According to the indictment, Wilhite had broken into the two DMV offices and used the stolen items to make counterfeit driver’s licenses. He then sold the fake IDs to other crooks who used them to forge checks and for other illicit purposes.
“ B R E E D E R ” D O C U M E N T S
All states require applicants to provide proof of identity but the AAMVA estimates that as many as 200
forms are accepted as this proof. Some of these so-called “breeder documents” are easy to fake.
Most states distinguish between primary IDs—in which they have a high degree of confidence—and secondary IDs. Common
primary IDs
include: •
a U.S. birth certificate; •
a current license from another state; •
a valid U.S. passport; •
military identification; •
an INS-issued “green card” that confers permanent residency status; and
6 8
C H A P T E R 3
•
an
I-94 form
that indicates a visa holder’s period of stay.
Secondary ID sources
cover a wide range of documents, including: •
a Social Security card; •
a credit card with signature; •
an employer identification card; •
a foreign driver’s license; and •
a baptismal certificate or family Bible record.
Most of the secondary IDs can be faked fairly easily, so they are usually accepted only as support of at least one primary ID. That’s why ID thieves concen-trate on developing high-quality documents from the primary list.
Birth certificates
are, in most cases, the easiest of those to fake.
Birth certificate fraud
usually occurs in one of three forms: •
a counterfeit certificate is created; •
an original certificate itself is altered; or •
a duplicate certificate is obtained by an imposter.
The main security problem posed by birth certificates is that so many agencies issue them. In addition to state registrars in the U.S., there are about
7,000 local registrars issuing certified copies of
birth certificates.
6 9
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
Requests for certified copies of birth certificates are handled either in person or by mail, the latter offering more opportunity for fraud. Someone seeking a new identity can read a newspaper’s obituary section, get the name and birth date of someone of similar age and request a certified copy of that person’s birth certificate.
State and local registrars are required by law to make
birth and death records public
. This has typically meant providing access to the physical records at government offices. However, throughout the 1990s, many local government agencies started posting public records online.
This
meant the records could be obtained by anyone with an Internet connection.
Most states’ vital record offices use unique paper and markings, seals and other features to deter alteration or counterfeiting of birth certificates. But these controls have not been put in place by many of the 7,000-odd local registrars. And, as of 2003, there was no mandated standard form for certified copies of birth certificates and no mandated national standard for issuance of birth certificates. The result: A
confusing
variety of vital records
.
The U.S. Commission on Immigration Reform has recommended a series of actions to reduce fraudulent access to birth certificates, including: •
Regulating requests for birth certificates through standardized application forms; •
Using a standard design and paper stock for certified copies of birth certificates;
7 0
C H A P T E R 3
•
Making certified copies of birth certificates issued by states or state-controlled vital records offices the only forms accepted by federal agencies (not certificates issued by local registrars); •
Encouraging states to computerize birth records repositories; and •
Creating a computerized system to match interstate and intrastate birth and death records.
The August 2002 arrest of a former clerk at the Texas Department of Health illustrates why these reforms are important.
Texas law enforcement officials charged Ana Laura Vasquez—a customer service representative at the state’s Bureau of Vital Statistics—with tampering with government records, abuse of official capacity and forgery of a government instrument. They claimed that Vasquez
manipulated a state computer database
to produce at least 74 fake birth certificates that sold for as much as $6,000 each.
Investigators alleged that Vasquez was part of a criminal ring that sold certificates in Austin, Laredo, Corpus Christi and other cities in central and south Texas.
According to the charges, Vasquez used office computers to pull up authentic birth certificates and alter them.
The computers in the Department of Health’s customer service area were assigned to specific clerks
but were not protected by passwords—so all clerks
7 1
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
had access to all terminals. A video camera recorded
Vasquez moving from one clerk’s terminal to another, making her fake birth certificates in a way
that would be difficult for computer system administrators to detect.
According to the investigators, Vasquez worked with at least one
accomplice
(a man married to her cousin).
The accomplice would request birth certificates from various Departments of Health offices, giving Vasquez an excuse for generating her altered documents.
Vasquez was ultimately undone not by her own forgeries—but by someone else’s shoddy work. One of her customers was a man who assembled various fake documents so that his daughter could get a Texas driver’s license. The clerk reviewing the documents thought that the daughter’s Social Security card
looked
fake
; the clerk told the man and his daughter that their documents would have to be reviewed by a supervisor.
After the man left, the clerk tried to verify the Social Security card but couldn’t get a timely response. So, instead, she checked with the state
Bureau of Vital
Statistics
and got a response that conflicted with the rest of the daughter’s personal information. An audit of the Bureau of Vital Statistics system using the birth record number pulled up information for another woman. And the certificate number pointed back to Vasquez’s office.
After Vasquez was arrested, the Health Department said that it had increased security to assure that birth
7 2
C H A P T E R 3
certificates wouldn’t be so easy to alter. But its spokeswoman declined to provide details.
N A T I O N A L I D C A R D
The reforms suggested by groups like the Social Security Administration, the American Motor Vehicle Administrators Association and various local law enforcement agencies seem to lead to a common solution to these various ID problems: A
national identification card
, separate from a Social Security card or driver’s license.
