Slashdot Mirror


User: pschaeffer

pschaeffer's activity in the archive.

Comments · 1

  1. National ID Cards on Schneier on National ID Cards, Key Escrow Locks, E-voting · · Score: 1

    Mr. Schneier,

    In your article you criticize National ID Cards. It is my opinion that many of your points are invalid and/or misleading. More broadly, it is my opinion that your opposition to National ID Cards is based more on philosophical opposition to the idea than the actual reality of any such system. Of course, I would like to point out that many democratic nations have ID cards without undermining civil liberties and in fact providing essentially perfect protection against identity theft (which the US most assuredly does not have). Overall, a National ID Card is basically an unforgeable driver's license. Why such a thing should arouse such fierce opposition is not clear to me, although obviously it does.

    A few specific points:

    1. Any decent National ID Card would be totally unforgeable. The technology required for an unforgeable ID card has existed for years and would presumably be employed in the U.S. For example, all of the information on the card would be digitally signed using a secret key. To be useful the signed information would include a picture, fingerprints and/or iris data. Any attempt to create a fake ID would show up as a digital signature mismatch. To date no cryptographic flaws have been found in the standard digital signature algorithms used in the U.S. and around the world.

    Of course, there is always the risk that the secret key used to sign ID cards might be lost. Presumably enormous care would be taken to prevent any such failure. Beyond that, an array of different secret keys could easily be used to sign ID cards. Each key could be separately stored and protected so that the loss of any one key would not compromise the system. Giving the keys limited lifetimes (5-10 years) would ensure that at least one key was still intact at the point that the secret keys (and cards) would have to be replaced.

    In addition, the data on the cards would also be stored in some central database. This means that even if all of the secret keys leaked, a National ID Card could still not be forged. Why? Because the data on the forged ID card would not match the contents of the database and would result in the immediate recognition that the card in question was invalid. In other words, to successfully create a fake ID card, someone would have to obtain all of the secret keys used to sign ID cards and simultaneously corrupt the national identification database.

    2. Your article asks what would happen if the database crashed or was otherwise unavailable. The answer is not much. Why? Because the ID cards would be self-verifying as stated above. Even if terrorists successfully attacked the ID database with the intent of stopping database verification they would still have to obtain all of the secret keys to create even one forged ID. Beyond that the ID database could easily be replicated. What many folks may not realize is how small such a database would be. Allowing for 100K per person and 300 million records, only 30 terabytes would be needed for all of the records. This is roughly 120 current generation disk drives from your local CompUSA at a cost of around $30K.

    In practice, higher quality and higher cost disks would be used. However, the cost would still be minimal. A recent copy of the Gilder Technology Report claimed that commercial disk space costs around $2.33 per gigabyte per year. That puts the disk storage costs of the ID database under $100K per year. Obviously the support costs of any such system could dwarf the hardware expenditures. However, it should be clear that such a system could incorporate a high level of physical replication to ensure continuous availability under any set of circumstances short of "Deep Impact" (the movie).

    3. Your article suggests that any database system would be vulnerable to hackers, viruses, worms, etc. that could corrupt its contents. In my opinion, these threats can be controlled and are not an obstacle to deploying any such system. The best evidence is that the Federal government already runs any number of critical data