With the Department of Homeland Security constantly spinning out new projects and programs (plus re-branded old ones) to investigate you, me, and the kitchen sink, it’s sometimes hard to keep up. But I was intrigued with a report that behvaior detection officers are getting another look from the Transportation Security Administration. Behavior detection is the unproven, and so far highly unsuccessful (Rittgers, Harper), program premised on the idea that telltale cues can reliably and cost-effectively indicate intent to do harm at airports.

But there’s a new behavior detection program already underway. Or is it interrogation?

Due to a bottleneck at the magnetometers in one concourse of the San Francisco airport (no strip-search machines!), I recently had the chance to briefly interview a Transportation Security Administration agent about a new security technique he was implementing. As each passenger reached him, he would begin to examine the traveler’s documentation and simultaneously ask the person’s last name. He confirmed to me that the purpose was to detect people who did not immediately, easily, and accurately respond. In thousands of interactions, he would quickly and naturally learn to detect obfuscation on the part of anyone carrying an ID that does not have the last name they usually use.

As a way of helping to confirm identity, it’s a straightforward and sensible technique. Almost everyone knows his or her last name, and quickly and easily repeats it. The average TSA agent with some level of experience will fluently detect people who do not quickly and easily repeat the name on the identity card they carry. The examination is done quickly. This epistemetric check (of a “something-you-know” identifier—see my book, Identity Crisis) occurs during the brief time that the documents are already getting visual examination.

Some people will not repeat their name consistent with custom, of course. The hard of hearing, speakers of foreign languages, people who are very nervous, people who have speech or other communication impediments, and another group of sufferers—recently married women—may exhibit “suspicious” failure to recite their recently changed surnames. Some of these anomalies TSA agents will quickly and easily dismiss as non-suspicious. Others they won’t, and in marginal cases they might use non-suspicious indicia like ethnicity or rudeness to adjudge someone “suspicious.”

The question whether these false positives are a problem depends on the sanction that attaches to suspicion. If a stutterer gets a gauntlet at the airport each time he or she fails to rattle off a name, the cost of the technique grows compared to the value of catching … not the small number of people who travel on false identification—the extremely small number of people who travel on false identification so as to menace air transportation.

We used this and closely related techniques, such as asking a person’s address or the DMV office where a license was issued, at the bar where I worked in college. It did pretty well to ferret out people carrying their older friends’ IDs. Part of the reason it worked well is because our expert doormen could quickly escalate to further inquiry, dismissing their own suspicions or denying entry to the bar very quickly. The cost of getting it wrong was to deny a person entry to the bar and sometimes possession of a license. These are relatively small costs to college students, unlike the many hours in time-costs to a traveler wrongly held up at the airport. According to my interview, suspicion generated this way at the airport requires a call to a supervisor, but I did not learn if secondary search is standard procedure, or if cases are handled some other way.

TSA agents are not doormen at bars, of course, and the subjects they are examining are not college kids out to get their drink on. These are government agents examining citizens, residents, and visitors to the United States as they travel for business and pleasure, often at high cost in dollars and time. The stakes are higher, and when the government uses a security technique like this, a layer of constitutional considerations joins the practical issues and security analysis.

I see three major legal issues with this new technique: Fourth Amendment search and seizure, the Fifth Amendment right against self-incrimination, and Due Process. When questioning joins an ID check at the airport, it’s a deepening of a search that is already constitutionally suspect. The Fifth Amendment issues are interesting because travelers are being asked to confess through their demeanor whether they are lying or telling the truth. It would seem to cross a Fifth Amendment line and the rule against forced self-incrimination. The Due Process issues are serious and fairly straightforward. When a TSA screener makes his or her judgment that a person is not responding consistent with custom and is therefore “suspicious,” these judgement calls allow the screeners to import their prejudices. Record-keeping about suspicion generated using this technique should determine whether administration of this epistemetric check violates constitutional due process in its application.

In its constant effort to ferret out terrorist attacks on air transportation, the TSA is mustering all its imagination. Its programs raise scores of risk management issues, they create constitutional problems, and they are a challenge to our tradition of constitutionally limited government. The threat that a person will use false identification to access a plane, defeating an otherwise working watch-list sytem, to execute some attack is utterly small. At what cost in dollars and American values do we attack that tiny threat?

The founding problem is the impetuous placement of federal government agents in the role of securing domestic passenger aviation. There are areas where government is integral to securing airports, airlines, and all the rest of the country—foreign intelligence and developing leads about criminal plots, for example—but the day-to-day responsibility for securing infrastructure like airports and airplanes should be the responsibility of its owners.

If the TSA were to go away, air security measures might be similar in many respects, but they would be conducted by organizations who must keep travelers happy and safe for their living. The TSA hasn’t anything like private airports’ and airlines’ incentives to balance security with convenience, privacy, cost-savings, and all other dimensions of a satisfactory travel experience. Asking people their names at airport security checkpoints is an interesting technique, and not an ineffective one, but it should probably be scrapped because it provides so little security at a relatively great cost.

Behavior Detection as Interrogation is a post from Cato @ Liberty - Cato Institute Blog

I’ve emphasized in the past that a national ID requirement—for travel, for work, whatever the case—would exclude the indigent from rungs on the ladder.

If you don’t know the story of the homeless man whose golden radio voice got him a second chance, you should.  But, as the New York Daily News reports, his long-awaited reunion with his mother has been delayed while he proves his identity so he can fly.

A land of freedom doesn’t put paperwork requirements between a man on the rebound and a long-awaited reunion with his mother.

