Startling Incompetence at ANSI Standards Group
I have always regarded standard-setting organizations as serious players who take care to keep slightly boring the work of establishing uniformity in products and protocols. But a press release from the American National Standards Institute (ANSI) may cause me to reassess.
“IDSP Issues Report Calling for National Identity Verification Standard” is the release, and it’s bristling with error and malformed policy assertions. IDSP is the “Identity Theft Prevention and Identity Management Standards Panel,” an ANSI subgroup.
Take this doozy:
[T]he Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) and the REAL ID Act of 2005 require verification of identity prior to the issuance of birth certificates and driver’s licenses / ID cards, respectively. However, the IRTPA regulations have not yet been released even in draft form and the REAL ID regulations do not provide practical guidance on how to corroborate a claim of identity under different circumstances.
Folks, REAL ID repealed the identity security provisions in the Intelligence Reform and Terrorism Prevention Act. (It’s a good bet that regulations for a repealed law aren’t going to move out of draft form for a very long time, eh?) And REAL ID does not require verification of identity prior to issuance of birth certificates. What could that even mean?! “Hey you—little baby—let me see some ID before I issue you your birth certificate.”
The release repeats the tired mantra that 9/11 terrorists got U.S. identity documents—”some by fraud.” The 9/11 Commission dedicated three-quarters of a page to its identity recommendations—out of 400 substantive pages—and neither the commission nor anyone since has shown how denying people U.S. identity documents would prevent terrorism.
Are there needs for identity standards? Of course. And there are a lot of projects in a lot of places working on that. If an organization doesn’t know the law, and doesn’t know how the subject matter it’s dealing with functions in society, I don’t know how it could possibly be relied on to set appropriate standards.
ANSI should take a look at this subgroup and see if its work is actually competent. Judging by this press release, it’s not.
Some Thoughts on the New Surveillance
Last night I spoke at “The Little Idea,” a mini-lecture series launched in New York by Ari Melber of The Nation and now starting up here in D.C., on the incredibly civilized premise that, instead of some interminable panel that culminates in a series of audience monologues-disguised-as-questions, it’s much more appealing to have a speaker give a ten-minute spiel, sort of as a prompt for discussion, and then chat with the crowd over drinks.
I’d sketched out a rather longer version of my remarks in advance just to make sure I had my main ideas clear, and so I’ll post them here, as a sort of preview of a rather longer and more formal paper on 21st century surveillance and privacy that I’m working on. Since ten-minute talks don’t accommodate footnotes very well, I should note that I’m drawing for a lot of these ideas on the excellent work of legal scholars Lawrence Lessig and Daniel Solove (relevant papers at the links). Anyway, the expanded version of my talk after the jump:
Indiana Voter ID Law Struck Down
Constitutional rules often comport with common sense. The Fourth Amendment’s search and seizure clause — so burdensome to law enforcement, some argue — requires officials to look for evidence of crime where they think they’ll find it and not elsewhere. Common sense.
So it is with an Indiana Court of Appeals ruling that the state’s voter ID law violates the equal protection clause of the state’s constitution. The law requires in-person voters to show ID, but makes no attempt to verify the identities of absentee voters. The U.S. Supreme Court upheld the law against a recent challenge, but the Indiana court struck it down based on a broader protection in the state constitution’s equal protection clause.
Think what you will on the legal merits. (I generally appreciate courts breathing independent life into their state constitutions.) What is interesting here is that the result is imbued with constitutional common sense.
Requiring ID at polling stations would have a marginal effect on vote fraud because it makes it harder to impersonate a voter or manufacture a vote-qualified identity. But the risk of in-person voter fraud is very low compared to absentee ballot fraud, which the Indiana law did not touch. The Indiana voter ID law was tantamount to caulking windows to keep out the cold but leaving the front door open. Because of the disproportionate effect on different classes of voters, the court struck it down.
Voter fraud will continue to be a hot issue, and states should continue to tune the balances they strike between voter access and vote integrity. My concern is that the issue might boil over and produce national ID proposals, as we have seen in the past.
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Fun With DHS Press Releases!
Let’s fisk a DHS press release! It’s the “Statement by DHS Press Secretary Sara Kuban on Markup of the Pass ID Bill by the Senate Homeland Security and Government Affairs Committee.” Here goes:
On the same day that Secretary Napolitano highlighted the Department’s efforts to combat terrorism and keep our country safe during a speech in New York City,
This part is true: Secretary Napolitano was in New York speaking about terrorism.
