Home
Up
Bloggers I Have Met

Privacy Policy

A UBID That Might Work

After spending many hours coming up with reasons why the proposed UBID could not be accepted into our society I realized there was another way.  This is my concession to that on the discussion list and the resultant debate.  A few posts have been omitted that were essentially irrelevant.

-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph K
Sent: Monday, January 12, 2004 5:02 PM
Subject: An outline of UBID that might work.


Over the weekend I was writing up all the deficiencies in a UBID in an effort to prove the concept could not succeed. It had slipped my mind that this is one of my favorite techniques to find a solution to a difficult problem. Turn the issue around and prove it can't be done rather than directly finding a method by which it can accomplished. Frequently the frame of reference shift will give new insights into the problem and a solution appears. And so it was with the UBID. There still are obstacles that may be insurmountable, but nearly all of my previous objections are overcome.

The two largest objections I had to the proposed UBID were that it made tracking of individuals by "Big Brother" possible and that attack of the central (or even somewhat distributed) database could result in catastrophic results for a society dependent on the functioning of that database for "clearance" in their day-to-day life activities. Both of these problem could be made to disappear by reversing the direction of the flow of information. Rather than the UBID holder, in essence, requesting permission on a transaction by transaction basis the UBID device holds the restrictions for that individual. Felony conviction on record? The UBID holder is no longer allowed to purchase firearms and explosives (as is in accordance with current law). Whenever a transaction occurs that must be logged (as in the case with firearms and explosives) the transaction is only logged at the transaction site -- it does not go back to the central database. This is similar to the compromise reached on firearms registration in the (U.S.) gun control act of 1968. Licensed sellers of firearms are required to keep records of their firearms sales (Federal Form 4473) which are required to be held for 20 years. Sellers of explosives have similar forms (Form 5400.4) and records retention requirements (permanent). The point is that if a government authority needed to obtain records of a particular traceable transaction then those records are available via a process and are, in essence, continuous oversight by the private sector. Widespread abuse of access to those records is simply not possible without widespread cooperation of the private sector. This is in direct contrast to what has happened with things like the census records being used to help locate Americans of Japanese descent during WWII and other more recent abuses of U.S. government records that were against the law but the perpetrators were given "a free pass" by the administration in power at the time. The UBID holder would only give permission for the logging of tracing information as needed. The normal mode for transactions would be anonymous with the only information given to the other party was that the UBID holder did not have a restriction for that product or service -- such as alcohol or tobacco sale.

I would further like to suggest that the central restrictions database only has a list of people with restrictions. They do not have a database of everyone who has a UBID device. This is similar in function to the National Instant Check System (NICS) currently used for verifying the legality of a firearm sale. If the person is not in the database then the firearms transaction is allowed. Convicted felons and people involuntarily committed to mental health facilities are currently entered into the NICS database and similar criteria could be developed for the UBID database. It might have all foreign nationals visiting the country and restrictions upon them, or an arrest could result in an entry that is removed if charges are dropped or they are found not guilty. The UBID device would "know" the date of birth of the holder and generic restrictions based upon age would occur without involvement of the central database. This greatly increases the privacy for the mass of the population that is law abiding and has an additional advantage that the central database is much smaller and easier to maintain. This enhances the chances the database integrity can be maintained because far fewer people will have need for modification access to it. This also maintains the model of presumed innocent until proven otherwise central to U.S. Constitutional law.

The restrictions on the UBID device need to be updated as things change. An outstanding arrest warrant or felony arrest and conviction would add restrictions. Or information of terrorist connections might place air-travel restrictions on the holder. My proposal would be that the UBID need to be updated periodically by connection to a central database. Or under certain conditions contact with law enforcement might cause an immediate update in restrictions -- such as an arrest for driving under the influence might add an immediate restriction against driving that would expire in 24 hours. Or a restriction on out of state travel might be put in place until after a trial. The normal expiration period for the validity of the UBID device might be something like 30 days. The UBID holder could at anytime connect his or her card to a internet connected computer and update the restrictions. The UBID device would be valid for another 30 days from the time of the update. The connection to the database could be done through one or more anonymous proxies located anywhere in the world such that the government entity providing the update could not know the originating IP address of the UBID holder. The UBID holder could see any changes to their restrictions before them being committed to the device. This would allow people with arrest warrants, in essence, advance notice of their status but it would also give people a chance to travel freely to escape religious/racial/political persecution or to challenge the change in restrictions through some sort of due process. The 30 day expiration would also allow for people to continue to function if the central database were attacked and was non-functional for some relatively short period of time. Restoration of the functionality of the database within hours would not be critical to the functioning of society. If people were to routinely update their cards every 15 days then two weeks of repair time would be available to the system administrators before a failure of the system would start to have a significant impact on the functioning of society. By that time alternate plans might also be put in place if it was not feasible to restore the functionality of the system.

There are several technical issues to be addressed such as assuring the updating of restrictions is not spoofed, counterfeiting of UBID devices, etc. but I think most of them have fairly well known solutions.

