For those of you who may have missed it, today was the first day of the new "Real ID Act", a/k/a, the American Nazification Papers Act. I wouldn't have know myself except that I recently moved, and wanted to exchange my current Illinois drivers license for a Missouri one. Not so fast... "You have a passport?" "No, I don't travel." "A certified copy of your original birth certificate?" "Haven't had one since I was born, fifty years ago. And since I was born about 1500 miles from here, getting one is no small task." "Too bad. Your old license is invalid and you can't get another one in any state, starting today, without at least one of the two documents, PLUS secondary ID to back them up." Even though I have a current license, and even though I am in their system as having held a valid Missouri license for 15+ years, photo included, none of it is good enough. OK, so I have no choice, I go to the post office to get a Passport - same thing. Fine, I'll just order the birth certificate and get it over with, right? Wrong. New York wants affirmative proof of identity for a copy now: passport or your [missing] original birth certificate. Anyone else see a circular problem here? "I need a new birth certificate because the old one was lost about forty years ago. And I don't have a passport to prove my identity." "Get your parents to testify who you are, and make sure they bring their passports." "They are both dead." "Sorry Sir, I'm afraid we won't be able to help you then." <click>
Ignore the Godwin's Law violation and just focus on the story. In order to get a strong government issued ID you have to prove your identity, which is done, naturally, using a strong ID, which was the problem in the first place. It sounds like something out of Gilbert and Sullivan but it's a real problem for any system that wants to strongly authenticate people.
The real problem is that the whole notion of personal identity is a fairly fuzzy one. In some sense, the notion of discrete personal identity is created by possessing strong personal identification. Historically we've had a variety of mechanisms for mapping that fuzzy personal identity onto strong forms of identity, but they never achieved the goal--nor were really intended to--of making it hard for you to get a new identity that didn't belong to you, because it's not clear what that means anyway. If you're going to be in the business of issuing strong personal identities, you need to either preserve those weak mechanisms or stop pretending that the strong personal identities are tied to the more amorphous information that preceded the issuance of the strong identity.
Is this a true story though? I saw a later posting that pointed to http://www.health.state.ny.us/vital_records/birth.htm which indicated that you could get your birth certificate using such commonplace materials as employment IDs or even telephone bills.
That seems to take care of the Catch-22 nature of the situation but it does suggest that so-called "strong" identification is not really that strong.
It seems obvious that the right way to issue a hard-to-duplicate ID is based on a set of biometrics. This doesn't do anything for telling you whether you've got the right John Smith, but it does tell you that this guy can't easily get a new formally-issued ID.
There are a gazillion privacy issues here, and I'm not thrilled with them, but if you're going to do IDs like this, it sure seems like that's the way to do them.
--John