After spending many hours coming up with reasons why the proposed UBID could
not be accepted into our society I realized there was another way. This is
my concession to that on the discussion list and the resultant debate. A
few posts have been omitted that were essentially irrelevant.
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph
K
Sent: Monday, January 12, 2004 5:02 PM
Subject: An outline of UBID that might work.
Over the weekend I was writing up all the deficiencies in a UBID in an effort
to prove the concept could not succeed. It had slipped my mind that this is
one of my favorite techniques to find a solution to a difficult problem. Turn
the issue around and prove it can't be done rather than directly finding a
method by which it can accomplished. Frequently the frame of reference shift
will give new insights into the problem and a solution appears. And so it was
with the UBID. There still are obstacles that may be insurmountable, but
nearly all of my previous objections are overcome.
The two largest objections I had to the proposed UBID were that it made
tracking of individuals by "Big Brother" possible and that attack of the
central (or even somewhat distributed) database could result in catastrophic
results for a society dependent on the functioning of that database for
"clearance" in their day-to-day life activities. Both of these problem could
be made to disappear by reversing the direction of the flow of information.
Rather than the UBID holder, in essence, requesting permission on a
transaction by transaction basis the UBID device holds the restrictions for
that individual. Felony conviction on record? The UBID holder is no longer
allowed to purchase firearms and explosives (as is in accordance with current
law). Whenever a transaction occurs that must be logged (as in the case with
firearms and explosives) the transaction is only logged at the transaction
site -- it does not go back to the central database. This is similar to the
compromise reached on firearms registration in the (U.S.) gun control act of
1968. Licensed sellers of firearms are required to keep records of their
firearms sales (Federal Form 4473) which are required to be held for 20 years.
Sellers of explosives have similar forms (Form 5400.4) and records retention
requirements (permanent). The point is that if a government authority needed
to obtain records of a particular traceable transaction then those records are
available via a process and are, in essence, continuous oversight by the
private sector. Widespread abuse of access to those records is simply not
possible without widespread cooperation of the private sector. This is in
direct contrast to what has happened with things like the census records being
used to help locate Americans of Japanese descent during WWII and other more
recent abuses of U.S. government records that were against the law but the
perpetrators were given "a free pass" by the administration in power at the
time. The UBID holder would only give permission for the logging of tracing
information as needed. The normal mode for transactions would be anonymous
with the only information given to the other party was that the UBID holder
did not have a restriction for that product or service -- such as alcohol or
tobacco sale.
I would further like to suggest that the central restrictions database only
has a list of people with restrictions. They do not have a database of
everyone who has a UBID device. This is similar in function to the National
Instant Check System (NICS) currently used for verifying the legality of a
firearm sale. If the person is not in the database then the firearms
transaction is allowed. Convicted felons and people involuntarily committed to
mental health facilities are currently entered into the NICS database and
similar criteria could be developed for the UBID database. It might have all
foreign nationals visiting the country and restrictions upon them, or an
arrest could result in an entry that is removed if charges are dropped or they
are found not guilty. The UBID device would "know" the date of birth of the
holder and generic restrictions based upon age would occur without involvement
of the central database. This greatly increases the privacy for the mass of
the population that is law abiding and has an additional advantage that the
central database is much smaller and easier to maintain. This enhances the
chances the database integrity can be maintained because far fewer people will
have need for modification access to it. This also maintains the model of
presumed innocent until proven otherwise central to U.S. Constitutional law.
The restrictions on the UBID device need to be updated as things change. An
outstanding arrest warrant or felony arrest and conviction would add
restrictions. Or information of terrorist connections might place air-travel
restrictions on the holder. My proposal would be that the UBID need to be
updated periodically by connection to a central database. Or under certain
conditions contact with law enforcement might cause an immediate update in
restrictions -- such as an arrest for driving under the influence might add an
immediate restriction against driving that would expire in 24 hours. Or a
restriction on out of state travel might be put in place until after a trial.
The normal expiration period for the validity of the UBID device might be
something like 30 days. The UBID holder could at anytime connect his or her
card to a internet connected computer and update the restrictions. The UBID
device would be valid for another 30 days from the time of the update. The
connection to the database could be done through one or more anonymous proxies
located anywhere in the world such that the government entity providing the
update could not know the originating IP address of the UBID holder. The UBID
holder could see any changes to their restrictions before them being committed
to the device. This would allow people with arrest warrants, in essence,
advance notice of their status but it would also give people a chance to
travel freely to escape religious/racial/political persecution or to challenge
the change in restrictions through some sort of due process. The 30 day
expiration would also allow for people to continue to function if the central
database were attacked and was non-functional for some relatively short period
of time. Restoration of the functionality of the database within hours would
not be critical to the functioning of society. If people were to routinely
update their cards every 15 days then two weeks of repair time would be
available to the system administrators before a failure of the system would
start to have a significant impact on the functioning of society. By that time
alternate plans might also be put in place if it was not feasible to restore
the functionality of the system.
There are several technical issues to be addressed such as assuring the
updating of restrictions is not spoofed, counterfeiting of UBID devices, etc.
but I think most of them have fairly well known solutions.
There are still unsolved (and perhaps unsolvable) obstacles:
The central database integrity. There will be thousands of people that provide
information into the system. What sort of controls can be put in place such
that restrictions could not be removed or added maliciously? The smaller the
dataset can be made the less potential for abuse, but no matter the size of
the database the problem exists.
