Slashdot Mirror


Single Government ID Moves Closer to Reality

NewbieV writes "The Washington Post is reporting that "federal officials are developing government-wide identification card standards for federal employees and contractors to prevent terrorists, criminals and other unauthorized people from getting into government buildings and computer systems." The project is known as the Personal Identity Verification Project, and is being managed by the National Institute of Standards and Technology (NIST)."

20 of 239 comments

  1. Oh? by mythosaz · · Score: 5, Insightful

    Wow, similar IDs for government employees? This might prove as dangerous to our freedom as, say, Military IDs.

    1. Re:Oh? by Alabama_Man · · Score: 4, Funny

      Dangerous to our freedom? Our freedom is already in the toilet. Hell, even the future isn't safe anymore, it's being sold! So much for all your plans of a "unified id card".

    2. Re:Oh? by Staplerh · · Score: 4, Insightful

      Wow, similar IDs for government employees? This might prove as dangerous to our freedom as, say, Military IDs.

      Oh, give me a break, who modded this 'Flamebait'? Give me a break, he had a valid point.

      If you don't want a Federal ID card for employees/contractors, don't join the Federal government? This is more akin to a Military ID card than a 'national ID card'. I think this is a great analogy, and if I had meta-mod points I'd mod that unfair.

      --
      "There's no success like failure, and failure's no success at all."
      - Bob Dylan
    3. Re:Oh? by The+Snowman · · Score: 4, Interesting

      Wow, similar IDs for government employees? This might prove as dangerous to our freedom as, say, Military IDs.

      Exactly. This is not a federal ID for the masses, it is a combination ID card and access badge for secure facilities. It provides a single ID so checking IDs is easier.

      Checking IDs at public places is retarded. Checking IDs at restricted access places like military bases, NASA, NSA, etc. makes a hell of a lot of sense. Joe Blow should not be allowed in the CIA headquarters. As it stands right now, each agency has its own ID card. Let's say the FBI is investigating a military member. The gate guard has to know what an FBI ID looks like if he is to provide effective entry control. By creating a common ID across the government, the gate guard knows where to look on the ID for the relevant information and what should be there.

      I have one of the new military IDs. Military, civil service civilians, contractors, everyone uses the same damn ID but certain words are different, color coding is different (e.g. civil servants have a green stripe), etc. It has a microchip built in with RSA keys unlocked by a PIN. I can use it to log in to Windows NT and Solaris boxes with card readers. If this is the future of IDs for government workers, the government finally did something right for once.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
  2. I'm against this.. take three guesses why? by Ckwop · · Score: 5, Insightful

    Oh dear jesus god no. If you're going to put all your eggs in one basket at least guard the basket well! The problem is that by unifying all the ID card systems they don't defend the basket as much as they should.

    This point can be illustrated well with safes. If it costs fifty pounds to break into a safe and I only put forty pounds worth of valuables in the safe, my safe is secure. If I get ten of these safes, each with forty pounds in them, then the total of four hundred pounds worth of valuables is secure. Now let's say I decide to replace my ten safes with a single safe! A safe that only takes three hundred and fifty pounds to break in to is no good; I need a safe that is secure in the face of a four hundred pound attack or more.

    The problem with centralising identification systems is that the new scheme is rarely more secure than the numerous schemes it replaces. Except, this time this one ID acts as identification for many types of service and this makes everything less secure. Just for the sake of argument, let's suppose I choose to attack the system in a certain way. Let's say I want to obtain a real "fake"; that is, a card that is authentic but I've paid an employee that produces the cards to put bogus information on to the card. Rather than finding two friends in two different branches of government to supply me with a real card in a fake name I only have to find a single person. This type of weakening isn't just true for this limited type of attack - this weakening is there across the board.

    Having different IDs is a simple security mechanism. It's the same reason that Microsoft's Passport technology is dying. Yes it might be more convenient to have a single "sign in" but it means that you've produced a single global failure point for the entire system. Such systems are brittle so please, I ask these people: hire some security professionals to make these decisions. Silly politicians making "security" decisions is about as helpful as putting a football coach in control of skyscraper construction.

    Simon.

    1. Re:I'm against this.. take three guesses why? by kun · · Score: 3, Insightful

      I agree, a single point of failure is just asking to be taken advantage of. However, a single well-secured standard is much better than several well-secured standards, since the latter gives more points of possible attack. I.e., a well defended main gate or several gates with the security spread amongst them... Sadly, it looks like those who designed the system are going for the single point of entry which is secured in a "let's get this done as soon as we can" fashion... Just take a look at this maze of a flow diagram! http://csrc.nist.gov/piv-project/PIV_model.pdf If their plan is to confuse people with respect to the actual usage of the card... thus foiling false identification attempts with a spaghetti bolognese of verification methods then I think they're succeeding!

