[Reader-list] News Items posted on the net on National Identity Cards-5

[Taha Mehmood]

http://www.businessweek.com/magazine/content/01_45/b3756001.htm

Privacy in an Age of Terror
To track terrorists, government snoops will have to track you, too

 NOVEMBER 5, 2001


Khalid Al-Midhar came to the attention of federal law enforcers about a year
and a half ago. As the Saudi Arabian strolled into a meeting with some of
Osama bin Laden's lieutenants at a hotel in Kuala Lumpur in December, 1999,
he was videotaped by a Malaysian surveillance team. The tape was turned over
to U.S. intelligence officials and, after several months, Al-Midhar's name
was put on the Immigration & Naturalization Service's "watch list" of
potential terrorists. When the INS discovered in August that Al-Midhar was
already in the U.S., the FBI assigned agents to track him down.

By the time the FBI figured out where Al-Midhar was, downtown Manhattan was
in flames, part of the Pentagon had been destroyed, and more than 5,000
people were dead. Racing to reconstruct the disaster, agents pulled the
manifest of hijacked American Airlines Flight 77--and discovered that
Al-Midhar had bought a ticket for the flight using his real name.

As politicians, businesspeople, and terrorism experts try to prevent the
horror of September 11 from ever being repeated, they are taking a closer
look at the story of Khalid Al-Midhar. Could the tiny shred of information
about him--his name and his image--have been used to thwart the attack? The
answer may be yes. Technology exists that, had it been far more aggressively
deployed, might have tracked down Al-Midhar before he stepped on board the
plane. The FBI's list of potential terrorists, for instance, could have been
linked to commercial databases so that he might have been apprehended when
he used his Visa card days before the attack.

The videotape of Al-Midhar also could have been helpful. Using biometric
profiling, it would have been possible to make a precise digital map of his
face. This data could have been hooked up to airport surveillance cameras.
When the cameras captured Al-Midhar, an alarm would have sounded, allowing
cops to take him into custody.

The aim of these technologies is simple: to make it harder for terrorists to
hide. That's top priority now--and it's likely to drive a broad expansion of
the use of intrusive security measures. Polls taken since September 11 show
that 86% of Americans are in favor of wider use of facial-recognition
systems; 81% want closer monitoring of banking and credit-card transactions;
and 68% support a national ID card. But the quest for safety is also going
to come at an incalculable cost to personal privacy. Any tool that is
powerful enough to strip away the anonymity of Khalid Al-Midhar--one
dangerous traveler among millions of innocents--will do the same thing to
ordinary citizens. Their faces will have to be scanned by the same cameras,
their spending habits studied by the same computers.

The war on terrorism is still in its early days, but one thing is already
clear: In the future, information about what you do, where you go, who you
talk to, and how you spend your money is going to be far more available to
government, and perhaps business as well. "September 11 changed things,"
says former Federal Trade Commissioner Robert Pitofsky, one of the most
forceful privacy advocates in recent decades. "Terrorists swim in a society
in which their privacy is protected. If some invasions of privacy are
necessary to bring them out into the open, most people are going to say,
`O.K., go ahead."'

Across a wide range of battlefields, privacy is on the retreat. Many
high-tech surveillance tools that were deemed too intrusive before September
11, including the FBI's "Carnivore" Internet eavesdropping system, are being
unleashed. Pre-attack legislation aimed at protecting people from unwanted
privacy invasions has been shelved, while Congress is on the verge of
passing an anti-terrorism law giving cops broad new powers to wiretap,
monitor Internet activity, and peer into personal bank accounts. The notion
of forcing citizens to carry a national identity card--once anathema to
America's open culture--is getting more serious consideration than ever in
U.S. history.

