This is another thread that got me fully engaged again and lead me to
find what I believe are "coffin nails" for the national ID card. There are
a few postings from other people that were not included that I thought to be
essentially off topic. In some cases some of the messages are not in
chronological order to make the following of certain sub-threads easier.
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Wednesday, January 07, 2004 1:05 PM
Subject: An Outline of UBID
[Subject title was formerly "Program to fingerprint U.S. visitors starts"]
Responding to Nancy Yanes-Hoffman
Nancy,
Descriptions of the UBID have been included in postings to the BC list since
Sept 12, 2001. Here is a summary. I have numbered the paragraphs to facilitate
questions or comment.
1. There is no manufacturer or even a designated biometric. There is no
company with a vested interest. UBID is a concept into which can be plugged
the devices and methods best suited to accomplish the objective.
2. The issuance of identity documents has always been a governmental function.
That continues to be the case as illustrated by birth certificates, passports
and other official identity documents. This is not to be confused with the
fact that private entities issue documents that are used for their own
identification purposes. There are not too many places that will accept your
health club card as proof of identity, or even your employee card (other than
entities that are in some kind of privity with your employer).
3. The concept is that when the government or a private entity has a right to
ask you to produce proof of identity, before extending trust or credit to you,
they have a right to demand unequivocal proof of identity to the extent that
such proof is reasonably possible.
4. The card would include your biometric(s) and minimal information about you
- name - unique ID number, photo. The face of the card would likely only
include the name, photo and a public, unique ID number. The same information,
together with your biometric(s) and some encrypted information used to verify
the genuineness of the CARD, would be electronically embedded in the card.
5. Upon presentation, your live biometric(s) would be compared to the embedded
biometric(s). In addition, a remote central data base would be simultaneous
contacted to confirm that this card was actually issued to the person you
claim to be. The remote card verification process is not any more complicated
than present credit card transactions. The only function of the central system
is to confirm who you are. It does not confirm that you are a good person.
6. The card would probably end up replacing most of the plastic that people
now carry. Swipe it at an ATM, and the ATM goes through the foregoing process
and then tells you what options are available to the person you have
established yourself as being. Present it at a border crossing, and your
entitlement to enter or leave is based upon who you have established yourself
to be. No other passport document would be necessary.
7. Upon your initial enrollment, your biometric details would be compared to
the details of all other enrolled persons to make as certain as possible that
you have not enrolled under more than one identity. It may be necessary to
have several different levels of enrollment.
A. - No background check of substance - In substance this establishes a
relative identity. This is the same person that enrolled on such and such a
date. Many transactions need no more than that. This is the person we hired.
This is the person who, after being hired, has been granted access to certain
parts of the premises or certain information. This is the person who passed
his drivers license test. This is the person who opened this bank account.
B. - Moderate background check - Reasonable effort to determine the pedigree
and basic history of a person. None of this information is kept on the card.
It is the basis for issuance of the card.
C. - More substantial background checks - Somewhat in line with present
security clearance levels.
[I approached background checking a bit differently in the original version.
Therre is a lot of room to shape that aspect to real world realities and
mainenance of privacy]
8. The level of enrollment would only be revealed to checkpoints entitled to
know that information and would not be on the card but available via the
central data base. In all respects, the UBID card would appear the same for
everyone.
9. If you are on an authorized watch list, your presentation of the card would
alert the appropriate authorities. There are probably three main categories of
watch lists: a) fugitives, b) missing persons (particularly children and
incompetents), and c) terrorist watch lists.
10. For certain inquiries - presentation of the card would alert as to whether
the person is a citizen, or if the person's presence in the country is or is
not legal. For other inquiries, it would alert authorized persons as to
whether the individual is a convicted felon, probationer, or awaiting
disposition of felony charges.
11. Having established or rejected a claimed identity, the central database
would not keep any record of the activities of established identities. It
would merely authenticate the claim and bow out of the situation. Records of
the particular transaction are maintained by the entity that has requested
proof of identity.
12. Upon establishing probable cause, to a judge of competent jurisdiction,
that a person is engage in the commission of a crime, tracking can be
authorized for a limited period of time pursuant to reasonably described
objectives. In short, the process would be essentially the same as any other
search warrant or telephone tap.
13. Persons would have the right but never the obligation to store additional
personal information on their card - next of kin, person to be notified,
medical records, etc., and access to such information would only be available
with the individuals explicit cooperation or according to standards that he
has caused to be imbedded. E.g. he can provide that any medical facility can
read the medical data.
14. There is a downside to any system that is centralized, just as there are
downsides to systems that are distributed or to no systems at all.. In fact, I
do not see any downsides to the UBID other than that it provides a structure
that a repressive regime could pervert to consolidate its control. In balance,
I think that the UBID presents less potential for abuse than the present id
systems. A UBID would be presumptive proof of identity and would relieve many
persons from intentional or negligent abuses that occur on identity issues. It
would also substantially defend against identity theft or identity
misrepresentation.
15. The standards and limits applicable to the UBID would be clear and
specific. Presumptions should be in favor of individual privacy. Any elected
official who willfully seeks to pervert the system should be subject to loss
of office and criminal penalties. Government employees who willfully seek to
pervert the system should be subject to loss of employment and criminal
penalties. Private entities that seek to pervert the system might face
forfeiture of the right to use the system (as inquirers) and criminal
penalties. There must be a commitment to no-nonsense enforcement of the
integrity of the system.
16. It has now been recognized that something must be done about either
legitimizing or apprehending and deporting illegal aliens. Once the current
proposals on that matter shake out, if there is a UBID, it will be almost
impossible for an illegal or a fugitive to function without encountering a
situation that requires presentation of UBID.
17. A UBID would simply be a rational device for instilling some order in what
is essentially a disordered identity environment. It would not breach
anonymity in circumstances where anonymity is presently possible. While
enrollment might be voluntary, that is something like saying that credit
cards, checking accounts and telephones are voluntary.
18. A UBID would not uncover the fact that someone is a terrorist, unless that
fact has been independently determined from intelligence or police sources.
However, it would create a far more difficult environment for known and
unknown terrorists and criminals to navigate.
19. If I were making the decisions purchases, whether by cash or credit, of
dangerous instrumentalities such as explosives, firearms, certain poisons and
pathogens, would require presentation of a UBID, so that accountability can be
tracked when appropriate. Other technologies permit embedding of what are
essentially electronic serial numbers in such materials. Thus a good potential
will exist for tracking misuse back to those who purchased the item.
20. I do not subscribe to the concept of the "sign of the beast" or to the
idea that we must keep at the ready an environment that enables vigilante or
revolutionary activities. People with those views will likely be against any
ID system., while, ironically, driving a car with a license plate, showing an
employee id to get into work, writing a check or using a credit card and
collecting social security.
21. There is a certain downside that a UBID presents to the biometrics and
security industries as presently constituted. Once a UBID goes into effect, it
will make avoid a lot of existing and potential duplication. The same card is
used for everything. Swipe it at work, and the equipment at work knows who you
are and determines whether you have access rights. Swipe it at your home front
door, and it lets you in. Go to the bank, board a plane, etc. The major
biometric technologies will be the ones that are used for the universal
system. There will be plenty of work available to create such a system and
then to service it. Present duplicative efforts will simply have to be
directed to other things.
22. Of course, the question arises, how are we to pay for all of this? As
already indicated, any person visiting or residing in the Country would be
entitled to enrolled and receive a card at no charge. There is presently an
enormous amount of money expended by government and private enterprise on
substantially less reliable formal and informal id efforts. Similarly,
billions are lost as a result of identity theft (i.e., failure of present
systems). The initial investment would be a government expense. Thereafter,
when any inquiring entity checks the central system for verification, it would
incur a small charge or perhaps it would pay a flat rate based upon the number
of inquiries it is likely to use. That includes government functions - thus,
the cost would, in part, be allocated to various budget lines.
23. As with any such proposal, such a system will take time to create and time
to reach universal enrollment levels. That is true with any major project. If
we don't start, we will never get there. Putting it off because we cannot
implement it immediately, simply assures long term inadequacy.
24. In fact, a large number of people are or shortly will be enrolled in
systems that can be shifted to the UBID. Similarly, for the middle range of
security card a large number of military, state and federal employees and
licensed individuals have officially recorded identity histories.
