US/Mexico Border Crossing Card (BCC):
A Case Study in Biometric, Machine-Readable ID
Software Litigation Consultant
Santa Rosa CA
March 30, 2002 (Revised April 24, 2002)†Click here for more recent Microsoft Word .DOC file
This is a “work in progress.” The reader will encounter the author’s notes to himself in double square brackets, e.g. “[[This paragraph is hopelessly lame; fix it.]]”
The terrorist attacks of Sept. 11 were quickly followed by calls for a national identification card in the United States. Though the best-known advocate of a national ID card is still Larry Ellison, CEO of Oracle, efforts by the American Association of Motor Vehicle Administrators (AAMVA) to “produce a uniform, secure, and interoperable driver's license/ID card to uniquely identify an individual” are more likely to hit their target.
Many groups and individuals, from all parts of the political spectrum, have expressed concerns over the privacy implications of a possible national ID card. However, the discussion appears stuck in an abstract consideration of security/privacy tradeoffs. Often, both opponents and supporters of National ID (and of similar proposals, such as for widespread facial recognition) make it appear that there is some kind of “privacy vs. security” sliding scale that individuals or societies could fine-tune to a desired setting.
Rather than engage in these often-sterile “privacy vs. security” debates over proposed solutions to the Sept. 11 crisis, let’s first see if the proposed technology is even going to work (and work in the Sept. 11 sense, i.e., would implementing this or that proposal have stopped the terrorists from getting on the planes?). The $10 billion homeland-security budget may cloud the thinking of even the most conscientious security vendor; for the least conscientious, the homeland-security budget spells “pork: it’s what’s for dinner.” Privacy advocates often abdicate discussions of practicality to security vendors, and in fact often take the vendors at their word for claims of how well technology will work; vendors can then sometimes rely on the dire predictions of privacy advocates for a kind of scarecrow marketing.
Scott McNealy of Sun Microsystems says he is “tired of the outrage” by privacy advocates. “Absolute anonymity breeds absolute irresponsibility…. If you get on a plane, I want to know who you are. If you rent a crop duster, I want to know who you are” (ZDNet, Oct. 11, 2001). It is useful to take McNealy’s desire at face value. What would it take to bring about this goal? McNealy’s own answer is “We need a thumbprint Java card in the hand of everybody in the country.” Ignoring the understandable self interest of using Sun’s Java technology, clearly the card by itself doesn’t do anything -- some system would need to be in place to issue, check, verify, and revoke these cards. What would such a system need to look like, to fulfull McNealy’s “I want to know you are” goal? (With the slight modification, of course, that it will be some government agency, rather than Mr. McNealy, that will know who you are.)
To assess what National ID for the US might look like, and how effective it might be, it makes sense to first look at an existing ID program run by the US government. This study examines the biometric, machine-readable Border Crossing Card (BCC), a joint project of the US State Dept. and the US Immigration and Naturalization Service (INS, a branch of the Justice Dept.).
About four million new BCCs, also called Laser Visas, micas, or pasaportes locales, are held by Mexican citizens, allowing them to cross into the US for up to 72 hours, staying within 25 miles of the border (65 miles for Tucson AZ); BCC holders are not supposed to work in the US. On October 1, 2001, older, non-machine-readable versions of the BCC became invalid. The BCC is probably the largest mandatory biometric ID program run by the federal government (there is also a new biometric version of the so-called “green card,” but older versions of the card are still valid). The card’s manufacturer, Drexler Technologies, calls it the “World's Most Secure ID Card” and the “World's Most Counterfeit Resistant Card” – so, clearly, this is being held up (at least by the vendor) as a good test case.
[[Drexler pres. Richard Haddock testimony at Senate Judiciary subcommittee on technology and terrorism, Nov. 14, 2001: the BCC and green card programs together, with more than 10 million cards in circulation, “represent the largest high security, biometrics-based, ID card program in US history.” Together with other, smaller optical-card and biometric programs, “these programs give a good insight into what is necessary to achieve a secure and cost-effective ID card system” (http://www.lasercard.com/downloads/files/Haddock%20U.S.%20Senate%2014%20Nov%2001.PDF).]]
National ID has, before Sept. 11, traditionally been proposed in the context of illegal immigration from Mexico. To the extent we have a history of semi-rational debate on this topic, it involves the Mexican border, and the widespread employment of unauthorized workers from Mexico and Central America. Past proposals for National ID have been in the context of illegal immigration, not only for border control, but also as an ID card that all employers would require of their new hires, to weaken the US jobs “magnet.” Some of the earlier advocates for a National ID to combat illegal immigration, such as Sen. Diane Feinstein (D-CA), are again advocating a National ID, to combat terrorism. Concerns have also been raised that terrorists can enter the US via its 2,000-mile (and in some ways unprotectable) border with Mexico.
Using the US/Mexican border to study the larger issue of using IDs to secure the US against terrorists is not meant to imply that immigration control is necessarily an appropriate way to fight terrorism. While this view is held for example by Phyllis Schlafly (“It should be repeated over and over again: The terrorism threat is from illegal aliens who are allowed to live in our midst”), this would, for one thing, overlook the US's own rich history of homegrown (and typically anti-immigrant) terrorists.
Rather, it is useful to look at the BCC from a process perspective: how is a card initially issued, when and where is it checked, how is it checked, what is it checked against, how is it enforced. More specifically:
This paper will be able to only give a hint of the complexities involved in even this relatively small biometric ID system. It seems likely that these complexities could be magnified many times over in a National ID, to be issued to perhaps 200 million or more people.
National ID advocates frequently claim – as, come to think of it, do some National ID opponents, particularly of the “Mark of the Beast” school – that we really already have a National ID, in the form of the Social Security Number (SSN) or state drivers’ licenses. For example, according to AAMVA spokesman Jason King, “There’s no need to create a second national ID card. You already have one, we're just talking about making it better and more secure” (Reuters, Jan. 9, 2002).
One of the key points that emerges from a study of the BCC, however, is that the gap between the existing state of affairs and a true national ID system is enormous. Under National ID, all cards would need to be machine readable. Card readers (and, likely, fingerprint readers) would need to be widely deployed; each card reader would need to be tied into a national database. This is a far cry from our current desultory visual inspection of cards.
The INS has dismissed any concern over the BCC’s possible broader implications. According to the Washington Post (Feb. 18, 1998), an INS spokesman said that “linking a travel document used only by Mexicans to a national ID card for Americans is ‘kind of a leap.... It's technology that's available to the credit card companies and anybody who wants to pay for it.’”
But the US State Dept. says that its joint BCC project with the INS “has given us the opportunity to conduct important research on a potential biometric visa for the future.” And, according to the US Consulate General in Cuidad Juarez, Mexico, “the future may require that all visas eventually be placed on these machine readable cards.” Thus, the BCC is already seen as a kind of pilot project for all visas (of which the US issues about 30 million each year).
[[In one version of his rather vague proposal, Larry Ellison suggested a digital ID card that would be optional for citizens but mandatory for “aliens” (see Jeffrey Rosen, “Silicon Valley’s Spy Game,” New York Times, April 14, 2002). As an ID issued by the US to non-citizens, the BCC may thus be particularly relevant to post-Sept. 11 ID discussions. See National Academies report, ch. 2 on foreign-issued credentials.]]
What, though, do BCCs, or even all visas, have to do with ID for US citizens? As shown in this study, it is difficult to enforce just the BCC’s 72 hour/25 mile/no work policy, without also checking IDs of non-immigrants within about 100 miles of the border; after all, BCC holders are not wearing special “BCC” tattoos on their foreheads. As also explained in this study, a BCC holder must carry the card at all times; it will be seen that would also need to be a feature of any effective (i.e., not just for show) National ID.
Because one can't tell by looking if someone is a citizen (and if an employer for example acts as if they can tell, it's discrimination), situations requiring ID from non-citizens will, in fairness, require ID from everyone. The discussion below of employment eligibility verification shows that, more generally, effective ID for non-citizens is – unless we have discriminatory “profiling” – a slippery slope to mandatory ID for everyone (thus, ironically, anti-discrimination can be a slippery slope to wholesale, as opposed to selective, privacy invasion). And, as also shown below, discriminatory policies produce security loopholes.
In sum, the US/Mexican border, and the Border Crossing Card in particular, provides a useful real-world way to think about and discuss National ID. This makes sense; it is often said that borders and immigration are at the forefront of social issues.
The United States has issued over four million new machine-readable biometric Border Crossing Cards (BCCs), form DSP-150, also called "laser visas," to Mexican citizens for the purpose of multiple short trips to the US. Starting on October 1, 2001, all old versions of the BCC became invalid, and holders of the old BCC were turned back at the US border. According to INS commissioner James Ziglar, about 1,600 visitors are being turned back each day for lack of the new card. The new cards started to be issued in April 1998; since then, on average, the US has issued about 100,000 cards each month. Over 15% of applicants for the card are not approved.
The biometric BCC is a joint project of the State Dept. and the Immigration and Naturalization Service (INS; an agency of the Justice Dept.), and is mandated by Section 104 of the Illegal Immigration Reform and Immigrant Responsibility Act (IIRIRA) of 1996.
The IIRIRA required that every BCC issued after April 1, 1998 contain a biometric identifier such as a fingerprint, and be machine readable. However, widespread opposition from the business community, which feared that the security features of the new system would result in less border crossing – and hence fewer shoppers and reduced low-cost labor availability – produced several annual delays in the system's implementation. Congress would likely have approved another year's delay, had it not been for the Sept. 11 terrorist attacks.
The Border Trade Alliance (BTA) sent an appeal, dated Sept. 10 (!), 2001, asking for implementation of HR 2276 to extend the BCC deadline by another year. Rep. Silvestre Reyes (D-TX), himself a former Border Patrol sector chief, had been pushing to delay the BCC switchover to “prevent an economic disaster” (Dallas Morning News, Sept. 28, 2001).
Having declined to extend the deadline, and thereby finally having let the new card become mandatory for BCC holders, Congress is now rethinking its decision. The Enhanced Border Security Act and Visa Entry Reform Act, approved by the House, and now before the Senate, includes a re-extension of the BCC deadline to Oct. 2002. Declared Rep. Solomon Ortiz (D-TX): "Merry Christmas to the Southwest border from the House of Representatives ... We know the economic damage the refusal to extend the deadline has done to the border."
[[On April 18, 2002, the Senate unanimously approved the Enhanced Border Security and Visa Entry Reform Act (EBSVERA). Somewhat ironically, this enhanced-border-security act includes an extension allowing the older BCC to be used again, until October 2002 (section 601 [or 602 now?], “Extension of deadline for improvement in border crossing identification cards”). See http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills& docid=f:s1749is.txt.pdf. The act amends IIRIRA 104(b)(2), as it has been extended several times in the past, to now read “6 years” instead of “5 years.” Check that this really means that BCCs will become mandatory again in Oct. 2002. The period Oct. 2001 through April 2002, during which the machine-readable BCC was mandatory, perhaps provides an interesting experiment in biometric ID. How different was this brief period from the period before, in which older cards were acceptable? How different will the border situation be between now and October, when (unless there’s yet another extension) the high-tech card becomes mandatory again? Need to check San Diego, El Paso, etc. newspapers. San Diego Union-Tribune (April 16, 2002) didn’t specifically mention BCC, but described the bill as trying to walk “the tightrope” of security and enforcement on the one hand, vs. commerce and border flow and business interests on the other. The US Chamber of Commerce complained that heightened security after Sept. 11 “dealt a massive blow to the Southwestern economy.” Border inspectors have backed off inspecting every vehicle, for example, and are now conducting random checks. Also note that EBSVERA doesn’t include funding; Congress will have to approve funding (estimated at $3.2 billion over three years) in a separate bill. Fits into a pattern of legislation without appropriations?]]
Clearly, US businesses near the Mexican border are going to be hurt when some shoppers can’t cross the border until they get the new biometric BCC. It seems more likely (though unspoken in the Congressional debate) that more opposition to implementing the new BCC has come from employers of those BCC holders who now can’t get to their jobs. As discussed below, while BCC holders are not supposed to work in the US, many apparently do; attempts to implement the BCC law have led to an informal NIMBY (not in my backyard) movement by their employers.
The delay in, and local opposition to, implementing the BCC switchover – even after Sept. 11 – provides an example of the resistance there would likely be (not all of it high-minded) to National ID.
Like the older BCCs (form I-186 and I-586; see Figure 1 and Figure 2 ), the new "laser visa" (DSP-150; see Figure 3 ) shows the cardholder's name, photo, and fingerprint on the front, but the back of the new card has a mirror-like optical stripe. Embedded in the optical stripe is the person's biographical data, digital photo, fingerprints, and a control number.
[[More details from Haddock Senate Judiciary testimony (http://www.lasercard.com/downloads/files/Haddock%20U.S.%20Senate%2014%20Nov%2001.PDF): 80,000 bytes of biometric data, including image of card holder, FBI quality gray scale fingerprint image, digitized image of cardholder signature; BCC unlike green card also has two fingerprint minutiae files. Is only a single finger included, or two fingers? Or is photo image meant to supplement single finger as a biometric? Data placed on card is updateable, but non-alterable.]]
Figure 1 – Old BCC, no expiration (I-586)
Figure 2 – Old BCC, with expiration (I-586)
Figure 3 – New BCC (DSP-150)
Figure 4 – New "green card" (I-551)
There is also a new biometric Permanent Resident Card (see Figure 4 ); this is the famous “green card,” though it hasn't actually been green since 1964. As noted above, this study focuses on the less well-known BCC in part because the new biometric green cards are not mandatory. An interesting look at the new green card as a prototype for a National ID appeared in the Feb. 2002 Harper’s (Gregory Dicum, “A Study in Green: My National I.D. Card, Your Civil Liberties”; according to Dicum, fake copies of the new green card can be purchased in Tijuana for $500).
There were reportedly rampant counterfeiting problems with the old BCC. As noted by the Washington Post (Feb. 18, 1998), “At least five versions of the card have been issued, all but the latest with no expiration date. Many have decades-old photographs and are easily used by imposters. Over the years, the Border Crossing Card also has become one of the most counterfeited U.S. documents.” [[Need better evidence than this quotation; what is basis for statement that older BCC was easily counterfeited?]]
The new card's manufacturer, the LaserCard division of Drexler Technology (Nasdaq:DRXR, LaserCard.com), states that the LaserCard “places huge technological and financial barriers in the path of counterfeiters.” According to the San Diego Union-Tribune (Sept. 29, 2001), a Drexler VP states that, “because each card's digital information is tailored to each cardholder, it would be highly expensive and impractical for a counterfeiter to try to reproduce them.... ‘It's not something that you can make in a basement.’”
Indeed, as noted above, and as shown in the figures, Drexler calls its product the “World's Most Secure ID Card” and the “World's Most Counterfeit Resistant Card.” (While the figures happen to show the Permanent Resident Card, the same technology is used for the BCC.)
