Figure 1 – Old BCC, no expiration (I-586)
Figure 2 – Old BCC, with expiration (I-586)
The
US/Mexico Border Crossing Card (BCC):
A Case Study in Biometric, Machine-Readable ID
Andrew Schulman*
Software Litigation Consultant
Santa Rosa CA
http://www.undoc.com
undoc@sonic.net
March 30, 2002 (Revised April 24, 2002)†
Click here for more recent Microsoft Word .DOC fileThis is a “work in progress.” The reader will encounter the author’s notes to himself in double square brackets, e.g. “[[This paragraph is hopelessly lame; fix it.]]”
The terrorist attacks of Sept. 11 were quickly followed by calls for a national identification card in the United States. Though the best-known advocate of a national ID card is still Larry Ellison, CEO of Oracle, efforts by the American Association of Motor Vehicle Administrators (AAMVA) to “produce a uniform, secure, and interoperable driver's license/ID card to uniquely identify an individual” are more likely to hit their target.[1]
Many groups and individuals, from all parts of the political spectrum, have expressed concerns over the privacy implications of a possible national ID card. However, the discussion appears stuck in an abstract consideration of security/privacy tradeoffs.[2] Often, both opponents and supporters of National ID (and of similar proposals, such as for widespread facial recognition) make it appear that there is some kind of “privacy vs. security” sliding scale that individuals or societies could fine-tune to a desired setting.
Rather than engage in these often-sterile “privacy vs. security” debates over proposed solutions to the Sept. 11 crisis, let’s first see if the proposed technology is even going to work (and work in the Sept. 11 sense, i.e., would implementing this or that proposal have stopped the terrorists from getting on the planes?). The $10 billion homeland-security budget may cloud the thinking of even the most conscientious security vendor; for the least conscientious, the homeland-security budget spells “pork: it’s what’s for dinner.”[3] Privacy advocates often abdicate discussions of practicality to security vendors, and in fact often take the vendors at their word for claims of how well technology will work; vendors can then sometimes rely on the dire predictions of privacy advocates for a kind of scarecrow marketing.[4]
Scott McNealy of Sun Microsystems says he is “tired of the outrage” by privacy advocates. “Absolute anonymity breeds absolute irresponsibility…. If you get on a plane, I want to know who you are. If you rent a crop duster, I want to know who you are” (ZDNet, Oct. 11, 2001). It is useful to take McNealy’s desire at face value. What would it take to bring about this goal? McNealy’s own answer is “We need a thumbprint Java card in the hand of everybody in the country.” Ignoring the understandable self interest of using Sun’s Java technology, clearly the card by itself doesn’t do anything -- some system would need to be in place to issue, check, verify, and revoke these cards. What would such a system need to look like, to fulfull McNealy’s “I want to know you are” goal? (With the slight modification, of course, that it will be some government agency, rather than Mr. McNealy, that will know who you are.)
To assess what National ID for the US might look like, and how effective it might be, it makes sense to first look at an existing ID program run by the US government. This study examines the biometric, machine-readable Border Crossing Card (BCC), a joint project of the US State Dept. and the US Immigration and Naturalization Service (INS, a branch of the Justice Dept.).
About four million new BCCs, also called Laser Visas, micas, or pasaportes locales, are held by Mexican citizens, allowing them to cross into the US for up to 72 hours, staying within 25 miles of the border (65 miles for Tucson AZ); BCC holders are not supposed to work in the US. On October 1, 2001, older, non-machine-readable versions of the BCC became invalid. The BCC is probably the largest mandatory biometric ID program run by the federal government (there is also a new biometric version of the so-called “green card,” but older versions of the card are still valid). The card’s manufacturer, Drexler Technologies, calls it the “World's Most Secure ID Card” and the “World's Most Counterfeit Resistant Card”[5] – so, clearly, this is being held up (at least by the vendor) as a good test case.
[[Drexler pres. Richard Haddock testimony at Senate Judiciary subcommittee on technology and terrorism, Nov. 14, 2001: the BCC and green card programs together, with more than 10 million cards in circulation, “represent the largest high security, biometrics-based, ID card program in US history.” Together with other, smaller optical-card and biometric programs, “these programs give a good insight into what is necessary to achieve a secure and cost-effective ID card system” (http://www.lasercard.com/downloads/files/Haddock%20U.S.%20Senate%2014%20Nov%2001.PDF).]]
National ID has, before Sept. 11, traditionally been proposed in the context of illegal immigration from Mexico. To the extent we have a history of semi-rational debate on this topic, it involves the Mexican border, and the widespread employment of unauthorized workers from Mexico and Central America. Past proposals for National ID have been in the context of illegal immigration, not only for border control, but also as an ID card that all employers would require of their new hires, to weaken the US jobs “magnet.”[6] Some of the earlier advocates for a National ID to combat illegal immigration, such as Sen. Diane Feinstein (D-CA), are again advocating a National ID, to combat terrorism. Concerns have also been raised that terrorists can enter the US via its 2,000-mile (and in some ways unprotectable) border with Mexico.[7]
Using the US/Mexican border to study the larger issue of using IDs to secure the US against terrorists is not meant to imply that immigration control is necessarily an appropriate way to fight terrorism. While this view is held for example by Phyllis Schlafly (“It should be repeated over and over again: The terrorism threat is from illegal aliens who are allowed to live in our midst”),[8] this would, for one thing, overlook the US's own rich history of homegrown (and typically anti-immigrant) terrorists.
Rather, it is useful to look at the BCC from a process perspective: how is a card initially issued, when and where is it checked, how is it checked, what is it checked against, how is it enforced. More specifically:
This paper will be able to only give a hint of the complexities involved in even this relatively small biometric ID system. It seems likely that these complexities could be magnified many times over in a National ID, to be issued to perhaps 200 million or more people.
National ID advocates frequently claim – as, come to think of it, do some National ID opponents, particularly of the “Mark of the Beast” school[9] – that we really already have a National ID, in the form of the Social Security Number (SSN) or state drivers’ licenses. For example, according to AAMVA spokesman Jason King, “There’s no need to create a second national ID card. You already have one, we're just talking about making it better and more secure” (Reuters, Jan. 9, 2002).
One of the key points that emerges from a study of the BCC, however, is that the gap between the existing state of affairs and a true national ID system is enormous. Under National ID, all cards would need to be machine readable. Card readers (and, likely, fingerprint readers) would need to be widely deployed; each card reader would need to be tied into a national database. This is a far cry from our current desultory visual inspection of cards.
The INS has dismissed any concern over the BCC’s possible broader implications. According to the Washington Post (Feb. 18, 1998), an INS spokesman said that “linking a travel document used only by Mexicans to a national ID card for Americans is ‘kind of a leap.... It's technology that's available to the credit card companies and anybody who wants to pay for it.’”
But the US State Dept. says that its joint BCC project with the INS “has given us the opportunity to conduct important research on a potential biometric visa for the future.”[10] And, according to the US Consulate General in Cuidad Juarez, Mexico, “the future may require that all visas eventually be placed on these machine readable cards.” Thus, the BCC is already seen as a kind of pilot project for all visas (of which the US issues about 30 million each year[11]).
[[In one version of his rather vague proposal, Larry Ellison suggested a digital ID card that would be optional for citizens but mandatory for “aliens” (see Jeffrey Rosen, “Silicon Valley’s Spy Game,” New York Times, April 14, 2002). As an ID issued by the US to non-citizens, the BCC may thus be particularly relevant to post-Sept. 11 ID discussions. See National Academies report, ch. 2 on foreign-issued credentials.]]
What, though, do BCCs, or even all visas, have to do with ID for US citizens? As shown in this study, it is difficult to enforce just the BCC’s 72 hour/25 mile/no work policy, without also checking IDs of non-immigrants within about 100 miles of the border; after all, BCC holders are not wearing special “BCC” tattoos on their foreheads. As also explained in this study, a BCC holder must carry the card at all times; it will be seen that would also need to be a feature of any effective (i.e., not just for show) National ID.
Because one can't tell by looking if someone is a citizen (and if an employer for example acts as if they can tell, it's discrimination), situations requiring ID from non-citizens will, in fairness, require ID from everyone. The discussion below of employment eligibility verification shows that, more generally, effective ID for non-citizens is – unless we have discriminatory “profiling” – a slippery slope to mandatory ID for everyone (thus, ironically, anti-discrimination can be a slippery slope to wholesale, as opposed to selective, privacy invasion). And, as also shown below, discriminatory policies produce security loopholes.
In sum, the US/Mexican border, and the Border Crossing Card in particular, provides a useful real-world way to think about and discuss National ID. This makes sense; it is often said that borders and immigration are at the forefront of social issues.
The United States has issued over four million new machine-readable biometric Border Crossing Cards (BCCs), form DSP-150, also called "laser visas," to Mexican citizens for the purpose of multiple short trips to the US. Starting on October 1, 2001, all old versions of the BCC became invalid, and holders of the old BCC were turned back at the US border. According to INS commissioner James Ziglar, about 1,600 visitors are being turned back each day for lack of the new card.[12] The new cards started to be issued in April 1998; since then, on average, the US has issued about 100,000 cards each month. Over 15% of applicants for the card are not approved.
The biometric BCC is a joint project of the State Dept. and the Immigration and Naturalization Service (INS; an agency of the Justice Dept.), and is mandated by Section 104 of the Illegal Immigration Reform and Immigrant Responsibility Act (IIRIRA) of 1996.[13]
The IIRIRA required that every BCC issued after April 1, 1998 contain a biometric identifier such as a fingerprint, and be machine readable. However, widespread opposition from the business community, which feared that the security features of the new system would result in less border crossing – and hence fewer shoppers and reduced low-cost labor availability – produced several annual delays in the system's implementation. Congress would likely have approved another year's delay, had it not been for the Sept. 11 terrorist attacks.
The Border Trade Alliance (BTA) sent an appeal, dated Sept. 10 (!), 2001, asking for implementation of HR 2276 to extend the BCC deadline by another year. Rep. Silvestre Reyes (D-TX), himself a former Border Patrol sector chief, had been pushing to delay the BCC switchover to “prevent an economic disaster” (Dallas Morning News, Sept. 28, 2001).
