The world of identity cards evolves around making a safer card for less money. The essence of ID-cards is that on the one hand they are easy to use for the holder and on the other they make it harder for criminals to abuse someone’s identity. We seem to forget why we issue these cards and the basic question should therefore be: do we really need an identity card? In this article Clemens Willemsen sets out to answer this question from a personal view.

The earliest known identification document, a passport from the Persian Empire, dates back to 450 BC. In the past when people lived in small communities, there was no need to identify oneself as everyone knew each other well. One could go to the bank and withdraw money from his or her account with just a bank book. As soon as people started to move around in larger communities where they were not known, the need for an ID-card became necessary to identify themselves. At first, the card mainly contained administrative data but over time biometric data such as a photograph and fingerprints were added to increase the ID card’s safety. Now the emphasis is on proving that the holder is the rightful owner of the ID card.

Issues with ID-cards
An ID-card is a useful means to identify oneself but can also be abused by criminals to take your identity or present themselves as a non-existent person. The card and its administration are a solution, but simply relying on them may also present a problem.

Here are two examples where things can go wrong:
• An ID-card is stolen before the authorities have issued it to you. Although they might block it, this is only helpful if the number of the ID-card is checked online when someone uses it. If the authorities fail to inform you about it, you might never be aware of the fact that it has been stolen. Cars and goods can be bought in your name and someone else can have access to restricted areas and retrieve private information. The traces of identity fraud lead to the victim and not to the abuser.
• When you are asked to show your ID-card, it is not always checked online, nor are the security aspects always verified, as it often takes trained staff and special equipment to do so.

The use of biometrics instead of ID-cards
Let’s imagine an ID-card free world where we don’t have to carry the burden of history but can focus on new solutions. We still need to be able to identify people and link a live person to an administrative person2. In order to do this we need to “enrol” a person the moment they are born, by measuring their biometric features and by linking these data to a new administrative person in the citizens’ database. Only in this way we can assure that a person is who he claims to be for the rest of his life. It is important that the enrolment is done by an official organization to establish a reliable identity. There are a number of prerequisites in order for biometrics to replace the ID-card completely:

Extract biometric features as soon as a person is born
It might not be socially acceptable to enrol a new-born baby. After all, nobody wants to disturb that special moment. But when the baby is still young, the time is right to take its footprint (as is already done in the US) and combine the biometric data with the administrative data such as its name and birth date. The Florida Child Identification Program (Ch*I*P) gives parents the option of having their baby’s blood drawn from its heel immediately after birth. The blood is placed on a specially treated paper to bond the baby’s DNA to the paper, which is then placed into a foil envelope and given directly to the parent or guardian. The procedure is the same for older children, except that the blood is drawn by a simple fingerprick. The officials claim that they do not keep any records or samples. The disadvantage is that only the parents know the biometric feature belongs to their child.

In May 2008, the former US president Bush signed into law a bill which will see the federal government begin to screen the DNA of all newborn babies in the US. Critics have described the move as the first step towards the establishment of a national DNA database.

Use multiple forms of biometrics
Use all available forms of biometrics such as fingerprints (reliable from the age of 12), facial photographs, iris scans, etc. As each form of biometrics has an error rate, it is best to use a combination of biometric features. A combination of features also makes it harder for a criminal to spoof. Additionally, when using a fingerscan, why not vary the finger that has to be put onto the scan? In that case criminals would need ten fake fingerprints to enter their identity.

Extract the biometrics in a trustworthy and internationally uniform way
The enrolment has to be done in a standard and global way, so countries can trust the ID of citizens from other countries. For this to work well, stronger EU and ICAO standards are required.

Check a person’s ID online
The infrastructure must be organized in such a way that the set of biometrics can be checked safely against the databases in an acceptable response span. In most modern countries this might not be a problem, but it requires networks and databases to be secure and online 24/7.

Update the biometrics that are subject to change in a person’s lifetime
Some biometric features such as facial geometry are subject to minor or major changes during a person’s life. It is therefore important to save these features every time verification takes place, to make sure that the biometrics data is up-to-date. The verification of someone’s identity has to be done as accurately as at the time of enrolment.

Use special forms of ‘internal’ and ‘live’ biometrics that cannot be faked
Certain forms of biometrics are more enhanced since they retrieve data from the inside of the body and consequently cannot be spoofed that easily. Examples of such biometrics are brainwaves and eye and hand vein patterns. Although these features are considered to be “flawless”, even these are not without errors, as all forms of biometrics are based on statistics. The finger vein and hand vein seem to have the future.

Looking ahead
Various experts3 believe that the use of biometrics will not replace an ID-card entirely, but will always function as an additional feature. On its own, the use of biometrics allows only for identification, since there is no unique key (one-to-many). An ID-card allows for simple verification because the card number or social security number on the card is a unique key (one-to-one). This number must be issued at an early stage of life to be used for the purpose of verification with biometrics. The future developments around ID-cards and the application of biometrics will be very interesting indeed.

References
1 A world without identity cards has been mentioned in “Identity fraud and digital capability” by Clemens Willemsen, published in the ICAO MRTD report, volume 3, 2008. This article elaborates on that thought.
2 This article focuses on live persons. In order to check the identity of a virtual person, for example in the case of an internet transaction, there are other issues involved that are not discussed here.
3 As shown in a questionnaire conducted by the author in 2008.

+ posts

Clemens Willemsen works for the Dutch Department of Justice and Security where he specialized for more than ten years in identity management and biometrics. This article is his personal view and does not necessarily reflect the point of view of the Dutch government or its respective departments. He is now a specialist on information security.

Previous articleSafe and reliable use of biometrics
Next articleComposite material, evolution in ID’s