I had the opportunity to speak at the Bahrain International e-Government Forum this year—an annual conference which promotes the development of e-government in Bahrain. As part of the event, numerous Bahrain government agencies participated in an expo where they showcased their latest e-government services. One of the most impressive aspects of e-government in Bahrain is its successful deployment of electronic IDs.
I’ve written quite a bit about electronic ID systems in other countries, the benefits that they provide, and how the United States can more aggressively pursue this goal. The ability to securely identify users is a prerequisite to many e-government and e-commerce services, and the lack of a common identity platform raises costs for both the public and private sectors who must establish their own one-off systems for identification and authentication. Given how much the United States has been lagging on this technology, it was a real pleasure to have the opportunity to visit a country that has implemented an advanced electronic ID system.
The smart card IDs in Bahrain replaced a paper-based ID card system developed in the 1980s. Cards are valid for five years, and they are available to all citizens and residents. Each card contains a variety of information about the cardholder. Information that does not change often, such as an individual’s name, place and date of birth, and blood type, is printed on the card. Every cardholder also has a unique card ID number that is stored and printed on the card. Other information that might change, such as an individual’s occupation and employer, are stored electronically on the card and can be updated. The card also stores biometric information such as the ID card holder’s fingerprint, signature, and photograph. The cards allow both contact (i.e. using a card reader) and contactless transactions (i.e. using RFID). The contactless chip is designed to allow payments, such as for parking and tolls.
Although the card has only been available for a few years, there are already a number of services and applications that citizens and residents can use with it. In addition to being used as an identity card for both online and offline transactions, it also serves as a driver’s license, travel document, and a limited electronic medical record. For example, citizens and residents can use the biometric features on the card to enter the country using “e-gates” which use a fingerprint reader to match the fingerprints stored on the card and verify the identity of an individual at an immigration control point. Citizens and residents can also use the payment application to pay for government services, such as their monthly water or electricity bills. And the police are using the ID card to more efficiently track and record traffic violations. These are just a few of the applications I saw on display. Other countries with widespread deployment of electronic IDs, such as Estonia, have deployed additional advanced applications, such as allowing individuals to sign documents electronically and even vote securely online.
Unfortunately, the goal of widespread deployment of electronic IDs in the United States still remains a long way off. To its credit, the U.S. government created the National Strategy for Trusted Identities in Cyberspace (NSTIC) calling for a private sector –led effort to develop an online identity ecosystem. Since then NIST has funded some pilot project to pursue this objective and recently announced a new set of funding opportunities for 2013.
But many citizens are inherently distrustful of government-led identity efforts, and this distrust has resulted in opposition to almost any effort to coordinate and modernize ID cards, digital or otherwise, in the United States (the most notable example being SECURE ID). This is unfortunate since developing a stronger identity ecosystem can actually help improve privacy. Citizens can use their secure credentials to prove aspects of their identity rather than their entire identity (e.g., individuals can provide a credential that says they are over the age of 21 rather than providing a credential that says their exact date of birth).
As a result, we find ourselves completing online transactions year after year with more or less the same level of security that has been available to us for the past decade. For example, the IRS requires very little in the way of verification for individuals to electronically file their tax returns. As a result, criminals often target the IRS for fraud. Using stolen social security numbers and other information, criminals can apply for refunds for legitimate taxpayers. Victims of this form of identity theft must wait months to receive their tax refund. The Treasury Inspector General for Tax Administration estimated that in 2011 there were approximately 1.5 million potentially fraudulent transactions that the IRS failed to prevent totaling more than $5.2 billion. (I’d point out that Bahrain has no income tax fraud, but that’s only because it doesn’t have personal income taxes.)
The Department of Commerce has requested $24.5 million to continue to develop NSTIC as part of its 2014 budget, an increase of $8 million over its 2013 funding level. Unfortunately this is not nearly enough to deploy the kind of large-scale identity ecosystem envisioned in the National Strategy.
Realistically, there is little hope of seeing a large investment in this technology in the current budget environment, although at least some cybersecurity legislation, such as the SECURE IT Act, requires NIST to continue to focus R&D on identity management solutions. But given the huge cost to individuals and the government in tax fraud alone, doesn’t it make sense to invest more in creating a modern electronic ID system?