A similar proposal for purchase of firearms based on a restriction notice
placed on drivers licenses was objected to by the ACLU as having a high
potential for abuse. If I recall correctly, the claim was that once the
convicted felon had "paid his debt to society" they should not longer have a
highly visible status in the general population. This system may also result
in similar objections.
The population at large may simply refuse to cooperate. Canada's firearm
registry is failing in part because of this. Most of the provinces have
refused to enforce it because of the widespread opposition. It is estimated
over 1 million firearms are not registered in defiance of the law. Only one
conviction has been made because of their failure to registry a firearm. See
http://www.globetechnology.com/servlet/ArticleNews/TPStory/LAC/20040107/REVIEWM07/TPTechInvestor
for more details.
Does this really buy us anything that isn't already accomplished other ways?
If it does, then does the money spent on this system represent the best return
on investment in methods to solve the targeted problems?
Although I didn't consciously remember it until after I started working
through the details there is a similar system being used today for real estate
agents. A friend in the business explained the system to me last September.
They have a card that is updated with permissions frequently (something like
once a week or once a day) which allows them to open a box installed on the
outside of a property. The box holds the key to the building's entrance and
logs the transaction for later retrieval. This system may be patented by
vendor.
I would also like to give credit to Henry Boitel for getting me "fired up"
enough to try and prove him wrong about the workability of a UBID system. If
some of my suggestions result in acceptance, implementation, then from there,
somehow into a police state I would like everyone to blame Henry instead of
me. :-)
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Tuesday, January 13, 2004 7:58 AM
Subject: Re: An outline of UBID that might work.
Joe,
It would be helpful to me if you would recast your firearms/explosives
examples within the following analysis. I think you will find that the none of
your issues are with the UBID, but rather with the substantive rules that will
continue to be administered by the appropriate federal and state agencies
separate apart from the UBID card or the UBID database..
You express valid concerns with regard to the treatment of data, However, the
UBID system does not manage data beyond the enrollee's basic identification
information and whether he is a citizen, resident alien or visitor, a
convicted felon, a fugitive, a parolee or probationer with travel
restrictions, a missing person or on an authorized watch list, alive or dead,
whether presently adjudicated incompetent and whether presently a minor.
All substantive data bases whether they be of a government agency or private
entity or entry to your car or home, are under the exclusive control of the
entities that manage those data bases. For example, you go to your bank.
a) Swipe your UBID card at the ATM. By doing so, you are claiming that you are
the person to whom that card was issued.
b) You are asked to display your biometric(s), and it/they are compared to the
card. The bank's system now knows that there is or is not a match.
c) If no match, a procedure is followed similar to present swipe failures,
giving an opportunity to correct errors.
d) If there is a match, part 1 of the id process is completed successfully.
e) As the foregoing is occurring, the bank's system is checking with the UBID
central database to make certain that this is a validly issued card. There is
no central data base check against the biometric. Only against other data
encrypted within the card. If that data does not match (e.g. name and public
UBID number having been issued to a person with a certain non public UBID
number), then the ID effort is rejected.
f) If the local biometric check and the central card validity check match then
the ATM displays the options that are available to the identified person with
regard to available transactions.
g) The central data base has no information concerning the substance of the
transaction. Only that it certified the card to this bank at this date and
time.
h) The bank has no information concerning any transactions you may have
performed with the card elsewhere that day and has no information concerning
the central bank validity check information. It has a record that validity was
confirmed to it at this day and time.
i) The central database verification is no more complex or data intensive than
typical credit card transactions involving central data bases - i.e. just
about all credit card transactions.
j) If for any reason the central data base network and its redundancies should
all fail, the bank would have the option of temporarily waiving central card
verification..
The foregoing scenario can be recast to put any entity in place of the bank.
In each instance, the central system is only certifying that the card details
match details on file.
In any situation, a bank or other entity is free to also require a password,
but if the UBID checks out, they must have an immediate reasonable alternative
to password failure.
I think that the foregoing meets your primary concerns.
You suggest that the central database would only have a list of the people
with restrictions. The UBID central database would have a list of all
enrollees, but the information it would carry on them would be:
a) all information on the card, including biometric, and
b) the specified status information I have detailed above (citizen, etc.). The
central database would be updated in as close to real time as possible with
regard to changes in status -- e.g. felony convictions, shift from legal to
illegal alien, fugitive, etc.
c) the UBID outline describes different levels of card - general, relative
background, deep background, to cover different security levels. All cards
would look the same except for name and photo and number on the face of card,
and the details that are imbed electronically. There would be no indication of
security level. However, if a person presents himself to a secure site, the
site would have the option of externally verifying UBID security level or
simply using its own database for that purpose or both.
The card never has on it or within it any information other than that
necessary to confirm ID and card validity - with one exception. Optionally,
the card can include some memory that is under the control of the card holder,
both as to what can go in that memory and what can be read from that memory
and what can be removed from that memory. This might typically be used to
store emergency information, electronic transaction receipts and other things
for the sole convenience and at the sole discretion of the card holder.
You express a concern that errors will inevitably occur in the UBID system.
Since, for most people the scope of information is relatively narrow, and all
information is relatively standardized, I suspect the error level will be
immensely less than in the multiplicity of secure and pseudo identity systems
that presently exist. The personal status information (citizen, etc.) will be
as reliable as the systems that exist outside of UBID to determine and record
that information. For most people, the basic id information and the status
information, once properly input or corrected, will remain the same until
death.
You do not mention it, but there is an issue with regard to changes in some
biometrics that occur with the passage of time. In accordance with the state
of technology, periodic updates would be required for such biometrics.