25. If such a system is treated as pork barrel as usual, it will cost a great
deal and probably be grossly deficient. If it is treated as a high priority of
national or international civil defense against terrorism and crime and in
favor of individual personal security, then it can be done at below the
current cost of id systems and identity theft losses.
26. One of the concerns about biometric ID systems is that someone will
capture your biometric details and then masquerade as you. Of course, that is
true with regard to any identity system, but less true of biometric systems
since you actually have to be present to be compared to your stored biometric.
You also have to present a card with your photo on it and your biometric
within it. It seems to me that the usually depicted scenario of someone
stealing your card or your losing it, does not present a material risk because
of the nature of biometrics and because of the unique three point verification
process - you, the card you present, and the central database check as to card
authenticity.
27. It would be a mistake to assume that the UBID will provide absolutely
secure proof of identity, particularly in its early stages - but even
thereafter. The system should have a built in or optional insurance provision
to safeguard against errors and fraud.
28. As much as technically possible, the system should be an open system.
There should be no secrets about how it works. When secrets are needed, they
are simply a way of temporarily hiding vulnerabilities that eventually will be
known.
29. To the extent possible, other countries should be encouraged to adopt the
same system so that there is a common identity platform, thereby facilitating
the accuracy of identifying international travelers and bringing down the cost
for everyone.
30. Efforts to defraud the system would incur criminal penalties and may also
involve periods of suspension of the entitlement to have a UBID card. or have
history of card fraud embedded in the fraudsters card.
31. Although participation would be nominally voluntary for adults, once the
system starts, enrollment of all newborns would be a requirement. The UBID
would take the place of the birth certificate.
32. A lost or stolen UBID card would not be a major problem. The individual
brings fingers and face and irises to the local registration location and buys
a new card. The registration location verifies the biometrics and other
information with the central database..
33. As with any ":living" system, improvements in the security or utility of
the UBID will be taken on with the passage of time. It would be foolish to
assume that nothing will change.
34. There are a variety of ways that the UBID can be used for remote
transactions such as purchases over the internet. That would unduly extend the
length of this summary.
32. This does not describe every element, potential problem or benefit of a
UBID system. It is not a spec. It merely is an effort to outline the concept
with sufficient particularity to be meaningful. It was originally proposed,
back on September 12, 2003 with the idea that it could be constructively
discussed and appropriately improved. Hope springs eternal.
Best wishes,
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List
On Behalf Of Huffman, Joseph K
Sent: Thursday, January 08, 2004 10:01 AM
Subject: Re: An Outline of UBID
Henry wrote:
"...if there is a UBID, it will be almost impossible for an illegal or a
fugitive to function without encountering a situation that requires
presentation of UBID."
I'm at a loss to understand how this statement can be true unless we were
allow the police to set up checkpoints and stop everyone walking down the
sidewalk and every passenger in every vehicle that drives down the road and
track the amount of food purchased by every family and compare it to the known
number of people in that family. Otherwise one only needs one person with a
valid ID to support several illegals/fugitives and the best result you can
claim is that you made things inconvenient for them.
Henry also wrote:
"purchases, whether by cash or credit, of dangerous instrumentalities such as
explosives, firearms, certain poisons and pathogens, would require
presentation of a UBID, so that accountability can be tracked when
appropriate. Other technologies permit embedding of what are essentially
electronic serial numbers in such materials. Thus a good potential will exist
for tracking misuse back to those who purchased the item."
This is a fantasy. And this is something I am somewhat of an expert on. I grew
up on a farm and still own farm land. I have an ATFE license to manufacture
high explosives and I manufacture many hundreds of pounds of explosives each
year. Firearms, explosives, and poisons can be made with tools and materials
found in almost every garage, hardware store, and grocery store. Restrictions
on these things will be no more successful than the restrictions on
recreational drugs which enter this country by the ton.
The firearms registry in Canada has been an expensive and dismal failure and
would be an essential part of any attempt of tracking commercially produced
firearms. Countries with complete bans on private ownership of firearms have
thriving black markets in firearms.
Explosives can be made from kitchen matches, household supplies, and farm
fertilizer purchased by the ton by even small farmers. A few hundred pounds
would be easily diverted without suspicion and would be more than enough to
cause tremendous damage. Here is a detonation of just FOUR pound of high
explosives, made with common everyday materials, with four gallons of gasoline
I detonated about 10 days ago:
http://www.joehuffman.org/FlashTek/JuliaFireball.wmv
I presume Henry is referring to taggants when he mentions "essentially
electronic serial numbers" which are easily removed from things such as farm
fertilizer. Not only that when studies were done regarding insertion of these
taggants in commercially produced explosives and gunpowder adverse effects
occurred (from
http://www.hodgdon.com/news/taggants.htm):
-----
The taggant was blended with HMX, an explosive material. The HMX began
deteriorating in the morning after being mixed with the taggant material. All
personnel were evacuated from the site by noon. The HMX detonated and
destroyed the plant that afternoon. Goex sued Aerospace Corporation (prime
contractor for the study), stating that the taggant was the only foreign
material in the mix, thus was the direct cause of the explosion. Goex was not
successful in the lawsuit, but was successful in getting out the message about
the potential hazard of adding taggants into some high explosives.
-----
Even if fertilizer and explosives can be successfully "tagged" and then
tracked down to the individual user then the taggants must be added at the
time of sale. If that is the case then the terrorist has the entire supply
chain available to find a weak spot to obtain their explosives (or components)
without the taggants. If the taggants are added prior to the final sale then
hundreds or even thousands of users will have the same "serial number" in
their batch of fertilizer or explosives. In the case of farm fertilizer the
applicators and trucks that carry this fertilizer are only very rarely stored
under lock and key. They are most often in open fields or sheds 24 hours a
day. Many farmers don't even have enough shed space to store all of their
equipment.
Poisons -- these are so incredible easy to acquire and make by the hundreds of
pounds I won't even both going into detail. Nearly every household already has
the components to make poison gases and fluids and if "serial numbers" and the
tracking were to be put in place life as we know it would come to a halt.
In short, attempting to successfully track "dangerous instrumentalities" will
have a tremendous cost associated with changing the entire way of doing
business and conducting our day-to-day life for hundreds of millions of
people. And my contention is that even if you were to successfully implement
such a system it would be as easily defeated by similar methods and perhaps
even the same people that smuggle recreational drugs into this country.
So tell me again, what problem does a UBID solve that can't be solve some
other way or is problem without a good solution?
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Thursday, January 08, 2004 10:58 AM
Subject: Re: An Outline of UBID
Responding to Joe Huffman
Joe,
I have numbered your points A, B , C and D within your reply, and my comments
are:.
A. You say you are at a loss to understand why a UBID would interfere with the
functioning of an illegal or a fugitive. If a biometric id is necessary for
all credit card purchases, certain kinds of other purchases, air travel,
building entry, etc., it will be almost impossible for you to function without
encountering a situation that requires presentation of your biometrics. Can
efforts be made to evade such encounters - of course. Will it make achieving
your objective a lot more difficult and will it increase the chances of your
being discovered? Absolutely.
B. Biometric ID necessary to purchase explosives and firearms. In the US
today, some things that are particularly suited to be explosives or firearms
can be easily acquired. My point is that whenever such materials or items are
purchased, an unequivocal ID should be required and recorded. I accept your
point that, even without "particularly suited" materials and items, someone
with the necessary knowledge and skill can take some ordinary items and
convert them into explosives or firearms. We cannot create a risk-free
environment, we can only make reasonable efforts to reduce the risk or to
preserve information that will help in tracking back to points of purchase. As
regards the general subject of firearms registration, I accept that there are
differing points of view that are not likely to be reconciled, just as there
are on most regulatory matters.
C. Yes I am talking about electronic ID particles that are mixed with, molded
into or adhered to objects. I am not familiar with the studies that you
mention, but they all sound like the Kitty Hawk stage of substance tracking.
The reference you site goes back to 1996, and appears to be the latest thing
that gun powder dealer can cite. I do not have any expertise in this area, but
from what I have read, it has progressed substantially since 1996.
D. You conclude: "So tell me again, what problem does a UBID solve that can't
be solve some other way or is problem without a good solution?"
The word "solve" is an overstatement. I could just as easily ask you what
problems handguns solve. Identity is the orientation point around which all
security systems must position their processes and objectives. A UBID provides
the closest thing we have to unequivocal identification of people. It is a
tool used to assist in prevention or solution of crime. It is also a tool to
assist in expediting the cessation of otherwise unwarranted intrusions upon
the privacy and respect of people.