Figure 5 – From the vendor's web site, LaserCard.com
One key feature of the card is that the cardholder’s photograph is digital, and part of the media itself; it is not pasted in. There is a total of 4.1 megabytes Write Once Read Many (WORM) optical storage on the card, allowing an audit trail with up to 35,000 updates. Any unauthorized attempt to alter the card is supposed to lead to either a clear audit trail or destruction of the card.
Drexler also is responsibility for Italy’s smart-card ID, the Carta d'Identità Elettronica (CIE). According to Wired (Dec. 2001), though, Italy had only issued about 200,000 CIEs; the goal was to issue a CIE for all 55 million citizens before 2004.
To use the BCC as a way of seriously asking how a National ID would work, we should first look at how the new biometric BCCs are issued. Even if the BCC experience were argued to hold no direct lessons for a National ID, thinking through the processes involving the BCC – how is it issued?, when is it checked?, how is it checked?, etc. – would by itself still give us a better handle on what the phrase “National ID” really means. The monolithic abstraction “National ID” needs to be broken down into its component parts in order to be understood.
How does someone get a BCC, or if they already have an old BCC, how do they get one of the new biometric cards?
The applicant must have an in-person interview. No phone or mail (and certainly no Internet) applications are accepted. This makes perfect sense. If we are interested in having secure ID, we require confidence in the process by which the ID is handed out in the first place. Each request for a National ID – all 200 million or so of them – would have to be carefully handled. (Contrast for example the initial SSN project, in which over 35 million SSN cards were generated, largely by the post office, in 1936-37.)
The BCC interview process has led, however, to very long delays. In early October 2001, the Associated Press was reporting that US consulates in Mexico were not able to schedule appointments until March 2002. Already, scams are being reported, such as a business in a Brownsville TX strip mall that charges over $100, supposedly to help set up application appointments, after which one still has to wait the same number of months.
The consulates could in theory hire a lot more people, but quick hiring of personnel responsible for security decisions leads to “insider” problems (see below). It has also been noted that it might be easier to get a card from some consulates than from others (“consular shopping”).
Figure 6 – Also from the vendor's web site, LaserCard.com
When individuals have their BCC interviews at a US consulate in Mexico, they must present their IDs (see “Breeder Documents ,” below) and have their photographs and fingerprints taken. They must also present proof of a fixed address in Mexico, with utility bills and/or pay stubs being commonly accepted documentation. This measure appears to offer some genuine deterrence. Only about 70 percent of regular BCC applicants get the card; the most common reason for rejection is that the applicant is unable to prove a fixed address. [[Earlier said that 15% of applicants are not approved – which is it??]]
The relatively high rejection rate creates an additional need for care in determining the accuracy of the original documentation. One in-depth study from the US Commission on Immigration Reform states: “Several informants we interviewed in both El Paso and in Juarez averred that the purchase of false pay stubs, birth certificates, employment letters, utility receipts, and the like was not uncommon among persons who desired a BCC but not could not otherwise obtain the necessary documents.” While this statement is from 1994, the switchover to the biometric BCC would obviously not in itself affect the availability of fake pay stubs and the like.
A criminal background check is run on all BCC applicants. However, this apparently wasn’t the case as recently as 1995, when a GAO investigation found that routine background checks were not being conducted, “in order to promote ‘facilitation’ across the border.” It is worth noting that you can have the best biometrics in the world, and they wouldn’t help at all with this problem; it has to be addressed separately.
Even when criminal background checks are being run, it matters a great deal what is being checked. Do you take the name proffered by the applicant, and run that through the system to see if anything turns up under that name? Clearly, applicants could be presenting incorrect names. Therefore, their biometric itself (e.g., fingerprint), not the name, must be used as a database lookup. This is discussed in more detail below (see “1:1 vs. 1:N Lookup ”).
There’s one interesting twist to the BCC interview: the role of maquiladoras (foreign-owned factories along US border in Mexico). According to the Houston Chronicle (July 22, 2001), the US “effectively delegates responsibility for administering the special visas to foreign-owned factories in Mexico.... Daunted by the task of replacing the old documents and issuing new ones, the border consulates began allowing maquiladoras to do a lot of the paperwork and applicant vetting…. some Mexicans work in a maquiladora long enough only to get a laser visa and then disappear.” The article notes that “an ‘interview’ … seldom consists of more than typing each applicant's data into a computer. Later, the information is cross-checked against United States law-enforcement records to eliminate those who have run afoul of the INS. Photos are taken for applicants' identification cards, and each applicant submits to a fingerprint scan. The whole process takes less than 15 minutes per person.” According to researchers at Tijuana’s Colegio de la Frontera Norte, of the more than 40,000 workers commuting daily to jobs in neighboring San Diego, at least 4,000 do so with a laser visa; “Those using their visas to earn a casual income in the United States effectively subsidize the payrolls of companies employing their relatives in maquiladoras.” [[Need to explain this better: how does BCC misuse subsidize maquiladoras? Also, need a sentence on role of maquiladoras in the economy?]]
In contrast to the 30% rejection rate noted above, the rejection rate for those applying via maquiladora is only 1% (Migration News, August 2001). This would seem to be an area ripe for fraud.
Even if the maquiladoras’ rapid rate of 15 minutes per person is taken as a model for vetting this valuable ID, extrapolating this to a National ID in the US means that about 3,000 employees would need to work for ten years, just to conduct the interviews. If it is thought that the National ID has limited usefulness until everyone is carrying one, then cramming all the interviews into a single year would require something like 30,000 employees. Similarly, a Sept. 1997 Social Security Administration report estimated it would cost $10 billion, and take 10 years, to issue tamper-proof social security cards with pictures, fingerprints, work history and earnings for the 270 million social-security accounts. For $4 billion, the agency said it could issue simpler IDs that resemble credit cards.
It was noted above that, during the BCC interview, someone must present ID: to get ID, you must present ID. Documents, on the basis of which other documents are issued, are called “breeder” documents. The birth certificate is the classic breeder document.
What documents must be presented during the BCC interview? The applicant can either present an old-style BCC along with a recent photo ID, such as a Mexican passport, or “In lieu of a passport, a voter registration card is the preferred identity document.” If applying for a first-time BCC, the applicant must have valid Mexican passport. “We were willing to accept the Mexican Certificate of Nationality, issued by SRE (the Mexican Foreign Ministry), but the Ministry decided that the Certificate was not intended for general issuance.” [[More on certificate of Mexican nationality (CMN): see State Dept. rule on BCCs, Aug. 19, 1999 (http://www.vkblaw.com/news/twohundredthirtyfour.htm).]]
What, then, are the requirements for a Mexican passport? Men must present a birth certificate, photocopies of their military card, and photocopies of another picture ID. Married women must present their birth certificate and marriage certificate. Single women present a birth certificate and a photo ID.
The mention of the Mexican voter registration card is interesting because it has been claimed that this sophisticated piece of biometric ID, issued to 60 million voters, was successfully used in the 2000 elections to prevent voter fraud. Since this was the first Mexican election since 1929 not won by the PRI, this is a significant claim that deserves further research.
At any rate, birth certificates are at the root of the ID system. Any insecurities in birth certificates percolate up through the system.
[[Fix this section. BCC depends on Mexican IDs. Then study jumps to talk about US birth certificates. But a US anti-terrorist ID might well depend on IDs issued by other countries, so the study should probably stick with Mexican IDs for a while longer, before moving on to the discussion of US breeder documents.]]
Though we’re talking about Mexican birth certificates here, it is worth noting that, according to the Dept. of Health and Human Services’ Sept. 2000 report on “Birth Certificate Fraud,” 6,417 different state and local entities in the US issue birth certificates (New York state is the leader, with 1,505 counties, cities, and townships issuing their own birth certificates; a few states, such as Idaho and Virginia, have a single state birth certificate).
The New York Times (May 29, 2000) ran a lengthy article by Renwick McLean on the birth certificate as the “soft underbelly” of ID in the US: [[Following quotation is much too long; just use a little bit.]]
“the birth certificate can open the door to other documents... California, home to 40 percent of the 5 million to 6 million illegal immigrants that the immigration service estimates live in the United States, is particularly vulnerable to birth certificate fraud. An official at the Ventura County recorder's office said that to get a certified copy of someone's birth certificate, ‘you just need to know the name on the birth certificate and the date of birth.’ The cost is $12, and the wait about 15 minutes, she said.... While studying the issue as a member of the Commission on Immigration Reform, a bipartisan group formed by Congress in 1990 to study United States immigration policy, Michael S. Teitelbaum was so shocked to hear how easy it was to get someone's birth certificate in California that he decided to try it. He went to the county clerk-recorder's office in Orange County and requested the birth certificate of someone he knew was born in the area. Within 15 minutes, he had a certified copy of the person's birth certificate. ‘I basically walked out of there shaking my head in disbelief,’ said Mr. Teitelbaum... Now that office says that people asking for birth certificates in person may be asked to show picture identification. But all that is needed by mail is ‘the person's full name, date of birth, and a credit card number,’ an official said.... In most states, however, the full names of both parents, including the mother's maiden name, must be provided to get a birth certificate. But critics say that the system is only as strong as its weakest link, because a birth certificate from a state with loose restrictions can be used to establish residency and employment eligibility in any other state. And even in the strictest states, the information required for obtaining a birth certificate can often be found easily, critics say. One way is to scan the obituary pages of a local newspaper and write down the background information on a person of the appropriate age. Since most states do not match death and birth records, or do so very slowly, experts say, illegal immigrants assuming the identity of the recently deceased face little risk of detection. The fraudulent acquisition of valid birth certificates is only part of the problem. The I.N.S. says that birth certificates are vulnerable to counterfeiting, largely because there is no single national standard for them. Instead of one version, thousands of different but valid birth certificates flow from the more than 7,000 local and state agencies authorized to issue them…. In 1994, the Commission on Immigration Reform recommended that the federal government adopt one standard design for all certified copies of birth certificates. Almost six years later, no such design exists. The commission also recommended a nationwide system for matching birth and death records..."
[[Insert discussion of IIRIRA §656: “Improvements in identification-related documents – standards for birth certificates and identification documents (including drivers' licenses) by Federal agencies; matching of birth/death records.” (§657: “Development of prototype of counterfeit-resistant Social Security card – to include security features; cost studies mandated.”) Sounds like there was very little thought put into the drivers license proposal: “In deference to Simpson we gave him a stupid little provision to do with driving licenses with biometric information” (quoted in O’Hanlon, The New Irish Americans, p. 106). §656 repealed by H.R. 2084 signed by Pres. Clinton on Oct. 9, 1999; Pub. L. No. 106-69); opposition of Ron Paul and Bob Barr (http://www.house.gov/paul/legis/106/hr2337.htm); most debate was over drivers licenses in 656(b), but 656(a) had to do with birth certificates. Following should talk more about drivers licenses, and the AAMVA effort? But can’t use earlier successful efforts against de facto national ID, as evidence now that national ID wouldn’t work – unless if there was also business opposition to 656. PL 106-69 repeals only 656(b); 656(a) on birth certificates still stands, unimplemented (and unimplemented law can be used to show possible unworkability of national ID). See http://www.house.gov/judiciary/ib072299.htm; http://www4.law.cornell.edu/uscode/5/301.notes.html. Need to discuss identity theft here; a privacy+security issue, though the privacy depends ironically on better record matching? (Trade-off “petty privacy” for real privacy?) Matching records, such as birth certificates with death records, is more difficult than it might seem, even for statistical rather than individual ID purposes. A good intro is Ivan P. Fellegi, “Record Linkage and Public Policy – A Dynamic Evolution,” Record Linkage Techniques – 1997, http://www.fcsm.gov/working-papers/fellegi.pdf]]
Any National ID system in the US would first have to fix the birth certificate problem: for example, have at most a small handful of standard birth-certificate formats, so that examiners gain a better sense of whether they are looking at a genuine certificate or not; and check all birth-certificate requests against death records, to prevent identity vampirism (identity theft of the dead). Some states allow persons born there, whose births were never registered, to create a “delayed certificate of live birth”; this is perhaps another security hole. Sometimes baptismal certificates are accepted as substitutes for birth certificates; these seem easy to come by (for example, Ahmed Rassam, who confessed participation in a plan to bomb the LA airport during New Year’s 2000, obtained a valid Canadian passport on the basis of a stolen blank baptismal certificate; Coyotes, Ted Conover’s travelogue on illegal immigrants, mentions in passing the apparently successful use of a Mormon Certificate of Baptism as ID).
Given this well-known breeder document problem, then, it seems odd that Larry Ellison, interviewed by Steven Levy (“A Techie’s Solution,” Newsweek, Oct. 29, 2001), cannot imagine any way that terrorists could spoof his National ID card:
“What if terrorists or criminals learned to ‘spoof’ the system? Is there a danger of putting too much trust in such a system?”
“I do this for a living. If you can explain to me how the system can be spoofed, I’m ready to listen.”
“Any system can be compromised.”
“I don’t know how it can. Maybe there’s someone smarter than I am and knows more about this than I do, but I can’t figure it out.”
It’s good to have counterfeit-resistant cards, but is this really where the vulnerability is? Certainly, if a card is easy to counterfeit, then this is an obvious hole. But even if you make an ID card nearly impossible to counterfeit, then the vulnerability moves: you now have to ensure that it is not easy to get a valid card, on an invalid basis. As long as insecure documents such as birth certificates are the root of the ID system, then securing higher-level documents like the BCC seems at best a partial measure, and at worst an illusion. [[Perhaps a better question is, where do you want the vulnerability to be?]]
Another way the system can be subverted, without attempting to manufacture the cards themselves in one's basement, is through bribery. A Dept. of Justice (DOJ) audit report on "Document Fraud Records Correction" (Sept. 1996), discusses several cases in which INS employees sold legitimate INS documents to illegitimate recipients. The DOJ audit report notes that "The temptations and rewards for selling these official documents are great"; an old BCC would apparently sell for about $325. The newer laser visa has many more steps in its production process which should make such insider jobs more difficult to pull off, but the same DOJ audit also pointed to “inadequate inventory records and security for controlled documents and for equipment,” cases in which equipment went missing, lax security with respect to unauthorized database access, uncertainty over how to deal with fraudulent database entries, and so on.
The DOJ inspector general, noting the doubling of INS personnel along parts of the border since 1993, warned in 1997 that “Experience in other contexts indicates that massive law enforcement hirings may be accompanied by increased police corruption because of the great susceptibility of new recruits to temptation or because corners may be cut in screening and training the new hires.”
The DOJ inspector general also noted that “The mix of low paid employees, easy money in big sums, and relatively low risks makes for an extraordinarily volatile and risky situation…. An INS or Customs employee is not required to do very much or take much of a risk in order to earn a bribe. One or two bribes a year can effectively double an employee's income.”
