November 16, 2001
My name is Katie Corrigan and I am the legislative counsel on privacy at the American Civil Liberties Union (ACLU). The ACLU is nationwide, non-partisan organization with nearly 300,000 members dedicated to protecting the individual liberties and freedoms guaranteed in the Constitution and laws of the United States. I appreciate the opportunity to testify today on recent proposals to establish a national identification system or national ID card. Like all Americans, the ACLU supports efforts to ensure our security from terrorist threat; but we remain convinced that we need not sacrifice our civil liberties to protect safety. We believe our country can be both safe and free.
We ask Congress to use a three-prong analysis to promote safety and to reduce the likelihood that new security measures would violate civil liberties.
First, any new security proposals must be genuinely effective, rather than creating a false sense of security. Second, security measures should be implemented in a non-discriminatory manner. Individuals should not be subjected to intrusive searches or questioning based on race, ethnic origin or religion. Finally, if a security measure is determined to be genuinely effective, the government should work to ensure that its implementation minimizes its cost to our fundamental freedoms, including the rights to due process, privacy and equality.
A national identification card does not pass these basic tests. A national ID card would substantially infringe on the rights of privacy and equality of many Americans, yet would not prevent terrorist attacks. The ACLU strongly opposes the creation of a national ID card, whether the card is embodied in plastic, or whether the "card" is intangible - a sort of "virtual reality" card consisting instead of a government-mandated computerized database containing information about most people in the United States linked by a government-issued identifier.
Over the past few decades, proposals for a national identification system have appeared as a "quick fix" to a national problem of tracking one segment of the population or another, including immigrants and deadbeat dads. Since September 11, national ID proposals have been discussed in the media and in the Congress as possible counterterrorism measures. (See Appendix.)
NATIONAL ID CARD OR SYSTEM WOULD BE AN INEFFECTIVE COUNTERTERRORISM MEASURE AND WOULD SERIOUSLY UNDERMINE BASIC LIBERTIES
A national ID card or system would not be an effective counterterrorism measure. Instead, such a system could divert resources away from other counterterrorism activities and create a government bureaucracy that would undermine basic rights to privacy and equality.
First, national ID cards would create a false sense of security and divert valuable resources from other more effective counterterrorism efforts.
The rationale for creating a national ID system post-September 11 is to create a clear line between "us" (innocent people) and "them" (dangerous terrorists). Everyone would like an ID card that would put them squarely on the right side of the line and exempt them from suspicion and heightened security scrutiny when they board a plane or go to work.
Unfortunately, none of the proposed identification systems would effectively sort out the "good" from the "bad." First, an identification card simply confirms that you are who you say you are. It does not establish motive or intent to attack a plane. All 19 of the September 11 hijackers had social security numbers (SSNs), although not all of them were legitimate. One of the hijackers was listed in the San Diego phone book - both name and address. And still others rented automobiles with their debit cards and lived in suburban Florida neighborhoods. But only a few of the hijackers were on FBI watch lists. An ID card would simply have reaffirmed the hijackers' real or assumed identities. It would have done nothing to establish their criminal motives for renting cars and going to flight school.
Second, an identity card is only as good as the information that establishes an individual's identity in the first place. It does not make sense to build a national identification system on a faulty foundation, particularly when possession of an ID card would give you a free pass to avoid heightened security measures.
No form of documentation is completely foolproof. There are always ways to beat the system. Presumably, an individual would obtain an identity card using documents such as a birth certificate or driver's license. Anyone, including terrorists, could falsify or forge such documents. The Inspector General of the Social Security Administration testified last week that six of the hijackers obtained SSNs through fraudulent means.1 And, at least one person who is a suspected associate in the September 11 attack has been indicted for using false information to obtain a SSN. In addition, a national ID card would do nothing to sort out domestic terrorists. As a US citizen, Timothy McVeigh would have certainly qualified for a national ID.
