Thank you for asking me to testify today regarding the DC One card program.
At the Cato Institute, I serve as director of information policy studies, and among my specialties are identification and credentialing systems. I have testified about identification systems in legislatures around the country and several times before Congress.
I also serve on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, which often deals with the privacy and civil liberties consequences of identity-based security. My book, “Identity Crisis: How Identification is Overused and Misunderstood,” explores identification theory and the considerations that should go into public policies about identification and credentialing.
Though they are invariably put forward for good purposes, identity card systems hold many risks to values that we hold dear like privacy and civil liberties. Given the wonders of technology, people often imagine ID cards to be a panacea for a wide array of economic and social problems, and they imagine that ID card systems advance national security goals like protection from terrorism. ID card systems are not suited to many of these goals, and uniform ID systems compromise or threaten important values.
Luckily, the DC One card program does not have such grand aims. As the program exists today, I’m happy to report that I have found little to criticize in it. The DC One card can help avoid some of the expense of operating multiple card systems among multiple agencies without creating a surveillance system in the process. However, I will caution against future expansions of the program.
First, let me say how glad I am that you are examining the DC One card program early in its life. Many of the programs and systems I deal with at the federal level have been planned or operating for years, or they are products of congressional action that lacked sufficient deliberation and that Congress does not want to revisit. Sometimes both!
Because decisions about them were made without regard for privacy and civil liberties, and because they have inertia, these programs will be the subject of policy battles for years. Millions of dollars will be wasted on these unacceptable programs as they die long, slow deaths.
Your care in examining and continuing to monitor the DC One card program can help avoid conflict with civil liberties and privacy, basic values of this country and community. The end result can be a program that meets your efficiency objectives because it enjoys widespread uptake.
Understanding Identification: Economic and Social Glue
Identification and credentialing is complex. It is important to understand in some detail the policy issues a card system like the DC One card might encounter.
First, think of identification and identity cards as economic and social glue. Identification is what holds people and organizations together when they want to deal with one another. Quite simply, for example, having a library card makes it easier to use a library, and it helps the library administer its processes. You only have to think for a minute how difficult life would be if we had to get reacquainted with someone every time we met, or if we had to prove everything about ourselves to a government agency each time we dealt with it.
More precisely, identification allows people and organizations to keep records about each other, picking up where they left off when they encounter one another a second, third, fourth, or subsequent time. This is essential to have a well-functioning society.
The problem with identification, though, particularly as we move into the digital age, is that it can get a little too “sticky.”
Think about how we constantly vary the information we share in our personal dealings. A simple example is the person who declines to give another person a phone number, or who shares her work number rather than her home number. This is an important protection, allowing us to maintain separation from people and entities we may not want to deal with.
Many digital identification systems are unresponsive to these needs. They will identify a person more accurately than is needed and provide the relying party (the one “checking ID”) with information that is not relevant to a transaction. Imagine shaking hands with someone at a party and finding him instantly transported to your living room with your photo album in his lap. This is at least discomforting, and a threat to civil liberties in the governmental context. It is what digital identification systems often do.
Privacy and Data Security Risks
To be a little bit more precise about these privacy risks, I characterize them as “in system” and “out of system” risks.
“In system” refers to the card system itself. Does the card issuer collect just enough information to provide a reliable identification in the circumstances, or does it collect more information than is needed? A card system that has many uses, that has “high-value”/high-security uses, or that is part of a “federated” system will often require and contain more information than any one transaction requires.
Drivers’ licenses and the budding national policy of “one driver-one license” bring all these dynamics together. Through inadvertence, the driver’s license has become not just proof of entitlement to drive, but also proof of identity for financial transactions, proof of age, and even (mistakenly) a national security document at the airport, among many other things. Getting a driver’s license now requires a deep dive into biographical information, collection of identity documents, and increasingly collection of biometrics.
Because there are separate licensing entities around the country, a “one driver-one license” policy will require all jurisdictions to share a great deal of data with other jurisdictions to make sure people aren’t licensed to drive in two places. This system is an orgy of data collection and data sharing. Pity the poor soul who just wants to be able to drive a car.
