Part of the Democratic immigration plan is to require every
American worker to have some kind of biometric identification.
The proposal is one of the biggest differences between the newest
immigration reform proposal and legislation crafted by late
Sen. Edward Kennedy (D-Mass.) and Sen. John McCain (R-Ariz.).
The national ID program would be titled the Believe System, an acronym
for Biometric Enrollment, Locally stored Information and Electronic
Verification of Employment.
It would require all workers across the nation to carry a card with a
digital encryption key that would have to match work authorization
databases.
"The cardholder's identity will be verified by matching the biometric
identifier stored within the microprocessing chip on the card to the
identifier provided by the cardholder that shall be read by the
scanner used by the employer," states the Democratic legislative
proposal.
...
"The biometric identification card is a critical element here," Durbin
said. "For a long time it was resisted by many groups, but now we live
in a world where we take off our shoes at the airport and pull out our
identification.
The usual privacy groups are upset about this. I'm not sure how thrilled
I am about it either, but that angle seems played out. Right now, I'm
more interested in the security issues.
First, the American system of personal identification is far weaker
than would be required to really support this strong a system of
identification. The only real
personal identification most US citizens have is a birth certificate
(if they can find it; I don't know where mine is) and a driver's
license. This is reflected in the proof of right to work requirements:
All that's required to get a US passport (sufficient as proof of the right to work in the US)
is a birth certificate and some form of personal
identification (e.g., a driver's license). And at least in California
all you need to get a driver's license is a birth certificate, so
basically all you need is a birth certificate. Similarly, a social
security card (trivially forgeable) and a driver's license are
sufficient to establish the right to work. Any new identification
system like the one proposed here would need to be based on the
same shaky foundation. It's not clear that there's a lot of point in
requiring this strong a piece of identification (fingerprints, etc.)
when we have this weak a notion of people's identity to start with.
Second, the system as described seems incredibly inconvenient, given that it
effectively mandates that every employer in the country have some new
scanner that can be used to verify the user's fingerprint.[1] That seems
like it's going to have a huge scalability problem.
It's not clear how this is going to work in practice, either: is the scanner
going to actually check the user's fingerprint (lots of opportunities
for false rejects here), display the fingerprint and require employers
to check it (you've gotta be kidding me, right?), or send the fingerprint
back to Washington where it can be checked centrally? This last seems
like the most practical option.
Regardless, I have two simpler approaches: the first preserves the
personal identity check but with much less infrastructure. We replace
social security cards and SSNs with a new, longer identifier (18 digits
should be plenty long).[2] These numbers are effectively unguessable,
but the US government maintains a central database that matches
them to pictures (this database can be generated the same way
as we were planning to establish the system described above).
When you go to hire a new employee, you ask for their card
(actually the number is enough) and type their number and your
own TIN into https://www.identitycheck.gov/. The site shows
their picture and you just compare it against the person in front
of you. This creates a record in the database of the check, which
establishes that you have done the check and provides a secure
mechanism for delivering the (customary) biometric without the
need for any new technical infrastructure at the vast majority of
employers.
Really, though, we could probably dispense with the biometric
entirely. As long as we have an entry in some national database
of everyone who is allegedly working [keyed by SSN]
and what job they hold
(including when they started and stopped and some limited
information about what hours they work) it should be possible
to data mine the database for multiple SSNs and catch most
cases of people not authorized to work, since each will
have to present some legitimate number, and most
numbers which can be used already are in use by other people
working other jobs.
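
One way to run that data-mining pass, as an added example that is not part of the original post: a sweep over each number's job records that flags any number whose concurrent jobs add up to more weekly hours than one person could plausibly work. The record layout, the 80-hour limit and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

MAX_WEEKLY_HOURS = 80  # assumed plausibility limit, not a figure from the post

# Constructed records: (ssn, employer_tin, start, stop or None, weekly_hours)
RECORDS = [
    ("000-00-0001", "11-1111111", date(2009, 1, 5), None, 40),
    ("000-00-0001", "22-2222222", date(2009, 6, 1), date(2009, 9, 1), 15),
    ("000-00-0002", "33-3333333", date(2008, 3, 1), None, 40),
    ("000-00-0002", "44-4444444", date(2009, 2, 1), None, 40),
    ("000-00-0002", "55-5555555", date(2009, 4, 1), None, 35),
]

def shared_numbers(records, limit=MAX_WEEKLY_HOURS):
    """Return {ssn: peak_weekly_hours} for numbers whose concurrent jobs exceed limit."""
    events = defaultdict(list)
    for ssn, _tin, start, stop, hours in records:
        events[ssn].append((start, hours))        # job begins: load goes up
        if stop is not None:
            events[ssn].append((stop, -hours))    # job ends: load goes down
    flagged = {}
    for ssn, evs in events.items():
        load = peak = 0
        # Sorting (date, delta) puts a job ending before one starting the same
        # day, so a same-day job change is not counted as an overlap.
        for _day, delta in sorted(evs):
            load += delta
            peak = max(peak, load)
        if peak > limit:
            flagged[ssn] = peak
    return flagged

if __name__ == "__main__":
    for ssn, peak in shared_numbers(RECORDS).items():
        print(f"{ssn}: {peak} concurrent weekly hours")
```

The first number holds a full-time job plus a summer side job and passes; the second peaks at 115 hours across three employers and is flagged for follow-up.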
So, I'm not sure why this seems like a good idea to Durbin et al.
Rather, it just seems like the more general misplaced faith
that people seem to have in positive identification as
a panacea.
1. And what's with the microchip? All you need here is a digital
signature, which doesn't require any kind of chipcard. If Congress wants
a system like this, they should probably let professionals design it rather than
trying to specify every detail.
2. The idea behind the longer identifier is to make it
prohibitive to try random identifiers and get people's actual data.
We just need a long enough identifier that most random values
are invalid.
If we capture the requester's TIN, then any significant number of
bogus identifier requests points directly to this kind of fishing expedition.
Really, 18 digits is probably too long, but since 9-digit SSNs are already too
small, we might as well buy ourselves some room.
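
The argument in this footnote, worked through as an added example that is not part of the original post: how sparse valid identifiers are at 9 versus 18 digits, and a per-TIN count of failed lookups that picks out a fishing expedition. The 330 million issued identifiers, the limit of three failed lookups and the sample log are assumptions constructed for illustration.

```python
from collections import Counter

ISSUED = 330_000_000  # assumed number of issued identifiers (illustrative)

def hit_probability(digits, issued=ISSUED):
    """Chance that one uniformly random identifier of this length is valid."""
    return min(1.0, issued / 10 ** digits)

def misses_before_hit(digits, issued=ISSUED):
    """Expected number of invalid guesses before the first valid one."""
    p = hit_probability(digits, issued)
    return (1 - p) / p

def flag_fishing(lookups, max_invalid=3):
    """Return {tin: invalid_count} for requesters over the failed-lookup limit.

    lookups: iterable of (requester_tin, identifier, was_valid) tuples.
    The limit leaves room for an honest employer's occasional typo.
    """
    invalid = Counter(tin for tin, _ident, ok in lookups if not ok)
    return {tin: n for tin, n in invalid.items() if n > max_invalid}

# Constructed lookup log: one employer with a single typo, one requester
# walking through identifiers that do not exist.
SAMPLE_LOOKUPS = (
    [("11-1111111", "482913570264819305", True)] * 4
    + [("11-1111111", "482913570264819350", False)]
    + [("99-9999999", f"{n:018d}", False) for n in range(6)]
)

if __name__ == "__main__":
    for digits in (9, 18):
        print(f"{digits} digits: p(hit)={hit_probability(digits):.2e}, "
              f"misses before a hit ~{misses_before_hit(digits):.3g}")
    print("flagged:", flag_fishing(SAMPLE_LOOKUPS))
```

With 9 digits a random guess hits about one time in three, so a guesser generates almost no failed lookups to count; with 18 digits the failed-lookup limit is crossed billions of guesses before the first expected hit.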