Many people are profoundly uncomfortable with the Real ID programme, and its important to understand what their concerns are. The central worry is, I suppose, the same as in the U.K. Creating a highly centralised big meta-database containing personal information on virtually every American will result in an extremely valuable central source of ID data that might be vulnerable to terrorists, thieves, and unscrupulous employees and others. The Real ID cards have to have a machine-readable zone (MRZ) that is standardised across all states, and this leads to other concerns about organisations scanning these and storing the data. I have a lot of sympathy with this “mission creep” worry: it’s wrong to dismiss those of us with concerns as cranks or luddities. When sensible people observe that
What’s more, the REAL ID Act does not mandate specific, robust privacy and security standards for the protection of personal information, and DHS has cited this fact in attempting to excuse its weak proposed regulations.
I don’t see why they shouldn’t expect a proper answer. Like many other privacy-sensitive people (and organisations) I would like to see ID documents (such as driver’s licences in the U.K. and U.S.) work in a better way, but this can and must be done without compromising personal privacy. As the CDT note in this article, it may be inappropriate to expect the card to be a magic bullet against identity theft and fraud if the surrounding processes are not dealt with. Consider the simple measures of verifying the authenticity of source documents, securing the physical locations where the cards are made and supplies stored to deter outsider fraud, and deterring insider fraud by strictly controlling access to card-making systems and supplies and conducting employee background checks. All of these will go a lot further in making things like driver’s licenses more secure forms of identification without posing serious risks to personal privacy. The effect of the REAL ID Act may well turn out to be quite the opposite: by encouraging trust in the card, it may well undermine other security measure: when the guard at the airport (or wherever) sees the REAL ID, they’ll wave you through. The fact that you may have bribed a DMV clerk to issue you with a REAL ID in a false identity will go undetected. That’s UNREAL ID, isn’t it?
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]