Sunday, March 06, 2005

High-tech solutions can't stop fake IDs

Did you have a fake ID in high school? I did. I had one for years, from when I was perhaps 16 years old or so. Smith County, where I grew up in East Texas, was "dry," so we'd drive 30 miles down state highway 31 to Kilgore in Gregg County, where to this day a passel of run-down liquor stores sit invitingly just across the county line. It was never rejected.

In fact, ultimately I had two fake IDs. Like Charles Kuffner, I'm one of the unhappy few Texans back in the 1980s who reached 19 years old, could legally drink for a few months, then saw the laws change to restrict drinking again until I was 21, so I had to get a second fake ID when I was in college. I don't really recall how I got them, or from whom, but it wasn't difficult, and I didn't know any underage folks who wanted to drink who found the ID thing to be a real barrier.

Supposedly, 9/11 upped the ante on fake IDs. Forget for a moment that the actual hijackers had real IDs issued by government agencies based on forged primary documents. None of these new high-tech ID card programs would have affected what they did at all. Regardless, though, technology vendors, motor vehicle registration agencies, and most of all the Bush Administration are promoting the wrongheaded notion that throwing more high tech gadgetry at the ID problem will solve it.

This technophile reaction to 9/11 holds that every potential danger can be resolved by purchasing this facial recognition technology or that newfangled, bar-coded ID to prevent terrorism. It won't. It can't even prevent 19-year olds from buying beer, much less prevent committed adults willing to give their own lives from killing a lot of people.

The frantic search for techological solutions doesn't even make sense. The terrorists' strategy on 9/11 was to use LOW-tech means to exploit our society's reliance on high tech gizmos -- they used box cutters to take over a plane, for heaven's sake -- so the high-tech solution is obviously, precisely the WRONG strategy to confront the direct threat, like fighting fires with gasoline.

A fascinating article in this morning's New York Times demonstrates to me the fallacy of thinking technology can stop a creative, determined opponent from getting a fake ID. Titled, "The ID Wars: The Fakes Gain," the fascinating conclusion is even worse than the title -- the fakes were always ahead, and those who would prevent the creation of fake IDs do not now and have never been able to do so. All the new technology brought to bear on the problem has been stymied, or even made things worse as the pool of people technically qualified to make sophisticated fakes has grown exponentially.

Despite these obvious unintended consequences to the security crowds techno-fervor, vendors and government agencies continue to tout endlessly more expensive high tech solutions, always justifying them with trying to prevent terrorism:

While getting a fake ID is a right [sic] of passage for many young people who want no more than access to the occasional six-pack or campus pub, the potential security threat posed by forged drivers' licenses - most prominently, the threat of access to commercial airliners - has cast the old barroom conflict in a new light.

"People think of fake ID's for buying beer or cigarettes when you're 19," said Sgt. William Planeta, who runs the New York Police Department's document fraud squad. "But it has a lot of different implications in a post-9/11 world. You can use that fake ID to do all sorts of things."

In an effort to catch up with counterfeiters, therefore, the government and a growing document verification industry are turning to both legislation and technological innovations. "We're going to give the fake ID a run for its money," said James E. Copple, the director of the nonprofit International Institute for Alcohol Awareness at the Pacific Institute for Research and Evaluation, with headquarters in Maryland, which studies public health.

That gentleman, Mr. Copple, is kidding himself -- or else blowing smoke to justify his next research grant or pet vendor's product. Those kids are going to run him to death. He'll never be smarter than a million committed underage would-be drinkers. Not on his best day. Not on anybody's. They know what they want, have money to get it, and that level of high-dollar demand will cause market solutions to avail themselves. Reported the Times:

"ID's made by students tend to be much better than ID's you buy in the Village or Times Square," said a 19-year-old Columbia sophomore who has a fake driver's license and asked not to be identified for fear of the police. As for the importance of having a fake ID, she said: "All of my friends have fake ID's, everyone I know from high school and all my friends at school. It's definitely a necessity."

