Chairman Petri and members of the Committee, the Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about driver's license security issues.
The state driver's license has become much more than a license to drive. It is now used as a primary means of authenticating identity in a wide range of commercial and governmental transactions having nothing to do with operating a motor vehicle. In the wake of the horrific attacks of September 11, some have suggested that we should standardize the design of the state driver's license, add more features to the card and create data systems linked to the card. The new functionality of the card would create yet further reliance on it, including for access control and security screening purposes. Yet, the policy structure for issuance and use of driver's licenses has not kept pace with the increased weight already being placed upon the cards and is totally inadequate for the expansions proposed in the name of fighting terrorism.
One year after the September 11 attacks, there is no evidence that flaws in the design and security of drivers' licenses themselves facilitated the hijackers in carrying out their plans. From what we know, most of the hijackers were not using stolen, counterfeit or altered ID cards or ID cards from a foreign country. Rather, they were using legitimate state driver's licenses or non-driver ID cards obtained from DMV offices. The hijackers appear to have obtained these cards from several different states using methods that highlight basic problems in the process of issuing ID cards ranging from weak laws and procedures to the bribery of DMV employees. These problems are not ones that could be cured by introducing more biometrics in the cards themselves or by creating databases that link together state or commercial databases.
Better procedures for issuing driver's licenses are clearly needed. However, putting more features in the card and encouraging the its frequent use as an authentication device may have the undesirable effect of increasing the value of fraudulently obtained cards. To ensure that the card is not abused by private or public entities, we would still need to develop a national policy on use of the card for non-driving related purposes. At the very least, we should not increase the amount of data on the card or encourage an increased reliance on driver's licenses and state-issued ID cards without first addressing the major problems of fraud in the issuance of the cards.
We could benefit from the experience of other countries. The most recent example, the Juki Net system in Japan, illustrates the flaws in an ID card program that involves linked databases and broad, undefined uses without adequate attention to privacy and security concerns. In developing Juki Net, the Japanese government failed to address the issues of identity theft, computer security and commercial privacy. The program is so fraught with risk that municipalities have backed out of the system despite a federal mandate.
To best protect security and eliminate fraud, we must encourage the Motor Vehicles Administrators to focus their efforts on improving the foundations of the current system -- especially the process for issuing cards -- before building new and unproven capabilities.
CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values in digital technologies. One of our core goals is to enhance privacy protections for individuals in the development and use of new technology.
The current process for obtaining a driver's license is rife with fraud and corruption. While the DMVs have spent time and effort on technologies such as laminates to make counterfeiting more difficult, other forms of fraud have arisen that are of equal or greater consequence. In particular, the fraudulent obtaining of legitimate driver's licenses calls into question the utility of many of the newly suggested security features.
To date, many documented cases of fraud involve identity theft. For example, recent GAO reports on identity theft point to the growing concern of fraud within the driver's license system. While much of this concern comes from counterfeit licenses, there are a significant and growing number of cases of real licenses falsely obtained. GAO documents the increase in the fraudulent use of credit cards, social security numbers and driver's licenses. The reports point to the ease at which driver's license can be obtained with fraudulent source or
breeder documents such as forged birth certificates.
The most alarming case of illegally obtained driver's license involves the September 11 hijackings. It has been reported that at least 13 of the 19 hijackers obtained valid licenses or non-driver ID cards from Florida, New Jersey or Virginia.
While the Virginia cases -- involving weak Virginia residency requirements -- have been well documented and involved laws that were immediately changed by the Virginia legislature, many other problems in the issuance process remain across the country. In particular, multiple recent cases involve the bribing of DMV personnel point to a disturbing trend. For example, two recent cases have included elaborate schemes creating hundreds of fraudulently issued but otherwise legitimate licenses:
Other reports point to small-scale schemes:
Even in the area of commercial licensing -- where states do have a single database and follow uniform federal standards as required and the under the Commercial Motor Vehicle Safety Act of 1986 (CMVSA) -- bribery is common. For example:
Another, more disturbing case indicates that there is already a known market for personal information held by the DMV:
The bribery cases are one more piece of evidence that the current driver's license and driver's license information are not being adequately protected. Adding new features to the card, such as a smart chip, a biometric identifier and/or a uniform ID number, clearly increases the value of the card to society and in the marketplace and will increase its use. If the states do not fundamentally, if not completely, address the known problems with the system to issue cards before we add any new features, then fraud will increase even as the use of the card increases.