ID Requirements and the Indigent is a post from Cato @ Liberty - Cato Institute Blog

This month at Cato Unbound, political scientist James C. Scott joins us in a discussion of his landmark book Seeing Like a State. His lead essay “The Trouble with the View from Above” gets readers up to speed and reviews some of the key themes of the book. Here’s an excerpt:

State naming practices and local, customary naming practices are strikingly different. Each set of practices is designed to make the human and physical landscape legible, by sharply identifying a unique individual, a household, or a singular geographic feature. Yet they are each devised by very distinct agents for whom the purposes of identification are radically different. Purely local, customary practices, as we shall see, achieve a level of precision and clarity—often with impressive economy—perfectly suited to the needs of knowledgeable locals. State naming practices are, by contrast, constructed to guide an official “stranger” in unambiguously identifying persons and places, not just in a single locality, but in many localities using standardized administrative techniques.

To follow the progress of state-making is, among other things, to trace the elaboration and application of novel systems which name and classify places, roads, people, and, above all, property. These state projects of legibility overlay, and often supersede, local practices. Where local practices persist, they are typically relevant to a narrower and narrower range of interaction within the confines of a face-to-face community.

Local knowledge both empowers and constrains — it allows and/or encourages some social practices, while making others more difficult. The progress of state power, meanwhile, depends on systematized, uniform knowledge of a wide area, with a loss of local particularity and the knowledge that goes with it. Seeing like a state has costs, in other words.

Over the next couple of weeks, we’ll be joined by discussants Donald Boudreaux, Brad DeLong, and Timothy Lee, each of whom will have a chance to ask Scott about his work, discuss its significance, and relate it to their own thinking about states, markets, and societies.

James C. Scott at Cato Unbound is a post from Cato @ Liberty - Cato Institute Blog

I have always regarded standard-setting organizations as serious players who take care to keep slightly boring the work of establishing uniformity in products and protocols. But a press release from the American National Standards Institute (ANSI) may cause me to reassess.

“IDSP Issues Report Calling for National Identity Verification Standard” is the release, and it’s bristling with error and malformed policy assertions. IDSP is the “Identity Theft Prevention and Identity Management Standards Panel,” an ANSI subgroup.

Take this doozy:

[T]he Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) and the REAL ID Act of 2005 require verification of identity prior to the issuance of birth certificates and driver’s licenses / ID cards, respectively. However, the IRTPA regulations have not yet been released even in draft form and the REAL ID regulations do not provide practical guidance on how to corroborate a claim of identity under different circumstances.

Folks, REAL ID repealed the identity security provisions in the Intelligence Reform and Terrorism Prevention Act. (It’s a good bet that regulations for a repealed law aren’t going to move out of draft form for a very long time, eh?) And REAL ID does not require verification of identity prior to issuance of birth certificates. What could that even mean?! “Hey you—little baby—let me see some ID before I issue you your birth certificate.”

The release repeats the tired mantra that 9/11 terrorists got U.S. identity documents—”some by fraud.” The 9/11 Commission dedicated three-quarters of a page to its identity recommendations—out of 400 substantive pages—and neither the commission nor anyone since has shown how denying people U.S. identity documents would prevent terrorism.

Are there needs for identity standards? Of course. And there are a lot of projects in a lot of places working on that. If an organization doesn’t know the law, and doesn’t know how the subject matter it’s dealing with functions in society, I don’t know how it could possibly be relied on to set appropriate standards.

ANSI should take a look at this subgroup and see if its work is actually competent. Judging by this press release, it’s not.

Startling Incompetence at ANSI Standards Group is a post from Cato @ Liberty - Cato Institute Blog

Last night I spoke at “The Little Idea,” a mini-lecture series launched in New York by Ari Melber of The Nation and now starting up here in D.C., on the incredibly civilized premise that, instead of some interminable panel that culminates in a series of audience monologues-disguised-as-questions, it’s much more appealing to have a speaker give a ten-minute spiel, sort of as a prompt for discussion, and then chat with the crowd over drinks.

I’d sketched out a rather longer version of my remarks in advance just to make sure I had my main ideas clear, and so I’ll post them here, as a sort of preview of a rather longer and more formal paper on 21st century surveillance and privacy that I’m working on. Since ten-minute talks don’t accommodate footnotes very well, I should note that I’m drawing for a lot of these ideas on the excellent work of legal scholars Lawrence Lessig and Daniel Solove (relevant papers at the links). Anyway, the expanded version of my talk after the jump:

Since this is supposed to be an event where the drinking is at least as important as the talking, I want to begin with a story about booze—the story of a guy named Roy Olmstead.  Back in the days of Prohibition, Roy Olmstead was the youngest lieutenant on the Seattle police force. He spent a lot of his time busting liquor bootleggers, and in the course of his duties, he had two epiphanies. First, the local rum runners were disorganized—they needed a smart kingpin who’d run the operation like a business. Second, and more importantly, he realized liquor smuggling paid a lot better than police work.

So Roy Olmstead decided to change careers, and it turned out he was a natural. Within a few years he had remarried to a British debutante, bought a big white mansion, and even ran his own radio station—which he used to signal his ships, smuggling hooch down from Canada, via coded messages hidden in broadcasts of children’s bedtime stories. He did retain enough of his old ethos, though, that he forbade his men from carrying guns. The local press called him the Bootleg King of Puget Sound, and his parties were the hottest ticket in town.

Roy’s success did not go unnoticed, of course, and soon enough the feds were after him using their own clever high-tech method: wiretapping. It was so new that they didn’t think they needed to get a court warrant to listen in on phone conversations, and so when the hammer came down, Roy Olmstead challenged those wiretaps in a case that went all the way to the Supreme Court—Olmstead v. U.S.

The court had to decide whether these warrantless wiretaps had violated the Fourth Amendment “right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures.” But when the court looked at how a “search” had traditionally been defined, they saw that it was tied to the common law tort of trespass. Originally, that was supposed to be your remedy if you thought your rights had been violated, and a warrant was a kind of shield against a trespass lawsuit. So the majority didn’t see any problem: “There was no search,” they wrote, “there was no seizure.” Because a search was when the cops came on to your property, and a seizure was when they took your stuff. This was no more a search than if the police had walked by on the sidewalk and seen Roy unpacking a crate of whiskey through his living room window: It was just another kind of non-invasive observation.