Even if the vast majority of INS employees are honest, clearly there is a potential “insider” problem. In computer security, it has become clear over the years that the old firewall model of “a hard crunchy shell with a soft, chewy inside” (as described by Bellovin and Cheswick in their Firewalls and Internet Security) makes the unwarranted assumption that all insiders are trustworthy.
There is an important relationship between the insider problem and the issue of employee monitoring: one person’s audit trail is another person’s workplace surveillance.
It was just suggested that quickly adding more employees, as part of a campaign to beef up security, can ironically lead to additional security problems among susceptible new recruits. Another example of the same phenomenon – adding security can, in certain circumstances, reduce security – involves the complex process needed to manufacture the new counterfeit-resistant BCCs.
A Drexler VP was quoted earlier to the effect that the new card is “not something that you can make in a basement.” But this also suggests that producing the cards is a fairly slow process. [[No, one doesn’t necessarily imply the other. Rework.]] According to Drexler's annual report, it is currently producing about 200,000 per month. As noted above, over the life of the program, about 100,000 cards have been issued per month. (To be unfair, at this rate it would take over 100 years to issue a similar card to everyone in the US.)
Partially as a result of the time-consuming production process, and also because of the in-person interviews needed to apply for the card, there is a substantial backlog. Long delays are not simply a matter of inconvenience: they can also subvert the whole security process. Between the time of someone's approval for a card, and the time they actually receive their new security-enhanced card, officials at the border will accept their old “mica” BCC, if it bears a sticker indicating that they have been approved for the new card (AP, Oct. 1, 2001). (An INS press release from Sept. 2001 states that the stickers were due to expire on Dec. 31, 2001.)
Placing stickers on older cards raises obvious questions about how counterfeit-proof such stickers are. (A national ID card would obviously have similar backlog and “catch up” issues, lasting many years longer.)
The DOJ is already familiar with this problem from the history of replacing old green cards. A report by the DOJ Office of the Inspector General (OIG) from August 1997 notes a “6 months to 1 year waiting period between replacement card application and receipt of a card. The delays undermine the integrity of the identity card system, as the INS must use easily counterfeited temporary stamps so applicants may obtain employment and public benefits in the interim.... INS Forensic Document Laboratory personnel suggested to us that a sticker with a holographic label affixed to temporary documents could improve the security of these documents. In our judgment, a reduction of the waiting period from application to card receipt would be the best solution.”
While referring to green cards, this clearly shows the security dangers of long delays in the card issuance process: “The delays undermine the integrity of the identity card system.” Delays are not simply a matter of inconvenience. When these delays are themselves caused by security measures, it nicely points up the way that increased security measures can themselves sometimes undermine security.
We’ve seen that, even assuming the card itself is counterfeit-resistant, there are several holes in the card issuance process: it appears to be readily spoofable with invalid downstream “breeder” documents such as birth certificates; the maquiladora program seems open to abuse; it’s unclear if criminal background checks are being done on identities, rather than on given names; there is a potential for bribery (caused partly by overly-rapid hiring to beef up security); and delays in producing secure cards require insecure temporary stickers.
This set of potential holes matches to some extent the findings of the DOJ OIG:
“The new biometric identification card, known as the laser visa, has shown to be more tamper-proof than previous documents. However, many problems reduce the effectiveness of the program, such as the lack of laser visa processing equipment at consular posts in Mexico, an inadequate criminal database against which to check applicants, and delays with biometric card production.”
A National ID program would need to carefully address each of these issues. Most of them are not really technical, but social issues. They cannot be finessed with biometrics.
Okay, we’ve been issued our BCC. Now what do we do with it?
Actually, we are skipping over an important step here: delivery of the card from the manufacturer to the cardholder. Is there anything that could go wrong here? Yes, the San Diego Union-Tribune (March 16, 2001) reported that a DHL delivery truck, carrying 6,000 BCCs worth as much as $9 million on the black market, was seized in an armed heist. Smugglers were expected to obtain many of the stolen BCCs, “and if you want to get across the border they will look through their piles for one that has a photo that looks like you.” This apparently works, despite the biometrics on the card, because of implementation problems at the border that we’ll discuss in a moment. Even with these problems, though, you would think that the stolen card numbers could be retired, and detected if anyone tries to use them. This gets into revocation issues, which this study does not examine, but which are a crucial feature of any ID system; for now, note that being able to revoke an ID depends on scanning it, rather than just looking at it, unless lists of bad IDs are distributed, as used to be done with credit cards. (By the way, it later turned out that the heist was an inside job involving a DHL employee and Tijuana police.)
Earlier, we saw that there has been widespread local opposition to the BCC switchover, and that Congress may even repeal it. In the meantime, however, BCC holders are required to have the new biometric, machine-readable card. What happens as we approach the border with our BCC, for example at the Tijuana/San Ysidro crossing just south of San Diego?
The amazing thing, after all the talk of heightened security, is that, if we “look American,” we’re waved through with barely a glance at our ID. Anyone who can pass as an American citizen, based perhaps on some fairly narrow prejudice as to what an American looks like, won’t have their ID swiped through a card reader. You might be asked what you were doing in Mexico, and how long you were there, but that’s about it. Given the long lines of both cars and pedestrians (there are about 800,000 legal crossings each day from Mexico into the US, about 16% of them on foot), there’s not much more that the border inspectors can do. It’s important to note that long delays are not just a matter of inconvenience: in late October, two children reportedly died from carbon monoxide asphyxiation while waiting in line to cross from Ciudad Juarez to El Paso; others have become dehydrated from long waits in the sun. [[Is there any positive incentive in place for inspectors to be vigilant?]]
What if you present a BCC? How are the biometrics employed? Section 104 of the IIRIRA said, “an alien presenting a border crossing identification card is not permitted to cross over the border into the United States unless the biometric identifier contained on the card matches the appropriate biometric characteristic of the alien.”
Yet, several trips through the Tijuana/San Ysidro crossing in February 2002 showed that while BCCs were being swiped through card readers, there were no fingerprint readers, so the inspector has maybe 45 seconds to see if the picture on the card looks like the cardholder. At least in primary inspection (there’s a separate building if you get bounced over to “secondary”), there is no automated way to see that the cardholder matches the card.
The same thing was observed in an AP story (Oct. 1, 2001) describing the Tijuana/San Ysidro crossing:
“Inspectors there have machines that can read basic data from the new cards with a small, tabletop device. They do not have the advanced readers that show a digitized photo and fingerprint.... Some border points still lack the machinery to read the cards. Without the machines, US authorities must eyeball them the same way they did the old ones, in essence rendering the new security features meaningless.”
According to the New York Times (Oct. 29, 2001), in El Paso, the INS had yet to install card readers. Rep. Silvestre Reyes stated, “They haven't identified the equipment they need. They don't even know yet how much it'll cost.” Richard Duran, who oversees the El Paso crossing at the Bridge of the Americas, “said the installation of the machines to read the laser visas might actually lengthen inspection times because inspectors checking cars full of passengers would have to swipe several visas through the machine” rather than just one for the driver.
[[Confirmed by Drexler itself. Drexler pres. Richard Haddock testimony before the US Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, Nov. 14, 2001, “These cards have effectively eliminated counterfeiting, which was a major problem before the INS issued the first optical cards in 1997. However, neither of these programs has fully realized their true potential because the biometric features have never been used in automatic card readers” (see http://www.lasercard.com/downloads/files/Haddock%20U.S.%20Senate%2014%20Nov%2001.PDF). Similarly, testimony of Paul Collier of the Biometric Foundation, Oct. 12, 2001: “Currently, there are no systems in place to read the biometric data and authenticate the cardholders” (http://judiciary.senate.gov/oldsite/te101201st-collier.htm). Confirmed by INS spokeswoman Kimberly Weissman: “the card readers have not been deployed to the ports of entry.” INS made a FY2001 budget request “but was denied the funding” by OMB. According to Government Executive magazine (Nov. 16, 2001), “some close to the card reader project have been skeptical about the INS’ commitment to the project.” It’s starting to sound like something is absurdly wrong here: INS was sold a card technology without the system to read the cards (http://www.govexec.com/dailyfed/1101/111601h1.htm). However, a corporate profile of Drexler, by Raymond James & Assoc. (http://22.214.171.124/researchpdf/DRXR021902IOC.PDF), states that “because the LaserCard is highly resistant to alteration or counterfeiting, it can also be used on a stand-alone basis without a reader. For example, the INS has issued approximately five million cards for its LaserVisa program, but has not yet purchased R/W drives for field deployment. Instead, field agents are trained to visually compare the cardholder's appearance against the card's printed color photograph and the laserengraved ‘holographic’ image. If all three images match, the cardholder is granted entry.” Is this the only advantage of the new cards? Is it a significant advantage? Has INS basically lost interest in being able to machine read the cards?]]
[[Note somewhere that Identix fingerprint scanners are available at consulates for BCC applicant interviews (http://www.fbodaily.com/cbd/archive/2001/06(June)/25-Jun-2001/63sol001.htm).]]
Without fingerprint readers, the card really can’t be verified against the cardholder. It was noted earlier that the widest form of misuse of the old non-machine-readable BCCs, and a major reason for the switchover to the new card, was not counterfeiting the card, but having a valid card that wasn’t yours. According to a US Commission on Immigration Reform report from 1994, “While almost no one attempts to cross with an altered or fraudulent BCC, a fair number of people seem to attempt to cross with someone else's card, presumably betting on lax inspection of the photograph it bears on the part of INS personnel at the port of entry.” For example, a card can be legally acquired, then sold to a document “gang,” who can then rent the card out to someone who looks like the picture on the card, who can use the card to cross the border, and then mail the card back (what happens then, if the person is found inside the US, without the BCC, is discussed below in the section on “interior enforcement”).
Without fingerprint readers, then, it appears as if the new BCC with its sophisticated Drexler technology, solves the wrong problem. Instead of making it more difficult for the wrong person to use a valid card, instead it was made more difficult to create illegitimate cards.
Why does the INS apparently not have enough machines to read the new machine-readable cards, and not have equipment to compare every BCC holder’s fingerprint with the biometrics on their card?
Like many sagas involving the INS, this one appears to be long and complicated. According to the INS, Congress and the General Accounting Office (GAO) won’t give it the money. Each reader costs only about $3,000; the INS probably needs around 1,000 of them. According to the New York Times (Sept. 29, 2001), the INS
“asked Congress for money to buy the machines two years ago but was turned down because the agency did not know exactly what kind of equipment it needed, said Russ Bergeron, a spokesman for the immigration service. Now the agency knows what it needs to scan the border cards but does not have the money, Mr. Bergeron said.... The immigration service hopes to get financing for the scanning machines as part of a budget request that the Justice Department, the agency's parent, is putting together to help deal with the terrorist attacks, Mr. Bergeron said."
But why would Congress be so stingy over a few million dollars? Embattled INS commissioner James Ziglar has repeatedly asserted that Congress had declared a “moratorium” on machine readers to go with its machine-readable cards. In fact, it appears that Ziglar is referring to a moratorium on further deployment of the separate IDENT system, and that Ziglar would like to get 1,100 IDENT workstations (with a two-fingerprint recognition system) to also check BCCs. IDENT is the INS’s database that maintains information on every apprehension; it includes fingerprints for each apprehendee; IDENT also includes a “lookout” section in which, for example, criminals and recidivists (those with a dozen or more illegal crossings) are noted.
The IDENT moratorium will be discussed later in more detail (see “The Central Database ”), but in essence, at the time of the nine serial murders in 1998-9 by the so-called “Railroad Killer,” Rafael Resendez-Ramirez, the Border Patrol had repeatedly apprehended Resendez illegally crossing the border, and then voluntarily returned him to Mexico, unaware that he was wanted by law enforcement. INS employees had been contacted by by police about Resendez, but had apparently not placed a “lookout” for him in the IDENT database.
In July 1999, the House Committee on Appropriations raised doubts about IDENT’s ability to identify wanted criminals apprehended by Border Patrol, and in particular asked why IDENT was not integrated with the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) database; the committee directed that the INS suspend further deployment of IDENT until it submitted a plan for integration of IDENT with IAFIS. The congressional conference report for the DOJ’s 2000 appropriations included a moratorium on further deployment of IDENT.
While it is commendable for the INS to want to use an existing system such as IDENT to do double-duty for checking BCCs, it sounds passive-aggressive for the INS to apparently insist on using technology on which a moratorium has already been placed, and then to turn around and complain that it can’t intelligently use the biometrics on the BCC because a moratorium has been placed on the technology.
The current troubled state of the INS should make us cautious about extrapolating from its experience with the BCC to the US as a whole. It may seem as if we have picked, for our case study in National ID, a notoriously “incompetent” agency (though, as noted towards the end of this study, there are structural reasons for the INS’s difficulties, rooted in the US’s deeply conflicted attitude toward illegal immigration). Tthe INS’s inability to get card readers to go with its machine-readable cards seems consistent the same agency’s approval of student visas for two notorious dead hijackers, Mohamed Atta and Marwan Al-Shehhi (Boston Globe, March 13, 2002). What can this troubled agency really tell us about National ID?
But the INS is not alone in having biometrics that are all dressed up with nowhere to go. For example, the California State Auditor in Oct. 2001 reported that while it had been collecting fingerprints for the past 20 years, California's DMV “does not obtain the benefits of such technology” because many of its fingerprints are of poor quality; the state takes thumbprints, but basically does nothing with them; the state has photographs, of course, but it also fails to use these sensibly.
National ID advocates point to such ironies as precisely why we need a national ID system. It is often said that “we already have National ID, in the form of drivers license and social security cards; we just need to fix it.” The author will note how many times that week he had to show someone his drivers license. But show is the key word here. How many times have they had their drivers license, not quickly eyeballed, but swiped in a card reader, which is linked back to a central database?
It definitely does happen. See an interesting New York Times (March 21, 2002 ) article by Jennifer 8. Lee, “Finding Pay Dirt in Scannable Driver’s Licenses,” that describes how bars in Boston are buying $2,500 Intelli-Check systems – presumably like the ones that INS doesn’t have – and using them to make sure that patrons are over 21, and then also using the scanned-in personal data for marketing). The technology is cheap enough, and becoming cheaper: Moore’s Law is often what drives the adoption of new ID systems. [[Need to explain Moore’s Law?]]
But a National ID would require that the equipment that the INS had not managed to acquire in the year 2001, despite passage of the original law in 1996, would need to be available nearly everywhere. How realistic is this? Or, perhaps the lesson of the Boston bars is that this will only happen if card reading is turned over to the private sector, who would also be allowed to use personal data for marketing as they see fit.
In any event, there is an enormous difference between having someone take a quick glance at an ID card, and feeding it through a card reader, linked to a central database, and connected to a fingerprint reader (or other biometric input device) that matches the cardholder with the card. It may possibly be that National ID is a good idea, but if it is, it would represent an enormous change from the current situation. National ID advocates frequently downplay the significance of their proposal with claims that “we already have national ID, we just need to fix it.” That the INS has the cards, but not the equipment, should tell us something – and not just that the INS has problems. It tells us that we currently have nothing at all like National ID.
