Security experts, vendors and trade associations are sharpening the debate on the controversial 2005 Real ID Act that calls for the standardization of driver’s licenses. Critics say the law could create privacy issues and increase the risk of identity theft.
The act requires states to collect and electronically store the personal information of millions of people. The states’ databases will link toget
|  |
her in a network of systems with shared access. Although the idea was recommended by the 9/11 Commission to close loopholes in the existing system, critics say the new requirements create, in effect, a national ID management structure that will make people more vulnerable to identity theft, privacy loss, racial tracking and other civil-liberty threats.
But supporters say there are similar shared databases that prove Real ID can work.
Bruce Schneier, chief technology officer at BT Counterpane Internet Security Inc., is one of the skeptics. “Computer scientists don’t know how to keep a database of this magnitude secure,” he said in testimony May 8 to the Senate Judiciary Committee.
Another security expert, Eugene Spafford, U.S. policy committee chairman at the Association for Computing Machinery, told the committee that Real ID creates the potential for identity theft on an unprecedented scale. Spafford is also a computer science professor at Purdue University.
May 8 was the final day to submit public comments to the Homeland Security Department on the notice of proposed rulemaking for implementation of Real ID.
On the pro side, the Information Technology Association of America, an IT industry group, published a statement asserting Real ID’s advantages compared to current driver’s licenses. “Today’s system is the system that helped to bring us the terrorist attacks of Sept. 11, 2001,” said Phil Bond, ITAA president, in the statement. “We know the problem, and we have the technology to fix it.”
Another trade association, the Smart Card Alliance, focused on the shortcomings of the bar codes that the new driver’s licenses will likely use under Real ID. It recommended encrypted data on smart cards instead.
The debate also has brought heightened attention to the paths technology advocacy takes in Washington. There are complaints that industry trade groups support initiatives such as Real ID because their members stand to benefit.
“A lot of the technology input to Congress is driven by industry,” said Lillie Coney, associate director at the Electronic Privacy Information Center. “There is no formal mechanism for a pure and independent perspective on the technology.”
ITAA dismisses that argument. The group’s support of Real ID is “based upon the experience and expertise of our member companies,” said Charles Greenwald, a spokesman at ITAA.
Academics, consultants and vendors are putting forth views on whether available technology can achieve the program’s goals. Other related arguments question:
- If the cost is too high for the benefits achieved.
- If there are significant unintended consequences.
- If it is possible to protect against myriad possible failures, including lost and stolen cards, determined hackers and data thieves, bribed motor vehicle department officials, and simple errors.
Spafford is worried that as states rush to meet Real ID deadlines, they will skimp on privacy protections, such as audit trails, background checks on workers and strong access controls on data. He recommends a paper trail for the Real ID system. The potential is huge for human error, fraud and security holes, he said.
Although the core databases for Real ID are composed primarily of data already on driver’s licenses, there also are requirements for databases with digital images of documents such as birth certificates, marriage certificates, Social Security numbers and others that include far more personal information to be shared and transferred among states. That means weak links anywhere in the country will be likely targets.
Forgery target
“The costs of Real ID are so
great, and the benefits are so
small,” Schneier told
Washington Technology. “By
making the Real ID card more
valuable, it is more likely to be
forged.”
A likely influential commentary was distributed by the DHS Data Privacy and Integrity Advisory Committee, an 18-member panel sponsored by the department’s chief privacy chief containing both IT experts and privacy experts, many of them attorneys who have served as privacy officers and policy directors.
The panel called the Real ID Act one of the largest identity management programs in history and concluded that the program raises serious concerns about privacy, data security, cost, fairness and mission creep. Because those concerns have not been fully resolved, the panel declined to endorse the program.
However, the panel did point to a database system used by the American Association of Motor Vehicle Administrators as a possible model for Real ID. Since 1992, the association has been operating the Commercial Driver’s License Information System, which shares information among states on 30 million commercial drivers.
“We have had no security breaches,” said Philippe Guiot, senior vice president and chief information officer at AAMVA. “It is a private network with multiple security layers. If we had to support the same concept for 280 million people, it is doable.”
Creating a national ID
The computer machinery
association, in its published
remarks on Real ID, also
praised AAMVA’s system as
effective, and it said that if the
same system design is simply
scaled up to handle more people,
it would create a national
database and a national ID card.
Aside from the technology issues, Real ID has been controversial for other reasons. Governors worry about its cost, which is estimated at $11 billion to $23 billion. At the same time, law enforcement officials point to the potential benefit of thwarting terrorists by making it more difficult for them to obtain false identification cards. Several of the 2001 terrorist attackers had fraudulent driver’s licenses from multiple states.
To give states adequate time to address the concerns, the National Governors Association, National Council of State Legislatures and AAMVA have said the proposed 2013 completion date is too rushed and they have asked for a workable extension.
Spafford and Coney suggest five additional years are needed. “We need to treat this as a manon- the-moon project that will take a decade to complete,” Coney said.
Staff writer Alice Lipowicz can be reached at alipowicz@1105