Congress took a major step forward on the PASS ID secure identification legislation.
There was a markup of PASS ID in the Homeland Security and Governmental Affairs Committee. It’s a step — not sure how major.
PASS ID is critical national security legislation
People who have studied identity-based security know that knowing people’s identities doesn’t secure against serious threats, so this is exaggeration.
that will break a long-standing stalemate with state governments
Thirteen states have barred themselves by law from implementing REAL ID, the national ID law. DHS hopes that changing the name and offering them money will change their minds.
that has prevented the implementation of a critical 9/11 recommendation to establish national standards for driver’s licenses.
The 9/11 Commission devoted three-quarters of a page to identity security — out of 400+ substantive pages. That’s more of a throwaway recommendation or afterthought. False identification wasn’t a modus operandi in the 9/11 attacks, and the 9/11 Commission didn’t explain how identity would defeat future attacks. (Also, using “critical” twice in the same sentence is a stylistic no-no.)
As the 9/11 Commission report noted, fraudulent identification documents are dangerous weapons for terrorists,
No, it said “travel documents are as important as weapons.” It was talking about passports and visas, not drivers’ licenses. Oh — and it was exaggerating.
but progress has stalled towards securing identification documents under the top-down, proscriptive approach of the REAL ID Act
True, rather than following top-down prescription, states have set their own policies to increase driver’s license security. It’s not necessarily needed, but if they want to they can, and they don’t need federal conscription of their DMVs to do it.
– an approach that has led thirteen states to enact legislation prohibiting compliance with the Act.
“. . . which is why we’re trying to get it passed again with a different name!”
Rather than a continuing stalemate with the states,
Non-compliant states stared Secretary Chertoff down when he threatened to disrupt their residents’ air travel, and they can do the same to Secretary Napolitano.
PASS ID provides crucial security gains now by establishing common security standards for driver’s licenses
Weak security gains, possibly in five years. In computer science — to which identification and credentialing is akin — monoculture is regarded as a source of vulnerability.
and a path forward for ensuring that states can electronically verify source documents, including birth certificates.
We’re on the way to that cradle-to-grave biometric tracking system that will give government so much power over every single citizen and resident.
See? That was fun!
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Assessing the Claim that CDT Opposes a National ID
It was good of Ari Schwartz to respond last week to my recent post querying whether the Center for Democracy and Technology outright opposes a national ID or simply “does not support” one.
Ari says CDT does oppose a national ID, and I believe that he honestly believes that. But it’s worth taking a look at whether the group’s actions are consistent with opposition to a national ID. I believe CDT’s actions — most recently its support of the PASS ID Act — support the creation of a national ID.
(The title of his post and some of his commentary suggest I have engaged in rhetorical excess and mischaracterized his views. Please do judge for yourself whether I’m being shrill or unfair, which is not my intention.)
First I want to address an unusual claim of Ari’s — that we already have a national ID system. If that is true, his support for PASS ID is more sensible because it is an opportunity to inject federal privacy protections into the existing system (putting aside whether it is a federal responsibility to manage a state system or systems).
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Would PASS ID Really Save States Money?
The proposed PASS ID Act is a national ID just like REAL ID, and it threatens privacy just as much. Some argue that a national ID under PASS ID should be palatable, though, because it reduces costs to states.
But savings to states under PASS ID are not at all clear. Let’s take a look at the costs of creating a U.S. national ID.
The REAL ID Act, passed in May 2005, required states to begin implementing a national ID system within three years. In regulations it proposed in March 2007, the Department of Homeland Security extended that draconian deadline. States would have five years, starting in May 2008, to move all driver’s license and ID card holders into REAL ID-compliant cards.
The Department of Homeland Security estimated the costs for this project at $17.2 billion dollars (net present value, 7% discount). Costs to individuals came it at nearly $6 billion – mostly in wasted time. Americans would spend more than 250 million hours filling out forms, finding birth certificates and Social Security cards, and waiting in line at the DMV.
The bulk of the costs fell on state governments, though: nearly $11 billion dollars. The top three expenditures were $5.25 billion for customer service at DMVs, $4 billion for card production, and $1.1 billion for data systems and IT. Getting hundreds of millions of people through DMVs and issuing them new cards in such a short time was the bulk of the cost.
