Mixed signs

Two years after enactment of the Real ID Act to create national driver's license standards, the long ride toward implementation has been slow and bumpy, and the road ahead still has some potholes to dodge.

Recent developments suggest that deployment of the controversial Real ID national identification program still faces significant obstacles related to its $11 billion cost and its privacy and security risks.

Legislatures in 17 states have taken action opposing the act, according to the American Civil Liberties Union. What's more, the Senate recently took a stand against funding it. An amendment submitted by Sen. Lamar Alexander (R-Tenn.) to provide $300 million toward Real ID implementation costs failed July 26.

Real ID "is a massive, unfunded federal mandate on the states," Alexander said July 15 on the Senate floor. "I believe Congress has the responsibility to find the money to pay for this or repeal it."

The $300 million would have covered a small fraction of the estimated $11 billion price tag of Real ID over five years. So far, Congress has allocated $40 million.
Congress passed the Real ID Act of 2005 with little public debate. The goal was to strengthen national security by preventing terrorists from taking advantage of lax procedures and systems to get driver's licenses. Several of the attackers on Sept. 11, 2001, had obtained valid driver's licenses using fraudulent means.

The Bush administration and the 9/11 Commission have promoted the Real ID system as an important tool for homeland security, but a significant number of computer security experts say its design is flawed and insecure. And privacy advocates such as the ACLU have raised strong concerns about an increased risk of privacy loss, identity theft, racial tracking and Big Brother monitoring of citizens.

Congress included no mandatory protections for privacy in the Real ID Act, said Leslie Harris, executive director of the Center for Democracy and Technology, a nonprofit advocacy group. As currently conceived, the system does not respect basic privacy principles because it collects too much data, is susceptible to mission creep and has too much centralized information, she said.

"The Real ID Act fails every single privacy principle," Harris said. "I support hardening driver's licenses, but we have to do it right. Privacy cannot be an add-on after the fact."

In its notice of proposed rulemaking for Real ID earlier this year, the Homeland Security Department left the design of privacy protections up to the states. The final rule is expected within weeks.

Hybrid model

One of the major tests for Real ID in the months ahead could be Washington state's deployment of a hybrid ID card that combines in a single card what is expected to be a Real ID-compliant driver's license with the border-crossing card specified under DHS' Western Hemisphere Travel Initiative (WHTI).

DHS is co-sponsoring the demonstration project, which was announced in March, and encouraging other states to experiment with such dual-use ID cards.

Washington's proposed Real ID/border-crossing card could encounter resistance, although officials are hoping to minimize objections by making it voluntary for now. Gov. Chris Gregoire and DHS officials stress that the new card will serve as an alternative to a passport with added convenience and a lower cost of $40, compared to $97 for a passport.

"This pilot project is a way to boost security at our border without hampering trade and tourism," Gregoire said. "Our effort to keep our border crossing moving is particularly important with the upcoming 2009 World Police and Fire Fighter Games and the 2010 Winter Olympics and Paralympics in British Columbia."

The governor's office continues to focus on the WHTI aspects of the card rather than on Real ID. "To date, we do not know what the requirements of the Real ID Act will be," said Becky Loomis, assistant director of state and federal initiatives at the state Licensing Department. WHTI information on the card will not be shared with other states, she added.

But it remains to be seen how Washington residents will respond to the anticipated Real ID features of the card or to its use of controversial radio frequency identification technology. It is likely to be the first driver's license in the country with an embedded RFID chip readable at 20 feet.

There was a strong outcry against Real ID in April when state lawmakers called it an unfunded federal mandate. That led Washington state's legislature to vote to prohibit spending any state funds to implement the Real ID Act.

But most of those objections were related to concerns about paying for Real ID, and they could dwindle if more federal money flows in.

It also remains to be seen whether the people of Washington will object to the new card because of privacy and identity theft concerns or decide that the convenience and low cost of the new card outweigh its vulnerabilities.

National experts such as Neville Pattison, vice president of government affairs and standards at Gemalto North America and a member of DHS' Data Integrity and Privacy Committee, say predicting how public opinion will ultimately swing is difficult.

"We don't see any progression yet in Washington state," he said.

Risky business

Privacy risks might be heightened in Washington because the card design includes an RFID tag to conform with other border-crossing cards such as DHS' anticipated People Access Security Service card. The PASS card will use a Generation 2 RFID tag that can be read at 20 feet. The PASS card and the hybrid ID card in Washington are among the first human-identification programs in the world to use such long-distance RFID technology.

The technology is controversial because it was created for warehouse tracking of goods for sale. This type of RFID tag contains no encryption and can be scanned easily by readers at long distances, thus raising privacy and human-tracking concerns.

DHS has responded to those concerns by stating that its PASS card will contain only a reference number. That number, when read at U.S. borders, will link to a secure DHS database with personal information and a photograph to facilitate identification.

However, the same system design failed when applied in a recent test of I-94 documents in the U.S. Visitor and Immigrant Status Indicator Technology program. The I-94 documents contained embedded long-distance RFID tags, which were to be scanned by readers as the holders of the documents crossed the borders.
But testing showed such a low level of accuracy that the RFID system was scrapped, DHS Secretary Michael Chertoff said.

"The RFID test proved, as [the Government Accountability Office] indicated, unsuccessful," Chertoff told the House Homeland Security Committee earlier this year. "We're abandoning it."

Observers have speculated that placement of the readers resulted in multiple reads for a single I-94 document.

Furthermore, representatives of the smart-card industry are raising questions about the cloning of Gen2 RFID tags, which could compromise an otherwise secure
border-crossing card. The Smart Card Alliance demonstrated July 18 that a Gen2 RFID tag can easily be copied so multiple cards contain the same reference number.

"A smart card cannot be cloned or copied," Pattison said. "It has 20 years' worth of security features on it."

Staff writer Alice Lipowicz can be reached at alipowicz@1105govinfo.com.