Dogget (my rep
in Texas)
a while back. I also sent a copy to both Texas senators. Rep. Doggett always
replies to my emails... neither Senator ever does. Of course, Democrats in
Travis County need all the GOP voted they can get, so he's got some
incentive.

         I'd also add to this that a Driver's licence is a nasty way to
drive people
into getting their data recorded even if they don't want to. While there
might never be a law passed to create a nation ID system, the vast majority
of the population can't 'opt-out' of a driver's licence and still eat, work,
etc. Changing the requirements for getting a licence is sneaky, underhanded,
and, IMHO amounts to government extortion. It's "Give us your valuable
personal info, or we take away your income."


***********************************
Dear Rep. Doggett,
         My name is Tony Dye, and I'm a registered voter in your district
(though
I'm currently working in Ireland). A recent Washington Times editorial
(http://www.washingtontimes.com/op-ed/20020121-166867.htm) brought to my
attention an issue of particular interest to me.

While it seems that the creation of a top-down, federally mandated National
ID card is beginning to die down, the basic equivalent is beginning to be
discussed, and acted upon, by the States. I would like to state my
uncompromising disapproval and rejection of the idea that biometric or
fingerprint ID information should be required on a Driver's Licence, or
shared with other State government agencies in any form at all. Biometric
data should absolutely never be collected in a central data repository, and
ID cards should absolutely never be mandatory in any State.

You may be aware that this is already required in Texas. I know that I have
already been forced to submit a thumbprint for my Texas Driver's Licence.
While I have been forced to provide this information, at least I could take
some action at the state level to remove these requirements. If, however,
this information is allowed to be co-mingled in a central data repository
with others from other states, I would have absolutely no recourse or
ability to prevent any number of identity- and privacy-related violations by
state agencies from all over the USA, not to mention Federal
"information-sharing" and the un-preventable hacker attacks. A central
location of personal information would be a gold mine and a permanent target
for hackers and for the FBI... and as even Oracle has recently learned,
NOTHING is unhackable.

NOTHING. No matter what they tell you. No matter what assurances are given,
no matter what procedures are put in place. Nothing. is. unhackable.

NOTHING NOTHING NOTHING.

Currently, to my knowledge, there is no law preventing the states from
sharing this information amongst themselves, but there is also no law
protecting citizens, preventing abuse of information, or outlining privacy
rights with regard to government information-shopping. Once the information
checks in, I'll never get it out again... even if Texas completely reverses
it position and severs all contact with the central database. Furthermore, I
also have no legal protection from federal data mining or even the sale of
that information to marketing firms, credit reporting agencies, or other
private businesses. Even if Texas were to enact such protections, I would be
powerless to prevent abuse by other states once I've been biometrically
recorded into a central database.

I strongly urge you to deny funding for any such database, and to oppose at
the federal level any central database of biometric or other unique
identification. Additionally, I beg you to take some action preventing the
states from requiring I prove my unique identity on demand of government
employees (including police), or submit unique personal information for
inclusion in a central (or shared) database. Unless I am accused of a crime,
I should never be required to carry or present proof of identity, or
subjected to inclusion in a state or federal ID database (whether or not it
includes biometric data). I CERTAINLY should NEVER be under threat of
punishment for an inability or unwillingness to produce my 'papers' while
otherwise being a law-abiding citizen.

Please consider this strongly, and reply to me with your current position.
As a Republican who has voted for you twice, I've been pleased and heartened
by your communications in the past (even though I haven't always agreed with
your positions). This represents a critical issue for me in the upcoming
mid-term elections.

I'm looking forward to hearing from you!

-Tony Dye
  Manager, IT Systems & Support
  blue tree systems
  tony () bluetree ie
  www.bluetree.ie

---

Date: Mon, 18 Feb 2002 09:39:10 -0500
To: declan () well com
From: Robert Moskowitz <rgm-int () htt-consult com>
Subject: Re: FC: Duncan Frissell on AAMVA, licenses as biometric smartcards

At 09:35 AM 2/16/2002 -0500, you wrote:
> [I'm hardly one to speak on behalf of the AAMVA, but I would speculate
> that their likely reply would be: DMVs have always issued both driver
> licenses and ID cards. Some people do not drive and still wish to take
> advantage of the many benefits of having state-issued ID. So if someone
> has their license suspended, they can apply for and receive a state-issued
> ID card that is NOT a driver's license -- but still has all the necessary
> biometric info. In fact, the first page of the AAMVA task force's
> recommendations clearly anticipates this possibility. It repeatedly
> mentions "the issuance of driver licenses and ID cards." --Declan]

Three other cases of IDs:

In New York, many people never bother to get driver licenses.  But they fly
a lot, so they get state IDs.

High School students traveling unaccompanied.  School IDs rarely
accepted.  City issued IDs are accepted.  My 16 year old has a city issued
ID card that he uses at the airports.

Cross Dressers.  I have a friend that has a state ID for 'her' alternate
identity.  Uses it to safely travel 'enfemme'.

---




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------



------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/