These developments could wind up having profound implications for our
democracy. Privacy involves the most fundamental issue in governance: the
relationship of the individual to the state. Since the forefathers,
Americans have been committed to the idea that people have the right to
control how much information about their thoughts, feelings, choices, and
political beliefs is disclosed. It's a matter, first and foremost, of
dignity--creating a boundary that protects people from the prying eyes of
the outside world. That, in turn, helps to shield religious minorities,
political fringe groups, and other outsiders from persecution by the
majority.

By reducing our commitment to privacy, we risk changing what it means to be
Americans. To the extent that ID cards, databases, and surveillance cameras
help the government track ordinary citizens, they may make people marginally
less willing to exercise basic freedoms--to travel, to assemble, to speak
their minds. "It's possible that through a tyranny of small decisions, we
could make a nightmare society," says Harvard Law School Professor Laurence
H. Tribe.

Of course, we're still a long way from that point. Although many civil
libertarians worry that the era of Big Brother is dawning, polls show that
Americans are still committed to personal privacy and are unwilling to give
law enforcers a blank check. President George W. Bush quickly dismissed the
notion of a national ID card. And a coalition of left- and right-wing
libertarians gave the Anti-Terrorism Act far rougher going than most
commentators initially expected. Furthermore, none of the proposals
currently on the table--such as installing facial-recognition systems at
airports or linking the FBI's databases to those run by the
airlines--fundamentally threatens civil liberties.

But this is a rapidly evolving issue. We have already abandoned a number of
old privacy taboos. If new attacks come and the U.S. is powerless to stop
them, a mandate could develop for greater levels of surveillance. Here are
some of the key areas in which personal privacy could begin to erode:

*What You Do*
No matter how hard terrorists try to keep a low profile, they live in the
real world. The team that attacked the World Trade Center had to buy plane
tickets, take flying lessons, communicate with one another, and draw money
from bank accounts.

All of these moves leave traces on widely dispersed computer databases.
That's why the tool that probably has the most potential to thwart terrorism
is data-mining. Think of it as a form of surveillance that casts its eye on
computer networks. If cops could survey the nation's computer systems and
discover that a member of an extremist group also bought explosives and
visited a Web site about building demolition, they might be able to halt a
potential attack. Or if someone tried to purchase anthrax, the seller could
run an instant background check.

Today, those databases aren't linked. The FBI's watch list of suspected
terrorists hasn't even been connected to the INS or the State Dept., much
less the private sector. A wide variety of laws and taboos has prevented the
government from hooking up its files with those of airlines, credit-card
companies, and private data-collection organizations. But that's already
changing: On Oct. 11, INS chief James Ziglar told a Congressional committee
that he is moving to link the agency's computers to the FBI's central
database of bad guys. He also wants to require air carriers to submit
passenger lists to the INS to prevent suspected terrorists from boarding
U.S.-bound planes.

Some people, including Oracle Corp. CEO Lawrence J. Ellison, are
recommending the creation of even broader databases. Other industry experts,
all of whom stand to profit from such a plan, argue that such vast systems
are already feasible. For example, Wal-Mart Stores Inc. and Kmart Corp. have
databases containing over 100 terabytes of information about everything from
sales to inventory to deliveries. That's the equivalent of about 200 billion
documents--some 100 times larger than the Internal Revenue Service's
commercial tax-filing database. "There are real-life data warehouses that
absorb information in near real time, process it, and issue alerts within
seconds or minutes," says Richard Winter, an independent expert on large
database systems.

A key challenge will be developing sophisticated software to sift through
the databases, pinpointing likely terrorists and suspicious behavior.
Working together, a team of criminologists and software developers would
need to design profiles of potential evildoers. That has been done in the
past to track down serial killers and to thwart hijackings with mixed
results. The airline industry's Computer Assisted Passenger Screening system
(CAPS) failed to pick out almost all of the September 11 terrorists. But
there's good reason to believe the technology can improve. Software maker
Sybase Inc.'s new mining software can already analyze up to 1,000 variables,
vastly increasing cops' ability to find the needle in a haystack of personal
data.