So Olmstead went to jail, and came out a dedicated evangelist for Christian Science. It wasn’t until the year after Olmstead died, in 1967, that the Court finally changed its mind in a case called Katz v. U.S.: No, they said, the Fourth Amendment protects people and not places, and so instead of looking at property we’re going to look at your reasonable expectation of privacy, and on that understanding, wiretaps are a problem after all.

So that’s a little history lesson—great, so what? Well, we’re having our own debate about surveillance as Congress considers not just reauthorization of some expiring Patriot Act powers, but also reform of the larger post-9/11 surveillance state, including last year’s incredibly broad amendments to the Foreign Intelligence Surveillance Act. And I see legislators and pundits repeating two related types of mistakes—and these are really conceptual mistakes, not legal mistakes—that we can now, with the benefit of hindsight, more easily recognize in the logic of Olmstead: One is a mistake about technology; the other is a mistake about the value of privacy.

First, the technology mistake. The property rule they used in Olmstead was founded on an assumption about the technological constraints on observation. The goal of the Fourth Amendment was to preserve a certain kind of balance between individual autonomy and state power. The mechanism for achieving that goal was a rule that established a particular trigger or tripwire that would, in a sense, activate the courts when that boundary was crossed in order to maintain the balance. Establishing trespass as the trigger made sense when the sphere of intimate communication was coextensive with the boundaries of your private property. But when technology decoupled those two things, keeping the rule the same no longer preserved the balance, the underlying goal, in the same way, because suddenly you could gather information that once required trespass without hitting that property tripwire.

The second and less obvious error has to do with a conception of the value of privacy, and a corresponding idea of what a privacy harm looks like.  You could call the Olmstead court’s theory “Privacy as Seclusion,” where the paradigmatic violation is the jackboot busting down your door and disturbing the peace of your home. Wiretapping didn’t look like that, and so in one sense it was less intrusive—invisible, even. In another sense, it was more intrusive because it was invisible: Police could listen to your private conversations for months at a time, with you none the wiser. The Katz court finally understood this; you could call their theory Privacy as Secrecy, where the harm is not intrusion but disclosure.

But there’s an even less obvious potential harm here. If they didn’t need a warrant, everyone who made a phone call would know that they could whenever they felt like it. Wiretapping is expensive and labor intensive enough that realistically they can only be gathering information about a few people at a time.  But if further technological change were to remove that constraint, then the knowledge of the permanent possibility of surveillance starts having subtle effects on people’s behavior—if you’ve seen the movie The Lives of Others you can see an extreme case of an ecology of constant suspicion—and that persists whether or not you’re actually under surveillance.  To put it in terms familiar to Washingtonians: Imagine if your conversations had to be “on the record” all the time. Borrowing from Michel Foucault, we can say the privacy harm here is not (primarily) invasion or disclosure but discipline. This idea is even embedded in our language: When we say we want to control and discipline these police powers, we talk about the need for over-sight and super-vision, which are etymologically basically the same word as sur-veillance.

Move one more level from the individual and concrete to the abstract and social harms, and you’ve got the problem (or at least the mixed blessing) of what I’ll call legibility. The idea here is that the longer term possibilities of state control—the kinds of power that are even conceivable—are determined in the modern world by the kind and quantity of information the modern state has, not about discrete individuals, but about populations.  So again, to reach back a few decades, the idea that maybe it would be convenient to round up all the Americans of Japanese ancestry—or some other group—and put them in internment camps is just not even on the conceptual menu unless you have a preexisting informational capacity to rapidly filter and locate your population that way.

Now, when we talk about our First Amendment right to free speech, we understand it has a certain dual character: That there’s an individual right grounded in the equal dignity of free citizens that’s violated whenever I’m prohibited from expressing my views. But also a common or collective good that is an important structural precondition of democracy. As a citizen subject to democratic laws, I have a vested interest in the freedom of political discourse whether or not I personally want to say–or even listen to–controversial speech. Looking at the incredible scope of documented intelligence abuses from the 60s and 70s, we can add that I have an interest in knowing whether government officials are trying to silence or intimidate inconvenient journalists, activists, or even legislators. Censorship and arrest are blunt tactics I can see and protest; blackmail or a calculated leak that brings public disgrace are not so obvious. As legal scholar Bill Stuntz has argued, the Founders understood the structural value of the Fourth Amendment as a complement to the First, because it is very hard to make it a crime to pray the wrong way or to discuss radical politics if the police can’t arbitrarily see what people are doing or writing in their homes.

Now consider how we think about our own contemporary innovations in search technology. The marketing copy claims PATRIOT and its offspring “update” investigative powers for the information age—but what we’re trying to do is stretch our traditional rules and oversight mechanisms to accommodate search tools as radically novel now as wiretapping was in the 20s. On the traditional model, you want information about a target’s communications and conduct, so you ask a judge to approve a method of surveillance, using standards that depend on how intrusive the method is and how secret and sensitive the information is. Constrained by legal rulings from a very different technological environment, this model assumes that information held by third parties—like your phone or banking or credit card information—gets very little protection, since it’s not really “secret” anymore. And the sensitivity of all that information is evaluated in isolation, not in terms of the story that might emerge from linking together all the traces we now inevitable leave in the datasphere every day.

The new surveillance typically seeks to observe information about conduct and communications in order to identify targets. That may mean using voiceprint analysis to pull matches for a particular target’s voice or a sufficiently unusual regional dialect in a certain area. It may mean content analysis to flag e-mails or voice conversations containing known terrorist code phrases. It may mean social graph analysis to reidentify targets who have changed venues by their calling patterns.  If you’re on Facebook, and a you and bunch of your friends all decide to use fake names when you sign up for Twitter, I can still reidentify you given sufficient computing power and strong algorithms by mapping the shape of the connections between you—a kind of social fingerprinting. It can involve predictive analysis based on powerful electronic “classifiers” that extract subtle patterns of travel or communication or purchases common to past terrorists in order to write their own algorithms for detecting potential ones.

