Security Holes at DMVs Feed ID Theft, Offer Lessons for National ID Card Debate
CDT POLICY POST Volume 10, Number 3, February 3, 2004
A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) Security Holes at DMVs Feed ID Theft, Offer Lessons for National ID Card Debate
(2) Driver's License Facing Wider Uses, including Online Authentication
(3) Lax Security and Insider Abuse at the Local Level Pose National Challenges
(1) Security Holes at DMVs Feed ID Theft, Offer Lessons for National ID Card Debate
CDT has released a report pointing to security problems nationwide in the issuance of driver's licenses, at a time when the card is being increasingly looked to as a general form of identification. Culling news reports in the last year alone, the report found two dozen cases in 15 states where bribery or lax security at Department of Motor Vehicle (DMV) offices had resulted in fraudulent issuance of thousands of driver's licenses. The survey offers a warning to those who think that adding more biometric information to driver's licenses will make them reliable as a de facto national ID card.
Based on the findings of the survey, CDT recommends:
- An "Accountability Index" – Congress should direct the General Accounting Office (GAO) to develop a fraud and security index for state DMV offices, ranking the states on both internal and external security, and measuring performance over time.
- Federal penalties for DMV corruption – Congress should adopt legislation to clearly make it a federal crime for a state DMV employee to accept a bribe to issue a driver's license. Federal jurisdiction is justified because the crime affects security nationwide. A federal statute would allow a federal law enforcement response where states fail to act.
- Pilot Programs for Security – Congress should offer pilot grants for new technologies, programs and training aimed specifically at rooting out fraud and improving physical security at state motor vehicle offices.
Even with these measures, CDT recommends against reliance on any system that links state driver's license data for ID purposes unrelated to highway safety. Instead, security measures should rely on the concept of multiple forms of identification for different purposes. It is a well-known, but often forgotten, principle of security that broad reliance on a single form of identification creates a single point of failure. The security breaches that CDT's report catalogues in DMV offices across the country are a reflection of the incentives for fraud already being generated by overburdening the driver's license as a general purpose ID card.
CDT's report, "Unlicensed Fraud: How bribery and lax security at state motor vehicle offices nationwide lead to identity theft and illegal driver's licenses," is at http://www.cdt.org/privacy/20040200dmv.pdf.
2) Driver's License Facing Wider Uses, including Online Authentication
The state-issued driver's license is playing an important role in an increasing range of areas:
- Highway safety – Public safety depends on the ability of authorities to properly issue and revoke driver's licenses.
- Identity fraud and theft – As merchants use the driver's license as an identifier, the licenses have become a tool frequently used to perpetrate identity fraud. Identity theft is regularly cited as the fastest growing crime in America.
- Homeland security – Since September 11, 2001, heightened attention has been given to the driver's license issuance system in the United States. Several of the 9/11 hijackers had driver's licenses illegally obtained through state motor vehicle offices. The hijackers' use of these as their ID cards at the airports illustrated all too well that the driver's license has become more than just a license to drive.
- Online authentication – Proposals to create "smart" driver's licenses that could be used with a card reader on a computer for online authentication have far-reaching implications, which drew CDT into this area in the first place. Individuals and e-commerce sites cannot use traditional face-to-face techniques to establish identity, posing some difficult issues around trust online. Some companies and policymakers searching for stable online credentials have proposed using the driver's license as a medium for verifying identity in cyberspace.
In 2002, several proposals were put forth to create a National ID card or, more subtly, to create a back end database connecting driver's license information across the country and to begin to incorporate digital biometric information, such as a fingerprint, into the card and the linked databases. None of the major legislation on the subject has been reintroduced in this Congress, but more moderate proposals may be introduced this session.
For more background information on the use of the driver's license as a general ID card, see:
- CDT's Policy Post 8.17: PRIVACY AND SECURITY RISKS IN DRIVER'S LICENSE PROPOSALS (Sept. 5, 2002) http://www.cdt.org/publications/pp_8.17.shtml
- The National Academy of Sciences report, "IDs — Not that Easy" (2002) http://www.nap.edu/html/id_questions/
- "Reliable Identification for Homeland Protection and Collateral Gains" – Appendix A to the report of the Markle Foundation Task Force on National Security in the Information Age (Dec. 2003) http://www.markletaskforce.org/.
(3) Lax Security and Insider Abuse at the Local Level Pose National Challenges
CDT has been concerned that policymakers interested in ID issues are too focused on the quality of the driver's license as an identity document – thus proposals to improve the biometrics on the card – and are overlooking the bigger concern that the driver's license system is riddled with fraud at the point of issuance. All the biometrics in the world won't make a secure card if DMV employees can be bribed or the card-making equipment can easily be stolen. Our concern has been that the fraud issue, of grave national consequence, was being treated mostly as a local concern.
In October 2002, CDT called upon the American Association of Motor Vehicle Administrators (AAMVA) to begin compiling an index of cases of internal and external fraud relating to the issuance of driver's licenses at the DMVs. CDT believed fraud was more widespread than realized and that all state agencies should be evaluated and ranked based on performance. When AAMVA did not take up the idea, CDT undertook a survey of local news coverage in 2003 and found:
- 23 cases of publicly reported fraud or lax security at driver's license operations in 15 different states.
- Thousands of fraudulent driver's licenses issued by bribed state employees.
- Dozens, if not hundreds, of cases of identity theft tied back to internal fraud and bad security practices.
Some of the more egregious cases include:
- The entire 11 person staff of the Newark, New Jersey DMV office was fired after investigators determined fraud was rampant. New Jersey had multiple cases of fraud or theft. This is not to suggest that NJ has the worst problem, but may just be a reflection of the fact that New Jersey has an ongoing investigation based on the consistent concerns about the state agency.
- An identity theft ring in Oregon was found with a CD-ROM full of Oregon drivers' personal information and the casings and cards that could only have been taken from an Oregon Motor Vehicles Office. Officials say that they could link at least 40 cases of identity theft back to the thieves.
- Indiana officials are still investigating a bribery ring that led to the fraudulent issuance of more than 1000 licenses across the state.
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_10.03.shtml.
Excerpts may be re-posted with prior permission of [email protected]
Policy Post 10.03 Copyright 2004 Center for Democracy and Technology