Of course, there are huge political and legal hurdles to launching such
systems. For one thing, government officials have a long history of abusing
their power to collect personal information. Remember J. Edgar Hoover and
Richard M. Nixon? For another, databases created for one purpose have a way
of being reused in unintended ways. Files that Massachusetts accumulated
about citizen health insurance claims, for example, had to be turned over to
the tobacco industry when the state sued cigarette makers (though the state
took steps to ensure that individuals' identities were masked). Over the
long term, widespread deployment of data-mining will depend in large part on
the ability of law enforcers to persuade the public that effective
guidelines can be designed--and followed.

*Who You Are*
One of the most controversial issues on the privacy landscape is that of
national ID cards. Many Americans are instinctively repulsed by the idea.
Passion runs so strong on this issue that the government has repeatedly
blocked efforts to use Social Security numbers for drivers' licenses, voter
registration, and prison records. The fear is that the Social Security
number would become the equivalent of a national ID card.

More than 100 other countries, many of them democracies, disagree. They come
in many varieties. Germany, after the human rights abuses of the Nazis,
takes a minimal approach. Cards contain basic information, including name,
place of birth, and eye color. Malaysia, on the other hand, this year
launched a project to issue 2 million "multipurpose" cards in Kuala Lumpur.
A computer chip allows the card to be used as a combination drivers'
license, cash card, national health service card, and passport.

That's only the beginning of what's theoretically possible. Given the power
of digital technology, criminal records, immigration data, and more could be
packed onto ID cards. In fact, they could contain so much data that they
become the equivalent of portable personal files.

That's still a long way off. From a cop's perspective, ID cards are
desirable because they make anticrime databases work better. As things stand
now, one typing error at the airline check-in counter--say, John Smiht--and
all the fancy efforts to unite Delta Air Lines Inc.'s database with the INS
watch list don't add up to much. Forged drivers' licenses or passports--not
to mention legitimate alternative spellings, such as Jon Smith or John K.
Smith--produce the same problem.

A national ID card solves this by turning every person into a reliable data
point for entry into larger databases. Once national ID cards are in place,
airlines, explosives manufacturers, and border-crossing guards will know
exactly which John Smith they are dealing with. So terrorists will have a
harder time passing themselves off as ordinary citizens. True, ID cards can
be forged. But that problem can largely be managed via "smart" cards
equipped with computer chips that can store the cardholders' fingerprints or
iris scans as biometric authentication devices.

The concern, of course, is that ID cards could lead the country down a
slippery slope. Over the long run, say critics, they might be used as a
platform for creating new databases. Starting with a card like, say, the one
Malaysia just launched, governments could require the ID cards to be swiped
into electronic readers every time people shopped, traveled, or surfed the
Web and could accumulate an unprecedented quantity of information on their
citizens.

For now, though, the question of a national ID card appears to be off the
agenda, though it's nowhere near dead. Even some longtime civil libertarians
are reevaluating. On Sept. 10, "I was a knee-jerk opponent of ID cards,"
says Harvard University law professor Alan M. Dershowitz. "Now, I've had to
rethink the whole thing."

*Where You Go*
In recent years, scientists have made enormous advances in location-tracking
tools. Surveillance cameras with facial-recognition software can pick out
criminals in public places. Global positioning satellite (GPS) transponders
in cars, boats--and one day, in handheld devices such as phones--send out
signals identifying people's latitude and longitude to within 10 feet. Both
of these technologies will flourish in an environment free of many of the
privacy concerns that clouded their future before September 11.

So far, facial-recognition systems are used primarily in highly controlled
situations as authentication devices, to vouch for the identities of workers
entering, say, a nuclear power plant. They are not often used, especially in
the U.S., as a general surveillance device in public places. Tampa police
use them in high-crime districts. A few casinos have also installed them.
But in the wake of the terror attacks, a security committee formed by
Secretary of Transportation Norman Y. Mineta has recommended the aggressive
rollout of facial-recognition systems in airports. But it's still unclear
how useful they will be. They can still be tricked by people wearing fake
beards. And they tend to generate too many false alarms. Unless these
glitches get fixed, the devices may never be appropriate for high-traffic
settings such as tunnels and bridges.