Let’s say that there are fingerprint readers. What exactly are they checking? If it is simply that the cardholder’s fingerprints match the fingerprints stored on the card, that seems like an easy enough task. The new BCC not only has a visible photo of a fingerprint, but also contains a machine-readable representation of the fingerprint – this, in a way, was the whole point of the new cards. This type of verification involves a 1:1 check: does this cardholder match this card? The accuracy rates for such a check are pretty good, even though we’re dealing with non-discrete, real-world data.
If you read through the claims made for biometric ID cards such as the BCC, though, it becomes clear that the popular (and congressional) expectation, and the promises upon which the technology is sometimes sold, is a little different from this mere 1:1 check.
For example, what is to keep someone from applying for multiple cards under different names? Note that many names having multiple forms and spellings: Arabic names for example are transliterated; Mexicans frequently but not always use both the mother's and father's last name. The promise of biometrics is that you can basically discard the given name, or ID number, and use the fingerprint itself, for example, as a database lookup: has anyone with this fingerprint already applied for a card? This is a 1:N check, using real-world data as the database index. How good is it, when N is large? In a large population, how difficult is to balance false negatives (catch everyone who needs to be caught) against false positives (don’t create 10-hour waiting lines)?
How long would it take to uniquely identify one of the four million BCC holders, given only the fingerprint of a BCC holder? This may not seem to be an issue. After all, when someone presents their BCC, you can first do the 1:1 check that the cardholder matches the card, and then use the card number as a database lookup. But what happens when someone isn’t carrying a BCC? This was one of the big problems with the BCC: “Mexicans headed for big cities in the north are also using such cards to cross the border, then mailing the cards back to their homes in Mexico before proceeding north to look for work. If they are captured, the aliens tell the INS that they slipped across the border illegally.” To have any hope on stopping this mis-use of the BCC, all apprehendees would need to have a 1:N check done of their fingerprints (stored in IDENT) against the BCC database.
If such 1:N checks are widely used, then the ID card itself becomes irrelevant; your fingerprint is your ID. How feasible is this for the 200 or 250 million people who would have a National ID in the US? Not just technically feasible, but also socially: would it be able to overcome the “Mark of the Beast” overtones?
One alternative is to just have a (presumably) smaller database of the people you don’t want in, rather than a larger database of the people who you do. This has been one of the approaches of facial-recognition companies, which assert that – had facial recognition systems been in place in Portland ME on Sept. 10 and the morning of Sept. 11, when security cameras at ATMs, gas stations, and the airports caught last images of some of the terrorist hijackers – the attacks could have been prevented. What this claim overlooks, however, in addition to the unreliability of many facial-recognition systems, is that your “keep out” images must already be in your watchlist database.
We’ve seen how the BCC is checked. The next question is, what is the BCC checked against?
The earlier discussion of database “lookouts” in the case of the “railway killer” ought to sound familiar. This was an earlier version of the database-linkage debate fueled by the Sept. 11 attacks. On April 26, 2001, Mohamed Atta was stopped in Broward County FL for a traffic violation and was given a citation for driving without a license; on May 2, he acquired a Florida drivers license. Yet his visa had expired. If we could somehow rewind history, we would want the routine stop on April 26 to have led to something more than a citation; we would want the drivers license to be refused on May 2 because of the expired visa. Perhaps without the drivers license, he wouldn’t have been able to board Flight 11. It seems so simple: if only one database had known what the other database knew.
This is really the heart of the National ID idea. It’s not so much the cards, as the idea of a single, centralized database. The card would just be a handle into a national database. According to Larry Ellison, “The single thing we could do to make life tougher for terrorists would be to ensure that all the information in myriad government databases was integrated into a single national file” (Wall St. Journal, Oct. 8, 2002). In an amazing speech to Oracle employees, available on the web, besides asserting that we’ve made it impossible for the CIA and NSA to do their job, that we’ve made it impossible for the government to protect us, Ellison states that we have “too many databases,” that it’s impossible to correlate and cross-check them, that there really is no such thing as a federal “watch list,” but instead a disparate collection of lists like IBIS (Interagency Border Inspection System) and NAILS (National Automated Immigration Lookout System).
We saw earlier (see “Swiping Cards, Reading Fingerprints ”) that the INS doesn’t have all the machines it needs to read and fingerprint-verify BCCs, because it wants to use IDENT workstations, and that it can’t use IDENT because of a congressional order that it first figure out how to correlate IDENT and the FBI’s IAFIS. What all this means is that a BCC may be checked against the BCC database (of course, there’s no such check when the card is just eyeballed by a harried border inspector), but it seems likely that there is little integration with the other databases maintained by the INS. [[Lame; need to back this up.]] Precisely in the way National ID advocates complain, someone could “waltz” into the US on a BCC, even if they’re known to be wanted (though not necessarily under the same name) in another database like IDENT or IAFIS.
IDENT maintains biometric information on every INS apprehension. According to its developer, the Belgian company Keyware (apparently working with Lockheed Martin), “IDENT is an exclusive automated biometric identification system that uses advanced fingerprint and facial identification technologies to search for matches among over 400,000 ‘wanted person’ files and more than 2,000,000 files for people who have been previously detained.” The system was originally adapted from the US Navy’s Deployable Mass Population Identification and Tracking System (DMPITS), which in turn was originally designed by FingerPrint USA, for use in POW-type camps holding mass refugees from Haiti and Cuba.
This sounds like exactly what would be wanted for National ID. Yet we saw earlier that there was a hole in the system in the Resendez “railway killer” case. There has been debate over what the problem was, exactly. In some accounts, it appears the problem was as much one of training INS employees to properly use IDENT. In any case, clearly the biometrics by themselves don’t solve the problem.
[[Federal Computer Week (April 22, 2002; http://www.fcw.com/fcw/articles/2002/0422/cov-ins-04-22-02.asp) reports that “an investigation by the Justice Department's inspector general found that fewer than one out of three aliens apprehended on the U.S./Mexican border were being fingerprinted, photographed and entered into IDENT”; INS personnel often did not have time to take fingerprints and photos and enter them into IDENT; training for IDENT "was ineffective or nonexistent"; there were "virtually no controls in place to ensure the quality of data being entered into" the system. Find original DOJ OIG source for this. INS’s info mgmt commissioner Scott Hastings defends IDENT: it has caught "some real bad guys. It doesn't always hit the papers.” This is an important point: we tend to hear about system failures; when a system works, it’s not news.]]
In March 2000, the DOJ announced a plan to link IDENT with the FBI’s database, but said it could take five years and more than $200 million to complete. [[Why so long?]] Furthermore, “because the INS Border Patrol agents apprehend approximately 1.5 million aliens a year entering the United States illegally, INS requires a process that can record and identify a high volume of individuals in a very short period of time, generally two minutes or less.” It is not clear how this can be matched up with IDENT, since a Keyware official has bragged that the IDENT system delivers “response time in days, not weeks” for law-enforcement collaboration (Federal Computer Week, Nov. 14, 2000; emphasis added).
[[Insert material from Dec. 2001 DOJ OIG report on “Status of IDENT/IAFIS Integration” (http://www.usdoj.gov/oig/inspection/I-2002-003/index.htm). For example, a 1:N lookup in IDENT takes about 2 minutes, an electronic 1:N lookup in IAFIS takes about two hours; paper lookup takes several days.]]
Thoroughly assessing the call for a single national database would also require an in-depth look at the history of database linkage in the US, including not only other INS programs such as “Systematic Alien Verification for Entitlements” (SAVE), but also the history of widening use of the SSN.
Checking a card against a single national database, rather than against an individual agency database (and even more in contrast with simple checking of the card against the cardholder), raises important security issues. Any type of central database check requires a network connection; what happens if this connection goes down, or is compromised? One touted security feature of the current BCC is precisely that it’s not checked against a central database. Richard Norton of the International Biometric Industry Association (IBIA) testified at a Senate immigration subcommittee hearing that BCCs are “virtually immune to compromise, and the process can be conducted without having to establish a network connection to a central database.” [[This paragraph needs work: could we really have the touted benefits of a single central database, without requiring a network connection?]]
[[On important issue of online vs. offline operation, see Drexler pres. Haddock testimony to Senate Judiciary subcommittee, Nov. 14, 2001: “highly centralized, on-line systems are subject to overload, system-related failures, hacking, and cyber-terrorism. Creating a central database, national identification system that is always online could provide a single point of failure for our entire society if our enemies ever targeted it…. And ID card system should be capable of complete, secure verification of the cardholder to the card without any dependence on a[n] on-line database, although it may be present. The failure of many online systems to be effective, including the INS ‘INSPASS’ program, is their total dependence on a nationwide 100% uptime, on-line database to veriy the cardholder ID and allow entry. Most INSPASS system downtime is due to network and communication failures and has constricted the system to less than 100,000 people across the many years the program has been in place. Having the ability to completely verify the cardholder off-line, using local black-lists in each terminal, would eliminate this problem” (http://www.lasercard.com/downloads/files/Haddock%20U.S.%20Senate%2014%20Nov%2001.PDF). But is this consistent with the goal of having all watchlists (NAILS, IBIS, etc.) tied to a single database, and having the national ID always refer to this single database?]]
Another security issue is the insider problem: there would presumably be huge financial incentives for insiders to alter records in the single national database. The INS has a history of bribery leading, not just to documentation fraud (INS employees improperly providing ID cards such as BCCs, or even blank INS documents), but to database fraud: paying an INS employee to make entries or deletions in databases such as SAVE and NAILS. Oracle’s advertisements boast, “Can’t break it; can’t break in,” but this is a different issue. As a database becomes more important (and the single national database Ellison proposed would be the mother of all databases), the incentives grow for its maintainers to make improper changes. Any national ID would require sophisticated audit trails and employee monitoring. As noted recently by the DOJ Inspector General:
"in several reviews, the OIG has found deficient INS business practices that could open the agency to document fraud…. we have found that there is easy access to INS computers in order to change an entry, to order the issuance of an INS card or benefit, or to erase a disqualifying entry from an applicant's history. Computer passwords are shared and systems are unable to create an audit trail necessary to identify the users who accessed and amended a file. These deficiencies make it easier to make false computer entries that could result in the issuance of seemingly genuine INS documents."
Still, the basic idea behind a single national database seems simple enough: in the case of the BCC, someone provides the card at the border, the card is swiped, they put their finger on a reader which ensures that they match the fingerprint on the card, and the immigration officer immediately knows everything the US government knows about this person. That, even with a lot of the component technology having already been deployed, we are still quite far from this scenario (recall that simply linking with IDENT is estimated as a five-year project, and note that Section 1008 of the PATRIOT Act only calls for a feasibility study on IAFIS use at consulates and ports of entry), tells us that this scenario would actually represent an enormous undertaking.
It also would have dramatic social implications, discussed at the end of this paper. For now, it’s simply worth noting that such a large undertaking would inevitably have to be used for more than keeping terrorists off airplanes, and for keeping housecleaners and nannies from getting to their jobs in the US. The drive to use Ellison’s single national database for all sorts of goals – from the “war on drugs,” to eliminating welfare fraud, to tracking deadbeat dads, to combating tax evasion, to stopping illegal gun sales, to stopping underage drinking and smoking – would be irresistible. Even if every one of these goals is good, we can question whether American society is really ready for this level of consistency and accountability.
We’ve seen how the BCC is checked, and we’ve looked at some implications for a National ID. Now, where is the BCC checked? This may seem at first like a foolish question, since obviously Border Crossing Cards are checked when someone crosses the border. But that this is in fact not at all obvious becomes clear as soon as we ask whether BCCs are checked when leaving the US, as well as when entering; and when we ask the related question of how the card’s 72 hour/25 miles/no work policy is enforced.
How is the BCC’s 72-hour policy enforced? The quick answer is that it isn’t, because the BCC is not checked upon departure from the US. There is in fact essentially no check of any kind when someone crosses from the US into Mexico. On several recent (Feb. 2002) trips across the border crossing at Tijuana/San Ysidro, the long pedestrian ramp leading from the US to the Mexican side was equipped with a single private security guard, from Holiday International Security.
The conventional wisdom is that we only care when someone comes into the US, not when they leave, but how could a BCC cardholder’s compliance with the 72-hour policy even be known (much less enforced) without checking people when they leave the country? (The enforcement distinction is important: an exit check would tell if someone has overstayed, but would obviously not help locate an overstayer until they finally did exit.)
Exit controls are crucial to any considered anti-terrorist National ID proposal. Joseph W. Eaton, author of one of the few book-length studies of National ID (Card-Carrying Americans, 1986), and someone who has presumably devoted many years to thinking about these issues, in a post-Sept. 11 editorial titled “Cards Would Have Tripped Terrorists,” provides the following explanation of how this would have worked:
“Terror agents who entered our nation posing as ‘tourists’ would call attention to themselves if they failed to leave a digitized record of their departure from an airport, a harbor or a border crossing. They would have to start worrying that the FBI and INS would be looking for them.”
In other words, the desired effect of a National ID is only achieved if every departure is recorded, not only from an airport, but also via the US’s land borders with Mexico and Canada. The key is not so much the ID card as the exit control: one can easily have one without the other, and the ID card itself doesn’t perform any function here without the exit control. Note too that the best this achieves is a list of everyone who has overstayed their visa; as noted earlier, actually finding the overstays is a separate matter.
An “automated entry and exit control system” was, according to the Section 110 of the IIRIRA of 1996 (discussed earlier), supposed to be developed by 1998. This system was supposed to collect a departure record from every non-citizen leaving the US, and each departure record was supposed to be matched-up with an arrival record to determine who, upon leaving, had overstayed. The system was also supposed to be able to enable online searching to locate the entry records of those who had overstayed.
BCCs were supposed to play a role in this entry/exit control system. Having a BCC lets cardholders avoid filling out an I-94 arrival/departure card. At the same time, the BCC is intended to be used not only for entering the US, but also upon departure. Because the cards are machine readable, they can – assuming card readers are in place – be swiped upon exit from, as well as entry into, the US, thus giving the INS some handle on the problem of cardholders overstaying the 72-hour limit. According to the US Consulate General in Ciudad Juarez, Mexico, the new cards “will be used to facilitate the implementation of Section 110 of IIRIRA requiring an automated exit and entry control system to be established by the INS.”
On the other hand, as noted earlier, people using the BCC to work in the US may mail their cards back home, and present themselves as having illegally crossed the border, rather than as having legally crossed the border and then overstayed. In this way, they will still be returned to Mexico, but they won’t lose their BCC. But this would also diminish the BCC’s effectiveness for exit controls, except if the card itself were basically ignored, and a person’s biometric always relied upon for the database lookup (see “1:1 vs. 1:N Lookup ,” above).