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph
K
Sent: Thursday, January 08, 2004 12:06 PM
Subject: Re: An Outline of UBID
Regarding our discussion points A, B, C, and D.
A: Credit cards are not necessary for functioning in our society. Cash and
money orders, both of which can be completely anonymous, work for everything I
can think of. Or are you going to outlaw those too?
UBID presentation at building entrances? All buildings? All public buildings?
All commercial buildings? Malls and grocery stores? Will a parent taking their
children to the store be required to present the UBID for their children as
well? What is it you are talking about where you can significantly impede a
fugitive from functioning yet not create a tremendous burden on the ordinary
person? Then look at the bandwidth requirements for access to the central
database when you have nearly 300 million people trying to access it multiple
times on a daily basis. And what happens if the database or the communication
link goes down? No more ingress to the building? If not, then the fugitive
that MUST have access cuts the communication channel, the doors go open and
they enter. If ingress is prohibited when the channel is cut then all valid
users are denied entry by a terrorist severing the communication lines. You
loose either way. A central database for clearing all the queries? THAT (and
it's power and communication lines) will be the target of terrorist attack. If
our entire country was built around everyone having to access that database
multiple times on a daily basis can you imagine the havoc it would raise if
that database were suddenly inaccessible? You are creating a single point
failure system for the entire country.
B: Henry wrote:
----
We cannot create a risk-free environment, we can only make reasonable efforts
to reduce the risk or to preserve information that will help in tracking back
to points of purchase.
----
I'm reminded of the analogy used by computer security experts to explain
cryptology efforts to the layman. Almost all of our encryption technology is
very good. We use it as a gate in the fence around things we wish to protect.
Some encryption represents a gate a half-mile high, others a mile high. The
fence connected to the gate and around the things we wish to protect is only
three feet high. And so it is with your proposal to require ID for purchase of
"dangerous instrumentalities". Commercial firearms and explosives already
require ID, but without a means of tracking them past the retail purchase
level this is almost meaningless (or rather only a fence three feet high). At
this point tracking is impossible and I suspect this is an unsolvable problem
without a level of intrusion into ordinary life that is unacceptable to even
the most tolerate of people (random or even systematic body cavity searches).
C: Taggants are not electronic ID particles. They are color coded (at the
microscopic level) particles. Perhaps you are confusing them with RFID tags
which are much more expensive. The article I quoted was merely the first one I
found. A more recent one (September 2001) is from the Institute of Makers of
Explosives:
http://www.ime.org/printtaginexp.htm
A recommendation is:
----
The addition of identification taggants to commercial explosives must be based
on sound science and a cost-benefit analysis. Until new technologies can be
embraced, it is not in the best interests of the public, the environment, law
enforcement or industry to mandate identification taggants in commercial
explosives.
----
I could find numerous others, including the ATF (now the ATFE) reports, that
all conclude (in my words) "present technology doesn't work and there very
difficult problems yet to be solved before this is a useful tool".
D: Henry wrote:
----
The word "solve" is an overstatement. I could just as easily ask you what
problems handguns solve.
----
That is beyond the scope of this forum. But if they don't solve any problems
then why do nearly all police carry them?
Henry also wrote:
----
Identity is the orientation point around which all security systems must
position their processes and objectives. A UBID provides the closest thing we
have to unequivocal identification of people. It is a tool used to assist in
prevention or solution of crime. It is also a tool to assist in expediting the
cessation of otherwise unwarranted intrusions upon the privacy and respect of
people.
----
This is too vague for me to understand. Give me specifics -- and almost for
certain I will be able to demonstrate the cost far, far exceeds the marginal
benefits. You will only be able to catch the most stupid of the people trying
to bypass the protections you have implemented. And in most cases you would
not have needed the UBID to catch them anyway.
Don't get me wrong. I spent the last year successfully researching a new
biometric method. I think there are legitimate applications for it and nearly
all biometrics. But a UBID, as near as I can tell is, at best a waste of time,
most likely an invitation to abuse, and in the worst case a necessary tool to
implement genocide against some racial/religious/political/sexual-orientation
group. Spend your (our) money on things that work rather than things that
cannot succeed and are an invitation to severe abuse.
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Thursday, January 08, 2004 3:57 PM
Subject: Re: An Outline of UBID
Joe,
The problems and my inadequacies are both sufficiently large without
overstating either of them.
(A) The only time one needs to present a UBID is under those circumstances
that identification is presently required. The only area in which I would
expand present identification requirements is in the purchase of explosives,
firearms and ammunition.
As to the single point failure issue - that would not be the case. Comparison
of the individual is to the card. The cards validity (but not the biometric)
are then confirmed to a central database. More bandwidth is used on the
internet in the United States in one minute than would be required for the
central data base confirmatiory processes in 24 hours. If the central data
base and its backups or regional mirrors should all fail, there is at least
the local verification to the card. It is difficult to believe that some bad
guy or group is going to falsify a card and then present it with the hope that
all central verification will fail. Of course, when there is a system failure,
it will be a local judgment call as to whether to risk honoring cards
presented by strangers.
(B) The fence analogy is not helpful. [Although it may cast doubt upon the
claim that guns are good protection.:- :-) ]
(C) Lest we get off on a sidetrack, keep in mind that backtracking to
explosives was only an option mentioned and is not an integral part of the the
UBID concept. You are right. taggants are microscopic color coded or otherwise
marked particles that are so mixed into another substance that they permit one
batch to be distinguished from other batches, while at the same time not
impairing the use of the substance they are tagging. A quick look at the
internet sites makes clear that the gun lobby does not like taggants and the
opposition appears to be at least, in part, ideological. Compare your
references to:
1. "Tagging Explosives" by Karl S. Kruszelnicki (2003) http://www.abc.net.au/science/k2/moments/s42124.htm
and
2. Science and Technology for Army Homeland Security: Report 1 (2003) (Board
on Army Science and Technology) ( http://www.nap.edu/openbook/0309087015/html/136-142.htm
(D) You have said you do not understand my point that identification of
persons is the central point of reference for most security situations and
that a universal ID system would cost a lot more than it is worth.
I bet you have a wallet full of ID cards, some others that you leave home in
the rare situations that you may need them, and one you wear on your person.
We live in an ID card world and almost all of our ID cards are insecure.. A
UBID would simplify the ID environment, while enhancing ID security. There is
not much more I can say on the subject.
---------
On a somewhat related subject, how would you feel about a requirement that an
RFID must be permanently imbedded in all firearms so that when a firearm is in
the area it gives off a distinctive signal that can be detected by an
appropriate receiver and would also convey the weapon's make, model and serial
number?
Best wishes,
Henry
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Ian Williams
Sent: Thursday, January 08, 2004 5:11 PM
Subject: Re: An Outline of UBID
Henry,
If a UBID were truly feasible, why complicate the process with an ID card. If
the UBID system operated on such a reliable comm infrastructure and were
accurate & capable enough to measure the uniqueness of 1:300+M; and report an
accurate response immediately, then it doesn't need a card for identification.
It should be able to tell you who you are, not validate who you claim?
If you state to allow verification to the card should the central database be
unavailable then I have to agree that there will remain the potential for
exploitation, not even accounting for the issue of establishing the
"Foundation Identity".
Ian S. Williams
Principal
Identity Systems Group Inc.
Phone: 416.702.3015
Fax: 416.352.5741
www.idsysgroup.com
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Christopher
Effgen
Sent: Thursday, January 08, 2004 5:46 PM
Subject: Re: An Outline of UBID
HB: (A) The only time one needs to present a UBID is under those circumstances
that identification is presently required. The only area in which I would
expand present identification requirements is in the purchase of explosives,
firearms and ammunition.
CE:I would be interested in a list of those present circumstances so that we
may begin a discussion wherein we can set out the scope of those circumstances
in which the card would be used.
For example for employment?
To apply for employment would we have to produce our identity card?
When we clock in or out would be by means of the card?
Would our employer be able to require us to use the card to enter certain
parts of the building?
What about law enforcement?
Would we have to produce the card when we were stopped or questioned by the
police?
Would the police be able to associate investigative reports with the numerical
identifier used with the card?
Would traffic or other minor citations of the law be associated with the card?
Would arrests or convictions be associated with the card?
What about our school records?
Would a child or his or her parents need to produce a card in order for the
child to attend public school?
