Homeland Security Director Defends Real ID

An anonymous reader writes "Homeland Security chief Michael Chertoff is defending the upcoming rollout of the national ID card as vital for the nation's security. Chertoff reminded reporters of the importance of the initiative after this week's uncovering of an ID-forging ring. The Real ID Act of May 2005 dictates the uses and requirements for the documentation, which by 2008 may be required for everything from travel to banking. Just the same, the HSD has yet to dictate how exactly the cards will work. " From the article: "The Homeland Security chief, who is nearing his two-year mark with the agency, was likely trying to quell rampant skepticism about the IDs voiced by some privacy advocates, immigrants and other groups. Some have said they fear that the IDs are a stepping stone to a veritable police state, complete with ready surveillance of individuals. Some have argued that the idea of creating more tamperproof IDs is only a marginally better way to screen out those intent on committing terrorist acts because ID cards don't even begin to tackle a core crime prevention challenge: determining a person's unspoken intentions. "

A few questions.

[CanSpice]

So how exactly would these new ID cards be forge-proof? If people are already forging IDs, what's to stop them from forging these new ones? And what problem does this national ID card solve?

Re:A few questions.

[Chris+Burke]

I find this worth mentioning in any article about national IDs that mentions a connection to fighting terrorism:

All of the 9-11 hijackers had valid ID.

If necessary, read that again and let it sink in.

I can't tell you what problem a national ID card solves, but I can tell you for sure what problem it doesn't solve.

Re:A few questions.

[mpaque]

I can't tell you what problem a national ID card solves

Oooh! I know! I know!

The problem is that right now it's just too darn hard to dig up information on the person whose ID you are checking. Under The Real ID Act, though, the state ID authority (usually the DMV) will be required not only to examine your birth certificate and social security card, but also to scan and create digital copies of them in their system, as well as collecting further information on their forms. This makes the database so created a convenient one stop shopping point for identity theft^Wverification.

Citizens, rest assured that the millions of checkpoints in airports, police cars, banks, and doctor's offices will all keep this information secure, protecting you from Evil and ensuring your continued Freedom. You do want to be Free, don't you? Just hand over the document, and you'll be Free to pass this checkpoint...

Re:Oh no, think about our children!

[ronanbear]

Terrorists don't carry ID.

Of all the stupid irrelevant measures to fight terrorism. Forcing everyone to carry ID will just make the existing millions of people in America who are out of the system go further underground. It will make it much easier for the terrorists to hide if they want to stay in America and it will be harder for the FBI to track anyone.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Where do they think they get this power from?

[Jherek+Carnelian]

It's not "mandatory", but any state that does not abide by the Real ID requirements won't recieve any federal funding for roads and such.

Which is a tactic that is abused even more than the interstate commerce clause. They take our money as federal tax and then ransom it back to us to make us do things we don't want to do.

Re:Oh no, think about our children!

[Anonymous+Brave+Guy]

Actually, terrorists often do carry ID. In fact, in most major terrorist attacks in the West since 9/11, the terrorists have been carrying genuine ID. The 9/11 hijackers used real ID to get on the planes. The Madrid train bombers had official ID. The London transport bombers were not using false ID.

This is why the whole ID card scheme business, both over in the US and here in the UK, is one big sham. In fact, our government has moved the goalposts so often, as each successive "justification" has been debunked, that I can't even remember what useful stuff they do think they'll achieve now.

And this does... what?

[pluther]

So next time there's a terrorist suicide attack, they'll know who the people involved were, because they showed ID? Kinda like... last time... ?

But, if people enter the US from other countries, they'll be using their passports for ID, not this thing, so... um... what was the point again?

Ah, but if they made everyone, even people visiting from other countries, get one of these, then it's much more secure than showing the passport. And how would they get one? They'd need some other ID first... like, for instance, a passport...

So, what possible good can this do? Well, I guess it'll make it harder for underage kids to buy beer. Other than that? Nothing, really...

SSN

[Myopic]

I'm not exactly in favor of a national ID card, but this new program for implementing one makes me marginally happy. Why? Because we already have a national ID card, and it's a terrible one, trivial to abuse, trivial to forge, and used in contexts where it makes no sense: the Social Security Card. When the SSN card was first introduced, it was derided as a national ID card, but the proponents promised it wasn't. Well, it was, and we can see that by looking around us now. Do you want a driver's license? Well you better have a valid SSN card because one is required to get a license (this is a new rule as of summer 2006, so many of you might not realize this yet). Do you want a bank account? Need one. You need one for everything. My local video store demanded my actual physical SSN card before they would rent me a video. (I almost refused but I really really wanted to see Weekend At Bernie's II.)

So, shit, even though I don't want there to be a national ID card, the one coming soon is sure to be better than the one we have now.

I just really hope my new Social Conformity Number is 54601.

Re:Oh no, think about our children!

[tbo]

If it was a rational world, the drinking age would be the same as the age at which you can sign up for the army to fight and die for your country. It seems pretty ridiculous that you could drive a tank at 19, but not have a beer afterwards. That said, you have brought up a good point: the negative consequences of accurate, reliable ID.

There are really three things people are worried about here:
1 - The possibility of fraud inherent in even an ideal ID system.
2 - The possibility of fraud in a real-world system implemented by the US government (i.e., one that will probably be poorly designed).
3 - The negative consequences of an accurate ID system.

