Smart card, dumb idea: Biometric ID cards are bad for one reason: they're too hard to replace

THE OTTAWA CITIZEN
11/18/2002

Immigration Minister Denis Coderre has suggested that Canadians concerned about security debate the merits of a "biometric" national identity card. Civil libertarians are alarmed about the privacy implications of cards containing so much personal data. But there's another reason to oppose them too: bad engineering.

For the uninitiated, "biometric" cards use sophisticated technology to identify their bearers by some unique physical characteristic recorded on the card. To enter a restricted area, you have to have the card, and the eyeballs or fingerprints to match it. That makes these cards hard to counterfeit.

They're already in limited use by governments and businesses, and the Canadian Air Transportation Security Agency is considering them. But while biometrics" sounds cool, there is a broad problem. Security systems based on it may be unlikely to fail, but if they do fail, the consequences will be very serious.

No one likes failure, but between unpredictable events and predictable human stupidity, it happens a lot. That's why engineers, when designing any safeguard, must ask what the consequences of failure are. (They use the term "ductile" for a system that fails relatively "well" -- that is, in which any failure is either limited or can be fixed quickly. They use the term "brittle" for a failure that will have widespread consequences if things go badly.)

In a perfect world, for example, there would be no car accidents. But between bad weather and bad driving, accidents happen. So in addition to sophisticated vehicle and road designs, automotive safety experts build in a simple safeguard: the seat belt. Likewise, architects first try to design buildings that won't catch fire. But they also incorporate features to minimize the harm should a fire occur, such as smoke detectors.

The Atlantic Monthly recently profiled cyber-security expert Bruce Schneier, who devoted himself to devising theoretically foolproof computer systems -- until one day he realized he was doing it for clients who couldn't program their VCRs. Then he realized, and began to preach, the importance of "ductile" rather than "brittle" security systems. He puts biometric cards in the latter category.

Suppose, he says, all your data is encoded to your thumbprint, and someone hacks into the database. True, you can stop them from using it by cancelling it. But what next? "The bank can issue you a new card with a new number. But (with biometrics) this is your thumb -- you can't get a new one." Identity theft is bad enough with replaceable passports, bank cards and drivers' licences. With a biometric ID card, the only way to get rid of the stolen identity would be permanently to delete the legitimate one as well. That's a nightmare for governments and citizens.

Anyone who has seen the film Minority Report knows what he's talking about. In the movie, a character played by Tom Cruise, whose eyes are biometrically scanned all the time in his futuristic world, has to go to the trouble of getting an eye transplant when he wants to change his identity. Biometrics are definitely "brittle."

Recently, nearly 1,000 traditional Pearson International Airport passes were misplaced. Security supervisors quickly cancelled them (and eventually recovered them). If they'd been biometric, and stolen rather than misplaced, cancelling them wouldn't have been enough. You'd have had to change employees -- hire ones with different thumbs or eyeballs (or go the Tom Cruise route).

In seeking to protect Canada's national security, the specific measures will be as varied as the problems, but they must all share one characteristic. In addition to being designed not to fail very easily, they should be designed not to fail catastrophically.