Time for a national ID card?

So far, the approach would limit use of smart cards to employment applications. However, experts have floated the idea of using such cards in a variety of other transactions, from commerce to health care services, in physical environments and digitally for online authentication.

Neville Pattinson, vice president of government affairs and business development at Gemalto North America, a provider of digital security credentials, said he believes the new Social Security card should be the basis of a national identity credential that would improve the ease and security of many transactions. Jim Harper, director of information policy studies at the Cato Institute, said he sees major dangers associated with that proposition.

They discussed their views recently with Federal Computer Week. Both men serve on the Homeland Security Department's Data Privacy and Integrity Advisory Committee, though their remarks don’t reflect DHS' or the committee's views on this subject.

What are the benefits of a single digital identity credential?

Pattinson: We’re in the midst of a national identity crisis in general. We have no single trusted credential in our society today. We’re using Social Security cards in paper form, driver's licenses, birth certificates. At best, we have a passport, which is probably the best credential of all to date.

We really need to look at the positioning for an identity credential for the citizen that gives control to that citizen to present their identity in both the real world and the online virtual world.

Harper: If you look at the way people actually work in the world and the way they do security in other realms, they disperse their assets. They have key chains with several different keys on it, and that doesn’t represent a crisis in security for physical possessions. That’s a good security mechanism to have very different keys for different purposes.

So, I think it’s a mistake to design an identity system around a single trusted credential.

How do you convince people that there are enough benefits to overcome the risks of a single credential?

Pattinson: We have, fundamentally, one identity that we use in our real-world, day-to-day [lives]. Perhaps we have pseudonyms or personas we use in our virtual world. We need a trusted credential to spawn various manifestations of the credential in different situations.

Harper: The root of your identity is actually your body, and trying to impose a governmental or private organization outside that to provide the root of our identity is a mistake. I don’t want identity systems for humans to operate the way the Internet does, with a root server that some organization controls and not me. Identity should spring from the person.

I don’t think you can make a good sales pitch to people and have them agree to hand over the keys to their identity to any organization, much less to a government body, which has so much coercive authority.

Is there a psychological barrier to people adopting this single identity, given that people like the idea of having different credentials for access to each of their assets?

Pattinson: I think, inevitably, that is the case. In the United States, that is clearly evident in the discussions we have. Some see [a single credential] as abhorrent, though others see it as something that could be useful. It’s very much a personal reaction.

Harper: The selling point that this empowers the individual is important, especially in the context of a government-provided digital credential. In my view, having a government-provided credential — and this assumes everyone should have one — undercuts the bargaining position of the individual.

It’s like “You have the national credential, don’t you?” and if you don’t and you haven’t proven who you are to me, then it’s “I can’t do business with you. You’re some kind of illegal alien.” And so we are all going to naturally migrate toward proving our identity for far more transactions than we do today and thus creating the opportunity for far more recordkeeping and undercutting our privacy.

So even though it will be presented as a choice that people can use when they want to, over time, this credential will de facto become the national identity card?

Harper: Yes, it’s the same choice that people have when they use Web sites. I’m all for publishing [Web site] privacy policies, but in the end, it’s take-it-or-leave-it. So with the majority of the public focused on living their lives and not [being] privacy activists, they will say “OK, I’m just going to present my individual credential for every transaction, including buying a pack of gum. That’s what they tell me to do.”

Pattinson: What we’re considering is the need for providing an elective digital credential, biometric identifier or whatever it may be to the citizen. On that basis, having to present it for more and more transactions is all about [evaluating] the risk of performing a transaction with or without it.

Wouldn’t the demand for efficiency push industry and government toward the use of just one or two credentials?

Pattinson: To me, this is just a transactional ability to prove who I am at the point of enrollment. After that, you’ve potentially got other identification mechanisms like those we carry today. We have a whole host of cards that we carry in our wallets and purses that have ID-based information for [use with] individual systems.

Harper: This idea of a voluntary system is rather at odds with the circumstances in which we are talking about having a biometric Social Security card.

You’ve got 7 million employers around the country already equipped to use it for employment verification, and you’ve got lots of politicians who want to solve things that are problems from their perspective. We’ve already seen legislation with regard to Real ID [federal standards for driver's licenses], for access to financial services and credit at the state and local level. You’ve seen proposals to require proof of immigration status for housing. There have even been things floated in the past because of the methamphetamine problem that a national ID should be required of people to buy cold medicine.

So the uses of this national credential, once it’s in place, are limited only by the imagination of regulators. And [the notion of it being voluntary], that just disappears over quite a short period of time.

What’s the political will for going forward with this, given everything else that’s going on today?

Harper: I think, frankly, that the stabs at national ID such as Real ID and PASS ID [a proposed replacement of Real ID] have delayed progress because everyone thinks that’s where it’s going to happen. And trying to do this at the federal level through the Social Security system I guarantee would take 10 years even if everyone agreed on it. It’s really just keeping us from letting innovation and invention and private capital go to work on this problem and start building identity systems and credentialing systems that are really creative and user-friendly.

If you haven’t met the challenge of consumer uptake, trying to force it on people through the government is not going to work either.

Pattinson: I think certainly we owe it to our citizens to provide something. There is a need. We are unable to present identity and be able to prove it in the virtual world and in our digital lives today.

What I’m suggesting is just a simplified view of being able to have one credential that could facilitate the enrollment into [other systems] and give you a trusted persona under any commercial organization. But trusted back to something that we need in our society to know who we are dealing with and [allow] an individual to be able to prove it.