There are positives, too. I'll classify them as follows:
1 + Personal benefits of an ideal ID system.
2 + Benefits to companies from an ideal ID system.
3 + National / social benefits.

Before I get into details, what do I mean by an ideal system? One in which you can prove to anyone you wish any of the following information, or some subset thereof: name, age, eligibility to work, driving license, professional certifications, credit "card" account, etc. For instance, you might want to prove to a bar's bouncer that you're of legal age, but not reveal your name, credit card number, or even your exact age. How could this work? As soon as you reach legal age, the government sends you a digitally signed "certificate" that includes your photo and a statement that you can drink. When you go to a bar, you can upload the certificate to the bouncer's PDA or whatever, and he checks to see the picture is you. If it is, you're in. To break this, you'd need to break public key cryptography, which you can probably only do with a quantum computer.

Now, let's get into details.

1 - Fraud in an ideal ID system
Even in an ideal system, the card will only be as good as the information used to create it. While such a system is being adopted, there's a window of opportunity for people to forge old-style IDs, then use them to get a new "official" ID with the forged information. This is commonly done with birth certificates now. This is the main issue.

2 - Fraud in a real-world system
Even compared to other governments, the US seems particularly bad at large-scale IT projects. It's surprising, considering all the IT talent in the country. A system designed by the US government would probably start with bad specs, have a bad design, and be poorly implemented. A disaster, in short. I suspect radical changes in the process might help here. Put NIST in charge of designing open standards, with the NSA consulting. Get Bruce Schneier, the EFF, and others involved. Maybe try something like the AES challenge.

3 - Negative consequences of an ideal system
This is the most insidious of all the negatives. An accurate, effective, ubiquitous ID card will be used for more and more things, and will become a method for tracking and controlling people. We'd need some really good privacy laws to prevent this, as well as a smart design that puts people in charge of their own information and how much they reveal.

1 + Personal benefits
Wouldn't it be great to ditch all those cards in your wallet and just have one thing to carry? I know I'd like that. It would also be great to not have to worry about ID theft (at least, not in an ideal system). Depending on how the backend worked, a unified ID could also mean not having to change your address in a gazillion databases every time you move (for instance, did you know the California DMV driver license database is independent of the California vehicle registration database, and you have to change your address separately in both?) Really, this category boils down to convenience and reduced vulnerability to ID theft, IF the system is well-designed.

2 + Benefits to companies
This one's pretty simple--reduced fraud leads to reduced expenses, for banks, credit card companies, and merchants. It probably also simplifies a lot of transactions, which wo

Where they get this power from

[The+Monster]

They take our money as federal tax and then ransom it back to us to make us do things we don't want to do.

And that is due to the twin abominations ratified in 1913, the 16th and 17th Amendments, which gave the national government the power to extract huge sums of money directly from the people, and took from the state legislatures their delegates in the Senate.

Imagine that you are a US Senator, elected to that position by the legislature of your state. A bill is proposed that will demand that the same legislature enact a certain law, and the state executive branch enforce it to the satisfaction of some national executive agency, or have funds withheld. Now imagine you want to be re-elected by that legislature. How do you think you're going to vote?

The result of these changes is that more and more decisions are being made in the US Congress and by the faceless mass of bureaucrats in national agencies, rather than in state capitals, county courthouses, and city halls. The concentration of power favors well-funded lobbyists who represent powerful interests, for whom the return on their investment can be huge; against diffuse interests of common citizens.

Instead of 50 different 'distros' of government, with the chance to learn from each other and merge improvements that succeeded elsewhere, we get stuck with a single implementation. Any flaws in that monoculture are global and potentially catastrophic.

"realID" !! you know it's real, it's in the name!

[finkployd]

The DHS is run by over promoted bureaucrats who know absolutely nothing about security. We all know this, here is why this time:

First lets talk about passwords. One thing I run into that people who set corporate policies for passwords often do not understand is that the password strength is very rarely the weak point in an attack. Quite often the requirements will be sent to something crazy like 20 characters, no repeating characters, enforced alphanumeric, (you all know the usual strong password requirements) and they feel that is it. Oh, but to reset a forgotten password all you need to know is your mother's maiden name or some such. THAT is the weak link, you have effectively made every user's password their mother's maiden name. All of the other password strength requirements are irrelevant.

"How does this relate, finkployd, you arrogant prick?" I hear most of you asking. Simple, how does one get one of these super duper realID cards? I strongly suspect it is by showing OTHER, PRE-EXISTING forms of ID. How else would it work? The problem of how to distribute these cards in such a way that you know they are being generated for and sent to the proper people pales in comparison to actually designing the damn thing in the first place. It will certainly depend in some way on existing forms of ID, meaning it is absolutely no more secure then them.

Of course the government and financial institutions will inevitably consider it to be the absolute last word in authentication, so expect that if your identity is ever stolen via a false realID card, nobody will ever believe you. YOU will be financially (and likely criminally) responsible for anything done if your realID is spoofed. Good luck everyone, we are screwed :)

Finkployd

Re:Oh no, think about our children!

[dangitman]

If you can't produce one, then maybe you're someone that law enforcement might want to know about.

But then again, maybe you're just someone who forgets things or leaves them at home. Maybe you're a victim of pickpockets. Perhaps you put on the wrong pants.

It's not going to help law enforcement be more efficient if they go around interrogating everybody who forgets or loses their ID card. Actual troublemakers will probably be sure to have ID at all times.