Would a parent or child need to produce a card in order to partake in a
subsidized school lunch program?
Would a person need to produce a card in order to graduate from an educational
institution?
Would the institution be require to associate the individual with the card in
order for the person to qualify for a grant or loan of any type?
What about commerce?
Would one be able to apply for credit without a card?
Would the production of a card be required to join as member in "COSTCO" or a
similar company organized for commercial purposes?
For security purposes could a group require the card to be produced in order
to attend a concert, view a film, travel on a commercial vehicle?
What other information would be able to be associated with the card?
Or put it another way what restrictions will stop the misuse of the card?
What will happen when the government misuses card related information? Will it
come forward and take responsibility of its wrongdoing?
On a somewhat related subject, how would you feel about a requirement that an
RFID must be permanently imbedded in all firearms so that when a firearm is in
the area it gives off a distinctive signal that can be detected by an
appropriate receiver and would also convey the weapon's make, model and serial
number?
The first thing a criminal and many citizens would do is destroy the RFID. I
can see a thief selecting what house to rob based on the location of the RFID.
I also see the police justifying the use of force in entry as a result of a
similar process. The thief might or might not rob you. He may rob you for your
gun, but the police will break down your door.
Christopher
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Thursday, January 08, 2004 7:41 PM
Subject: Re: An Outline of UBID
Ian,
1. The card does not complicate the process. It simplifies the process, makes
it more securely under the control of the user, avoids total reliance upon a
network connection, provides a physical layer of security that includes a
photo, and provides a repository for non-ID information that the user may wish
to have with him - such as optional medical info or keys to such info, persons
to notify, electronic receipts captured in credit transactions, etc. The
primary purpose of the network connection is to verify that that is a card
that was actually issued and not a fabrication. Except under narrow
circumstances, the network is not used to verify a biometric.
2. If for any reason the network connection goes down, the verification to
card is still performed locally. The integrity of the card cannot be verified
over the network, but the local checkpoint has the option of omitting that
step.
3. Take each of the situations just described and compare the security they
offer to the security presently available - i.e., no biometric ID.
If there are weaknesses in all of this, they are not going to be exposed by
conclusory assertions. If person to card verification presents a material
vulnerability, please describe what it is and whether there are any credible
studies that establish that vulnerability. The same applies to network
verification of card integrity ( A process very similar to the check that is
made when you present your credit card locally and the network verifies it as
a presently valid card with available credit, but with a somewhat more robust
interaction between card and the central database.).
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Thursday, January 08, 2004 7:52 PM
Subject: Re: An Outline of UBID
Christopher,
My responses are interlineated Most of your questions are really not UBID
questions. Existing, and often long standing policies and practices involve
the use of ID cards and ID procedures and accumulation of information relating
to individuals. By and large, as will be illustrated by my responses, basic
policy will be the same with a UBID as it otherwise would have been, unless
governmental or private entities change their policies. The fact that it is a
single card and system, will actually reduce cost, provide relatively uniform
standards and avoid repeated unnecessary background checks.
Christopher Effgen wrote:
HB: (A) The only time one needs to present a UBID is under those circumstances
that identification is presently required. The only area in which I would
expand present identification requirements is in the purchase of explosives,
firearms and ammunition.
CE:I would be interested in a list of those present circumstances so that we
may begin a discussion wherein we can set out the scope of those circumstances
in which the card would be used.
For example for employment?
To apply for employment would we have to produce our identity card?
When we clock in or out would be by means of the card?
Would our employer be able to require us to use the card to enter certain
parts of the building?
HJB: In situations, such, as employment, where an employer currently has the
right to issue an ID card, time clock, access pass, the card could and
probably will be used for that purpose. In those situations, the card employer
could - simply rely upon the card or require measurement against the biometric
at each checkpoint, or also require reconfirmation of card integrity by the
network.
What about law enforcement?
Would we have to produce the card when we were stopped or questioned by the
police?
Would the police be able to associate investigative reports with the numerical
identifier used with the card?
Would traffic or other minor citations of the law be associated with the card?
Would arrests or convictions be associated with the card?
HJB: Contrary to some impressions, police do not have a right to simply stop
anyone and ask for identification. We do not and hopefully will never live in
a police state. However, in those circumstances where the police have a right
to ask you to identify yourself (which certainly would include when you are
arrested), he would have a right to ask you to produce your UBID card. There
is no obligation to carry a UBID card, but not having it with you will result
in a more cumbersome ID process of the type presently experienced by arrested
persons.
HJB: At present, when a person is arrested and fingerprinted, a rap sheet is
initiated if he does not already have a criminal record. If the person is
convicted once, then all subsequent arrests and dispositions become part of
that rap sheet. If he is never convicted of any crime, then the arrest and
charge history is (or should be) expunged. When a person with an existing rap
sheet is arrested, that rap sheet becomes available to the arresting officers,
the prosecutors and the court, so that they can use what it shows to make
various discretionary decisions, such as whether to press the current charges,
whether to offer a plea and what bail conditions to set.
HJB: I would anticipate that the situation would be the same when a UBID is
initiated. The rap sheet would reference the persons name AND his UBID number.
If the records are expunged then there ceases to be an connection to the UBID.
HJB: Those on the list who are familiar with the criminal justice process are
aware that when a person is arrested, one of his biggest problems is waiting
for his identity to be established. It has not been unknown for the process to
be intentionally prolonged as a pressure tactic. The UBID will eliminate that
wait. People who now sometimes languish in very difficult or horrid
circumstances, sometimes for several days, will be able to be more
expeditiously processed and brought before a magistrate.
HJB: Under present circumstances, governmental and private employers and
others do background checks have a right to know if a person is a convicted
felon. That fact is a matter of public record.
HJB: As noted in the UBID outline, there will be circumstances under which
persons entitled to know such information will be advised that the presenting
individual is a convicted felon. (My own inclination is that procedures for
the sealing of such records ought be available after a certain period of good
conduct. My inclination also is that disclosure of felony convictions via UBID
should only be available to limited categories of inquirers. However, the
present trend is toward greater harshness. )
HJB: You ask about whether certain things will be "associated with the card".
Actually, nothing is associated with the card. In present circumstances just
about everything you do with other people or entities is associated with your
name and some other narrowing facts, such as date of birth, address, etc. In
effect, they are the only way we have thus far been able to . . . well... .
identify you. That is your identity. The card simply makes certain that you
are who you say you are. The number on the card is the equivalent of the
previously used identity factors, without automatically revealing as much
information about you as those identity factors would reveal.
HJB: With the exception of felony convictions, fugitive warrants and high
level watch lists and missing persons reports, nothing is carried by the
central system about you. The system merely verifies your identity. Separate
paths of information presently maintained by the criminal, traffic, school,
employer, and other databases would continue to be maintained by them.
HJB: When you are charged with a minor offense, such as a speeding ticket, in
most jurisdictions such a charge does not become part of a criminal rap sheet,
but is likely part of a motor vehicle rap sheet. All such charges are
presently keyed to your drivers license. In the future, your drivers license
number and your public UBID number would likely be the same.
What about our school records?
Would a child or his or her parents need to produce a card in order for the
child to attend public school?
Would a parent or child need to produce a card in order to partake in a
subsidized school lunch program?
Would a person need to produce a card in order to graduate from an educational
institution?
Would the institution be require to associate the individual with the card in
order for the person to qualify for a grant or loan of any type?
HJB: If you have to prove who you are to be part of the foregoing programs
then you have to produce your UBID for that purpose. It is the way you
establish your identity. It does, in a more reliable way, what birth
certificates, baptismal certificates, drivers licenses and school id's
presently do.
What about commerce?
Would one be able to apply for credit without a card?
Would the production of a card be required to join as member in "COSTCO" or a
similar company organized for commercial purposes?
For security purposes could a group require the card to be produced in order
to attend a concert, view a film, travel on a commercial vehicle?
HJB: A private entity, such as a bank or credit card company or buying club or
video rental club presently has the right to ask you to identify yourself as a
condition of their dealing with you. At present you do so with whatever they
require - most often a drivers license and one or more additional proofs.
Whether or not they will switch to a UBID will be up to them. They can accept
identity on your say so or ask for ten identity references. My guess is that
they will go for the UBID. On the other hand, whenever anyone asks for your
identity, you will have a right to proffer your UBID and demand that it be
accepted as proof of your identity and that you not be required to disclose a
lot of personal information and wait a month before your are accepted as being
who you claim to be. An enormous amount of harassment and bureaucratic
nonsense will be eliminated from the lives of a large portion of the
population.
