I read the book “Identity Crisis: How Identification Is Overused and Misunderstood” by Jim Harper at the CATO Institute last week, with the objective of improving my understanding of identification issues as they apply to key homeland security challenges.
Many of the most significant controversies in the homeland security policy realm today – REAL ID, a National ID card, aviation security screening, the use of biometrics – pivot upon issues of identification, and the way in which the imperatives for security, privacy, and freedom sometimes clash with one another in these debates. Too often, these issues are demagogued or misinterpreted by people on all sides of these debates, creating the need for clarity on the terms of these debates. This book adds a valuable dose of clarity to this debate, and while I disagree with some of Harper’s conclusions, I think that the implicit framework in the book provides a basis on which future identity- and security-related policy disputes can be mediated.
Harper’s book does an excellent job of laying the groundwork and clearly defining the different types of identification and the roles that they play in everyday societal interactions. He provides interesting historical context on the evolution of identification, and writes in an engaging style that is atypical for a think tank-published tome.
These early chapters of the book set the stage for the discussion of key identity-related policy issues today: the excessive use of Social Security numbers as an identifier, the role of the credit bureau industry, the changing roles of identification cards, the implications of the REAL ID Act, aviation screening issues, and the debate over whether the U.S. should have a national I.D. card., among others.
Harper argues generally that identification-based tools and techniques are a weak source of leverage in the fight against terrorism, suggesting instead a risk management approach focused on a non-person-centric approach to addressing threats and vulnerabilities. This passage from page 212 summarizes his argument:
Good risk management addresses threats and risks without regard to who might cause them, long before any bad actor has been identified. The reduced risk of commandeering since 9/11 illustrates this well. Hardened cockpit doors stop anyone who might enter the flight deck without permission. The resolve of crew and passengers to attack hijackers does not turn on who they are but extends to any and every hijacker. This entire method of attack has largely been cut off.
These techniques to reduce risk do not rely on identification. They meet threat vectors head-on. The same is true o fsecurity against other tools and methods of attack. Magnetometers screen for all weapons. X-ray machines scan for all guns and bombs. Sensors sniff for bomb residues and chemical or biological agents no matter whom or what they are on. Identification of people plays no role in the most direct and substantial methods for managing the risks to passenger air travel.
It’s on this point, as it applies to the key issues discussed in the book, that I have my main disagreement with the book. I don’t see identification vs. physical security as an either/or dichotomy. Instead, I seem them both as valid tools, each with their pro’s and con’s, that should be used in harmony with each other, based on cost, effectiveness, and societal values, as part of a broad systemic approach to securing the homeland. There are some instances where physical-based approaches will suffice on their own. And identification systems are no panacea, as they have sometimes been made out to be. But I think that identification-based tools can be appropriately used to improve protection or create deterrence within certain threat vectors.
Harper also has an interesting discussion in the latter part of the book about the relative merits of homogeneous vs. heterogeneous ID systems: a debate that is relevant to the ongoing discussions over the REAL ID Act and the concept of a National ID card. I’ve argued previously on this blog that a National ID card would be preferable to the heterogeneous 50-state system that we have today, and that the REAL ID Act is an expensive solution, providing some security benefits due to improved credentialing and verification but in a way that doesn’t capture the benefits from scale and integration. Harper argues, by contrast, that integration is inherently dangerous (creating the risk of excessive data aggregration) and that scale creates undue criminal temptations (i.e. makes the card valuable and motivates illicit acquisition). I take his points, but I still see these risks as lesser than the existing risks resulting from the lack of common standards, which allows certain states to maintain weak ID systems.
But overall, this was a very engaging book, and well-worth reading for anyone who works on or cares about these issues. The advocates of increased use of identification for security would be well-advised to read it to understand the perils that certain courses of action can create. And the foes of increased use of identification should read this as well, as a way to understand how to rationally and criticize ID-related programs, instead of making fear-inducing, emotive counter-arguments, as is too often the case. By thinking and operating along the parameters suggested in this book, I believe that we can come to a lot more common ground on these difficult issues.