Bracket for the moment whether we think some or all of these methods are wise.  It should be crystal clear that a method of oversight designed for up front review and authorization of target-based surveillance is going to be totally inadequate as a safeguard for these new methods.  It will either forbid them completely or be absent from the parts of the process where the dangers to privacy exist. In practice what we’ve done is shift the burden of privacy protection to so-called “minimization” procedures that are meant to archive or at least anonymize data about innocent people. But those procedures have themselves been rendered obsolete by technologies of retrieval and reidentification: No sufficiently large data set is truly anonymous.

And realize the size of the data sets we’re talking about. The FBI’s Information Data Warehouse holds at least 1.5 billion records, and growing fast, from an array of private and government sector sources—some presumably obtained using National Security Letters and Patriot 215 orders, some by other means. Those NSLs are issued by the tens of thousands each year, mostly for information about Americans.  As of 2006, we know “some intelligence sources”—probably NSA’s—were  growing at a rate of 4 petabytes, that’s 4 million Gigabytes—each month.  Within about five years, NSA’s archive is expected to be measured in Yottabytes—if you want to picture one Yottabyte, take the sum total of all data on the Internet—every web page, audio file, and video—and multiply it by 2,000. At that point they will have to make up a new word for the next largest unit of data.  As J. Edgar Hoover understood all too well, just having that information is a form of power. He wasn’t the most feared man in Washington for decades because he necessarily had something on everyone—though he had a lot—but because he had so much that you really couldn’t be sure what he had on you.

There is, to be sure, a lot to be said against the expansion of surveillance powers over the past eight years from a more conventional civil liberties perspective.  But we also need to be aware that if we’re not attuned to the way new technologies may avoid our would tripwires, if we only think of privacy in terms of certain familiar, paradigmatic violations—the boot in the door—then like the Olmstead court, we may render ourselves blind to equally serious threats that don’t fit our mental picture of a privacy harm.

If we’re going to avoid this, we need to attune ourselves to the ways modern surveillance is qualitatively different from past search tools, even if words like “wiretap” and “subpoena” remain the same. And we’re going to need to stop thinking only in terms of isolated violations of individual rights, but also consider the systemic and structural effects of the architectures of surveillance we’re constructing.

Some Thoughts on the New Surveillance is a post from Cato @ Liberty - Cato Institute Blog

Constitutional rules often comport with common sense. The Fourth Amendment’s search and seizure clause — so burdensome to law enforcement, some argue — requires officials to look for evidence of crime where they think they’ll find it and not elsewhere. Common sense.

So it is with an Indiana Court of Appeals ruling that the state’s voter ID law violates the equal protection clause of the state’s constitution. The law requires in-person voters to show ID, but makes no attempt to verify the identities of absentee voters. The U.S. Supreme Court upheld the law against a recent challenge, but the Indiana court struck it down based on a broader protection in the state constitution’s equal protection clause.

Think what you will on the legal merits. (I generally appreciate courts breathing independent life into their state constitutions.) What is interesting here is that the result is imbued with constitutional common sense.

Requiring ID at polling stations would have a marginal effect on vote fraud because it makes it harder to impersonate a voter or manufacture a vote-qualified identity. But the risk of in-person voter fraud is very low compared to absentee ballot fraud, which the Indiana law did not touch. The Indiana voter ID law was tantamount to caulking windows to keep out the cold but leaving the front door open. Because of the disproportionate effect on different classes of voters, the court struck it down.

Voter fraud will continue to be a hot issue, and states should continue to tune the balances they strike between voter access and vote integrity. My concern is that the issue might boil over and produce national ID proposals, as we have seen in the past.

Indiana Voter ID Law Struck Down is a post from Cato @ Liberty - Cato Institute Blog

Let’s fisk a DHS press release! It’s the “Statement by DHS Press Secretary Sara Kuban on Markup of the Pass ID Bill by the Senate Homeland Security and Government Affairs Committee.” Here goes:

On the same day that Secretary Napolitano highlighted the Department’s efforts to combat terrorism and keep our country safe during a speech in New York City,

This part is true: Secretary Napolitano was in New York speaking about terrorism.

Congress took a major step forward on the PASS ID secure identification legislation.

There was a markup of PASS ID in the Homeland Security and Governmental Affairs Committee. It’s a step — not sure how major.

PASS ID is critical national security legislation

People who have studied identity-based security know that knowing people’s identities doesn’t secure against serious threats, so this is exaggeration.

that will break a long-standing stalemate with state governments

Thirteen states have barred themselves by law from implementing REAL ID, the national ID law. DHS hopes that changing the name and offering them money will change their minds.

that has prevented the implementation of a critical 9/11 recommendation to establish national standards for driver’s licenses.

The 9/11 Commission devoted three-quarters of a page to identity security — out of 400+ substantive pages. That’s more of a throwaway recommendation or afterthought. False identification wasn’t a modus operandi in the 9/11 attacks, and the 9/11 Commission didn’t explain how identity would defeat future attacks. (Also, using “critical” twice in the same sentence is a stylistic no-no.)

As the 9/11 Commission report noted, fraudulent identification documents are dangerous weapons for terrorists,

No, it said “travel documents are as important as weapons.” It was talking about passports and visas, not drivers’ licenses. Oh — and it was exaggerating.

but progress has stalled towards securing identification documents under the top-down, proscriptive approach of the REAL ID Act

True, rather than following top-down prescription, states have set their own policies to increase driver’s license security. It’s not necessarily needed, but if they want to they can, and they don’t need federal conscription of their DMVs to do it.

– an approach that has led thirteen states to enact legislation prohibiting compliance with the Act.

