My new project: Tact, a simple chat app.

Article about ID cards in common law countries, and my thoughts on it

March 08, 2009

Bruce Schneier links to an interesting paper discussing ID cards in common law countries, and why they are often perceived as negative. Summary quote:

This chapter suggests that the U.S. hostility to ID cards is based on a romantic vision of free movement, and that the English view is tied to a related concept of “the rights of Englishmen.” I then suggest that these views distract from the real issues raised by contemporary national ID plans in the common and civil-law worlds.

As the chapter elaborates, ID cards are often seen as a risk to free movement, and some people believe it leads to a police society where anyone may be stopped any time without probable cause and arrested if they don’t carry an ID.

Now, it is true that in the modern society, there is a disbalance of government and individual. The government has more resources and is more powerful, and the individual is always at a disadvantage. The above suggests that ID cards will further deepen that imbalance and give the government more control. Free movement is, of course, important, but in my view this debate misses most of the opportunities. Instead, I’d like to turn the argument on its head and ask the opposite question: could it be possible that ID cards are instead a mechanism to empower the citizens in the digital age so that they can regain some of the control they have lost?

The ID card argument is interesting because it embraces many of the disciplines I have had the opportunity to work with – public governance, information security and privacy, and usability. So, let’s talk about usability – not of a product, but how “user-friendly” or more appropriately, citizen-friendly a government is in a digital age.

Regardless of what side of the above “free movement” argument you are on, unless you live in a jungle, your government has a lot of data about you. Most of the time, unlike authorized government agents, you do not have easy access to that data. Let’s imagine for a second now that your government has given you an electronic ID card – not as a surveillance device, but as a token that you can use to access government records and see the same information about you that officials in all the different agencies already see. And not only that, but you’d be able to see who has accessed your information, and for what purpose. All the accesses both by yourself as well as government and commercial actors would be logged, and you’d be able to review and scrutinize those.

Now, there is a category of data that your government does not necessarily want you to see, that has to do with sensitive security and anti-terrorism information. Fine with me (and I don’t want to debate today about the detailed nature of these measures or their constitutionality. I just say there’s a class of data that’s “more sensitive” than other data, but I won’t scrutinize this in detail). But as for most data, it is in the best interest of both you and your government that you have easy access to it at any time. Things like tax and property records, driving violations, parking tickets, public transport tickets, your kid’s school records, sex offenders living in your neighborhood – there’s no reason why you shouldn’t have electronic access to those. And since getting a security scheme right is hard and costly, it does not make sense for all different government agencies to issue separate tokens and passwords to you; instead, it would make more sense if they worked together and standardized upon a common access token.

I believe that one necessary part of an ID scheme is an ID number assigned to each participant (person), which facilitates unambiguous identification. So, an ID card would really be nothing more than a number assigned to a person, and an electronic method to securely authenticate that the right person is currently using the card, and that the card has not been invalidated or revoked.

Opponents to ID card and number schemes immediately cry out “superdatabase!”, saying that having an ID card and/or number leads to all government data being put in a big pot and spooky agents having access to everything, since all data can be cross-referenced and what not. Like I said above though, the data is there already today, whether you want it or not. And the ID card should by itself not have any data associated with it, other than the ID numbers and cards issued to persons, and whether a given card is valid or not. (If a card becomes invalid, e.g is stolen or expires, the person receives a new card, but the personal ID number remains the same for the whole life.)

I believe that data should remain compartmentalized in relevant agencies. So, even though you are identified by the same ID number in both databases, it does not mean that the maintainers of these databases can access all data about you. Instead, giving persons access to their own data in the different agencies is a good way of starting debate about who else and why has access to that data, and what security methods are in place to enforce this access by persons and officials.

Now the above is a bit similar to how credit reporting works in the US. I had heard horror stories about it, but the truth is not so bad (other than the system being somewhat insecure). Social Security Number is being used both as the identifier and password. But insecurity aside, you can sign in to the system, pay the credit agency some money, and see your own credit history and interestingly also who has requested access to it. It works. I applied for a credit card, and then I went to check my credit record and indeed saw that this financial institution had queried my record. (But no one else had.)