There are still unsolved (and perhaps unsolvable) obstacles:
The central database integrity. There will be thousands of people that provide information into the system. What sort of controls can be put in place such that restrictions could not be removed or added maliciously? The smaller the dataset can be made the less potential for abuse, but no matter the size of the database the problem exists.
A similar proposal for purchase of firearms based on a restriction notice placed on drivers licenses was objected to by the ACLU as having a high potential for abuse. If I recall correctly, the claim was that once the convicted felon had "paid his debt to society" they should not longer have a highly visible status in the general population. This system may also result in similar objections.
The population at large may simply refuse to cooperate. Canada's firearm registry is failing in part because of this. Most of the provinces have refused to enforce it because of the widespread opposition. It is estimated over 1 million firearms are not registered in defiance of the law. Only one conviction has been made because of their failure to registry a firearm. See http://www.globetechnology.com/servlet/ArticleNews/TPStory/LAC/20040107/REVIEWM07/TPTechInvestor for more details.
Does this really buy us anything that isn't already accomplished other ways? If it does, then does the money spent on this system represent the best return on investment in methods to solve the targeted problems?
Although I didn't consciously remember it until after I started working through the details there is a similar system being used today for real estate agents. A friend in the business explained the system to me last September. They have a card that is updated with permissions frequently (something like once a week or once a day) which allows them to open a box installed on the outside of a property. The box holds the key to the building's entrance and logs the transaction for later retrieval. This system may be patented by vendor.

I would also like to give credit to Henry Boitel for getting me "fired up" enough to try and prove him wrong about the workability of a UBID system. If some of my suggestions result in acceptance, implementation, then from there, somehow into a police state I would like everyone to blame Henry instead of me. :-)

Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA

509-375-2201

-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Tuesday, January 13, 2004 7:58 AM
Subject: Re: An outline of UBID that might work.


Joe,

It would be helpful to me if you would recast your firearms/explosives examples within the following analysis. I think you will find that the none of your issues are with the UBID, but rather with the substantive rules that will continue to be administered by the appropriate federal and state agencies separate apart from the UBID card or the UBID database..

You express valid concerns with regard to the treatment of data, However, the UBID system does not manage data beyond the enrollee's basic identification information and whether he is a citizen, resident alien or visitor, a convicted felon, a fugitive, a parolee or probationer with travel restrictions, a missing person or on an authorized watch list, alive or dead, whether presently adjudicated incompetent and whether presently a minor.

All substantive data bases whether they be of a government agency or private entity or entry to your car or home, are under the exclusive control of the entities that manage those data bases. For example, you go to your bank.

a) Swipe your UBID card at the ATM. By doing so, you are claiming that you are the person to whom that card was issued.

b) You are asked to display your biometric(s), and it/they are compared to the card. The bank's system now knows that there is or is not a match.

c) If no match, a procedure is followed similar to present swipe failures, giving an opportunity to correct errors.

d) If there is a match, part 1 of the id process is completed successfully.

e) As the foregoing is occurring, the bank's system is checking with the UBID central database to make certain that this is a validly issued card. There is no central data base check against the biometric. Only against other data encrypted within the card. If that data does not match (e.g. name and public UBID number having been issued to a person with a certain non public UBID number), then the ID effort is rejected.

f) If the local biometric check and the central card validity check match then the ATM displays the options that are available to the identified person with regard to available transactions.

g) The central data base has no information concerning the substance of the transaction. Only that it certified the card to this bank at this date and time.

h) The bank has no information concerning any transactions you may have performed with the card elsewhere that day and has no information concerning the central bank validity check information. It has a record that validity was confirmed to it at this day and time.

i) The central database verification is no more complex or data intensive than typical credit card transactions involving central data bases - i.e. just about all credit card transactions.

j) If for any reason the central data base network and its redundancies should all fail, the bank would have the option of temporarily waiving central card verification..

The foregoing scenario can be recast to put any entity in place of the bank. In each instance, the central system is only certifying that the card details match details on file.

In any situation, a bank or other entity is free to also require a password, but if the UBID checks out, they must have an immediate reasonable alternative to password failure.

I think that the foregoing meets your primary concerns.

You suggest that the central database would only have a list of the people with restrictions. The UBID central database would have a list of all enrollees, but the information it would carry on them would be:

a) all information on the card, including biometric, and

b) the specified status information I have detailed above (citizen, etc.). The central database would be updated in as close to real time as possible with regard to changes in status -- e.g. felony convictions, shift from legal to illegal alien, fugitive, etc.

c) the UBID outline describes different levels of card - general, relative background, deep background, to cover different security levels. All cards would look the same except for name and photo and number on the face of card, and the details that are imbed electronically. There would be no indication of security level. However, if a person presents himself to a secure site, the site would have the option of externally verifying UBID security level or simply using its own database for that purpose or both.

The card never has on it or within it any information other than that necessary to confirm ID and card validity - with one exception. Optionally, the card can include some memory that is under the control of the card holder, both as to what can go in that memory and what can be read from that memory and what can be removed from that memory. This might typically be used to store emergency information, electronic transaction receipts and other things for the sole convenience and at the sole discretion of the card holder.

You express a concern that errors will inevitably occur in the UBID system. Since, for most people the scope of information is relatively narrow, and all information is relatively standardized, I suspect the error level will be immensely less than in the multiplicity of secure and pseudo identity systems that presently exist. The personal status information (citizen, etc.) will be as reliable as the systems that exist outside of UBID to determine and record that information. For most people, the basic id information and the status information, once properly input or corrected, will remain the same until death.

You do not mention it, but there is an issue with regard to changes in some biometrics that occur with the passage of time. In accordance with the state of technology, periodic updates would be required for such biometrics. Similarly, there is the problem of someone who experiences a temporary or permanent change or loss of a biometric. Alternate verification procedures will have to be available for such persons just as there are reasonable alternate methods for persons with other types of disabilities.

