Dumb uses for smart ID cards – Brief Article
John C. Tanner
In the wake of the 11 September terrorist attacks, the US Congress has become increasingly enamored with the idea of issuing chip-enabled national ID cards that could store all sorts of identifying data, from the carrier’s birth date and Social Security number to a DNA sample.
Law enforcement agents and airport security staff could supposedly fight terrorism by using devices to scan the cards and match the card data against a centralized database with the same information to verify the cardholder’s identity.
Civil rights and privacy advocates understandably went out of their minds, fearing the abuses that such a system would invite. Under a smart ID card system, the government could easily track a person’s travel, purchases, political affiliations and reading material, and correlate that data into a profile for whatever purpose the police saw fit.
Australia is currently having the same debate. Elsewhere in Asia, smart national ID cards have already arrived. Malaysia began issuing smart ID cards with fingerprint data in September last year. Last month, the Macau government launched its own smart ID card plan. Meanwhile, Hong Kong is going ahead with plans to launch its own smart ID card system in mid-2003.
In each case, these cards are expected to double as debit cards and possibly function as driver’s licenses or library cards at the cardholder’s request. The Hong Kong government plans to issue free digital certificates with each card in a bid to encourage online commerce.
But are smart ID cards a smart move even for countries that have already adopted them, much less for other countries considering doing the same? That depends on what you really want to use them for. The technology behind smart ID cards is pretty reliable now, and is getting better all the time. But like all technology, it’s only useful if it accomplishes what you want it to do.
Solutions searching problems
For example, Hong Kong’s idea of including free digital certificates with smart ID cards is a novel idea, but whether it would significantly drive e-business is debatable. Just because you have a free digital certificate doesn’t mean you’re going to trust it or the third-party authenticator that issued it. That will take time. That said, the ID card would serve as a good mechanism for getting them out in the public, so perhaps it’s a start.
If you want to use smart ID cards to prevent atrocities like the 9/11 attacks in the US, however, forget it. The terrorists on those airplanes could have had either valid ID cards or faked ones good enough to fool airport security. Smart ID card proponents vehemently disagree with this, but smart cards can be forged. In the US, for example, people working for the state government departments that issue driver’s licenses have been caught making and selling fake licenses showing the cardholder is old enough to buy beer. If you wanted to get a smart ID card for the same purpose, one key crony or easily bribed official in the local immigration bureau is possibly all you’d need to get one.
This problem also applies to just about everything else a smart ID card could be used for. Even a digital signature won’t prevent someone with the right connections or skills from using a duplicate card (provided the original cardholder doesn’t know it’s been duplicated) or a card made for “someone” who only exists because the central database says so.
Privacy vs convenience
Of course, none of this is any reason to reject smart ID cards altogether. If we refused to use any technology with a security flaw, the Internet wouldn’t exist and we’d all still do all our banking at teller windows. Smart cards work and work well for things like access to campus buildings and prepaid debit cards. I use both types in Hong Kong and mainland China, and they’re convenient to use.
The idea of a national ID card may go against the grain of privacy advocates, but in countries that already have national ID cards (which, incidentally, outnumber those that don’t) it’s less of a concern. The convenience factor alone will probably drive acceptance of smart ID cards for certain things. People routinely give up privacy for convenience or security, which is why we hand out our ID numbers to service providers we want to do business with, or let airport security staff X-ray our bags.
Sure, the potential for data abuse exists, but that’s true today with credit card data and existing analog ID cards. That doesn’t make it right, but rather than a ban on smart ID cards, what we really need are enforceable privacy policies that require transparent data processing, prohibit unauthorized third-party sales and allow people to access their own files.
Okay, that may be a pipe dream, but any government worth the paper it’s printed on would take such concerns into account. If your government is one that doesn’t return your phone calls on principle, then you’ve probably got bigger fundamental problems than whether your ID card has a chip in it.
COPYRIGHT 2002 Advanstar Communications, Inc.
COPYRIGHT 2004 Gale Group