Liberty and a national identity card (and other stuff)

Murali

Murali did his undergraduate degree in molecular biology with a minor in biophysics from the National University of Singapore (NUS). He then changed direction and did his Masters in Philosophy also at NUS. Now, he is currently pursuing a PhD in Philosophy at the University of Warwick.

Related Post Roulette

53 Responses

  1. Renzo Koornhof says:

    From my understanding, the main reason why people oppose this sort of thing is that they don’t have any trust in the authorities to not abuse the system.Report

  2. Mad Rocket Scientist says:

    The fact that it is mandatory is irksome.  Make it voluntary, and a lot of the worries about liberty disappear.

    The big concern, IMHO, is not the utility of the system, but rather the fact that it is impossible to safeguard the system from being abused (and I’m not inclined to make the job of law enforcement any easier, just on principle).  Police in the US are not known for respecting citizen privacy  & I doubt they could be trusted to do so except under the careful & restricted condition of a criminal investigation.  Other enforcement arms have also demonstrated an inability to avoid snooping on people who have done nothing wrong, except offended someones sensibilities.

    Businesses & criminals would also attempt to gain access to the database, and the US is not well known for government data security, either structurally, or politically.

    The problem is, as always, that the system has people involved.Report

  3. Jesse Ewiak says:

    As others have said, my main problem with a national ID card isn’t even the usual problems of the federal government tracking me, looking at my information, and so on. To be perfectly honest, I assume they can do that already.

    My problem is that a national ID card makes corruption, graft, and other unsavory things much easier to do at the local and state level. In other words, I trust the person at the Social Security office not to sell my info or use it nefariously. The guy at the local sheriff’s office? Not so much.Report

  4. Caleb says:

    There are two levels of possible objections I can think of.

    First is the straight deontological objection, which asserts that this level of government management of transactions between private parties is illegitimate. It is permissible to make possession of an IC conditional on receiving government benefits or services, but mandating the surrender of personal identification data on straight utilitarian grounds is per se immoral. Utilitarians would point out that this is a distinction without a difference, since nearly all persons will submit to the condition. But there is a problem with this criticism: it is difficult to draw a conceptual demarcation line between what most people would call “acceptable” or “unacceptable” levels of legally controlling private behavior using pure utilitarian logic. For example: I could use the structure of your argument for IC for laws that imposed mandatory physical exercise, eating your vegetables, brushing and flossing twice a day, and visiting your Grandma every other week. These would probably all work out in a conceptual utilitarian framwork, yet most people find them somehow objectionable.

    Second is the more Humian skepticism type objection you should recognize from Hayek. It goes: there may indeed be short-run benefits to imposing a universal standard structure for a certain social mechanism. (In this case, an ID card.) These benefits may come from the fact that the mandatory mechanism is superior to all present alternatives, or that the superiority comes from the fact that it is universal. (Or both, in this case.) But society is not static, and what may be best or optimal at one point may become less than optimal or destructive later on. Mandatorily imposed universal standard mechanisms are, inherently, rigid and not easily modified. That is, in fact, their appeal. But when you have a rapidly changing society, where at least some of the potential changes are unknown to those establishing the universal mechanism, there is the threat that some change will come along and interact with the mechanism in a way that destroys all value it heretofore created relative to a more responsive, decentralized approach.Report

    • Caleb in reply to Caleb says:

      Addendum:

      JameK makes a very good point below about institutional quality. An institution with a high level of responsiveness and low corruption would mitigate against my point #2 to some degree, since they would respond to systemic contradictions by trying to fix them. (Rather than exploit them, which is what the converse institution type would do.) The “virtuous” institution would still hit information problems, but at least there would be some attempt at a feedback loop.

      Singapore has the reputation for being one of the most competent and responsive governments on the planet. I don’t blame you for assuming virtue in the administration of IC-type programs. But your happy condition is far from universal.Report

      • david in reply to Caleb says:

        Singapore had identity cards long before it became non-corrupt and responsive. They were used in suppressing communist movement, for one thing.

        The real distinction of identity cards, and the reason you don’t generally see them in rigidly constitutionalized states, is that they are always prone to abuse, and the primary means of discouraging this abuse is not to make the cards invulnerable to hackery (which is impossible) but to crack down using state power whenever it seems like something shady is going on. Regrettably, the nature of suppressing shady going-ons means that you invariably have to compromise other restrictions on the power of states along the way, so for a tightly limited state, this is an incredible threat.