“. . . which is why we’re trying to get it passed again with a different name!”

Rather than a continuing stalemate with the states,

Non-compliant states stared Secretary Chertoff down when he threatened to disrupt their residents’ air travel, and they can do the same to Secretary Napolitano.

PASS ID provides crucial security gains now by establishing common security standards for driver’s licenses

Weak security gains, possibly in five years. In computer science — to which identification and credentialing is akin — monoculture is regarded as a source of vulnerability.

and a path forward for ensuring that states can electronically verify source documents, including birth certificates.

We’re on the way to that cradle-to-grave biometric tracking system that will give government so much power over every single citizen and resident.

See? That was fun!

Fun With DHS Press Releases! is a post from Cato @ Liberty - Cato Institute Blog

It was good of Ari Schwartz to respond last week to my recent post querying whether the Center for Democracy and Technology outright opposes a national ID or simply “does not support” one.

Ari says CDT does oppose a national ID, and I believe that he honestly believes that. But it’s worth taking a look at whether the group’s actions are consistent with opposition to a national ID. I believe CDT’s actions — most recently its support of the PASS ID Act — support the creation of a national ID.

(The title of his post and some of his commentary suggest I have engaged in rhetorical excess and mischaracterized his views. Please do judge for yourself whether I’m being shrill or unfair, which is not my intention.)

First I want to address an unusual claim of Ari’s — that we already have a national ID system. If that is true, his support for PASS ID is more sensible because it is an opportunity to inject federal privacy protections into the existing system (putting aside whether it is a federal responsibility to manage a state system or systems).

Do We Already Have a National ID?

I have heard a few people suggest that we have a national ID in the form of the Social Security Number. I believe the SSN is a national identifier, but it fails the test of a national identification card or system because it is not used for identification. As we know well from the scourge of identity fraud, there is no definitive way to tie an SSN to a person. The SSN is not used for identification (at least not reliably and not alone), which is the third part of my national ID definition. (Senator Schumer might like the SSN to form the basis of a national ID system, of course.)

But Ari says something different. He does not claim any definition of “national ID” or “national ID system.” Instead, he appeals to the authority of a 2003 report from a National Academy of Sciences group entitled “Who Goes There?: Authentication Through the Lens of Privacy.” That report indeed says, “State-issued driver’s licenses are a de facto nationwide identity system” — on the second-to-last substantive page of its second-to-last substantive chapter

But this is a highly selective use of quotation. The year before, that same group issued a report called “IDs — Not That Easy: Questions About Nationwide Identity Systems.” From the beginning and throughout, that report discussed the many issues around proposals to create a “nationwide” identity system. If the NAS panel had already concluded that we have a national ID system, it would not have issued an entire report critiquing that prospect. It would have discussed the existing one as such. Ari’s one quote doesn’t do much to support the notion that we already have a national ID.

What’s more, CDT’s own public comments on the proposed REAL ID Act regulations in May 2007 said that its data-intensive “one person — one license/ID card — one record” policy would ”create a national identification system.”

If a national ID system already existed, the new policy wouldn’t create one. This is another authority at odds with the idea that we have a national ID system already.

Support of PASS ID might be forgiven if we had a national ID system and if PASS ID would improve it. But the claim we already have one is weak.

“Political Reality” and Its Manufacture

But the heart of Ari’s claim is that supporting PASS ID reflects good judgment in light of political reality.

Despite the fact that there are no federal politicians, no governors and no appointed officials from any party publicly supporting repeal of REAL ID today, CDT still says that repeal is an acceptable option. However, PASS ID would get to the same outcome, or better, in practice and has the added benefit of actually being a political possibility. . . . I realize that Harper has invested a lot of time fighting for the word “repeal,” but at some point we have to look at the political reality.

A “Dear Colleague” letter inviting support for a bill to repeal REAL ID circulated on the Hill last week. How many legislators will hesitate to sign on to the bill because they have heard that the PASS ID Act, and not repeal of REAL ID, is CDT’s preferred way forward?

The phrase “political reality” is more often used by advocates to craft the political reality they prefer than to describe anything truly real. Like the observer effect in experimental research, statements about “political reality” change political reality.  Convince enough people that a thing is “political reality” and the sought-after political reality becomes, simply, reality.

I wrote here before about how the National Governors Association, sensing profit, has worked diligently to make REAL ID a “political reality.” And it has certainly made some headway (though not enough). In the last Congress, the only legislation aimed at resolving the REAL ID impasse were bills to repeal REAL ID. Since then, the political reality is that Barack Obama was elected president and an administration far less friendly to a national ID took office. Democrats — who are on average less friendly to a national ID — made gains in both the House and Senate.

But how are political realities crafted? It has often been described as trying to get people on a bus. To pass a bill, you change it to get more people on the bus than get off.

The REAL ID bus was missing some important riders. It had security hawks, the Department of Homeland Security, anti-immigrant groups, DMV bureaucrats, public safety advocates, and the Bush Administration. But it didn’t have: state legislators and governors, privacy and civil liberties groups, and certain religious communities, among others.

PASS ID is for the most part an effort to bring on state legislators and governors. The NGA is hoping to broker the sale of state power to the federal government, locking in its own institutional role as a supplicant in Washington, D.C. for state political leaders.

But look who else was hanging around the bus station looking for rides! — CDT, the nominal civil liberties group. Alone it jumped on the bus, communicating to others less familiar with the issues that PASS ID represented a good way forward.

Happily, few have taken this signal. The authors of PASS ID were unable to escape the name “REAL ID,” which is a far more powerful beacon flashing national ID and all the ills that entails than CDT’s signal to the contrary.

This is not the first time that CDT’s penchant for compromise has assisted the national ID effort, though.

Compromising Toward National ID

The current push for a national ID has a short history that I summarized three years ago in a righteously titled post on the TechLiberationFront blog: “The Markle Foundation: Font of Evil II.”

