Tech.gov: National IDs in Need of a Fix

Without any real Senate debate, the Real ID Act of 2005 was passed by Congress in May and promptly signed into law by President Bush. It got no debate because it was tacked onto an emergency spending bill needed for U.S. troops in the Middle East--no congressperson was going to vote against it.

Politically underhanded tactics aside, if you're not philosophically opposed to the concept of a national identity card, the law isn't a disaster. However, it leaves a few too many unanswered questions that could turn it into one.

At a minimum, regardless of how those questions are answered, you and I will have to pay more for a driver's license--which will double as the national ID--and we'll have to wait longer to get one.

Few Changes in Practice

Though some critics have decried the very existence of a national ID card in the United States, pointing out that we've opted against creating one numerous times in our history, driver's licenses and Social Security cards have functioned much as national ID cards do in other countries. You need a driver's license to board a plane, to open a bank account, to buy age-restricted goods like cigarettes and alcohol, to obtain utilities like electricity and phone service, to sign up for insurance or get a job in many cases, and even to enter certain types of buildings (mostly federal buildings, but occasionally others--heck, my dentist's office required me to show my license for a while after 9/11). None of that changes under the new law, which goes into effect in 2008.

Many people who don't drive end up getting an identity card from the DMV because they need something like a driver's license to do the things I've mentioned above. Some--but not all--places accept a passport instead of a DMV identity card.

It's possible that immigrants who legally reside in the United States will need to show both the newly required ID and a green card in order to get the benefits they're entitled to. In my opinion, this is a minor change. The law also states that the Secretary of Homeland Security may define other situations in which any person must show this card; this clause is somewhat worrisomely vague, but we'll have to wait to see what it amounts to in practice.

The more significant changes occur behind the scenes, and they affect your privacy.

Potential Privacy Leaks

The new driver's license will differ from the old one in three major ways. First, the databases that house the data--your name, address, phone number, Social Security number, and the like--will no longer be isolated in the state where you live, but rather will all be linked together. Second, the license must incorporate "machine-readable" technology that will be uniform throughout the nation. Previously, states chose their own technology without reference to national standards. Third, the DMV must check your information with several sources (including a new check on your immigration/citizenship status) prior to issuing you a license. That requirement was imposed to serve the bill's other purpose: to modify U.S. immigration standards and border security procedures in order to prevent terrorists from coming here and freely moving about the nation.

The law offers very little guidance on the privacy and security measures that states must take to safeguard this new, nationwide database of information on driving-age adults--although it does mandate physical security of the premises and background checks on employees that work with the database and issue licenses. But your information is only as secure as the weakest link in the chain. If Wisconsin opts for extremely tight measures on its systems but Connecticut doesn't, identity thieves can still target Wisconsin residents if they break into Connecticut's servers.

At a minimum, the Department of Homeland Security--which, together with the Department of Transportation and the states, has been given the task of setting up specific guidelines for some portions of the new driver's license/ID--needs to make it clear that all states must adhere to very high standards when securing our data, and it should then perform spot checks to make sure these standards are implemented correctly. This is especially important because the states are required to store (for up to 10 years) digital images of the original documents you use to prove your identity.

It's also time to put some serious limits--starting with providing users an opt-out mechanism--on how all this data can be bought and sold, since it will now be much easier for insurance companies and other marketers to get your info no matter where you live.

Alarmingly, the law makes no exceptions for people who have previously been allowed to keep their real address off their driver's licenses, such as battered women or judges in sensitive positions. I hope that between now and 2008, such individuals will regain some measure of protection.

Some people have taken the provision requiring machine-readable technology to be referring to RFID, a technology that has already stirred considerable controversy because it will be used in new passports. The law itself does not mention any specific technology, however, which means the DHS will decide the matter. I hope officials there exercise caution and intelligence in selecting the technology to use, and include strong encryption to ensure that you won't be broadcasting your vital data to all and sundry. Another important safeguard needs to be included: a short list of companies authorized to own machines that can read the information on your license/ID, along with guidelines on how long they can store your data on their end.

Otherwise, the opportunities for abuse are obvious. As my colleague, Brad Grimes, wrote several months ago in "ID, Please," over-18 clubs and bars you enter (or any places you go to buy alcohol or cigarettes) currently don't have a quick and easy way to record your address, phone number, or other information short of writing it down and manually inputting it into a PC. They just check your license and you go on your way. But if they obtain machine readers that take and store your data, you become a potential source of more income for them: They can sell your information to others or send you promotional materials themselves. Companies already have too many opportunities to get my information; I don't want casual purchases and a night on the town to add more.

The few businesses and organizations with a legitimate need to own readers also need enforceable rules governing how long they store your information and what they do with it. Places like banks already store that information under preexisting regulations (though given the recent problems with Citigroup, Bank of America, and others, those standards, too, may need revision). However, places like video rental outlets that ask for a license if you want to open an account need new rules authorizing them to store and see only the minimum data they need for business purposes--name and address. Buildings where you must show a license prior to entering don't need to store any of the information at all, with the possible exception of your name, at government offices that must keep security records.

More Money, More Time

The one sure thing in this whole proposal is that costs--both in dollars and in hours--will rise for states, as well as for you and me. States will need new equipment and new workers to handle the data and the verification process that will be required prior to issuing licenses. Taxes or tolls may rise so that states can pay for the necessary equipment and training, though those expenses should theoretically drop over time (but really, how often does a toll go down?). In "Coming Soon: National ID Cards?" Medill News Service reporter Erik Larkin quotes Cheye Calvo, transportation committee director for the National Conference of State Legislatures, as saying that the new law could cost states as much as $1 billion; Virginia alone estimates it will have to spend $237 million.

The law contains provisions authorizing the Secretary of Homeland Security to make some federal money available to states to cover part of the costs. For you and me, however, that may simply translate into higher federal taxes instead of higher state taxes. You can count on having to wait longer to get your license, too. I was grudgingly impressed the last time I went to the California DMV to get a title for my car because it took far less time than I had anticipated. I had an appointment, I saw a rep fairly quickly, and I was on my way. Similarly, renewing my license--or getting a new one when I moved here from New York--was a fairly efficient process.

No more. Fewer people will be seen each day. All of us will have to wait longer to get an appointment, spend more time at the DMV, and wait longer for the license to arrive in the mail--all because states must now check your information with various sources before issuing licenses. There will be glitches and delays when the system first comes online, of course, but even after those are ironed out, verification will add more time; there's no way around it.

How Many IDs Do We Need?

I have a driver's license, a passport, a Social Security card, multiple insurance cards (medical, dental, auto), and a key card that lets me into the building I work in. The insurance cards and my building's security card have limited functions, but I wouldn't have obtained either of them if I hadn't already had at least one of the other cards (I needed a Social Security number to get my job and to get insurance, for example). Am I going to be able to consolidate any of these cards as a result of the impending Real ID? Not likely, even though the license and the Social Security number could be combined. And since the Real ID will include a check of a resident alien's immigration status, you could argue that having a separate green card is redundant.

Of course, there are other dangers in combining multiple government systems into one, but practically, this is what the Real ID is supposed to do. So if we must have it, why not get some real benefit out of it?

Subscribe to the Security Watch Newsletter

Comments