        Constrained states err on the side of doing less. Unconstrained states err on the side of doing more – the discouragement against institutionally conducting identity theft in Singapore is imagining all the elaborate ways in which the state can find and punish you, and it isn’t going to stop merely because it can’t really prove it’s you, or doesn’t presently have the appropriate executive powers to act.

        States do occupy the continuum of constraints, of course… when the US had a problem with organized crime, it made it much easier to punish it.Report

  5. James Hanley says:

    Note, this is not an RFID system which allows you to be tracked.

    Can we be certain there is no ratchet effect?Report

  6. James K says:

    The big issue for me is institutional quality.  Now Singapore is a world leader in non-corrupt government which makes this safer, some of the Nordic countries also maintain extensive government databases (enough that they can actually produce a Census without using a questionnaire).  But doing what you suggest in the US would be a disaster.  Bear in mind that less than 50 years ago a President of the United States had the director of the FBI use official information to compile blackmail material on his enemies.  This is not a government than can be trusted with more than the minimum of personal information.

    Just to provide a contrast, in New Zealand it’s actually illegal for multiple agencies to use the same unique identifier for the same person.Report

  7. Jason Kuznicki says:

    The only people who don’t want a national ID card are people who do things they don’t want anyone knowing about anyway.

    So what’s the problem?

    The problem is that when everything becomes legible to the state, everything becomes the potential subject of legislation. Or just of state action without legislation.

    But there are many, many people who wake up every day and thank their lucky stars that they don’t have to show a government identity card for their economic activity, and these people aren’t even doing anything I’d call wrong.

    Who do I have in mind?  People with:

    –gender identity issues

    –strange or possibly embarrassing hobbies or fetishes

    –secret romantic liaisons

    –personal enemies in any level of government

    –radical political beliefs

    –radical religious beliefs

    –anonymous donors and benefactors

    A unique identifier does not make people safer.  It makes them more tractable.  And tractable is a dangerous thing to be.Report

    • I would amend your list to include non-sanctioned political beliefs.  Radicalism is often political code for a truth that politicians just don’t like.Report

      • Mike in reply to Philip H. says:

        Let the Republicans get total control of House, Senate, and Presidency again – throw in a terrorist attack for good measure – and you’ll see how quickly this can be tossed into fascism land.

        “Radicalism” today, political code for a truth that politicians just don’t like?

        “Socialism”, “Liberal”, all the other epithets they have for anyone who isn’t a bible thumping, gun toting military worshiper. Used your ID to vote in a Democrat primary once or donate to a Democrat politician? Whoops, you’d better not come by our party any more. In fact, you’d better not try to patronize any business that’s run by One Of Us.

        If you don’t believe they’d do it, look at the Great RINO Hunt of the past few years.

        While you’re at it, identify the two politicians for the following quotes:

        “It is only right we ask everyone to pay their fair share.Middle class taxpayers shouldn’t pay higher taxes than millionaires and billionaires. That’s pretty straightforward. It’s hard to argue against that.”

        We’re going to close the unproductive tax loopholes that have allowed some of the truly wealthy to avoid paying their fair share. In theory, some of those loopholes were understandable, but in practice they sometimes made it possible for millionaires to pay nothing, while a bus driver was paying 10 percent of his salary, and that’s crazy. It’s time we stopped it.

        One of these is a guy the insane right wingers worship, who wouldn’t escape being called a “RINO” today. The other is the current POTUS. Can you tell the difference?Report

    • Kyle in reply to Jason Kuznicki says:

      So far, I think this is the more convincing critique; however, I wonder what this looks like. Presently, private merchants can demand to see some kind of ID and there’s no right to privacy in economic transactions that extends to non-governmental actors.

      So I’m not sure is the implication here that a national ID card system would start a slippery slope towards more governmental interference in economic transactions? Requiring or stimulating a more widespread use of IDs? Or is the basic point that it erodes anonymity? In which case, how does a national ID card substantially differ from social security numbers?

       Report

      • BSK in reply to Kyle says:

        A sex shop owner can demand to see my license when I buy my triple dildo.  He might also insist on writing down my name and address and the details of my purchase.  However, I have the option to walk away and shop at another store without such demands.  And there is a big difference between the shopowner possessing this information that, ultimately, I give voluntarily and the government possessing this information which was compelled from me.Report

  8. Patrick Cahalan says:

    This deserves a post-length reply, but I don’t have the time today.

