The REAL ID Boondoggle Drags On
The REAL ID boondoggle drags on. The REAL ID Act was passed in 2005 yet the Department of Homeland Security still has not issued implementing regulations. Proposed regulations were published by DHS in March of this year. Now there are rumblings that the final regulations, initially expected late summer, will be released around Christmas or even after the New Year.
Back in May we submitted extensive comments to DHS highlighting the utter lack of meaningful privacy and security standards for the protection of personal information in the proposed regulations. Now some believe that the final regulations will be even more stripped down than the proposed regulations were. This doesn't bode well for privacy or security, and underscores what CDT and many other civil liberties advocates have been saying for a long time: the REAL ID Act itself is fundamentally flawed and must be revisited by Congress.
In particular, the REAL ID Act paves the way for making centrally accessible highly sensitive personal information on virtually every American, including copies of birth certificates, Social Security Cards, passports and other personal documents. This will create an extremely valuable central source of identification data that would be vulnerable to terrorists, ID thieves, and unscrupulous DMV or other state and federal employees.
The law also requires that each card contain a machine-readable zone (MRZ) that is standardized across states. The MRZ mandate was solely intended to aid law enforcement in processing suspects with greater accuracy and efficiency. But the standardized technology, along with the absence of use limitations and an encryption requirement, will create a serious risk that government agencies and commercial entities will scan the MRZ to log a multitude of public and private transactions. This would facilitate the creation of a comprehensive digital record of citizens' travels and purchases that could be used for both government surveillance and unwanted marketing.
What's more, the REAL ID Act does not mandate specific, robust privacy and security standards for the protection of personal information, and DHS cited this fact in attempting to excuse its weak proposed regulations.
CDT has never been opposed to making state driver's licenses and ID cards more reliable assertions of identity by making the issuance process more secure - but this can and must be done without compromising personal privacy. Consider the simple measures of verifying the authenticity of source documents, establishing security standards for the cards themselves to deter tampering and counterfeiting, securing the physical locations where the cards are made and supplies stored to deter outsider fraud, and deterring insider fraud by strictly controlling access to card-making systems and supplies and conducting employee background checks. All of these will go a lot further in making driver's licenses more secure forms of identification without posing serious risks to personal privacy, as the REAL ID Act currently does.
Some in Congress appear to believe that if more money is thrown at REAL ID then its massive privacy and security holes will somehow disappear. Consider the Homeland Security Appropriations Bill for Fiscal Year 2008: the House version appropriated $50 million for REAL ID, while the Senate version appropriated no funds whatsoever following the bi-partisan defeat in July of Sen. Alexander's (R-TN) amendment to provide $300 million in funding for REAL ID. The FY2008 Homeland Security Appropriations Bill has now been attached to an omnibus appropriations bill, which is expected to be considered this week by Congress. It's not clear what the compromise will be on REAL ID - somewhere between $0 and $50 million.
CDT opposes throwing any more money at this poorly conceived driver's license "reform" program, and we recently signed a coalition letter to this effect. Congress must revisit the REAL ID Act and address the serious privacy and security threats posed by the law and exacerbated by what are sure to be weak implementing regulations by DHS. A majority of states (39) have in some way spoken out against REAL ID: 17 states have passed legislation rejecting the REAL ID program, 11 states have passed such legislation in one chamber, and 11 additional states have introduced anti-REAL ID bills in their legislatures. Congress can't let the boondoggle that is REAL ID drag on any longer. It's time Congress listened to the people.