April 11, 2007

The Very Real Problem of REAL ID


Since the tragic events of September 11, 2001, a stark divide has existed in America regarding the relationship between government-provided security, the rights of individuals and the role of citizen oversight. Abetted until November 2006 by what was largely single party rule, those who have maintained an historical perspective about the magnitude of the threat embodied by militant Islam have been at the mercy of those who believe - or profess to believe - that security justifies the sacrifice of civil liberties, diminishing transparency in government, and greater government intrusion into the lives of the people.

With the opposition now in control of both houses of the legislature, oversight has begun to be restored, but as the conduct of the executive branch has been revealed, claims that power can be safely ceded to government officials in anything but the most tightly controlled, revocable, and limited fashion are being revealed to be naive at best, and willfully ignorant at worst. Civil libertarians and close observers of the Bush Administration know that there is already a laundry list of laws, policies, initiatives and plans that significantly infringe on the individual rights of Americans, and it seems that more instances are brought to light every day.

Just last month, the Federal Bureau of Investigation (FBI) admitted it exceeded the broad powers granted it in the renewal of the USA PATRIOT Act, but - despite breaking the law by doing so - tried its best to dismiss concerns over its actions by promising to do better going forward. Also in March, it was revealed that the Treasury Department's so-called "Specially Designated Nationals" (SDN) list, a 265-plus page document compiling the names of individuals and organizations suspected of terrorism and published on the agency's website, is increasingly being used to deny services to innocent men and women unfortunate enough to share one of the 6,000 names on it. Worse still, the National Counter Terrorism Center (NCTC)'s terrorist watch database has ballooned to more than 435,000 files, and while the database's administrator expresses confidence in its accuracy even he concedes that it is only a matter time or error before "horror stories" of mistaken identity begin to occur.

Obscured by all of this worrisome mishandling of personal information - but undeniably related to it - is yet one more new authoritarian law that is slowly inching its way forward, but which may not be too late to stop. Originally designated H.R. 418, the REAL ID Act of 2005 passed the House of Representatives, but lay stagnant until it was attached as a rider to one of the off-budget funding bills for the Iraq War by Congressman James Sensenbrenner. It was signed into law in 2005 without any meaningful debate, and states have three years to come into compliance with the Act, which legislates the following:
  • State drivers licenses must conform to uniform standards developed by the Department of Homeland Security (DHS) in order to be accepted for "federal purposes" such as accessing planes, trains, national parks, and court houses
  • A national database linking all state ID records together must be constructed and maintained
  • State IDs must be compatible with "common machine-readable technology" so that the government and businesses can easily read personal information off the cards.
On March 1st, the DHS released draft regulations [PDF] for implementing REAL ID, but opposition has continued to grow, perhaps fueled by the examples of ineptitude and misapplied government power described above. In addition to the concerns of civil libertarians over the obvious intrusion into individual privacy by what would be a de facto national identification card, it is the states and individual taxpayers who will be forced to bear the estimated $23 billion burden of implementing the law. (That figure is also likely to be conservative, given that the required verification systems don't yet exist.) Even some Christian fundamentalists - usually solidly behind the GOP and so-called security issues - are against it, albeit because they believe it to be the biblical mark of the beast from the Book of Revelation.

Leaving aside for the moment the implications of prophecy, the reasons behind this rising tide of defiance are several and entirely legitimate:
  1. The technology to accomplish the aims of the REAL ID Act doesn't exist, and on top of the already considerable cost of implementation, represents a financial black hole.
  2. REAL ID is an unfunded federal mandate, pushing enormous costs down to the already-cash-strapped states.
  3. The Act fails to improve national security, since identification cards do little to stop those who haven't already been identified as threats, and wrongdoers will still be able to create fake documents.
  4. It has been reported that DHS will outsource the management of the REAL ID database and infrastructure, placing the personal information of millions of Americans in the hands of a private company.
  5. Perhaps most importantly, REAL ID represents the first step on a path to ever-increasing government interference with and monitoring of its citizens. (Social Security numbers for instance, were established ostensibly to enable the government to provide benefits, but are now a prerequisite for receiving almost all government services, and are widely used by private companies as unique key fields within massive databases of personal information.)
Under the REAL ID Act, the delivery of DHS regulations means that states must now create an implementation plan by October of this year. There is still time to turn back this gross encroachment of government intrusion and authoritarianism, and now is the time to make sure that your Congressional representatives support the repeal of REAL ID. When the Attorney General of the United States stands accused of firing U.S. attorneys for failing to be loyal enough to the president, there is no starker reminder of the good reasons the Founding Fathers had for constructing the Constitution around the rights of the individual, and not the convenience of the government. Call your Congressman and your Senators!

For more on the REAL ID Act, check out these links:

  • The Electronic Frontier Foundation's (EFF) REAL ID Act page
  • The American Civil Liberties Union's (ACLU) "Real Nightmare" page
  • The Electronic Privacy Information Center's (EPIC) March 2007 Spotlight on Surveillance

  • To contact your congressional representatives:

  • United States House of Representatives
  • United States Senate

    Rachel said...

    There's a new ACLU video on the Real ID issue (http://www.youtube.com/watch?v=8XObbEwI6P4 or http://www.aclu.tv/realid/).

    The piece (about 90 seconds long) stars Bill Cattorini, a retired Chicago fireman who's been caught in a bureaucratic limbo because of a discrepancy between the birth date listed on his driver's license and the date on his social security card. That was never an issue until Illinois began trying to comply with some parts of Real ID. Now Cattorini can't drive.

