The Honorable Fabian Nunez
State Capitol, Room 2117
Sacramento, CA 95814
By fax: (916) 319-2146
Re: AB 25 -- EFF biometrics concerns
Dear Assemblymember Nunez:
The Electronic Frontier Foundation (EFF) is a non-profit public-interest organization based in San Francisco that seeks to protect civil liberties in a high-tech world; EFF maintains one of the most linked-to websites in the world at http://www.eff.org.
EFF is concerned about AB 25's apparent endorsement of biometrics for identification, and will oppose it unless amended. Our primary concern is that under the most recent version of AB 25, state agencies would only accept foreign-government-issued identification (ID) cards that use biometrics (in this case, digitized thumb prints that meet National Institute of Standards and Technology (NIST) standards).
EFF has significant problems with the growing use of biometrics and with any movement toward a national ID card or system. (See EFF's biometrics reference page.) By placing the weight of the state of California behind biometrics-equipped ID cards, AB 25 is doubly dangerous to privacy and civil liberties.
Discussion
Many people have looked to biometrics as a "silver bullet" for identification. The fact is, however, that very little independent, objective scientific testing of biometrics has been done. Failing to address the concrete aspects of biometric systems, without sufficient attention to their dangers, makes it likely that they will be used in a way dangerous to civil liberties.
Biometrics is an inherently individuating technology that makes it easier to violate privacy given the proliferation of databases in society. Biometrics are useful for identification and as linking identifiers for the exchange of personal information precisely because they are more-or-less immutable. This immutability means, unfortunately, that when your biometric information falls into someone else's control, you cannot simply replace it. In general, biometrics greatly raise the stakes for identity theft and fraud. If someone impersonates you using a digitized thumbprint, you would be hard-pressed to deny that it was yours.
AB 25 also raises implementation issues. While AB 25 requires digitized thumbprints, it says nothing about the authority of state agencies to capture the thumbprint information. Presumably, agencies will try to capture the data. If state agencies only accept foreign ID cards with digitized thumbprints, will the agencies have the equipment needed to process those digital images? How much will the card readers cost? How will the thumbprints be stored securely? How will access to them be controlled? How much will it cost to protect the prints? EFF strongly recommends that the Legislature review a recent federal government report that raises many questions about the use of biometrics in U.S. border control. General Accounting Office, Biometrics for Border Security (GAO-03-74, November 2002).
If we are to have such systems, it is critical to design privacy into them from the beginning, because it will be hard to retrofit privacy. As written, however, AB 25 contains no recognition of the privacy and security issues involved.
EFF is also unclear on why AB 25 requires digitized thumbprints in the first place. What problem is being solved here? The biometrics requirement appears in proposed Section 11204(c)(1), which pertains to protecting the card against fraud and counterfeiting. See also proposed Sec. 11028.5 (declaring intent of legislature to enhance security measures). But we see no reason why using biometrics would effectively protect against fraud or counterfeiting. If the card is secure against counterfeiting, what does a digitized thumbprint add? If the card technology is not secure, e.g., the card can be easily duplicated or altered, then so can the digitized thumbprint.
Most experts in the field of identity documentation recognize that the greatest problem with ID cards is the use of false or doctored "breeder documents" that are used to obtain an ID card in the first place. This is a well-known identity fraud problem within the United States. (Office of Inspector General, Dept. of Health and Human Services, Birth Certificate Fraud, Sept. 2000.) The problem is probably greater in many other countries.
EFF also questions the propriety of California's attempting to set requirements for foreign governments, which we believe to be the proper province of the federal government. We would, of course, oppose similar legislation at the federal level.
Finally, EFF is concerned that AB 25, if enacted, will set a precedent for the generic use of biometrics as ID and lead to the use of biometric ID cards for all Californians. The American Association of Motor Vehicle Administrators has been urging the standardized use of fingerprints on all state-issued driver's licenses, which we regard as an unnecessary and dangerous move toward a national biometric ID system. I have enclosed a copy of an "action alert" opposing the AAMVA proposal that EFF circulated to its members last year.
Thank you very much for considering EFF's concerns. We hope that you will remove any requirement for the use of biometrics from AB 25.
Sincerely,
Lee Tien
Senior Staff Attorney
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
(415) 436-9333 x 102
tien@eff.org
Cc: Mary Kennedy
Senate Public Safety Committee
(916) 445-4688
Enclosure: EFF Action Alert