Similarly, there is the problem of someone who experiences a temporary or
permanent change or loss of a biometric. Alternate verification procedures
will have to be available for such persons just as there are reasonable
alternate methods for persons with other types of disabilities.
You mention that some of the population may refuse to cooperate. In this
regard you have to distinguish between the ID function and the substantive
activities for which the ID is used. If there is a doohicky agency that
requires all people to register their doohickies and submit a full color
picture of themselves alongside of their doohicky, someone may refuse to
engage in that registration process, with or without a UBID. That is really
not a UBID issue. I suspect that most refusals to cooperate would fall into
that category. Clearly, there are some persons who will not want to
participate in any ID program, particularly if it relates to a unique database
designation, such as a number. Most such persons will eventually enroll since
the lack of an ID will have practical consequences since it is difficult to
live in the modern world without an ID and since some people, by their very
status as non-citizens, professionals, government employees and felons, will
not have any choice.
When we are dealing with hundreds of millions of people, regarding anything,
there will always be at least tens of thousands of people who, out of protest
or not getting up on time, will create bumps in the implementation landscape.
If that kind of bump were seen as making a system unworkable, we simply would
have not government or private systems of any kind.
The UBID is confronted by the same kind of problems that plague biometrics
generally. 1) There is a real scarcity of scientific/acadmic minds that are
devoted to this sort of thing beyond the power point level; 2) For competitive
reasons, many who can talk about all or parts of such a system, decline to
enter into the dialog; 3) There is an increasingly bureaucratic approach, in
both the public and private sectors, that discourages giving an opinion as to
things deemed controversial. To some extent, it is Galileo all over again.
Meanwhile, at far greater cost, a de fecto BID systems are proliferating and
being linked and huge amounts of personal data, of uncertain reliability or
completeness, are being "mined" over and over again, without any apparent
safeguards or unified policy.
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Christopher
Effgen
Sent: Tuesday, January 13, 2004 10:30 AM
Subject: Re: An outline of UBID that might work.
Henry,
Below is my understanding of your UBID proposal:
The UBID system does not manage data beyond the enrollee's basic
identification information and whether he is a citizen, resident alien or
visitor, a convicted felon, a fugitive, a parolee or probationer with travel
restrictions, a missing person or on an authorized watch list, alive or dead,
whether presently adjudicated incompetent and whether presently a minor.
The UBID system involves the mandatory use of an identity card, which contains
a copy of an aspect of an individual's biometrics. The card is used to confirm
the identity of the person using the card when an individual engages in
transactions. Without a card, an individual can not engage in transactions as
determined by governmental and non-government entities.
As used by government, an individual's legal status as a citizen is monitored
and adjusted. The system maintains links to criminal history and investigative
records. It is also used to maintain the suspect status of an individual, and
determine if the individual is free to travel within the United States.
As used by non-governmental organizations the card can be used to determine if
you are allowed to enter your car, home, or have access to your deposits in
banks.
All cards would look the same except for name and photo and number on the face
of card.
Optionally, the card can include some memory that is under the control of the
card holder, both as to what can go in that memory and what can be read from
that memory and what can be removed from that memory. This might typically be
used to store emergency information, electronic transaction receipts and other
things for the sole convenience and at the sole discretion of the cardholder.
If a segment of the population refuses to cooperate, they will not have a
choice.
I think that I have been fair in representing your views.
I believe that this is where we are moving, and that if we implement this
scheme we will inevitably move way beyond this. For example, the uses that you
propose by government are minimal to say the least. The card would be required
in all government benefit transactions, and virtually everyone with a
commercial interest would want to use the card to track transactions of every
type. Private industry would use this information to construct deep profiles
of every citizen of the United States.
Years ago, I wrote a paper called the neural network. The neural network is a
system in which our minds are linked electronically. The difference between
that system and this system is that brains, not minds are linked. In your
system that you would construct a mind, outside the control of the individual,
which takes in the information and makes the determinations. The system
studies the habits of individuals and makes determinations accordingly. The
individual, who has no control of the mind/system making these determinations,
exists in a chaotic world. The system tends to generate self-fulfilling
prophecies with respect to an individual's future anticipated behavior.
The system is operated by bureaucrats who, by the nature of the limits placed
upon them by the nature of the organizations that they work for, can never
achieve their potential as human beings, but must, at least at work,
subordinate themselves to the goals of the organization. Bureaucracies, while
necessary, tend to be incompetent, irresponsible and, when holding the power
of sovereign, lawless. The tendency of the human race to create static
repressive systems has been noted by others. When we survey the vast majority
of human history, what we see are a few lights in which individuals were free
to pursue their creative potential.
At this time too, we are dealing with the cultural phenomena of regression in
the face of a disaster that has affected every level in our society. Add to
this, the tendency of individuals to use such disasters for the justification
of the pursuit of objects that they wanted to engage in anyway, and we have a
fair summary of the why of what is happening in the world today.
Yet, there is a larger picture. We live in a risk/threat universe, in which
the good is the absence of disasters. The reason that I gave up my work of
mitigating disasters, 20 months before September 11, 2000, and became involved
in this issue, was because I saw the danger of this.
Christopher Effgen
Anchorage
-----Original Message-----
From: The Biometric Consortium's Discussion List [mailto:BIOMETRICS@PEACH.EASE.LSOFT.COM]
On Behalf Of Henry J. Boitel
Sent: Tuesday, January 13, 2004 11:09 AM
Subject: Re: An outline of UBID that might work.
Christopher,
Look at anything real clasp and it appears to be something other than it is,
as Gulliver learned.