Having declined to extend the deadline, and thereby finally having let the new card become mandatory for BCC holders, Congress is now rethinking its decision. The Enhanced Border Security Act and Visa Entry Reform Act, approved by the House, and now before the Senate, includes a re-extension of the BCC deadline to Oct. 2002. Declared Rep. Solomon Ortiz (D-TX): "Merry Christmas to the Southwest border from the House of Representatives ... We know the economic damage the refusal to extend the deadline has done to the border."[14]
[[On April 18, 2002, the Senate unanimously approved the Enhanced Border Security and Visa Entry Reform Act (EBSVERA). Somewhat ironically, this enhanced-border-security act includes an extension allowing the older BCC to be used again, until October 2002 (section 601 [or 602 now?], “Extension of deadline for improvement in border crossing identification cards”). See http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills& docid=f:s1749is.txt.pdf. The act amends IIRIRA 104(b)(2), as it has been extended several times in the past, to now read “6 years” instead of “5 years.” Check that this really means that BCCs will become mandatory again in Oct. 2002. The period Oct. 2001 through April 2002, during which the machine-readable BCC was mandatory, perhaps provides an interesting experiment in biometric ID. How different was this brief period from the period before, in which older cards were acceptable? How different will the border situation be between now and October, when (unless there’s yet another extension) the high-tech card becomes mandatory again? Need to check San Diego, El Paso, etc. newspapers. San Diego Union-Tribune (April 16, 2002) didn’t specifically mention BCC, but described the bill as trying to walk “the tightrope” of security and enforcement on the one hand, vs. commerce and border flow and business interests on the other. The US Chamber of Commerce complained that heightened security after Sept. 11 “dealt a massive blow to the Southwestern economy.” Border inspectors have backed off inspecting every vehicle, for example, and are now conducting random checks. Also note that EBSVERA doesn’t include funding; Congress will have to approve funding (estimated at $3.2 billion over three years) in a separate bill. Fits into a pattern of legislation without appropriations?]]
Clearly, US businesses near the Mexican border are going to be hurt when some shoppers can’t cross the border until they get the new biometric BCC. It seems more likely (though unspoken in the Congressional debate) that more opposition to implementing the new BCC has come from employers of those BCC holders who now can’t get to their jobs. As discussed below, while BCC holders are not supposed to work in the US, many apparently do; attempts to implement the BCC law have led to an informal NIMBY (not in my backyard) movement by their employers.
The delay in, and local opposition to, implementing the BCC switchover – even after Sept. 11 – provides an example of the resistance there would likely be (not all of it high-minded) to National ID.
Like the older BCCs (form I-186 and I-586; see Figure 1 and Figure 2 ), the new "laser visa" (DSP-150; see Figure 3 ) shows the cardholder's name, photo, and fingerprint on the front, but the back of the new card has a mirror-like optical stripe. Embedded in the optical stripe is the person's biographical data, digital photo, fingerprints, and a control number.[15]
[[More details from Haddock Senate Judiciary testimony (http://www.lasercard.com/downloads/files/Haddock%20U.S.%20Senate%2014%20Nov%2001.PDF): 80,000 bytes of biometric data, including image of card holder, FBI quality gray scale fingerprint image, digitized image of cardholder signature; BCC unlike green card also has two fingerprint minutiae files. Is only a single finger included, or two fingers? Or is photo image meant to supplement single finger as a biometric? Data placed on card is updateable, but non-alterable.]]
|
Figure 1 – Old BCC, no expiration (I-586) |
Figure 2 – Old BCC, with expiration (I-586) |
Figure 3 – New BCC (DSP-150) | 
Figure 4 – New "green card" (I-551) |
There is also a new biometric Permanent Resident Card (see Figure 4 ); this is the famous “green card,” though it hasn't actually been green since 1964. As noted above, this study focuses on the less well-known BCC in part because the new biometric green cards are not mandatory. An interesting look at the new green card as a prototype for a National ID appeared in the Feb. 2002 Harper’s (Gregory Dicum, “A Study in Green: My National I.D. Card, Your Civil Liberties”; according to Dicum, fake copies of the new green card can be purchased in Tijuana for $500).
There were reportedly rampant counterfeiting problems with the old BCC. As noted by the Washington Post (Feb. 18, 1998), “At least five versions of the card have been issued, all but the latest with no expiration date. Many have decades-old photographs and are easily used by imposters. Over the years, the Border Crossing Card also has become one of the most counterfeited U.S. documents.” [[Need better evidence than this quotation; what is basis for statement that older BCC was easily counterfeited?]]
The new card's manufacturer, the LaserCard division of Drexler Technology (Nasdaq:DRXR, LaserCard.com), states that the LaserCard “places huge technological and financial barriers in the path of counterfeiters.” According to the San Diego Union-Tribune (Sept. 29, 2001), a Drexler VP states that, “because each card's digital information is tailored to each cardholder, it would be highly expensive and impractical for a counterfeiter to try to reproduce them.... ‘It's not something that you can make in a basement.’”
Indeed, as noted above, and as shown in the figures, Drexler calls its product the “World's Most Secure ID Card” and the “World's Most Counterfeit Resistant Card.” (While the figures happen to show the Permanent Resident Card, the same technology is used for the BCC.)
Figure 5 – From the vendor's web site, LaserCard.com
One key feature of the card is that the cardholder’s photograph is digital, and part of the media itself; it is not pasted in. There is a total of 4.1 megabytes Write Once Read Many (WORM) optical storage on the card, allowing an audit trail with up to 35,000 updates. Any unauthorized attempt to alter the card is supposed to lead to either a clear audit trail or destruction of the card.
Drexler also is responsibility for Italy’s smart-card ID, the Carta d'Identità Elettronica (CIE). According to Wired (Dec. 2001), though, Italy had only issued about 200,000 CIEs; the goal was to issue a CIE for all 55 million citizens before 2004.
To use the BCC as a way of seriously asking how a National ID would work, we should first look at how the new biometric BCCs are issued. Even if the BCC experience were argued to hold no direct lessons for a National ID, thinking through the processes involving the BCC – how is it issued?, when is it checked?, how is it checked?, etc. – would by itself still give us a better handle on what the phrase “National ID” really means. The monolithic abstraction “National ID” needs to be broken down into its component parts in order to be understood.
How does someone get a BCC, or if they already have an old BCC, how do they get one of the new biometric cards?
The applicant must have an in-person interview. No phone or mail (and certainly no Internet) applications are accepted. This makes perfect sense. If we are interested in having secure ID, we require confidence in the process by which the ID is handed out in the first place. Each request for a National ID – all 200 million or so of them – would have to be carefully handled. (Contrast for example the initial SSN project, in which over 35 million SSN cards were generated, largely by the post office, in 1936-37.[16])
The BCC interview process has led, however, to very long delays. In early October 2001, the Associated Press was reporting that US consulates in Mexico were not able to schedule appointments until March 2002. Already, scams are being reported, such as a business in a Brownsville TX strip mall that charges over $100, supposedly to help set up application appointments, after which one still has to wait the same number of months.
The consulates could in theory hire a lot more people, but quick hiring of personnel responsible for security decisions leads to “insider” problems (see below). It has also been noted that it might be easier to get a card from some consulates than from others (“consular shopping”).
|  |
Figure 6 – Also from the vendor's web site, LaserCard.com
When individuals have their BCC interviews at a US consulate in Mexico, they must present their IDs (see “Breeder Documents ,” below) and have their photographs and fingerprints taken. They must also present proof of a fixed address in Mexico, with utility bills and/or pay stubs being commonly accepted documentation. This measure appears to offer some genuine deterrence. Only about 70 percent of regular BCC applicants get the card; the most common reason for rejection is that the applicant is unable to prove a fixed address. [[Earlier said that 15% of applicants are not approved – which is it??]]
The relatively high rejection rate creates an additional need for care in determining the accuracy of the original documentation. One in-depth study from the US Commission on Immigration Reform states: “Several informants we interviewed in both El Paso and in Juarez averred that the purchase of false pay stubs, birth certificates, employment letters, utility receipts, and the like was not uncommon among persons who desired a BCC but not could not otherwise obtain the necessary documents.”[17] While this statement is from 1994, the switchover to the biometric BCC would obviously not in itself affect the availability of fake pay stubs and the like.
A criminal background check is run on all BCC applicants. However, this apparently wasn’t the case as recently as 1995, when a GAO investigation found that routine background checks were not being conducted, “in order to promote ‘facilitation’ across the border.”[18] It is worth noting that you can have the best biometrics in the world, and they wouldn’t help at all with this problem; it has to be addressed separately.
Even when criminal background checks are being run, it matters a great deal what is being checked. Do you take the name proffered by the applicant, and run that through the system to see if anything turns up under that name? Clearly, applicants could be presenting incorrect names. Therefore, their biometric itself (e.g., fingerprint), not the name, must be used as a database lookup. This is discussed in more detail below (see “1:1 vs. 1:N Lookup ”).
There’s one interesting twist to the BCC interview: the role of maquiladoras (foreign-owned factories along US border in Mexico). According to the Houston Chronicle (July 22, 2001), the US “effectively delegates responsibility for administering the special visas to foreign-owned factories in Mexico.... Daunted by the task of replacing the old documents and issuing new ones, the border consulates began allowing maquiladoras to do a lot of the paperwork and applicant vetting…. some Mexicans work in a maquiladora long enough only to get a laser visa and then disappear.” The article notes that “an ‘interview’ … seldom consists of more than typing each applicant's data into a computer. Later, the information is cross-checked against United States law-enforcement records to eliminate those who have run afoul of the INS. Photos are taken for applicants' identification cards, and each applicant submits to a fingerprint scan. The whole process takes less than 15 minutes per person.” According to researchers at Tijuana’s Colegio de la Frontera Norte, of the more than 40,000 workers commuting daily to jobs in neighboring San Diego, at least 4,000 do so with a laser visa; “Those using their visas to earn a casual income in the United States effectively subsidize the payrolls of companies employing their relatives in maquiladoras.” [[Need to explain this better: how does BCC misuse subsidize maquiladoras? Also, need a sentence on role of maquiladoras in the economy?]]
In contrast to the 30% rejection rate noted above, the rejection rate for those applying via maquiladora is only 1% (Migration News, August 2001). This would seem to be an area ripe for fraud.
Even if the maquiladoras’ rapid rate of 15 minutes per person is taken as a model for vetting this valuable ID, extrapolating this to a National ID in the US means that about 3,000 employees would need to work for ten years, just to conduct the interviews. If it is thought that the National ID has limited usefulness until everyone is carrying one, then cramming all the interviews into a single year would require something like 30,000 employees. Similarly, a Sept. 1997 Social Security Administration report estimated it would cost $10 billion, and take 10 years, to issue tamper-proof social security cards with pictures, fingerprints, work history and earnings for the 270 million social-security accounts. For $4 billion, the agency said it could issue simpler IDs that resemble credit cards.[19]
It was noted above that, during the BCC interview, someone must present ID: to get ID, you must present ID. Documents, on the basis of which other documents are issued, are called “breeder” documents. The birth certificate is the classic breeder document.
What documents must be presented during the BCC interview? The applicant can either present an old-style BCC along with a recent photo ID, such as a Mexican passport, or “In lieu of a passport, a voter registration card is the preferred identity document.” If applying for a first-time BCC, the applicant must have valid Mexican passport. “We were willing to accept the Mexican Certificate of Nationality, issued by SRE (the Mexican Foreign Ministry), but the Ministry decided that the Certificate was not intended for general issuance.”[20] [[More on certificate of Mexican nationality (CMN): see State Dept. rule on BCCs, Aug. 19, 1999 (http://www.vkblaw.com/news/twohundredthirtyfour.htm).]]
