1996-03-29 - Re: The Law Loft: Surviving the Biometric I.D. Card

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: f06ff665d625fea202a40d32cb6df79139c02949242d51a80da21531260dbfdf
Message ID: <199603281944.LAA20391@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1996-03-29 07:56:15 UTC
Raw Date: Fri, 29 Mar 1996 15:56:15 +0800

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Fri, 29 Mar 1996 15:56:15 +0800
To: cypherpunks@toad.com
Subject: Re:  The Law Loft: Surviving the Biometric I.D. Card
Message-ID: <199603281944.LAA20391@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


I have been surprised not to hear more about this aspect of the
immigration reform laws.  Unfortunately the alert which Tim forwarded
is out of date, and I believe the reforms did pass in some form.  I
view biometric identification as a very disturbing development and
I'd like to hear more about the wording of the bills as finally passed.

If they really want to give people a card which proves their legal
residence in the US, a less intrusive approach is possible.  Rather
than set up a database of all employees, and/or give each person an
official identity card, instead have people come and prove their residency,
then give them a card with the biometric information and a blind signature.
No other information goes on the card, no information goes into a
database.  The signature is a certificate testifying that the person
with the particular thumbprint is legal to work in the US.  The card
can't be transferred since no one else has that thumbprint.  But no
identifying information is recorded.  There is no advantage in people
coming in twice to get more than one card since their print will be
the same each time, so no database is needed.

A simpler approach dispenses with the blind signature and just issues a
regular signature on the thumbprint or other biomarker.  This is about as
good since proving residency will probably require at least an incidental
display of identity papers, so you are already trusting the agency not to
log you, and you can just as easily trust them not to log the signature.

This is an approach which accomplishes the goal with a minimal intrusion
into people's privacy.  I don't know how it compares with current
biometric concepts - maybe this is similar to what they are proposing,
minus the database.  But there is a general principle that government
regulations should use the least restrictive means where they violate
people's rights, such as the serious privacy violations in the current
proposals.  So I think it should be possible to make a strong argument
that privacy protecting alternatives which accomplish the objective must
be considered.

The key concept is to unlink identity from the credential.  That is the
crucial idea of credentials, one which has not yet penetrated the
popular consciousness.  Maybe we need to start pushing it more.  You
don't have to prove your identity to prove you have certain
qualifications.  There is no need to tie everything to a central
identifier.  A system of dispersed, stand-alone credentials will be far
better at protecting privacy.  Blind signatures can help protect against
cheating, but policy can work too, especially when credentials are issued
by a public agency on a large scale, so systematic and secret record
keeping is impractical since so many people are involved.

I know a lot of people will oppose even this form of biometric
information, which is not tied to identity.  Perhaps we could have some
discussion on the degree to which people see this kind of system as a
privacy threat.  If the credential concept is new we could discuss that,
too.

Hal
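
The blind-signature issuance described in the message above, as an added example that is not part of the original post: textbook RSA blinding (chosen here as an assumption, since the message names no algorithm) over a hash of a thumbprint template, with the holder, agency and employer roles as separate functions. The toy key, the constructed template bytes, all function names, and the premise that a thumb yields a stable byte-exact template are assumptions; how the agency confirms that the blinded value really encodes the applicant's thumb is left out.

```python
import hashlib
import math
import secrets

# Toy agency key from two known Mersenne primes (constructed for this example).
# Demo only: far too small and too structured for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # agency's private exponent

def digest(template: bytes) -> int:
    """Map a biometric template to an integer mod N (no padding scheme, for brevity)."""
    return int.from_bytes(hashlib.sha256(template).digest(), "big") % N

def blind(m: int):
    """Holder: hide m behind a random factor r before handing it to the agency."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def agency_sign(blinded: int) -> int:
    """Agency: signs the blinded value after checking residency; stores nothing."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Holder: strip r, leaving an ordinary RSA signature on m."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(template: bytes, sig: int) -> bool:
    """Employer: fresh thumb scan plus the card's signature, no database lookup."""
    return pow(sig, E, N) == digest(template)

def issue_card(template: bytes):
    """Run the issuance; return (value the agency saw, signature stored on the card)."""
    m = digest(template)
    blinded, r = blind(m)
    return blinded, unblind(agency_sign(blinded), r)

if __name__ == "__main__":
    thumb = b"constructed-template:minutiae-0017"   # stands in for a real template
    seen_by_agency, card_sig = issue_card(thumb)
    print("verifies for holder:     ", verify(thumb, card_sig))
    print("verifies for other thumb:", verify(b"constructed-template:other", card_sig))
    print("agency saw card message: ", seen_by_agency == digest(thumb))
```

The "simpler approach" in the message corresponds to calling `agency_sign(digest(thumb))` directly, which yields the same card signature but lets the agency see the value it signs.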