Step back a moment. The UBID would be mandatory only in the sense that if one
wishes to engage in transactions where he must establish his identity, the
UBID would be the identity standard. This whole thing, at its primary level,
turns on the question of whether people/ agencies/ businesses have a right to
know who you are when they deal with you.
On a secondary level, it turns on whether, when relevant, a
person/agency/business has a right to know if you are a citizen, a minor, a
person of various tupes of illegal status, or an incompetent.
If I turned the tables, we could come up with several principles that seem to
flow from your approach:
1. Equivocal identificiation is good enough. There ought be something in the
equation to keep people off balance when they are deciding whether to extend
trust, credit or entitlements.
2. A private id certification, i.e., one that costs money is ok for those who
can afford it, so that they can get to the head of the line and not be
publicly embarassed. The rest can wait on line and be primary candidates for
rejection.
3. Trust the government to defend amd protect you, keep you in a sanitary
environment, oversee matters of health, etc., issue your birth certificate,
your professional license, your marraige license and regulate the private
sector, provide an ID for your real property and supervise your banks, but
don't trust them to run an identification system.
4. Give the opportunity to both government and the private sector to jerk you
around on identity issues if you do not have the power or influence to demand
respect and attention.
5. Instead of focusing on a very narrow program of identity verification and
illegals screening, it is preferable to have every person a suspect each time
he or she is encontered, and we leave to chance the question of whether
illegals will be screened out of the community.
6. In the absence of a unified system, that permits very targetted
retrospective inquiries, retain the present non-system, that ensures
broadbased, indiscrimnate rummaging through personal information and
activities.
7. Keep the name list systems (that you have been fighting for some time in
courts and agencies) as preferable to a unequivocal ID system.
My point is that it is not enough to say "I don't like the weapon that this
gives to government/business". In order to be valid, one must compare the
prospective situation to the present situation. The present situation is
devoid of controls, is probably uncontrollable and results in huge personal
and national insecurity, as well as great cost if even if the cost of identity
theft is not counted.
If you have a better idea to remedy the present inadequacies, let's hear it. I
would be happy to see a better solution and, in any event, I would enjoy
picking apart someone else's proposal.
Best wishes,
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Daniel C Landi
Sent: Tuesday, January 13, 2004 6:28 PM
Subject: RES: An outline of UBID that might work.
IMHO, it is a fact that UBID cannot rely on the secrecy of the biometric data.
When such systems become a de facto standard for border checking and country
club entrance, all this logged information will be too valuable to remain
untouched.
I’m not saying that there will be foreign companies specialized on gathering
biometric samples or an underground community that will create an open
biometric repository on the Internet. But one should assume that all his ten
fingers, face, irises, retinas, voice samples, etc will be known in a raw
digital format. We won’t put all these images and data openly on our personal
digital certificates, but it is just like so. Actually, when the future
bio-hackers start enrolling fingerprint images associated to your name, you
might just do it yourself (apart from government controlled systems).
I don’t think that changing from finger to finger then from biometric to
biometric is a good countermeasure, and I’m not sure what the solution is.
Should we adopt only tamper proof hardware with embedded digital certificates
for signing and date stamping? Should we research more seriously the live
checking mechanisms on the sensors? Maybe an option is to use short-term
biometric technologies with constant updating and periodically re-issuing – so
the data stolen will “expire” after some time – or intentionally degrading the
biometric template to allow only limited 1:1 matches.
I did not read through all the posts concerning UBID, so pardon me if these
ideas were discussed here before.
Best regards,
Daniel C Landi
Sao Paulo, BR
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Tuesday, January 13, 2004 7:51 PM
Subject: Re: RES: An outline of UBID that might work.
Daniel,
I agree with you. It will only be a matter of time before one's current
templates or actual images of one's ID biometrics are captured by
persons who have not been authorized to capture them. It should be noted
that open availability has always been inherent in what I will call
traditional biometrics, i.e., photos, signatures and recorded voice.
In my view, the best ID biometrics system is one in which it does not
matter whether anyone captures your biometric images or templates. After
all, it is not the biometric that gives you access, it is the fact that
you, a living person, match the biometric.
The foregoing notwithstanding, there is no doubt that you put your
finger on an area of security holes that must be plugged. To the extent
possible, these should be anticipated and resolved before inauguration
of the system. For potential problems that cannot yet be resolved, there
ought be automated oversight that flags potential irregularities.
It is important to distinguish between the ID process and the
substantive transactions that follow. For example, you go to a store,
present your UBID, it confirms you are who you claim, and you buy ten
widgets, charging them to your Mastercard account. The clerk charges 12
widgets to your card, and keeps the extra two. Or he charges only the
number you have purchased but puts only 8 in your bag and keeps 2.
Neither of these is an ID problem, Identification worked fine.
You go into the same store, purchase 10 widgets and get 10 widgets and
you leave. The clerk, a graduate of Mission Impossible school, has
plugged a device into the ID system and it captures all of the
interactions of you and your card with the local and central systems.
Without the need of breaking any encryptions, the clerk merely uses the
recording to feed back to the system a new order under the guise that
the biometric and card information is coming from you and your card.
Unlike the first example, I consider this to be a true ID biometrics
issue and I think it illustrates the type of thing about which you are
expressing concern. <<<<I hope members of the list will pick up on
Daniel's challenge and comment as to existing practical solutions to
this scenario.>>>> It should be noted that such scams are a lot easier
with current credit card systems, where the clerk forgets to give you
your card back or simply uses his record of your card number to enter
another order.