What, then, are the requirements for a Mexican passport? Men must present a birth certificate, photocopies of their military card, and photocopies of another picture ID. Married women must present their birth certificate and marriage certificate. Single women present a birth certificate and a photo ID.[21]
The mention of the Mexican voter registration card is interesting because it has been claimed that this sophisticated piece of biometric ID, issued to 60 million voters, was successfully used in the 2000 elections to prevent voter fraud. Since this was the first Mexican election since 1929 not won by the PRI, this is a significant claim that deserves further research.[22]
At any rate, birth certificates are at the root of the ID system. Any insecurities in birth certificates percolate up through the system.
[[Fix this section. BCC depends on Mexican IDs. Then study jumps to talk about US birth certificates. But a US anti-terrorist ID might well depend on IDs issued by other countries, so the study should probably stick with Mexican IDs for a while longer, before moving on to the discussion of US breeder documents.]]
Though we’re talking about Mexican birth certificates here, it is worth noting that, according to the Dept. of Health and Human Services’ Sept. 2000 report on “Birth Certificate Fraud,” 6,417 different state and local entities in the US issue birth certificates (New York state is the leader, with 1,505 counties, cities, and townships issuing their own birth certificates; a few states, such as Idaho and Virginia, have a single state birth certificate).[23]
The New York Times (May 29, 2000) ran a lengthy article by Renwick McLean on the birth certificate as the “soft underbelly” of ID in the US: [[Following quotation is much too long; just use a little bit.]]
“the birth certificate can open the door to other documents... California, home to 40 percent of the 5 million to 6 million illegal immigrants that the immigration service estimates live in the United States, is particularly vulnerable to birth certificate fraud. An official at the Ventura County recorder's office said that to get a certified copy of someone's birth certificate, ‘you just need to know the name on the birth certificate and the date of birth.’ The cost is $12, and the wait about 15 minutes, she said.... While studying the issue as a member of the Commission on Immigration Reform, a bipartisan group formed by Congress in 1990 to study United States immigration policy, Michael S. Teitelbaum was so shocked to hear how easy it was to get someone's birth certificate in California that he decided to try it. He went to the county clerk-recorder's office in Orange County and requested the birth certificate of someone he knew was born in the area. Within 15 minutes, he had a certified copy of the person's birth certificate. ‘I basically walked out of there shaking my head in disbelief,’ said Mr. Teitelbaum... Now that office says that people asking for birth certificates in person may be asked to show picture identification. But all that is needed by mail is ‘the person's full name, date of birth, and a credit card number,’ an official said.... In most states, however, the full names of both parents, including the mother's maiden name, must be provided to get a birth certificate. But critics say that the system is only as strong as its weakest link, because a birth certificate from a state with loose restrictions can be used to establish residency and employment eligibility in any other state. And even in the strictest states, the information required for obtaining a birth certificate can often be found easily, critics say. One way is to scan the obituary pages of a local newspaper and write down the background information on a person of the appropriate age. Since most states do not match death and birth records, or do so very slowly, experts say, illegal immigrants assuming the identity of the recently deceased face little risk of detection. The fraudulent acquisition of valid birth certificates is only part of the problem. The I.N.S. says that birth certificates are vulnerable to counterfeiting, largely because there is no single national standard for them. Instead of one version, thousands of different but valid birth certificates flow from the more than 7,000 local and state agencies authorized to issue them…. In 1994, the Commission on Immigration Reform recommended that the federal government adopt one standard design for all certified copies of birth certificates. Almost six years later, no such design exists. The commission also recommended a nationwide system for matching birth and death records..."
[[Insert discussion of IIRIRA §656: “Improvements in identification-related documents – standards for birth certificates and identification documents (including drivers' licenses) by Federal agencies; matching of birth/death records.” (§657: “Development of prototype of counterfeit-resistant Social Security card – to include security features; cost studies mandated.”) Sounds like there was very little thought put into the drivers license proposal: “In deference to Simpson we gave him a stupid little provision to do with driving licenses with biometric information” (quoted in O’Hanlon, The New Irish Americans, p. 106). §656 repealed by H.R. 2084 signed by Pres. Clinton on Oct. 9, 1999; Pub. L. No. 106-69); opposition of Ron Paul and Bob Barr (http://www.house.gov/paul/legis/106/hr2337.htm); most debate was over drivers licenses in 656(b), but 656(a) had to do with birth certificates. Following should talk more about drivers licenses, and the AAMVA effort? But can’t use earlier successful efforts against de facto national ID, as evidence now that national ID wouldn’t work – unless if there was also business opposition to 656. PL 106-69 repeals only 656(b); 656(a) on birth certificates still stands, unimplemented (and unimplemented law can be used to show possible unworkability of national ID). See http://www.house.gov/judiciary/ib072299.htm; http://www4.law.cornell.edu/uscode/5/301.notes.html. Need to discuss identity theft here; a privacy+security issue, though the privacy depends ironically on better record matching? (Trade-off “petty privacy” for real privacy?) Matching records, such as birth certificates with death records, is more difficult than it might seem, even for statistical rather than individual ID purposes. A good intro is Ivan P. Fellegi, “Record Linkage and Public Policy – A Dynamic Evolution,” Record Linkage Techniques – 1997, http://www.fcsm.gov/working-papers/fellegi.pdf]]
Any National ID system in the US would first have to fix the birth certificate problem: for example, have at most a small handful of standard birth-certificate formats, so that examiners gain a better sense of whether they are looking at a genuine certificate or not; and check all birth-certificate requests against death records, to prevent identity vampirism (identity theft of the dead).[24] Some states allow persons born there, whose births were never registered, to create a “delayed certificate of live birth”;[25] this is perhaps another security hole. Sometimes baptismal certificates are accepted as substitutes for birth certificates; these seem easy to come by (for example, Ahmed Rassam, who confessed participation in a plan to bomb the LA airport during New Year’s 2000, obtained a valid Canadian passport on the basis of a stolen blank baptismal certificate; Coyotes, Ted Conover’s travelogue on illegal immigrants, mentions in passing the apparently successful use of a Mormon Certificate of Baptism as ID).
Given this well-known breeder document problem, then, it seems odd that Larry Ellison, interviewed by Steven Levy (“A Techie’s Solution,” Newsweek, Oct. 29, 2001), cannot imagine any way that terrorists could spoof his National ID card:
“What if terrorists or criminals learned to ‘spoof’ the system? Is there a danger of putting too much trust in such a system?”
“I do this for a living. If you can explain to me how the system can be spoofed, I’m ready to listen.”
“Any system can be compromised.”
“I don’t know how it can. Maybe there’s someone smarter than I am and knows more about this than I do, but I can’t figure it out.”
It’s good to have counterfeit-resistant cards, but is this really where the vulnerability is? Certainly, if a card is easy to counterfeit, then this is an obvious hole. But even if you make an ID card nearly impossible to counterfeit, then the vulnerability moves: you now have to ensure that it is not easy to get a valid card, on an invalid basis. As long as insecure documents such as birth certificates are the root of the ID system, then securing higher-level documents like the BCC seems at best a partial measure, and at worst an illusion. [[Perhaps a better question is, where do you want the vulnerability to be?]]
Another way the system can be subverted, without attempting to manufacture the cards themselves in one's basement, is through bribery. A Dept. of Justice (DOJ) audit report on "Document Fraud Records Correction" (Sept. 1996), discusses several cases in which INS employees sold legitimate INS documents to illegitimate recipients.[26] The DOJ audit report notes that "The temptations and rewards for selling these official documents are great"; an old BCC would apparently sell for about $325. The newer laser visa has many more steps in its production process which should make such insider jobs more difficult to pull off, but the same DOJ audit also pointed to “inadequate inventory records and security for controlled documents and for equipment,” cases in which equipment went missing, lax security with respect to unauthorized database access, uncertainty over how to deal with fraudulent database entries, and so on.[27]
The DOJ inspector general, noting the doubling of INS personnel along parts of the border since 1993, warned in 1997 that “Experience in other contexts indicates that massive law enforcement hirings may be accompanied by increased police corruption because of the great susceptibility of new recruits to temptation or because corners may be cut in screening and training the new hires.”[28]
The DOJ inspector general also noted that “The mix of low paid employees, easy money in big sums, and relatively low risks makes for an extraordinarily volatile and risky situation…. An INS or Customs employee is not required to do very much or take much of a risk in order to earn a bribe. One or two bribes a year can effectively double an employee's income.”
Even if the vast majority of INS employees are honest, clearly there is a potential “insider” problem. In computer security, it has become clear over the years that the old firewall model of “a hard crunchy shell with a soft, chewy inside” (as described by Bellovin and Cheswick in their Firewalls and Internet Security) makes the unwarranted assumption that all insiders are trustworthy.
There is an important relationship between the insider problem and the issue of employee monitoring: one person’s audit trail is another person’s workplace surveillance.[29]
It was just suggested that quickly adding more employees, as part of a campaign to beef up security, can ironically lead to additional security problems among susceptible new recruits. Another example of the same phenomenon – adding security can, in certain circumstances, reduce security – involves the complex process needed to manufacture the new counterfeit-resistant BCCs.
A Drexler VP was quoted earlier to the effect that the new card is “not something that you can make in a basement.” But this also suggests that producing the cards is a fairly slow process. [[No, one doesn’t necessarily imply the other. Rework.]] According to Drexler's annual report, it is currently producing about 200,000 per month.[30] As noted above, over the life of the program, about 100,000 cards have been issued per month. (To be unfair, at this rate it would take over 100 years to issue a similar card to everyone in the US.)
Partially as a result of the time-consuming production process, and also because of the in-person interviews needed to apply for the card, there is a substantial backlog. Long delays are not simply a matter of inconvenience: they can also subvert the whole security process. Between the time of someone's approval for a card, and the time they actually receive their new security-enhanced card, officials at the border will accept their old “mica” BCC, if it bears a sticker indicating that they have been approved for the new card (AP, Oct. 1, 2001). (An INS press release from Sept. 2001 states that the stickers were due to expire on Dec. 31, 2001.[31])
Placing stickers on older cards raises obvious questions about how counterfeit-proof such stickers are. (A national ID card would obviously have similar backlog and “catch up” issues, lasting many years longer.)