Like the biometric visa itself, mandated by Section 104 of the IIRIRA, the entry/exit controls mandated by Section 110 were also opposed by the business community; for example, the Travel Industry Association of America, the US Conference of Mayors, and the US Chamber of Commerce opposed Section 110 in the name of “efficient borders.” A fellow of the Alexis de Tocqueville Institution predicted that, if entry/exit controls were implemented, “the borders between America and its neighbors would effectively close.... Americans can say good-bye to inexpensive produce in the markets," and further denied that entry/exit control has anything to do with countering terrorism. The Senate voted three times to repeal Section 110, and while the House voted against repeal, the system has not been implemented.
Now that the Sept. 11 terrorist attacks have highlighted the question of visa overstays, many of those who opposed Sections 104 and 110 of the IIRIRA in the name of “efficient borders” are now angrily asking how the INS could have possibly allowed some of the terrorists to overstay their visas, and how it could have “lost track” of them. As noted several years ago by Migration News (Aug. 1998), a superb publication from UC/Davis, “Many Congressional representatives continue to criticize illegal immigration in general, and then criticize the INS when it engages in enforcement actions that affect their constituents.”
In 2000, Congress passed the “Border Improvement and Immigration Act,” under which Section 110 was amended so that entry/exit controls won’t be required at airports until 2004, and at land borders with Mexico and Canada until 2005. Even after the terrorist attacks of Sept. 11, and the attention they drew to the issue of visa overstays, Section 414 of the PATRIOT Act calls merely for the integrated entry/exit data system of Section 110 of the IIRIRA to be implemented “with all deliberate speed and as expeditiously as practicable,” and makes the “Office of Homeland Security” part of an entry-exit “task force.”
Thus, after five years, and even after Sept. 11, there is really nothing being done to even learn about overstays, much less enforce the rules against them. One reason, as noted above, is opposition from the business community, which sees exit controls as contrary to the spirit of NAFTA, and “free trade” generally. Another reason may be that visa overstays are too small a problem for such a large solution as exit controls. In one test of an automated I-94 system in Philadelphia with selected US Airways flights to and from Munich, 99.6 percent of the 50,896 entry-exit records matched, i.e., only about 214 travelers did not leave as required (and some of these may have left through other airports, or a land border). Meanwhile, Electronic Data Systems (EDS) testimony on the cost of implementing an entry/exit system points out that this would be a large undertaking:
"We assume that at least 700 million traveler arrival and departure records will be captured in the system annually. For example, the automated I-94 pilot demonstrates that an arrival record for a non-citizen traveler uses 360 bytes of storage and the departure record uses 152 bytes. Extrapolating this estimate to the annual volume of non-citizen travelers suggests that a terabyte of storage may be needed for a nationwide system. To put some perspective on the magnitude of this number, the information in this system at the end of one year would be equal to the amount of data stored in the US Library of Congress."
When suggestions are made for large-scale projects such as National ID, we should ask why other large ID projects, required by law, have not been implemented. Sometimes our data-retention eyes are bigger than our stomach.
As noted above, an entry/exit system would at best let the INS know whether a given cardholder has overstayed a visa such as the BCC. It provides no help in actually locating a “visa jumper” or overstay. Yet, the INS is roundly denounced for having “lost track” of the Sept. 11 terrorists, and of “illegal immigrants” generally. For example, a guest editorial in the Seattle Times (Oct. 4, 2002) discusses ways to “learn the whereabouts of millions of illegal immigrants that the Immigration and Naturalization Service admits it has lost track of.”
What does this mean, “lost track”? Is the INS supposed to know the whereabouts of each of the millions of non-citizens present in the US?
Technically, yes. The Immigration and Nationality Act (INA) requires that all non-citizens notify the INS within 10 days of a change of address. The form to use in reporting an address change is AR-11 (INA § 265(a)). This does include the BCC, though of course BCC holders are not supposed to be in the US for more than three days.
Address registration can also be required during an emergency. During the Iranian hostage crisis, the DC Circuit Court of Appeals in Narenji v.Civiletti (1979) upheld the Attorney General's authority to order nonimmigrant Iranian students to report to INS district offices and to demonstrate their lawful status. [[Explain the outrage against the INS that it didn’t know where Iranian students were in the US.]]
However, the INS has stopped reminding non-citizens that they ought to notify the INS of their address and effectively has ceased administering the address-notification requirement. Although failure to give the written notice of address required by INA § 265 is a ground for removal, an INS operating instruction provides that failure of an alien to comply with the § 265 requirements regarding notification of address “shall not normally serve as the sole basis for initiating prosecution” or removal proceedings.
The Alien Registration Act of 1940 and Internal Security Act of 1950 had required the annual registration of all aliens living in the US, but this annual registration requirement (whether or not one had moved) was suspended in 1981. At the time, the INS apparently “acknowledged that it didn't much matter, that the alien registration requirement had been mostly for show, that the registration cards had never been matched up with the aliens’ files anyway.”
Thus, the US is, for better or worse, a long way from knowing where non-citizens are. Yet a National ID card would probably require address registration. Just as Sept. 11 was followed by angry questions over how INS could have lost track of the hijackers (some of whom had given “Marriott Hotel, New York” as their address), presumably the first terrorist attack to be committed (perhaps by a domestic terrorist, such as another Timothy McVeigh, Unabomber, or anthrax mailer) under the regime of a National ID, would be followed by angry questions about why can’t we get our hands on this guy: we’ve got a National ID card now; you mean we don’t know where each cardholder is at least supposed to be living? For the system to be more than a “mostly for show,” feel-good activity, this would eventually have to evolve into something like residential registration offices in Germany; hotels and other forms of lodging would presumably need to take the ID number of each occupant, as happens in some countries. It’s difficult to see how, without such extreme measures, any handle could be kept on someone’s whereabouts. [[This is lame; needs work.]]
In the meantime, note that we already have a national address registration, in the form of the New Hire Database (see “Employment and Employer Sanctions ” below).
We’ve seen that the current system provides no way of enforcing the BCC’s 72-hour policy, or of locating those who overstay. What about the 25-mile policy?
For one thing, just as INA § 265 ineffectually requires that non-citizens inform the INS of address changes (see above), INA § 264(e) requires that they carry their ID with them at all times. This includes the BCC.
What good does this do in enforcing the BCC? According to the INS:
“When passing through the Border Patrol checkpoints typically located at least 25 miles from the border, those Mexican BCC holders not in possession of an approved Form I-94 will not be allowed to pass and may be processed for administrative action.”
In other words, in addition to the border itself, there is in essence a “second border.” For example, on I-5 at San Onofre CA, about 70 miles north of the border (and near the former Nixon home in San Clemente), there is a 24-hour inspection of cars traveling between San Diego and Orange County. [[Also note the Temecula CA checkpoint; see the excellent long description of Temecula checkpoint problems in Ungar, Fresh Blood: New American Immigrants, pp. 53-70.]]
The INA gives the Border Patrol broad authority to conduct searches within a “reasonable distance” from the border. The Supreme Court has generally held that such searches do not violate the Fourth Amendment, and that probable cause is not required to justify a stop or search. The INS has defined “reasonable distance” to be 100 miles. The Supreme Court has given fixed checkpoints (as opposed to roving patrols) very wide discretion.
Why is there this second border? One reason would be to attempt to enforce the 25 mile and 72 hour BCC policies. More important, the Border Patrol is responsible for locating immigrants who have bypassed an official port of entry, and snuck in somewhere along the 2,000 mile border. As noted elsewhere, the practice of mailing one’s BCC back home during an overstay means that some BCC violations will appear as if they were simple cases of someone sneaking under a fence or across the Rio Grande, for example, without any ID at all.
It turns out, in other words, that simply checking IDs at the border is insufficient. Much illegal immigration doesn't actually happen at the border, but inside the country, when someone overstays their visa, for example. Or, to put it differently, the border turns out to be much thicker (100 miles wide) than one would have thought. At least according to some, within this area, pretty much anyone can be stopped and asked to present ID. The phrase “deconstitutionalized zone” has been angrily used (see, for example, US v. Newell, 1975, quoted in a dissent to US v. Guerrero-Barajas, Jan. 2001) to refer to this 100-mile strip. The phrase “Driving While Mexican” has also been used (New York Times, Jan. 26, 2000). If you live within this area, and fit a certain profile, we today have one aspect of National ID, in that you can be stopped at any time and demanded, “papers, please.”
In his discussions of a National ID, Larry Ellison dismisses the idea that the card would have to be carried at all times, and could be demanded at any time: “I’m not saying that police can stop you and ask you for your ID card when you’re walking your dog. I’m saying you must produce the ID when you’re going into a secure location like an airport” (Newsweek, Oct. 29, 2001).
But a National ID would have to be carried and presented much more frequently than Ellison thinks, and even other National ID advocates recognize this. Joseph Eaton’s editorial quoted earlier (see “Exit Controls and Overstays ”), opens by stating, “If Biometric ID cards had been in use, the 19 Saudis and other Arabs responsible for the Sept. 11 terror attacks could not have traveled all over the United States without drawing the attention of law-enforcement authorities” (emphasis added). Clearly, the card itself could not have accomplished this, so to deal with people traveling “all over” the US, by car for example, Eaton is presumably advocating (or assuming) frequent machine reading of the card.
In his The Limits of Privacy, ID card advocate Amitai Etzioni (who, one suspects, has thought about this question a lot more carefully than Larry Ellison) opens the chapter on ID cards with the following definition: “‘ID cards’ are domestic passportlike documents that citizens of many countries, including democracies, are required by law to have with them at all times.”
[[For what it’s worth, the Pew Research Center’s telephone survey of 1,200 adults, conducted the week following Sept. 11, found that 70 percent favored a requirement that “all citizens carry a national identity card at all times to show to a police office on request” (http://people-press.org/reports/print.php3?PageID=32, emphasis added; compare with other results from the same survey, e.g. 26% favored allowing US government to monitor personal phone calls and email, 40% favored allowing US government to monitor credit-card purchases).]]
[[Another advocate of national ID has said that a tamper-resistant Social Security card would serve many purposes, and would hardly ever need be used. Vernon W. Briggs, Immigration and American Unionism, 2001, p. 183: “The utility of such cards would far exceed simply the enforcement of the right to work in the United States. They could be used to reduce identity theft, welfare fraud … and entitlement program abuse…. Such cards would not be national identification cards to be carried by citizens and permanent resident aliens; they would have to be produced only on those few occasions over one’s lifetime when one is hired for a new job – and then only after the hiring decision has been made.” Note that, like Ellison, Briggs says you hardly ever need to present the card, but his occasion (taking a new job) is different from Ellison’s (getting on a plane). Each potential purpose of a card will likely present its own occasion during which the card must be carried and presented. It’s good that each advocate sees a limited use, but worrisome that they each see a different limited use.]]
If we’re just worried about terrorists getting on planes, we may end up “fighting the previous war”; for example, perhaps we now, again, need to be more worried about truck rentals (consider both the 1993 World Trade Center and the 1995 Oklahoma bombings). Consider too Mohamed Atta’s traffic-violation stop in Broward County FL: since this incident has been cited as an apparently perfect illustration of the failures of our current disjointed ID system, then (if we now try to replay the events of 2001 with a hypothetical National ID in place) obviously whatever ID Atta had with him that day would have to have been linked back to the central database. This is effectively the same thing as having to carry a National ID at all times. Or, since Atta actually was cited for driving without proper ID, then whatever biometric the police might have chosen to use from him, would have to have been used as a database lookup; again, this is functionally equivalent to having to present one’s ID at any time.
Again: if the biometric itself is the ID, and if it acts as an index into single central database, then in effect we carry ID at all times, despite reassurances that National ID wouldn’t represent a “papers, please” scenario. The protection against having to present our biometric at any time would then be the Fourth Amendment’s restrictions on stop and search. Racial and ethnic “profiling” show that parts of the population are already not truly covered by the Fourth Amendment, and statements by National ID advocates such as Ellison that we’ve “made it impossible for our government to protect us” sound an awful lot like traditional protests against the Fourth Amendment and its Supreme Court interpretation as an impediment to law enforcement.
The BCC presents another example of how one form of ID – if its policies were actually enforced – would require everyone to have at least some form of ID. How could the BCC’s 25-mile policy be enforced without also checking IDs of non-BCC holders within the 100-mile “second border”? It’s not as if BCC holders have “BCC” tattoos on their foreheads. Since BCC holders can’t be assumed to be always carrying their card, then either ID checking must be outwardly discriminatory based on some “profile,” or everyone’s ID must be checked. This type of ID, when enforced, creates a presumption of guilt. Note that it is really only ethnic profiling – i.e., a double standard – that keeps everyone in this area from having to carry ID at all times. In his book No Justice, David Cole makes a reasonable case that “privacy” and Fourth Amendment protections are currently based on inequality.
[[The American Legion calls for Congress to “Require that all legal aliens carry a counterfeit resistant registration card and that they be required to report, in a specified length of time, to local officials their location and place of employment.” (http://www.legion.org/our_legion/documents/americanism.rtf) Again, how can all legal aliens be required to carry an ID, without also requiring non-aliens to also carry ID?]]
[[Note that California’s unconstitutional Prop. 187 was in part an “interior enforcement” measure: required public employees, including police, nurses, social workers, and teachers, to report to INS anyone who could not prove their legal status in US. See Ono and Sloop, Shifting Borders: Rhetoric, Immigration, and California’s Proposition 187. On the other hand, note sanctuary cities (still?).]]
As with the discussion of address registration, these notes on interior enforcement are obviously half-baked; these parts of the study require more work.
It appears so far that exit controls – necessary to even begin to enforce the 72 hr. BCC policy --have been wildly unpopular, and are unlikely to be implemented any time soon, and that the “second border” (necessary, inter allia, to enforce the 25 mile BCC policy) has possibly already produced a civil-liberties nightmare within 100 miles of the border, all probably without keeping BCC holders within the 25-mile perimeter.
How about enforcing the BCC’s no-work policy? According to Adelita Sandoval, who lives in Tijuana and cleans houses in San Diego, “The pass allows you to cross to the other side in order to spend money, but they don't want you to come over to earn money. So you have to convince them that you're doing one when you're really doing the other.” Such workers, “dressed attractively – even elegantly – for what would be, in fact, a workday of scrubbing floors and toilers.” La migra (the INS) “almost never even ask to see our papers. They look at our hands.” Note that the INS is not looking at their hands for the fingerprints; it is looking to see if the BCC holder’s hands look like those of a middle-class shopper, or a worker. Real-world biometrics? La migra is also reputed to be alert to whether someone wearing fashionable clothes looks like they really “belong” in those clothes; literally the “fashion police.”
For the most part, though, the BCC no-work policy would be enforced as part of a larger effort that gives the appearance of preventing unauthorized work by non-citizens, essentially by deputizing employers as immigration officers.