A national ID system would inevitably foster the blackmarket in fake identification. For instance, in 1990, several DMV employees in Virginia were indicted for selling possibly thousands of drivers' licenses to illegal immigrants in violation of the law.2 The creation of these cards and supporting infrastructures create new risks of insiders issuing phony IDs and outsiders gaining access. There is always the potential for misuse by individuals in any large organization.
At best, a national ID would serve as a placebo to make us all feel better when we show the card at the airport, a turnpike tollbooth, or at our workplaces. At worst, the ID card would create a false sense of security and divert resources from other more productive counterterrorism activities. In 1998, General Accounting Office (GAO) reported that mass issuance of counterfeit-resistant Social Security cards would be very expensive.3 The Social Security Administration estimated that no matter what material the card was made from or what type of technology was used for security purposes, such as biometric identifiers, "issuing an enhanced card to all number holders using current procedures would cost a minimum of about $4 billion or more." And, even with the offer from Larry Ellison (Chairman and CEO of Oracle) of free database software, the processing costs alone of issuing new ID cards are estimated to be 90% of the $4 billion expense.
Second, national ID cards would provide a new tool for racial and ethnic profiling and lead to more illegal discrimination, not less.
The cards would provide new opportunities for discrimination and harassment of people who are perceived as looking or sounding "foreign." Some people have argued that ID cards would end racial profiling and other discriminatory practices. We need only look to history to see how "identification" requirements can impact the daily lives of Americans. The Immigration Reform and Control Act of 1986 required employers to verify the identity of potential employees and their eligibility to work in the U.S. The Act also imposed sanctions for failing to comply with the verification requirements. As a result, there has been widespread discrimination based on citizenship status and against foreign-looking American workers, especially Asians and Hispanics. A 1990 General Accounting Office (GAO) study found almost 20 percent of employers engaged in such practices. 4
A national ID card would have the same effect on a broader scale. Latinos, Asians, African-Americans and other minorities would become subject to more and more status and identity checks -- not just from their employers, but also from police, banks, merchants and others. The failure to carry a national I.D. card would likely come to be viewed as a reason for search, detention or arrest of minorities. This would mean certain individuals, including immigrants, would be increasingly vulnerable to a system that subjected them the stigma and humiliation of constantly having to prove their citizenship or legal immigrant status.
Third, massive databases of information are a direct threat to the privacy of average Americans and the basic freedom to move freely around our neighborhoods and towns.
A national ID system would violate the freedom Americans take the most for granted and the one that most defines our liberty: the right to be left alone. Unlike workers in Nazi Germany, Soviet Russia, apartheid South Africa, and Castro's Cuba, no American need fear the demand, "Papers, please." As a free society, we cherish the right to be individuals, to be left alone, and to start over, free from the prying eyes of the government.
As former California Representative Tom Campbell recently argued, "If you have an ID card, it is solely for the purpose of allowing the government to compel you to produce it. This would essentially give the government the power to demand that we show our papers. It is a very dangerous thing." 5
Internal Passports Required: A national ID card would set up the infrastructure for a surveillance society. Day to day, individuals could be asked for ID when they are walking down the street, applying for a job or health insurance, or entering a building. This type of daily intrusiveness would be joined with the full power of modern computer and database technology. If a police officer or security guard scans your ID card with a pocket bar-code reader, for example, will a permanent record be created of that check, including the time and location? How long before office buildings, doctors' offices, gas stations, highway tolls, subways and buses incorporate the ID card into their security or payment systems for greater efficiency? The result could be a nation where citizens' movements inside their own country are monitored and recorded through these "internal passports."
Misuse of Highly Personal Information: Once all of this information is in the government databases, there is no guarantee its use would be limited to protecting security. There are clear examples of how government-collected information has been used for purposes other than that which it was originally intended. For instance, the confidentiality of Census Bureau information was violated during World War II to help the War Department locate Japanese-Americans so they could forcibly be removed to internment camps. During the Vietnam War, the FBI secretly operated the "Stop Index" by using its computerized National Crime Information Center (NCIC) to track and monitor the activities of people opposed to the United State's involvement in the war.