HJB: The last of the foregoing questions is not really a UBID question, but a
social environment question. You ask: "For security purposes could a group
require the card to be produced in order to attend a concert, view a film,
travel on a commercial vehicle? " To a large extent, right now, when you enter
upon private property, you may be asked to provide identification, even though
you tender cash for entry or already have a ticket. 20 years ago, who would
have imaged that there would come a time that we have to be searched to enter
a public building or airport or to go to a political speech. We should want to
see all that reduced rather than increased. There is nothing about the UBID
plan that contemplates it being used to gain entry to places in which ID is
not presently required.
HJB: Having just said that, this is an appropriate point to mention a concept
not yet included in the UBID outline. In some entry situations, the issue is
not whether you are who you say you are, but whether you fit into a certain
class. Are you a man or a woman (entry to rest rooms)? Are you over 13 or over
17 or over 21 (entry to theaters and some other places in which age is a valid
category)? Are you a member? In short your entry is not recordable to your
identity, but is conditioned by your status. I call this verification of
status rather than verification of identity. The detail of how that would work
can be discussed at another time.
What other information would be able to be associated with the card?
HJB: I am not sure I understand the question. The UBID system collects nothing
except felony convictions, fugitive warrants, missing person warrants and high
level watch lists. It reveals only that you are or are not who you say you are
and, under narrowly defined circumstances, one or more of the foregoing items
(convictions, etc.)
Or put it another way what restrictions will stop the misuse of the card
What will happen when the government misuses card related information? Will it
come forward and take responsibility of its wrongdoing?
HJB: The UBID outline makes clear that the penalties for misuse of the card by
either the public or private sector would result in serious penalties. There
is nothing about the UBID plan that would relax existing rules against
personal data abuse, discrimination, etc. The entire field of personal data
collection, and the exchange and sale of same has almost been totally
unregulated. One of the obstacles to regulation are real and fictitious claims
concerning the need to identify people. The order placed on things by a UBID
system should make it easier for the federal and state governments to regulate
personal data abuse. I personally believe there should be substantial
protective regulation, but the UBID plan is neutral on what regulation there
should be other than with regard to the integrity of the UBID system, itself.
On a somewhat related subject, how would you feel about a requirement that an
RFID must be permanently imbedded in all firearms so that when a firearm is in
the area it gives off a distinctive signal that can be detected by an
appropriate receiver and would also convey the weapon's make, model and serial
number?
The first thing a criminal and many citizens would do is destroy the RFID. I
can see a thief selecting what house to rob based on the location of the RFID.
I also see the police justifying the use of force in entry as a result of a
similar process. The thief might or might not rob you. He may rob you for your
gun, but the police will break down your door.
HJB: You have taken my question to Joe Huffman slightly out of context. In any
event, I was positing an RFID that is imbedded in a way that would require
destruction of the firearm in order to remove it. I do not understand the rest
of your comment on this point.
Henry
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Juddk712
Sent: Friday, January 09, 2004 6:03 AM
Subject: Re: An Outline of UBID
Central national database-regional database-state database-county
database-city/town database.
Communications-land lines, cellphone back up, RF back up, SAT back up.
Power-Generator back up, UPS back up
NASA mentality-redundancy
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph
K
Sent: Friday, January 09, 2004 11:58 AM
Subject: Re: An Outline of UBID
You are restricting your thinking to physical security and not including the
entire system to include software security. And NASA's primary adversary is
"mother nature", not an intelligent and perhaps well financed attacker. Single
point failure systems where the consequences are the shutdown of the entire
country should be dismissed out of hand with only a few seconds worth of
thought.
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: Huffman, Joseph K
Sent: Friday, January 09, 2004 11:49 AM
To: The Biometric Consortium's Discussion List
Subject: RE: An Outline of UBID
(A) Henry, earlier you stated:
...it will be almost impossible for you to function without encountering a
situation that requires presentation of your biometrics.
Now you are saying the only time a UBID need be presented are the current
situations where an ID are presented. Currently one can get alone just fine
without having an ID card. One can obtain housing, food, use public
transportation, and with a little bit of resourcefulness low paying work. I do
not see the UBID hindering a determined adversary. To the extent you increase
the dependence on a UBID for functioning in our society you increase our
vulnerability to an attack on the system. To the extent you decrease our
dependence on a UBID you decrease it's usefulness as a deterrent to hostile
adversaries. We lose both ways. To the extent you make the UBID less dependent
on the central database (the single point failure) the more vulnerable you are
to a single issuer of the card being bribed or otherwise corrupted. To the
extent you make the UBID more dependent on the central database the more
vulnerable you are to the single point failure. Spend the money and effort on
something else not guaranteed to fail.
Can you explain the advantage of expanding present identification requirements
for explosives, firearms, and ammunition? Do you even know what the current
requirements are? And just because you have raised the requirements at one
spot (the gate) how does that improve the problem of losing track of them once
they are purchased (the low fence)?
The bandwidth used by the entire internet is irrelevant -- the bandwidth to
the central (or distributed) database IS relevant. That data has to go through
a single (or few) "pipes", not distributed over millions of "pipes". When you
do your calculations be sure to add in the updates to the database (people
moving, dying, born, arrested, etc.) as well as the multiple queries for each
person each day as they go about their lives.
The update situation brings up the issue of data integrity. A central database
of this scale will require thousands of people to have access to modify the
data. It will only take one bribe, extortion, whatever to corrupt the system.
(B) I realized I didn't explain the fence analogy as well as I should have. We
(computer security people) put up gates (cryptography) and worry about how
tall they are (the number of bits in the key or insisting on difficult to
guess passwords for example) but ignore the much weaker points in the system
(such as people putting their passwords on sticky pads on their computer
monitors). Another analogy is "an iron door on a grass hut". And so it is with
a UBID, we already have a form of ID that represents a gate many feet tall but
the fence on either side of that gate is easy to step over.
You have completely lost me on your claim to doubt that guns are good
protection. If you believe that is true I suggest you tell your local police
that and request they stop carrying theirs.
(C) Reference 1. is a news article that is rather short on verifiable fact and
appears to be an opinion piece as much as anything. The second reference you
suggest is essentially nothing more than wishful thinking. I suggest you read
following -- the ATF has no ideological alignment with "the gun lobby":
http://www.atf.gov/pub/treas_pub/taggant/98/main_report.htm
The statistics in Table S.1 and Figure S.1 show that careful consideration
must be given to mandating the use of identification taggants in commercial
high explosives and blasting agents in the U.S., since the great majority of
criminal bombings are committed with other materials and in improvised
devices. While the use of existing identification taggant technologies may be
a factor in future strategies
.
.
.
[Discussing the situation in Switzerland] SRS officials stated that
taggants play a role in building evidence, but never directly identify the
perpetrator of a criminal act involving explosives.
.
.
.
The Swiss can always trace tagged explosives back to the manufacturer, but
it is difficult to trace explosives to the last legal purchaser(s).
These last lines should get us out of the realm of a UBID. Until the
taggant in the explosive is tied to a single (or a relatively few) individuals
the benefit of a UBID is minimal at best. Continuing in the same ATF report:
Based on the information developed concerning the Swiss identification
tagging program, the ESG believes that, while the program is reasonably
effective in Switzerland, as it now exists, it could not be readily
implemented in the U.S.
http://www.atf.gov/pub/treas_pub/taggant/98/exe_summ.htm
Homemade explosives can be manufactured from chemicals found in a wide
range of products that are used everyday in the U.S. The easy availability of
these potentially explosive chemicals is compounded by the fact that
information on making bombs is readily available from a variety of sources,
including thousands of sites on the Internet. Based on currently available
information, rendering common chemicals inert would impact negatively on their
legitimate uses, as is the case with AN fertilizer. Further, at this time,
establishing regulations for the purchase of small quantities of precursor
chemicals appears to be impractical, given their prevalence in the American
home. The ESG believes that industry-based voluntary control and public
awareness programs are the most reasonable, immediate means of addressing this
problem.
(D) You are correct that I have a wallet full of cards that with a little
stretch of the imagination can be called ID cards. But it's the fence and gate
analogy again. The UBID only raises the gate while the fence(s) remain low.
