The Top 10 Hot Identity Topics: A Smart Card Alliance Identity Council White Paper

An in-depth report on issues affecting identity management and protection


  1. The authenticity of the documents presented to establish identity cannot be validated.

  2. The individual presenting a document cannot be tied to the document. 

Most documents simply do not have enough built-in security to be verified, and few documents can be tied to the individual presenting the document. 

In general, this problem affects most of the documents used to establish identity in the United States, with the exception of the passport and the alien registration card. These documents, which are at the top of the identity food chain, are the product of an identity proofing or adjudication process and contain a variety of security features that can be authenticated and that make them virtually tamper-proof.

However, the identity vetting process that precedes issuance of even these documents relies on much less secure documents: birth certificates, driver's licenses, Social Security cards, and foreign passports. Accepting documents that may not be genuine, or genuine documents that are not the property of the presenter, can result in the issuance of a highly secure credential to an individual other than the one identified by the breeder documents, and in a false sense of security in the identity verification process.

The United States has a breeder document problem that it is nowhere close to solving and that may never be solved. We do not have databases that can be accessed to determine whether a person actually exists. We do not, for the most part, produce birth certificates, Social Security cards, or, in some cases, driver's licenses that can be authenticated. We do not have the ability to tie most of these breeder documents to the bearer biometrically.

The Root of the Problem

The birth certificate is both the start and the heart of the problem. Over 100 million birth certificates are issued in this country each year, and in about a dozen states, they are public documents available to anyone who wants a copy. Even in states that ask for some indication of entitlement, the controls are very weak. We cannot readily verify the validity of a birth certificate, nor can we be sure that it belongs to the person presenting it. Very good false birth certificates are readily available over the Internet or (in certain geographical areas) from open document markets. These birth certificates can then be used to obtain other legitimate documents, such as driver's licenses, Social Security cards, and potentially even passports. Most issuers of legitimate documents have made little or no investment in the few available technologies that could help them detect bad breeder documents. For example, virtually no organization other than the U.S. Department of State has been willing to incorporate chip technology into documents issued to members of the public.

Possible Solutions

Solving these problems can be expensive, and the solutions could take many years to implement. Some are sure to raise sensitive issues regarding identity information. One of the more comprehensive solutions involves capturing DNA, tying it to a birth certificate, and linking other biometric information (such as facial images, fingerprints, or retinal images) to the DNA. Another option is to require that older documents be reissued and tied to a rigorous identity-proofing process before a driver’s license or passport can be obtained. These solutions may require that national standards be set for a variety of documents issued by state and local governments. Perhaps most difficult and controversial of all, such solutions could involve the creation of central databases that contain not only vital records but also biometric measures that tie the records to a specific individual. Such databases could be used to verify not only the existence of a document but also that the presenter is the true owner of the identity to which the document attests. 

A more workable interim solution may be to require new identity document applicants to go through a rigor