Briefly, in December 2003, a group called the Markle Foundation Task Force on National Security in the Information Age recommended “both near-term measures and a longer-term research agenda to increase the reliability of identification while protecting privacy.” (Never mind that false identification was not a modus operandi of the 9/11 attacks.)

The 9/11 Commission, citing Markle, found that “[t]he federal government should set standards for the issuance of birth certificates and sources of identification, such as drivers licenses.” In December 2004, Congress passed the Intelligence Reform and Terrorism Prevention Act, implementing the recommendations of the 9/11 Commission, including national standards for drivers’ licenses and identification cards, the national ID system recommended by the Markle Task Force. And in May 2005, Congress passed a strengthened national ID system in the REAL ID Act.

An earlier post, “The Markle Foundation: Font of Evil,” has more — and the text of a PoliTech debate between myself and Stewart Baker. Security hawk Baker was a participant in the Markle Foundation group, as was national ID advocate Amitai Etzioni. So was the Center for Democracy and Technology’s Jim Dempsey.

I had many reservations about the Markle Foundation Task Force and its work product, and in an April 2005 meeting of the DHS Privacy Committee, I asked Dempsey about what qualified people to serve on that task force, whether people were invited, and what might exclude them. A month before REAL ID passed, he said:

I think the Markle Task Force at least sought balance. And people came to the table committed to dialogue. And those who came with a particular point of view, I think, were all committed to listening. And I think people’s minds were changed. . . . What we were committed to in the Markle Task Force was changing our minds and trying to find a common ground and to try to understand each other. And we spent the time at it. And that, I think, is reflected in the product of the task force.

There isn’t a nicer, more genuine person working in public policy than Jim Dempsey. He is the consummate honest broker, and this statement of his intentions for the Markle Foundation I believe to be characteristically truthful and earnest.

But consider the possibility that others participating on the Markle Foundation Task Force did not share Jim’s predilection for honest dialogue and compromise. It is even possible that they mouthed these ideals while working intently to advance their goals, including creation of a national ID.

Stewart Baker, who I personally like, is canny and wily, and he wants to win. I see no evidence that Amitai Etzioni changed his mind about having a national ID when he authored the recommendation in the Markle report that ultimately produced REAL ID.

Other Markle participants I have talked to were unaware of what the report said about identity-based security, national identity standards, or a national ID. They don’t even know (or didn’t at the time) that lending your name to a report also lends it your credibility. Whatever privacy or civil liberties advocates were involved with the Markle Task Force got rolled — big-time — by the pro-national-ID team.

CDT is a sophisticated Washington, D.C. operation. It is supposed to understand these dynamics. I can’t give it the pass that outsiders to Washington might get. By committing to compromise rather than any principle, and by lending its name to the Markle Foundation Task Force report, CDT gave credibility to a bad idea — the creation of a national ID.

CDT helped produce the REAL ID Act, which has taken years of struggle to beat back. And now they are at it again with “pragmatic” support for PASS ID.

CDT has been consistently compromising on national ID issues while proponents of a national ID have been doggedly and persistently pursuing their interests. This is not the behavior of a civil liberties organization. It’s why I asked in the post that precipitated this debate whether there is anything that would cause CDT to push back from the table and say No.

Despite words to the contrary, I don’t see evidence that CDT opposes having a national ID. It certainly works around the edges to improve privacy in the context of having a national ID — reducing the wetness of the water, as it were — but at key junctures, CDT’s actions have tended to support having a U.S. national ID. I remain open to seeing contrary evidence.

Assessing the Claim that CDT Opposes a National ID is a post from Cato @ Liberty - Cato Institute Blog

The proposed PASS ID Act is a national ID just like REAL ID, and it threatens privacy just as much. Some argue that a national ID under PASS ID should be palatable, though, because it reduces costs to states.

But savings to states under PASS ID are not at all clear. Let’s take a look at the costs of creating a U.S. national ID.

The REAL ID Act, passed in May 2005, required states to begin implementing a national ID system within three years. In regulations it proposed in March 2007, the Department of Homeland Security extended that draconian deadline. States would have five years, starting in May 2008, to move all driver’s license and ID card holders into REAL ID-compliant cards.

The Department of Homeland Security estimated the costs for this project at $17.2 billion dollars (net present value, 7% discount). Costs to individuals came it at nearly $6 billion – mostly in wasted time. Americans would spend more than 250 million hours filling out forms, finding birth certificates and Social Security cards, and waiting in line at the DMV.

The bulk of the costs fell on state governments, though: nearly $11 billion dollars. The top three expenditures were $5.25 billion for customer service at DMVs, $4 billion for card production, and $1.1 billion for data systems and IT. Getting hundreds of millions of people through DMVs and issuing them new cards in such a short time was the bulk of the cost.

To drive down the cost estimate, DHS pushed the implementation schedule way back. In its final rule of January 2008, it allowed states a deadline extension to December 31, 2009 just for the asking, and a second extension to May 2011 for meeting certain milestones. Then states would have until the end of 2017 to replace all cards with the national ID card. That’s just under ten years.

Then the DHS decided to assume that only 75% of people would actually get the national ID. (Never mind that whatever benefits from having a national ID drop to near zero if it is not actually “national.”)

The result was a total cost estimate of about $6.85 billion (net present value, 7% discount). Individual citizens would still spend $5.2 billion worth of their time (in undiscounted dollars) on paperwork and waiting at the DMV. But states would spend just $1.5 billion on data and interconnectivity systems; $970 million on customer service; and $953 million on card production and issuance—a total of about $2.4 billion. (All undiscounted—DHS didn’t publish estimates for the final rule the same way it published their estimates for the proposed rule.)

Maybe these cost estimates were still too high. Maybe they weren’t believable. Or maybe Americans’ love of privacy and hatred of a national ID explains it. But the lower cost estimate did not slow the “REAL ID Rebellion.” Given the costs, the complexity, the privacy consequences, and the dubious benefits, states rejected REAL ID.