This is a baby steps model that is in many ways broken and insecure, but it serves as an example of what could be possible. For example, I would like to log in to the Internal Revenue Service, Customs and Immigration Service or New York State Department of Motor Vehicles to see what current and historic data they have about me, but there is no way for me to do that today.

Largely, the above is how the system is implemented in Estonia today. I am thousands of miles away, but I am able to log on to the Tax Office with my ID card and file my taxes directly to the government using a pretty straightforward online form, without paying anything to the intermediaries. (For those who don’t know, in the US, if you don’t want to fill your tax record forms by hand which may be quite complicated, you can buy an online product where you can fill a similar easy form. But the products are offered by private companies, not the tax office.) I also need to carry over some figures from my last year’s tax report, so I can review my past tax returns in the same place.

There are other benefits. Imagine a secure electronic messaging system together with the ID card. If any agency of the Estonian government, or really anybody else in Estonia since anyone can ask the ID card system “what’s the e-mail address of this particular person”, needs to tell me something important, they have my e-mail address associated with the card where they can send me e-mail. If there is sensitive information, they just send me a notice that I should sign in to their secure website with my ID card (without having any prior relation or registration with them) and review whatever is needed.

In the US, whenever I send somewhere some form to apply for whatever private or government service, I need to write down my street address. I moved from Pittsburgh to New York last year and set up mail forwarding with the US Post Office, and I have indeed got some important mail forwarded. But the forwarding works for a limited time. I wouldn’t be surprised if there was some important mail sitting in Pittsburgh right now, waiting for me, and I have no way of knowing about it or accessing it.

Later this year, we will have two votes in Estonia, for the European Parliament and the municipality where I am still registered and stay when I live in Estonia. I will be able to vote on the Internet using my ID card, without worrying about mail voting or looking for a consulate. I know enough about the voting system to be convinced that it is secure – more so than any form of paper. (And definitely more than the completely insecure voting machines used in the US, where you must still go to the voting station to vote with a machine, which for me defeats the whole point of electronic voting.)

The Estonian e-government system does have a little bug that’s not too serious but I still hope it will be fixed one day. The personal ID number encodes a person’s birth time and gender. I think that is a privacy violation – not too serious one, but it would be better if the ID number was just a completely random number that didn’t by itself contain any data.

As far as I know, no one has really calculated the cost savings that would be achieved by implementing above features of e-government, neither Estonia nor US nor anywhere else. Some of them are easy to calculate in monetary terms and very visible in Estonia today. The Tax Office in Estonia is saying it costs them money to mail out paper notices about pending land taxes to people, and is encouraging people to sign up to electronic notices by saying: “If you sign up for electronic land tax notice, you will receive your income tax refund faster”. Everybody still receives their refunds within the legal time limits, but those opting in to electronic notices will receive their refunds in a matter of days, instead of weeks and months.

So, there are very tangible benefits in terms of cost savings, to ID cards and the associated e-governance. Other benefits are more difficult to calculate. How do you assign a value to each citizen being more empowered, and gaining equal access to information as compared to government officials? I am sure there are governments in the world who would want to calculate this for the opposite reason – so that they would NOT do this, and could keep people away from knowledge and thus power, and could express their own power in tangible numbers. But as for democratic open societies, I believe that access to information is something that both people and elected officials stand for.

With the economic crisis in full effect around the world and both governments and individuals desperately looking for ways to cut their costs while maintaining or improving access to public information and services, I have some hope that nonsense arguments about ID cards and e-governance (police states, limiting free movement etc) get thrown out and are instead repaced with more rational debate about the true benefits. The risks must definitely be accounted for, and there are sadly many counterproductive examples of such schemes being done with bad security, thus torpedoing the whole idea. But if done correctly, I believe electronic ID cards and e-governance are a great way of further empowering citizens and opening up societies.

ADDED: electronic ID cards do require some extra infrastructure. For example, if you have a smartcard-based system, you need a card reader connected to your computer. It doesn’t cost much, but you may still think it’s a hassle to buy and connect it. But if you think that rolling out the infrastructure is a showstopper, I’ll tell you a Skype story. One of the original Skype engineers, in 2003, was skeptical about the whole idea of Skype taking off. Why? “Nobody has microphones connected to their computer.” Which was probably true in 2003. But today he is glad that history and more than 405 million people have proven him wrong.