Giving thanks for failure: The ID card mess five years later

Giving thanks for failure: The ID card mess five years later

Summary: Money has momentum - and one consequence of the present TSA uproar is likely to be a revival in national ID card proposals as bureaucrats ignore a decade of data processing failures in making this work, to order up more of the same.


I doubt there are many unaware of the consumer revolt happening with respect to the American TSA scan and and pat down procedure -and in that context here's the introduction from a March 15, 2010 article by Karin Kloosterman for on Israel's top 10 airport security technologies:

Since the attempted terror attack on board a US airplane last Christmas day, airport authorities around the world are in a race to find novel solutions to fight terror. Israeli strategic and technical tactics feature high on their lists. What's the secret to the country's success in keeping Ben Gurion Airport terror free?

"Israel concentrates on the passengers and not their luggage so we have a real edge over the rest of the world in protecting travelers," says Rafi Sela, a top security consultant and former chief security officer at the Israel Airport Authority. "This is in addition to us protecting the whole airport, while the others merely try to achieve aviation security," he tells ISRAEL21c.

multiport query

Sela, who advises governments and airport authorities all over the world, has become the leading figure advocating Israel's unique approach to airport security in the past six years.

Through his company AR Challenges, he uses approaches and technology services rooted in Israeli innovation to try to help his clients stay one-step ahead of potential terrorists. The global transportation security consultancy, of which he is president, works with high profile clients including Canada's RCMP, the US Navy Seals and airports around the world.

Making use of homegrown technologies, some of them developed by whiz-kids in the Israel Defense Forces (IDF) Intelligence Corps 8200 army unit, Sela believes that Israel's strength in airport security is because it boasts near-invisible protective 'rings' of security around the airport and passengers.

Most airports around the world often lack measures as basic as video surveillance, he explains. "The airports are so concentrated on finding your bottles of water and perfumes that they don't even look at you," says Sela. "The security personnel forget that they are in the business of looking for terrorists."

At Ben Gurion Airport you can take a coffee on board. According to Sela, airport security personnel don't care what you take on the plane. "The security in Israel checks you as a passenger, and not the luggage. If you are cleared as a person then who cares what you bring on the plane with you?"

With that context in mind, I want to repeat much of what I said in this space on December 12th and 13th, 2005:

Bad guy detectors and ID - from Dec 12/05/

Do you know who Deborah Davis is?

Think a possible Rosa Parks for the Patriot Act era - here's the 411 from a supporter web site:

One morning in late September 2005, Deb was riding the public bus to work. She was minding her own business, reading a book and planning for work, when a security guard got on this public bus and demanded that every passenger show their ID. Deb, having done nothing wrong, declined. The guard called in federal cops, and she was arrested and charged with federal criminal misdemeanors after refusing to show ID on demand.

The bus was crossing through the Denver Federal center at the time, and three months later the US attorney in Denver announced a decision not to prosecute, but you can see that what really happened here was a collision between individual rights and government's reflexive belief in identification.

A thousand years ago people in western Europe were identified either as members of noble families or by members of noble families - and that's still fundamentally how it's done in places like Cuba, Vietnam, and Communist China. Even in democracies like Canada, however, we have remenants of that approach: to get a passport, for example, a Canadian has to be vouched for by three qualified professionals - doctors, lawyers, or priests.

In general, however, western governments have been handing the identification job over to computers - that is, to us IT grunts.

Here's the opening paragraph from a report by John Lettice, on the theregister headlined "EU ministers approve biometric ID, fingerprint data sharing"

The European biometric ID card takes another step forward this week, with the European Justice and Home Affairs Council set to approve "minimum security standards" for national ID cards. Alongside this the Council will be roadmapping the rollout of Europe's biometric visa system, which will contain the fingerprints of 70 million people within the next few years, and hearing European Commission proposals for greater sharing of fingerprint data.

There are two very different sets of issues here: the first involving effectiveness and the second human rights.