To drive down the cost estimate, DHS pushed the implementation schedule way back. In its final rule of January 2008, it allowed states a deadline extension to December 31, 2009 just for the asking, and a second extension to May 2011 for meeting certain milestones. Then states would have until the end of 2017 to replace all cards with the national ID card. That’s just under ten years.
Then the DHS decided to assume that only 75% of people would actually get the national ID. (Never mind that whatever benefits from having a national ID drop to near zero if it is not actually “national.”)
The result was a total cost estimate of about $6.85 billion (net present value, 7% discount). Individual citizens would still spend $5.2 billion worth of their time (in undiscounted dollars) on paperwork and waiting at the DMV. But states would spend just $1.5 billion on data and interconnectivity systems; $970 million on customer service; and $953 million on card production and issuance—a total of about $2.4 billion. (All undiscounted—DHS didn’t publish estimates for the final rule the same way it published their estimates for the proposed rule.)
Maybe these cost estimates were still too high. Maybe they weren’t believable. Or maybe Americans’ love of privacy and hatred of a national ID explains it. But the lower cost estimate did not slow the “REAL ID Rebellion.” Given the costs, the complexity, the privacy consequences, and the dubious benefits, states rejected REAL ID.
Enter PASS ID, which supposedly alleviates the costs to states of REAL ID. But would it?
At a Senate hearing last week, not one, but two representatives of the National Governors Association testified in favor of PASS ID, citing their internal estimate that implementing PASS ID would cost states just $2 billion.
But there is reason to doubt that figure. PASS ID is a lot more like REAL ID – the original REAL ID – in the way that most affects costs: the implementation schedule.
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Lock It Down, Centralize It, Federalize It
Speaking of the Center for Democracy and Technology, Leslie Harris gave a terrific quote to Forbes.com for an article on cybersecurity:
The Rockefeller-Snowe Bill represents just the sort of heavy-handed regulation that could stifle innovation and hurt the economy, argues Leslie Harris, president and chief executive of the Center for Democracy and Technology. “If you lock things down too tight and try to centralize and federalize all kinds of standards, you’re on a collision course with the innovators who may be making the next great tech product in their backyard,” she says.
The question is why CDT doesn’t apply this thinking to the field of identification and credentialing.
PASS ID and National ID – Rejoinder to Schwartz
Ari Schwartz responded in characteristic even tones to my critique of his testimony in favor of the PASS ID Act, which would revive the moribund REAL ID law. It’s worth a rejoinder, and I’ll offer him the same again here if he wishes.
Ari clouds matters slightly by suggesting that my “strong biases” obscure certain facts. I readily admit having a strong bias in favor of liberty — it’s why I do what I do. Ari admits several biases, including one in favor of consensus-building, which was what I accused him of prioritizing over principle. Let’s put aside the question of bias.
It’s good to see Ari state that CDT does not support a national ID system. It would be better to see him state that CDT opposes having a national ID system. (I imagine this is just a matter of word choice, but it would be good to have clarity.)
Next, Ari says his testimony “makes it clear that we believe that PASS ID prevents the creation of a National ID system.” I don’t believe this is clear from his testimony. More importantly, this is not a sound assessment of what a national ID is or what PASS ID does.
We need some defined terms, so let’s tease out what he means by “national ID.” (He has told me that there is some distinction between a “national ID,” a “national ID system,” and perhaps a “national ID card,” but the distinction is lost on me. I believe a national ID card is part of a national ID system, both of which are commonly referred to in shorthand as a “national ID.”)
Twice in his testimony, he correctly calls REAL ID a national ID system. The factors that make it so appear to be “the very real possibility that individuals would not be able to function in American society without a REAL ID card” and “giving unfettered discretion to DHS to expand the ‘official purposes’ for which REAL ID cards could be required.”
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Review of the Big REAL ID Hearing
The Senate Homeland Security and Governmental Affairs Committee held a hearing yesterday on the REAL ID Act and the REAL ID revival bill, known as PASS ID. I attended and want to share with you some highlights.
Good News!
Little good came from the hearing, as it was primarily focused on how to get the states and people to accept a national ID. But there is some good news.
First, Department of Homeland Security Secretary Janet Napolitano declared REAL ID dead (much as I did in my testimony two-plus years ago). “DOA” is how she referred to it.
She also said that no state will be in compliance with REAL ID by the current December 31, 2009 deadline. This is important because a lot of people think that states doing anything about the security of drivers’ licenses and ID cards are complying with REAL ID.