The DOJ is already familiar with this problem from the history of replacing old green cards. A report by the DOJ Office of the Inspector General (OIG) from August 1997 notes a “6 months to 1 year waiting period between replacement card application and receipt of a card. The delays undermine the integrity of the identity card system, as the INS must use easily counterfeited temporary stamps so applicants may obtain employment and public benefits in the interim.... INS Forensic Document Laboratory personnel suggested to us that a sticker with a holographic label affixed to temporary documents could improve the security of these documents. In our judgment, a reduction of the waiting period from application to card receipt would be the best solution.”[32]
While referring to green cards, this clearly shows the security dangers of long delays in the card issuance process: “The delays undermine the integrity of the identity card system.” Delays are not simply a matter of inconvenience. When these delays are themselves caused by security measures, it nicely points up the way that increased security measures can themselves sometimes undermine security.
We’ve seen that, even assuming the card itself is counterfeit-resistant, there are several holes in the card issuance process: it appears to be readily spoofable with invalid downstream “breeder” documents such as birth certificates; the maquiladora program seems open to abuse; it’s unclear if criminal background checks are being done on identities, rather than on given names; there is a potential for bribery (caused partly by overly-rapid hiring to beef up security); and delays in producing secure cards require insecure temporary stickers.
This set of potential holes matches to some extent the findings of the DOJ OIG:
“The new biometric identification card, known as the laser visa, has shown to be more tamper-proof than previous documents. However, many problems reduce the effectiveness of the program, such as the lack of laser visa processing equipment at consular posts in Mexico, an inadequate criminal database against which to check applicants, and delays with biometric card production.”[33]
A National ID program would need to carefully address each of these issues. Most of them are not really technical, but social issues. They cannot be finessed with biometrics.
Okay, we’ve been issued our BCC. Now what do we do with it?
Actually, we are skipping over an important step here: delivery of the card from the manufacturer to the cardholder. Is there anything that could go wrong here? Yes, the San Diego Union-Tribune (March 16, 2001) reported that a DHL delivery truck, carrying 6,000 BCCs worth as much as $9 million on the black market, was seized in an armed heist. Smugglers were expected to obtain many of the stolen BCCs, “and if you want to get across the border they will look through their piles for one that has a photo that looks like you.” This apparently works, despite the biometrics on the card, because of implementation problems at the border that we’ll discuss in a moment. Even with these problems, though, you would think that the stolen card numbers could be retired, and detected if anyone tries to use them. This gets into revocation issues, which this study does not examine,[34] but which are a crucial feature of any ID system; for now, note that being able to revoke an ID depends on scanning it, rather than just looking at it, unless lists of bad IDs are distributed, as used to be done with credit cards. (By the way, it later turned out that the heist was an inside job involving a DHL employee and Tijuana police.)
Earlier, we saw that there has been widespread local opposition to the BCC switchover, and that Congress may even repeal it. In the meantime, however, BCC holders are required to have the new biometric, machine-readable card. What happens as we approach the border with our BCC, for example at the Tijuana/San Ysidro crossing just south of San Diego?
The amazing thing, after all the talk of heightened security, is that, if we “look American,” we’re waved through with barely a glance at our ID. Anyone who can pass as an American citizen, based perhaps on some fairly narrow prejudice as to what an American looks like, won’t have their ID swiped through a card reader. You might be asked what you were doing in Mexico, and how long you were there, but that’s about it. Given the long lines of both cars and pedestrians (there are about 800,000 legal crossings each day from Mexico into the US, about 16% of them on foot), there’s not much more that the border inspectors can do. It’s important to note that long delays are not just a matter of inconvenience: in late October, two children reportedly died from carbon monoxide asphyxiation while waiting in line to cross from Ciudad Juarez to El Paso; others have become dehydrated from long waits in the sun. [[Is there any positive incentive in place for inspectors to be vigilant?]]
What if you present a BCC? How are the biometrics employed? Section 104 of the IIRIRA said, “an alien presenting a border crossing identification card is not permitted to cross over the border into the United States unless the biometric identifier contained on the card matches the appropriate biometric characteristic of the alien.”
Yet, several trips through the Tijuana/San Ysidro crossing in February 2002 showed that while BCCs were being swiped through card readers, there were no fingerprint readers, so the inspector has maybe 45 seconds to see if the picture on the card looks like the cardholder. At least in primary inspection (there’s a separate building if you get bounced over to “secondary”), there is no automated way to see that the cardholder matches the card.
The same thing was observed in an AP story (Oct. 1, 2001) describing the Tijuana/San Ysidro crossing:
“Inspectors there have machines that can read basic data from the new cards with a small, tabletop device. They do not have the advanced readers that show a digitized photo and fingerprint.... Some border points still lack the machinery to read the cards. Without the machines, US authorities must eyeball them the same way they did the old ones, in essence rendering the new security features meaningless.”
According to the New York Times (Oct. 29, 2001), in El Paso, the INS had yet to install card readers. Rep. Silvestre Reyes stated, “They haven't identified the equipment they need. They don't even know yet how much it'll cost.” Richard Duran, who oversees the El Paso crossing at the Bridge of the Americas, “said the installation of the machines to read the laser visas might actually lengthen inspection times because inspectors checking cars full of passengers would have to swipe several visas through the machine” rather than just one for the driver.
[[Confirmed by Drexler itself. Drexler pres. Richard Haddock testimony before the US Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, Nov. 14, 2001, “These cards have effectively eliminated counterfeiting, which was a major problem before the INS issued the first optical cards in 1997. However, neither of these programs has fully realized their true potential because the biometric features have never been used in automatic card readers” (see http://www.lasercard.com/downloads/files/Haddock%20U.S.%20Senate%2014%20Nov%2001.PDF). Similarly, testimony of Paul Collier of the Biometric Foundation, Oct. 12, 2001: “Currently, there are no systems in place to read the biometric data and authenticate the cardholders” (http://judiciary.senate.gov/oldsite/te101201st-collier.htm). Confirmed by INS spokeswoman Kimberly Weissman: “the card readers have not been deployed to the ports of entry.” INS made a FY2001 budget request “but was denied the funding” by OMB. According to Government Executive magazine (Nov. 16, 2001), “some close to the card reader project have been skeptical about the INS’ commitment to the project.” It’s starting to sound like something is absurdly wrong here: INS was sold a card technology without the system to read the cards (http://www.govexec.com/dailyfed/1101/111601h1.htm). However, a corporate profile of Drexler, by Raymond James & Assoc. (http://170.12.99.3/researchpdf/DRXR021902IOC.PDF), states that “because the LaserCard is highly resistant to alteration or counterfeiting, it can also be used on a stand-alone basis without a reader. For example, the INS has issued approximately five million cards for its LaserVisa program, but has not yet purchased R/W drives for field deployment. Instead, field agents are trained to visually compare the cardholder's appearance against the card's printed color photograph and the laserengraved ‘holographic’ image. If all three images match, the cardholder is granted entry.” Is this the only advantage of the new cards? Is it a significant advantage? Has INS basically lost interest in being able to machine read the cards?]]
[[Note somewhere that Identix fingerprint scanners are available at consulates for BCC applicant interviews (http://www.fbodaily.com/cbd/archive/2001/06(June)/25-Jun-2001/63sol001.htm).]]
Without fingerprint readers, the card really can’t be verified against the cardholder. It was noted earlier that the widest form of misuse of the old non-machine-readable BCCs, and a major reason for the switchover to the new card, was not counterfeiting the card, but having a valid card that wasn’t yours. According to a US Commission on Immigration Reform report from 1994, “While almost no one attempts to cross with an altered or fraudulent BCC, a fair number of people seem to attempt to cross with someone else's card, presumably betting on lax inspection of the photograph it bears on the part of INS personnel at the port of entry.”[35] For example, a card can be legally acquired, then sold to a document “gang,” who can then rent the card out to someone who looks like the picture on the card, who can use the card to cross the border, and then mail the card back (what happens then, if the person is found inside the US, without the BCC, is discussed below in the section on “interior enforcement”).
Without fingerprint readers, then, it appears as if the new BCC with its sophisticated Drexler technology, solves the wrong problem. Instead of making it more difficult for the wrong person to use a valid card, instead it was made more difficult to create illegitimate cards.
Why does the INS apparently not have enough machines to read the new machine-readable cards, and not have equipment to compare every BCC holder’s fingerprint with the biometrics on their card?
Like many sagas involving the INS, this one appears to be long and complicated. According to the INS, Congress and the General Accounting Office (GAO) won’t give it the money. Each reader costs only about $3,000; the INS probably needs around 1,000 of them. According to the New York Times (Sept. 29, 2001), the INS
“asked Congress for money to buy the machines two years ago but was turned down because the agency did not know exactly what kind of equipment it needed, said Russ Bergeron, a spokesman for the immigration service. Now the agency knows what it needs to scan the border cards but does not have the money, Mr. Bergeron said.... The immigration service hopes to get financing for the scanning machines as part of a budget request that the Justice Department, the agency's parent, is putting together to help deal with the terrorist attacks, Mr. Bergeron said."
But why would Congress be so stingy over a few million dollars? Embattled INS commissioner James Ziglar has repeatedly asserted that Congress had declared a “moratorium” on machine readers to go with its machine-readable cards. In fact, it appears that Ziglar is referring to a moratorium on further deployment of the separate IDENT system, and that Ziglar would like to get 1,100 IDENT workstations (with a two-fingerprint recognition system) to also check BCCs.[36] IDENT is the INS’s database that maintains information on every apprehension; it includes fingerprints for each apprehendee; IDENT also includes a “lookout” section in which, for example, criminals and recidivists (those with a dozen or more illegal crossings) are noted.
The IDENT moratorium will be discussed later in more detail (see “The Central Database ”), but in essence, at the time of the nine serial murders in 1998-9 by the so-called “Railroad Killer,” Rafael Resendez-Ramirez, the Border Patrol had repeatedly apprehended Resendez illegally crossing the border, and then voluntarily returned him to Mexico, unaware that he was wanted by law enforcement. INS employees had been contacted by by police about Resendez, but had apparently not placed a “lookout” for him in the IDENT database.[37]
In July 1999, the House Committee on Appropriations raised doubts about IDENT’s ability to identify wanted criminals apprehended by Border Patrol, and in particular asked why IDENT was not integrated with the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) database; the committee directed that the INS suspend further deployment of IDENT until it submitted a plan for integration of IDENT with IAFIS. The congressional conference report for the DOJ’s 2000 appropriations included a moratorium on further deployment of IDENT.[38]
While it is commendable for the INS to want to use an existing system such as IDENT to do double-duty for checking BCCs, it sounds passive-aggressive for the INS to apparently insist on using technology on which a moratorium has already been placed, and then to turn around and complain that it can’t intelligently use the biometrics on the BCC because a moratorium has been placed on the technology.
