by Bruce Schneier @ Cryptogram
Imagine that you're going on vacation to some exotic country. You get your visa, plan your trip, and take a long flight. How would you feel if, at the border, you were photographed and fingerprinted? How would you feel if your biometrics stayed in that country's computers for years? If your fingerprints could be sent back to your home country? Would you feel welcomed by that country, or would you feel like a criminal?
This week the U.S. government began doing just that to an expected 23 million visitors to the U.S. The US-VISIT program is designed to capture biometric information at our borders. Only citizens of 27 countries who don't need a visa to enter the U.S., mostly in Europe, are exempt. Currently all 115 international airports and 14 seaports are covered, and over the next three years this program will be expanded to cover at least 50 land crossings, and also to screen foreigners exiting the country. None of this comes cheaply. The program cost $380 million in 2003 and will cost at least the same in 2004. But that's just the start; the Department of Homeland Security's total cost estimate nears $10 billion.
According to the Bush administration, the measures are designed to combat terrorism. As a security expert, it's hard for me to see how. The 9/11 terrorists would not have been deterred by this system; many of them entered the country legally on valid passports and visas. We have a 5,500-mile long border with Canada, and another 2,000-mile long border with Mexico. Two-to-three-hundred thousand people enter the country illegally each year from Mexico. Two-to-three-million people enter the country legally each year and overstay their visas. Capturing the biometric information of everyone entering the country doesn't make us safer.And even if we could completely seal our borders, fingerprinting everyone still wouldn't keep terrorists out. It's not like we can identify terrorists in advance. The border guards can't say "this fingerprint is safe; it's not in our database" because there is no comprehensive fingerprint database for suspected terrorists.
More dangerous is the precedent this program sets. Today the program only affects foreign visitors with visas. The next logical step is to fingerprint all visitors to the U.S., and then everybody, including U.S. citizens.
Following this train of thought quickly leads to sinister speculation. There's no reason why the program should be restricted to entering and exiting the country; why shouldn't every airline flight be "protected?" Perhaps the program can be extended to train rides, bus rides, entering and exiting government buildings. Ultimately the government will have a biometric database of every U.S. citizen--face and fingerprints--and will be able to track their movements. Do we want to live in that kind of society?
Retaliation is another worry. Brazil is now fingerprinting Americas who visit that country, and other countries are expected to follow suit. All over the world, totalitarian governments will use the our fingerprinting regime to justify fingerprinting Americans who enter their countries. This means that your prints are going to end up on file with every tin-pot dictator from Sierra Leone to Uzbeckistan. And Tom Ridge has already pledged to share security information with other countries.
Security is a trade-off. When deciding whether to implement a security measure, we must balance the costs against the benefits. Large-scale fingerprinting is something that doesn't add much to our security against terrorism, costs an enormous amount of money that could be better spent elsewhere. Allocating the funds on compiling, sharing, and enforcing the terrorist watch list would be a far better security investment. As a security consumer, I'm getting swindled. America's security comes from our freedoms and our liberty. For over two centuries we have maintained a delicate balance between freedom and the opportunity for crime. We deliberately put laws in place that hamper police investigations, because we know we are a more secure because of them. We know that laws regulating wiretapping, search and seizure, and interrogation make us all safer, even if they make it harder to convict criminals.
The U.S. system of government has a basic unwritten rule: the government should be granted only limited power, and for limited purposes, because of the certainty that government power will be abused. We've already seen the US-PATRIOT Act powers granted to the government to combat terrorism directed against common crimes. Allowing the government to create the infrastructure to collect biometric information on everyone it can is not a power we should grant the government lightly. It's something we would have expected in former East Germany, Iraq, or the Soviet Union. In all of these countries greater government control meant less security for citizens, and the results in the U.S. will be no different. It's bad civic hygiene to build an infrastructure that can be used to facilitate a police state.