Over time, technology, skills, and high-tech resources have become cheap and available to anybody, in particular to many, many students. New high-tech ID card gadgetry, by the time it's identified by the govenment, researched, opened for bids, a vendor is chosen, and the technology is used in the real world, often has already been rendered antiquated upon its release by the rapid-pace growth of cutting edge technology, and lots of people know how to manipulate it. Said the Times:

THE nation's fixation with security cards and ID systems has also been a boon for manufacturers of fake ID's. The widespread use of corporate ID's has created a large pool of people who know the inner workings of the security features in the cards. In online chat rooms dedicated exclusively to the manufacture of fake ID's, unscrupulous members of this pool - including some drivers' license bureau workers, the police say - share or sell information about security features and even run a black market in the more sophisticated components of ID's.

"There are guys online who manufacture the bar codes and holograms," said the Columbia student who made fake ID's. "The hologram like on a Texas will glow. I can order that." ...

Licenses store information in two formats: magnetic stripes like those on credit cards, and two-dimensional bar codes, strips of small dots arranged to convey information in a kind of graphic Morse code. Magnetic stripes can be erased with a magnet and reprogrammed with, say, a new birth date, using basic ID-making equipment, and bar codes can be photocopied or transferred from a legitimate ID to a fake one.

None of the current drivers license re-engineering proposals in Texas will stop fake ID-makers who are able to do all that. I can't think of any that would, and if they did, the idea would probably be outdated by the time it hit the streets. The technical capabilities and physical means for making fakes have simply become too democratized and well-dispersed to think ID cards can be a source of absolute security. Texas DPS was awfully proud of that hologram, for example, bragging to the Legislature when it was implemented, just as we hear now, that it would solve the fake ID problem. Instead, the kids think it's a joke and it hasn't even come close to stopping the fakes. The Times described a Louisiana case where LSU students were manufacturing "perfect" Texas IDs:

Often when the police encounter a fake ID these days, they are more interested in getting information on who made it than in prosecuting the under-age user.

That was the case in Louisiana in late 2003, when a 19-year-old L.S.U. student named Corey James Domingue died of acute alcohol poisoning after using a fake Texas driver's license to buy four fifths of liquor from a local Winn-Dixie supermarket. By questioning Mr. Domingue's roommate and friends with similar forged ID's, Louisiana authorities were able to unravel a high-tech ring that had issued thousands of counterfeit licenses.

"These kids built their own computers from scratch," said Steven E. Spalitta, the enforcement director of the Louisiana Office of Alcohol and Tobacco Control, who handled the case. "We learned the ID's were not just perfect but they were encoded. There's almost no way you can tell it's a fake with the naked eye."

In all, five people pleaded guilty to forgery and a sixth is facing trial. Using computer records Mr. Spalitta's agency also tracked down and issued hundreds of criminal citations to students who bought fake ID's from the ring.

The worst part, I'll guarantee there were 20 more ready to take their place. They're never going to stop that. If every 19 year old who wants one can get a fake ID, then no terrorist would have any difficulty -- that much of the technophile's arguments are true. But the nexus of possibility they fear has nothing to do with how the terrorists attacked us -- they planted sleepers in the U.S. who had legitimate documentation, not crude, dorm-room fakes. It's a logical fallacy, then, to conclude that to stop the terrorists, one must prevent underage drinkers from getting fake IDs. The latter may be a desirable goal, and society may even decide it's worthy of investing substantial resources to try, however futilely, to do so. But everyone should be clear -- it has nothing to do with Al Quaeda or stopping terrorism.

High-tech government ID schemes are expensive, speculative, and, to judge from recent technological history and trends, doomed to fail at the goal of preventing their reproduction. They serve only to limit and regulate the law abiding. Anybody determined to obtain a fake ID will find a way to do so.


Adina said...

Hear, hear.

Adina said...

Hear, hear.

Gritsforbreakfast said...