If we can get past arguments concerning the general UBID concept and
into discussions concerning solutions to implementation problems, we
will be accomplishing something. Thanks for taking the lead Daniel.
As a footnote, fraudulent practices by insiders will always be with us.
Biometrics may not prevent yielding to temptation; however, biometrics
can help us determine who it was that yielded to temptation. We already
have use of biometrics to track who is making entries into computer systems.
Best wishes,
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph
K
Sent: Tuesday, January 13, 2004 11:18 PM
Subject: Re: An outline of UBID that might work.
Henry wrote:
----
It would be helpful to me if you would recast your firearms/explosives
examples within the following analysis. I think you will find that the none of
your issues are with the UBID, but rather with the substantive rules that will
continue to be administered by the appropriate federal and state agencies
separate apart from the UBID card or the UBID database..
----
I believe I understand how the UBID as you envision it is to work and I don't
believe you completely understand my concerns and those of probably millions
of others, not just 10's of thousands.
As soon as there is a central database that is contacted with every use of the
UBID there exists a mechanism for abuse -- the movement and activities of
people can be tracked, and that movement and those activities can be,
essentially, instantly halted. This mechanism must not EVER be allowed to
exist. It will enable the creation of a police state, which I believe will
inevitably follow. The people that find ways to avoid using it, to subvert it,
and to attack it, will be some of the justification for more control over the
population.
I have expressed this concern numerous times in numerous ways on this list and
when I get a response from people it is of the nature of "you are paranoid, no
further discussion needed". All that I can conclude is that the people that
think I am paranoid have a completely different frame of reference and are not
participating in the same reality that I am. This last weekend I did a quick,
unscientific poll of the people (both adults and teenagers) from several
different families. I asked the following question, "What do you think of a
national ID card that would be required in your day-to-day activities such
that it will be almost impossible for an illegal or a fugitive to function
without encountering a situation that requires presentation of there card?
This card would replace nearly all your other cards including credit cards and
drivers license. You only have one card to carry with you. It would be secure
and you could use it as easily as cash without the need to carry cash." The
response varied from "That would suck, it will never happen in this country."
To, "No. I wouldn't like that." Even though I tried to present it as
positively as I could not a single person would waiver from their opinion that
it was a bad (or REALLY BAD) idea. Even the teenagers were vehemently opposed.
I would have expected them to have the frame of reference at least somewhat
comfortable in lacking a sense of freedom from intrusion in their lives.
In the world where I live people can go out on their property and legally mix
up and detonate explosives just for the fun of it with the only legal
restriction being that you can't hurt anyone else or their property. Guns,
including machine guns, and guns with suppressors are legally used for
recreational purposes. When the local law enforcement shows up at these events
they complain -- that they didn't know about it earlier so they could have
arranged to have the time off to play with us. I expect this to be completely
foreign and nearly unthinkable to many on this list and an indicator of the
distance between our two (or more worlds).
In my world government has given us numerous examples in how well it can be
"trusted" to obey laws, rules, and regulations, that "protect" the private
citizen from abuse. Some of those examples follow:
In my world (this happened just a few miles from where I used to live) someone
is asked by a Federal informant to use a hacksaw and cut off the barrel of a
gun 1/4" shorter than is legal, he does so, is arrested, gets out on bail, is
given a court date a month later than has actually been scheduled, doesn't
show up for the actual court date, then when the Federal Marshals show up spy
on him prior to arrest they shoot his 10-year old son in the back, killing
him. A friend shoots a Marshall in the confrontation, killing him, the FBI
snipers show up the next day and without announcing they are present, follow
written orders to shoot to kill any armed person that comes out of the house.
Never mind all the adults and all the older children never leave the house
unarmed -- entirely legal in my world. The original arrestee is shot in the
back (wounded and survived), the friend that shot the Marshall is severely
wounded, and the arrestee's wife, carrying a baby on one hip and a pistol on
the other hip is shot in the head and killed. At the trial the jury finds the
original arrestee only guilty of failing to show up in court and is sentenced
to time served, the friend who killed the Marshal is found not-guilty and
walks out. The Feds publicly insist AFTER THE TRIAL their Marshal was murdered
although the jury found the "murderer" acted in self-defense. The state tries
to put the FBI sniper on trial for manslaughter. The Feds insist the sniper
was "just following orders" and is therefore immune from prosecution of any
type. The person that wrote the orders to "kill on sight" is never discovered
because the paper trail was literally run through the shredder. The person
that did the shredding was punished for destruction of evidence, but he was a
low level person that certainly was not the one that wrote the order. Both the
sniper that shot the three adults and the person believed to have written the
orders also have roles in the confrontation in Waco with the Branch
Dravidians. Neither are ever punished for their roles in either tragedy.
In my world I visit friends of Japanese descent and see in their living room a
framed poster from 60+ years ago. The poster announces that all people of
Japanese descent must report to the detention camps. My friend was born in my
home state, 300 miles from his home and his parents home, a month after his
parents were released from the camp after the end of WWII. His mother was too
far along in her pregnancy to travel and his parents and older siblings stayed
until after he was born to return to their "home" which was no longer theirs.
In college I wondered why there was such a concentration of people of Japanese
descent from one area of my state attending the state college. It turns out it
was the location of one of the detention camps and when the people were
released many of them had no homes to return to and stayed to start a new life
in the local area. When I went to the county fair in Puyallup (south of
Seattle) I marveled at the large building used for the exhibits and pens for
the animals. How could a relatively poor county afford to build such large
nice buildings for a fair? Those building were built by the Federal government
as "pens" for people -- Japanese Americans who had done nothing wrong other
than having parents, grandparents, and great-grandparents that had been born
in another country. Those buildings were turned over to the county after the
war. Census data, supposedly protected by Federal law, was used to help find
people that were to be sent to the camps. No person was ever punished for
using that data illegally.