Everyday privacy violations victimize average Americans and undermine public confidence in the government. Thousands and thousands of government officials and perhaps even private industry would have access to a massive database of personal information required to support a national ID system. Even now internal breaches of database information happen all the time at the federal and state levels. In 1997, the General Accounting Office found serious weaknesses in the IRS' computer security and privacy protections and a year later many of the problems remained.6 Just last week, a former top Chicago detective admitted to running a jewel-theft ring across several states for more than a decade. Prosecutors said the detective had used law enforcement and other databases to get information about the travel schedules of traveling jewelry salesmen.7 And, an investigation by the Detroit Free Press shows other types of abuses that can happen. Looking at how a database available to Michigan law enforcement was used, the newspaper found that officers had used it to help their friends or themselves stalk women, threaten motorists, track estranged spouses - even to intimidate political opponents.
Even an innocent mistake by a single government employee can have a huge impact on an individual's life. In the past month, the University of Montana accidentally posted the psychological records of 62 children on the Internet. Names, addresses, and psychological tests were posted along with intimate details such as the boy prone to "anger outbursts, gender identity issues" and bedwetting. The immediate impact of such disclosures includes embarrassment and humiliation or further psychological trauma. The long term impact could be depression, poor performance in school and, depending on which databases the psychological information ended up, it could come back to haunt children later in life when they are trying to find a job or get a security clearance.
Any one of these privacy violations would be magnified in the context of a national ID system. A national ID system would allow government officials to access information contained in numerous and unrelated databases through one centralized system. Fraud or mistake would no longer be limited to one state law enforcement database or one university's research files. Government employees could tap into a database that included all kinds of information about an individual - from tax returns to health care data to student loan information. One employee or one wrong keyboard stroke could send a person's entire file into public distribution.
Finally, national ID proposals ask Americans to trust that a massive identification bureaucracy would facilitate our way of life rather than undermine the freedoms we take for granted.
The scale of the bureaucracy required to implement a national ID system cannot be underestimated. Thousands of government employees would be required to develop, implement, and maintain the supporting computer infrastructure and technology standards and process the cards for every American. The SSA estimated the cost of issuing counterfeit-resistant social security cards at $4 billion. The Administration did not even consider, however, the cost of updating the picture or other identifier on the card over a person's lifetime, periodically replacing the magnetic or electronic storage technology to ensure reliability, or the simple costs of having to replace lost cards.8 In addition, this report did not consider the information database that would also have to be developed, implemented, and maintained.
What would happen if an ID card is stolen? What proof of identity would be used to decide who gets a card? What would happen if you lose your ID? An overnight business trip might have to be cancelled because you don't have the time to go through heightened security at the airport. You might not be able to drive across a bridge to work without ID that says you are who you say you are. Even worse, you might not be employable without proof of ID. And, what if you run out of your house to buy a quart of milk and forget your ID? If a police officer stops you, you would automatically be considered suspect.
Anyone who has had to correct an inaccurate credit history will understand how hard it could be to correct an error that has found its way into your national ID file. Error rates in government databases tend to be high. Internal Revenue Service data and programs have been found to have error rates in the range of 10 to 20%.9 And, according to the GAO, there has been a significant increase in identity theft over the years.10 It is estimated that 40,000 victims of identity theft must struggle each year to clear their names and fix their credit histories.
Even with biometric identifiers on each and every ID, experts say there is no guarantee that individuals won't be identified - or misidentified -- in error. Professor David J. Farber, a technology expert at the University of Pennsylvania recently said, "Biometrics are fallible."11 Fingerprints and retinal scans are reasonably reliable when used with an expensive reader. Other forms of biometrics such as hand readers and facial recognition, however, have high error rates. (See ACLU's Feature on Facial Recognition Technology at http://archive.aclu.org/features/f110101a.html.)
Under a national ID system, employee mistake, database error rates, and common fraud would not simply affect individuals in one area of life. Instead, problems with the ID system or card could take away an individual's ability to move freely from place to place or even make someone unemployable until the file got straightened out.