In thinking about effectiveness, consider that effectiveness comes in two forms. As perfected in East Germany the "Papieren, Bitte" smirk is part of an intimidation policy that really doesn't have anything to do with identification, but that's not what happened in Denver. There the cops barely glanced at identification documents produced by people who choose to comply because the cops really didn't care who these people were - they cared about the response they got when they asked for identification because they hoped that would help them separate the good guys from the bad guys.

Basically what's going on there is that the individual cop has to deal with large numbers of people he doesn't know anything about, and so asking for identification allows him to assess whether the individual confronted exhibits unusual hesitation or other odd behavior -and they have to ask people obviously not guilty of anything because not doing so gives people who are selected for questioning both an excuse not to co-operate and a defence if caught out.

If we set aside the ethical issues so we can concentrate on the technological ones we can see that what's wanted is a kind of social memory: an electronic prostheses making up for the fact that we live in a big world in which the cop probably didn't grow up with all the people he comes in contact with and therefore doesn't know them. In this context the identification document acts as an index to a life history access to which is intended to give the cop a fair chance of knowing enough about the people he's dealing with to separate the good guys from the bad guys.

Notice that this is contextual: you can be the worst kind of street scum or corporate criminal and still have every right to use public transit or get a hamburger at an airport kiosk. In the United States at least, the police can't wander around randomly accosting people on the street to arrest those with unpaid parking tickets or other public malfeasence on their records.

It's the elision (cutting out) of this contextual component in the issue of identification that's at the heart of the design mistakes governments everywhere are making as they embark on national id card schemes. Basically, they're asking everyone to carry an identification card that can be used, on demand, as an index to a life history when all they really need, and all they should get, is a token that lets the cop on the street make the good guy / bad guy call in context and provides no other information.

Nobody's proposing anything like this, and the reason is clear: the bureaucrats know with certainty that they need identification -because that's the only thing they've ever had, and no-one's told them that alternatives exist. The big consulting companies, people like Accenture, EDS, and IBM, are trapped too: they can only respond to an RFI (request for information) on national identification systems with proposals on national identification systems.

In other words this is a closed loop that repeats its mistakes until change is forced on it from outside. That force has to come from the politicians: who have to sell this stuff to the public: show them that sensible alternatives exist, let internal presure for change build from a few expensive failures, and change might have a chance.

The failure process is well underway already. Every major western government has embarked on a national identity card scheme of some kind - and the same people who brought us Canada's two billion dollar gun registery, who can't get the IRS into the ninties, and who blew a few hundred million pounds on the latest failed child welfare information system in the UK, are profitably deploying their usual expertise to take these solutions to new heights.

Meanwhile, of course, Ms. Davis was absolutely right and by the time governments get their national ID cards issued, you can expect her right to refuse to be widely supported in case law - at least in the United States and possibly in the UK.

So what's coming is a collision between an immoveable object (government's tendency to demand identification) and an irresistible force: human rights, into which it should be possible to slip a perceptional change about what's really needed and so get an alternative accepted.

Starting tomorrow I want to talk about how that could be made to work; meanwhile consider that we're the guys caught in the middle - the IT grunts about to receive impossible, and objectionable, marching orders we'll be expected to dog trot around a very large pile of taxpayer money and human rights issues.

National ID - tokens and processes (Dec 13/05)

A national id system that met legitimate law enforcement and defence objectives without compromising human rights would have to have three parts:

  1. a "good guy" indicator or token together with a reader technology.


  2. a separately verifiable authentication mechanism for the token itself - is it, not the information it conveys, legitimate and is the person holding it the person to whom it was issued?


  3. a trustable backend, including issuance and updating processes, for the information conveyed by the token.

Ethical issues aside, making this happen is mostly about process and perception - and only a little bit about technology.

Such a token would have to be small -initially perhaps configured as a card, later possibly as a jewelry or watch component, and finally perhaps as a subcutaneous implant.