In my world when you look closely at the laws regulating your sporting
equipment you find that, on the average, you rack up five potential years in
prison for every year of your participation in the sport -- should you be
discovered and convicted. All without there ever being a single victim and
many of those "crimes" being committed in such a fashion that it was virtually
impossible for you to know you were committing a crime.
In my world the federal government has made it illegal for a group of people
to pool their money, form a corporation, and place advertisements advocating
the voting for or a against a particular candidate within N days of an
election. If they can say 60 days, can they say 90 or 365 days? If you put up
a web site using your existing computer and spare time that costs you only an
hour or so of your time and the use of your spare bandwidth purchased for your
recreational use and this web site advocates voting for or against a
particular candidate you can be fined unless you report the "fair market
value" of the web site to the authorities. If this isn't an infringement of
"free speech", what is?
In my world when the President of the country comes into town they mark off a
"Free Speech Zone" a third of a mile or more away from his path where people
carrying signs opposing his policy are "free" to exercise their speech out of
obvious sight and sound of the media following the President. People in
support of his policies are allowed close access.
In my world when AIDS starting being noticed and there it was noticed the
number of people infected was doubling every year it was suggested that unless
drastic action was taken virtually the entire population of the U.S. would be
infected within 10 years some politicians started talking about quarantines of
all homosexual men. Having a central database with health and family/marital
status information in it have been very useful to implement such a plan. As it
was it simply wasn't possible to gather the information -- had the political
will materialized.
In my world people from certain mid-eastern countries are detained,
questioned, and deported without being allowed to confront their accusers and
the evidence against them, without their names or numbers ever being made
public, and (I may be mistaken on this final point) without ever having access
to effective legal counsel.
In my world if law enforcement finds you with large amounts of cash on your
person they can confiscate it and you have the burden to prove it was not
obtained illegally.
In my world if the police believe you know or should have known that someone
was selling a herbal remedy for nausea associated with anti-cancer drugs from
your property they can seize that property and you have the burden of proof
that you did not know and could not have known it was happening before you can
obtain your property.
In my world the Holocaust was not a myth, it was real. It was perpetuated by a
group of people that via the Weapons Control Act of 1938 disarmed their
victims, required them to have ID showing their ethnic background, required ID
to function in day-to-day life, then deported the disarmed victims from the
country to work camps as a temporary solution. The final solution came later.
The U.S. Gun Control Act of 1968 (GCA-68) was written by the same senator that
asked the Library of Congress to translate a document he had brought back from
the Nuremburg trials years earlier -- the Weapons Control Act of 1938. There
are many of the same phrases, terms, and requirements in the documents -- it's
obvious the documents are related, and it's obvious from the functionality of
GCA-68 as well as from the crime data prior to and following the passage of
GCA-68 that prevention or solving of crimes could not be expected and was not
achieved. However it could be useful in disarming a class of victims, similar
in function to it's parent document.
In my world when someone starts talking about government issued ID that is
essentially required to function in society and has the potential track every
person it is a struggle to remain civil. It is a struggle to not proclaim
their intentions, in the most vigorous and most energetic terms possible, to
be consistent with the governments in times past who implemented similar
systems and then proceeded to engage in genocide.
Before someone again suggests I am being paranoid and dismiss my concerns or
suggest that "regulations can provide the protection required" I suggest you
look at two things:
1) My personal life. Just two years ago I allowed the government to do an
extensive background check in order to receive a high level security
clearance. They asked detailed personal questions about me of my neighbors,
friends and acquaintances for the past ten years, found out things about my
financial situations I didn't even know, and asked my wife to tell our entire
history of knowing each other since we first met in algebra class in 1969.
They may monitor my phone calls and can search me without cause while at work.
My personal web sites have hundreds of pages of information about me and even
a web cam of my bedroom (https://joehuffman.org/cam.htm). Is this
consistent with your vision of a paranoid person?
2) History. The history of just this country in the past 100 years -- how many
regulations and protections have been violated without the government
perpetrators ever being punished? Expand that review of history to include
other countries and the violations "legal protections" become even more
obvious -- the millions of people killed by their own government for their
political, religious, or ethnic backgrounds. By what means can you guarantee
that a system and technology put in place with the capability to track the
every action of a political enemy will not be used it to do so? What if
Richard Nixon had such a system at his disposal? Do you believe he would have
not have used it or would have punished those that used it in his behalf? I
believe the only way to prevent the abuse of such as system is if the system
is never allowed to exist in the first place. I believe it is possible I am
excessively concerned. But I also believe those people who propose such a
system are either naïve, have large financial incentives, or desire to control
the power such a system would give them.
Henry wrote:
----
It would be helpful to me if you would recast your firearms/explosives
examples within the following analysis. I think you will find that the none of
your issues are with the UBID, but rather with the substantive rules that will
continue to be administered by the appropriate federal and state agencies
separate apart from the UBID card or the UBID database..
----
If you believe "substantive rules ... will continue to be administered" will
assure me the database will not be abused then you haven't been listening. The
"substantive rules" that I would required to be put in place in order to
believe the contents of the database would not abused would cause the most
enthusiastic Auschwitz guard to cringe at my creativity in punishment methods,
violate numerous protections of the Bill of Rights, and probably inspire
several additions to it.