Enter PASS ID, which supposedly alleviates the costs to states of REAL ID. But would it?

At a Senate hearing last week, not one, but two representatives of the National Governors Association testified in favor of PASS ID, citing their internal estimate that implementing PASS ID would cost states just $2 billion.

But there is reason to doubt that figure. PASS ID is a lot more like REAL ID – the original REAL ID – in the way that most affects costs: the implementation schedule.

Under PASS ID, the DHS would have to come up with regulations in just nine months. States would then have just one year to begin complying. All drivers’ licenses would have to be replaced in the five years after that. That’s a total of six years to review the documents of every driver and ID holder, and issue them new cards.

How did the NGA come up with $2 billion? Maybe they took the extended, watered-down, 75%-over-ten-years estimate and subtracted some for reduced IT costs. (The NGA is free to publish its methodology, of course.)

But the costs of implementing PASS ID to states are more likely to be closer to $11 billion than the $2 billion figure that the NGA puts forward. In just six years, PASS ID would send some 245 million people into DMV offices around the country demanding new cards. States will have to hire and train new employees to handle the workload. They will have to acquire new computer systems, documents scanners, data storage facilities, and so on.

There is another source for cost estimates that draws the $2 billion figure into question: the National Governors Association itself. In September 2006, it issued a report with the National Conference of State Legislatures and the American Association of Motor Vehicle Administrators finding that the costs to re-enroll drivers and ID holders over a 5-year period would cost states $8.45 billion (not discounted).

Just as with REAL ID, re-enrollment under PASS ID would undo the cost-savings and convenience that states have gained by allowing online re-issuance for good drivers and long-time residents. As the NGA said:

Efficiencies from alternative renewal processes such as Internet and mail will be lost during the re-enrollment period, and states will face increased costs from the need to hire more employees and expand business hours to meet the five year re-enrollment deadline.

Angry citizens will ask their representatives why they are being investigated like criminals just so they can exercise their right to drive.

PASS ID does reduce some of the information technology costs of REAL ID, such as requirements to use systems that still do not exist, and requirements to pay for driver background checks through the Systematic Alien Verification for Entitlements system and the Social Security Online Verification system.

But PASS ID still requires states to “[e]stablish an effective procedure to confirm that a person [applying] for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued under PASS ID by any other state. How do you do that? By sharing driver information. The language requiring states to provide all other states electronic access to their databases is gone, but the need to share that information is still there.

A last hope for states is that the federal government will come up with money to handle all this. But the federal government is in even tougher financial straights than many states. The federal deficit for this fiscal year is projected to reach $1.84 trillion.

Experienced state leaders recognize that the promise of federal money may not be fulfilled. The weakly funded PASS ID mandate will likely become a fully unfunded mandate.

So, does PASS ID really save states money? I wouldn’t put any money on it . . . .

Would PASS ID Really Save States Money? is a post from Cato @ Liberty - Cato Institute Blog

Speaking of the Center for Democracy and Technology, Leslie Harris gave a terrific quote to Forbes.com for an article on cybersecurity:

The Rockefeller-Snowe Bill represents just the sort of heavy-handed regulation that could stifle innovation and hurt the economy, argues Leslie Harris, president and chief executive of the Center for Democracy and Technology. “If you lock things down too tight and try to centralize and federalize all kinds of standards, you’re on a collision course with the innovators who may be making the next great tech product in their backyard,” she says.

The question is why CDT doesn’t apply this thinking to the field of identification and credentialing.

Lock It Down, Centralize It, Federalize It is a post from Cato @ Liberty - Cato Institute Blog

Ari Schwartz responded in characteristic even tones to my critique of his testimony in favor of the PASS ID Act, which would revive the moribund REAL ID law. It’s worth a rejoinder, and I’ll offer him the same again here if he wishes.

Ari clouds matters slightly by suggesting that my “strong biases” obscure certain facts. I readily admit having a strong bias in favor of liberty — it’s why I do what I do. Ari admits several biases, including one in favor of consensus-building, which was what I accused him of prioritizing over principle. Let’s put aside the question of bias.

It’s good to see Ari state that CDT does not support a national ID system. It would be better to see him state that CDT opposes having a national ID system. (I imagine this is just a matter of word choice, but it would be good to have clarity.)

Next, Ari says his testimony “makes it clear that we believe that PASS ID prevents the creation of a National ID system.” I don’t believe this is clear from his testimony. More importantly, this is not a sound assessment of what a national ID is or what PASS ID does.

We need some defined terms, so let’s tease out what he means by “national ID.” (He has told me that there is some distinction between a “national ID,” a “national ID system,” and perhaps a “national ID card,” but the distinction is lost on me. I believe a national ID card is part of a national ID system, both of which are commonly referred to in shorthand as a “national ID.”)

Twice in his testimony, he correctly calls REAL ID a national ID system. The factors that make it so appear to be “the very real possibility that individuals would not be able to function in American society without a REAL ID card” and “giving unfettered discretion to DHS to expand the ‘official purposes’ for which REAL ID cards could be required.”

In my recent post on the subject, I defined a national ID as being a card: 1) nationally uniform in its key elements; 2) the possession of which is either practically or legally required; and 3) that is used for identification.

I think 1) and 3) are both given. Ari’s take on 2) – inability to function without it — and my formulation — practically required — are equivalent, so Ari and I agree on that much.

But is DHS discretion to expand “official purposes” an essential element of a national ID card? I don’t think so.

Let’s say Congress passes a law requiring employers to check a certain card before they hire new workers. What if Congress requires credit issuers to check the card? States require presentation of the card at the voting booth? What if Congress requires pharmacists to check it before selling people cold medicine?

Is this card system saved from being a “national ID system” because someone other than DHS came up with these ideas? Of course not. DHS discretion to expand usage is not what makes an ID system a “national ID system.”