The token would have to respond to queries with a simple "Yes/No" response conveying no information beyond contextual legitimacy. Is this person a licensed driver? prohibited within 100 feet of playgrounds? known to be a non criminal citizen of Canada? Authorized to charge some amount to a particular Visa account?

I'm not aware that good candidate token technologies exist yet, but the foundations are certainly there. Nearly eight years ago "Safetyjet" needed iron-clad identification for crew members -and got that by combining a process based on having crew members vouch for each other with one based on a java card that only worked when held by the person it was issued to. That card used a fingerprint and the supplier failed to deliver the body temperture sensor they promised with it, but the basic card is now commercially available and one based on DNA matching isn't that far off.

A card that responds differently to different queries using either infrared or one of the near field methods doesn't exist yet either, but only because no-one's asked for it. The basic Unix ports technology is a natural fit for this kind of multi-layer with access for people with publically mandated information needs - whether bartenders or police officers, they would get the information they need, and nothing more.

YOu'd expect multiport query gear to appear, of course, but official use can be controlled through well understood legal and organizational processes and there will be little or no value to unofficial use.

Token authentication is needed, but can be managed via something like RSA digital signatures - not impossible to forge, but so difficult as to be fundamentally out of reach for the bad guys, even if they are governments.

Basically the token has to answer three questions: is the token itself real? is the person offering it the person to whom it applies? and, is the person a good guy or a possible bad guy in the present context?

The technologies needed for the first two don't really exist yet, but obvious predecessors do, so how about the backend?

Envision updates to the token happening as "endorsements" and you don't need significant change in existing organizational structures for data management. The passport office, for example, would issue passport equivelency endorsements, motor vehicle departments and courts would handle endorsements for driving related purposes, and so on.

Compared to the national ID schemes being proposed, that's minor change with the only new organizational elements needed those involved in issuing and controlling the tokens themselves and a big potential payoff in cost reduction eleswhere in government as identification cards are made obsolete.

In the intervening five years:

  1. No government has rethought the issue


  2. Every major government effort to develop a unified citizen ID card has failed - and every such failure has been rooted, not in citizen or judicial pushback, but in data processing failure. Basically government's inability to make the system work has created the delays, the costs, and the weaknesses that have allowed those opposed to implementation to claim partial victories in terms of program cancellations, program delays, delayed or altered program rebirths, and weakened political support.


  3. the security problems these efforts were supposed to address have gotten worse; and,


  4. more easily implemented (read: non IT) solutions have proven more expensive, more intrusive, and less effective, than expected.

And, of course, everything that was marginally do-able in terms of making a simple good guy card work in 2005 is much more easily do-able today.

In many ways what's happened is a kind of good news - bad news scenario: on the positive side having bureaucrats spending billions trying to use early twentieth century methods to implement nineteenth century solutions has nicely prevented progress in the wrong direction - but money has momentum, and what seems most likely to come out of the present TSA brohaha is more billion dollar spending on whatever intrusive ID card projects various bureaucracies are selling the political level as sure to work, guaranteed, nothing to it, just write the check already.

What's going on is a confluence of stupid: what the data processing community has learnt from fifty years of failure is how to make money from it, the senior bureaucracy has no idea alternatives exist, politicians equate spending with positive action, and no one's publically making the case that a simple good guy card would be both cheap and effective while preserving basic human rights and freedoms.

All of which leads to a prediction: as payment, membership, and ID come together in multiple wireless technologies we'll see the good guy card idea evolve on its own - with government left behind as it spends both money and individual freedom on the laughably out of date and out of touch.


Topics: Government US, Government, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • How does Google Chrome OS compare to SunBlade?

    I'm curious about this - whether this is a reimplementation of the concept or if there are significant differences?
    Ad Astra
    • Huh?

