% fortune -ae paul murphy

Bad guy detectors and ID

Do you know who Deborah Davis is?

Think a possible Rosa Parks for the Patriot Act era - here's the 411 from a supporter web site:

One morning in late September 2005, Deb was riding the public bus to work. She was minding her own business, reading a book and planning for work, when a security guard got on this public bus and demanded that every passenger show their ID. Deb, having done nothing wrong, declined. The guard called in federal cops, and she was arrested and charged with federal criminal misdemeanors after refusing to show ID on demand.

The bus was crossing through the Denver Federal center at the time, and three months later the US attorney in Denver announced a decision not to prosecute, but you can see that what really happened here was a collision between individual rights and government's reflexive belief in identification.

A thousand years ago people in western Europe were identified either as members of noble families or by members of noble families - and that's still fundamentally how it's done in places like Cuba, Vietnam, and Communist China. Even in democracies like Canada, however, we have remenants of that approach: to get a passport, for example, a Canadian has to be vouched for by three qualified professionals - doctors, lawyers, or priests.

In general, however, western governments have been handing the identification job over to computers - that is, to us IT grunts.

Here's the opening paragraph from a report by John Lettice, on the theregister headlined "EU ministers approve biometric ID, fingerprint data sharing"

The European biometric ID card takes another step forward this week, with the European Justice and Home Affairs Council set to approve "minimum security standards" for national ID cards. Alongside this the Council will be roadmapping the rollout of Europe's biometric visa system, which will contain the fingerprints of 70 million people within the next few years, and hearing European Commission proposals for greater sharing of fingerprint data.

There are two very different sets of issues here: the first involving effectiveness and the second human rights.

In thinking about effectiveness, consider that effectiveness comes in two forms. As perfected in East Germany the "Papieren, Bitte" smirk is part of an intimidation policy that really doesn't have anything to do with identification, but that's not what happened in Denver. There the cops barely glanced at identification documents produced by people who choose to comply because the cops really didn't care who these people were - they cared about the response they got when they asked for identification because they hoped that would help them separate the good guys from the bad guys.

Basically what's going on there is that the individual cop has to deal with large numbers of people he doesn't know anything about, and so asking for identification allows him to assess whether the individual confronted exhibits unusual hesitation or other odd behavior -and they have to ask people obviously not guilty of anything because not doing so gives people who are selected for questioning both an excuse not to co-operate and a defence if caught out.

If we set aside the ethical issues so we can concentrate on the technological ones we can see that what's wanted is a kind of social memory: an electronic prostheses making up for the fact that we live in a big world in which the cop probably didn't grow up with all the people he comes in contact with and therefore doesn't know them. In this context the identification document acts as an index to a life history access to which is intended to give the cop a fair chance of knowing enough about the people he's dealing with to separate the good guys from the bad guys.

Notice that this is contextual: you can be the worst kind of street scum or corporate criminal and still have every right to use public transit or get a hamburger at an airport kiosk. In the United States at least, the police can't wander around randomly accosting people on the street to arrest those with unpaid parking tickets or other public malfeasence on their records.

It's the elision (cutting out) of this contextual component in the issue of identification that's at the heart of the design mistakes governments everywhere are making as they embark on national id card schemes. Basically, they're asking everyone to carry an identification card that can be used, on demand, as an index to a life history when all they really need, and all they should get, is a token that lets the cop on the street make the good guy / bad guy call in context and provides no other information.

Nobody's proposing anything like this, and the reason is clear: the bureaucrats know with certainty that they need identification -because that's the only thing they've ever had, and no-one's told them that alternatives exist. The big consulting companies, people like Accenture, EDS, and IBM, are trapped too: they can only respond to an RFI (request for information) on national identification systems with proposals on national identification systems.

In other words this is a closed loop that repeats its mistakes until change is forced on it from outside. That force has to come from the politicians: who have to sell this stuff to the public: show them that sensible alternatives exist, let internal presure for change build from a few expensive failures, and change might have a chance.

The failure process is well underway already. Every major western government has embarked on a national identity card scheme of some kind - and the same people who brought us Canada's two billion dollar gun registery, who can't get the IRS into the ninties, and who blew a few hundred million pounds on the latest failed child welfare information system in the UK, are profitably deploying their usual expertise to take these solutions to new heights.

Meanwhile, of course, Ms. Davis was absolutely right and by the time governments get their national ID cards issued you can expect her right to refuse to be widely supported in case law - at least in the United States and possibly in the UK.

So what's coming is a collision between an immoveable object (government's tendency to demand identification) and an irresistible force: human rights, into which it should be possible to slip a perceptional change about what's really needed and so get an alternative accepted.

Starting tomorrow I want to talk about how that could be made to work; meanwhile consider that we're the guys caught in the middle - the IT grunts about to receive impossible, and objectionable, marching orders we'll be expected to dog trot around a very large pile of taxpayer money and human rights issues.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.