Last month, Japanese citizens took to the streets to protest a new government identification system, called Juki Net. In a society that Westerners sometimes assume does not care about privacy, the project touched a nerve, even prompting several local officials to declare their intent not to cooperate with the national plan. The system's promises of convenience and enhanced security were apparently insufficient to overcome worries about centralization of personal data.
This committee should examine the concerns raised about Juki Net in detail before moving forward with the current proposals for linking driver's license data.
Juki Net is based on a national database in Tokyo, intended to link a set of personal information--the 11-digit ID number already assigned to all Japanese citizens, plus name, date of birth, sex and address. The goal of the network, in the short term, is to make it easier for individuals to apply for residency cards from anywhere in the country.
But identity theft is a fast-growing crime in Japan. Opponents of Juki Net warned that creating a network that concentrates sensitive information in a single network or location creates a juicy target for identity thieves.
Furthermore, Japan, like the U.S., has no comprehensive privacy law for the commercial sector. This means that as essential information, such as the ID number, becomes more centralized and more commonly used, it can be collected, stored, sold and combined with other information with no notice, consent or access and correction rights afforded the individual.
Sharing in a growing uneasiness about the Information Age's impact on personal autonomy, Japanese protesters wore face paint in the lines of bar codes. Polls indicate that three in four Japanese citizens now oppose Juki Net despite the fact that the program was popular when first announced.
Remarkably, several major cities have backed away from involvement in the project. Yokahama, a city of 3.4 million people, has decided to let each resident choose whether to include personal information in the database. The mayor of Kokubnji held an official "disconnecting" ceremony to show the residents of his city that they would not be included in the database at all.
The state of privacy in Japan and the U.S. is strikingly similar. Identity theft has been considered by some officials to be the fastest growing crime in the U.S., and the potential threat of misuse of large amounts of information required in the creation of driver's systems is enormous. Increasing the amount of information collected and linking it together only serves to increase its attractiveness to thieves. GAO reports continue to warn that
weaknesses in federal systems remain pervasive including at the Department of Transportation, which would necessarily oversee any such project on driver's licenses. The December 2001 bribery of a New York DMV employee who sold the personal information of individuals in the DMV database, described above, suggests that thieves are already finding ways to exploit the information held at the state level.
Like Japan, the U.S. has no comprehensive private-sector law to protect individual privacy rights in the commercial sector. Marketers have increasingly relied on government issued identifiers to sell and market goods. Many companies use government identifier responsibly. However, without baseline requirements of consumer controls for their own information, some companies have recklessly used personal information including government identifiers risking the viability of social security numbers and driver's licenses as a security tool and invading the privacy of individuals.
Identity theft, computer security and consumer privacy protections are difficult issues that remain unsolved in the U.S. But policymakers must address these fundamental concerns before proceeding to link state databases together. Privacy cannot be an afterthought in the design of information systems. If privacy concerns are not addressed adequately, American projects similar to Juki Net will face the reaction from a society with a proud history of individualism and public protest.
Even if Americans do not take to the streets against a new system that is seen as overly troublesome, as have the Japanese, the marginal added convenience and untested security benefits of most of the features of the proposed distributed identity system are not worth the potential risks. Instead of building new controls, we should focus on strengthening the physical and policy infrastructure of the current driver's license system.
