Focusing public attention on emerging privacy and civil liberties issues

Worker ID Card

Latest News

  • Sen. Franken Questions Apple on iPhone Fingerprint Scanning: Senator Al Franken has raised questions about the privacy and security implications of the fingerprint reader on Apple's new iPhone 5S. "If someone hacks your password, you can change it—as many times as you want. You can't change your fingerprints," Senator Franken wrote. He also pressed Apple for additional details on the protection available to users against law enforcement access to biometric data. In Congressional testimony, EPIC has previously warned that biometric identifiers will "allow for greater data collection and tracking of individuals." For more information, see EPIC: Biometric Identifiers. (Sep. 21, 2013)
  • EPIC Opposes DHS Biometric Collection: EPIC has submitted comments to the Department of Homeland Security, staunchly opposing the agency's border biometric collection, facilitated through the Office of Biometric Identity Management program. Since at least 2004, DHS has collected fingerprint and facial photos from individuals entering the United States. DHS then disseminates this information to DHS agency components, other federal agencies, and "federal, state, and local law enforcement agencies," and the "federal intelligence community." Currently, at least 30,000 individuals from federal, state, and local governments access the data contained obtained by DHS's biometric collection program. DHS shares this biometric data with foreign governments, including Canada, Australia, and the United Kingdom. In its comments, EPIC urged the agency to cease collecting biometric information without proper privacy safeguards in place. Should the agency continue to collect this sensitive information, EPIC recommends that DHS: (1) impose strict information security safeguards on its biometric information collection and limit its dissemination of biometric information; (2) conduct a comprehensive privacy impact assessment on the biometric collection program; (3) grant individuals Privacy Act rights before collecting additional biometric information; and (4) adhere to international privacy standards. For more information, see EPIC: US-VISIT and EPIC: Biometric Identifiers. (Jun. 21, 2013)
  • EPIC Sues FBI to Obtain Details of Massive Biometric ID Database: EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition. (Apr. 8, 2013)
  • EPIC Files Complaint, Urges Investigation of Facebook's Facial Recognition Techniques: Today EPIC, and several privacy organizations, filed a complaint with the Federal Trade Commission about Facebook's automated tagging of Facebook users. EPIC alleged that the service was unfair and deceptive and urged the FTC to require Facebook to suspend the program, pending a full investigation, the establishment of stronger privacy standards, and a requirement that automated identification, based on user photos, require opt-in consent. EPIC alleged that "Users could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook." EPIC warned that "absent injunctive relief by the Commission, Facebook will likely expand the use of the facial recognition database it has covertly established for purposes over which Facebook users will be able to exercise no meaningful control." EPIC has previously filed two complaints with the Commission regarding Facebook. For more information see EPIC: Facebook Privacy. (Jun. 10, 2011)
  • National Academies Releases New Report on Biometrics: The National Academy of Sciences has released a report entitled "Biometric Recognition: Challenges and Opportunities." The report concluded that biometric recognition technologies are inherently probabilistic and inherently fallible. Sources of uncertainty in biometric systems include variation within persons, sensors, feature extraction and matching algorithms, and data integrity. The report recommends a more comprehensive systems level approach to the contexts, design, and use of biometric technologies as well as peer-reviewed testing and evaluation of the technologies. EPIC has urged the Department of Defense to establish privacy safeguards for the biometric database the US established of Iraqis. See EPIC - Biometric Identifiers and EPIC - Iraqi Biometric Identification System. (Sep. 28, 2010)
  • US Withdrawal from Iraq Raises Questions about Future of Biometric Database: President Obama's address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict. In 2007, EPIC, Privacy International, and Human Rights Watch wrote to Defense Department Secretary Robert Gates to express concern about the creation of secret profiles on hundreds of thousand of Iraqis, tied to unique biometric identifiers, including digital fingerprints, photographic images, iris scans, and even DNA. Citing misuses of secret files and personal data in other conflicts, the organizations warned that the identification practices "contravene international treaties and could lead to potentially devastating consequences." EPIC, PI, and HRW urged the Defense Department to "adopt clear guidelines that incorporate strong privacy safeguards to ensure that Iraqis are afforded basic human rights in their personal information." For more information, see EPIC - Iraqi Biometric Identification System. (Sep. 1, 2010)
  • Worker Biometric ID Under Consideration in US: Senators Charles Schumer and Lindsey Graham have proposed a new national identity card. The Senators would require that "all U.S. citizens and legal immigrants who want jobs" obtain a "high-tech, fraud-proof Social Security card" with a unique biometric identifier. The card, they say, would not contain private information, medical information, or tracking techniques, and the biometric identifiers would not be stored in a government database. EPIC has testified in Congress and commented to federal agencies on the privacy and security risks associated with national identification systems and biometric identifiers. For more information, see EPIC: National ID and the REAL ID Act, EPIC: Biometric Identifiers, and the Privacy Coalition’s Campaign Against REAL ID. (Mar. 24, 2010)

Summary

On March 19, 2010, Senator Charles Schumer (D-NY) published an op-Ed in the Washington Post co-authored with Senator Lindsey Graham (R-SC) outlining his vision for comprehensive immigration reform. At the center of this vision was a plan for the Social Security Administration to issue new Social Security cards containing biometric identification to all U.S. citizens and legal immigrants. Employers would then be required to scan these IDs and verify a potential employee’s eligibility to work in the United States and their identity as the cardholder before making a hiring decision. Workers unable to present the biometric ID card or who fail the verification process in any way would be denied employment. The idea is that this will discourage future migrants from crossing the border illegally by preventing them from finding work when they arrive.