Proponents of a national ID card—Oracle Corp. CEO
Lawrence Ellison is an outspoken one—use the 9/11
terrorist attacks to argue for standardized IDs that
would contain data ranging from complete medical
histories to shopping preferences.
The proponents argue that the national ID should be a so-called “smart card.” Smart cards are rapidly becoming popular in Europe, Latin America, Asia and Africa—regions plagued by rampant ID theft and high fraud losses. The smart card addresses this problem with an embedded computer chip, which gives it multi-use capability (it can be coded for telephone, ATM and other electronic uses) while simultaneously improving protection against identity theft and card counterfeiting. It can do this by containing encoded biometric data.
Immediately after 9/11, a Pew Research Center poll found that 70 percent of those surveyed favored such
7 3
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
a card. But this wasn’t only reaction to the terrorist attacks. Gallup Polls taken in 1983, 1993 and 1995
had also shown that a majority of Americans favored a national ID. When demographic subcategories were indicated,
immigrants favored the card
at a higher rate than native-born Americans.
Efforts to create a national ID—usually by combin-ing state driver’s licenses systems into one national database—are not new. When Congress passed the Illegal Immigration Reform and Immigrant Responsibility Act of 1996, a provision was included requiring driver’s licenses to contain a Social Security number that could be read visually or electronically. By requiring the use of the SSN, the federal government was instituting the Social Security number as a national identification number. After much outrage from civil libertarians, the SSN/National ID provision was repealed in 1999.
But 9/11 has tilted opinion more heavily in favor of some form of national ID.
Alan Dershowitz, a Harvard Law School professor and one of America’s most outspoken civil libertarians, wrote a much-quoted column in
The New York
Times
saying that
anonymity is not a freedom
guaranteed by the Constitution. He argued that fears of government intrusion could be allayed by clearly de-lineating the criteria under which a national identity card could be requested.
But the mere hint of national ID cards remains a big problem for some
civil libertarians
. For example, Edmund Mierzwinski of the U.S. Public Interest Research Group has said:
7 4
C H A P T E R 3
While we are sensitive to the critical need for federal and state governments to take action to respond and prevent future outbreaks of terrorism, we do not believe that national ID
and driver’s-license policy solutions proposed as a result of 9/11 will help stop identity theft.
Mierzwinski and his liberal organization found a strange bedfellow in Lori Waters, executive director of the conservative Eagle Forum. In September 2002
congressional testimony, Waters said: Driver’s license standardization is the national ID wolf in sheep’s clothing. No member of Congress has introduced legislation entitled, “The National ID Card Act of 2002.” The House did the right thing by including specific language in the Homeland Security Act of 2002 to ensure that nothing in the bill could be construed to authorize a national identification system or card. However, the fact is that a national ID system will more likely happen through a bureaucratic backdoor, an appropriations rider, confer-ence report language or a bill with a suppos-edly different but noble cause.
Waters claimed that the Driver’s License Moderniza-tion Act of 2002 was one such bill. It essentially would turn a driver’s license into a smart card, connecting the various aspects of anyone’s life. It required driver’s licenses to
contain a computer chip
capable of containing all the text written on the card, encoded biometric data and—in some cases—data from non-governmental sources. Most strikingly, it established the framework for a national ID: a unique identifier through biometrics and database linkage.
7 5
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
Once government and private industry databases are
interoperable through a unique identifier
, access to and uses of sensitive personal information would expand, insists Waters. Law enforcement, tax collectors and other government agencies would want access to the data. Landlords, insurers, credit agencies, mortgage brokers, direct mailers, private investigators, civil litigants and a long list of other private parties would likely require the new smart card ID—just as they have with the SSN.
Some proponents of a national ID openly admit that this broader use would follow. In AAMVA’s
Customer
Focus White Paper
on the topic, the group’s member DMV administrators are mentioned as only one of almost 20 “user communities” of a proposed national ID card. Other users include law enforcement, government agencies at the federal, state and local level, restaurants and bars, employers, insurance providers, the health care industry, airlines, building and facility security, storeowners, schools, the retail industry generally and even the gaming industry. And, the national ID would be used for
functions beyond
simply establishing identity
. For example, AAMVA suggests that many of these users would be able to gather and record demographic information to create mailing and marketing lists, purchase histories, etc., or use the ID for personal banking and securing online transactions.
The most compelling argument against the idea gets back to the basics of identity theft. What happens, under a national ID system, when your card is stolen?
Will it be any easier to remedy ID theft? Enhancing the value of these documents will only make it more
7 6
C H A P T E R 3
lucrative to sell IDs (or even whole databases of information) under the table.
What would happen if an ID card had your name on it, but someone else’s biometric identifier? If the system depends on a thumbprint, how do you reclaim your identity once the digital version of your thumbprint has been spread across the Internet? An identification system is only as “smart” as the information that establishes identity in the first place.
Standardiz-ing state driver’s licenses
, suggest ID theft experts, would cement false identities onto national ID cards.
Most ID theft experts worry that smart crooks are
just as crafty as smart cards. There are always ways
to beat the system.
One German magazine tested several different types of biometrics, including facial recognition, fingerprint devices and iris scans, and was able to circumvent all of them. The fingerprint scanner was outsmarted by some adhesive film (similar to scotch tape) and resin; the iris scan was fooled by a photo image of one person’s iris held in front of another’s person’s eye.