A number of years ago, Australia embarked on a project to digitize all birth, death, and immigration records and maintain them centrally as electronic records. The thinking was “if you are here, you were either born here or you came here, and thus there should be a record on you.” In the United States, an E-Government project known as E-Vital was initiated to digitize and make available some of the same kinds of records. However, only death records are currently (mostly) centralized and electronically stored, as a result of the Federal government paying the states to digitize death certificates. Progress on automating other vital records has been very slow. Birth, death, marriage, divorce, and other records may be both issued and maintained in multiple places. At best, such records are automated and maintained at the state level; at worst, they are not automated and are stored in counties across the country.
The Challenge with Breeder Documents
Australia is a good example to use to consider the concept of providing a secure and verifiable identity for every person in a country. Suppose that Australia decided to issue a national ID card to all of its residents. Australia certainly has the technology needed to produce a credential that could include biometrics, the issuer’s digital signature, and PKI certificates. Such a credential could properly be viewed as very secure and be tied to the holder in a way that would make it very hard to counterfeit or alter. By issuing such a credential, Australia would solve half the problem: a central database would confirm the existence and legal presence of every credential holder. The other half of the problem would remain unsolved, however: how to be certain that the person who presents a birth certificate or other “breeder” document to obtain the credential is the true owner of that document. The Australian example illustrates the obvious problem for the United States. The United States can automate a record system and put records in a central place. A central database can be queried to verify a person’s existence and permit a very secure, biometrically linked credential to be issued. However, two very important things cannot be done:
1. The authenticity of the documents presented to establish identity cannot be validated. 2. The individual presenting a document cannot be tied to the document.
Most documents simply do not have enough built-in security to be verified, and few documents can be tied to the individual presenting the document. In general, this problem is true of most of the documents used to establish identity in the United States, with the exception of the passport and the alien registration card. These documents, which are at the top of the identity food chain, are the product of an identity proofing or adjudication process and contain a variety of security features that can be authenticated and that make them virtually tamper-proof. However, the identity vetting process that precedes issuance of even these documents relies on much less secure documents: birth certificates, driver’s licenses, Social Security cards, and foreign passports. The acceptance of documents that may not be genuine or of genuine documents that are not the property of the presenter can result in the issuance of a highly secure credential to an individual other than the individual identified by the breeder documents and a false sense of security in the identity verification process. The United States has a breeder document problem that it is nowhere close to solving and that may not ever be solved. We do not have databases that can be accessed to determine whether a person actually exists. We do not, for the most part, produce birth certificates, social security cards, or, in some cases, driver’s licenses that can be authenticated. We do not have the ability to tie most of these breeder documents to the bearer biometrically.
The Root of the Problem
The birth certificate is both the start and the heart of the problem. Over 100 million birth certificates are issued in this country each year, and in about a dozen states, they are public documents available to anyone who wants a copy. Even in states that ask for some indication of entitlement the controls are very weak. We cannot readily verify the validity of a birth certificate, nor can we be sure that it belongs to the person presenting it. Very good false birth certificates are readily available over the Internet or (in certain geographical areas) from open document markets. These birth certificates can then be used to obtain other legitimate documents, such as driver’s licenses, Social Security cards, and potentially even passports. Most issuers of legitimate documents have made little or no investment in the few available technologies that could help them detect bad breeder documents. For example, virtually no organization other than the U.S. Department of State has been willing to incorporate chip technology into documents issued to members of the public.
Solving these problems can be expensive, and the solutions could take many years to implement. Some are sure to raise sensitive issues regarding identity information. One of the more comprehensive solutions involves capturing DNA, tying it to a birth certificate, and linking other biometric information (such as facial images, fingerprints, or retinal images) to the DNA. Another option is to require that older documents be reissued and tied to a rigorous identity-proofing process before a driver’s license or passport can be obtained. These solutions may require that national standards be set for a variety of documents issued by state and local governments. Perhaps most difficult and controversial of all, such solutions could involve the creation of central databases that contain not only vital records but also biometric measures that tie the records to a specific individual. Such databases could be used to verify not only the existence of a document but also that the presenter is the true owner of the identity to which the document attests. A more workable interim solution may be to require new identity document applicants to go through a rigorous proofing process that attempts to thoroughly validate the information on current breeder documents. This proofing or vetting process can be a combination of authenticating the physical breeder document, contacting the issuing authority to verify the individual’s claim to the breeder document, checking other pubic and private database sources for activity on the identity information, and cross-checking the demographic information in these databases for matches. As more data sources are checked, the probability of a valid identity is higher. See topic number 6 in this paper for a more detailed discussion of the options for identity proofing and verification.
Breeder documents are a challenge that at some point must be faced. Ignoring this challenge can only compromise the security of any identity system. Even governments with the money and the political will to start down the path to a solution now, however, will find that the path is lengthy and twisted. But there are feasible solutions, combining both procedural and technical elements, that can bolster current breeder document systems, and more radical alternatives are available for replacing or redefining certain breeder documents. All of the breeder document issues must be examined soon, so that a plan to further secure citizen identity information can be implemented