The proponents of a national identification system argue that our circumstances have changed since September 11, and now Americans must accept "a little less anonymity for a lot more security." Unfortunately, this trade-off is rooted in the false assumption that a national ID card would make us more secure and fails to account for the full range of civil liberties at stake in this debate.
HISTORY OF THE SSN POINTS TO PROBLEMS WITH NATIONAL ID SYSTEM
A "Golden Rule" of informational privacy is that information collected by the government for one purpose should not be used for another purpose without the consent of the person to whom such information pertains. The history of the Social Security Number (SSN) shows just how difficult it is for the government and private industry to abide by this simple rule. It also documents Congress' longtime resistance to national ID systems.
In 1935, the Social Security Number (SSN) was created solely for the purpose of tracking contributions to the social security fund. But as soon as 1943, President Roosevelt issued an Executive Order encouraging other federal agencies to use the SSN when establishing a "one system of permanent account numbers pertaining to an individual's person." In 1961, the Civil Service Commission began using the number to identify all federal employees. The next year the IRS required the number on all individual tax returns. And, by the mid-1960s, the use of the SSN exploded in both the public and private sector as the introduction of the computer coincided with the expansion of government assistance programs.
Based on reports from the Administration and congressional hearings, Congress realized the SSN posed grave privacy concerns for the American public. In response, Congress enacted the Privacy Act in 1974 based on a finding that the right to privacy was "directly affected by the collection, maintenance, use and dissemination of personal information by federal agencies," and that the increasing use of computers and sophisticated information technology "greatly magnifies the harm to individual privacy that can occur from any collection, maintenance, use or dissemination of personal information."
Of course, Congress has considered numerous proposals to institutionalize the SSN as a national ID and consistently rejected them. Most memorably, President Clinton proposed a health security card as part of his nationalized health care plan. Both proposals met strong opposition and became a symbol of big government.
Most dramatically, in 1996 the House of Representatives rejected national ID cards during the consideration of the Illegal Immigration Reform and Immigrant Responsibility Act (HR 2202, 104th Congress). Rep. McCollum (R-FL) offered an amendment "to make a Social Security card as counterfeit-proof as the $100 bill ? and as free and protected from fraudulent use as a passport."12 The Commissioner of Social Security opposed the amendment because the Administration was opposed "to the establishment, both de jure and de facto, of the Social Security card as a "National Identification document."13 The Administrator also pointed out that SSA already included most of the anti-fraud features of the $100 bill.
Most recently, in 1999, a left-right coalition worked with Members on both sides of the aisle to repeal a provision in the 1996 Illegal Immigration and Immigrant Responsibility Reform Act that effectively coerced every state to place SSNs on every driver's license.
The lesson of the SSN is that once Congress establishes an infrastructure for tracking citizens, even if privacy protections are included, efficiency-driven "mission creep" turns a limited tool into a broad-based assault on privacy.
CONCLUSION
Congress should not set us on a track that would undermine our privacy, threaten equality, and challenge our very understanding of freedom. The ACLU strongly believes that our country must be safe, but security measures must be effective and need not come at the cost of our fundamental liberties. Congress should reject national identification systems in any form.
Thank you for inviting me to testify today. I am happy to answer any questions.
APPENDIX:
NATIONAL ID PROPOSALS IN THE MEDIA AND BEFORE CONGRESS
The various national ID proposals differ in kind, but not in effect. Almost all of them would centralize individuals' highly personal information, such as tax information, health and social security information, and law enforcement data, into an integrated database. The government would issue individuals an ID card with a unique identifier that could access all of the various databases to confirm identity, run background checks, or administer government benefits.
National ID Card Proposals
"The Ellison National ID" Proposal: Larry Ellison, Chairman and CEO of Oracle, has offered to provide the US government with the necessary software to build a national identification system. Ellison recently wrote in the Wall Street Journal, "[t]he single thing we could do to make life tougher for terrorists would be to ensure that all the information in myriad government databases [at the federal, state and local level] was integrated into a single national file."14 This database could be connected to a digital ID card that would replace Social Security cards and drivers' licenses. It could also be used to speed up the security check-in at airports and used by private industry for company ID cards.