As the reader probably knows, employers in the US are supposed to check the ID of every new hire, and fill out an I-9 form which is kept on file. If they fail to check ID, or if they accept obviously fake ID, they can face fines. This policy is known as employer sanctions. According to the INS:
"The landmark 1986 Immigration Reform and Control Act (IRCA) legislation changed forever the concept of traditional immigration interior enforcement, making it unlawful to employ an individual without verifying the identity and employment eligibility of an employee at the time of hire, thereby shifting emphasis from the alien violator to the employer.”
[[The I-9 reads in part “I certify, under penalty of perjury, that I have examined the above described documents which were presented to me by the individual named [above] and that the documents appear to be genuine, that they appear to relate to the individual named…” (quoted in Roger Daniels, Coming to America, p. 395). Daniels notes, “Within a year millions of such documents were reposing, uninspected, in the files of employers all over America.”]]
Meanwhile, several sectors of the US economy depend vitally on the work performed by illegal immigrants, and by legal immigrants, such as BCC holders, who are not supposed to be working. The “Nannygate” cases of Zoe Baird, Kimba Wood, and Linda Chavez were newsworthy examples of the prevalence of unauthorized work in the US. It is generally held that the construction, hotel/restaurant, garment, agricultural, and meatpacking industries would collapse without their large reserve army of “undocumented” workers.
While the crucial role of undocumented labor in the US shows that this is all something of a farce, the fact remains that every new hire is supposed to have their ID checked. (This should make the earlier discussion of address registration sound a little less unrealistic than it probably did. Given that we already have employment registration, does residential registration really sound so impossible?)
It is sometimes asked, in all seriousness, why check everyone’s ID, if we’re only interested in keeping out unauthorized workers? Why not just check the ID of non-citizens? It seems obvious, but the mistake underlying these questions was made a while back by the INS:
“In the mid-1990s, the INS began to experiment with a system to verify employment eligibility prior to hiring. Employers voluntarily communicated I-9 form information for prospective or new hires to an office in Washington, DC, which then verified that the documents supplied, such as alien employment authorization numbers, were authentic. However, only non-U.S. citizen employment eligibility was verified. The documents of individuals claiming to be U.S. citizens were not verified. All an unauthorized alien had to do was to borrow bona fide documents or purchase forged ones and claim that he or she was a U.S. citizen. Firms would duly record the corresponding information on I-9 forms, which could be inspected. But alien workers falsely claiming U.S. citizenship could circumvent the verification system in this way.”
This illustrates the point made earlier, that ID systems present slippery slopes. Discriminatory double standards are not only discriminatory: they also create loopholes. To truly enforce the BCC and other no-work policies, everyone’s ID needs to be checked.
[[Also illustrates the earlier point that you often can’t just do a lookup by name or ID number. Another example of same point: following the arrest of 104 airport workers in the DC area, “investigators said checking backgrounds is more intensive work than they had anticipated. Some employees' Social Security numbers were checked against a national database of felony convictions and came back clean, one investigator said, but the workers were later found to have used numbers that were made up or that belonged to others” (New York Times, April 24, 2002).]]
In 1994, the US Commission on Immigration Reform, chaired by the late Rep. Barbara Jordan (D-TX), found that employer sanctions lacked credibility, and that the current methods of worker verification were “too susceptible to fraud, particularly through counterfeiting of documents.” The Commission asserted that “the most promising option for secure, non-discriminatory verification is a computerized registry using data provided by the Social Security Administration [SSA] and the INS. The key to this process is the social security number. For decades, all workers have been required to provide employers with their social security number. The computer registry would add only one step to this existing requirement: an employer check that the social security number is valid and has been issued to someone authorized to work in the United States.”
In other words, this commission, headed by a important civil-rights legislator (who, in addition to her most famous role drafting the articles of impeachment against Richard Nixon, also brought language minorities such as Mexican-Americans under the Voting Rights Act), was saying that, in order to “restore credibility” to US immigration policy, there needed to be a verified national “registry” of the country’s entire workforce.
However, Jordan’s registry was not implemented. Instead, the 1996 IIRIRA simply chose to initiate several pilot projects. Only one of these, in Iowa (because the state drivers license employs a machine-readable SSN), involves machine-readable documents. Thus, our current system is really just the I-9, which is notoriously circumvented with counterfeit documents.
While I-9 forms are hardly ever checked by the INS, which keeps the process miles away from constituting any kind of national employment database, it is worth noting in passing that the US does have a national employment database, connected not with immigration, but with the important goal of locating deadbeat dads and making them provide financial support for their children. The Personal Responsibility and Work Opportunity Reconciliation Act of 1996 created a “National Directory of New Hires” (NDNH), better known as the New Hire Database. Within twenty days of each new hire or rehire, the employer must report the SSN, name, and address of the new hire, along with the employer’s name, address, and employer ID number. While there are also state databases, the NDNH exists because 30 percent of child-support cases involve parents who live in a different state from their children. It would be worth studying this system in more detail, to see whether it meets its goal of arranging child-support payments, whether there have been pressures to use the system for additional purposes, and so on.
Getting back to employer sanctions, while the large amount of under-the-table employment in the US indicates that they have not been a rousing success, have they at least perhaps helped enforce ID systems such as the BCC?
Ironically, the effect of employer sanctions, as currently implemented, has been almost the opposite. A GAO report from 1999 observed that allowing a wide variety of documents to fulfill I-9 requirements had resulted in widespread counterfeiting. Peter Andreas, who has written several important works on immigration and the US/Mexican border, states:
“The perverse impact of the law was to generate an enormous business in fake documents. Since IRCA did not require employers to check the authenticity of documents, they could simply continue to hire illegal workers at minimal risk – as long as the documents looked genuine and they made sure to fill out the proper forms. In the short term, IRCA helped to defuse some of the domestic pressure to ‘do something’ about illegal immigration. But the law’s failures would help make immigration control an even more daunting task in years to come.”
“the primary impact of the poorly designed and minimally enforced employer sanctions was to create a booming business in fraudulent documents. IRCA’s perverse consequences helped set the stage for a powerful backlash against illegal immigration in the 1990s, most acute in California.”
What went wrong? Clearly, the law really didn’t deputize employers as immigration officers, as claimed facetiously at the beginning of this section. But for the employer sanctions to have any effect on unauthorized employment, it would have had to. Because there were no sanctions placed on an employer who accepted anything but the most obviously fake ID, the result was, as Andreas notes, to create a booming market in plausibly fake ID. To have had any other result, the system would have required that there be some verifiable form of ID, and ubiquitous card readers with which to do the verification (perhaps similar to what exists today for credit cards, but with an additional biometric component): eyeballing cards wouldn’t be good enough. This sounds just like the National ID, so National ID advocates may want to view the experience of employer sanctions as another reason for adopting their proposals. But notice that suddenly we see another scenario in which the card would be mandatory: not just to get on an airplane, but also to get a job (shades of Revelation 13:16).
Preventing non-citizens from working would require rigorous document checking by employers (or by third-party background checking services, such as Interquest). The 1999 GAO report quoted above states:
“According to an INS official in Los Angeles, that office has already seized counterfeit versions of the new green card INS began issuing in April 1998. According to this official, the counterfeit cards do not have all of the security features of the new INS green card. While they are easily detectable by trained INS employees, they will appear genuine to untrained employers.”
In other words, either each employer, or the third-party services, would need machine readers for this scheme to work. Note that background-check companies right now appear to depend on the employer having accurate I-9s, and aren't placed to verify the ID itself. This appears to even be true of services such as www.i9check.com that specialize in I-9 forms.
Why is there so little incentive for employers to properly inspect employee IDs? Fines are generally sufficiently minimal – especially given the money saved by paying below US minimum wage, avoiding overtime pay, and avoiding environmental, health, and safety regulations – that some employers view any possible sanction as “the cost of doing business.” [[Insert figures on fines: about $1 per unauthorized worker per year??]] The INS has only a small number of workplace inspectors. Migration News (Jan. 1999) relates two telling points:
“The INS did not request more inspectors to enforce employer sanctions in the FY99 budget; in its FY98 proposal, 130 more inspectors were requested, but Congress did not provide funding for them. In spring 1998, when the INS in Georgia tried to enforce sanctions laws against onion growers, Congress intervened and the INS agreed to stop its raids so that Vidalia onions could be harvested.”
There is a long history of immigration doubletalk in the US, where a supposed “flood” or “invasion” of illegal aliens is deplored out of one side of the mouth, while agriculture and other businesses are guaranteed the undocumented workers they want out of the other. A prime example is the so-called “Texas Proviso” to the INA, which states that “for the purposes of this section, employment (including the usual and normal practices incident to employment) shall not be deemed to constitute harboring” an alien. This amazing exemption, written in 1952 apparently by then Sen. Lyndon Baines Johnson, was eliminated in 1986, but its spirit lives on. No-work policies are enforced sufficiently to help keep down wages, but not enough to seriously reduce the flow of undocumented labor.
Enforcement of the BCC’s no-work policy would likely come only as part of a larger reduction in employment of unauthorized workers in the US, and would represent a major social and economic change (not necessarily a desirable change, either). Even the small amount of enforcement we currently have has entailed going through the motions of seeing ID from every new hire, producing new incentives for false documentation. This charade shows some of the obstacles that, for better or worse, would stand in the way of a genuine national ID.
Has the switchover to a biometric, machine-readable BCC made a significant change in the use and misuse of these cards?
The answer appears to be that it hasn’t. One might say that this is only because implementation has been half-hearted: machine-readable biometrics on the card, but no fingerprint readers to use them; no exit controls; and other seeming mistakes detailed earlier. Perhaps if everything were done right, then the cards would work. Yet we’ve also seen how adding security features can sometimes reduce security (long manufacturing times for ID cards spawns insecure temporary stickers). It is also possible to fix the wrong problem, for example by making BCCs counterfeit-proof while leaving birth certificates and other breeder documents untouched.
We have to ask, why has implementation been so seemingly half-hearted? The reasons are really social, political, and economic; a technical fix is unlikely to change the fact that (as noted in more detail below) immigration policy in the US is the result of conflicting interests. For example, we’ve seen that significant business opposition has delayed exit controls for year after year, and had delayed the BCC switchover. National ID advocates would need to show why this time it would be different; how would National ID overcome the same opposition that has (for better or worse) hampered previous ID efforts? Why would this one not end up becoming another expensive and yet largely ineffectual show?
Probably the best that can be hoped for from an ID like the new BCC is that it would speed up the processing of regular users, so that inspectors could spend more time on a small set of selected individuals. This is more realistic than hoping that the card itself would provide security. However, such “fast lane” cards would be abused by determined terrorists, unless the interview process, by which one gets the card in the first place, were far more sophisticated (with much more rigorous inspection of “breeder documents”) than, e.g., the current BCC interviews.
Calling efforts to reinforce the border ineffectual does not mean they have no effect. Rather, they have been ineffectual in the way that alcohol Prohibition was, or that the “war on drugs” is. Some “Prohibition” effects have already been noted, such as the way employer sanctions helped to solidify and professionalize the fraudulent-document business. Another Prohibition effect has been the way that installation of IDENT has apparently led to higher fees for coyotes, who are in the business of smuggling people across the border. Indeed, the coyote business itself was created by efforts to prevent unauthorized border crossing. Higher fees for coyotes means also more money available for bribes. (Note to libertarians, however: not every rule or regulation has “Prohibition” effects.)
Efforts to control border crossing appear to simply move the problem (if it is a problem) from one place to another. For example, “entry without inspection” (EWI) was seen as the big problem for a while – recall media images of people sneaking through fences – but attempts to solve this problem, by making EWI more difficult, had the unintended consequence of increasing misuse of documents like the BCC. David Spener notes that “Making ‘entry without inspection’ more difficult raises the salience of the use of fraudulent immigration documents or the misuse of valid documents,” and he gives BCC use to get to jobs in the US as a key example. (Note to libertarians: not every rule or regulation has unintended consequences.)
Alternatively, if the focus shifts to more carefully checking the IDs of each person entering at an official port of entry into the US, then illegal immigration is pushed back to “entry without inspection.” As noted in an August 2001 GAO report, the current INS strategy is to
“incrementally increase control of the border in four phases to make it so difficult and costly for aliens to attempt illegal entry that fewer individuals would try.... The primary discernable effect of the strategy, based on INS’ apprehension statistics, appears to be a shifting of the illegal alien traffic. Between 1998 and 2000, apprehensions declined in three Border Patrol sectors, San Diego, CA, and El Paso and McAllen TX, but increased in five of the other six Southwest border sectors. The extent to which INS’ border control efforts may have affected overall illegal entry along the Southwest border remains unclear, however.... although INS has realized its goal of shifting illegal alien traffic away from urban areas, this has been achieved at a cost to both illegal aliens and INS. In particular, rather than being deterred from attempting illegal entry, many aliens have instead risked injury and death by trying to cross mountains, deserts, and rivers.”
In addition to shifting illegal immigration to more dangerous, less controllable areas, INS’s strategy (combined with the 12:1 wage disparity between the US and Mexico) has, ironically, tended to make illegal immigrants stay longer in the US than they had intended. According to Douglas Massey, codirector of the U. of Pennsylvania’s Population Studies Center:
“The massive militarization of the border has not had the effect of deterring Mexicans from coming to the U.S. but has deterred them from going home. What we've seen since 1993 is a sharp decline in the probability of return migration once Mexicans are in the U.S.”
Strictly enforcing immigration laws would raise prices of many goods and services, and/or would lower profits for many businesses. On the other hand, legalizing currently unauthorized workers might well have same effect. Thus, the current situation of widespread – but not total – non-enforcement suits the needs of US society.
All US immigration law is the result of compromise between competing interests. Even after Sept. 11, the same set of competing interests revealed in study of BCC also would apply to a national ID. Given that the much smaller BCC system has so many holes, how could we expect national ID to “work” in the sense that advocates want, i.e., well enough to prevent future Sept. 11-type attacks? National ID would inevitably represent a compromise, not so much of “security vs. privacy,” as one of security vs. the many US interests that depend on lax enforcement of the laws.
The IRCA of 1986 is a perfect example of such compromises. As noted in one book on immigration law, “It represented a political compromise between four interests – (1) those people seeking to deter illegal immigration by discouraging unauthorized employment in the U.S.; (2) those seeking a one-time amnesty for aliens who, for years, had been locked out as illegal immigrants; (3) those who wanted to insure continued access to low-cost agricultural labor without elaborate federal regulation; and (4) those who wished to insure that penalizing employers for illegally hiring aliens who not encourage discriminatory employment practices.”
Many INS actions that look incompetent are the direct result of this compromise at the heart of our immigration laws. Our immigration legislation is the product of several competing interests and policies, and INS is left to sort out (and catch the flak for) the mess. Perhaps this explains the Border Patrol’s conflicting reputations for both brutality (Amnesty International has investigated the US Border Patrol) and laxness.
The INS is not given the resources to “do their job,” because it's not really its job (as mandated by immigration legislation from 1986, 1990, and 1996) to have a secure border. If Congress really desired a secure border, it would have voted for tough employer sanctions, for example.