You mention that some of the population may refuse to cooperate. In this regard you have to distinguish between the ID function and the substantive activities for which the ID is used. If there is a doohicky agency that requires all people to register their doohickies and submit a full color picture of themselves alongside of their doohicky, someone may refuse to engage in that registration process, with or without a UBID. That is really not a UBID issue. I suspect that most refusals to cooperate would fall into that category. Clearly, there are some persons who will not want to participate in any ID program, particularly if it relates to a unique database designation, such as a number. Most such persons will eventually enroll since the lack of an ID will have practical consequences since it is difficult to live in the modern world without an ID and since some people, by their very status as non-citizens, professionals, government employees and felons, will not have any choice.

When we are dealing with hundreds of millions of people, regarding anything, there will always be at least tens of thousands of people who, out of protest or not getting up on time, will create bumps in the implementation landscape. If that kind of bump were seen as making a system unworkable, we simply would have not government or private systems of any kind.

The UBID is confronted by the same kind of problems that plague biometrics generally. 1) There is a real scarcity of scientific/acadmic minds that are devoted to this sort of thing beyond the power point level; 2) For competitive reasons, many who can talk about all or parts of such a system, decline to enter into the dialog; 3) There is an increasingly bureaucratic approach, in both the public and private sectors, that discourages giving an opinion as to things deemed controversial. To some extent, it is Galileo all over again. Meanwhile, at far greater cost, a de fecto BID systems are proliferating and being linked and huge amounts of personal data, of uncertain reliability or completeness, are being "mined" over and over again, without any apparent safeguards or unified policy.

Henry J. Boitel
New York

-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Christopher Effgen
Sent: Tuesday, January 13, 2004 10:30 AM
Subject: Re: An outline of UBID that might work.


Henry,

Below is my understanding of your UBID proposal:

The UBID system does not manage data beyond the enrollee's basic identification information and whether he is a citizen, resident alien or visitor, a convicted felon, a fugitive, a parolee or probationer with travel restrictions, a missing person or on an authorized watch list, alive or dead, whether presently adjudicated incompetent and whether presently a minor.

The UBID system involves the mandatory use of an identity card, which contains a copy of an aspect of an individual's biometrics. The card is used to confirm the identity of the person using the card when an individual engages in transactions. Without a card, an individual can not engage in transactions as determined by governmental and non-government entities.

As used by government, an individual's legal status as a citizen is monitored and adjusted. The system maintains links to criminal history and investigative records. It is also used to maintain the suspect status of an individual, and determine if the individual is free to travel within the United States.

As used by non-governmental organizations the card can be used to determine if you are allowed to enter your car, home, or have access to your deposits in banks.

All cards would look the same except for name and photo and number on the face of card.

Optionally, the card can include some memory that is under the control of the card holder, both as to what can go in that memory and what can be read from that memory and what can be removed from that memory. This might typically be used to store emergency information, electronic transaction receipts and other things for the sole convenience and at the sole discretion of the cardholder.

If a segment of the population refuses to cooperate, they will not have a choice.

I think that I have been fair in representing your views.

I believe that this is where we are moving, and that if we implement this scheme we will inevitably move way beyond this. For example, the uses that you propose by government are minimal to say the least. The card would be required in all government benefit transactions, and virtually everyone with a commercial interest would want to use the card to track transactions of every type. Private industry would use this information to construct deep profiles of every citizen of the United States.

Years ago, I wrote a paper called the neural network. The neural network is a system in which our minds are linked electronically. The difference between that system and this system is that brains, not minds are linked. In your system that you would construct a mind, outside the control of the individual, which takes in the information and makes the determinations. The system studies the habits of individuals and makes determinations accordingly. The individual, who has no control of the mind/system making these determinations, exists in a chaotic world. The system tends to generate self-fulfilling prophecies with respect to an individual's future anticipated behavior.

The system is operated by bureaucrats who, by the nature of the limits placed upon them by the nature of the organizations that they work for, can never achieve their potential as human beings, but must, at least at work, subordinate themselves to the goals of the organization. Bureaucracies, while necessary, tend to be incompetent, irresponsible and, when holding the power of sovereign, lawless. The tendency of the human race to create static repressive systems has been noted by others. When we survey the vast majority of human history, what we see are a few lights in which individuals were free to pursue their creative potential.

At this time too, we are dealing with the cultural phenomena of regression in the face of a disaster that has affected every level in our society. Add to this, the tendency of individuals to use such disasters for the justification of the pursuit of objects that they wanted to engage in anyway, and we have a fair summary of the why of what is happening in the world today.

Yet, there is a larger picture. We live in a risk/threat universe, in which the good is the absence of disasters. The reason that I gave up my work of mitigating disasters, 20 months before September 11, 2000, and became involved in this issue, was because I saw the danger of this.

Christopher Effgen
Anchorage
 

-----Original Message-----
From: The Biometric Consortium's Discussion List [mailto:BIOMETRICS@PEACH.EASE.LSOFT.COM] On Behalf Of Henry J. Boitel
Sent: Tuesday, January 13, 2004 11:09 AM
Subject: Re: An outline of UBID that might work.


Christopher,

Look at anything real clasp and it appears to be something other than it is, as Gulliver learned.

Step back a moment. The UBID would be mandatory only in the sense that if one wishes to engage in transactions where he must establish his identity, the UBID would be the identity standard. This whole thing, at its primary level, turns on the question of whether people/ agencies/ businesses have a right to know who you are when they deal with you.

