If they build it, will it work?

It's been almost 15 years since I last considered forging a driver's license but, thanks to modern technology, it's easier than ever. Scan a real license, import it into Photoshop, change the name, birth date, and picture, and print to photo paper on a color printer. Add your state's watermark on transparency film and laminate it all together. You're all set—go buy yourself a beer, son. Or, more to the point, go get on an airplane. As proof of identity, today's ID cards are a joke.

As Oracle Corp. CEO Larry Ellison recently pointed out, any credit card is substantially more sophisticated than most government-issued IDs. He went on to propose that the United States adopt a system of "digital IDs" backed by Oracle database software, which he would provide for free. Modern technology can vastly improve the field of personal identification. The question is, will it do enough to help the fight against terrorism?

When civil libertarians heard the phrase "national ID card," they dived into their bunkers. But Ellison only proposed the following:

• That a single digital ID replace the many government ID cards currently issued, such as driver's licenses and Social Security cards.
• That these IDs be instantly readable, so they could be used, say, by airline passengers who volunteered to carry them to speed the process of clearing airline security.
• That existing governmental databases be combined to make access to information easier and faster.

Ellison isn't alone in proposing a national ID. The new terrorism bill just signed into law requires digital IDs for all travelers arriving in the United States, and the Defense Department has ordered "smart cards" as IDs for all 4.3 million military personnel.

Should the nation commit itself to deploying national ID standards or requiring citizens to carry them, as some members of Congress urge? Webhead will leave it to the lawyers, politicians, and civil libertarians to argue it out. But how they work and whether or not they're practical—given today's technology—is Webhead's meat and potatoes.

Building the National ID Card
Proponents of a national ID card envision a "smart card" the size of a credit card and probably a little thicker and somewhat more durable. What makes a smart card smart is the capacity to store digital information, often rerecordable. A standard credit card actually qualifies as smart, because it encodes your card number, expiry date, and name on the magnetic strip on the back. The New York City subway's MetroCard is also a smart card, but both are pretty dumb as smart cards go. Moving up the IQ ladder, you find smart cards equipped with "flash" memory (the kind used in digital cameras), a microprocessor, or other electronics that aid in scanning the card and storing vast quantities of information. Many corporations (Microsoft among them) and governmental agencies issue smart cards to employees as IDs so they can enter secure buildings by waving their cards near a scanner.

An ID such as Ellison proposes must match the ID to its holder. The easiest way to do this is to use a PIN, as ATM cards do. The U.S. military is taking this approach. But PINs can be stolen, so something more reliable is desirable. Driver's licenses and passports use photographs, but photographs can easily be altered and depend on fallible humans to make the matches.

The best way to match an ID to an individual is to record his unique "biometric" information—fingerprint whorls, the shape of the bones in his hand, voiceprint, or the pattern of his retina—onto the ID. Fingerprint scanning is widely available at reasonable cost from Digital Persona, Identix, Sony, and others. Because biometrics are statistical in nature—"this thumbprint looks 97 percent like the one on record"—the wrong person might be matched to an ID. But even with today's technology, this is already statistically very unlikely. I'd trust my bank account (and my family's safety) to a modern fingerprint reader if IDs must be unforgeable (and otherwise what's the point?). Thanks to encryption technology, which allows issuers to "lock" the contents (biometric data, name, age, date and place of birth, and other information) and allows only authorized users to read it, the best of today's cards are unforgeable. But building the card itself is only the beginning. Ellison wants to link ID cards to databases maintained by the Immigration and Naturalization Service, the military, FBI, and state and local police. Is modern database technology up to the job of maintaining such a gargantuan storehouse of data?

Let's say we go whole hog with our national ID and store 50 pages of text per U.S. resident in the database. That would be more than adequate to accommodate the information kept on each individual by the various branches and agencies of government. Fifty pages translates into 100 kilobytes of data, so given a resident population of 280 million, the national ID database would contain 28 terabytes of data (a terabyte is a trillion bytes). That's big, but demonstrably within the realm of today's technology. For instance, SBC Communications (one of the Baby Bells) maintains a 125-terabyte data warehouse. To be of any use in airport security or immigration clearance, authentication of the card against a national database would have to be fast. But today's databases are very fast—consider how quickly Amazon.com customizes a home page for each of its tens of millions of customers. A recent Wall Street Journal article speculated that maintaining an entry and exit database for foreign visitors would swamp current database technologies, but that's not really the case. Some 350 million visitors enter the United States every year. On an extremely busy day at the border, the authorities would have to make 10 million database changes. That sounds like lots of transactions, but it's no more than a medium-sized bank handles daily.