    In a nutshell, one of the main problems with information security is in transitive trust.  A national ID card subsumes a lot of trust, and therefore it represents an extremely vulnerable and valuable attack space.

    Right now, if you look in my wallet you’ll find a number of cards that represent chunks of trust.  I have two credit cards, my driver’s license, my health insurance card, my dental card, a couple of shopping loyalty cards, pictures of my kids, my Caltech ID card (with RFID) that gets me both face authentication that I’m a member of the Caltech community and access to physical locations on campus that would otherwise require a key.

    Every one of those identification tokens (and really, an ID card is just an identification token in a security model) carries implicit authorizations.  My driver’s license authorizes me to pilot an automobile in the U.S.; it also serves as a (bad and ought not to but practically speaking it does) something of a tacit confirmation that I’m a U.S. citizen, particularly when coupled with all of the other cards in my wallet and the fact that I know my SSN.

    Whenever you couple two identification tokens, you couple not only their explicit authorizations, but their implicit ones as well.  By coupling my Caltech ID with the RFID token, it acts both as an identifier and a key.  If you coupled my driver’s license with my credit card and/or with my social security card, you increase the utility of the identification card.  You simplify the user-experience.  Both of these things, however, vastly increase the value of the card for nefarious purposes.

    Some of the 9/11 hijackers possessed a valid VA driver’s license.  You can obtain a legal driver’s license by suborning a limited number of actors at any state DMV.  By coupling lots of identification tokens (and their implicit authorizations) together, you make all of those avenues of attack much, much more lucrative.

    In a small (relatively speaking) country such as Singapore or Israel, this introduces an oversight burden which may be surmountable.  Much like Israeli airport security works because Israeli airport security really needs to watch only two Israeli airports, a national ID card in Singapore could (potentially) work because a limited number of people need the ability to issue the cards.  Watching the watchers is feasible.

    However, these problems combinatorically explode when you get a larger population.  A security system that allows you to oversight 500 government workers responsible for maintaining a set of secure information databases for 1 or 2 million records simply cannot function if you make that 5,000 government workers, let alone 10,000 or 50,000.

    Put all of this functionality into a single card, and you make that card extremely valuable to an attacker.  The attacker only needs to find the weak point: the one government employee who is vastly underpaid and wants an extra chunk of change every 30 days.  The class break problems are enormous: if you crack the database, you get every bit of information about everyone, all at once… instead of having to crack multiple databases that are not normalized and correlate all the k-nowledge yourself.

    (Also: when it does come to pass that the system fails, a monstrously large burden falls upon any victim to prove that they are in fact, themselves and that the illicit transactions are in fact somebody else.)Report

  9. Dan Miller says:

    I think it’s pretty interesting that all the discussion so far has focused on government IDs alone.  Certainly the Mastercard corporation already meets the criteria for level 3 at least?Report

    • Jason Kuznicki in reply to Dan Miller says:

      Which is why anyone who cares about privacy uses cash to buy dildos and falsies.

      If we had no option but to use MasterCard, that would be a different story.Report

      • ThatPirateGuy in reply to Jason Kuznicki says:

        But my reward points!Report

      • Dan Miller in reply to Jason Kuznicki says:

        I don’t think any single purchase is the only privacy issue, though.  Even if any given purchase is innocuous, looking at all of them can produce a pretty detailed picture of where a person lives, where they’ve been, etc etc–much more detailed and invasive than any existing government profile.  And the “choice” thing seems to be pretty much a dodge–most of the population has a credit or debit card (174 million people according to these stats and a little math).  Sure, people could theoretically not use cards (and not buy online except at enormous hassle, but I digress), but they haven’t.  And the result is that the majority of the population is already sporting a profile that’s more intrusive than Murali’s option 3, arguably bordering on option 2.  If you’re worried about the panopticon, well, that ship has sailed.Report

  10. BlaiseP says:

    The problem with Identity Cards generally is the level of security applied to the data thus generated.   We have the wretched Social Security Number system in the USA with almost no security behind it.   The US military has the CAC card, almost as vulnerable.Report

  11. Kyle says:

    I wonder how much thinking on this issue is generational. I mean I’m young and I’ve never had a peer or younger person voice concerns about national ID cards. From my perspective anyone who wants to get basic information about me really doesn’t have to try very hard (it’s  called google). As for fingerprints, when’s the last time laypeople used fingerprints for anything?