On a secondary level, it turns on whether, when relevant, a person/agency/business has a right to know if you are a citizen, a minor, a person of various tupes of illegal status, or an incompetent.

If I turned the tables, we could come up with several principles that seem to flow from your approach:

1. Equivocal identificiation is good enough. There ought be something in the equation to keep people off balance when they are deciding whether to extend trust, credit or entitlements.

2. A private id certification, i.e., one that costs money is ok for those who can afford it, so that they can get to the head of the line and not be publicly embarassed. The rest can wait on line and be primary candidates for rejection.

3. Trust the government to defend amd protect you, keep you in a sanitary environment, oversee matters of health, etc., issue your birth certificate, your professional license, your marraige license and regulate the private sector, provide an ID for your real property and supervise your banks, but don't trust them to run an identification system.

4. Give the opportunity to both government and the private sector to jerk you around on identity issues if you do not have the power or influence to demand respect and attention.

5. Instead of focusing on a very narrow program of identity verification and illegals screening, it is preferable to have every person a suspect each time he or she is encontered, and we leave to chance the question of whether illegals will be screened out of the community.

6. In the absence of a unified system, that permits very targetted retrospective inquiries, retain the present non-system, that ensures broadbased, indiscrimnate rummaging through personal information and activities.

7. Keep the name list systems (that you have been fighting for some time in courts and agencies) as preferable to a unequivocal ID system.

My point is that it is not enough to say "I don't like the weapon that this gives to government/business". In order to be valid, one must compare the prospective situation to the present situation. The present situation is devoid of controls, is probably uncontrollable and results in huge personal and national insecurity, as well as great cost if even if the cost of identity theft is not counted.

If you have a better idea to remedy the present inadequacies, let's hear it. I would be happy to see a better solution and, in any event, I would enjoy picking apart someone else's proposal.

Best wishes,
Henry J. Boitel
New York

-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Daniel C Landi
Sent: Tuesday, January 13, 2004 6:28 PM
Subject: RES: An outline of UBID that might work.


IMHO, it is a fact that UBID cannot rely on the secrecy of the biometric data. When such systems become a de facto standard for border checking and country club entrance, all this logged information will be too valuable to remain untouched.

I’m not saying that there will be foreign companies specialized on gathering biometric samples or an underground community that will create an open biometric repository on the Internet. But one should assume that all his ten fingers, face, irises, retinas, voice samples, etc will be known in a raw digital format. We won’t put all these images and data openly on our personal digital certificates, but it is just like so. Actually, when the future bio-hackers start enrolling fingerprint images associated to your name, you might just do it yourself (apart from government controlled systems).

I don’t think that changing from finger to finger then from biometric to biometric is a good countermeasure, and I’m not sure what the solution is. Should we adopt only tamper proof hardware with embedded digital certificates for signing and date stamping? Should we research more seriously the live checking mechanisms on the sensors? Maybe an option is to use short-term biometric technologies with constant updating and periodically re-issuing – so the data stolen will “expire” after some time – or intentionally degrading the biometric template to allow only limited 1:1 matches.

I did not read through all the posts concerning UBID, so pardon me if these ideas were discussed here before.



Best regards,


Daniel C Landi
Sao Paulo, BR

-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Tuesday, January 13, 2004 7:51 PM
Subject: Re: RES: An outline of UBID that might work.


Daniel,

I agree with you. It will only be a matter of time before one's current
templates or actual images of one's ID biometrics are captured by
persons who have not been authorized to capture them. It should be noted
that open availability has always been inherent in what I will call
traditional biometrics, i.e., photos, signatures and recorded voice.

In my view, the best ID biometrics system is one in which it does not
matter whether anyone captures your biometric images or templates. After
all, it is not the biometric that gives you access, it is the fact that
you, a living person, match the biometric.

The foregoing notwithstanding, there is no doubt that you put your
finger on an area of security holes that must be plugged. To the extent
possible, these should be anticipated and resolved before inauguration
of the system. For potential problems that cannot yet be resolved, there
ought be automated oversight that flags potential irregularities.

It is important to distinguish between the ID process and the
substantive transactions that follow. For example, you go to a store,
present your UBID, it confirms you are who you claim, and you buy ten
widgets, charging them to your Mastercard account. The clerk charges 12
widgets to your card, and keeps the extra two. Or he charges only the
number you have purchased but puts only 8 in your bag and keeps 2.
Neither of these is an ID problem, Identification worked fine.

You go into the same store, purchase 10 widgets and get 10 widgets and
you leave. The clerk, a graduate of Mission Impossible school, has
plugged a device into the ID system and it captures all of the
interactions of you and your card with the local and central systems.
Without the need of breaking any encryptions, the clerk merely uses the
recording to feed back to the system a new order under the guise that
the biometric and card information is coming from you and your card.
Unlike the first example, I consider this to be a true ID biometrics
issue and I think it illustrates the type of thing about which you are
expressing concern. <<<<I hope members of the list will pick up on
Daniel's challenge and comment as to existing practical solutions to
this scenario.>>>> It should be noted that such scams are a lot easier
with current credit card systems, where the clerk forgets to give you
your card back or simply uses his record of your card number to enter
another order.

If we can get past arguments concerning the general UBID concept and
into discussions concerning solutions to implementation problems, we
will be accomplishing something. Thanks for taking the lead Daniel.