And finally you ask:
On a somewhat related subject, how would you feel about a requirement that
an RFID must be permanently imbedded in all firearms so that when a firearm is
in the area it gives off a distinctive signal that can be detected by an
appropriate receiver and would also convey the weapon's make, model and serial
number?
How I feel in regards to this proposal is irrelevant. My feelings are for
recreational use. But perhaps your wording is a clue to explain your
fascination with a UBID -- more on that later. Having a RFID permanently
embedded in a firearm is not technically possible. In order for the RFID to
function it must not be encased in metal -- a Faraday shield which does not
allow electromagnetic radiation to pass through it. The RFID would have to be
either on the surface of a metal part or embedded in some electrical
non-conductor. The plastic or wood grips come to mind or the polymer frame of
many modern handguns. In which case it is easily removed with a Dremel tool
without destroying the gun. Regardless, the RFID can be defeated by wrapping
the entire firearm in aluminum foil -- a Faraday shield. Beyond that the
scanners would be quite useful for not only legal uses (by the police and
security guards) but for illegal purposes (detecting undercover police
officers or selecting unarmed private citizens as victims). As it is a mugger
runs the chance his victim selection process (except in political
jurisdictions that have an active victim disarmament program, such as NYC and
all of MA) will suffer a catastrophic failure resulting in his permanent
injury or death if he cannot determine apriori the absence of a firearm on his
victims. Giving them a tool to improve their victim selection process would be
unwise.
I'm beginning to wonder about you Henry. Feeling is irrelevant to the truth
and rational decision making. It turns out that about half of the population
base their decisions on rational thought and about half base them on emotions.
No, it's not all the women are emotional based and all the men are rational.
Its about 60/40 men and 40/60 women that are rational/emotional. One of the
responses to stress and feeling out of control of a situation is to control
SOMETHING -- even if it is useless or even counter productive to the current
situation. Our response to airplane security is one of those cases. All the
audits and tests (some of them illegal) of airport security that I am aware of
show that it is still trivial to get knives and forbidden objects (including
loaded firearms) onboard airplanes. And this is without any special
technological assistance (upon request by a government agency I recently wrote
a proposal for a method to make it nearly certain to take any reasonably sized
object onboard an airplane without detection -- with the cooperation of
someone who has access to an x-ray machine for testing I believe I could
perfect such a method in my garage in a few weeks with a few hundred dollars
worth of materials and tools). Our investment in millions and millions of
dollars in trying to prevent such items getting on the plane was almost
totally worthless. That money would have been much better spent training and
putting armed marshals on board some significant portion of the planes
(putting explosive sniffers at the gates is probably a good idea, but
explosives detection needs a lot more work before it is fool-proof, have I
told you about my personal tests of explosives detectors at airports? 100%
failure on their part to detect my deliberate contamination of my brief case
with explosive components -- even when I gave them small objects to test that
had been "salted"). But it made people feel better to make the security guards
federal employees. In that sense, making people feel better, it was a success.
And so it is with a UBID, as near as I can tell it would make people feel
better but accomplish nothing useful.
Another issue that is perhaps more closely related that might appear at first
glance is that many people "want to believe" and they evaluate something on
the best possible outcome. What also needs to be done is to evaluate something
on what the worst possible outcome is and can we accept that mode of failure?
I do this rather instinctively and dismiss many lines of thought very early
on. And so it is with UBID, which I suspect has earned me a reputation as a
nut/extremist/whatever. I completely and totally dismiss the UBID and present
as proof it's potential for abuse -- as in a tool for genocide. End of story,
no more discussion needed. In this posting and the ones to follow I will
endeavor to demonstrate in all the detail necessary that this system cannot
provide the benefits people wish it to deliver -- no matter how much you "want
to believe". Other security experts, such as Bruce Schneier who I quoted a few
days ago and whose expertise you dismissed, do similar things. They explore
one or two paths, discover it leads to an unsolvable fatal flaw and dismiss
the entire idea. People that "want to believe" dwell on the benefits and
dismiss the fatal flaws. When I used to work at Microsoft we would describe
that type of thinking as "then angels flew of his ass and made everything
work". You have to believe in magic, magic that has never before been
demonstrated to work and has repeatedly been demonstrated to fail, to believe
that a central database of this size can be made to work as securely and
reliably as you "want to believe" it to work when faced with determined and
perhaps well financed adversaries.
Your "wanting to believe" shows up again in your proposal of the RFID in all
firearms. You appear to think only of the benefits and not the fatal flaws
that can be exploited.
From a different email you sent:
HJB: Contrary to some impressions, police do not have a right to simply
stop anyone and ask for identification. We do not and hopefully will never
live in a police state. However, in those circumstances where the police have
a right to ask you to identify yourself (which certainly would include when
you are arrested), he would have a right to ask you to produce your UBID card.
There is no obligation to carry a UBID card, but not having it with you will
result in a more cumbersome ID process of the type presently experienced by
arrested persons.
I presume you refer to police power and authority, not rights. Police to
the best of my knowledge do have any rights above and beyond the average
private citizen. But beyond that -- are you saying that if you don't have your
UBID your fingerprints will be forcibly taken? And until the check on your
fingerprints comes up "clean" you will remain in custody? An what if you don't
have fingerprints? I have a friend with psoriasis on his fingers -- no
fingerprints. Or what if they soaked their fingers in bleach the night before?
Do they have to remain in custody until their fingerprints grow back? Please
explain how this works and you still claim having a UBID is "voluntary".
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Daniel E Munyan
Sent: Friday, January 09, 2004 12:23 PM
Subject: Re: An Outline of UBID
Colleagues;
I believe that what Henry is proposing with the UBID is not a panacea by any
means. It is rather an initiative that will make it easier for law abiding
citizens to function in an identification and credential laden society with
less of a chance of identity theft or mistaken identity and all of the bad
things that can flow out of it. Integrated multinational schemes of
identification and integration will speed commerce, lower anxiety over the
presence of foreign visitors (them here or us there), and generally allow
human beings to finally become part of the electronic globalization in which
most of their possessions and their "stuff" resides.
Despite protestations to the contrary, Identity smartcards are working to
speed identification versus paper sources, and are being rolled out all over
the world. The Hong Kong Identity card is a very good example. I have seen the
design for their "US Visit" program, and it is quick, efficient, and
respectful of its users. It works well because everyone in HK will already
have a UBID when the immigration control is finished. It remarkably quickens
flow through immigration points in detailed demonstrations. Smartcards have
been in use in different forms for years and though nothing is perfect, they
have worked well to increase security of financial transactions. Biometrically
enabled smartcards are just one more addition to an existing proven
technology.
As Bill from the DOT pointed out, and as NYC proved over a decade, very bad
people don't just break one law, they break many laws. You are more likely to
catch a wanted felon drinking alcohol from an open container in public or
running a stop sign than robbing a bank. The main terrorists wanted in the
9-11 bombings had overstayed their VISA's. They could have easily been stopped
at the airport if coordinated systems were in place to look for them. When Joe
says he can easily thwart security countermeasures, he is saying that from the
standpoint of a law abiding citizen. Because he would never cross that line
(we all hope after seeing the explosion video), we can be relatively sure that
he will do little to attract attention elsewhere that might lead to criminal
or terrorist plans being thwarted by indirect means, as they often are.
Sincerely,
Daniel Munyan, CISSP, CISM/CISA
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Friday, January 09, 2004 1:28 PM
Subject: Re: An Outline of UBID
Joe,
I hope you are not going to send me a bill for diagnosis and therapy :-P
See Dan Munyan's thoughtful comments. He pretty much covers it.
As far as explosives and firearms and tags and RFID are concerned, they are
somewhat off the central point and even further beyond my expertise then most
of the rest of this stuff. Suffice it to say that I have a strong sense from
what I have read, but not recently researched, tagging of explosives and
electronic tagging of firearms is or quickly will be possible. If that is not
so, it is one less thing you will have to worry about, although you may still
need your UBID to acquire same.
In terms of the card vs central database issue, I do not really follow your
argument. However, you might want to take a look at a short article in the
Daily Record (Glasgow) - Jan 9, 2004 - "HOW THE BIOMETRIC CARD WILL WORK"
http://www.dailyrecord.co.uk/news/content_objectid=13797004_method=full_siteid=89488_headline=-HOW-THE-BIOMETRIC-CARD-WILL-WORK-name_page.html
If you can put aside your fundamental disagreement with the concept of the
UBID, is there anything within your cyber-security realm that you feel might
be a worthwhile addition to the UBID concept so as to make it a least a bit
less useless or a bit more secure?
