Monday, April 19, 2004

There are two lovely essays in Bruce Schneier's latest Crypto-Gram, one on national identity cards and the second on the economic incentives to rig electronic voting machines. On national ID cards:

"But my primary objection isn't the totalitarian potential of national
IDs, nor the likelihood that they'll create a whole immense new class
of social and economic dislocations. Nor is it the opportunities they
will create for colossal boondoggles by government contractors. My
objection to the national ID card, at least for the purposes of this
essay, is much simpler.

It won't work. It won't make us more secure.

In fact, everything I've learned about security over the last 20 years
tells me that once it is put in place, a national ID card program will
actually make us less secure.

My argument may not be obvious, but it's not hard to follow,
either. It centers around the notion that security must be evaluated
not based on how it works, but on how it fails.

It doesn't really matter how well an ID card works when used by the
hundreds of millions of honest people that would carry it. What
matters is how the system might fail when used by someone intent on
subverting that system: how it fails naturally, how it can be made to
fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we
make it, it will be forged. And even worse, people will get legitimate
cards in fraudulent names...

... the main problem with any ID system is that it requires the
existence of a database. In this case it would have to be an immense
database of private and sensitive information on every American -- one
widely and instantaneously accessible from airline check-in stations,
police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of
existing databases; databases that are incompatible, full of erroneous
data, and unreliable. As computer scientists, we do not know how to
keep a database of this magnitude secure, whether from outside hackers
or the thousands of insiders authorized to access it.

And when the inevitable worms, viruses, or random failures happen and
the database goes down, what then? Is America supposed to shut down
until it's restored?

Proponents of national ID cards want us to assume all these problems,
and the tens of billions of dollars such a system would cost -- for
what? For the promise of being able to identify someone?"

No comments: