People are complaining that the guidelines prepared by the Department of Homeland Security (DHS) will turn state-issued identification cards into de facto internal passports and question whether the estimated $23 billion cost over the next decade will make any difference to security. Both civil libertarians and security experts have called on Congress to repeal the 2005 law known as the Real ID Act that mandates the changes. These critics say that the bill increases government access to data on individuals and increases the risk of identity theft, without providing significant security benefits. An ACLU spokesman said that "Real ID creates the largest single database about U.S. people that has ever been created… This is the people who brought you long lines at the DMV marrying the people at DHS who brought us Katrina. It’s a marriage we need to break up."
DHS officials point to the 9/11 hijackers’ ability to get driver’s licenses in Virginia using false information as justification. Clearly, it would be useful to stop terrorists from obtaining fake identity documents, or as in this case obtain real identity documents using fake "feeder" documents. This is why the UK Identity & Passport Service (IPS) wants to start interviewing new passport applications. So how will Real ID stop bad guys from getting driving licences (which are, in essence, ID cards in the US) ?
Well, the proposed rules (all 162 pages of them) require:
- Applicants must present a valid passport, certified birth certificate, green card or other valid visa documents to get a license and states must check all other states’ databases to ensure the person doesn’t have a license from another state.
- States must use a card stock that glows under ultraviolet light, and check digits, hologramlike images and secret markers.
- Identity documents must expire before eight years and must include legal name, date of birth, gender, digital photo, home address and a signature. States can propose ways to let judges, police officers and victims of domestic violence keep their addresses off the cards. There are no religious exemptions for veils or scarves for photos.
- States must keep copies of all documents, such as birth certificates, Social Security cards and utility bills, for seven to 10 years.
However, many difficult questions, such as how state databases will be linked or how people without an address can get identity documents, are left unanswered.
It seems that people from states that don’t abide by the guidelines will not be able to enter federal courthouses or use their identity cards to board a commercial flight. So it’s pretty important. But as Sophia Cope from the Center for Democracy and Technology notes, "The Real ID Act does not include language that lets DHS prescribe privacy requirements, so there are no privacy regulations related to exchange of personal information between the states, none about skimming of the data on the magnetic stripe, and no limits on use of information by the feds." So much for privacy by design.
The Real ID Act, slipped into an emergency federal funding bill without hearings, originally required states to begin issuing the ID documents by May 2008. The proposed rules allow states to ask for an extension until Jan. 1, 2010, but it’s still not clear how exactly the act will be applied. Who will pay, for instance. The DHS had proposed that states use as much as 20 percent of their Homeland Security Grant Program money to cover the costs of setting up an infrastructure for Real ID and printing new licenses and cards. But the National Governors Association estimated that states could spend up to $11 billion in their share of the costs to meet the original deadline and the grant program simply isn’t enough.
The thing that’s most worrying, from a security point of view, is that the people complaining that something like Real ID may in fact make identity theft much worse look to be correct. The idea that Americans should feel comfortable about giving birth certificates and so forth to the DMV is fundamentally flawed. If the states go down this route then they will just make the DMV, in this example, the weak link in the chain. And it’s pretty weak, as this story about serious identity thieves ramming a car through the back wall of a DMV near Las Vegas and stealing computer equipment containing personal information on more than 8,900 people shows. Note also that police periodically arrest DMV employees in various states for selling fake drivers licences anyway, and for not that much money. I just don’t see Real ID as being either a pioneer or a model for a 21st-century digital ID scheme.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
[posted with ecto]