Henry wrote:
----
Most such persons will eventually enroll since the lack of an ID will have
practical consequences since it is difficult to live in the modern world
without an ID and since some people, by their very status as non-citizens,
professionals, government employees and felons, will not have any choice.
----
You dismiss with "people will have no choice" or imply they will comply simply
because it's more convenient. They may not have legal choices to avoid the
system but they have many choices. You apparently underestimate the power of
the free as well as black markets. Whatever products or services are difficult
or impossible to get without an ID will find an alternate route to the person
willing to pay a premium for that product or service in order to not show an
ID. In many cases the product or service may actually be CHEAPER on the black
market. It is that way now with illegal entry into this country. It is cheaper
(including the cost of the wait for legal entry) to buy clandestine
transportation, false documents, enter this country, and go about their
desired business than it is to follow the legal routes. It is also that way
with machine guns in the country. If you want a new machine gun, unregistered
and no trace of it "on the books" it can be had for close to it's retail
price. A legally registered machine gun (all privately owned machine guns must
have been registered prior to May 1986) is almost certainly used and costs
five to ten times it's retail price. Another example: the gun registry in
Canada. You can register yourself and your guns and continue to function
legally or you can turn them in and not be registered with the national
government. You cannot legally continue to own firearms without complying. Yet
they do. They buy ammunition, they go hunting, and they target practice with
illegal owned firearms -- an estimated 1 million firearms. How is that
possible? Most of the provinces REFUSE to enforce the national law. The
special national law enforcement officials sent to enforce the firearms laws
arrive at their desks in the morning and leave at night and do not identify
themselves to their neighbors and friends. They do not attempt to enforce the
laws. Only one person in the entire country has been convicted of failure to
follow that law. What happens to your ID card, mandated by the national
government, is not used by the local governments and they refuse to assist in
enforcing laws requiring it's use? If you don't believe that can happen --
Would you have believed the local governments of Canada would have refused to
enforce gun registration laws? I doubt it. You live in a completely different
world than I do. I am only surprised by how peaceful the opposition has been.
Henry wrote:
----
e) As the foregoing is occurring, the bank's system is checking with the UBID
central database to make certain that this is a validly issued card. There is
no central data base check against the biometric. Only against other data
encrypted within the card. If that data does not match (e.g. name and public
UBID number having been issued to a person with a certain non public UBID
number), then the ID effort is rejected.
----
I don't see the checking with the central database as being required. And this
contact with a central database is the fatal flaw that generates the
opposition and creates the single point failure for the entire functioning of
our society that must not be allowed. You seem to be aware that it is not
required because you say the bank (or whoever) has the option to continue even
if the central database is unavailable.
Henry wrote:
----
g) The central data base has no information concerning the substance of the
transaction. Only that it certified the card to this bank at this date and
time.
----
At day one in the implementation I believe this might actually be true.
However the mechanism will be in place such that "the loophole" (ask me about
the "gun show loophole" someday -- it doesn't exist although "everyone knows"
that it does) will be "closed" in later implementations. And there are already
efforts to portions of this right now. Haven't you heard of the "Know Your
Customer" program for banks?
Henry wrote:
----
i) The central database verification is no more complex or data intensive than
typical credit card transactions involving central data bases - i.e. just
about all credit card transactions.
----
Credit cards are not required to function in our society, the databases are
not owned by the government, and are distributed across a large number of
private businesses.
Henry wrote:
----
The foregoing scenario can be recast to put any entity in place of the bank.
In each instance, the central system is only certifying that the card details
match details on file.
...
I think that the foregoing meets your primary concerns.
...
The UBID central database would have a list of all enrollees...
----
Nope, it violates my primary concerns. The central system as you envision it
cannot be allowed to exist. Both from the standpoint of potential for abuse
and from the standpoint of being a single point failure mechanism.
Henry wrote:
----
You express a concern that errors will inevitably occur in the UBID system.
Since, for most people the scope of information is relatively narrow, and all
information is relatively standardized, I suspect the error level will be
immensely less than in the multiplicity of secure and pseudo identity systems
that presently exist.
----
Perhaps I failed to express my concerns accurately. I was not referring to
accidental errors but errors deliberately introduced via people motivated by
bribes or hostile intent. The more secure and fool-proof the system appears to
be the more value there will be in deliberately corrupting the database. This
is because people will be more likely to ignore contradicting data about the
ID of the user. Similar to "child proof" lids on medicine bottles increasing
the number of child poisonings when people left the bottles accessible to
children and trusted the lids to protect the access to the medicine.
I've been setting at my desk at work writing this for nearly seven hours
straight. Time to drag my tired paranoid body off to my web cam monitored
bedroom. I'll probably sleep in tomorrow morning. You can check on me by
looking at my web cam. But perhaps you won't want to do that if YOU are too
paranoid -- I keep a log of all the accesses to my web sites and I will be
looking at the logs and examining the IP addresses to see what I can discover
about my viewers. I will count the number of different visitors to compare
against the number of people on this list. Send me an email telling me who you
think is the most paranoid -- those that didn't visit my web site because I
would be checking up on their visit or me because of my concerns over the
abuse of a government controlled central database.
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List [mailto:BIOMETRICS@PEACH.EASE.LSOFT.COM]
On Behalf Of Huffman, Joseph K
Sent: Wednesday, January 14, 2004 10:48 AM
To: BIOMETRICS@PEACH.EASE.LSOFT.COM
Subject: Re: An outline of UBID that might work. 2
I'm perplexed at something Henry. In what I thought was a rather dramatic turn
around of my position I proposed a system that would alleviate nearly all my
concerns and yet achieve what I thought were all of your stated purposes for a
UBID. Rather than outline the deficiencies of my proposed system you reverted
to your original proposed system. Are there objectives you have not shared
with us? Or is it that you really want the capability for a police state?