The current troubled state of the INS should make us cautious about extrapolating from its experience with the BCC to the US as a whole. It may seem as if we have picked, for our case study in National ID, a notoriously “incompetent” agency (though, as noted towards the end of this study, there are structural reasons for the INS’s difficulties, rooted in the US’s deeply conflicted attitude toward illegal immigration). Tthe INS’s inability to get card readers to go with its machine-readable cards seems consistent the same agency’s approval of student visas for two notorious dead hijackers, Mohamed Atta and Marwan Al-Shehhi (Boston Globe, March 13, 2002). What can this troubled agency really tell us about National ID?
But the INS is not alone in having biometrics that are all dressed up with nowhere to go. For example, the California State Auditor in Oct. 2001 reported that while it had been collecting fingerprints for the past 20 years, California's DMV “does not obtain the benefits of such technology” because many of its fingerprints are of poor quality; the state takes thumbprints, but basically does nothing with them; the state has photographs, of course, but it also fails to use these sensibly.[39]
National ID advocates point to such ironies as precisely why we need a national ID system. It is often said that “we already have National ID, in the form of drivers license and social security cards; we just need to fix it.” The author will note how many times that week he had to show someone his drivers license. But show is the key word here. How many times have they had their drivers license, not quickly eyeballed, but swiped in a card reader, which is linked back to a central database?
It definitely does happen. See an interesting New York Times (March 21, 2002 ) article by Jennifer 8. Lee, “Finding Pay Dirt in Scannable Driver’s Licenses,” that describes how bars in Boston are buying $2,500 Intelli-Check systems – presumably like the ones that INS doesn’t have – and using them to make sure that patrons are over 21, and then also using the scanned-in personal data for marketing). The technology is cheap enough, and becoming cheaper: Moore’s Law is often what drives the adoption of new ID systems. [[Need to explain Moore’s Law?]]
But a National ID would require that the equipment that the INS had not managed to acquire in the year 2001, despite passage of the original law in 1996, would need to be available nearly everywhere. How realistic is this? Or, perhaps the lesson of the Boston bars is that this will only happen if card reading is turned over to the private sector, who would also be allowed to use personal data for marketing as they see fit.
In any event, there is an enormous difference between having someone take a quick glance at an ID card, and feeding it through a card reader, linked to a central database, and connected to a fingerprint reader (or other biometric input device) that matches the cardholder with the card. It may possibly be that National ID is a good idea, but if it is, it would represent an enormous change from the current situation. National ID advocates frequently downplay the significance of their proposal with claims that “we already have national ID, we just need to fix it.” That the INS has the cards, but not the equipment, should tell us something – and not just that the INS has problems. It tells us that we currently have nothing at all like National ID.
Let’s say that there are fingerprint readers. What exactly are they checking? If it is simply that the cardholder’s fingerprints match the fingerprints stored on the card, that seems like an easy enough task. The new BCC not only has a visible photo of a fingerprint, but also contains a machine-readable representation of the fingerprint – this, in a way, was the whole point of the new cards. This type of verification involves a 1:1 check: does this cardholder match this card? The accuracy rates for such a check are pretty good, even though we’re dealing with non-discrete, real-world data.
If you read through the claims made for biometric ID cards such as the BCC, though, it becomes clear that the popular (and congressional) expectation, and the promises upon which the technology is sometimes sold, is a little different from this mere 1:1 check.
For example, what is to keep someone from applying for multiple cards under different names? Note that many names having multiple forms and spellings: Arabic names for example are transliterated; Mexicans frequently but not always use both the mother's and father's last name. The promise of biometrics is that you can basically discard the given name, or ID number, and use the fingerprint itself, for example, as a database lookup: has anyone with this fingerprint already applied for a card? This is a 1:N check, using real-world data as the database index. How good is it, when N is large? In a large population, how difficult is to balance false negatives (catch everyone who needs to be caught) against false positives (don’t create 10-hour waiting lines)?
How long would it take to uniquely identify one of the four million BCC holders, given only the fingerprint of a BCC holder? This may not seem to be an issue. After all, when someone presents their BCC, you can first do the 1:1 check that the cardholder matches the card, and then use the card number as a database lookup. But what happens when someone isn’t carrying a BCC? This was one of the big problems with the BCC: “Mexicans headed for big cities in the north are also using such cards to cross the border, then mailing the cards back to their homes in Mexico before proceeding north to look for work. If they are captured, the aliens tell the INS that they slipped across the border illegally.”[40] To have any hope on stopping this mis-use of the BCC, all apprehendees would need to have a 1:N check done of their fingerprints (stored in IDENT) against the BCC database.
If such 1:N checks are widely used, then the ID card itself becomes irrelevant; your fingerprint is your ID. How feasible is this for the 200 or 250 million people who would have a National ID in the US? Not just technically feasible, but also socially: would it be able to overcome the “Mark of the Beast” overtones?
One alternative is to just have a (presumably) smaller database of the people you don’t want in, rather than a larger database of the people who you do. This has been one of the approaches of facial-recognition companies, which assert that – had facial recognition systems been in place in Portland ME on Sept. 10 and the morning of Sept. 11, when security cameras at ATMs, gas stations, and the airports caught last images of some of the terrorist hijackers – the attacks could have been prevented. What this claim overlooks, however, in addition to the unreliability of many facial-recognition systems, is that your “keep out” images must already be in your watchlist database.[41]
We’ve seen how the BCC is checked. The next question is, what is the BCC checked against?
The earlier discussion of database “lookouts” in the case of the “railway killer” ought to sound familiar. This was an earlier version of the database-linkage debate fueled by the Sept. 11 attacks. On April 26, 2001, Mohamed Atta was stopped in Broward County FL for a traffic violation and was given a citation for driving without a license; on May 2, he acquired a Florida drivers license. Yet his visa had expired. If we could somehow rewind history, we would want the routine stop on April 26 to have led to something more than a citation; we would want the drivers license to be refused on May 2 because of the expired visa. Perhaps without the drivers license, he wouldn’t have been able to board Flight 11. It seems so simple: if only one database had known what the other database knew.
This is really the heart of the National ID idea. It’s not so much the cards, as the idea of a single, centralized database. The card would just be a handle into a national database. According to Larry Ellison, “The single thing we could do to make life tougher for terrorists would be to ensure that all the information in myriad government databases was integrated into a single national file” (Wall St. Journal, Oct. 8, 2002). In an amazing speech to Oracle employees, available on the web,[42] besides asserting that we’ve made it impossible for the CIA and NSA to do their job, that we’ve made it impossible for the government to protect us, Ellison states that we have “too many databases,” that it’s impossible to correlate and cross-check them, that there really is no such thing as a federal “watch list,” but instead a disparate collection of lists like IBIS (Interagency Border Inspection System) and NAILS (National Automated Immigration Lookout System).
We saw earlier (see “Swiping Cards, Reading Fingerprints ”) that the INS doesn’t have all the machines it needs to read and fingerprint-verify BCCs, because it wants to use IDENT workstations, and that it can’t use IDENT because of a congressional order that it first figure out how to correlate IDENT and the FBI’s IAFIS. What all this means is that a BCC may be checked against the BCC database (of course, there’s no such check when the card is just eyeballed by a harried border inspector), but it seems likely that there is little integration with the other databases maintained by the INS. [[Lame; need to back this up.]] Precisely in the way National ID advocates complain, someone could “waltz” into the US on a BCC, even if they’re known to be wanted (though not necessarily under the same name) in another database like IDENT or IAFIS.
IDENT maintains biometric information on every INS apprehension. According to its developer, the Belgian company Keyware (apparently working with Lockheed Martin), “IDENT is an exclusive automated biometric identification system that uses advanced fingerprint and facial identification technologies to search for matches among over 400,000 ‘wanted person’ files and more than 2,000,000 files for people who have been previously detained.”[43] The system was originally adapted from the US Navy’s Deployable Mass Population Identification and Tracking System (DMPITS), which in turn was originally designed by FingerPrint USA, for use in POW-type camps holding mass refugees from Haiti and Cuba.[44]
This sounds like exactly what would be wanted for National ID. Yet we saw earlier that there was a hole in the system in the Resendez “railway killer” case. There has been debate over what the problem was, exactly. In some accounts, it appears the problem was as much one of training INS employees to properly use IDENT. In any case, clearly the biometrics by themselves don’t solve the problem.
[[Federal Computer Week (April 22, 2002; http://www.fcw.com/fcw/articles/2002/0422/cov-ins-04-22-02.asp) reports that “an investigation by the Justice Department's inspector general found that fewer than one out of three aliens apprehended on the U.S./Mexican border were being fingerprinted, photographed and entered into IDENT”; INS personnel often did not have time to take fingerprints and photos and enter them into IDENT; training for IDENT "was ineffective or nonexistent"; there were "virtually no controls in place to ensure the quality of data being entered into" the system. Find original DOJ OIG source for this. INS’s info mgmt commissioner Scott Hastings defends IDENT: it has caught "some real bad guys. It doesn't always hit the papers.” This is an important point: we tend to hear about system failures; when a system works, it’s not news.]]
In March 2000, the DOJ announced a plan to link IDENT with the FBI’s database, but said it could take five years and more than $200 million to complete. [[Why so long?]] Furthermore, “because the INS Border Patrol agents apprehend approximately 1.5 million aliens a year entering the United States illegally, INS requires a process that can record and identify a high volume of individuals in a very short period of time, generally two minutes or less.”[45] It is not clear how this can be matched up with IDENT, since a Keyware official has bragged that the IDENT system delivers “response time in days, not weeks” for law-enforcement collaboration (Federal Computer Week, Nov. 14, 2000; emphasis added).
[[Insert material from Dec. 2001 DOJ OIG report on “Status of IDENT/IAFIS Integration” (http://www.usdoj.gov/oig/inspection/I-2002-003/index.htm). For example, a 1:N lookup in IDENT takes about 2 minutes, an electronic 1:N lookup in IAFIS takes about two hours; paper lookup takes several days.]]
Thoroughly assessing the call for a single national database would also require an in-depth look at the history of database linkage in the US, including not only other INS programs such as “Systematic Alien Verification for Entitlements” (SAVE), but also the history of widening use of the SSN.
Checking a card against a single national database, rather than against an individual agency database (and even more in contrast with simple checking of the card against the cardholder), raises important security issues. Any type of central database check requires a network connection; what happens if this connection goes down, or is compromised? One touted security feature of the current BCC is precisely that it’s not checked against a central database. Richard Norton of the International Biometric Industry Association (IBIA) testified at a Senate immigration subcommittee hearing that BCCs are “virtually immune to compromise, and the process can be conducted without having to establish a network connection to a central database.”[46] [[This paragraph needs work: could we really have the touted benefits of a single central database, without requiring a network connection?]]