As a footnote, fraudulent practices by insiders will always be with us.
Biometrics may not prevent yielding to temptation; however, biometrics
can help us determine who it was that yielded to temptation. We already
have use of biometrics to track who is making entries into computer systems.



Best wishes,
Henry J. Boitel
New York
 

-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph K
Sent: Tuesday, January 13, 2004 11:18 PM
Subject: Re: An outline of UBID that might work.


Henry wrote:
----
It would be helpful to me if you would recast your firearms/explosives examples within the following analysis. I think you will find that the none of your issues are with the UBID, but rather with the substantive rules that will continue to be administered by the appropriate federal and state agencies separate apart from the UBID card or the UBID database..
----

I believe I understand how the UBID as you envision it is to work and I don't believe you completely understand my concerns and those of probably millions of others, not just 10's of thousands.

As soon as there is a central database that is contacted with every use of the UBID there exists a mechanism for abuse -- the movement and activities of people can be tracked, and that movement and those activities can be, essentially, instantly halted. This mechanism must not EVER be allowed to exist. It will enable the creation of a police state, which I believe will inevitably follow. The people that find ways to avoid using it, to subvert it, and to attack it, will be some of the justification for more control over the population.

I have expressed this concern numerous times in numerous ways on this list and when I get a response from people it is of the nature of "you are paranoid, no further discussion needed". All that I can conclude is that the people that think I am paranoid have a completely different frame of reference and are not participating in the same reality that I am. This last weekend I did a quick, unscientific poll of the people (both adults and teenagers) from several different families. I asked the following question, "What do you think of a national ID card that would be required in your day-to-day activities such that it will be almost impossible for an illegal or a fugitive to function without encountering a situation that requires presentation of there card? This card would replace nearly all your other cards including credit cards and drivers license. You only have one card to carry with you. It would be secure and you could use it as easily as cash without the need to carry cash." The response varied from "That would suck, it will never happen in this country." To, "No. I wouldn't like that." Even though I tried to present it as positively as I could not a single person would waiver from their opinion that it was a bad (or REALLY BAD) idea. Even the teenagers were vehemently opposed. I would have expected them to have the frame of reference at least somewhat comfortable in lacking a sense of freedom from intrusion in their lives.

In the world where I live people can go out on their property and legally mix up and detonate explosives just for the fun of it with the only legal restriction being that you can't hurt anyone else or their property. Guns, including machine guns, and guns with suppressors are legally used for recreational purposes. When the local law enforcement shows up at these events they complain -- that they didn't know about it earlier so they could have arranged to have the time off to play with us. I expect this to be completely foreign and nearly unthinkable to many on this list and an indicator of the distance between our two (or more worlds).

In my world government has given us numerous examples in how well it can be "trusted" to obey laws, rules, and regulations, that "protect" the private citizen from abuse. Some of those examples follow:

In my world (this happened just a few miles from where I used to live) someone is asked by a Federal informant to use a hacksaw and cut off the barrel of a gun 1/4" shorter than is legal, he does so, is arrested, gets out on bail, is given a court date a month later than has actually been scheduled, doesn't show up for the actual court date, then when the Federal Marshals show up spy on him prior to arrest they shoot his 10-year old son in the back, killing him. A friend shoots a Marshall in the confrontation, killing him, the FBI snipers show up the next day and without announcing they are present, follow written orders to shoot to kill any armed person that comes out of the house. Never mind all the adults and all the older children never leave the house unarmed -- entirely legal in my world. The original arrestee is shot in the back (wounded and survived), the friend that shot the Marshall is severely wounded, and the arrestee's wife, carrying a baby on one hip and a pistol on the other hip is shot in the head and killed. At the trial the jury finds the original arrestee only guilty of failing to show up in court and is sentenced to time served, the friend who killed the Marshal is found not-guilty and walks out. The Feds publicly insist AFTER THE TRIAL their Marshal was murdered although the jury found the "murderer" acted in self-defense. The state tries to put the FBI sniper on trial for manslaughter. The Feds insist the sniper was "just following orders" and is therefore immune from prosecution of any type. The person that wrote the orders to "kill on sight" is never discovered because the paper trail was literally run through the shredder. The person that did the shredding was punished for destruction of evidence, but he was a low level person that certainly was not the one that wrote the order. Both the sniper that shot the three adults and the person believed to have written the orders also have roles in the confrontation in Waco with the Branch Dravidians. Neither are ever punished for their roles in either tragedy.

In my world I visit friends of Japanese descent and see in their living room a framed poster from 60+ years ago. The poster announces that all people of Japanese descent must report to the detention camps. My friend was born in my home state, 300 miles from his home and his parents home, a month after his parents were released from the camp after the end of WWII. His mother was too far along in her pregnancy to travel and his parents and older siblings stayed until after he was born to return to their "home" which was no longer theirs. In college I wondered why there was such a concentration of people of Japanese descent from one area of my state attending the state college. It turns out it was the location of one of the detention camps and when the people were released many of them had no homes to return to and stayed to start a new life in the local area. When I went to the county fair in Puyallup (south of Seattle) I marveled at the large building used for the exhibits and pens for the animals. How could a relatively poor county afford to build such large nice buildings for a fair? Those building were built by the Federal government as "pens" for people -- Japanese Americans who had done nothing wrong other than having parents, grandparents, and great-grandparents that had been born in another country. Those buildings were turned over to the county after the war. Census data, supposedly protected by Federal law, was used to help find people that were to be sent to the camps. No person was ever punished for using that data illegally.

