Congress Pushes Biometrics
The Federal Trade Commission has no jurisdiction over government entities so when it looks with concern at the use of facial recognition technology, it’s looking at the private sector.
Facial recognition is only one of many biometric technologies, of course, and Congress is pushing hard for biometrics that can help track and control us for various purposes. If anyone should be looking with concern, it should be us looking at the federal government.
There are legitimate uses for biometrics, of course, and well-designed implementations will undoubtedly benefit us all. But biometrics programs implemented for the government will tend to prioritize hoovering up federal cash over striking delicate balances among cost, effectiveness, privacy, and civil liberties.
So let’s look at how Congress is pressing—and in one case insufficiently restraining—the rapid advance of biometrics.
H.R. 658, the FAA Reauthorization and Reform Act of 2011, has passed the House and awaits action in the Senate. It says that “improved pilot licenses” must be capable “of accommodating a digital photograph, a biometric identifier, and any other unique identifier that the Administrator considers necessary.”
H.R. 1690, the MODERN Security Credentials Act, establishes that air carriers, airport operators, and governments may not employ or contract for the services of a person who has been denied a TWIC card. “TWIC” stands for “Transportation Worker Identity Card,” the vain post-9/11 effort to secure transportation facilities from bad people. TWIC cards use biometrics.
Biometrics Collection = Risk Creation
Why shouldn’t the government collect biometric data unless absolutely necessary? Things like this can happen to it:
The stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis—including children—and detailed health information on individual citizens.
It’s a good, short write-up from Fast Company. Read the whole thing and pass it along.
Does Risk Management Counsel in Favor of a Biometric Traveler Identity System?
Writing on Reason’s Hit & Run blog, Robert Poole argues that the Transportation Security Administration should use a risk-based approach to security. As I noted in my recent “‘Strip-or-Grope’ vs. Risk Management” post, the Department of Homeland Security often talks about risk but fails to actually do risk management. Poole and I agree—everyone agrees—that DHS should use risk management. They just don’t.
With the pleasure of remembering our excellent 2005 Reason debate, “Transportation Security Aggravation,” I must again differ with Poole’s prescription, however.
Poole says TSA should separate travelers into three basic groups (quoting at length):
- Trusted Travelers, who have passed a background check and are issued a biometric ID card that proves (when they arrive at the security checkpoint) that they are the person who was cleared. This group would include cockpit crews, anyone holding a government security clearance, anyone already a member of the Department of Homeland Security’s Global Entry, Sentri, and Nexus, and anyone who applied and was accepted into a new Trusted Traveler program. These people would get to bypass regular security lanes upon having their biometric card checked at the airport, subject only to random screening of a small fraction.
- High-risk travelers, either those about whom no information is known or who are flagged by the various Department of Homeland Security (DHS) intelligence lists as warranting “Selectee” status. They would be the only ones facing body-scanners or pat-downs as mandatory, routine screening.
- Ordinary travelers—basically everyone else, who would go through metal detector and put carry-ons through 2-D X-ray machines. They would not have to remove shoes or jackets, and could travel with liquids. A small fraction of this group would be subject to random “Selectee”-type screening.
He believes, and has argued for years, that dividing ”good guys” from “bad guys” will effectively secure. It’s certainly intuitive. Poole’s a good guy. I’m a good guy. You’re a good guy (in a non-gender-specific sense).
Knowing who people are works for us in every day life: Because we can find people who borrow our stuff, for example—and because we know that we can be found—we husband our behavior and generally don’t steal things from each other, we, the decent people with a stake in society.
Poole’s thinking takes our common experience and scales it up to a national program. Capture people’s identities, link enough biography to those identities, and—voila!—we know who the good guys are and who are the (potential) bad.
But precisely what biographical information assures that a person is “good”? (The proposal is for government action: it would be a violation of due process to keep the criteria secret and an equal protection violation to unfairly divide good and bad.) How do we know a person hasn’t gone bad from the time that their goodness was established?
The attacker we face with air security measures is not among the decent cohort whose behavior is channeled by identification. That attacker’s path to mischief is nicely mapped out by Poole’s proposal: Get into the Trusted Traveler group, or find someone who can get in it. (It’s easy to know if you’re a part of it. They give you a card! You can also test the system to see if you’ve been designated “high-risk” or “ordinary.”)