"The Dershowitz National ID" Proposal: Professor Alan Dershowitz has provided fewer specifics on his national ID proposal, but would appear to agree with Ellison's general concept. A national ID would not be mandatory, but it would "allow [individuals] to pass through airports or building securities more expeditiously, and anyone who opted out could be examined much more closely."15
National ID Card Proposals by Another Name
No Member of Congress has introduced legislation that would implement a national ID system or ID card. Instead, there are several proposals that would establish a national ID card or system through the "backdoor" of other proposed legislation.
"The Trusted Passenger" National ID: Section 109 of the House air security bill, H.R. 3150 the "Secure Transportation for America Act," allows the Department of Transportation to implement a "trusted passenger program." The text of the legislation fails to detail the elements of the program, but its purpose would be to expedite airport screening by establishing the identity of "trusted" passengers through the issuance of an ID card. The ACLU explained in a letter to the air security conferees last week that the trusted passenger program could easily be extended to all types of travel, making it more difficult to move freely around the country, a state, or even a locality without such a trusted passenger ID. As a result, the trusted passenger program could become a de facto national ID system, requiring Americans to carry an internal passport with them wherever they go. This sytem won't stop terrorists. Too often, "trusted passengers" simply can't be trusted.
The Air Transport Association National ID: Last week, the Air Transport Association, the industry group for airline carriers, announced its support for a similar "National Traveler's ID."16 CEO Carol Hallett called on the federal government to develop a "constantly refreshed" database that would include law enforcement data, immigrations and customs information, treasury and financial data and "any other databases the government requires." Not unlike Ellison's proposal, the "Federal Information System" database would go along with an ID card containing biometric identifiers and other anti-counterfeit technologies.
Once such a massive database is established, the traveler's ID wouldn't be limited to aviation security for long. Hallett herself said, "All of the activities I have described ultimately should benefit homeland security and national security, not just aviation security."
Feinstein/Kyl National ID Starter Kit: Earlier this month, Senators Feinstein and Kyl introduced the "Visa Entry Reform Act of 2001" (S. 1627). The purpose of the bill is to strengthen counterterrorism efforts at our borders and in the visa process. The bill includes a centralized "lookout" database that would contain information about foreign nationals crossing the border into the United States. In addition, the Feinstein/Kyl bill establishes a "SmartVisa" card to make newly issued visas tamper-proof and counterfeit-resistant using biometric identifiers.
Section 7 of the Feinstein/Kyl bill, however, goes far beyond immigration policy and mandates uniform procedures for identification cards and other government documents used by average Americans. The bill clearly contemplates the "next step" toward a national ID.17
Section 7 requires the Attorney General to establish uniform procedures to "prevent fraudulent use and alteration by tampering" for "newly issued identification documents, licenses, and permits" issued by the Department of Justice, Department of Transportation, Department of Health and Human Services, and the Social Security Administration.
This provision would require the federal agencies to follow a uniform identification system for individuals obtaining government services including Medicare payments and social security benefits, or other permits and licenses. Section 7 also requires state and local governments to meet the federal requirements for any state or local identification documents subject to "Federal requirements or standards." That means the federally-mandated uniform identifier would apply to documents such as state-issued commercial trucking licenses or professional medical licenses subject to federal minimum standards.
This provision lays the groundwork for the implementation of broad-based uniform identification requirements (i.e. a national ID system) at the federal, state and local level. Congress already rejected a similar mandate to the states when it repealed Section 656(b) of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996.
Driver's License National ID: The American Association of Motor Vehicle Administrators (AAMVA) has advocated a national standard for state drivers' licenses. The proposed standards include both uniform identification requirements for the holder of the driver's license, including name, address, and personal characteristics, and uniform technology standards for additional data storage on the card, such as bar codes and optical memory.
The AAMVA itself has stated its proposal for standardized drivers' licenses would effectively create