Life is filled with ironies. Has anyone else shared my mirth that it is
someone with a German surname arguing against an intrusive authoritarian
government and someone with a (apparently) French surname that is arguing for
it?
Most of my day yesterday was spent working on or presenting a new biometric
technology for use by a rather secretive government agency which I think has
an entirely legitimate function. I amuse myself on a daily basis.
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: Henry J. Boitel [mailto:boitel@MINDSPRING.COM]
Sent: Wednesday, January 14, 2004 8:23 AM
To: BIOMETRICS@PEACH.EASE.LSOFT.COM
Subject: Re: An outline of UBID that might work. 2
Joe,
Your comments primarily focus on your fears and general distrust of
government. My initial reaction was that you were engaging in an
inappropriately extended rant, rather than addressing the specific
elements of UBID that you see as being insecure and less desirable than
the status quo. However, your fears and distrust,. to a greater or
lesser extent, reflect concerns held by many in the United States. While
not everyone will agree with some of the examples your cite, it is
likely that there are many similar examples that they might site or that
are not matters of public knowledge. In that regard you probably have
more in common with some inner city residents than you might think.
That said, there are probably four broad approaches that people with
such views might take: a) Yours, which appears to be to (literally)
circle the wagons locally, and reject efforts at broad-based solutions;
or b) Realization that there are no local solutions to some problems,
and ,therefore, a focus must be had on improving the accountability of
government for its actions, while vesting government with the power to
resolve problems that are national in scope, or c) Opting out and going
with the flow, i.e., out of naiveté, or lack of concern, or fear, or
d) Those who are not particularly concerned because they derive profits
or power or status from what your or I might characterize government or
government/semi-private sector abuse of power.
There are some floaters who are in one group or the other depending upon
the issue. As regards a national identity card, the ACLU appears to be
in your group, but I suspect they are beginning to see that they are
playing a losing hand and can be more effective if they moderate their
position.
The group I describe as (c) is probably the largest group. Of course,
each group has a number of subgroups that range over a rather
substantial spectrum. Ironically, quite a few people in your group are
government employees or are engaged in activities that are heavily
government dependent, and, in order to qualify for their employment
positions, have waived privacy rights on a rather broad scale, as you
describe you have done. I suppose such ironies or inconsistencies are
fundamental to human nature.
On your views, as you have expressed them, I guess our positions are
irreconcilable. However, as I have hope for government, I also have
hope for you. You see, while you are protesting against a basic ID
card, the government is going forward with intrusive procedures that go
far beyond anything contemplated by a UBID, and a good part of their
tacit rationale is that we don't know who people are.
Anyway, let's keep in mind that this is a biometrics discussion group.
We have heard loud and clear from you and others that Government is
untrustworthy and that a common id card can be leveraged into a massive,
oppressive tracking system. For the time being at least, I am going to
opt out of further discussions on those fundamental issues. I am
looking for more specific discussion as to: 1). How the UBID can be made
to work for its stated purpose and 2) how protective features can be
put in place to prevent abuse, and 3) How the UBID provides more or less
identity protection and individual empowerment that the status quo id
systems.
Best wishes,
Henry J. Boitel
New York
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph
K
Sent: Wednesday, January 14, 2004 10:48 AM
Subject: Re: An outline of UBID that might work. 2
I'm perplexed at something Henry. In what I thought was a rather dramatic turn
around of my position I proposed a system that would alleviate nearly all my
concerns and yet achieve what I thought were all of your stated purposes for a
UBID. Rather than outline the deficiencies of my proposed system you reverted
to your original proposed system. Are there objectives you have not shared
with us? Or is it that you really want the capability for a police state?
Life is filled with ironies. Has anyone else shared my mirth that it is
someone with a German surname arguing against an intrusive authoritarian
government and someone with a (apparently) French surname that is arguing for
it?
Most of my day yesterday was spent working on or presenting a new biometric
technology for use by a rather secretive government agency which I think has
an entirely legitimate function. I amuse myself on a daily basis.
Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA
509-375-2201
-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Wednesday, January 14, 2004 11:29 AM
Subject: Re: An outline of UBID that might work. 2
Joe,
As regards objectives, I do not think I could have been more clear than
was specified in the UBID outline and as further specified in response
to specific questions. I also assure you that I am at least as opposed
to a "police state" as you are. regardless of whether oppression comes
from big government, local government, local, self-styled militants or
irresponsible business.
With due respect, it seems to me that most of your presentations have
been directed at why we should not trust the government and conclusory,
but not analytical, statements concerning why a central database, used
for confirming card validity and flagging illegals, presents an
unacceptable vulnerability for individual rights and privacy.
While eternal vigilance is the price of liberty, I am prepared to
believe that we have the capability of setting ground rules and electing
and appointing officials that will faithfully enforce the law. If our
energy were spent in that direction, rather than in giving up on
government, I think we would all live more securely within a context of
liberty.
We have had a sea change in the liberty and privacy environment in the
past two years. The free flow of guns and explosives and opposition to
a coherent ID system have not been doing anything to arrest that change.
To the contrary, they create an environment that tends to be relied upon
by those who champion that change.
If you think your proposed changes in the UBID will secure ID security
objectives, then you will have to explain that in a way that is more
detailed than what you have said thus far.
Henry
Henry J. Boitel
New York