[[On important issue of online vs. offline operation, see Drexler pres. Haddock testimony to Senate Judiciary subcommittee, Nov. 14, 2001: “highly centralized, on-line systems are subject to overload, system-related failures, hacking, and cyber-terrorism. Creating a central database, national identification system that is always online could provide a single point of failure for our entire society if our enemies ever targeted it…. And ID card system should be capable of complete, secure verification of the cardholder to the card without any dependence on a[n] on-line database, although it may be present. The failure of many online systems to be effective, including the INS ‘INSPASS’ program, is their total dependence on a nationwide 100% uptime, on-line database to veriy the cardholder ID and allow entry. Most INSPASS system downtime is due to network and communication failures and has constricted the system to less than 100,000 people across the many years the program has been in place. Having the ability to completely verify the cardholder off-line, using local black-lists in each terminal, would eliminate this problem” (http://www.lasercard.com/downloads/files/Haddock%20U.S.%20Senate%2014%20Nov%2001.PDF). But is this consistent with the goal of having all watchlists (NAILS, IBIS, etc.) tied to a single database, and having the national ID always refer to this single database?]]
Another security issue is the insider problem: there would presumably be huge financial incentives for insiders to alter records in the single national database. The INS has a history of bribery leading, not just to documentation fraud (INS employees improperly providing ID cards such as BCCs, or even blank INS documents), but to database fraud: paying an INS employee to make entries or deletions in databases such as SAVE and NAILS.[47] Oracle’s advertisements boast, “Can’t break it; can’t break in,” but this is a different issue. As a database becomes more important (and the single national database Ellison proposed would be the mother of all databases), the incentives grow for its maintainers to make improper changes. Any national ID would require sophisticated audit trails and employee monitoring.[48] As noted recently by the DOJ Inspector General:
"in several reviews, the OIG has found deficient INS business practices that could open the agency to document fraud…. we have found that there is easy access to INS computers in order to change an entry, to order the issuance of an INS card or benefit, or to erase a disqualifying entry from an applicant's history. Computer passwords are shared and systems are unable to create an audit trail necessary to identify the users who accessed and amended a file. These deficiencies make it easier to make false computer entries that could result in the issuance of seemingly genuine INS documents."[49]
Still, the basic idea behind a single national database seems simple enough: in the case of the BCC, someone provides the card at the border, the card is swiped, they put their finger on a reader which ensures that they match the fingerprint on the card, and the immigration officer immediately knows everything the US government knows about this person. That, even with a lot of the component technology having already been deployed, we are still quite far from this scenario (recall that simply linking with IDENT is estimated as a five-year project, and note that Section 1008 of the PATRIOT Act only calls for a feasibility study on IAFIS use at consulates and ports of entry), tells us that this scenario would actually represent an enormous undertaking.
It also would have dramatic social implications, discussed at the end of this paper. For now, it’s simply worth noting that such a large undertaking would inevitably have to be used for more than keeping terrorists off airplanes, and for keeping housecleaners and nannies from getting to their jobs in the US. The drive to use Ellison’s single national database for all sorts of goals – from the “war on drugs,” to eliminating welfare fraud, to tracking deadbeat dads, to combating tax evasion, to stopping illegal gun sales, to stopping underage drinking and smoking – would be irresistible. Even if every one of these goals is good, we can question whether American society is really ready for this level of consistency and accountability.
We’ve seen how the BCC is checked, and we’ve looked at some implications for a National ID. Now, where is the BCC checked? This may seem at first like a foolish question, since obviously Border Crossing Cards are checked when someone crosses the border. But that this is in fact not at all obvious becomes clear as soon as we ask whether BCCs are checked when leaving the US, as well as when entering; and when we ask the related question of how the card’s 72 hour/25 miles/no work policy is enforced.
How is the BCC’s 72-hour policy enforced? The quick answer is that it isn’t, because the BCC is not checked upon departure from the US. There is in fact essentially no check of any kind when someone crosses from the US into Mexico. On several recent (Feb. 2002) trips across the border crossing at Tijuana/San Ysidro, the long pedestrian ramp leading from the US to the Mexican side was equipped with a single private security guard, from Holiday International Security.
The conventional wisdom is that we only care when someone comes into the US, not when they leave, but how could a BCC cardholder’s compliance with the 72-hour policy even be known (much less enforced) without checking people when they leave the country? (The enforcement distinction is important: an exit check would tell if someone has overstayed, but would obviously not help locate an overstayer until they finally did exit.)
Exit controls are crucial to any considered anti-terrorist National ID proposal. Joseph W. Eaton, author of one of the few book-length studies of National ID (Card-Carrying Americans, 1986), and someone who has presumably devoted many years to thinking about these issues, in a post-Sept. 11 editorial titled “Cards Would Have Tripped Terrorists,”[50] provides the following explanation of how this would have worked:
“Terror agents who entered our nation posing as ‘tourists’ would call attention to themselves if they failed to leave a digitized record of their departure from an airport, a harbor or a border crossing. They would have to start worrying that the FBI and INS would be looking for them.”
In other words, the desired effect of a National ID is only achieved if every departure is recorded, not only from an airport, but also via the US’s land borders with Mexico and Canada. The key is not so much the ID card as the exit control: one can easily have one without the other, and the ID card itself doesn’t perform any function here without the exit control. Note too that the best this achieves is a list of everyone who has overstayed their visa; as noted earlier, actually finding the overstays is a separate matter.
An “automated entry and exit control system” was, according to the Section 110 of the IIRIRA of 1996 (discussed earlier), supposed to be developed by 1998. This system was supposed to collect a departure record from every non-citizen leaving the US, and each departure record was supposed to be matched-up with an arrival record to determine who, upon leaving, had overstayed. The system was also supposed to be able to enable online searching to locate the entry records of those who had overstayed.
BCCs were supposed to play a role in this entry/exit control system. Having a BCC lets cardholders avoid filling out an I-94 arrival/departure card. At the same time, the BCC is intended to be used not only for entering the US, but also upon departure. Because the cards are machine readable, they can – assuming card readers are in place – be swiped upon exit from, as well as entry into, the US, thus giving the INS some handle on the problem of cardholders overstaying the 72-hour limit. According to the US Consulate General in Ciudad Juarez, Mexico, the new cards “will be used to facilitate the implementation of Section 110 of IIRIRA requiring an automated exit and entry control system to be established by the INS.”
On the other hand, as noted earlier, people using the BCC to work in the US may mail their cards back home, and present themselves as having illegally crossed the border, rather than as having legally crossed the border and then overstayed. In this way, they will still be returned to Mexico, but they won’t lose their BCC. But this would also diminish the BCC’s effectiveness for exit controls, except if the card itself were basically ignored, and a person’s biometric always relied upon for the database lookup (see “1:1 vs. 1:N Lookup ,” above).
Like the biometric visa itself, mandated by Section 104 of the IIRIRA, the entry/exit controls mandated by Section 110 were also opposed by the business community; for example, the Travel Industry Association of America, the US Conference of Mayors, and the US Chamber of Commerce opposed Section 110 in the name of “efficient borders.” A fellow of the Alexis de Tocqueville Institution predicted that, if entry/exit controls were implemented, “the borders between America and its neighbors would effectively close.... Americans can say good-bye to inexpensive produce in the markets," and further denied that entry/exit control has anything to do with countering terrorism.[51] The Senate voted three times to repeal Section 110, and while the House voted against repeal, the system has not been implemented.
Now that the Sept. 11 terrorist attacks have highlighted the question of visa overstays, many of those who opposed Sections 104 and 110 of the IIRIRA in the name of “efficient borders” are now angrily asking how the INS could have possibly allowed some of the terrorists to overstay their visas, and how it could have “lost track” of them. As noted several years ago by Migration News (Aug. 1998), a superb publication from UC/Davis, “Many Congressional representatives continue to criticize illegal immigration in general, and then criticize the INS when it engages in enforcement actions that affect their constituents.”
In 2000, Congress passed the “Border Improvement and Immigration Act,” under which Section 110 was amended so that entry/exit controls won’t be required at airports until 2004, and at land borders with Mexico and Canada until 2005.[52] Even after the terrorist attacks of Sept. 11, and the attention they drew to the issue of visa overstays, Section 414 of the PATRIOT Act calls merely for the integrated entry/exit data system of Section 110 of the IIRIRA to be implemented “with all deliberate speed and as expeditiously as practicable,” and makes the “Office of Homeland Security” part of an entry-exit “task force.”
Thus, after five years, and even after Sept. 11, there is really nothing being done to even learn about overstays, much less enforce the rules against them. One reason, as noted above, is opposition from the business community, which sees exit controls as contrary to the spirit of NAFTA, and “free trade” generally. Another reason may be that visa overstays are too small a problem for such a large solution as exit controls. In one test of an automated I-94 system in Philadelphia with selected US Airways flights to and from Munich, 99.6 percent of the 50,896 entry-exit records matched, i.e., only about 214 travelers did not leave as required (and some of these may have left through other airports, or a land border).[53] Meanwhile, Electronic Data Systems (EDS) testimony on the cost of implementing an entry/exit system points out that this would be a large undertaking:
"We assume that at least 700 million traveler arrival and departure records will be captured in the system annually. For example, the automated I-94 pilot demonstrates that an arrival record for a non-citizen traveler uses 360 bytes of storage and the departure record uses 152 bytes. Extrapolating this estimate to the annual volume of non-citizen travelers suggests that a terabyte of storage may be needed for a nationwide system. To put some perspective on the magnitude of this number, the information in this system at the end of one year would be equal to the amount of data stored in the US Library of Congress."[54]
When suggestions are made for large-scale projects such as National ID, we should ask why other large ID projects, required by law, have not been implemented. Sometimes our data-retention eyes are bigger than our stomach.
As noted above, an entry/exit system would at best let the INS know whether a given cardholder has overstayed a visa such as the BCC. It provides no help in actually locating a “visa jumper” or overstay. Yet, the INS is roundly denounced for having “lost track” of the Sept. 11 terrorists, and of “illegal immigrants” generally. For example, a guest editorial in the Seattle Times (Oct. 4, 2002) discusses ways to “learn the whereabouts of millions of illegal immigrants that the Immigration and Naturalization Service admits it has lost track of.”
What does this mean, “lost track”? Is the INS supposed to know the whereabouts of each of the millions of non-citizens present in the US?
Technically, yes. The Immigration and Nationality Act (INA) requires that all non-citizens notify the INS within 10 days of a change of address. The form to use in reporting an address change is AR-11 (INA § 265(a)).[55] This does include the BCC, though of course BCC holders are not supposed to be in the US for more than three days.
Address registration can also be required during an emergency. During the Iranian hostage crisis, the DC Circuit Court of Appeals in Narenji v.Civiletti (1979) upheld the Attorney General's authority to order nonimmigrant Iranian students to report to INS district offices and to demonstrate their lawful status. [[Explain the outrage against the INS that it didn’t know where Iranian students were in the US.]]