Best wishes,
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph K
Sent: Friday, January 09, 2004 2:08 PM
Subject: Re: An Outline of UBID
-----Original Message-----
From: Daniel E Munyan
Sent: Friday, January 09, 2004 12:23 PM
Subject: Re: An Outline of UBID
[snip]
Despite protestations to the contrary, Identity smartcards are working to
speed identification versus paper sources, and are being rolled out all over
the world. The Hong Kong Identity card is a very good example. I have seen
the design for their "US Visit" program, and it is quick, efficient, and
respectful of its users. It works well because everyone in HK will already
have a UBID when the immigration control is finished. It remarkably quickens
flow through immigration points in detailed demonstrations. Smartcards have
been in use in different forms for years and though nothing is perfect, they
have worked well to increase security of financial transactions.
Biometrically enabled smartcards are just one more addition to an existing
proven technology. [snip]
The main terrorists wanted in the 9-11 bombings had overstayed their VISA's.
They could have easily been stopped at the airport if coordinated systems
were in place to look for them. When Joe says he can easily thwart security
countermeasures, he is saying that from the standpoint of a law abiding
citizen. Because he would never cross that line (we all hope after seeing
the explosion video), we can be relatively sure that he will do little to
attract attention elsewhere that might lead to criminal or terrorist plans
being thwarted by indirect means, as they often are. [snip]
---End Original Message----
I don't have a problem with small scale use of biometrics or ID cards --
particularly when used by private business. Only when they become mandatory
for the general public and/or the (accidental or forced) failure of the system
means disaster for nearly everyone.
The overstayed VISA's were apparently not a point of concern to the 9-11
hijackers because they were not enforced. Had they been enforced they most
likely would have not overstayed them -- a minor inconvenience to them. This
is not to say the VISA's shouldn't be enforced. Just that enforcing them by no
means represents a significant obstacle to the determined adversary. I think
it would be careless to assume the adversaries of our security are lazy,
stupid, or a combination of both such that they were likely to get caught
running a red light or some such minor offense. For the everyday, garden
variety, low I.Q. criminal, sure, you will catch a lot of those -- but at what
cost in the worst case?
How many of you have viewed some of the training tapes we captured in the
Afghan caves? I have. The techniques taught are not "state of the art",
but they aren't anything to sneeze at either. Our criminals in prison also go
through training in being criminals (I have also seen clandestine videos of
some of their practice sessions). Our overseas adversaries are far more
sophisticated, train in well coordinated teams, do extensive preliminary
ground work and planning, make long term plans and operations, and have
motives and drives different and far stronger than our everyday criminals. The
methods we use to success against our criminals cannot be counted on to defeat
those who regard our entire culture as evil and something to be destroyed even
if it means their individual death.
As for ME "crossing the line" with my hobbies of firearms and explosives you
should be fairly comfortable that I won't do something immoral and/or illegal.
The Federal Government has seen fit to not only issue me a license to
manufacture explosives (which I didn't really need to acquire for the things I
wanted to do) but to grant me a security clearance with access (on a need to
know basis) of this country's national security secrets. It is my job to find
(and sometimes, if possible, to fix) holes in security systems. The exercising
of my skills to criticize the UBID proposal should not be interpreted (as you
correctly inferred) that I would actually exploit any weaknesses exposed in
such a system to the detriment of our national security or personal gain. My
motivation for this criticism is because I believe any resources spent in the
direction of a UBID are much better spent in other areas -- the details of
those other areas are not really appropriate topics for this forum.
And, I probably should add, all the opinions expressed in this forum are mine
and do not necessarily reflect the policies or opinions of PNNL or PNNL
management.
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph
K
Sent: Friday, January 09, 2004 3:02 PM
Subject: Re: An Outline of UBID
No charge Henry. Although my pysch 101 professor thought I should pursue the
subject my degrees are in electrical engineering. It would be inappropriate to
charge for professional services in an area in which I am not a professional.
:-)
I will read the reference you supplied and get back to you with my comments,
if any. Thank you.
Their are two fundamental problem with tagging explosives:
Explosives are easy to make from common everyday materials -- I believe, but
haven't tested this, that I could walk into your office completely naked with
my hands empty, walk out an hour later, and have the office blow up a few
seconds after I closed the door behind me as I was leaving using only
materials and tools I found in your office. Fully clothed and with relatively
small amounts of money and time one can bring down a Federal Building from the
exterior using improvised explosives.
The taggant materials added to commercial explosives "point" to the
manufacture not the purchaser or whoever he distributes them to. The tags need
to be added at the last possible link in the security chain to "point" to the
end user. This leaves the entire supply chain vulnerable to diversion of
untagged material. Adding additional tags at each step (or even at the end
point) in the supply chain is impractical to the best of my knowledge. If
there exists a way to add them at each point along the distribution path I may
be persuaded this is a worthwhile endeavor.
In regards to the security of a UBID: As I understand it, it is already an
iron door on a grass hut. Making the door two inches thick instead of one inch
thick is pointless. That is, the effort to improve it's security and
usefulness must reside outside the UBID itself, the total system needs to be
changed to make a material difference. To the best of my knowledge, short of
something rather revolutionary, I believe this means another step or two
closer to a police state. As much as people want to believe there exists some
magic to make them safe the reality may be that freedom isn't free and
complete or even good security cannot be obtained. It may be that if we trade
some of our freedom for temporary security we will end up with neither
(apologies to Ben Franklin for mangling his quote). If that is the case then
the correct solution involves minimizing the damage done by those who plot to
harm us, good intelligence to discover their plans before they strike, and the
cultivation of the skills and tools necessary to act on that intelligence in a
productive manner. But probably the most difficult job will be educating the
public that although the occasional losses we suffer in a state of freedom may
be dreadful, the magnitude of our loss of freedom in a futile attempt to
obtain security would be even greater and buy us little.
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Friday, January 09, 2004 4:14 PM
Subject: Re: An Outline of UBID
Joe,
While I disagree with you on the utility and ramifications of a UBID, I fully
agree with your last sentence: " But probably the most difficult job will be
educating the public that although the occasional losses we suffer in a state
of freedom may be dreadful, the magnitude of our loss of freedom in a futile
attempt to obtain security would be even greater and buy us little.".
I propose a UBID in good part because it substantially narrows identity issues
that are presently the predicate for treating everyone like a suspect and that
have rapidly constricted the environment of freedom under which many of us
were privileged to have lived. We are in vital need of a path back to what
used to be normalcy.
As far apart as we may be on some perceptions, it is good to know that our
ultimate objective is pretty much the same.
Have a good weekend and keep your powder dry,
Best wishes,
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph K
Sent: Sunday, January 11, 2004 11:28 PM
Subject: Re: An Outline of UBID
I've been an activist for civil rights for many years and I learned a long
time ago that although it's easy to ascribe evil intent to your adversaries in
most cases that is simply not the case. In most situations that I have been on
opposite sides of a passionate debate with someone we both wanted the same end
goal -- a better life for everyone. The worlds we envisioned that would bring
us to that better life may have been incompatible and irreconcilable but the
knowledge that they did not have evil intent made it possible to debate the
issue in a civil manner. And so it has been with you. I have known for
sometime that although I regarded your ideas as a threat to all of humanity
(only a slight exaggeration) they did not come from an evil heart.
My weekend went well -- time was spent with friends and family. And certainly
my "powder" will be kept dry. Last weekend I finished my new explosives
magazine:
http://www.boomershoot.org/TajMahal/Magazine.htm
The ATFE inspector is to show up sometime in March to okay it and I plan to
have about 2000 pounds of high explosives in it by the first weekend of May.
Come on out and join us for some fun when we detonate it (in increments of 1,
2, and 4 pounds). A hundred or more other people are coming from as far away
as Texas, Arizona, and New Jersey. You would be most welcome to attend as
well. :-)
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of optisec
Sent: Saturday, January 10, 2004 12:06 AM
Subject: Is there life after the UBID
The discussions on whether the UBID will prove to be a fail-safe tool against
terrorism, identity fraud, weapons and explosives falling into the hands of
evil doers, illegal residency, and knowing who everybody is at any time
anywhere, is a misconception of biometrics, the ID card, and reality.