In my world when you look closely at the laws regulating your sporting equipment you find that, on the average, you rack up five potential years in prison for every year of your participation in the sport -- should you be discovered and convicted. All without there ever being a single victim and many of those "crimes" being committed in such a fashion that it was virtually impossible for you to know you were committing a crime.

In my world the federal government has made it illegal for a group of people to pool their money, form a corporation, and place advertisements advocating the voting for or a against a particular candidate within N days of an election. If they can say 60 days, can they say 90 or 365 days? If you put up a web site using your existing computer and spare time that costs you only an hour or so of your time and the use of your spare bandwidth purchased for your recreational use and this web site advocates voting for or against a particular candidate you can be fined unless you report the "fair market value" of the web site to the authorities. If this isn't an infringement of "free speech", what is?

In my world when the President of the country comes into town they mark off a "Free Speech Zone" a third of a mile or more away from his path where people carrying signs opposing his policy are "free" to exercise their speech out of obvious sight and sound of the media following the President. People in support of his policies are allowed close access.

In my world when AIDS starting being noticed and there it was noticed the number of people infected was doubling every year it was suggested that unless drastic action was taken virtually the entire population of the U.S. would be infected within 10 years some politicians started talking about quarantines of all homosexual men. Having a central database with health and family/marital status information in it have been very useful to implement such a plan. As it was it simply wasn't possible to gather the information -- had the political will materialized.

In my world people from certain mid-eastern countries are detained, questioned, and deported without being allowed to confront their accusers and the evidence against them, without their names or numbers ever being made public, and (I may be mistaken on this final point) without ever having access to effective legal counsel.

In my world if law enforcement finds you with large amounts of cash on your person they can confiscate it and you have the burden to prove it was not obtained illegally.

In my world if the police believe you know or should have known that someone was selling a herbal remedy for nausea associated with anti-cancer drugs from your property they can seize that property and you have the burden of proof that you did not know and could not have known it was happening before you can obtain your property.

In my world the Holocaust was not a myth, it was real. It was perpetuated by a group of people that via the Weapons Control Act of 1938 disarmed their victims, required them to have ID showing their ethnic background, required ID to function in day-to-day life, then deported the disarmed victims from the country to work camps as a temporary solution. The final solution came later. The U.S. Gun Control Act of 1968 (GCA-68) was written by the same senator that asked the Library of Congress to translate a document he had brought back from the Nuremburg trials years earlier -- the Weapons Control Act of 1938. There are many of the same phrases, terms, and requirements in the documents -- it's obvious the documents are related, and it's obvious from the functionality of GCA-68 as well as from the crime data prior to and following the passage of GCA-68 that prevention or solving of crimes could not be expected and was not achieved. However it could be useful in disarming a class of victims, similar in function to it's parent document.

In my world when someone starts talking about government issued ID that is essentially required to function in society and has the potential track every person it is a struggle to remain civil. It is a struggle to not proclaim their intentions, in the most vigorous and most energetic terms possible, to be consistent with the governments in times past who implemented similar systems and then proceeded to engage in genocide.

Before someone again suggests I am being paranoid and dismiss my concerns or suggest that "regulations can provide the protection required" I suggest you look at two things:

1) My personal life. Just two years ago I allowed the government to do an extensive background check in order to receive a high level security clearance. They asked detailed personal questions about me of my neighbors, friends and acquaintances for the past ten years, found out things about my financial situations I didn't even know, and asked my wife to tell our entire history of knowing each other since we first met in algebra class in 1969. They may monitor my phone calls and can search me without cause while at work. My personal web sites have hundreds of pages of information about me and even a web cam of my bedroom (http://www.joehuffman.org/cam.htm). Is this consistent with your vision of a paranoid person?

2) History. The history of just this country in the past 100 years -- how many regulations and protections have been violated without the government perpetrators ever being punished? Expand that review of history to include other countries and the violations "legal protections" become even more obvious -- the millions of people killed by their own government for their political, religious, or ethnic backgrounds. By what means can you guarantee that a system and technology put in place with the capability to track the every action of a political enemy will not be used it to do so? What if Richard Nixon had such a system at his disposal? Do you believe he would have not have used it or would have punished those that used it in his behalf? I believe the only way to prevent the abuse of such as system is if the system is never allowed to exist in the first place. I believe it is possible I am excessively concerned. But I also believe those people who propose such a system are either naïve, have large financial incentives, or desire to control the power such a system would give them.

Henry wrote:
----
It would be helpful to me if you would recast your firearms/explosives examples within the following analysis. I think you will find that the none of your issues are with the UBID, but rather with the substantive rules that will continue to be administered by the appropriate federal and state agencies separate apart from the UBID card or the UBID database..
----

If you believe "substantive rules ... will continue to be administered" will assure me the database will not be abused then you haven't been listening. The "substantive rules" that I would required to be put in place in order to believe the contents of the database would not abused would cause the most enthusiastic Auschwitz guard to cringe at my creativity in punishment methods, violate numerous protections of the Bill of Rights, and probably inspire several additions to it.

