One of the books I read last week was my co-blogger Jim Harper’s new book, Identity Crisis: How Identification Is Overused and Misunderstood. It’s excellent and if you have any interest in privacy policy you should read it.
Harper’s book does three things. In parts 1 and 2 he presents a theory of identification that classifies identification into four categories (something you are, something you are assigned, something you know, and something you have) and then identifies the relationships among identification, risk, and accountability. He particularly makes the point that the need for identification is intimately connected with the type of transaction being considered: the ID you need to check out a library book is much different than the ID you need to get a mortgage or access to a nuclear reactor. He also stresses the diversity of identification: we use many different forms of identification in our daily lives (library cards, credit cards, passwords, drivers licenses) and that’s a feature, not a bug.
In part 3 he digs into the details of identification cards: how they’re created, how they’re used, and how they can be misused. Finally parts 4 and 5 lays out his vision for an enlightened identification policy of the future: one that protects civil liberties by expanding the diversity of identifiers we use in our day-to-day life.
The book had two points that I found particularly insightful. Harper stresses the role incentives play on the security of identification. The likelihood a particular form of ID will be hacked is directly related to the rewards for doing so. That means that the more uses we pile onto a single national ID card (which is what your driver’s license is rapidly becoming) the more resources criminals will spend to corrupt the ID-granting process. In contrast, if we have many different IDs for different purposes, the rewards for corrupting any given card will be much lower.
Creating a secure ID card isn’t a technological problem, but a social and economic one. We can have all the whiz-bang verification features we want, but if the DMV has a corrupt employee, or if somebody figures out how to corrupt the “feeder” documents that prove identity to the DMV, those whiz-bang features are rendered worthless.
The other great section was his analysis of ID requirements as a “security” measurement in places like airports. He points out that intercepting terrorists using an airport “watch list” is akin to putting a “most wanted” poster up at the post office and then waiting for the criminal to come to the post office. If we know someone’s a terrorist, the police should be engaged in more active kinds of investigative activities, such as tapping their phones and monitoring the financial transactions. (with the proper warrants, of course)
This is particularly true since the “watch list” approach can actually tip terrorists off to US intelligence. A group of terrorists planning can perform trial flights in order to determine which of them is on the government’s watch list by seeing who is subjected to extra scrutiny. It can then carry out the terrorist action using those terrorists who were not on the watchlist.
Harper also points out that it’s not obvious why we think identification requirements would in any way deter terrorists from committing terrorist acts. Most terrorists carry out only one terrorist action before they’re either captured or killed, so they’re not likely to be too worried about their identity being discovered.
In short, requiring identification is “security theater,” as Harper aptly describes it. It might make us feel safer, but it’s hard to see how it actually improves or security.
I do have a nitpick or two, which I’ll expand on in a subsequent post. But in the meantime, you should buy the book.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.
Comments on this entry are closed.