Last Friday, Senators Charles Schumer (D-NY) and Lindsey Graham (R-SC) outlined a proposal for immigration reform. At the top of their immigration reform agenda? A national, biometric identification card for all workers, citizen or immigrant. From the article:

We would require all U.S. citizens and legal immigrants who want jobs to obtain a high-tech, fraud-proof Social Security card. Each card's unique biometric identifier would be stored only on the card; no government database would house everyone's information. The cards would not contain any private information, medical information or tracking devices. The card would be a high-tech version of the Social Security card that citizens already have.

This proposal should grit the teeth and narrow the eyes of anyone who has carefully considered the dangers of a national, biometric-carrying identification card scheme. Like other national ID proposals, this one seems to naively assume that technology and federalization can provide an across-the-board "upgrade" to existing identification schemes, when in reality it spawns a beastly tangle of complex issues. On the CATO@Liberty blog, Jim Harper dissects the many reasons why the national biometric ID plan is "gratuitous and punitive." EFF shares the view that the proposal is deeply problematic — unpacking each of the statements in the paragraph above reveals many pitfalls.

"We would require all U.S. citizens and legal immigrants who want jobs to obtain a high-tech, fraud-proof Social Security card." Unfortunately, "high-tech" and "fraud-proof" are far from synonymous. Technologies intended to keep information secure are regularly compromised — meaning that a permanent, national scheme will be breathtakingly expensive to develop and maintain securely. Moreover, any high-tech security would be rendered moot by the weakest link — the individuals who will be collecting data and issuing identification. Those individuals can make mistakes, and they may also allow and perpetuate fraud or identity theft. If, as the senators suggest, this card is to be a prerequisite to simply make a living, then there will be an extremely high demand for fraudulent documents, and "high-tech" itself won't stop forged, stolen, or "creatively obtained" documents from being circulated.

"Each card's unique biometric identifier would be stored only on the card; no government database would house everyone's information." The senators are wise to propose that no government database would house everyone's information — no government database should. But we're very skeptical that the government wouldn't later find it to be overwhelmingly convenient to collect the information (perhaps even to aid enforcement of the immigration regime itself). Indeed, it's hard to understand how the system would function properly without checking a large database (or set of databases) for matching a name to the biometric data. The Privacy Lives blog gives a simple example: imagine an fraudulent ID card with someone else's biometric data, but your name. To prevent this from happening, there would probably need to be a database of some kind to check for validity.

Biometrics raise a host of issues, especially in the national ID context. As security expert Bruce Schneier has noted, "[Biometrics] don't fail well. Passwords can be changed, but if someone copies your thumbprint, you're out of luck: you can't update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you're stuck."

Moreover, Schneier adds:

[B]iometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. Regularly, hackers have copied the prints of officials from objects they've touched, and posted them on the Internet. We haven't yet had an example of a large biometric database being hacked into, but the possibility is there. Biometrics are unique identifiers, but they're not secrets.

In any case, a federalized, mandatory identification scheme will be subject to mission creep from third parties. Because of the ID card's proposed universality, it will likely be requested and required by airlines, insurance agencies, health care providers, mortgage lenders, credit card companies, and so forth. Those databases will become yet another high value target for hackers or again, unscrupulous individuals with valid access, and if biometric identification becomes the norm, the cost of losing control of your biometric identity information will probably be greater than today's identity theft.

"The cards would not contain any private information, medical information or tracking devices." It's important that they're recognizing that radio frequency identification chips (or RFIDs), are a disaster for holding data intended to be private or secure. But let's be clear that a persistent identifier itself can be used for tracking. If third-party organizations wind up keeping track as we posit, then a simple subpoena or warrant could reveal when you got your job, when you signed up for a credit card, or when you started seeing a specialist physician. Simply put, the lack of a dedicated "tracking device" does not equate to a lack of tracking.

This proposal is particularly worrisome because the heated emotions around immigration reform might drown out rational considerations about the effectiveness and cost of a biometric national ID card, not to mention the dire affront to personal freedom presented by such a scheme. EFF will be keeping an eye out for more details, so stay tuned.