Henry wrote:
----
Most such persons will eventually enroll since the lack of an ID will have practical consequences since it is difficult to live in the modern world without an ID and since some people, by their very status as non-citizens, professionals, government employees and felons, will not have any choice.
----

You dismiss with "people will have no choice" or imply they will comply simply because it's more convenient. They may not have legal choices to avoid the system but they have many choices. You apparently underestimate the power of the free as well as black markets. Whatever products or services are difficult or impossible to get without an ID will find an alternate route to the person willing to pay a premium for that product or service in order to not show an ID. In many cases the product or service may actually be CHEAPER on the black market. It is that way now with illegal entry into this country. It is cheaper (including the cost of the wait for legal entry) to buy clandestine transportation, false documents, enter this country, and go about their desired business than it is to follow the legal routes. It is also that way with machine guns in the country. If you want a new machine gun, unregistered and no trace of it "on the books" it can be had for close to it's retail price. A legally registered machine gun (all privately owned machine guns must have been registered prior to May 1986) is almost certainly used and costs five to ten times it's retail price. Another example: the gun registry in Canada. You can register yourself and your guns and continue to function legally or you can turn them in and not be registered with the national government. You cannot legally continue to own firearms without complying. Yet they do. They buy ammunition, they go hunting, and they target practice with illegal owned firearms -- an estimated 1 million firearms. How is that possible? Most of the provinces REFUSE to enforce the national law. The special national law enforcement officials sent to enforce the firearms laws arrive at their desks in the morning and leave at night and do not identify themselves to their neighbors and friends. They do not attempt to enforce the laws. Only one person in the entire country has been convicted of failure to follow that law. What happens to your ID card, mandated by the national government, is not used by the local governments and they refuse to assist in enforcing laws requiring it's use? If you don't believe that can happen -- Would you have believed the local governments of Canada would have refused to enforce gun registration laws? I doubt it. You live in a completely different world than I do. I am only surprised by how peaceful the opposition has been.

Henry wrote:
----
e) As the foregoing is occurring, the bank's system is checking with the UBID central database to make certain that this is a validly issued card. There is no central data base check against the biometric. Only against other data encrypted within the card. If that data does not match (e.g. name and public UBID number having been issued to a person with a certain non public UBID number), then the ID effort is rejected.
----

I don't see the checking with the central database as being required. And this contact with a central database is the fatal flaw that generates the opposition and creates the single point failure for the entire functioning of our society that must not be allowed. You seem to be aware that it is not required because you say the bank (or whoever) has the option to continue even if the central database is unavailable.

Henry wrote:
----
g) The central data base has no information concerning the substance of the transaction. Only that it certified the card to this bank at this date and time.
----

At day one in the implementation I believe this might actually be true. However the mechanism will be in place such that "the loophole" (ask me about the "gun show loophole" someday -- it doesn't exist although "everyone knows" that it does) will be "closed" in later implementations. And there are already efforts to portions of this right now. Haven't you heard of the "Know Your Customer" program for banks?

Henry wrote:
----
i) The central database verification is no more complex or data intensive than typical credit card transactions involving central data bases - i.e. just about all credit card transactions.
----

Credit cards are not required to function in our society, the databases are not owned by the government, and are distributed across a large number of private businesses.


Henry wrote:
----
The foregoing scenario can be recast to put any entity in place of the bank. In each instance, the central system is only certifying that the card details match details on file.

...

I think that the foregoing meets your primary concerns.

...

The UBID central database would have a list of all enrollees...
----

Nope, it violates my primary concerns. The central system as you envision it cannot be allowed to exist. Both from the standpoint of potential for abuse and from the standpoint of being a single point failure mechanism.

Henry wrote:
----
You express a concern that errors will inevitably occur in the UBID system. Since, for most people the scope of information is relatively narrow, and all information is relatively standardized, I suspect the error level will be immensely less than in the multiplicity of secure and pseudo identity systems that presently exist.
----

Perhaps I failed to express my concerns accurately. I was not referring to accidental errors but errors deliberately introduced via people motivated by bribes or hostile intent. The more secure and fool-proof the system appears to be the more value there will be in deliberately corrupting the database. This is because people will be more likely to ignore contradicting data about the ID of the user. Similar to "child proof" lids on medicine bottles increasing the number of child poisonings when people left the bottles accessible to children and trusted the lids to protect the access to the medicine.

I've been setting at my desk at work writing this for nearly seven hours straight. Time to drag my tired paranoid body off to my web cam monitored bedroom. I'll probably sleep in tomorrow morning. You can check on me by looking at my web cam. But perhaps you won't want to do that if YOU are too paranoid -- I keep a log of all the accesses to my web sites and I will be looking at the logs and examining the IP addresses to see what I can discover about my viewers. I will count the number of different visitors to compare against the number of people on this list. Send me an email telling me who you think is the most paranoid -- those that didn't visit my web site because I would be checking up on their visit or me because of my concerns over the abuse of a government controlled central database.



Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA

509-375-2201

-----Original Message-----
From: The Biometric Consortium's Discussion List [mailto:BIOMETRICS@PEACH.EASE.LSOFT.COM] On Behalf Of Huffman, Joseph K
Sent: Wednesday, January 14, 2004 10:48 AM
To: BIOMETRICS@PEACH.EASE.LSOFT.COM
Subject: Re: An outline of UBID that might work. 2


I'm perplexed at something Henry. In what I thought was a rather dramatic turn around of my position I proposed a system that would alleviate nearly all my concerns and yet achieve what I thought were all of your stated purposes for a UBID. Rather than outline the deficiencies of my proposed system you reverted to your original proposed system. Are there objectives you have not shared with us? Or is it that you really want the capability for a police state?

Life is filled with ironies. Has anyone else shared my mirth that it is someone with a German surname arguing against an intrusive authoritarian government and someone with a (apparently) French surname that is arguing for it?