      @Ad Astra
      As far as I know Chrome is a Linux variant and sun blades are hardware...
      • ChromeOS Discussion

        @murph_z <br><br>While SunBlade is a hardware implementation tied to a Solaris back end, ChromeOS is effectively a Linux variant that stores nothing locally on the hard drive - everything you do in ChromeOS comes through browser apps with the data stored in the cloud; in theory many of the advantages you extoll for SunBlade exist in the ChromeOS ecosystem.<br><br>It is an attempt - directly - to cut out corporate IT departments by putting everything in the cloud. It doesn't matter which console you log into, you get your workspace and desktop and your files, all from Google's servers. All the programs run in the browser/on the server side as well. How they split which tasks get run in the browser and which apps get run on the server is above my pay grade - I'm just a game designer.<br><br>Given your advocacy of SunBlade and a similar methodology (all user data and applications live on the server and management costs plummet), I was curious as to what your opinion of this was.<br><br>To me, it sounds like everything old is new again; it's the same centralized methodology of Big Iron and VAXen, save that in theory the hardware is enough more capable that the irritation of waiting for your batch job to get done when the High Lords of IT Acquire A Sufficiently Spherical Tuit should be minimized.
        Ad Astra
      • Sun Blade != Sun Ray


        Ahh.. you mean chrome/cloud vs Sun Ray.

        There are many detail differences - e.g. Sun Ray is application independent (can run anything from anywhere, more or less).

        The big difference is that Sun Ray use in business generally assumes the business runs the server(s). Since I have no faith in "the cloud" except wrt to iDevices and clones (i.e. not for enterprise computing) I see this as a big plus.

        You can, of course, access google's cloud services from Sun Ray... and sometimes that may make sense. It would, I think be more exception than rule tho'.
  • Well-written

    This is a solid article. In the US (and possible Europe, too) it's been an awfully long time since critical thinking was taught in our schools. Most Americans seem to be fundamentally incapable of evaluating risk (your risk of early death from overeating is substantially higher than your risk of dying at the hands of a terrorist). Combine this with the tendency of media outlets to hype any sort of threat, and you have a people who think it's a good idea to give up every shred of liberty their fathers fought for.
  • id my ass

    just use that that all body scanner.......and pick from database of them. Sooner or later the general population will accede to the fact that if you look at enough naked people, you really don't care what they look like after awhile, at least not enough to do anything sexual.

    The body scanners need work, but knowing everyone in the world, layers of meaningless id's, or watching someone's every move may work MOST of the time, but looking at someone for weapons on their person or in their luggage is the best way to get to the heart of the matter. What is considered contraband, bomb making materials that look like drugs or drugs that look like bomb making materials is really most of the problem. The last thing anyone needs is to get busted, or upset while spending money on a vacation or getaway. It's just not like getting in your car or going to a hotel anymore. It's running a federal gauntlet with the possibility that there's something that you "forgot about" and having problems.

    Vacationing, partying, "enjoying" is so much more difficult when your "naked" in front of an audience (unless you go in for that kind of thing). I think that they ought to put one at the door of a nightclub, and face the screen towards the door so that all could see what people "have", and see how much safer they feel when they are sure that no-one has weapons except for themselves (which can in and of itself be a problem).<br><br>I have actually come around on the single ID concept, which would have my driver's license, social security # and what ever else on it, but encryption, data security, and forgery are still a few problems that come to mind. I just think it would be easier than carrying around all that crap to get a job, or register my car.
    sparkle farkle
    • oh yea

      why they need to have an outline of your body (when they make a full body scan) is beyond me, they're looking for something that isn't organic. A little programming and they can fuzz it out. A scan is really better than a token , watch list, or any other nonsense.<br><br>A couple of layer of bulletproof material between the pilots and the passengers, no carry on luggage, what can happen? Yes all the passengers can kill each other, but the pilot will make it safely OVER the millions of people on the ground. That's really the problem. The people on the ground. You could be anywhere and get shot by a maniac. you can be in your car, on a bus, on the street. But using the airplane as a weapon is the real problem, and one that has many more solutions than have been put forward.
      sparkle farkle
    • RE: Giving thanks for failure: The ID card mess five years later

      @sparkle farkle it's sad to see this type of post coming from someone who is an American. Acquiescing to idiots in the government gets you very little at a very high cost. Privacy rights are more important that the false sense of security you get.

