Monday, May 08, 2006

"Real ID" Resistance

NH is having congressional battles over enactment of the Real ID system. NH is supposedly being offered funding for a trial state for this very bad idea.
Real ID grew out of recommendations by the Sept. 11 Commission, which studied the terrorist attacks and how to prevent a recurrence. It requires that by 2008, states verify birth certificates, Social Security numbers, passports and immigration status when people get driver's licenses.

Licenses will have to be machine-readable and state databases with driver information and photographs will be linked in what opponents fear will become a national identity database.

Critics say that undercuts personal privacy and violates New Hampshire's "Live Free or Die" ethos. Gov. John Lynch, who said he would sign the ban if it passed, argues Real ID would be costly for the state.

Those who favored a rejection of the program argued it was seriously flawed.

"If we get drawn into Real ID, tens of thousands of New Hampshire citizens are going to be denied their right to get licenses because of the bureaucratic nightmare that will descend," said Sen. Peter Burling, D-Cornish.

Our federal representatives seem to think it's a good idea, but the facts by real security analysts show that the system will just open people to the effects of abuses of the database and will hand you a card that can be abused by anyone stealing it.

Here's an article by Schneier from a year ago that clearly lines out the risks that far outweigh any alleged benefits.
Aside from those generalities, there are specifics about REAL ID that make for bad security.

The REAL ID Act requires driver's licenses to include a "common machine-readable technology." This will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom. It actually doesn't matter how well the states and federal government protect the data on driver's licenses, as there will be parallel commercial databases with the same information.

Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver's licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).

REAL ID requires that driver's licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police -- even undercover police officers. This seems like a major unnecessary security risk.

REAL ID also prohibits states from issuing driver's licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses -- which isn't going to help anyone's security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)

REAL ID is expensive. It's an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I've seen estimates that the cost to the states of complying with REAL ID will be $120 million. That's $120 million that can't be spent on actual security.

And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver's licenses, the security measures recommended by the 9/11 Commission Report. That's already done. It's already law.

REAL ID goes way beyond that. It's a huge power-grab by the federal government over the states' systems for issuing driver's licenses.

REAL ID doesn't go into effect until three years after it becomes law, but I expect things to be much worse by then. One of my fears is that this new uniform driver's license will bring a new level of "show me your papers" checks by the government. Already you can't fly without an ID, even though no one has ever explained how that ID check makes airplane terrorism any harder. I have previously written about Secure Flight, another lousy security system that tries to match airline passengers against terrorist watch lists. I've already heard rumblings about requiring states to check identities against "government databases" before issuing driver's licenses. I'm sure Secure Flight will be used for cruise ships, trains, and possibly even subways. Combine REAL ID with Secure Flight and you have an unprecedented system for broad surveillance of the population.

If the implementation of READ ID could show how they were going to address these concerns, I'd be less resistant to the implementation. But this analysis, by one of the top security analysts, makes me believe that risks outweigh any benefits.

No comments: