Can You See the Real Me?
[I originally wrote this essay in early March of 2007 as a reaction to the public request for comments by DHS on the implementation measures of the law. The RealID Act has been analyzed a number of times and is still in the process of being challenged, repealed, and amended by a number of groups. And we still have not seemed to learn how to safeguard identity documents. -Ed.]
The REAL ID Act of 2005 is a controversial U.S. law that establishes standards for State-issued driver’s licenses and identification cards that citizens would use for a “Federal purpose.” The DHS currently chooses to limit the definition of a “Federal purpose” to three activities: gaining access to a Federal facility, boarding federally-regulated commercial aircraft, and gaining entrance to a nuclear power plant. The Act itself was passed as part of a massive spending bill that included provisions for Tsunami Relief — a bill that would have been difficult to vote against. On March 1, 2007, the Department of Homeland Security (DHS) announced draft regulations (a Notice of Proposed Rulemaking, or NPRM) [1] meant to set standards to fulfill the Act’s requirements. The NPRM discusses the information and security features that must appear on each card, the verification process for each applicant’s claim of residence and immigration status, and the physical security of the facilities (including background checks of DMV employees) that issue REAL IDs.
The NPRM claims that REAL ID both increases security and does not substantially threaten privacy [2] because the systems and databases for carrying out the information storage and retrieval remain firmly under the control of the states. This claim has sparked a great deal of controversy, and bills are currently before both the House and Senate to repeal the Act [4]. There are at least two problems with this claim.
First, as many researchers and privacy advocates have pointed out, the Act creates a de facto national ID card, despite protestations to the contrary within the text of the NPRM. The central claim — which can only exist unchallenged in a society that misunderstands the underlying technology — asserts that since the storage of personal information is physically distributed among the States, no centralized Federal database exists.
In our networked society, the distinction between centralized and distributed is almost meaningless. The physical location of data has little to do with whether or not it can be accessed. In fact, the NPRM requires that Federal agents (or even civilian employees like those hired for airport screening) have access to the data when validating an identity. Since it seems likely that such an employee would access this data through a network computing system, whatever software they are using to do so would merely be a veil over a set of linked databases. The NPRM also requires the States to explicitly share REAL ID information. These requirements create a logical, nationwide, distributed database accessible to Federal employees at will.
Second, establishing identity does not necessarily establish intent or motive [3]. The London and Madrid bombings were carried out by home-grown terrorists. In the U.S., Timothy McVeigh, Theodore Kaczynski, the DC-area snipers of 2002, and the alleged perpetrator in the recent Holocaust Museum shooting [5] would have been able to unabashedly carry their REAL ID as they committed their crimes. Identity does not automatically predict criminal behavior, and assuming that citizenship somehow confers the inability to engage in criminal acts is a faulty judgment at best.
Driver’s Licenses
Driver’s licenses serve as a default method of establishing age or identity in U.S. society. Standardizing the information appearing on a license (which can vary because each State manages its own licenses) as well as the process of verifying this information seems to confer a benefit to at least the people who need to check this information. From this perspective, the REAL ID Act simply proposes to ensure that an inconsistent, distributed identity system contains information in a form suitable for authenticating the bearer to a Federal agency or delegate.
Since licenses routinely serve as the default method of establishing age or identity for most U.S. citizens, the Federal government has to rely on them for certain sensitive situations. But it remains unclear that REAL IDs will substantially improve homeland security. This intangible and unproven benefit does not seem to justify the increased risk that attends a single, highly-trusted identification document and a distributed, highly-accessible database of personal information.
One could see how the underlying thinking here seems rational. For example, we might think that a license conveys information about the level of an individual’s commitment, involvement, or investment in the society that granted the license. A driver’s license provides a very weak attestation of such commitment, but the underlying idea has merit: a Soccer Mom or Nascar Dad that pays taxes, is on the PTA, holds a mortgage, and coaches Little League is probably less likely to engage in the mass murder of fellow citizens.
Let’s undertake a thought experiment. Hypothesis: the government could most readily increase security by issuing tamper-resistant cards that display a number from 0 to 100 indicating the level of a person’s investment in the American Dream. Even this solution is fraught with uncertainty. How is the measure obtained in the first place? What threshold is suitable for disallowing people from boarding a flight? What if the “patriotism level” varies (e.g., it may tend to dip on April 15th)? How can these cards be protected against forgery and theft? Finally, establishing such a score arguably represents a greater government intrusion on a person’s life than the current proposed REAL ID standard. The chief lesson to learn here is that any credential system has problems, and even a credential system that tells the authorities exactly what they want to know (thus providing the greatest security benefit) is far too invasive.
Summary
I’ll close with some mildly disheartening observations. First, the estimated extra wait time per application is 44 minutes. I would expect patient terrorists to find 44 more minutes to be a reasonable sacrifice. Second, even though I know security metrics present a tough challenge, the hemming and hawing of the “Estimated Benefits” beginning on page 107 and ending on 109 of the NPRM is amusing and saddening.
With all the criticism, the NPRM does have two bright spots: it rejects the use of RFID, saying that “there is not an identifiable need for driver’s licenses and identification cards to be routinely read at a distance.” In addition, the NPRM concludes that encrypting the machine-readable 2D barcode on a REAL ID would involve a great deal of cost (in setting up and maintaining a key infrastructure) while imparting little increase in security.
The NPRM details no reward for states that aggressively protect their citizens’ privacy, nor does it detail punishment for states that lose, leak, or destroy a citizen’s information. Although the NPRM requires States to assemble a cybersecurity plan, it does not define a concrete method of review and assessment of such a plan, and it seems unlikely that the DHS would revoke a State’s ability to issue REAL IDs or summarily declare existing REAL ID licenses invalid as punitive measures.
References:
[1] NPRM Press Release:
http://www.dhs.gov/xnews/releases/pr_1172765989904.shtm
[2] REAL ID Act FAQ:
http://www.dhs.gov/xprevprot/laws/gc_1172767635686.shtm
[3] Real-ID: Costs and Benefits. Bruce Schneier.
http://www.schneier.com/essay-160.html
[4] REAL ID Repeal and Identification Security Enhancement Act of 2007
HR 1117 IH. http://thomas.loc.gov/home/gpoxmlc110/h1117_ih.xml
[5] Security Guard Dies in D.C. Holocaust Museum Shooting
http://www.cbc.ca/world/story/2009/06/10/washington-holocaust-musuem569.html