All the biometric identifiers do is tell you that the individual with their iris scanned is the same person whose information is on the magnetic strip on the back of the card. Since students can already manipulate that magnetic strip information, they can add iris scan info, too, when it comes to that -- especially since government implementation of the program would take years of ramp-up time. By the time a convenience store will have an iris scanner, the technology will be well-dispersed and widely available for counterfeiters to use. Remember, an iris scan is just a piece of data, like your address or your phone number. Couterfeiters can add that onto the card, too, no problem. I don't see biometrics' advancement at all changing the fake ID scenario -- in practice, the more high tech the IDs get, the larger the scale on which they're being faked. If that seems counterintuitive, it's also empirically true.

Also, the shackle idea, while intriguing, would never pass constitutional muster because the convenience store clerk has no authority to detain you. While we have entered the world of Big Brother, for sure, we haven't gone that far, yet, I hope.

Thanks for stopping by! sh

Gritsforbreakfast said...

Texas Feller: The database you describe doesn't exist, and an effort to create it in 2003 was voted down 111-26 in the TX House. I don't see it happening any time soon.

And Dennis, I tried to post this comment on your blog but had some weird server error. Since you've included your post in the comments, I'll put it here:

It's always easy to sound certain predicting the omnipotence of new technology. When Texas DPS put the hologram on TX drivers licenses, they told the Legislature it would put a stop to ID theft once and for all. But by the time the solution was fully rolled out, any 19-year old with photoshop could mimic it. I predict the same will be true with other technologies, since what's new today is old hat tomorrow, and certainly by the time it's implemented years down the line. The argument that computers are too slow to do "X" changes constantly as computers' speed increases year after year.

The democratization of the skillset is the key factor -- with so many people knowledgeable about the details of security technology, it only takes a handful deciding to misuse the knowledge to screw the whole system.

High tech solutions empirically so far have expanded the number of fake IDs, not diminished them. When fakes were made by an art student with an exacto knife, it was on a relatively small scale. Now, the reliance on electronic gadgetry makes it as easy to produce 10,000 fakes as one. They've made IDs less secure, not more.

Gritsforbreakfast said...

Thanks, Texas feller. I understand your concerns, and if you read some of the linked Grits biometrics coverage you'll see I've been making a lot of those privacy arguments. But I also think the technology is being oversold as to its capabilities. I don't see that it's a conflict to make both arguments, and as many others as we can come up with, besides.

BTW, I met with DPS this morning (that's where I found out about the RFP), and they say that the fingerprints they've been gathering are unsearchable because it's harder to get a valid print than it might seem, and if you don't get the angle, pressure, etc., right the prints won't match. They anticipate that, if they implement new scanner technology, the print database may be functional in 12 years! Meanwhile, unless they successfully change the law, they still don't have the authority to use that data for anything but verifying your ID when you get a drivers license, not in the convenience store or in any other context.

To me, debunking overstated claims of effectiveness is part and parcel of arguing to protect privacy. But even if the technology is 100%, the privacy-tradeoff issue you'd prefer to emphasize still plays well with the new Republican majority at the Lege, in a lot of ways, better than it used to with the Democrats.

Best, sh

Gritsforbreakfast said...

Hell, Texas feller, it wouldn't bother me if you WERE arguing! When my Mom was alive she always said I'd argue with a tree stump.

I'd suggest you look at the arguments in my biometric blues series, for starters, and in other recent coverage on biometrics (search at the top left). There's more points to be made, but that's a start.

Also, check out the ACLU national page on Privacy and Technology, which contains extensive resources. Best,

Anonymous said...

you dumb asses. Implementing the iris scan and/or thumb scan won't change anything. Students, like me, will always beat the system. Us college kids have such an outrageous amount of resources at our disposal. Plus, with the thum and iris scanner, kids today already buy fake IDs that belong to different states in the union because people in their own states know the tricks with fake IDs. If a person carries a fake ID from another state, they can't be asked to take a thumb scan or an iris scan. THose are state tests, not federal. Yes states can share that information but they NEVER do. You can be an at large drug dealer and cross a state line and be okay, as long as you don't get arrested. You might even be able to get arrested if the warrent out for your arrest isn't large enough to pop up on a national screen. The point is however that the fake ID will never be beat. We are too good at it. Not to mention, many stores don't really give a shit about underage kids, they just want them to have some sort of fake identification so that the store doesn't get in trouble for selling.