    2. Re:I'm against this.. take three guesses why? by complete+loony · · Score: 3, Insightful

      But, a manager in building A should only be able to grant access to building A, and query if you have permission to access building A, not the entire government. And anyone should be able to query the system to confirm your identity. Of course the system might be vulnerable to attacks that elevate privileges.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    3. Re:I'm against this.. take three guesses why? by NoMoreNicksLeft · · Score: 4, Insightful

      Except that this isn't about protection from terrorists at all, it's about control-freakism on a rampage.

      The terrorist that defeats this, will be one with a valid ID as janitorial staff. Not someone trying to fake an ID as a junior senator. Duh.

      Don't you wonder a little bit, that they're rushing to protect all the official buildings, when people like you and I will still be unsafe in public buildings? Do they think this will have protected us at the airport prior to 9/11, or in the towers? Even the Pentagon, that was attacked, wasn't infiltrated with a fake ID, but with a 757 hellbent for the ground. Duh.

      Centralization is a fetish for the elected nazi wannabees. It won't do a damn bit of good for you and me, and only a fool can't dream up at least one way for it to be abused...

    4. Re:I'm against this.. take three guesses why? by SilverspurG · · Score: 3, Insightful

      In short, I fail to see the downside if the system is implemented by someone with the slightest of clues.

      Oh Lord. MOD THIS FUNNY.

      You have seen the people who've been hired as security screeners at airports, haven't you? You are familiar with the perfection of implementation that DC is famous world-wide for, aren't you? You are familiar with the first rule of thumb which every 18-year-old learns if they have to do any sort of real labor, "Good enough for government work."

      And, again, what is a 1024-bit cryptographic signature going to give me at work that the security guard at the front desk wouldn't have caught to begin with in terms of identification? In the hiring process new employees are paraded around for everyone to see. Some unknown can't just walk in with an ID card and pretend he's worked there for years. Even visitors from off-site, who legitimately work for our company, are introduced to the front desk and escorted around.

      --
      fast as fast can be. you'll never catch me.
    5. Re:I'm against this.. take three guesses why? by mcg1969 · · Score: 4, Informative

      The terrorist that defeats this, will be one with a valid ID as janitorial staff. Not someone trying to fake an ID as a junior senator. Duh.

      Umm, I never said someone needed to impersonate a senator. In fact, a janitor is exactly the kind of thing I'd imagine, too. And yet, even janitors don't have access to every building in the government. My comment still applies.

      Don't you wonder a little bit, that they're rushing to protect all the official buildings, when people like you and I will still be unsafe in public buildings?

      Umm, no, I don't think they believe this would have stopped 9/11. In fact I'm hoping they go on the assumption that the terrorists are exploring different ideas as well. Besides, you sure do have some interesting logic: don't bother to protect anything because you're not protecting everything.

  3. Not so bad by tirefire · · Score: 3, Informative

    Doesn't sound too bad - a single ID card for federal employees would be very handy - you just need one key to get into everything you have access to, instead of fumbling around with multiple keys and passcards.

    Until the gov't starts implanting RFID tags in our skulls to track our every move, I don't really see the danger.

  4. Or... by Anonymous Coward · · Score: 5, Insightful

    A single ID can be forged and used by terrorists for access to any government building! Brilliant!

    1. Re:Or... by mcg1969 · · Score: 4, Insightful

      Let's forget terrorists for a moment, do you really believe these badges would be designed so that an employee of the Department of Agriculture can gain access to an NSA building?

    2. Re:Or... by Zocalo · · Score: 4, Insightful

      Exactly. These things will almost certainly be like swipe cards on steroids with multiple levels of validation as to what is and what isn't permitted. In a typical swipe card system you divide your secured areas into zones, then assign each swipe card access on a zone by zone basis. That covers the "something you have" aspect of security, and you can still add in the "something you know" (keypad or other password system) and "something you are" (biometric) if you wish. Hell, you can even keep the people standing around with guns too if the situation merits it.

      I've been at large multi-building, multi-location sites that have implemented this kind of thing using smartcards. The obvious gains of increased convenience, cost savings through having a common system and ease of management are all there, but a loss in operational security isn't. It's not that such systems are invulnerable (they're not by a long shot), but they are no more vulnerable than individual systems and it's *much* easier to be sure ex-employees are completely locked out.