      Here we are invading individuals right to privacy in the name of security while at the same time cargo gets up on airplanes with basically no inspection. So while the TSAA agent is tickling your rectum the bad guys are sticking bad things into cargo which they know does not go through the same inspections that people do.
      • why so sad?

        As I said, I believe that the scanner is the less of two evils as far as personal freedoms are concerned if they can't look at your body profile. They're looking for contraband, not genitals.

        As far as scanning cargo, the entire world is at risk, and there are few ways to mitigate the risk, short of charging more for air freight and installing scanners that have a computer doing the scanning which is years away (I do believe that that to will come to pass). Individuals can't scan that much cargo by eye. the only reason we didn't have a problem with the recent al-quiada attack was good intelligence.

        Picking out a nutjob with a bomb or a gun is easy, picking apart thousands of packages is hard.

        sparkle farkle
  • Handmaid's Tale

    Imagine a system where the government could, at the flip of switch (metaphorically) disenfranchise an entire segment of the population. Late with your income tax? All of sudden your token no longer lets you into any federal building (except tax collections, of course) or national park. No court or appeal. And the security guards don't have any discretion, 'cause they don't know if you've been banned for being late or are a threat. All they can see is Green Light or Red Light. Late with a Visa payment? Visa bans your token from a concert that they have bought the promotion rights to.

    As a Canadian, Rudy, you should be familiar with Margret Atwood's writings. Forget that she usually writes "[i]chick can lit[/i]" because when she writes science fiction she writes some of the best SF there is. My point is this....

    In [i]Handmaid's Tale[/i] a dictatorial theocracy was able to take over simply by using using data bases (under direct government control or controlled by legislation) to marginalize one segment of the population after another. People were being made unemployable, turned into poor credit risks, finding they couldn't go to places, etc simply by entries made into databases. Like any good SF it took one possible scenario and pushed it to the extreme and then she wrote a good story around it.

    That is the critical problem with adoption of the Good/Bad GuyGal token. You don't have control of the token, somebody else has - several "others" do - and they control what the token can do and where it can go. And since you are now linked to the token, their control of the token means they control you.
    • Servant's response


      I agree about the risks - but think they can be managed more easily and with less impact on personal rights than the alternatives. Bear in mind, of course, that I see nothing wrong with Visa cutting off your credit if you fail to pay your bills.
      • More Thinking


        I've been thinking some more about this. But first a clarification....

        I wasn't thinking about Visa cutting off your credit if you don't pay your bill. They do that now when you try to use your Visa. I was thinking, for example, of them being the sole promoter of an event and checking tokens on entry. Someone may have valid tickets, but still be denied entry based on arbitrary criteria.

        The problem with tokens, imo, is that it becomes incredibly easy for organizations - both government and corporate - to control tokens much much more than it's possible to control people. But if you have linked tokens to people, by controlling the access that tokens have to places and actions then by proxy you are controlling the people.

        If the whole idea of tokens is to mitigate the misuse of ID cards by government, then why do you think that given an even easier way to control their populations (i.e. tokens) that governments won't misuse those as well?
    • what's the difference between an ID and a token?

      @snberk341 not really that much. On one you can read what they have to say about you, on the other you can't.
      sparkle farkle
      • The difference is that the card has a limited ....