GPS is a different story. The technology works--and it has been rapidly
spreading to new places. Before September 11, privacy groups and some
legislators had been working to limit the ability of companies to collect
location data from customers surreptitiously and to raise the legal
standards for enforcement officials to subpoena this material. Those
battles, for the time being, are lost causes. If GPS information helps track
down terrorists, it will be collected.

*Whom You Talk To*
Law enforcers need the ability to find out with whom suspected terrorists
are talking and what they are saying. That's why the government lobbied for
the Anti-Terrorism Act, which gives the feds increased powers to eavesdrop
on telephone calls and digital communications made through e-mail, online
service providers, and digital devices.

Unlike facial surveillance, ID cards, or data-mining--which invade
everybody's privacy--the government's new eavesdropping powers will
primarily target known suspects. So they don't raise as many issues for the
public at large.

There's one major exception: Carnivore, a technology the FBI uses to monitor
e-mails, instant messages, and digital phone calls. Carnivore generated
widespread controversy before September 11 for being too powerful. When
installed on a suspect's Internet service provider, it searched through not
only the suspect's Web activities but also those of people who used the same
ISP. After privacy advocates complained, the FBI scaled back its deployment.
Now, the brakes are off. There are widespread reports that the government
has hooked up Carnivore to ISPs with minimal oversight. The government will
probably soon demand that ISPs and digital wireless providers design
networks to make them easier to tap. Just a few months ago, the FBI wouldn't
have dared to ask. Now, such a move would barely make the papers.

Facial-recognition software. Data mining. National ID cards. Carnivore. For
the near future, these technologies are going to be deployed as stand-alone
systems, if at all. But we live in a digital age. All of these technologies
are built on ones and zeros. So it is possible to blend them together--just
as TVs, computers, video games, and CD players are converging--into one
monster snooping technology. In fact, linking them together makes each one
exponentially more effective.

A national ID card, for example, could be used to launch a new unified
database that would track everybody's daily activities. Information culled
from Carnivore could be stored in the same place. This super database, in
turn, could be linked to facial-recognition cameras so that an all-points
bulletin could go out for a potential terrorist the second the data-mining
program detected a suspicious pattern of conduct.

Other, more futuristic new technologies could be added to the mix.
Scientists will be able to make much more powerful surveillance devices if
they're freed of the privacy concerns that have restrained them in recent
years. Already, researchers are working on satellites that can read the
unique color spectrums emitted by people's skin and cameras that can tell
whether people are lying by how frequently they blink. Left unchecked,
technologists could eventually create a nearly transparent society, says
David J. Farber, a pioneering computer scientist who helped develop the Net.
"All the technology is there," he says. "There is absolutely nothing to stop
that scenario--except law."

To be sure, nobody is proposing such systems. And they are a long, long way
from technical feasibility. But they are within sight--and no more
far-fetched than, say, eBay Inc.'s auction-everything Web site was a
generation ago. Indeed, unifying the various surveillance systems makes
sense from a technological standpoint, and there's likely to be strong
pressure, once the tools are in place, to try to make them work better.

As the U.S. enters the next phase of the war on terror, it is useful to keep
this Orwellian scenario in mind, if only as a warning beacon of some of the
hazards ahead. It is also reassuring to know that privacy principles
developed in the past still apply in this new world. Surveillance can be
checked by laws that require regular audits, that call for citizens to be
notified when they're investigated, and that give people the right to
correct information collected about them. That's the best way of
guaranteeing that, in our efforts to catch the next Khalid Al-Midhar, we
don't wind up with Big Brother instead.


 By Mike France and Heather Green in New York, with Jim Kerstetter in San
Mateo, Calif., Jane Black and Alex Salkever in New York, and Dan Carney in
Washington