Review: Paper Titled "Security Document Theory" by James Moyer

Someone accidentally sent me a link yesterday to a security document that I was meant to read. I read the document (located here) and later discovered he sent me the wrong link. Overall the paper is well-written and has some strong theories behind it. I did have some concerns over this paper which I can address here.

Originally I sent this back to the person that forwarded the wrong link to me:

“…You had a line that said “…photo ID cards offer the terrorist all new weak points for exploitation”. Did you use the word terrorist (since the paper didn’t seem to be about terrorism (which then it would be forgiven in my viewpoint)) because of the heart-strings you felt it would tug at? Wouldn’t a better line to keep the document a bit more politically neutral be something along the lines of “photo ID cards offer possible weak points for exploitation”, or using the term fraudsters as you do later in the paper? I don’t like the term terrorist since it has connotations that have widely been twisted since 9/11, and theoretically under some interpretations of the PATRIOT Act writing this paper and examining possible weaknesses and publishing it could be a borderline activity (I don’t believe that, but a strict interpretation of the law could be taken as such).

Machine-readable weaknesses could greatly be strengthened by not relying on a local computer but going to a central database while bringing up the picture on the screen, like advanced documents, leading into a two-factor authentication of machine then person verification instead of the other way around of a casual glance – this way the authenticator looks at it twice. I don’t like the idea of a centralized authority and I’m against a national ID card for this reason – the privacy concerns are immense. The simplest way would be, when the card is printing, to place an MD5 hash that would need to match one printed holographically on the front of the ID. This way education would teach us (verifiers in general) that to verify the ID we scan it and then type in the PIN that should match against the MD5 hash on the magnetic strip. This allows us infinitely more security than we have now without the privacy loss implications of a centralized authority.

Document fraud is always going to continue as long as belief in the privacy and rights of the individual exists. Document verification does not necessarily make our government more secure. While some of the 9/11 terrorists had expired visas, others had perfectly valid, non-forged ones. If we track back history to the last major terrorist attack before that, the Oklahoma City bombing, that was done by an American who I suppose had valid, accurate documents. …”

As you can see by the verbiage I used and the fact that I didn’t pay extreme attention at first, I had mistakenly thought the person that sent the link was the author. He was not, and told me he couldn’t speak to the points contained within the paper. Fair enough.

I stated most of my points in my above email excerpt; however, one thing started nagging at me later (the same nagging that urged me to write this post). The author fails to take into consideration (or glosses over the fact in his paper) the inherent insecurity during the migration period. While border guards, guards at federal government facilities, and TSA representatives can be well-trained ramping up to the launch of new identification, the populace at large would not have the same training.

Because the population at large would be vaguely aware of a new system but not sure of the details of what to look for, this opens up a window of opportunity for larger fraud to happen than what happens under the current system. I remember businesses having issues accepting the $20.00 bill when it was redesigned, since many people thought it felt like play money and looked phony. While they usually (reluctantly) accepted it, I’m sure there was a good opportunity for counterfeiters during the weeks/months that followed.

Now, if you notice, above I mentioned federal agents; local police are normally no better at detecting these things. If they called it in they may get confirmation, but some police departments are lax and don’t follow a unified procedure. For an example of this idiocy, please track down Steve Wozniak’s stories about having issues with the police saying his $2.00 bills were phony, when a store manager who didn’t believe $2.00 bills existed asked the officer that came into the store.

I’m not saying we should stay the course during all of this, and some states should have a stronger anti-tampering mechanism. The realID effort trying to come to fruition is one attempt at the federal level to do this. I don’t believe in the realID system since it erodes our personal liberties, so I don’t think there should ever be a central authority. I could go on and rail about the realID system – but you should search “ron paul realID” and hear that man’s thoughts on the issue.

Finally, there is the cost of this reimplementation of identification papers. This is something completely absent from the document. If you look at the numbers for implementing the realID system, you can see the absolute cost that this will cost you for very little security in return.

“The man who trades freedom for security does not deserve nor will he ever receive either.”
– Benjamin Franklin