With a Trusted Traveler positioned to do wrong, chances are good that he or she won’t be subjected to screening and can carry whatever dangerous articles onto a plane. The end result? Predictable gnashing of teeth and wailing about a “failure to connect the dots.”
All this is not to say that Poole’s plan should not be adopted. If he can convince an airline of its merits, and the airline can convince its shareholders, insurers, airports, and their customers, they should implement the program to their heart’s content. They should reap the economic gain, too, when they prove that they have found a way to better serve the public’s safety, convenience, privacy, and transportation needs.
It is the TSA that should not implement this program. Along with what are significant security defects, it is the creation of a program that the government might use to control access to other goods, services, and infrastructure throughout society. The TSA would migrate toward conditioning all travel on having a government-issued biometric identity card. Fundamentally, the government should not be making these decisions or operating airline security systems.
A very interesting paper surfaced by recent public attention to this issue predicts that annual highway deaths will increase (from an already significant number) by between 11 and 275 because of people’s avoidance of privacy-invasive airport procedures. But what caught my eye in it were the following numbers:
During the past decade, terrorist attacks, with respect to air travel in the United States, have occurred three times involving six aircraft. Four planes were hijacked on 9/11, the shoe bomber incident occurred in December 2001, and, most recently, the Christmas Day underwear bomber attempted an attack in 2009. In that same span of time, over 99 million planes took off and landed within the United States, carrying over 7 billion passengers.
Especially because 9/11′s ”commandeering” attack on air travel has been essentially foreclosed by hardened cockpit doors and passenger/crew awareness, these numbers suggest the smallness of the chance that somone can elude worldwide investigatory pressure, prepare an explosive and detonator that actually work, smuggle both through conventional security, and successfully use them to take down a plane. It hasn’t happened in nearly 100 million flights.
This is not an argument to “let up” on security or to stop searching for measures that will cost-effectively drive the chance of attacker success even closer to zero. But more thorough risk management analysis than mine or Bob Poole’s would probably show that accepting the above risk is preferable to either delaying and invading the bodily privacy of travelers or creating a biometric identity and background-check system.
National Research Council Takes Biometrics Down a Notch
Late last month, the National Research Council released a book entitled Biometric Recognition: Challenges and Opportunities that exposes the many difficulties with biometric identification systems. Popular culture has portrayed biometrics as nearly infallible, but it’s just not so, the report emphasizes. Especially at scale, biometrics will encounter a lot of challenges, from engineering problems to social and legal considerations.
“[N]o biometric characteristic, including DNA, is known to be capable of reliably correct individualization over the size of the world’s population,” the report says (page 30). As with analog, in-person identification, biometrics produces a probabilistic identification (or exclusion), but not a certain one. Many biometrics change with time. Due to injury, illness, and other causes, a significant number of people do not have biometric characteristics like fingerprints and irises, requiring special accommodation.
At the scale often imagined for biometric systems, even a small number of false positives or false negatives (referred to in the report as false matches and false nonmatches) will produce considerable difficulties. “[F]alse alarms may consume large amounts of resources in situations where very few impostors exist in the system’s target population.” (page 45)
Consider a system that produces a false negative, excluding someone from access to a building, one time in a thousand. If there aren’t impostors attempting to defeat the biometric system on a regular basis, the managers of the system will quickly come to assume that the system is always mistaken when it produces a “nonmatch” and they will habituate to overruling the biometric system, rendering it impotent.
Context is everything. Biometric systems have to be engineered for particular usages, keeping the interests of the users and operators in mind, then tested and reviewed thoroughly to see if they are serving the purpose for which they’re intended. The report debunks the “magic wand” capability that has been imputed to biometrics: “[S]tating that a system is a biometric system or uses ‘biometrics’ does not provide much information about what the system is for or how difficult it is to successfully implement.” (page 60)
“Biometric Recognition: Challenges and Opportunities” is a follow-on to the 2003 National Research Council report, “Who Goes There?: Authentication Through the Lens of Privacy.” That was one of few resources on identification processes and policy when I was researching my book, Identity Crisis: How Identification is Overused and Misunderstood. (Mine is quite a bit more accessible than this new book, so if you’re interested in the field, you might want to start there.)