A draft legislative framework released in late April shed further light on how the biometric Social Security card and verification system is supposed to work. Each card would contain the person’s name, date of birth, Social Security number, and a biometric identifier, all in machine-readable format. When an employer scans the potential employee’s card, the cardholder’s work authorization would be verified by matching a digital encryption key on the card to a digital key stored in a work authorization database. The cardholder’s identity would be verified by matching the biometric stored on the card to a biometric scanned on site by the employer. The system is to be designed so that the individual’s identity can be confirmed locally, without the need to access a 24/7 biometric database. The card will feature “security features” that protect the information on the card and protections that permit the individual cardholder to control who is able to access data on the card.

Privacy Issues

A mandatory, biometrically-enabled employment authorization and identity check as a prerequisite for employment presents several serious issues privacy issues.

Database Errors

First and foremost, this plan places the Department of Homeland Security and the Social Security Administration in the position of approving or disapproving every hiring decision across the country. The decision about whether an individual is authorized to work in the United States would likely depend on the data in a new central work authorization database compiled from government records and commercial databases.

Studies have shown that government databases are filled with errors. In a 1997 report and a 2002 follow-up review, the Inspector General of the Department of Justice found that data from the Immigration and Naturalization Service, the predecessor to U.S. Citizenship and Immigration Services, was unreliable and "flawed in content and accuracy." In August 2005, the Government Accountability Office investigated and found errors in information from Department of Homeland Security databases. A December 2006 report by the Social Security Administration's Office of Inspector General estimated that the SSA's Numerical Identification File ("NUMIDENT") contained 17.8 million records with discrepancies between name, date of birth or death, or citizenship status. Commercial databases are also suspect and the DHS Data Privacy and Integrity Advisory Committee has twice issued reports warning against the use of commercial data for government purposes.

There are currently 139,420,000 people employed in the United States. If the new work authorization database has errors in even 1% of records, it could result in millions of people wrongly denied work authorization. Even the Social Security Administration estimates that if the Schumer proposal is adopted, as many as 3.6 million workers would have to visit SSA field offices to correct information each year.

The consequences for an individual who is wrongly denied approval due to errors in the database could be very burdensome. A 2006 report by the Social Security Administration’s Office of the Inspector General reviewing the Basic Pilot found that 42 percent of employers used the program to prescreen employees before hiring them even though the practice is prohibited, thus denying individuals employment. The same report found that 30 percent of employers used the program to screen their existing workforce, again despite legal prohibition of the practice. Employees who failed the verification often faced loss of job opportunities such as delayed job training, cuts in pay or benefits, or even loss of the job itself. Anecdotal evidence suggests this practice has continued under the E-Verify system. Furthermore, errors in the database resulting in disapproval will force employees to go through a lengthy appeals process in order remedy the government’s error.

Security

Centralized databases create the risk for massive privacy failures. Given the numbers of individuals with information stored in a central database and the importance of that data, central databases make highly visible targets for identity thieves. Storing all relevant employment information in one place means that if security is breached, data about every worker in the United State’s data would be at risk of exposure. These security breaches could happen in a number of ways. Criminal hackers might target the database. Authorized users might be threatened or bribed into exceeding their authorization. Data breaches could even happen by mistake if a laptop or hard drive with information from the database was misplaced. Adoption of the Schumer plan would result in the creation of at least one, possibly two large national databases of citizen information: the work authorization database and a biometric database.

The work authorization database is one the central features of the Schumer plan. Considering how the Schumer plan pins employment to having a valid entry in this database, the work authorization database would be an especially tempting target for identity thieves seeking “authorized” social security cards.

While the draft framework calls for the system to be designed so that an individual’s identity can be confirmed locally and prohibits storage biometric data in a government database, a government biometric database remains a possibility. Every other government identity system has a central database of some kind and a database is also necessary to keep the same documents from being used repeatedly to create multiple cards with different biometrics. Furthermore, databases are needed to address the customer service type issues of replacing lost or stolen cards. Because biometric data is difficult to change, the consequences of a security breach for those whose data is lost could be extremely harsh. While a password or identification number can be changed, a thumbprint generally cannot. Thus, breaches of biometric database would likely have serious long term effects.

Mission Creep

Once the new cards are issued, they will be a trusted means of identification in the possession of every American worker. This will make them a tempting target for other organizations and government agencies seeking to confirm an individual’s identity. While the current proposal posts legal barriers to expanding the cards’ use beyond employment authorization verification, nothing prevents a future Congress from removing those barriers. Mission creep is a real danger. A similar pattern played itself out with social security numbers, which were originally intended for the singular purpose of identifying people in the Social Security system and gradually expanded into other contexts as their convenience as a national identifier became clear. As use of the new social security card expanded, it could evolve into the type of national ID card thoroughly rejected throughout American history.

Resources

News Items