However, the INS has stopped reminding non-citizens that they ought to notify the INS of their address and effectively has ceased administering the address-notification requirement. Although failure to give the written notice of address required by INA § 265 is a ground for removal, an INS operating instruction provides that failure of an alien to comply with the § 265 requirements regarding notification of address “shall not normally serve as the sole basis for initiating prosecution” or removal proceedings.[56]
The Alien Registration Act of 1940 and Internal Security Act of 1950 had required the annual registration of all aliens living in the US, but this annual registration requirement (whether or not one had moved) was suspended in 1981. At the time, the INS apparently “acknowledged that it didn't much matter, that the alien registration requirement had been mostly for show, that the registration cards had never been matched up with the aliens’ files anyway.”[57]
Thus, the US is, for better or worse, a long way from knowing where non-citizens are. Yet a National ID card would probably require address registration. Just as Sept. 11 was followed by angry questions over how INS could have lost track of the hijackers (some of whom had given “Marriott Hotel, New York” as their address), presumably the first terrorist attack to be committed (perhaps by a domestic terrorist, such as another Timothy McVeigh, Unabomber, or anthrax mailer) under the regime of a National ID, would be followed by angry questions about why can’t we get our hands on this guy: we’ve got a National ID card now; you mean we don’t know where each cardholder is at least supposed to be living? For the system to be more than a “mostly for show,” feel-good activity, this would eventually have to evolve into something like residential registration offices in Germany;[58] hotels and other forms of lodging would presumably need to take the ID number of each occupant, as happens in some countries. It’s difficult to see how, without such extreme measures, any handle could be kept on someone’s whereabouts. [[This is lame; needs work.]]
In the meantime, note that we already have a national address registration, in the form of the New Hire Database (see “Employment and Employer Sanctions ” below).
We’ve seen that the current system provides no way of enforcing the BCC’s 72-hour policy, or of locating those who overstay. What about the 25-mile policy?
For one thing, just as INA § 265 ineffectually requires that non-citizens inform the INS of address changes (see above), INA § 264(e) requires that they carry their ID with them at all times. This includes the BCC.
What good does this do in enforcing the BCC? According to the INS:
“When passing through the Border Patrol checkpoints typically located at least 25 miles from the border, those Mexican BCC holders not in possession of an approved Form I-94 will not be allowed to pass and may be processed for administrative action.”[59]
In other words, in addition to the border itself, there is in essence a “second border.” For example, on I-5 at San Onofre CA, about 70 miles north of the border (and near the former Nixon home in San Clemente), there is a 24-hour inspection of cars traveling between San Diego and Orange County.[60] [[Also note the Temecula CA checkpoint; see the excellent long description of Temecula checkpoint problems in Ungar, Fresh Blood: New American Immigrants, pp. 53-70.]]
The INA gives the Border Patrol broad authority to conduct searches within a “reasonable distance” from the border. The Supreme Court has generally held that such searches do not violate the Fourth Amendment, and that probable cause is not required to justify a stop or search. The INS has defined “reasonable distance” to be 100 miles. The Supreme Court has given fixed checkpoints (as opposed to roving patrols) very wide discretion.[61]
Why is there this second border? One reason would be to attempt to enforce the 25 mile and 72 hour BCC policies. More important, the Border Patrol is responsible for locating immigrants who have bypassed an official port of entry, and snuck in somewhere along the 2,000 mile border. As noted elsewhere, the practice of mailing one’s BCC back home during an overstay means that some BCC violations will appear as if they were simple cases of someone sneaking under a fence or across the Rio Grande, for example, without any ID at all.
It turns out, in other words, that simply checking IDs at the border is insufficient. Much illegal immigration doesn't actually happen at the border, but inside the country, when someone overstays their visa, for example. Or, to put it differently, the border turns out to be much thicker (100 miles wide) than one would have thought. At least according to some, within this area, pretty much anyone can be stopped and asked to present ID. The phrase “deconstitutionalized zone” has been angrily used (see, for example, US v. Newell, 1975, quoted in a dissent to US v. Guerrero-Barajas, Jan. 2001[62]) to refer to this 100-mile strip. The phrase “Driving While Mexican” has also been used (New York Times, Jan. 26, 2000). If you live within this area, and fit a certain profile, we today have one aspect of National ID, in that you can be stopped at any time and demanded, “papers, please.”
In his discussions of a National ID, Larry Ellison dismisses the idea that the card would have to be carried at all times, and could be demanded at any time: “I’m not saying that police can stop you and ask you for your ID card when you’re walking your dog. I’m saying you must produce the ID when you’re going into a secure location like an airport” (Newsweek, Oct. 29, 2001).
But a National ID would have to be carried and presented much more frequently than Ellison thinks, and even other National ID advocates recognize this. Joseph Eaton’s editorial quoted earlier (see “Exit Controls and Overstays ”), opens by stating, “If Biometric ID cards had been in use, the 19 Saudis and other Arabs responsible for the Sept. 11 terror attacks could not have traveled all over the United States without drawing the attention of law-enforcement authorities” (emphasis added). Clearly, the card itself could not have accomplished this, so to deal with people traveling “all over” the US, by car for example, Eaton is presumably advocating (or assuming) frequent machine reading of the card.
In his The Limits of Privacy, ID card advocate Amitai Etzioni (who, one suspects, has thought about this question a lot more carefully than Larry Ellison) opens the chapter on ID cards with the following definition: “‘ID cards’ are domestic passportlike documents that citizens of many countries, including democracies, are required by law to have with them at all times.”[63]
[[For what it’s worth, the Pew Research Center’s telephone survey of 1,200 adults, conducted the week following Sept. 11, found that 70 percent favored a requirement that “all citizens carry a national identity card at all times to show to a police office on request” (http://people-press.org/reports/print.php3?PageID=32, emphasis added; compare with other results from the same survey, e.g. 26% favored allowing US government to monitor personal phone calls and email, 40% favored allowing US government to monitor credit-card purchases).]]
[[Another advocate of national ID has said that a tamper-resistant Social Security card would serve many purposes, and would hardly ever need be used. Vernon W. Briggs, Immigration and American Unionism, 2001, p. 183: “The utility of such cards would far exceed simply the enforcement of the right to work in the United States. They could be used to reduce identity theft, welfare fraud … and entitlement program abuse…. Such cards would not be national identification cards to be carried by citizens and permanent resident aliens; they would have to be produced only on those few occasions over one’s lifetime when one is hired for a new job – and then only after the hiring decision has been made.” Note that, like Ellison, Briggs says you hardly ever need to present the card, but his occasion (taking a new job) is different from Ellison’s (getting on a plane). Each potential purpose of a card will likely present its own occasion during which the card must be carried and presented. It’s good that each advocate sees a limited use, but worrisome that they each see a different limited use.]]
If we’re just worried about terrorists getting on planes, we may end up “fighting the previous war”; for example, perhaps we now, again, need to be more worried about truck rentals (consider both the 1993 World Trade Center and the 1995 Oklahoma bombings). Consider too Mohamed Atta’s traffic-violation stop in Broward County FL: since this incident has been cited as an apparently perfect illustration of the failures of our current disjointed ID system, then (if we now try to replay the events of 2001 with a hypothetical National ID in place) obviously whatever ID Atta had with him that day would have to have been linked back to the central database. This is effectively the same thing as having to carry a National ID at all times. Or, since Atta actually was cited for driving without proper ID, then whatever biometric the police might have chosen to use from him, would have to have been used as a database lookup; again, this is functionally equivalent to having to present one’s ID at any time.
Again: if the biometric itself is the ID, and if it acts as an index into single central database, then in effect we carry ID at all times, despite reassurances that National ID wouldn’t represent a “papers, please” scenario. The protection against having to present our biometric at any time would then be the Fourth Amendment’s restrictions on stop and search. Racial and ethnic “profiling” show that parts of the population are already not truly covered by the Fourth Amendment, and statements by National ID advocates such as Ellison that we’ve “made it impossible for our government to protect us”[64] sound an awful lot like traditional protests against the Fourth Amendment and its Supreme Court interpretation as an impediment to law enforcement.
The BCC presents another example of how one form of ID – if its policies were actually enforced – would require everyone to have at least some form of ID. How could the BCC’s 25-mile policy be enforced without also checking IDs of non-BCC holders within the 100-mile “second border”? It’s not as if BCC holders have “BCC” tattoos on their foreheads. Since BCC holders can’t be assumed to be always carrying their card, then either ID checking must be outwardly discriminatory based on some “profile,” or everyone’s ID must be checked. This type of ID, when enforced, creates a presumption of guilt. Note that it is really only ethnic profiling – i.e., a double standard – that keeps everyone in this area from having to carry ID at all times. In his book No Justice, David Cole makes a reasonable case that “privacy” and Fourth Amendment protections are currently based on inequality.
[[The American Legion calls for Congress to “Require that all legal aliens carry a counterfeit resistant registration card and that they be required to report, in a specified length of time, to local officials their location and place of employment.” (http://www.legion.org/our_legion/documents/americanism.rtf) Again, how can all legal aliens be required to carry an ID, without also requiring non-aliens to also carry ID?]]
[[Note that California’s unconstitutional Prop. 187 was in part an “interior enforcement” measure: required public employees, including police, nurses, social workers, and teachers, to report to INS anyone who could not prove their legal status in US. See Ono and Sloop, Shifting Borders: Rhetoric, Immigration, and California’s Proposition 187. On the other hand, note sanctuary cities (still?).]]
As with the discussion of address registration, these notes on interior enforcement are obviously half-baked; these parts of the study require more work.
It appears so far that exit controls – necessary to even begin to enforce the 72 hr. BCC policy --have been wildly unpopular, and are unlikely to be implemented any time soon, and that the “second border” (necessary, inter allia, to enforce the 25 mile BCC policy) has possibly already produced a civil-liberties nightmare within 100 miles of the border, all probably without keeping BCC holders within the 25-mile perimeter.
How about enforcing the BCC’s no-work policy? According to Adelita Sandoval, who lives in Tijuana and cleans houses in San Diego, “The pass allows you to cross to the other side in order to spend money, but they don't want you to come over to earn money. So you have to convince them that you're doing one when you're really doing the other.” Such workers, “dressed attractively – even elegantly – for what would be, in fact, a workday of scrubbing floors and toilers.” La migra (the INS) “almost never even ask to see our papers. They look at our hands.”[65] Note that the INS is not looking at their hands for the fingerprints; it is looking to see if the BCC holder’s hands look like those of a middle-class shopper, or a worker. Real-world biometrics? La migra is also reputed to be alert to whether someone wearing fashionable clothes looks like they really “belong” in those clothes; literally the “fashion police.”
For the most part, though, the BCC no-work policy would be enforced as part of a larger effort that gives the appearance of preventing unauthorized work by non-citizens, essentially by deputizing employers as immigration officers.