Another highlight was the commentary of Senator Roland Burris (D-IL). He is a beleaguered outsider to the Senate and evidently wasn’t coached on the talking points around REAL ID and PASS ID. So he flat out asked why we shouldn’t just have “a national ID.”
Senator Susan Collins’ (R-ME) nervous smile was particularly noticeable when Burris asked why the emperor had no clothes. No one was supposed to talk about national IDs at this hearing! But that’s what PASS ID is.
REAL ID and PASS ID are two versions of the same national ID system, and nobody is denying it. That’s good news because the effort to rebrand REAL ID through PASS ID has failed.
Does the PASS ID Act Protect Privacy?
I’ve written about PASS ID here a couple of times before – first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.
The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.
“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.
Interstate Data Sharing?
First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.
Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.
How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.
Calling Secretary Napolitano: Arizona to Reject EDLs
Department of Homeland Security Secretary Janet Napolitano has been all over the map on national ID issues. As governor of Arizona, she signed a memorandum of understanding with the Bush DHS to implement “enhanced driver’s licenses” in her state. These are licenses with long-range RFID chips built into them. But then she turned around and signed legislation barring implementation of the REAL ID Act in Arizona.
Now, having taken federal office, she again favors REAL ID — or at least under its new name: PASS ID. (Her efforts to put distance between REAL ID and PASS ID have not borne fruit.)
In some respects, PASS ID is worse than REAL ID. It would give congressional approval to the “enhanced driver’s license” program — invented by DHS and State Department bureaucrats to do long-range (and potentially surreptitious) identification of people holding this type of card. Back home, the Arizona legislature has just passed a bill to prohibit the state from implementing EDLs.
So the former governor of Arizona, who has both supported and rejected national ID programs, now supports a bill to approve the national ID program her home state rejects. Napolitano seems to be taking the national ID tar baby in a loving embrace.
Filed under: Foreign Policy and National Security; Telecom, Internet & Information Policy
National ID Mission Creep
It’s a given that, once in place, a national ID would be used for additional purposes.
In case you needed proof, on Wednesday, Senator David Vitter (R-LA) offered an amendment to H.R. 627, the Credit Cardholders’ Bill of Rights Act of 2009, requiring the Federal Reserve to impose federal identification standards on the opening of new credit accounts. Among the limited forms of ID credit issuers could accept are REAL ID cards, produced under the moribund national ID law. (Vitter may not realize that REAL ID is in collapse.)
To compound things, his amendment would require credit issuers to run new credit card applicants past terrorist watch-lists. The sense of normalcy, efficiency, and common sense that makes airports so pleasurable to visit today would infect our financial services system. Oh joy.
Filed under: Finance, Banking & Monetary Policy; Telecom, Internet & Information Policy
Questions for Heritage: REAL ID
The Heritage Foundation’s “The Foundry” blog has a post up called “Questions for Secretary Napolitano: Real ID.”
Honest advocates on two sides of an issue can come to almost perfectly opposite views, and this provides an example, because I find the post confused, wrong, or misleading in nearly every respect.
Let’s give it a brief fisking. Below, the language from the post is in italics, and my comments are in roman text:
Filed under: Telecom, Internet & Information Policy; Trade and Immigration
“. . . and Replace It with REAL ID”
CNN wrote an exciting headline on Wednesday: “Homeland Security Chief Seeks to Repeal Real ID Act.” What they left out was that the replacement would be . . . the REAL ID Act.
Intentionally or not, Secretary of Homeland Security Janet Napolitano has created the impression that the national ID law might go away. But simply renaming the Department of Homeland Security’s national ID program is not a repeal of REAL ID.
The REAL ID revival bill that has been circulating is the same national identification and tracking system with a few of the sharpest corners taken off and the hope of federal money held out to up-to-now recalcitrant states. The REAL ID revival bill would corral every American citizen into the national ID system to try and attack illegal immigrants.
Bills to repeal REAL ID were introduced in the previous Congress, but they did not move because the Bush administration and Chertoff DHS would have eagerly demagogued the issue. Those political conditions no longer hold. And just 10 months ago, Secretary Chertoff delayed the implementation of REAL ID without bringing any political repercussions to the Bush administration whatsoever. Secretary Napolitano can do the same if Congress fails to truly repeal REAL ID, as it should.
Cato on Facebook
Cato on Twitter
Cato on YouTube
Cato Tweets