The end result is profound US ambivalence about its border controls, and the INS reflects that ambivalence; its structural role is that of a “Dept. of Surplus Labor,” keeping labor both illegal and flowing. Because of the compromises in US immigration law, INS’s role in the US economy is to make illegal immigration difficult, but not too difficult. Looked at structurally, its role is to provide a reserve army of cheap, docile labor for the construction, hotel/restaurant, garment, meatpacking, and agricultural businesses. This might also be accomplished with a guest-worker program (such as the old bracero program administered by the INS for agricultural employers between 1942 and 1964), but right now it's accomplished through difficult-but-not-impossible illegal entry.
How could something like biometrics hope to resolve the conflicted over-150 year history of migration between Mexico and what used to be northern Mexico, but which is now part of the US?
National ID in the US faces analogous structural impediments. For one thing, countries with sophisticated national ID are often small. What may work in some sense in Singapore, Hong Kong, or Israel may not scale to the US; and even in Hong Kong, for example, issuing approximately six million new mandatory “smart” ID cards is expected, by completion, to have required seven years and $US 400 million. The strong US tradition of “states rights,” which was for example part of massive resistance to federally-ordered desegregation, combined with a strong anti-government tradition (which led in part to the Oklahoma City bombing), combined with fundamentalist fears over the “Mark of the Beast,” may all make National ID impossible for the wrong reasons. Add in the NIMBY protests like those that have hampered biometric BCC and exit-control implementation, and it’s difficult to see what hope there would be for National ID.
Of course, for a rule or regulation to not work, or to produce the sorts of Prohibition effects and unintended consequences we’ve seen with border controls, there has to be some sort of demand or pull for whatever it is that the rule or regulation forbids. Is there really any demand in the US for shoddy documentation, for easily-forged birth certificates, for databases that seemingly should be linked together but aren’t?
Surprisingly, there is large demand in the US in essence for shoddy documentation. As noted earlier, key sectors of the economy rely upon illegal immigration: there’s not so much a demand from business to make it legal, nor is there a business demand to stop it, but instead the curious combination of the two, which produces a large, cheap, docile labor force. Having reliable documentation in the form of a National ID, on which I-9 forms could be based for example, would represent a massive change to our current situation of large-scale under-the-table, off-the-books employment.
Such a massive change would in turn require multiple uses. “Feature creep” is built into the idea of a National ID because the expense and the extensive coverage that would be necessary, before the system started to work, would dictate more uses than simply checking people getting on airplanes. National ID card adoption would involve the phenomenon of “parasitic vitality” that was seen in Britain’s experience with ID cards: adoption of the card means that “it must be made obligatory in regard to as many as possible of the organised activities in close touch with the life of the people,” as one British bureaucrat put it in 1923.
While there is something faintly dishonest about “slippery slope” arguments (“don’t do this small thing, because it could lead eventually to this big thing”), the fact is that – perhaps in the same way that information is reputed to “want” to be free – identification technology wants to be useful. It manages to find multiple uses; which is to say, even a mercifully-inefficient government will find multiple uses. Even someone who can laugh at the sort of “Mark of the Beast” fears and conspiracy theories that met the introduction of the Social Security Number in the 1930s, today has to admit that “the early critics were at least close to being correct in their predictions that the numbers would become all-purpose identifiers, despite the assurances of the supporters that it would not happen.” Face scanning originally implemented for locating terrorists in Northern Ireland is now used (perhaps with more success) to locate football hooligans.
Besides a slippery slope apparently being built into identification systems, it is also important to remember that the very definition of privacy in US law has a “reasonable expectation” tautology built into it. As we become inured to one use of ID, it really does become less reasonable to object to the next use. The end result is something much more extensive than the original plan (though presumably not as extensive as the ID in the right hand, or in the forehead, that was predicted in Revelation 13:16).
Would National ID even initially be limited to keeping terrorists off planes? Joseph Eaton, whose post-Sept. 11 I-told-you-so editorial in favor of National ID was quoted earlier (see “Exit Controls and Overstays ”), says that a biometric ID card “could have saved victims of past terrorist acts as well as the many all-too-successful white-collar criminals” (emphasis added).
Amitai Etzioni lists the following as the “high costs of not having ID cards,” which costs an ID card would reduce: criminal fugitives; child abuse and sex offenders; income tax fraud; nonpayment of child support; illegal gun sales; illegal immigration; welfare fraud; identity theft; and credit card fraud. It seems odd that terrorism isn’t on the list, but that could always be added – something can always be added.
Catching white-collar criminals, criminal fugitives, and tax cheats would of course be a good thing. Perhaps every use to which a National ID would be put is good: keeping terrorists off planes, making deadbeat dads pay for child support, preventing underage smoking and drinking (just ask a teenager what the term “ID” means to them), making sure that gun purchasers don’t have criminal records, stopping tax evasion, helping with voter registration.
But the sum total of all these goods may not be what we want. Moore’s Law makes it possible to have something like Total Accountability: many of the everyday things we do or say could be recorded, cross-linked, and searched (Google.com’s searchable archive of more than 700 million newsgroup messages going back to 1981, may be a small example). A true National ID card, linked to a single national database, could help tie together all the disparate little pieces of our lives. The five-year history of resistance to implementing the biometric, machine-readable Border Crossing Card is a small example of how even much lower levels of consistency have little support in the US, and of how there is widespread support for crappy ID. Ivan Fellegi of Statistics Canada (and a founder of the field of record linkage) put it well: “In effect, record linkage came about to accomplish a task that was rendered difficult precisely because there was a social consensus that it should be difficult.”
National ID may be a good idea or a bad idea, but the BCC experience shows us that it is a huge idea. National ID advocates should not claim that we already have de facto national ID that merely needs to be made more secure. The security they see a National ID providing would require much more besides a counterfeit-resistant card; making the BCC counterfeit-resistant hasn’t helped enforce the card’s policies. Meanwhile, National ID opponents should stop saying that National ID is around the corner, every time a new use is found for the SSN. Our current situation is, for better or worse, a far cry from National ID.
Peter Andreas, Border Games: Policing the U.S.-Mexico Divide, Ithaca: Cornell U. Press, 2000
Peter Andreas and Timothy Snyder, eds., The Wall Around the West: State Borders and Immigration Controls in North America and Europe, Lanham: Rowman & Littlefield, 2000 (See especially Joseph Nevins, “The Remaking of the California-Mexico Boundary in the Age of NAFTA”; David Spener, “The Logic and Contradictions of Intensified Border Enforcement in Texas”)
Jane Caplan and John Torpey, eds., Documenting Individual Identity: The Development of State Practices in the Modern World, Princeton: Princeton U. Press, 2001 (See especially Jon Agar, “Modern Horrors: British Identity and Identity Cards”; Dita Vogel, “Identifying Unauthorized Foreign Workers in the German Labor Market”)
David Carliner et al., The Rights of Aliens and Refugees (ACLU Handbook), 2nd Ed., Carbondale IL: Southern Illinois U. Press, 1990
Leo R. Chavez, Shadowed Live: Undocumented Immigrants in American Society, Fort Worth TX: Harcourt Brace, 1992
Ted Conover, Coyotes: A Journey Through the Secret World of America’s Illegal Aliens, NY: Vintage, 1987
John Crewdson, The Tarnished Door: The New Immigrants and the Transformation of America, NY: Times Books, 1983
Mariam Davidson, Lives on the Line: Dispatches from the U.S.-Mexico Border, Tucson: U. of Arizona Press, 2000
Mike Davis, Magical Urbanism: Latinos Reinvent the US, London: Verso, 2000
Debra DeLaet, U.S. Immigration Policy in an Age of Rights, Westport CT: Praeger, 2000
Joseph W. Eaton, Card-Carrying Americans: Privacy, Security, and the National ID Card Debate, Totowa NJ: Rowman & Littlefield, 1986
Amitai Etzioni, The Limits of Privacy, NY: Basic Books, 1999 (Chapter 4: “Big Brother or Big Benefits? ID Cards and Biometric Identifiers”)
Judith Adler Hellman, Mexican Lives, NY: New Press, 1994 (Chapter 7: “The Border”)
Helen Hayes, U.S. Immigration Policy and the Undocumented: Ambivalent Laws, Furtive Lives, Westport CT: Praeger, 2001
David Jacobson, Rights Across Borders: Immigration and the Decline of Citizenship, Baltimore: Johns Hopkins U. Press, 1997
David Kyle and Rey Koslowski, eds., Global Human Smuggling: Comparative Perspectives, Baltimore; Johns Hopkins U. Press, 2001 (See especially Peter Andreas, “The Transformation of Migrant Smuggling Across the U.S.-Mexican Border”; David Spener, “Smuggling Migrants Through South Texas: Challenges Posed by Operation Rio Grande”; Mark Miller, “The Sanctionizing of Unauthorized Migration and Alien Employment”)
Ruben Martinez, Crossing Over: A Mexican Family on the Migrant Trail, NY: Henry Holt, 2001
Joseph Nevins, Operation Gatekeeper: The Rise of the “Illegal Alien” and the Making of the U.S.-Mexico Boundary, NY: Routledge, 2001
David M. Reimers, Unwelcome Strangers: American Identity and the Turn Against Immigration, NY: Columbia U. Press, 1998
Sebastian Rotella, Twilight on the Line: Underworlds and Politics at the U.S.-Mexico Border, NY: WW Norton, 1998
Ramón Eduardo Ruiz, On the Rim of Mexico: Encounters of the Rich and Poor, Boulder CO: Westview, 1998
John Torpey, The Invention of the Passport: Surveillance, Citizenship and the State, Cambridge: Cambridge U. Press, 2000
Luis Alberto Urrea, Across the Wire: Life and Hard Times on the Mexican Border, NY: Anchor, 1993
Luis Alberto Urrea, By the Lake of Sleeping Children, NY: Anchor, 1996
David Weissbrodt, Immigration Law and Procedure in a Nutshell, 4th Ed., St. Paul MN: West, 1998
* Stephen Keating, Director of the Privacy Foundation, suggested using the BCC as a case study to shed light on post-Sept. 11 proposals for a national ID card. Pam Dixon and publishing consultant Trudy Neuhaus made crucial changes and suggestions. The paper was presented at the 12th annual Computers, Freedom & Privacy conference.
† This is a “work in progress.” The reader will encounter the author’s notes to himself in double square brackets, e.g. “[[This paragraph is hopelessly lame; fix it.]]”
 See http://www.aamva.org/events/evt_PresentationsIDSecurityLeadershipSummit.asp; see also Washington Post, Jan. 14, 2002. The AAMVA’s goal is “one driver, one license, one identity.” The AAMVA says it is not creating a national ID card, but “The person, driver license/ID card record will be inextricably linked.” The project deals explicitly with the sorts of problems, such as “breeder documents” and bribery of DMV officials, which have been ignored in Larry Ellison’s statements on national ID.
 But see a new report from the National Academies’ National Research Council, IDs – Not That Easy: Questions about Nationwide Identity Systems (April 2002; http://search.nap.edu/html/id_questions/), which focuses on the practicalities of what a national ID system would look like. A superb example of studying the practicalities of proposed security technologies is the ACLU’s case study on facial recognition in Tampa FL, Drawing a Blank (see note 41 ).
 A Computerworld article (Nov. 2, 2001) in favor of a national ID card gives the following as its first reason: “A national ID card program would be good for the IT industry. The program would generate a demand for IT products and services.”
 Gary Marx, in his superb Undercover: Police Surveillance in America (Berkeley: U. of California Press, 1988) refers to this scarecrow effect as the “myth of surveillance”: “The suspiciousness and paranoia generated by the myth may far transcend their actual use, but, by creating uncertainty, they may have a far greater repressive impact (at a much lower cost) than overt forms of surveillance” (p. 100; see also pp. 66-7, 225-6). The classic example is of course Jeremy Bentham’s “panopticon.” It is said that polygraphs “work” because they are believed to work. Some airports have reportedly conducted noisy publicity campaigns about the adoption of facial recognition, not so much because they believe that facial recognition will “work,” as because they hope the publicity might scare potential terrorists into using some other airport (also a classic example of problem-shifting).
 See http://www.lasercard.com/app/secure.htm and http://www.lasercard.com/app/app2.htm.
 See Eaton, Card-Carrying Americans: Privacy, Security, and the National ID Card Debate
 See, e.g., the Denver Post (Oct. 21, 2001; http://www.denverpost.com/Stories/0,1002,6439%257E190297,00.html) on a Mexican immigration official who co-ran the smuggling of hundreds from Syria, Iraq, and Jordan via Mexico into the US.
 "The Threat of Terrorism is from Illegal Aliens," Phyllis Schlafly Report, Oct. 2001, http://www.eagleforum.org/psr/2001/oct01/psroct01.shtml (interestingly, Schlafly opposes a national ID card, in part because “We cannot tolerate new security measures that treat citizens and aliens alike, such as a national ID card”).
 Revelation 13:16: “He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead so that no one could buy or sell unless he had the mark, which is the name of the beast or the number of his name.” See my entry on “Identification cards” (http://www.sonic.net/~undoc/idcon.doc) for the forthcoming Encyclopedia of American Conspiracy Theories, ed. Peter Knight (ABC-Clio, 2004; see http://www.art.man.ac.uk/ENGLISH/staff/pk/research/Encyclopedia/front.html). A Google search for “mark beast drexler” (Drexler being the company that manufactures the BCC) turns up many pages on the role of smart ID cards in the so-called New World Order, and as a prophetic sign of the final days. See e.g. http://www.friendsofliberty.com/shondaponder/2001/shondaponder110401.shtml, http://www.geocities.com/americaslastdays/cardmark.htm (“Tribulation Card”) and http://www.logicsouth.com/~lcoble/conspire/beyond_a.txt (Gary Null). However, Drexler’s ID cards hardly compete in the “Mark of the Beast” market, compared with the claimed-to-be implantable “Digital Angel” from Applied Digital Solutions (in fact, it’s ADS’s VeriChip that’s implantable), as can be seen by a Google search for “mark beast digital angel”.
 Statistical Yearbook of the INS, 1998, http://www.ins.gov/graphics/aboutins/statistics/1998yb.pdf
 See http://www.fairus.org/html/08270110.htm
 IIRIRA: “Section 104. Improvements in Border Crossing Identification Card. New border crossing cards will include biometric identifiers (such as fingerprints or handprints) that are machine-readable. The cards will begin to be issued in April 1998 and the machine-readable checking will occur on or after October 1999.”