As the reader probably knows, employers in the US are supposed to check the ID of every new hire, and fill out an I-9 form which is kept on file. If they fail to check ID, or if they accept obviously fake ID, they can face fines. This policy is known as employer sanctions. According to the INS:
"The landmark 1986 Immigration Reform and Control Act (IRCA) legislation changed forever the concept of traditional immigration interior enforcement, making it unlawful to employ an individual without verifying the identity and employment eligibility of an employee at the time of hire, thereby shifting emphasis from the alien violator to the employer.”[66]
[[The I-9 reads in part “I certify, under penalty of perjury, that I have examined the above described documents which were presented to me by the individual named [above] and that the documents appear to be genuine, that they appear to relate to the individual named…” (quoted in Roger Daniels, Coming to America, p. 395). Daniels notes, “Within a year millions of such documents were reposing, uninspected, in the files of employers all over America.”]]
Meanwhile, several sectors of the US economy depend vitally on the work performed by illegal immigrants, and by legal immigrants, such as BCC holders, who are not supposed to be working. The “Nannygate” cases of Zoe Baird, Kimba Wood, and Linda Chavez were newsworthy examples of the prevalence of unauthorized work in the US. It is generally held that the construction, hotel/restaurant, garment, agricultural, and meatpacking industries would collapse without their large reserve army of “undocumented” workers.
While the crucial role of undocumented labor in the US shows that this is all something of a farce, the fact remains that every new hire is supposed to have their ID checked. (This should make the earlier discussion of address registration sound a little less unrealistic than it probably did. Given that we already have employment registration, does residential registration really sound so impossible?)
It is sometimes asked, in all seriousness, why check everyone’s ID, if we’re only interested in keeping out unauthorized workers? Why not just check the ID of non-citizens? It seems obvious, but the mistake underlying these questions was made a while back by the INS:
“In the mid-1990s, the INS began to experiment with a system to verify employment eligibility prior to hiring. Employers voluntarily communicated I-9 form information for prospective or new hires to an office in Washington, DC, which then verified that the documents supplied, such as alien employment authorization numbers, were authentic. However, only non-U.S. citizen employment eligibility was verified. The documents of individuals claiming to be U.S. citizens were not verified. All an unauthorized alien had to do was to borrow bona fide documents or purchase forged ones and claim that he or she was a U.S. citizen. Firms would duly record the corresponding information on I-9 forms, which could be inspected. But alien workers falsely claiming U.S. citizenship could circumvent the verification system in this way.”[67]
This illustrates the point made earlier, that ID systems present slippery slopes. Discriminatory double standards are not only discriminatory: they also create loopholes. To truly enforce the BCC and other no-work policies, everyone’s ID needs to be checked.
[[Also illustrates the earlier point that you often can’t just do a lookup by name or ID number. Another example of same point: following the arrest of 104 airport workers in the DC area, “investigators said checking backgrounds is more intensive work than they had anticipated. Some employees' Social Security numbers were checked against a national database of felony convictions and came back clean, one investigator said, but the workers were later found to have used numbers that were made up or that belonged to others” (New York Times, April 24, 2002).]]
In 1994, the US Commission on Immigration Reform, chaired by the late Rep. Barbara Jordan (D-TX), found that employer sanctions lacked credibility, and that the current methods of worker verification were “too susceptible to fraud, particularly through counterfeiting of documents.” The Commission asserted that “the most promising option for secure, non-discriminatory verification is a computerized registry using data provided by the Social Security Administration [SSA] and the INS. The key to this process is the social security number. For decades, all workers have been required to provide employers with their social security number. The computer registry would add only one step to this existing requirement: an employer check that the social security number is valid and has been issued to someone authorized to work in the United States.”[68]
In other words, this commission, headed by a important civil-rights legislator (who, in addition to her most famous role drafting the articles of impeachment against Richard Nixon, also brought language minorities such as Mexican-Americans under the Voting Rights Act), was saying that, in order to “restore credibility” to US immigration policy, there needed to be a verified national “registry” of the country’s entire workforce.
However, Jordan’s registry was not implemented. Instead, the 1996 IIRIRA simply chose to initiate several pilot projects.[69] Only one of these, in Iowa (because the state drivers license employs a machine-readable SSN), involves machine-readable documents.[70] Thus, our current system is really just the I-9, which is notoriously circumvented with counterfeit documents.
While I-9 forms are hardly ever checked by the INS, which keeps the process miles away from constituting any kind of national employment database, it is worth noting in passing that the US does have a national employment database, connected not with immigration, but with the important goal of locating deadbeat dads and making them provide financial support for their children. The Personal Responsibility and Work Opportunity Reconciliation Act of 1996 created a “National Directory of New Hires” (NDNH), better known as the New Hire Database. Within twenty days of each new hire or rehire, the employer must report the SSN, name, and address of the new hire, along with the employer’s name, address, and employer ID number. While there are also state databases, the NDNH exists because 30 percent of child-support cases involve parents who live in a different state from their children.[71] It would be worth studying this system in more detail, to see whether it meets its goal of arranging child-support payments, whether there have been pressures to use the system for additional purposes, and so on.
Getting back to employer sanctions, while the large amount of under-the-table employment in the US indicates that they have not been a rousing success, have they at least perhaps helped enforce ID systems such as the BCC?
Ironically, the effect of employer sanctions, as currently implemented, has been almost the opposite. A GAO report from 1999 observed that allowing a wide variety of documents to fulfill I-9 requirements had resulted in widespread counterfeiting.[72] Peter Andreas, who has written several important works on immigration and the US/Mexican border, states:
“The perverse impact of the law was to generate an enormous business in fake documents. Since IRCA did not require employers to check the authenticity of documents, they could simply continue to hire illegal workers at minimal risk – as long as the documents looked genuine and they made sure to fill out the proper forms. In the short term, IRCA helped to defuse some of the domestic pressure to ‘do something’ about illegal immigration. But the law’s failures would help make immigration control an even more daunting task in years to come.”[73]
And:
“the primary impact of the poorly designed and minimally enforced employer sanctions was to create a booming business in fraudulent documents. IRCA’s perverse consequences helped set the stage for a powerful backlash against illegal immigration in the 1990s, most acute in California.”[74]
What went wrong? Clearly, the law really didn’t deputize employers as immigration officers, as claimed facetiously at the beginning of this section. But for the employer sanctions to have any effect on unauthorized employment, it would have had to. Because there were no sanctions placed on an employer who accepted anything but the most obviously fake ID, the result was, as Andreas notes, to create a booming market in plausibly fake ID. To have had any other result, the system would have required that there be some verifiable form of ID, and ubiquitous card readers with which to do the verification (perhaps similar to what exists today for credit cards, but with an additional biometric component): eyeballing cards wouldn’t be good enough. This sounds just like the National ID, so National ID advocates may want to view the experience of employer sanctions as another reason for adopting their proposals. But notice that suddenly we see another scenario in which the card would be mandatory: not just to get on an airplane, but also to get a job (shades of Revelation 13:16).
Preventing non-citizens from working would require rigorous document checking by employers (or by third-party background checking services, such as Interquest). The 1999 GAO report quoted above states:
“According to an INS official in Los Angeles, that office has already seized counterfeit versions of the new green card INS began issuing in April 1998. According to this official, the counterfeit cards do not have all of the security features of the new INS green card. While they are easily detectable by trained INS employees, they will appear genuine to untrained employers.”
In other words, either each employer, or the third-party services, would need machine readers for this scheme to work. Note that background-check companies right now appear to depend on the employer having accurate I-9s, and aren't placed to verify the ID itself.[75] This appears to even be true of services such as www.i9check.com that specialize in I-9 forms.
Why is there so little incentive for employers to properly inspect employee IDs? Fines are generally sufficiently minimal – especially given the money saved by paying below US minimum wage, avoiding overtime pay, and avoiding environmental, health, and safety regulations – that some employers view any possible sanction as “the cost of doing business.” [[Insert figures on fines: about $1 per unauthorized worker per year??]] The INS has only a small number of workplace inspectors. Migration News (Jan. 1999) relates two telling points:
“The INS did not request more inspectors to enforce employer sanctions in the FY99 budget; in its FY98 proposal, 130 more inspectors were requested, but Congress did not provide funding for them. In spring 1998, when the INS in Georgia tried to enforce sanctions laws against onion growers, Congress intervened and the INS agreed to stop its raids so that Vidalia onions could be harvested.”
There is a long history of immigration doubletalk in the US, where a supposed “flood” or “invasion” of illegal aliens is deplored out of one side of the mouth, while agriculture and other businesses are guaranteed the undocumented workers they want out of the other. A prime example is the so-called “Texas Proviso” to the INA, which states that “for the purposes of this section, employment (including the usual and normal practices incident to employment) shall not be deemed to constitute harboring” an alien. This amazing exemption, written in 1952 apparently by then Sen. Lyndon Baines Johnson, was eliminated in 1986, but its spirit lives on. No-work policies are enforced sufficiently to help keep down wages, but not enough to seriously reduce the flow of undocumented labor.
Enforcement of the BCC’s no-work policy would likely come only as part of a larger reduction in employment of unauthorized workers in the US, and would represent a major social and economic change (not necessarily a desirable change, either). Even the small amount of enforcement we currently have has entailed going through the motions of seeing ID from every new hire, producing new incentives for false documentation. This charade shows some of the obstacles that, for better or worse, would stand in the way of a genuine national ID.
Has the switchover to a biometric, machine-readable BCC made a significant change in the use and misuse of these cards?
The answer appears to be that it hasn’t. One might say that this is only because implementation has been half-hearted: machine-readable biometrics on the card, but no fingerprint readers to use them; no exit controls; and other seeming mistakes detailed earlier. Perhaps if everything were done right, then the cards would work. Yet we’ve also seen how adding security features can sometimes reduce security (long manufacturing times for ID cards spawns insecure temporary stickers). It is also possible to fix the wrong problem, for example by making BCCs counterfeit-proof while leaving birth certificates and other breeder documents untouched.
We have to ask, why has implementation been so seemingly half-hearted? The reasons are really social, political, and economic; a technical fix is unlikely to change the fact that (as noted in more detail below) immigration policy in the US is the result of conflicting interests. For example, we’ve seen that significant business opposition has delayed exit controls for year after year, and had delayed the BCC switchover. National ID advocates would need to show why this time it would be different; how would National ID overcome the same opposition that has (for better or worse) hampered previous ID efforts? Why would this one not end up becoming another expensive and yet largely ineffectual show?
Probably the best that can be hoped for from an ID like the new BCC is that it would speed up the processing of regular users, so that inspectors could spend more time on a small set of selected individuals. This is more realistic than hoping that the card itself would provide security. However, such “fast lane” cards would be abused by determined terrorists, unless the interview process, by which one gets the card in the first place, were far more sophisticated (with much more rigorous inspection of “breeder documents”) than, e.g., the current BCC interviews.
Calling efforts to reinforce the border ineffectual does not mean they have no effect. Rather, they have bee