Building a linked database of information and adding new functionality to the cards is a risky proposition for all of the reasons listed above. Instead Congress should work to address the known problems with the current driver's license system:
Fixing the issuing process of driver's licenses is a complex and difficult undertaking, but must be the top priority. In particular: fraud and bribery are rampant in the DMVs; the basic documents used to make decisions about individuals applying for licenses and ID cards are rife with inconsistencies and fraud; and the laws in each state are not harmonized, leading to
weak states that have been targets of fraud. Work has begun in this area. The American Association of Motor Vehicle Administrators has several task groups to address various aspects of these concerns. However, Congress should study the policy implications of reforms in each area; act quickly based on the new information; and then, continue oversight to ensure that the enacted reforms are successful.
Use and storage of personal information in networked government computer systems remains a major concern while computer security continues to lag. As the use of information technology to identify individuals increases, the federal and state governments must ensure that this valuable information can be protected.
The use of the driver's license and other identifiers will only continue to increase in the commercial sector. Without privacy legislation on the use of personally identifiable information in the commercial arena, Americans cannot be assured that adequate protections exist to prohibit the misuse of important government identifiers. By privacy, we mean rules addressing when the card can be demanded, what information can be taken from it, how individuals denied access or service can resolve doubts about themselves, how the policy will treat people without cards, etc.
Before this work is done, Congress should not allow new functionality in a system that we already know is broken. Placing more reliance on the driver's license Ð such as using it as the centerpiece of an airport security
fast lane Ð serves to increase the value of illegally obtained documents at a time when there is a known marketplace for such items. Once reforms of the issuance process, security and privacy protections have been enacted, Congress should cautiously and skeptically study how a driver's license system that is not rife with fraud and misuse can function under the increased weight of any new proposals.
We thank the Chairman for the opportunity to participate in this hearing and look forward to working with the Committee to develop policies supporting democratic values and the vibrant use of new communications media.
1 Identity Theft: Prevalence and Cost Appear to be Growing GAO-02-363, March 2000 and Identity Theft: Greater Awareness and Use of Existing Data Are Needed, GAO-02-766, June 2002.
2 Associated Press,
Hijackers' bogus identification cards prompt scrutiny of state licensing rules Jefferson City News Tribune, October 9, 2001,
3 Office of the Attorney General of the State of New Jersey,
Criminal Indictments Charge 36 Persons with Trafficking in Fraudulent New Jersey Driver's Licenses and Identification Documents: Multi-Agency Investigation Targeted "Brokers" & Corrupt DMV Employees, Press Release, June 24, 2002, http://www.state.nj.us/lps/dcj/releases/2002/dmv0624.htm
4 Joe Torres,
Elaborate Fake ID Scheme Nets Nine Arrests, Leads To Changes At DMV Offices, February 26, 2002. http://abclocal.go.com/wabc/news/WABC_022602_dmvscheme.html
5 Associated Press,
BMV employee accused of bribe, Cincinnati Enquirer, March 4, 2001. http://enquirer.com/editions/2001/03/04/loc_bmv_employee_accused.html
Today's Trucking News: North Carolina governor plans reorganization of DMV, Land Line Magazine, June 27,2002, http://www.landlinemag.com/todays_news/Daily/June02/062702.htm
9 Office of the Attorney General of the State of New York,
Three Charged in DMV Bribery Scheme Former DMV Employee and Local Private Investigator Charged in 20-Count Indictment, Press Release, December 7, 2001. http://www.oag.state.ny.us/press/2001/dec/dec07d_01.html
10 Several stories about Juki Net have been published in the western press, yet the most interesting analysis has come from the Japanese newspaper the Asahi Shimbum, which publishes an online edition in English. The paper's August 30, 2002 editorial on Juki Net
Keeping Privacy Private can be found at http://www.asahi.com/english/op-ed/k2002083100216.html.
11 Critical Infrastructure Protection: Significant Challenges in Safeguarding Government and Privately Controlled Systems from Computer-Based Attacks. GAO-01-1168T September 26, 2001
12 The titles are too numerous to mention but include ongoing warnings such as: Computer Security: Weaknesses Continue to Place Critical Federal Operations and Assets at Risk. GAO-01-600T April 5, 2001 and FAA Computer Security: Recommendations to Address Continuing Weaknesses. GAO-01-171 December 6, 2000