There is nothing inherently wrong with biometrics. They will have their place, and they will make their way into use. But the dream of a security silver bullet in biometrics is not to be. Identity-based security—using the knowledge of who people are for protection—is valuable and useful in day-to-day life, but it does not scale. National or world ID systems would not secure, but they would carry large costs denominated in both dollars and privacy.
Don’t BELIEVE the Hype—Though Unformed, the Democrats’ National ID Plan Is Rife With Threats to Privacy and Civil Liberties
Senate Democrats have solidified and given more definition to their plan to create a biometric national ID, the centerpiece of their immigration reform proposal. (For reasons unrelated to the national ID plan, Senator Lindsey Graham (R-SC) has dropped out of the picture for now.) The “Conceptual Proposal for Immigration Reform” they released last week gives much more detail to the sketchy plans I previously reviewed.
In my Cato Policy Analysis, “Electronic Employment Eligibility Verification: Franz Kafka’s Solution for Illegal Immigration,” I wrote about the possibility of a work authorization document limited to that purpose—and my doubts that the government would adopt one.
A credential such as eligibility for employment under [the immigration laws] can be proved without creating a nationwide biometric tracking scheme. In fact, templates already exist. But it is unlikely to see adoption. . . . [I]dentification and tracking . . . shift the risk of error in the card-issuance process from the government to the citizen. . . . [T]racking preserves government power. A work-eligibility and tracking system . . . makes the individual’s employment eligibility subject to revision at a later time, if the government wants to change the rules or adapt the system to new purposes, for example.
Those doubts are validated by this plan, which appears to be a full-fledged national ID and national biometric database. Assurances that it won’t be used for purposes beyond immigration control are not persuasive. This is national identity and surveillance infrastructure that will be “switched on” by later policy changes.
They’re calling it “BELIEVE,” short for “Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment.” They can call it that. We’ll study it, and give credence to what we learn.
The plan is confusing, disorganized, repetitive, and sometimes contradictory. Summarizing it is a little like trying to piece together the egg when all you have is the omelet, but three themes emerge: First, this summary backs away from an earlier claim that there would not be a biometric national identity database. There will be a national biometric database. Second, repeating the word “fraud-proof” does not make this national ID system fraud proof. Third, this national ID system definitely paves the way for uses beyond work authorization. This is the comprehensive national identity system that people across the ideological and political spectrum oppose.
The national ID part of the Democrats’ proposal begins at the bottom of page eight. It’s a veritable word-cloud, suggesting a violation of the rule of thumb that simple solutions are usually the best. But let’s look at it, line by line.
Schumer and Graham on Immigration Reform: Why Not Do it Without the Biometric National ID?
There is much to commend in the op-ed on immigration reform that Senators Chuck Schumer (D-NY) and Lindsey Graham (R-SC) published in this morning’s Washington Post. Unfortunately, they lead with their worst idea: a biometric national ID card, mandatory for all American workers.
Here’s the good: “Americans overwhelmingly oppose illegal immigration and support legal immigration,” they say. “Throughout our history, immigrants have contributed to making this country more vibrant and economically dynamic.”
Their plan includes problem-solving proposals: “creating a process for admitting temporary workers” and “implementing a tough but fair path to legalization.” The latter would reduce the population of illegal aliens in the U.S.—good—and the former would reduce the need to enter illegally in the first place—also good.
Joined with the enhanced border security they propose, these ideas would address the immigration challenge as well as anyone knows how. (Details matter, and my colleagues will have more to say, I’m sure.)
But then there is their gratuitous national ID proposal for all American workers, and stepped up interior enforcement. “Interior enforcement” is a euphemism for “rounding up illegal workers” under some administrations and “raiding employers” under others.
This is the most specific Senator Schumer has ever been about his biometric national ID proposal, though he’s had it in mind since at least 2007. But it is hardly satisfactory, and the claim there will be no national ID database is almost certainly not true.
Here is the paragraph that captures the senators’ plan:
Read the rest of this post »
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