        @sparkle farkle <br><br>... amount of information on it. A token can be linked to a much larger data set. Plus those data sets can be changed arbitrarily and, literally, overnight.<br><br>One of the most important tools that a population has against arbitrary abuse of power (by government or corporations) is time. It takes time for a population to notice the abuse (as a mass, not individually), get motivated to oppose the abuse, and then to organize itself through court challenges and protests.<br><br>With ID cards, it takes longer to marginalize a group. It can be done, as seen in Germany during WWII, but I think a token would make it easier. Because a token can be tied to so many more fields of information, a person (sorry, a 'token') can arbitrarily be denied access to places and services for reasons that are not apparent to either the screener or the person holding the token. There is no more transparency.<br><br>As you try to enter a court house, to defend yourself from an unjust charge, security can deny you access with a simple "Government says your token is not cleared to access this building".
    • still I see no difference between a token and an ID

      if you use the data on an ID to access a database, it becomes a token. My drivers license has all the information that you need to identify me. One swipe, and away you go. In fact they have readers to determine if you're of age to drink by swiping your drivers license.

      sparkle farkle
      • Currently you have a multiple of tokens, or proto-tokens....

        @sparkle farkle

        ... which each link to a separate database. So, your driver's license links to a limited set of data. Minimally, it is what is necessary to permit the holder to operate a vehicle. In some places they have linked it to other State/Province data - like whether the holder is a "dead-beat dad" (a encroachment that I am very much against). However, your driver's licence does not link to your taxes records, your credit card records, your medical records.

        Your health card doesn't link back to tax records, driving conviction records, etc etc

        Your Social Security # doesn't... well, lets leave that aside because I think in fact the SS# in USA has become broken. Used for too many things, with too few privacy protections....

        A single token system makes it easy to link all of these things together, and allows - I would argue [i]invites[/i] - the government and corporations to control what the token can do based on criteria that may have nothing to do with what the token holder is trying to do or access.
    • RE: Giving thanks for failure: The ID card mess five years later

      @snberk341 good to see some sane folks out there can see the obvious problems with these dumb ideas. A lot of harm can be done when people forget how these types of ideas have been abused in the past.
    • With converging data sets, all you need is one


      you can find alot about me by just giving you my phone number, or social security number. Medical records may be off limits at this point, but it's doubtful whether or not someone would determine your risk of being a terrorist by your state of health.<br><br>Welcome to the information age. I'm sure that a determined terrorist could manage to make a profile for himself that would not set of any alarms. I'm also sure that people can change overnight given the right circumstances, from "good to evil" and that no amount of profiling will give you someone's state of mind.<br><br>
      sparkle farkle
      • Sure I can find out a lot about with a phone #...

        @sparkle farkle <br><br>.... but most of it already at the edges of what I am legally allowed to know. We should be pushing that edge back, not making it easier to control people based on their private data.<br><br>I don't really like using the American Soc Sec # as an example, because I think it's a totally broken system. The number the govt gives you for one particular purpose has become a catchall # that people use in all different sorts of ways. There is no privacy attached to it any more. Do you know, that I as a Canadian, I don't have to give my SIN (soc sec equivalent) to <i>anybody</i> except banks when opening an account (to report back to the tax people); I don't have to give a bank my SIN when applying for loan, since there are no tax paying implications; When applying for govt benefits, unless there are tax implications I don't even have to give my SIN to the govt dept that assigns the number in the first place.<br><br>Putting an entire population at the mercy of what permissions are attached to a token, in the interests of protecting against a terrorist attack seems to me to be - um, less than intelligent. There's that Franklin saying about Freedom and Security. Plus it ranks right up there with Fascism as being a welcoming place to live. Plus, you have done nothing to screen the <i>person</i> (which was Rudy's initial post, remember) - all you've done is create a way to screen tokens (read 'baggage') and the person with a valid token is totally ignored. But it's the person, and not the toke, that carries the bomb.
      • RE: Giving thanks for failure: The ID card mess five years later

        @sparkle farkle <br><br>Actually your state of health could help in identifying potential terrorists. - Have you been diagnosed as paranoid? delusional?, etc. Perhaps you are terminally ill and have nothing to live for and have a grudge against the government or even against someone on the plane. Your state of health could be a factor. Or it could not be. We're getting into a very interesting area.