[Dave Birch] Things haven’t been going terribly well for America’s ambitious Real ID scheme. Government agencies missed the end of October deadline to complete background checks for employees and contractors who have worked for the federal government for 15 years or less and to begin issuing the new identity cards that include employees’ fingerprints as required under Homeland Security Presidential Directive 12, which President Bush issued in 2004. In all, about 1.9 million federal employees and 591,358 contractors require credentials. As of that deadline, 97 percent of federal employees and 79 percent of contractors had completed the required background checks, but federal agencies had issued only 1 percent of the new cards. Now it turns out that some of the other deadlines around driving licenses are being rolled back as well.

Many people are profoundly uncomfortable with the Real ID programme, and its important to understand what their concerns are. The central worry is, I suppose, the same as in the U.K. Creating a highly centralised big meta-database containing personal information on virtually every American will result in an extremely valuable central source of ID data that might be vulnerable to terrorists, thieves, and unscrupulous employees and others. The Real ID cards have to have a machine-readable zone (MRZ) that is standardised across all states, and this leads to other concerns about organisations scanning these and storing the data. I have a lot of sympathy with this “mission creep” worry: it’s wrong to dismiss those of us with concerns as cranks or luddities. When sensible people observe that

What’s more, the REAL ID Act does not mandate specific, robust privacy and security standards for the protection of personal information, and DHS has cited this fact in attempting to excuse its weak proposed regulations.

I don’t see why they shouldn’t expect a proper answer. Like many other privacy-sensitive people (and organisations) I would like to see ID documents (such as driver’s licences in the U.K. and U.S.) work in a better way, but this can and must be done without compromising personal privacy. As the CDT note in this article, it may be inappropriate to expect the card to be a magic bullet against identity theft and fraud if the surrounding processes are not dealt with. Consider the simple measures of verifying the authenticity of source documents, securing the physical locations where the cards are made and supplies stored to deter outsider fraud, and deterring insider fraud by strictly controlling access to card-making systems and supplies and conducting employee background checks. All of these will go a lot further in making things like driver’s licenses more secure forms of identification without posing serious risks to personal privacy. The effect of the REAL ID Act may well turn out to be quite the opposite: by encouraging trust in the card, it may well undermine other security measure: when the guard at the airport (or wherever) sees the REAL ID, they’ll wave you through. The fact that you may have bribed a DMV clerk to issue you with a REAL ID in a false identity will go undetected. That’s UNREAL ID, isn’t it?

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: