[Infowarrior] - Real ID, real debate

[Richard Forno]

Washington Technology home > 05/28/07 issue
05/28/07; Vol. 22 No. 09

Real ID, real debate
Sides argue about whether license standardization can or should be done

By Alice Lipowicz

http://www.washingtontechnology.com/print/22_09/30734-1.html

Security experts, vendors and trade associations are sharpening the debate
on the controversial 2005 Real ID Act that calls for the standardization of
driver¹s licenses. Critics say the law could create privacy issues and
increase the risk of identity theft.

The act requires states to collect and electronically store the personal
information of millions of people. The states¹ databases will link toget
her in a network of systems with shared access. Although the idea was
recommended by the 9/11 Commission to close loopholes in the existing
system, critics say the new requirements create, in effect, a national ID
management structure that will make people more vulnerable to identity
theft, privacy loss, racial tracking and other civil-liberty threats.

But supporters say there are similar shared databases that prove Real ID can
work.

Bruce Schneier, chief technology officer at BT Counterpane Internet Security
Inc., is one of the skeptics. ³Computer scientists don¹t know how to keep a
database of this magnitude secure,² he said in testimony May 8 to the Senate
Judiciary Committee.

Another security expert, Eugene Spafford, U.S. policy committee chairman at
the Association for Computing Machinery, told the committee that Real ID
creates the potential for identity theft on an unprecedented scale. Spafford
is also a computer science professor at Purdue University.

May 8 was the final day to submit public comments to the Homeland Security
Department on the notice of proposed rulemaking for implementation of Real
ID.

On the pro side, the Information Technology Association of America, an IT
industry group, published a statement asserting Real ID¹s advantages
compared to current driver¹s licenses. ³Today¹s system is the system that
helped to bring us the terrorist attacks of Sept. 11, 2001,² said Phil Bond,
ITAA president, in the statement. ³We know the problem, and we have the
technology to fix it.²

Another trade association, the Smart Card Alliance, focused on the
shortcomings of the bar codes that the new driver¹s licenses will likely use
under Real ID. It recommended encrypted data on smart cards instead.

The debate also has brought heightened attention to the paths technology
advocacy takes in Washington. There are complaints that industry trade
groups support initiatives such as Real ID because their members stand to
benefit.

³A lot of the technology input to Congress is driven by industry,² said
Lillie Coney, associate director at the Electronic Privacy Information
Center. ³There is no formal mechanism for a pure and independent perspective
on the technology.²

ITAA dismisses that argument. The group¹s support of Real ID is ³based upon
the experience and expertise of our member companies,² said Charles
Greenwald, a spokesman at ITAA.

Academics, consultants and vendors are putting forth views on whether
available technology can achieve the program¹s goals. Other related
arguments question:

    * If the cost is too high for the benefits achieved.
    * If there are significant unintended consequences.
    * If it is possible to protect against myriad possible failures,
including lost and stolen cards, determined hackers and data thieves, bribed
motor vehicle department officials, and simple errors.

Some liken the debate to the skepticism related to electronic voting
machines, which 37 states have purchased since 2000. Lawmakers are
re-examining these machines because they may record votes inaccurately and
lack a way to independently audit their results.

Spafford is worried that as states rush to meet Real ID deadlines, they will
skimp on privacy protections, such as audit trails, background checks on
workers and strong access controls on data. He recommends a paper trail for
the Real ID system. The potential is huge for human error, fraud and
security holes, he said.

Although the core databases for Real ID are composed primarily of data
already on driver¹s licenses, there also are requirements for databases with
digital images of documents such as birth certificates, marriage
certificates, Social Security numbers and others that include far more
personal information to be shared and transferred among states. That means
weak links anywhere in the country will be likely targets.

Forgery target
³The costs of Real ID are so great, and the benefits are so small,² Schneier
told Washington Technology. ³By making the Real ID card more valuable, it is
more likely to be forged.²

A likely influential commentary was distributed by the DHS Data Privacy and
Integrity Advisory Committee, an 18-member panel sponsored by the
department¹s chief privacy chief containing both IT experts and privacy
experts, many of them attorneys who have served as privacy officers and
policy directors.

The panel called the Real ID Act one of the largest identity management
programs in history and concluded that the program raises serious concerns
about privacy, data security, cost, fairness and mission creep. Because
those concerns have not been fully resolved, the panel declined to endorse
the program.

However, the panel did point to a database system used by the American
Association of Motor Vehicle Administrators as a possible model for Real ID.
Since 1992, the association has been operating the Commercial Driver¹s
License Information System, which shares information among states on 30
million commercial drivers.

³We have had no security breaches,² said Philippe Guiot, senior vice
president and chief information officer at AAMVA. ³It is a private network
with multiple security layers. If we had to support the same concept for 280
million people, it is doable.²

Creating a national ID
The computer machinery association, in its published remarks on Real ID,
also praised AAMVA¹s system as effective, and it said that if the same
system design is simply scaled up to handle more people, it would create a
national database and a national ID card.

Aside from the technology issues, Real ID has been controversial for other
reasons. Governors worry about its cost, which is estimated at $11 billion
to $23 billion. At the same time, law enforcement officials point to the
potential benefit of thwarting terrorists by making it more difficult for
them to obtain false identification cards. Several of the 2001 terrorist
attackers had fraudulent driver¹s licenses from multiple states.

To give states adequate time to address the concerns, the National Governors
Association, National Council of State Legislatures and AAMVA have said the
proposed 2013 completion date is too rushed and they have asked for a
workable extension.

Spafford and Coney suggest five additional years are needed. ³We need to
treat this as a manon- the-moon project that will take a decade to
complete,² Coney said.

Staff writer Alice Lipowicz can be reached at alipowicz at 1105