Much as predicted, now that the national ID craze has blown over, there's a push to setup a state driver license program that can be used in the same fashion. Bruce Schneier published an informative essay on the matter of national ID cards which applies equally as well to the current debate. One of the things that I find so annoying about these types of proposals is that they totally ignore the Point-Of-Sale implications. For these new biometrics to supply any reasonable amount of trust at binding an ID to a person, two functions must be available at the location of the verifier:
- Equipment to read the biometrics off the card, off the person in question, and render a useful comparision of those two readings (i.e. a "match" or "don't match" indicator).
- Means to verify that the biometrics on the card match biometric information that has been verified when the ID was issued.
The reality is, even simplistic IDs current used by most states (i.e. a text description of things like height, age, race, and eye color, combined with a minimal photo) frequently are not verified, even though all the verifier has to do is look at the ID and look at the person. Even with the miniscule amount of information supplied on current IDs, no one actually bothers to verify the information matches what's on file with the state, except for people like law enforcement, who have expensive and specialized systems to support their needs. Now, with a newly proposed ID, the bouncer at the local club would need to have a special reader to get a finger-print off each patron, and then match it to their ID. And you can bet that people won't take to being finger-printed entering their favorite club....
And you can forget about verifying the new biometric data in real-time. Even for specialized uses like verifying airline passengers, the system will still be impractical. What are you going to do when the system is down? And it will be down. Even if they operate at 99.999% uptime (the holy grail of "Five Nines"), that's over 525 minutes of downtime per year! Nearly 45 minutes per month that the system will un-expectedly be offline. And operating a system this complex at Five Nines uptime would be incredibly expensive. Many critical government systems operate at closer to 98% uptime, which would be over 14 hours per month of downtime.
