Real ID, real debate

Sides argue about whether license standardization can or should be done

"It is a private network with multiple security layers. If we had to support the same concept for 280 million people, it is doable." ? Philippe Guiot, AAMVA

Rick Steele

"Computer scientists don't know how to keep a database of this magnitude secure."? Bruce Schneier, BT Counterpane Internet Security

Rick Steele

Security experts, vendors and
trade associations are sharpening
the debate on the controversial
2005 Real ID Act that calls
for the standardization of driver's
licenses. Critics say the law
could create privacy issues and
increase the risk of identity theft.

The act requires states to collect
and electronically store the
personal information of millions
of people. The states' databases
will link together in a network
of systems with shared
access. Although the idea was
recommended by the 9/11
Commission to close loopholes
in the existing system, critics
say the new requirements create,
in effect, a national ID
management structure that will
make people more vulnerable to
identity theft, privacy loss,
racial tracking and other civil-liberty

But supporters say there are
similar shared databases that
prove Real ID can work.

Bruce Schneier, chief technology
officer at BT
Counterpane Internet Security
Inc., is one of the skeptics.
"Computer scientists don't
know how to keep a database of
this magnitude secure," he said
in testimony May 8 to the
Senate Judiciary Committee.

Another security expert,
Eugene Spafford, U.S. policy
committee chairman at the
Association for Computing
Machinery, told the committee
that Real ID creates the potential
for identity theft on an
unprecedented scale. Spafford
is also a computer science professor
at Purdue University.

May 8 was the final day to
submit public comments to the
Homeland Security Department
on the notice of proposed
rulemaking for implementation
of Real ID.

On the pro side, the
Information Technology
Association of America, an IT
industry group, published a
statement asserting Real ID's
advantages compared to current
driver's licenses. "Today's
system is the system that
helped to bring us the terrorist attacks of Sept. 11, 2001," said
Phil Bond, ITAA president, in
the statement. "We know the
problem, and we have the technology
to fix it."

Another trade association,
the Smart Card Alliance,
focused on the shortcomings of
the bar codes that the new driver's
licenses will likely use
under Real ID. It recommended
encrypted data on smart
cards instead.

The debate also has brought
heightened attention to the
paths technology advocacy
takes in Washington. There are
complaints that industry trade
groups support initiatives such
as Real ID because their members
stand to benefit.

"A lot of the technology input
to Congress is driven by industry,"
said Lillie Coney, associate
director at the Electronic
Privacy Information Center.
"There is no formal mechanism
for a pure and independent perspective
on the technology."

ITAA dismisses that argument.
The group's support of
Real ID is "based upon the experience
and expertise of our member
companies," said Charles
Greenwald, a spokesman at

Academics, consultants and
vendors are putting forth views
on whether available technology
can achieve the program's
goals. Other related arguments
  • If the cost is too high for the
    benefits achieved.
  • If there are significant unintended
  • If it is possible to protect
    against myriad possible failures,
    including lost and stolen
    cards, determined hackers
    and data thieves, bribed
    motor vehicle department
    officials, and simple errors.

Some liken the debate to the
skepticism related to electronic
voting machines, which 37
states have purchased since
2000. Lawmakers are re-examining
these machines because
they may record votes inaccurately
and lack a way to independently
audit their results.

Spafford is worried that as
states rush to meet Real ID
deadlines, they will skimp on
privacy protections, such as
audit trails, background checks
on workers and strong access
controls on data. He recommends
a paper trail for the Real
ID system. The potential is
huge for human error, fraud
and security holes, he said.

Although the core databases
for Real ID are composed primarily
of data already on driver's
licenses, there also are
requirements for databases
with digital images of documents
such as birth certificates,
marriage certificates,
Social Security numbers and
others that include far more
personal information to be
shared and transferred among
states. That means weak links
anywhere in the country will
be likely targets.

Forgery target

"The costs of Real ID are so
great, and the benefits are so
small," Schneier told
Washington Technology. "By
making the Real ID card more
valuable, it is more likely to be

A likely influential commentary
was distributed by the
DHS Data Privacy and
Integrity Advisory Committee,
an 18-member panel sponsored
by the department's chief privacy
chief containing both IT
experts and privacy experts,
many of them attorneys who
have served as privacy officers
and policy directors.

The panel called the Real ID
Act one of the largest identity
management programs in history
and concluded that the
program raises serious concerns
about privacy, data security,
cost, fairness and mission
creep. Because those concerns
have not been fully resolved, the
panel declined to endorse the

However, the panel did point
to a database system used by
the American Association of
Motor Vehicle Administrators
as a possible model for Real ID.
Since 1992, the association has
been operating the Commercial
Driver's License Information
System, which shares information
among states on 30 million
commercial drivers.

"We have had no security
breaches," said Philippe Guiot,
senior vice president and chief
information officer at AAMVA.
"It is a private network with multiple
security layers. If we had to
support the same concept for
280 million people, it is doable."

Creating a national ID

The computer machinery
association, in its published
remarks on Real ID, also
praised AAMVA's system as
effective, and it said that if the
same system design is simply
scaled up to handle more people,
it would create a national
database and a national ID card.

Aside from the technology
issues, Real ID has been controversial
for other reasons.
Governors worry about its cost,
which is estimated at $11 billion
to $23 billion. At the same
time, law enforcement officials
point to the potential benefit of
thwarting terrorists by making
it more difficult for them to
obtain false identification cards.
Several of the 2001 terrorist
attackers had fraudulent driver's
licenses from multiple

To give states adequate time
to address the concerns, the
National Governors Association,
National Council of State
Legislatures and AAMVA have
said the proposed 2013 completion
date is too rushed and they
have asked for a workable

Spafford and Coney suggest
five additional years are needed.
"We need to treat this as a manon-
the-moon project that will
take a decade to complete,"
Coney said.

Staff writer Alice Lipowicz can be reached at alipowicz@1105

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.


contracts DB