Most of my day yesterday was spent working on or presenting a new biometric technology for use by a rather secretive government agency which I think has an entirely legitimate function. I amuse myself on a daily basis.


Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA

509-375-2201


-----Original Message-----
From: Henry J. Boitel [mailto:boitel@MINDSPRING.COM]
Sent: Wednesday, January 14, 2004 8:23 AM
To: BIOMETRICS@PEACH.EASE.LSOFT.COM
Subject: Re: An outline of UBID that might work. 2


Joe,

Your comments primarily focus on your fears and general distrust of
government. My initial reaction was that you were engaging in an
inappropriately extended rant, rather than addressing the specific
elements of UBID that you see as being insecure and less desirable than
the status quo. However, your fears and distrust,. to a greater or
lesser extent, reflect concerns held by many in the United States. While
not everyone will agree with some of the examples your cite, it is
likely that there are many similar examples that they might site or that
are not matters of public knowledge. In that regard you probably have
more in common with some inner city residents than you might think.

That said, there are probably four broad approaches that people with
such views might take: a) Yours, which appears to be to (literally)
circle the wagons locally, and reject efforts at broad-based solutions;
or b) Realization that there are no local solutions to some problems,
and ,therefore, a focus must be had on improving the accountability of
government for its actions, while vesting government with the power to
resolve problems that are national in scope, or c) Opting out and going
with the flow, i.e., out of naiveté, or lack of concern, or fear, or
d) Those who are not particularly concerned because they derive profits
or power or status from what your or I might characterize government or
government/semi-private sector abuse of power.

There are some floaters who are in one group or the other depending upon
the issue. As regards a national identity card, the ACLU appears to be
in your group, but I suspect they are beginning to see that they are
playing a losing hand and can be more effective if they moderate their
position.

The group I describe as (c) is probably the largest group. Of course,
each group has a number of subgroups that range over a rather
substantial spectrum. Ironically, quite a few people in your group are
government employees or are engaged in activities that are heavily
government dependent, and, in order to qualify for their employment
positions, have waived privacy rights on a rather broad scale, as you
describe you have done. I suppose such ironies or inconsistencies are
fundamental to human nature.

On your views, as you have expressed them, I guess our positions are
irreconcilable. However, as I have hope for government, I also have
hope for you. You see, while you are protesting against a basic ID
card, the government is going forward with intrusive procedures that go
far beyond anything contemplated by a UBID, and a good part of their
tacit rationale is that we don't know who people are.

Anyway, let's keep in mind that this is a biometrics discussion group.
We have heard loud and clear from you and others that Government is
untrustworthy and that a common id card can be leveraged into a massive,
oppressive tracking system. For the time being at least, I am going to
opt out of further discussions on those fundamental issues. I am
looking for more specific discussion as to: 1). How the UBID can be made
to work for its stated purpose and 2) how protective features can be
put in place to prevent abuse, and 3) How the UBID provides more or less
identity protection and individual empowerment that the status quo id
systems.

Best wishes,
Henry J. Boitel
New York
 

-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Huffman, Joseph K
Sent: Wednesday, January 14, 2004 10:48 AM
Subject: Re: An outline of UBID that might work. 2


I'm perplexed at something Henry. In what I thought was a rather dramatic turn around of my position I proposed a system that would alleviate nearly all my concerns and yet achieve what I thought were all of your stated purposes for a UBID. Rather than outline the deficiencies of my proposed system you reverted to your original proposed system. Are there objectives you have not shared with us? Or is it that you really want the capability for a police state?

Life is filled with ironies. Has anyone else shared my mirth that it is someone with a German surname arguing against an intrusive authoritarian government and someone with a (apparently) French surname that is arguing for it?

Most of my day yesterday was spent working on or presenting a new biometric technology for use by a rather secretive government agency which I think has an entirely legitimate function. I amuse myself on a daily basis.


Joe Huffman
Senior Research Scientist
Cyber Security Group
Pacific Northwest National Laboratory
Richland, WA

509-375-2201

-----Original Message-----
From: The Biometric Consortium's Discussion List On Behalf Of Henry J. Boitel
Sent: Wednesday, January 14, 2004 11:29 AM
Subject: Re: An outline of UBID that might work. 2


Joe,

As regards objectives, I do not think I could have been more clear than
was specified in the UBID outline and as further specified in response
to specific questions. I also assure you that I am at least as opposed
to a "police state" as you are. regardless of whether oppression comes
from big government, local government, local, self-styled militants or
irresponsible business.

With due respect, it seems to me that most of your presentations have
been directed at why we should not trust the government and conclusory,
but not analytical, statements concerning why a central database, used
for confirming card validity and flagging illegals, presents an
unacceptable vulnerability for individual rights and privacy.

While eternal vigilance is the price of liberty, I am prepared to
believe that we have the capability of setting ground rules and electing
and appointing officials that will faithfully enforce the law. If our
energy were spent in that direction, rather than in giving up on
government, I think we would all live more securely within a context of
liberty.

We have had a sea change in the liberty and privacy environment in the
past two years. The free flow of guns and explosives and opposition to
a coherent ID system have not been doing anything to arrest that change.
To the contrary, they create an environment that tends to be relied upon
by those who champion that change.

If you think your proposed changes in the UBID will secure ID security
objectives, then you will have to explain that in a way that is more
detailed than what you have said thus far.

Henry
Henry J. Boitel
New York