    This actually reminds me a lot of the concerns people would voice at my old job about using their fingerprint to verify their identity. (Technically, biometrics but close enough for this point) They’d voice concerns about data theiving and privacy and I always found them somewhat baffling. If I walked into a bank and said, “I’d like to open account. I don’t have an ID but here’s a copy of my fingerprints,” would I get a bank account? Absolutely not.

    As for concerns about security, I am a fan of proving you can handle some responsibility before being granted more. However, I think Murali raises a really good point about this being an issue of competing security and how under current laws the loss of privacy from a national database with basic account information would actually guard against overinclusive government actions like “no fly” lists and deportations.Report

  12. Jaybird says:

    If we could figure out a way that we could ENSURE that it’s non-transferable… a tattoo on the right hand or forehead, say… we could then use this tool to help combat the illegal immigration problem.

    If you want to buy or sell something, you have to have this mark. If you don’t have it, you have to go underground and do business on the black market (or starve (or go back home)).

    I don’t see a single downside.Report

    • KenB in reply to Jaybird says:

      No downsides, are you crazy??  How are they going to come up with a tattoo design that doesn’t clash with all my other ones?Report

    • BlaiseP in reply to Jaybird says:

      There’s a simple way to manage this stunt, via the Web of Trust paradigmReport

      • Patrick Cahalan in reply to BlaiseP says:

        Simple in the, “Wow, it’s so simple nobody actually uses it” way.

        Zimmerman’s idea is great and all, but it fails when it hits humanity.  Humanity hits back.Report

        • BlaiseP in reply to Patrick Cahalan says:

          I dunno.  I have to deal with this problem a fair bit and I do implement the Web of Trust pattern, so it is in use.  The weak point is the CA, as we’ve long since known.

          When I implement a Web of Trust, I have the employee go down to the security office with his manager, where he’s given what for all practical purposes a unique token, generated based on his manager’s token and the output of a face recognition algorithm.   Not hard to implement PAMs thereafter, really.   Sets up a cascading RBAC system without much problem at all.    SELinux and the ACLs control the rest.Report

          • Patrick Cahalan in reply to BlaiseP says:

            Whelp, that’s good security design when the manager knows the employee, and the manager is a trusted agent and the security officer is a trusted agent and the attack space against the back-end is limited.

            That’s a reasonable number of assumptions for a closed system, provided you’re suitably paranoid about the border to begin with.

            When you have a manager (a “secureID” deskperson) who doesn’t know the employee (the citizen) and the security officer (the “secureID” issuer) doesn’t know the manager and the system is open and (in many cases) the manager works for one organization (a state) and the security officer works for another (the feds) and the back end is opened to all those state, local, and federal agencies all ’round everywhere, you have a different set of problems.Report

            • BlaiseP in reply to Patrick Cahalan says:

              I believe all identity must be based on personal knowledge of the person thus identified.  Truth is, we’re not tracking identity but relationships.  Many such identities could be created, based not on the identity per-se but on the relationship thus specified.   Consider what happens when a manager is fired:  the old relationship is no longer valid and new relationships between manager and subordinates must be created.

              In the wider world, we could have a relationship between patient and doctor thus created.Report

    • Murali in reply to Jaybird says:

      Actually, implanting a chip which monitors sings of life and which can work as an IC, debit card, etc (for every single bloody transaction) would makepeople’s wallets that much slimer and bbe really cool.Report

      • sonmi451 in reply to Murali says:

        Yup, Mr Murali is obviously a true-blue, die-hard liberaltarian. I mean, what liberaltarian wouldn’t support his proposal? A liberaltarian who thinks that democracy is overrated, people shouldn’t care so much about the right to vote since voting doesn’t really matter (hey, I guess Civil Rights Act and Voting Rights are all a waste of time, right? That stupid Lyndon Jonhson, he shouldn’t have been that stupid to fight for blacks to vote and losing the white votes in the South. After all, voting and democracy is overrated). And now this proposal. Does that term liberaltarian means nothing anymore?Report

      • sonmi451 in reply to Murali says:

