Senator Ernest F. Hollings
Chairman
Commerce Committee
United States Senate
254 Russell Senate Office Building
Washington, DC 20510-6125
September 19, 2002
Dear Chairman Hollings:
In today's markup, the Committee should delete Section 302 of S. 2949, the ""Aviation Security Improvement Act."" This section would allow the Transportation Security Administration (TSA) to establish ""identification verification technologies,"" including facial recognition and other biometric identification technologies, for the screening of airline passengers. This type of nationwide biometric identification system would not increase security and would pose a serious threat to privacy and civil liberties.
To be clear, there is no doubt that Federal government has a compelling interest in making air travel safe. Certain security measures may be necessary. Last year, the ACLU supported a number of security measures in the Aviation and Transportation Security Act, including limits on the number of carry on bags, matching all baggage with passengers, increased training for airport security personnel, strict control of secured areas of airports, and fortification of cockpit doors.
Before implementing any security measure, however, the government must answer two basic questions. First, does the proposed security measure actually work? And, second, is there an alternative, equally effective security measure that would be less intrusive on civil liberties? The government must ensure it is meeting its obligation to make America both safe and free.
Section 302 fails to pass this test. The proposed verification technologies would not effectively establish the identity of airline passengers but would pose a serious threat to civil liberties by establishing a massive nationwide identification system.
Section 302 would allow the Administration full authority to establish a massive identification system:
Section 302 would permit the TSA to require the installation and use of ""identification verification technologies"" to assist in the screening of air passengers. Such technologies may include identification scanners, facial scanners, biometrics or other technologies the TSA considers ""appropriate.""
This language provides the Administration a blank check to create a nationwide identification system for every air traveler in America. There is no limiting language whatsoever in the bill. TSA could say ""nobody can fly freely unless they use a card we issue, give up a sample of their DNA, and waive their right to privacy in every public or private database containing personal information about them"", thereby authorizing the TSA to do what it will with the information. Innocent people who fail to get or apply for the card would be subjected to heightened security measures (and major delays) as if they are potential terrorists. Because the bill imposes no limits, it authorizes all identification measures, including issuing special cards. Once such a card is issued, its uses would inevitably expand. Every landlord, bank, potential employer will want to rely on the card as well as other government agencies.
One reaction to the terrible events of September 11 was renewed discussion about instituting a national ID as a counter-terrorism measure. Although national ID proposals received fierce debate in the fall, the Administration and Congress wisely rejected them. Direct passage of a national ID card, however, is only one possible path to such a system. In a recent report, the nonpartisan National Research Council (NRC) did not limit its assessment of ID systems to those plainly labeled ""national ID."" The NRC called the trusted traveler program and other recent identification proposals ""nationwide identity system[s].""[1]
Section 302 would result in a false sense of security:
Identification systems are only as good as the identifier and biometric technology is fallible; there are always ways to beat the system. Recently, a German magazine tested several different types of biometric identification systems, including facial recognition, fingerprint devices, and iris scans and was able to circumvent all of them. The fingerprint scanner was outsmarted by a person who breathed on the sensor's surface and was also duped through the use of adhesive film (similar to scotch tape) and some resin; the iris scan was fooled by a photo image of one person's iris held up in front of another's person's eye. In addition, in every biometric application there is an inherent tension between security and convenience. Manufacturers of biometric identification systems must decide up front whether to ""set his fault tolerance limits very narrowly, this increases the system's security[;] the user-friendliness of the system, however, is likely to decline in proportion.""[2] Thus, the more secure a system is, the less useable the ID card.
Another example of biometrics gone wrong came out of a Japanese researcher's lab. Using the same substance as found in gummi bears and some cheap kitchen supplies the researcher was able to fool a fingerprint detector about 80% of the time.[3] And, in Boston, several researchers defeated smart card technology using a camera flashgun and microscope to extract secret information widely used in smart cards.[4]
And yet, S. 2949 suggests these very technologies are entirely appropriate. Most glaring, the bill promotes facial recognition, a technology that the Department of Defense itself found to have very high error rates even under ideal conditions, where the subject is staring directly into the camera under bright lights.
In addition, the same National Research Council report outlines pages and pages of technical, policy, bureaucratic, privacy and civil liberties questions that would need to be answered before effective implementation of a national ID system. The first question, of course, is ""whether establishing and verifying identity is either necessary or sufficient for achieving any of the desired objectives of the system."" In other words, would an ID system solve the problem? Last November, the Aviation Security Biometrics Working Group Steering Committee Analysis concluded that the ""cost, implementation, and privacy issues strongly suggest that this approach [a biometric identity verification card for airline passengers] should not be high on the priority list for aviation security."" And, that in any case, Congress should make decisions of this ""magnitude.""
Section 302 responds to National Research Council's report and the Working Group's recommendation in a mere 26 lines of legislative text. It fails to make any of the weighty decisions that must be made and simply sends them over to the TSA. It imposes no privacy limitations whatsoever on the use of invasive identification technologies. It authorizes the government to invest a huge amount of resources in technology that has in many instances been proven unreliable to accomplish the security goal.
Section 302 would threaten privacy and civil liberties:
The civil liberties debate on national ID proposals is well documented.[5] A national ID would require Americans to carry an internal passport at all times, compromising our privacy, limiting our freedom, and exposing individuals in the United States to unfair discrimination based on national origin or religion. Section 302's massive biometric identification scheme would be the basis for such a system. An individual's unique identifier would be the key to the ID system. And, this type of identification system would inevitably be used for other purposes both in government and the private sector, further eroding individual privacy.
Conclusion
National identification systems are highly complex and controversial. Congress should not punt to the Administration on this important question through an ill-considered, quickly debated measure. The Committee should delete Section 302 of the ""Aviation Security Improvement Act.""
We look forward to working with you on effective security measures that make us both safe and free.
Sincerely.
Laura Murphy
Director
Katie Corrigan
Legislative Counsel
CC: Senate Commerce Committee
ENDNOTES
[1] Stephen T. Kent & Lynette Millett, eds., IDs-Not That Easy, Questions About Nationwide Identity Systems, National Research Council, 2002.
[2] Lisa Thalheim, Jan Krissler, Peter-Michael Ziegler, Body Check: Biometric Access Protection Devices and Their Programs Put to the Test, c't, Nov. 2002 (""? the products in the versions made available to us were more of the nature of toys rather than of serious security measures. If it does not want to gamble away the trust in biometric technology right from the start, the line of businesses should not treat the security needs of its customers quite so thoughtlessly.""). See also Jay Stanley & Barry Steinhardt, Drawing a Blank: The Failure of Facial Recognition Technology in Tampa, Florida; An ACLU Special Report,"" Jan. 3, 2002 (http://archive.aclu.org/issues/privacy/drawing_blank.pdf).
[3] John Leyden, Gummi Bears Defeat Fingerprint Sensors, The Register, May 16, 2002.
[4] John Markoff, Vulnerability is Discovered in Security for Smart Cards, N.Y. Times, May 12, 2002.
[5] A broad and diverse coalition of over 40 national organizations, including the Citizens Committee for the Right to Keep and Bear Arms, the American Conservative Union, and the National Council of La Raza, wrote letters opposing both the American Association of Motor Vehicle Administrators' (AAMVA) proposal to standardize state driver's licenses and H.R. 4633 as national ID proposals and ineffective security measures. See letter to President Bush dated February 11, 2002 at http://archive.aclu.org/congress/l021102a.html and letter to Chairman Young dated June 27, 2002 at http://archive.aclu.org/congress/l062702b.html.