 Brownsville Herald, Dec. 12, 2001, http://www.brownsvilleherald.com/sections/archive/topstoryjmp/12-20-01/News3.htm
 See US Immigration and Naturalization Service (INS), "A Guide to Selected U.S. Travel/Identity Documents for Law Enforcement Officers," Aug. 1, 1998, http://www.fels.org/insforms/insdocs.htm
 See http://www.ssa.gov/history/reports/briefhistory.html
 Frank D. Bean et al., “Illegal Mexican Migration and the United States/Mexico Border: The Effects of Operation Hold the Line on El Paso/Juarez,” US Commission on Immigration Reform, July 1994, http://www.utexas.edu/lbj/uscir/respapers/imm_jul94.pdf, p. 117
 See http://www.house.gov/hunter/brdrchron3.htm
 See http://www.house.gov/judiciary/ib072299.htm; http://www.house.gov/judiciary/stan0722.pdf
 US State Dept., "Border Crossing Card (BCC) and Border Biometrics Program," Oct. 2001, http://travel.state.gov/bcc.html
 See http://www.mexico-info.com/consulate/documentation.htm#passports
 Simson Garfinkel, “Identity Card Delusions,” Technology Review, April 2002, http://technologyreview.com/articles/garfinkel0402.asp: “States that digitize driver's-license photographs can use face recognition systems to find out if the same person has multiple identity cards issued in different names. (Last year the Mexican Federal Election Institute adopted this technology to help stamp out duplicate voter registrations.)” See also http://www.bioprivacy.org/Mexico.htm, http://www.wola.org/mexbulletin2.html, http://www.cnn.com/2000/WORLD/americas/06/30/mexico.elections/
 Office of Inspector General, Dept. of Health and Human Services, Birth Certificate Fraud, Sept. 2000, http://oig.hhs.gov/oei/reports/a492.pdf
 “In the third cemetary he visited the Jackal found a gravestone to suit his purpose, that of Alexander Duggan who died at the age of two and a half years in 1931. Had he lived, the Duggan child would have been a few months older than the Jackal in July 1963….” (Frederick Forsyth, The Day of the Jackal, NY: Bantam, 1971, p. 78).
 See http://mozcom.com/~nso8/LateRegn.htm; see also Crewdson, The Tarnished Door, p. 41.
 The case of Juan Medrano Jr. v. US (1988; 836 F.2d 861) deals specifically with BCCs acquired through bribery (see http://www.usdoj.gov/osg/briefs/1988/sg880493.txt).
 Michael R. Bromwich, Inspector General, US DOJ, before the US Senate Caucus on International Narcotics Control, May 14, 1997, http://www.usdoj.gov/oig/tesswbr1.htm. See also Peter Andreas, Border Games: Policing the U.S.-Mexico Divide, p. 99; http://www.ndsn.org/SEPT96/CUSTOMS.html; http://www.usdoj.gov/oig/sa971/sa971p2.htm.
 See discussion below at note 48 . [[Actually, that whole discussion should probably be moved here.]] See also National Academies CSTB, “Cyber-Security and the Insider Threat to Classified Information,” Nov. 2000, http://www4.nationalacademies.org/cpsma/cstb.nsf/files/wp-insiderthreat.pdf/$file/wp-insiderthreat.pdf.
 http://www.usdoj.gov/oig/au9706/a9706tc.htm; emphasis added.
 [[Need to get figures on BCC revocation. Latest I can find are figures from 1965-9 (!) in Samora, Los Mojados, p. 184; 12,346 I-186 voided in 1965, 28,347 in 1967, 31,121 in 1969 – sounds like a lot, actually.]]
 Frank D. Bean et al., “Illegal Mexican Migration…” (see note 17 ), p. 116
 See House Immigration Subcommittee Oversight Hearing on Electronic Technology Border Control, Oct. 11, 2001 (summarized at http://www.fairus.org/html/08270110.htm), and Senate Judiciary Committee-Subcommittee on Technology, Terrorism and Government Information Subcommittee, Oct. 12, 2001 (summarized at http://www.fairus.org/html/08271110.htm)
 See DOJ/OIG, “The Rafael Resendez-Ramirez Case: A Review of the INS's Actions and the Operation of Its IDENT Automated Fingerprint Identification System,” March 20, 2000, http://www.usdoj.gov/oig/resenrpt/resentoc.htm
 See DOJ report on “Integration of Fingerprint Systems,” Dec. 7, 2001, http://www.usdoj.gov/oig/inspection/I-2002-003/finger.htm
 See http://www.wired.com/news/print/0,1294,47201,00.html; http://www.msnbc.com/news/647826.asp; http://www.ocregister.com/breakingnews/attack/09282001/dmv00928cci4.shtml
 See Crewdson, Tarnished Door, p. 43. See also Julian Samora’s classic Los Mojados: The Wetback Story (Notre Dame: U. of Notre Dame Press, 1971), pp. 59-60, 145, 185.
 See Richard Smith’s excellent work on facial recognition: http://www.computerbytesman.com/facescan/presentation/index.htm; see also Jay Stanley and Barry Steinhardt, “Drawing a Blank: The Failure of Facial Recognition Technology in Tampa, Florida” (ACLU special report), Jan. 3, 2002, http://www.aclu.org/issues/privacy/drawing_blank.pdf; http://www.aclu.org/features/f110101a.html. The National Biometric Test Center at San Jose State University (http://www.engr.sjsu.edu/biometrics), headed by Dr. James Wayman, has studied automated face recognition. See William A. Barrett, “A Survey of Face Recognition Algorithms and Testing Results,” in http://www.engr.sjsu.edu/biometrics/nbtccw.pdf: “The matching performance in current AFR systems is relatively poor compared to that achieved in fingerprint and iris matching, yet it may be the only available measuring tool for an application. Error rates of 2-25% are typical. It is also effective if combined
with other biometric measurements.”
 See http://www.oracle.com/pls/ebn/popup.on_demand?p_referred=related_show&p_shows_id=919253&p_win_size=L150
 See Andreas, Border Games, p. 91; see also http://www.fpusa.com/dmpits.htm; National Institute of Justice
Journal, Oct. 1998 (http://www.ncjrs.org/pdffiles/jr000237.pdf), pp. 21-25; http://www.fpusa.com/dmpits.zip
 http://www.usdoj.gov/opa/pr/2000/March/108jmd.htm; see also http://www.apbonline.com/crimesolvers/serialkiller/2000/03/20/resendiz0320_01.html
 See http://www.usdoj.gov/oig/i9609.htm
 On employee monitoring, see Schulman, “Computer and Internet Surveillance in the Workplace,” http://www.sonic.net/~undoc/survtech.htm
 DOJ Inspector General, before the Senate Judiciary Committee, Subcommittee on Technology, Terrorism, and Government Information, Oct. 21, 2001, www.senate.gov/~judiciary/te101201st-inspector.htm
 Joseph W. Eaton, “Cards Would Have Tripped Terrorists,” The Ledger (Lakeland FL), Dec. 4, 2001, http://www.theledger.com/attack/04pro.htm
 http://migration.ucdavis.edu/mn/archive_mn/apr_1999-06mn.html; see also http://www.ins.usdoj.gov/graphics/aboutins/congress/testimonies/1999/990318.pdf
 See http://www.international.duke.edu/FAQ/int_address_report.html
 David Weissbrodt, Immigration Law and Procedure in a Nutshell, 4th E., pp. 468-7
 Crewdson, Tarnished Door, p. 125
 *See Dita Vogel, "Identifying Unauthorized Foreign Workers in the German Labor Market," in Jane Caplan and John Torpey, eds., Documenting Individual Identity: The Development of State Practices in the Modern World
 INS, “25-Mile Zone – Regulatory History,” Oct. 8, 1999, http://www.ins.usdoj.gov/graphics/publicaffairs/backgrounds/BGround.htm (emphasis added)
 See Mike Davis, Magical Urbanism, ch. 7; see also http://www.arc.org/C_Lines/CLArchive/story2_3_08.html
 See Weissbrodt, Immigration Law and Procedure, pp. 195-7; Carliner et al., The Rights of Aliens and Refugees (ACLU), pp. 118-125; David A. Harris, Profiles in Injustice: Why Racial Profiling Cannot Work, NY: New Press, 2002, ch. 6; some of the key Supreme Court cases are Almeida-Sanchez v. US (1973), US v. Ortiz (1975), US v. Brignoni-Ponce (1975), and US v. Martinez-Fuerte (1976). Two 9th Circuit Court of Appeals cases, US v. Montero-Camargo and US v. Sanchez-Guillen (1999) peripherally involved BCCs. Murillo v. Musegades (1992) is a key case (settled) involving constant Border Patrol stops and searches of students at Bowie High School near El Paso; some parents, fearing accidental deportations of their children, would have their children bring their birth certificates with them to school every morning (see Amnesty International’s report on the US/Mexican border, 1998, http://www.web.amnesty.org/ai.nsf/index/AMR510031998).
 Amitai Etzioni, The Limits of Privacy, p. 103, emphasis added.
 Ellison presentation on national ID to Oracle employees: see note 42
 Judith Adler Hellman, Mexican Lives, pp. 169-70
 Mark J. Miller, “The Sanctioning of Unauthorized Migration and Alien Employment,” in Kyle and Koslowski, eds., Global Human Smuggling, p. 325; emphasis added
 US Commission on Immigration Reform, “US Immigration Policy: Restoring Credibility,” Sept. 1994, http://www.utexas.edu/lbj/uscir/exesum94.html
 For some, the term “pilot project” has a particularly sinister sound, almost as if a test were worse than something fully implemented; some described the mandated pilot projects as “softening up” the population for the Antichrist. The idea seems to be that, instead of implementing a plan that everyone would immediately notice, the heat is instead turned up slowly. Thus, pilot projects can be seen as examples of “boiling the frog.” See note 87 .
 See INS Systematic Alien Verification for Entitlements (SAVE), http://www.ins.usdoj.gov/graphics/services/SAVE.htm#two. This web page notes that in Jan. 2002, Pres. Bush extended the basic pilot program to 2004. The page also has useful illustration of why everyone’s ID must be checked. Above a picture of three identical paper-doll figures is the question, “Which of the following people is not legally employable in the United States?,” and is followed by the answer, “It is impossible to tell by looking.”
 See http://www.usda.gov/oce/oce/labor-affairs/newhires.htm; http://www.acf.dhhs.gov/programs/cse/newhire/nh/state_cb.htm; http://www.acf.dhhs.gov/programs/cse/newhire/nh/answers.doc
 Miller, “Sanctioning of Unauthorized Migration,” p. 325; see also "Illegal Aliens: Fraudulent Documents Undermining the Effectiveness of the Employment Verification System," July 1999, http://www.house.gov/judiciary/stan0722.pdf
 Peter Andreas, "The Transformation of Migrant Smuggling across the U.S.-Mexican Border," in Kyle and Koslowski, Global Human Smuggling, p. 112
 Peter Andreas, Border Games, p. 86
 See http://www.workforce.com/section/00/feature/23/13/85/
 See e.g. Gustavo Lopez Castro, "Coyotes and Alien Smuggling," www.utexas.edu/lbj/uscir/binpapers/v3a-6lopez.pdf
 David Spener, “The Logic and Contradictions of Intensified Border Enforcement in Texas,” in Andreas and Snyder, eds., Wall Around the West, pp. 119, 134 n. 17.
 GAO, "INS' Southwest Border Strategy: Resource and Impact Issues Remain After Seven Years," August 2001, http://www.bordercounties.com/documents/goa_boarder_strategy.pdf
 See http://dailynews.yahoo.com/h/azstar/20011226/lo/many_mexicans_stay_in_u_s_for_yule_1.html
 Weissbrodt, Immigration Law and Procedure, p. 22
 See http://www.web.amnesty.org/ai.nsf/index/AMR510031998
 See Kitty Calavita, Inside the State: The Bracero Program, Immigration, and the INS, NY: Routledge, 1992
 See http://www.wired.com/news/technology/0,1282,50961,00.html; see also http://www.info.gov.hk/immd/english/idcard/content.htm.
 See, e.g., Bruce Wiegand, Off the Books: A Theory and Critique of the Underground Economy, Dix Hills NY: General Hall, 1992; Thomas Gabor, Everybody Does It!: Crime by the Public, Toronto: U. of Toronto Press, 1994
 This is sometimes seen as a feature of security itself. According to Philip B. Heymann’s Terrorism and America (Cambridge: MIT Press, 1998), the ability to obtain and maintain anti-terrorism resources “will depend significantly on whether other uses can be found for these simultaneously” (p. xiv). At the same time, though, “The task with regard to legal authority is the opposite of the task with regard to other resources. For new legal powers, we must avoid ‘dual purpose’ authority in order to prevent the use of dangerous legal authority except in the most demanding of circumstances” (p. xv).
 See Jon Agar, “Modern Horrors: British Identity and Identity Cards,” in Caplan and Torpey, eds., Documenting Individual Identity, pp. 101-120.
 Also called the domino effect, the snowball, the parade of horrors, the foot in the door, the thin edge of the wedge, the death by a thousand cuts, the camel’s nose in the door, and boiling the frog. See Douglas Walton, Slippery Slope Arguments, Oxford: Oxford U. Press, 1992 (reprint Newport News VA: Vale Press, 1999).
 I’ve somewhere read the aphorism that “Expense and inefficiency are the two great guardians of liberty,” but cannot now locate the quotation. The closest I can find is Gary Marx’s observation that “Physical limitations and, to some extent, human inefficiency have lost their usefulness as unplanned protectors of liberty” (Undercover: Police Surveillance in America, p. 217). Richard Smith’s observation, “Moore’s Law is driving the privacy debate,” presents the other side of the coin: many contemporary privacy invasions are the result of cheap technology.
 Max. J. Skidmore, Social Security and Its Enemies, Boulder CO: Westview, 1999, p. 48
 Amitai Etzioni, The Limits of Privacy, pp. 104-111. At the same time, Etzioni makes a useful point against the technological/incremental determinism at the heart of the slippery-slope argument: “Totalitarian governments do not creep up on the trails of measures such as ID cards; they arise in response to breakdowns in the social order…” (p. 127). On the other hand, to take one example, the US Census really was used to aid the Japanese internment during WWII (see Margo Anderson and William Seltzer, “After Pearl Harbor: The Proper Role of Population Data Systems in Time of War,” http://www.stat.cmu.edu/~fienberg/stat149/Seltzer-Anderson-2001.doc). On the third hand, this is not a reason to not have a census; it is a reason to have very strict oversight, and to have lots of zealous privacy and civil-liberties advocates.
 See http://www.bradycampaign.org/
 I was shocked to find my good-input-bad-output argument here neatly paralleled in a “Christian Analysis of American Culture” position paper on “The Mark of the Beast”: “The Bible warns us that the anti-Christ will seem to have ‘all the answers’ to the world's problems. Alleviating robbery and drug dealing by removing cash, the very basis of these crimes, would certainly seem to be an answer to a world problem. But see the true purpose – this ‘answer’ is not from God!” (http://www.capalert.com/capreports/markofbeast/beast.htm).
 Ivan P. Fellegi, “Record Linkage and Public Policy – A Dynamic Evolution,” Record Linkage Techniques – 1997, http://www.fcsm.gov/working-papers/fellegi.pdf.