Real ID, real debate

Security experts, vendors andtrade associations are sharpeningthe debate on the controversial2005 Real ID Act that callsfor the standardization of driver'slicenses. Critics say the lawcould create privacy issues andincrease the risk of identity theft.The act requires states to collectand electronically store thepersonal information of millionsof people. The states' databaseswill link together in a networkof systems with sharedaccess. Although the idea wasrecommended by the 9/11Commission to close loopholesin the existing system, criticssay the new requirements create,in effect, a national IDmanagement structure that willmake people more vulnerable toidentity theft, privacy loss,racial tracking and other civil-libertythreats.But supporters say there aresimilar shared databases thatprove Real ID can work.Bruce Schneier, chief technologyofficer at BTCounterpane Internet SecurityInc., is one of the skeptics."Computer scientists don'tknow how to keep a database ofthis magnitude secure," he saidin testimony May 8 to theSenate Judiciary Committee.Another security expert,Eugene Spafford, U.S. policycommittee chairman at theAssociation for ComputingMachinery, told the committeethat Real ID creates the potentialfor identity theft on anunprecedented scale. Spaffordis also a computer science professorat Purdue University.May 8 was the final day tosubmit public comments to theHomeland Security Departmenton the notice of proposedrulemaking for implementationof Real ID.On the pro side, theInformation TechnologyAssociation of America, an ITindustry group, published astatement asserting Real ID'sadvantages compared to currentdriver's licenses. "Today'ssystem is the system thathelped to bring us the terrorist attacks of Sept. 11, 2001," saidPhil Bond, ITAA president, inthe statement. "We know theproblem, and we have the technologyto fix it."Another trade association,the Smart Card Alliance,focused on the shortcomings ofthe bar codes that the new driver'slicenses will likely useunder Real ID. It recommendedencrypted data on smartcards instead.The debate also has broughtheightened attention to thepaths technology advocacytakes in Washington. There arecomplaints that industry tradegroups support initiatives suchas Real ID because their membersstand to benefit."A lot of the technology inputto Congress is driven by industry,"said Lillie Coney, associatedirector at the ElectronicPrivacy Information Center."There is no formal mechanismfor a pure and independent perspectiveon the technology."ITAA dismisses that argument.The group's support ofReal ID is "based upon the experienceand expertise of our membercompanies," said CharlesGreenwald, a spokesman atITAA.Academics, consultants andvendors are putting forth viewson whether available technologycan achieve the program'sgoals. Other related argumentsquestion:Some liken the debate to theskepticism related to electronicvoting machines, which 37states have purchased since2000. Lawmakers are re-examiningthese machines becausethey may record votes inaccuratelyand lack a way to independentlyaudit their results.Spafford is worried that asstates rush to meet Real IDdeadlines, they will skimp onprivacy protections, such asaudit trails, background checkson workers and strong accesscontrols on data. He recommendsa paper trail for the RealID system. The potential ishuge for human error, fraudand security holes, he said.Although the core databasesfor Real ID are composed primarilyof data already on driver'slicenses, there also arerequirements for databaseswith digital images of documentssuch as birth certificates,marriage certificates,Social Security numbers andothers that include far morepersonal information to beshared and transferred amongstates. That means weak linksanywhere in the country willbe likely targets."The costs of Real ID are sogreat, and the benefits are sosmall," Schneier toldWashington Technology. "Bymaking the Real ID card morevaluable, it is more likely to beforged."A likely influential commentarywas distributed by theDHS Data Privacy andIntegrity Advisory Committee,an 18-member panel sponsoredby the department's chief privacychief containing both ITexperts and privacy experts,many of them attorneys whohave served as privacy officersand policy directors.The panel called the Real IDAct one of the largest identitymanagement programs in historyand concluded that theprogram raises serious concernsabout privacy, data security,cost, fairness and missioncreep. Because those concernshave not been fully resolved, thepanel declined to endorse theprogram.However, the panel did pointto a database system used bythe American Association ofMotor Vehicle Administratorsas a possible model for Real ID.Since 1992, the association hasbeen operating the CommercialDriver's License InformationSystem, which shares informationamong states on 30 millioncommercial drivers."We have had no securitybreaches," said Philippe Guiot,senior vice president and chiefinformation officer at AAMVA."It is a private network with multiplesecurity layers. If we had tosupport the same concept for280 million people, it is doable."The computer machineryassociation, in its publishedremarks on Real ID, alsopraised AAMVA's system aseffective, and it said that if thesame system design is simplyscaled up to handle more people,it would create a nationaldatabase and a national ID card.Aside from the technologyissues, Real ID has been controversialfor other reasons.Governors worry about its cost,which is estimated at $11 billionto $23 billion. At the sametime, law enforcement officialspoint to the potential benefit ofthwarting terrorists by makingit more difficult for them toobtain false identification cards.Several of the 2001 terroristattackers had fraudulent driver'slicenses from multiplestates.To give states adequate timeto address the concerns, theNational Governors Association,National Council of StateLegislatures and AAMVA havesaid the proposed 2013 completiondate is too rushed and theyhave asked for a workableextension.Spafford and Coney suggestfive additional years are needed."We need to treat this as a manon-the-moon project that willtake a decade to complete,"Coney said.