“Out of system” privacy risks refer to the data that a system allows a relying party to collect. Many state drivers’ licenses have a 2D bar code that quickly conveys in digital form not only the information printed on the card, but other information too. The 2D bar code standard selected by the Department of Homeland Security for compliance with the REAL ID law includes race data, for example, and the Department’s rules did not bar states from including race information. This could be collected and databased during any transaction in which someone is required to share his or her driver’s license.
The scan of digital information from a driver’s license is just the beginning. This data will be combined with “meta-data”: the time and location at which the data was collected, the purpose for which it was collected, and so on. Throughout a person’s day, multiple scans of a license can create a digital trail, revealing much about a person’s interests, preferences, and habits, as well as his or her associates if they, too, are leaving digital trails.
As yet, driver’s licenses aren’t scanned very often, but it will happen much more often if a nationally uniform driver’s license is created. A nationally uniform system will create economies of scale around scanners, middleware, and database technology to capture driver license data and meta-data.
Additional problems arise in these systems when “high-value” transactions are placed on them. If having a certain card will give someone access to benefits or payments, if having a fake card can facilitate fraud, and so on, attacks on that card system will predictably rise. Efforts to match the value of having a card will go into creating forged cards, using forged documents to get real cards, or corrupting card-issuing officials to get one. These attacks create not only problems for the direct victims of fraud, but for the people whom fraudsters may impersonate.
When a card system moves to high-value uses like the transfer of funds, access to employment, and so on, myriad attacks on the system, countermeasures, and counterattacks will deeply complicate things. In the process, the privacy of the citizen can be ignored or overridden.
A Modest System With Minimal Privacy Risks
Luckily, the DC One card program is not so grand a system. Though valued by the community, access to recreational facilities, schools, and summer work programs are not the “high-value” uses that will inspire fraud and forgery.
This means the DC One card program can do “light touch” identification, a simple photo and some contact info, and that is all it does. As noted in its privacy policy, the DC One card system collects 1) contacts: name, address, telephone number; 2) gender; 3) date of birth; 4) last 4 digits of SSN; 5) agencies/programs that use the card; and 6) card number.
To be perfected, the privacy policy should probably include mention of the fact that the DC One card program holds a photograph of the cardholder, and DC One might examine whether gender, date of birth, and SSN information is needed to distinguish among users and administer the system. Lots of detailed information is required to distinguish among users in a system with 300 million people; a system for 600,000 does not require nearly as much data. Each data element should be examined to see what purpose it serves, and discarded if it doesn’t have uses that outweigh privacy considerations.
I was delighted to learn that the 1D bar code on the card contains only the serial number of the card. When a District agency scans the bar code, it uses this number to pull up its records about the person, and to assure that the person is entitled to access facilities, check out books, and so on.
This number is an identifier, of course, and if it were used throughout the local economy it would become a tracking number in the same way that the driver’s license can be, or that the Social Security Number is nationally in financial services and health care. But given the limited uses of the system today, this simple identifier is the data-minimizing way to administer access to various D.C. public services.
Given the appropriate simplicity of the DC One card program, the majority of the privacy issues I see are with the programs that use it. They hold the bulk of the data about their customers, and their policies should include providing users access to information about themselves and timely data destruction policies. The most secure data is the data that is never collected or that has been destroyed when it is no longer needed.
The Horizon: Keeping DC One Successful
My testimony has probably made obvious that identification and credentialing policies are complex. The complexities multiply rapidly when an identification system is put to new uses.
My advice, accordingly, is to use the DC One card system for the government services that it is suited to, but not to assume that its success in some areas will guarantee success in new ones. Accesses to libraries, school, and summer programs are important but “low value” uses, and you can get efficiencies by combining them on a single card. But converting this to a security card or smart card system, to a driver’s license, general purpose ID card, or using it to administer benefits will bring new complications to the system and new threats to privacy.
Adding new uses to the DC One card system should occur slowly and carefully, with due consideration to the type of use, the attacks it may draw to the system, and the privacy implications of securing the system against those attacks. You will probably find that the efficiencies made by trying to consolidate some card systems in the District drop off or are outweighed by other considerations like privacy and security.
A diversity of identification cards, card issuers, and credentials is not a failure of efficient government. It is a product of balancing efficiency with other important values like privacy, personal security, and civil liberties.
Congratulations again for examining these issues before you have encountered problems. Thank you again for inviting me to testify and for considering my views.