Today, in the US, every person who drives a motor vehicle is required to have
a 'legal' driver's license. Every vehicle on the road is required to be tested
once every year to meet minimum safety standards: good tires, brakes,
suspension, lights, etc. Automobile manufacturers are required to meet minimum
safety standards and tests for proving that they meet such minimum standards.
As a result of all these standards and regulations, have motor vehicle deaths
been reduced to zero? The answer is NO. Would we then prefer to eliminate all
these regulations and allow anyone who wishes to drive on the road in vehicles
with bad brakes, tires, and missing or non-functioning lights, as well as
automobiles without airbags, safety belts, ABS, etc? One would have to be
irrational to say YES, even though all of the above still do not totally
eliminated deaths on the road. What all of the above measures have done, is
reduce the number of injuries and deaths as a result of human and mechanical
failure.
Yes, there are persons driving illegally as well as legally who are causing
traffic accidents and deaths. However, by having the above regulations in
place, we have been able to reduce fatalities and make the average citizen's
life far safer and more secure.
I am not an authority on US Constitutional law, but I image one could argue
that the requirement for one to have a drivers license is an infringement on
his Constitutional rights. One could argue (TIC), that if the founders of the
Constitution wrote that every citizen had the right to bear arms, and these
same founders traveled by horse when carrying such arms or when they traveled
to sign the Constitution, then the government does not have the right to
control who rides on horses or drives vehicles. The law in the West was one
shot 'horse thieves', so why are automobile thieves not being shot today?
Tradition is a fine thing, but times have changed, and the requirements of
modern society are a bit different then when the West was founded and the
Constitution was written.
An ID card or UBID, whatever you wish to call it, will, on the one hand,
infringe on one's right to absolute privacy, and on the other hand, make ones
life far safer and easier. Just as in the case of having to pass a driving
test and meet certain standards in order to obtain a driver's license, so to
there are certain standards that must be met in order to obtain an ID card.
Should an ID card be mandatory? Is the need for obtaining a driver's license a
voluntary choice? If you want to drive on public property, you are required to
own a legal driver's license. The same should hold true with an ID card. If
you wish to remain on your property for the rest of your stay on earth, so be
it. But if you wish to leave your place of birth, conduct transactions with
other members of society, receive government benefits, and travel, then you
should be required to identify yourself.
No one has argued that a driver's license infringes on one's rights. In
obtaining a driver's license one provides proof of identification, residency,
and other relevant information depending on State laws. To my knowledge,
nobody has ever gone to the Supreme Court to argue against a driver's license
being an infringement on one's Constitutional Rights. Has there been any
movement in the US protesting how the information on one's driver's license is
being protected? Has there been a movement to return all the credit cards that
US citizens hold, because the credit card companies, which are providing
financial services that make financial transactions easier and faster, are not
providing 100% protection against fraud nor proven that all the information is
totally secure? Credit card carriers know that the system has some failures
and dangers involved, but the benefits far outweigh the disadvantages: ROI.
Credit card holders, while owning and using their credit cards every day, are
putting pressure on the credit card industry to improve security standards to
protect against identity fraud. The credit card industry itself is now in the
process of introducing new technology to protect against fraud and better
secure the information it holds. However, without first having introduced the
credit card with then know security measures, we would be facing long lines in
banks to withdraw cash, traveling with travelers checks, and filling our
pockets with loose change.
People are afraid of change. This was true when the automobile began replacing
horses, when automation replaced the assembly line, and when plastic replaced
checks and cash.
An ID card or UBID will not be perfect. In the beginning it will be faced with
what may appear to be endless problems, but you need to begin somewhere. The
present state of identity fraud has reached a level that requires logical
solution and sound thinking.
If the United States where to look at how other democratic and free societies
are introducing and using ID cards every day by its citizens for hundreds of
millions of safe transactions, it would become apparent that Big Brother is
not their to spy on you, but rather to protect you against the evils and "Bad
Guys" that did not exist when the US Constitution was written.
Yona Flink
OptiSec Ltd. Israel
Mobile: +972 5 430 8727
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of James Childers
Sent: Saturday, January 10, 2004 9:43 AM
Subject: Re: Is there life after the UBID
Yona,
Your comments are well thought out however they are based upon a principle
misconception about the United States constitution and law.
First - the United States is not a "Democracy" in the truest sense of the
word. We are a Democratic Representative Constitutional Republic. Individuals
within the States elect their representatives to govern them at the local and
state level. Each state within this republic has representation in our
national assembly - both in the upper house (Senate) and lower house (House of
Representatives). Up until the XVII Amendment to the constitution in 1912
Senators were appointed by the states to their seats. The XVII Amendment
allows for state-wide election of senators.
The United States is a tight confederation of independent "states"...Thus the
"United" States. One is not a resident of "The United States", but a resident
in which state they reside and since the states are unified under a common
national constitution, thus a resident or citizen of the "United" States.
Second -The central authority of the national constitution was purposefully
limited to few centralized powers in the Federal Government with all other
powers being relegated to "the states and the people respectively" (X
Amendment). Even the power of the FEDERAL GOVERNMENT is split into three
distinctive and separate entities - The Legislative Branch (Congress) - The
Executive Branch (The Presidency and day-to-day working branch of the
government) and the oversight of the Judicial Branch (Courts). Congress makes
the laws - The Executive Branch enforces these laws and the Judicial branch
determines if these laws are just and in line with the original intent of the
founding principles of the constitution.
These centralized powers are designed to be limited to guaranteeing ALL
citizens of the several states certain rights, freedoms and responsibilities
and to have a central federal government oversee the interaction of the states
particularly in regard to "interstate commerce", national defense and
international treaties that would be binding upon the several states. Each of
the laws passed by our national assembly(ies) both state and federal must pass
these constitutional tests. I personally believe that the Patriot Act will not
pass constitutional muster and thus will be invalidated eventually by the
Supreme Court.
Thus the power of the local governments to regulate the use of a motor vehicle
and to issue Drivers Licenses is not a power that was prohibited under the
national constitution nor was driving a motor vehicle a right enumerated in
the Constitution. Freedom of movement and travel is guaranteed by the US
Constitution although driving is not an enumerated right and thus can be
considered a privilege and thus subject to licensing and other restrictions by
the local state authorities.
Since the operation of a motor vehicle involves skill, training and a working
knowledge of the rules of the road, local states began "licensing" individuals
the right to operate a motor vehicle during the early part of the last
century. Eventually they added a photograph and personal information to better
identify "authorized" individuals. Since then the "license" or identification
has been used for many additional programs not originally intended.
Third - The Drivers License has become our de facto national standard ID
because it is a common standard among the states (i.e. something that every
state issues). We could have used hunting or fishing licenses or any other
form of statement of individual identity. The Drivers License just happened to
be convenient and something that most people possess. There are many people in
the US that do not have a drivers license or a local government ID card.
Additionally it must be noted that you are NOT REQUIRED to produce
identification or a license if an officer stops you on the street UNLESS you
are operating a motor vehicle. The right to "privacy" is not specifically
mentioned in the constitution although it is inferred by the IV, V and IX
Amendments - The enumeration in the Constitution, of certain rights, shall not
be construed to deny or disparage others retained by the people.
The crux of the argument involving airline passenger identification in the US
is the question of the guaranteed right to freedom of movement and travel vs.
the "privilege" of traveling on a private aircraft and the ability of the
airline to grant or deny this privilege based upon a verifiable statement of
identity against a known list of "denied persons". There is no requirement for
ID for traveling on a Bus or Train. So why an airplane ( I ask this
rhetorically of course )?
We in the US are coming to grips with some very tough issues. Nationally there
is a consensus that we need a single form of verifiable ID. The real question
is how will our government(s) both local and national use this information and
how will it infringe upon our rights and freedoms guaranteed through the
bloodshed of our forefathers and enumerated in our national constitution?
We KNOW that we need to positively identify threats to our republic, but how
do we do this within the framework of our existing constitutional limitations?
Maybe (and I say this with great trepidation) it will involve another
constitutional convention. These laws, limitations, rights, freedoms and
responsibilities have kept our republic strong throughout the last 200+ years
and they are not lightly discarded nor trampled upon.
Sorry for the civics lesson, but I hope this helps.
James Childers
CEO
Artemis Solutions Group LLC
Biometrics Direct TM
Secure Biometric Authentication for Home and Office TM
Smart Card Supply -
PVC, Smart Cards, Printers and Accessories