    Cattorini is hardly unusual in having a quirk or discrepancy in his bureaucratic records. He represents the millions of others who will face similar problems, and worse, if Real ID goes into effect.

    We've also set up an action center (http://www.realnightmare.org/news/105/), where activists can see what's going on in their state - in states where legislation is moving, it lets activists shoot a message to their state legislators.

    a Motor Vehicle worker said...

    I agree with everything except your assertion that "the technology to accomplish the aims of the REAL ID Act doesn't exist".

    Several states already have drivers' licenses and ID cards which (with possibly one exception) meet or exceed the requirements set forth in the Minimum Standards document you linked to.

    I don't know of any state that doesn't already include requirements 1-5 (full legal name, DL/ID number, photograph, address and signature).

    As to #6, many states' licenses already have physical security features, such as laminate in which a hologram is embedded (and which can't be removed without destroying the laminate), as well as other "forensic" security features.

    The 2D barcode and/or magnetic strip, at least in some states, contains much more information than you'll find on the front of the license.

    Barcodes, magstrips and steganographic data embedded in the images can all be read by machine (not to mention the data on the front of the license can be read via OCR), thus satisfying requirement #8.

    As to requirement #9, encryption, I don't know offhand if any states already implement that, but it's fairly trivial to do so.

    The only other major technology requirement is a centralized database, but what with this "series of tubes" connecting computers, that also is certainly possible (if not necessarily trivial).

    So the technology already exists, and all of it (or nearly so) is already implemented in some states. All your other reasons, though, are perfectly valid causes for concern.

    PBI said...

    a Motor Vehicle worker said...
    I agree with everything except your assertion that "the technology to accomplish the aims of the REAL ID Act doesn't exist".

    Thanks for your comment!

    There are constituent elements of the technology that do, as you point out, exist. However, the verification elements, which are in the guts of the Act and into which I did not delve deeply in the interests of space, do not. Likewise, the database and reader technology elements are not ready for prime time. For more on the above, check out some of the links at the bottom of the post, which explore more extensively the "missing pieces."

    a Motor Vehicle worker said...

    With all respect, PBI, the verification elements do indeed exist as well. Magnetic stripe readers are widely available - you can even buy a USB magstripe reader to plug into your computer and see what data is stored on your license and credit cards.

    2D barcode readers are certainly less common, but still available; if a state's license contains a 2D barcode, you can be sure the DL offices (and many police vehicles) are equipped with readers. Again, you can buy USB barcode readers which handle 2D barcodes.

    Where steganographic data or watermarks are embedded in the images, all you need is a scanner and software to decrypt the data (which is provided by the companies which develop the steganography/watermarking components of the issuance system). This obviously isn't available over-the-counter to anyone who asks for it, but is employed (at least in my state). And even the scanner technology is portable enough to be deployed to police vehicles; you can buy USB scanners designed to scan in business cards or ID cards, which work just fine with the decryption software.

    My state uses all three of these security methods, as well as a centralized state database which already meets the REAL ID requirements (including storing scanned images of all documents presented as proof of identity when the license or ID card is issued).

    I can assure you from daily first-hand experience that the technology - not only for producing the ID cards, but for verifying their authenticity - does exist and is currently employed.

    PBI said...

    a Motor Vehicle worker said...
    With all respect, PBI, the verification elements do indeed exist as well.


    Apologies if I am being unclear. The verification elements of the bill about which I wrote are again, not the constituent elements of any new proposed ID cards; I fully grant you that everything you have desribed is true. The pieces to which I refer make up the as-yet-unbuilt technology that would underpin the processes allowing people to acquire said new ID cards in the first place, and to execute an exception process for instances of failure.

    From the EPIC link at the bottom of the post:

    The federal agency is imposing more difficult standards for acceptable identification documents. According to the DHS, the only documents that could be accepted by the states to issue these new identity cards would be: valid unexpired U.S. passport or the proposed passport card under the Western Hemisphere Travel Initiative; certified copy of a birth certificate; consular report of birth abroad; unexpired permanent resident card; unexpired employment authorization document; unexpired foreign passport with valid U.S. visa affixed; U.S. certificate of citizenship; U.S. certificate of naturalization; or REAL ID driver’s license or identification card.

    DHS is also proposing to require the states to change their procedures to verify these identification documents. The states must contact the issuing agency to verify the “issuance, validity, and completeness of each document required to be presented.” The federal agency requires that state DMV workers must physically inspect the identification document and verify the data in the document “with an authoritative or reference database."

    Perhaps we are getting hung up on the term "technology" and the various shades of its meaning. It's not that a system of communication and database management that performs what would necessarily be an automated version of the process described above COULDN'T be constructed using existing knowledge augmented with new integration and new know-how, it's that it hasn't been. For that reason - although it might be an obstacle that, as you described it earlier, isn't insurmountable - it is still vaporware at this point in time.

    A good example of a smiliar situation would be color computer monitors. Color televisions existed for years before color monitors, even though they used essentially the same CRT technology. While one of the reasons for such a lag was a lack of market demand for color screens in the years prior to highly visual interfaces like Microsoft Windows, several generations of Macs - which HAD visual interfaces at the time and were the most popular personal computers in the world - still used monochrome screens because solving the cost and technology issues to make color a viable option on personal computers hadn't yet taken place. Were color CRTs for computers new technology in the strictest sense of being COMPLETELY new to the world? No, but they were new technology in the sense that they had never been executed in the form that was required, and it is in that sense of the term "technology" that I group the verification portions of the REAL ID Act.

    In any case, if you would prefer to use the phrase "technology has never been implemented in such a manner or on such a scale" instead of "technology doesn't exist yet," I don't have any problem with that!