      --
      UNIX? They're not even circumcised! Savages!
  5. reaching? by sailforsingapore · · Score: 4, Insightful

    This is a ways away from a "single government ID". That makes it sound like we are all going to get barcodes on our necks, this is simply a way to streamline the process of verifying federal employees, just as corporations have for years...this is not a problem. It becomes an issue when the ID starts to become mandatory for the non-governmental public, where the potential for abuse is.

  6. Online single sign on by SilverspurG · · Score: 4, Insightful

    Does anyone really think that you should have a single sign on name and password for every online service, site, e-mail account? Would you want that single sign on to be linked with all of your bank accounts? Why is it bad to have everything linked together? What makes identity theft easier?

    Forget trolling about tin-foil hats or paranoid people who have nothing to hide. Let's get back to the nuts and bolts of why, from the very beginnings of nature, squirrels put nuts in many different places.

    --
    fast as fast can be. you'll never catch me.
  7. interesting by LBArrettAnderson · · Score: 3, Informative

    I'm assuming that with the incredibly intelligent slashdot editors we have here, that the part we should be paying attention to is "contractors." Well, no, I still don't see why this is important news, let alone have anything to do with my rights online.

    I'm not a government employee, and I don't plan on sneaking into any government building that I'm not supposed to be in. Are you trying to say that we have a right to have illegal access to all government property?

  8. Government-issued IDs are already here. by Pendersempai · · Score: 4, Insightful

    Drivers' licenses are ubiquitous and necessary. They are marked with identifying data and a unique number. They have your picture. Authorities are allowed to ask for it, and in general citizens are expected to cough it up. They must be checked by private parties in certain circumstances (to prove your age, for example), and in other circumstances private parties insist on checking your drivers' license as a prerequisite to doing business with you (Blockbuster, e.g.).

    Granted, each state keeps track of its own citizens' licenses, so I suppose that's one difference between the status quo and the ballyhooed National ID Card. But really, what else are we afraid of? Why don't we just bite the bullet and make citizens' identification cards necessary? The states can take care of issuing them and tracking the relevant data, and we can have laws about when authorities are not allowed to ask for identification, or when a citizen is not obligated to identify himself, just like we do with licenses. But not arbitrarily tying our ID cards to driving would be much more efficient. Why should it be harder for a blind man to identify himself at will simply because he cannot drive?

    So to everyone terrified of national ID cards, wake up: that reality arrived long ago.

  9. Spain had ID cards by permaculture · · Score: 3, Insightful

    UK Parliamentary Committee Releases Report Damning ID System http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-63601

    Spain has ID cards, but that didn't prevent the Madrid train bomb: http://news.bbc.co.uk/2/hi/europe/3500452.stm

    The British Parliament has abandoned their new ID cards for the Houses of Parliament despite the recent security breaches, as some hundreds have 'gone missing'.

    Reasons against ID cards: http://www.bbc.co.uk/dna/ican/A2319176

    ------------

    ID cards might well:

    * Worsen harassment of ethnic minorities: They'll provide another pretext for stop-and-search, often directed at ethnic minorities

    * Have little impact on counter-terrorism: Sophisticated terror networks would soon be able to produce counterfeit cards or papers enabling people to get legitimate cards

    * Have little effect on illegal working: Employers who are already willing to break the law won't be put off by identity cards

    * Lead to 'function creep': The functions of the card will grow over time as it stores more personal information. More people could demand to see it, effectively making it compulsory to carry one

    * Lead to loss of privacy: There will be a massive database containing an unprecedented amount of personal information on people

    * Be costly and impractical: There is scepticism about the cost and operability of the scheme, as well as the government's ability to manage the technology

    ----------------

    Doubts over ID card scheme http://news.bbc.co.uk/1/hi/technology/2688697.stm

    --
    Environmentalism is the new Victorianism. Everyone ties on a green corset and pretends we're virtuous.
  10. Re:Not really by crawling_chaos · · Score: 3, Insightful

    Passwords can be cracked. Should we stop using them? Locks can be picked. Do you leave your house door open?

    Properly handled IDs do contribute to security, but they are not a panacea. Nor is anything else for that matter. Security is a process, not a technology, but dismissing a unified government employee ID as "totally useless" is just disingenuous. At a minimum, it increases security by lowering the training burden on the officers responsible for checking on access rights. Can it be defeated? Sure. Is it harder to defeat than the hodgepodge of identification systems currently in use by federal agencies? Yes, it is. The current FDA IDs are a joke, for example. I would bet any talented forger would have no trouble producing a reasonable copy of one with today's technology.

    --
    You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
    -- Colonel Adolphus Busch