        Seriously, what the heck kind of LIBERALTARIAN wants to implant chips on people? Am I the only one seeing how crazy nuts this is? And I’m mostly a liberal who’s okay with what the right-wing calls the “liberal nanny state”, but even I think this is JUST FREAKIN’ NUTS. And yet  this is coming from Mr Murali, someone who insists on calling himself a LIBERALTARIAN!!! MAybe some actual libertarians want to chime in on why Mr Murali is out of his mind? Unbelievable.Report

  13. Philip H. says:

    Aside from the obvious political thought suppression issues, my main concern is this – when was the last time an authoritarian state issued mandatory ID cards to all citizens without the willingness and ability for use those cards for immoral acts?  can’t find a historical example?

     Report

  14. Murali says:

    Thanks everyone for the great comments on this.

    Especially would like to thank Jesse Ewiak (I’m rarely appreciative of the disagreements we have).

    Something that has come up twice is about how a national identity card can be used for political thought suppression. I dont see how having an IC plays any part in whatever thought suppression that does take place in singapore. But even more saliently, it is not clear how an IC could be used to suppress political opposition in the US which has far more safeguards against such things than Singapore.Report

  15. Alan Scott says:

    To things:

    First, I’m skeptical of those that argue that a national ID somehow a huge violation of our privacy but having a driver’s license and a ssn and a library card and a student ID isn’t.  I understand why it may be a bad Idea from an information-security perspective, but that’s tangential.  More IDs mean more hoops to jump through and more people who can make your life miserable for their own selfish reasons.

    Second, I want to touch on Murali’s initial suggestion of indexing fingerprints and DNA to the card and using it to identify crime suspects.  This is a REALLY REALLY BAD IDEA.  DNA and fingerprinting can be reliably used for verification when someone’s already a suspect, but when you’re comparing a profile to a database of 300 million people, you’re going to get some false positives–people whose DNA or fingerprints seem similar enough that the police start to look at them as suspects, despite the fact that they live hundreds of miles away and have no relation to the case.Report

    • Patrick Cahalan in reply to Alan Scott says:

      First, I’m skeptical of those that argue that a national ID somehow a huge violation of our privacy but having a driver’s license and a ssn and a library card and a student ID isn’t.

      It’s not the same, in the classical terms of information management.

      Segregated systems means meta information is of a lower signal and a higher noise.  The meta data associated with the persona attached to each one of those individual cards cannot (necessarily) be indexed to the personae attached to the other cards.

      Practically speaking nowadays, this is not moot, but close enough for government work, because the U.S. has absolutely crappy data privacy laws.  However, you could re-segregate the data with appropriate introduction of real data privacy laws.  You could never do that with a national ID card; there are no multiple personae, only one.

      This is a REALLY REALLY BAD IDEA.  DNA and fingerprinting can be reliably used for verification when someone’s already a suspect, but when you’re comparing a profile to a database of 300 million people, you’re going to get some false positives

      This is a really good point and I should have brought it up myself in my own comment.  I beg “I was short on time” for my excuse, but that’s a bad excuse.  +1 on the whole paragraph.Report

    • James K in reply to Alan Scott says:

      Second, I want to touch on Murali’s initial suggestion of indexing fingerprints and DNA to the card and using it to identify crime suspects.  This is a REALLY REALLY BAD IDEA.  DNA and fingerprinting can be reliably used for verification when someone’s already a suspect, but when you’re comparing a profile to a database of 300 million people, you’re going to get some false positives–people whose DNA or fingerprints seem similar enough that the police start to look at them as suspects, despite the fact that they live hundreds of miles away and have no relation to the case.

      Ah, someone who understands Bayes Theorem, excellent.Report

  16. Matty says:

    I suppose my objection is to the idea that I would *have* to identify myself in this way. Driving licences, credit cards etc are all in theory voluntary – you can walk everywhere and pay cash.

    In practice I am happy to share all sorts of information with all sorts of people but I’d still like the choice.

    A related worry, which isn’t in your proposals but always comes to mind on this subject is the totalitarian spectacle or people facing prosecution for not having a card on them when stopped by the police. Whenever I hear the phrase “compulsary ID” my brain translates this to “Your papers citizen!”Report

    • James K in reply to Matty says:

      I fell that if a law requiring the presentation of ID is ever passed, it should include a provision that the officer must use a thick Russian or German accent when they ask for the ID.

       Report