The better definition is what we agree on: A national ID is national, identifying, and practically or legally required, meaning the lack of it disables people from functioning in society.

Do REAL ID and PASS ID differ in ways that make the one a national ID and the other not a national ID? No, and Ari doesn’t say so. He merely says PASS ID would slow national ID mission creep by some margin because it denies DHS some discretion. (PASS ID “[r]emoves from DHS’s authority the ability to unilaterally determine new official purposes for which a PASS ID-compliant card can be required . . . .”)

This is not central to “national ID-ness,” and PASS ID doesn’t actually deny DHS that authority — it simply removes the specific grant of authority in REAL ID. Removing a grant of authority in one law does not deny an agency authority it has elsewhere. (It’s like the difference between “not supporting” and “opposing” something.) DHS and other agencies almost certainly have power under other law to require the IDs they choose for functions that are plausibly related to security or fraud prevention.

I was wrong to assume that it was lack of principle driving CDT and Ari to endorse the PASS ID Act, which revives our moribund national ID law. Other explanations are no more palatable, though, and no other group that I am aware of missed the true import of PASS ID.

Here’s a memorable Bruce Schneier quote to emphasize the importance of opposing a national ID, which so many civil liberties groups are doing:

History will record what we, here in the early decades of the information age, did to foster freedom, liberty and democracy. Did we build information technologies that protected people’s freedoms even during times when society tried to subvert them? Or did we build technologies that could easily be modified to watch and control? It’s bad civic hygiene to build an infrastructure that can be used to facilitate a police state.

No civil liberties group supports PASS ID. CDT can’t claim that mantle while it does.

PASS ID and National ID – Rejoinder to Schwartz is a post from Cato @ Liberty - Cato Institute Blog

The Senate Homeland Security and Governmental Affairs Committee held a hearing yesterday on the REAL ID Act and the REAL ID revival bill, known as PASS ID. I attended and want to share with you some highlights.

Good News!

Little good came from the hearing, as it was primarily focused on how to get the states and people to accept a national ID. But there is some good news.

First, Department of Homeland Security Secretary Janet Napolitano declared REAL ID dead (much as I did in my testimony two-plus years ago). “DOA” is how she referred to it.

She also said that no state will be in compliance with REAL ID by the current December 31, 2009 deadline. This is important because a lot of people think that states doing anything about the security of drivers’ licenses and ID cards are complying with REAL ID.

Another highlight was the commentary of Senator Roland Burris (D-IL). He is a beleaguered outsider to the Senate and evidently wasn’t coached on the talking points around REAL ID and PASS ID. So he flat out asked why we shouldn’t just have “a national ID.”

Senator Susan Collins’ (R-ME) nervous smile was particularly noticeable when Burris asked why the emperor had no clothes. No one was supposed to talk about national IDs at this hearing! But that’s what PASS ID is.

REAL ID and PASS ID are two versions of the same national ID system, and nobody is denying it. That’s good news because the effort to rebrand REAL ID through PASS ID has failed.

A Fake Crisis

Some other issue-framing is worth pointing out. Chairman Lieberman and Secretary Napolitano took pains to point out the importance of acting on PASS ID soon, claiming that the TSA would have to seriously inconvenience travelers with secondary searches at the end of the year if nothing was done.

But this is the same “crisis” that the DHS navigated a little over a year ago. States across the country were refusing to implement REAL ID. The DHS Secretary rattled his saber about inconveniencing travelers. And the DHS Secretary ended up giving all states a deadline extension. Secretary Napolitano will do the same thing if PASS ID fails – saber-rattling included. There is no crisis.

Vermont Governor Jim Douglas Supports a National ID

As I noted above, PASS ID is a national ID, just like REAL ID.

By testifying in support of PASS ID, Vermont governor Jim Douglas (R) put himself on record as supporting a U.S. national ID. He can pretend it’s not a national ID, of course, and he did his best to paper over the issue when Senator Burris asked about it. But Governor Douglas supports a national ID.

There was a time when Republicans stood for resisting federal incursions on state power. In the 104th Congress, the Senate Judiciary Committee had a subcommittee that focused on federalism and the preservation of state power (the Subcommittee on the Constitution, Federalism, and Property Rights). But the National Governors Association, with Douglas at the helm, is now in the process of negotiating the sale of state power over driver licensing and identification policy to the federal government.

Rampant Security Ignorance

The reason why he supports this national ID law, Governor Douglas said, is that he, like every governor, “is a security governor.”

With so many Senators and panelists conjuring security and the 9/11 Commission report, it would be a delight if someone actually examined the security benefits of a national ID. The information is there for them. Again, my testimony to the committee two years ago supplied at least some. Then, I said, “Implementation of REAL ID would impose more costs on our society than it would provide in security or other benefits,” and I articulated how and why a national ID fails to secure.

But Senator Lieberman said he “assumes” REAL ID provides national security benefits. Assumes? He and his staff apparently haven’t familiarized themselves with the level of national security that a national ID would create, taking into account the counterattacks and complications of such a system.

Five years after the vaunted 9/11 Commission report – and the three-quarters of a page it devoted to identity security – Senator Lieberman, the chairman of a committee dealing with domestic security, has yet to look into the merits.

In case Senator Lieberman needs some help . . .

I’m So Sick of the 9/11 Commission Report!

Speaking of the 9/11 Commission, it has been five years since that report came out, and people continue to parrot the line that REAL ID was a “key 9/11 Commission recommendation.”

The 9/11 Commission dedicated three-quarters of a page to the question of identity security, out of 400+ substantive pages. Its entire treatment of the subject is on page 390.

The 9/11 Commission did not articulate how a national ID system would defeat future terror attacks. It did not even articulate how a national ID would have defeated the 9/11 attacks had it been in place. A minor shift in behavior by the 9/11 attackers, such as using their passports to board planes, would have defeated REAL ID and PASS ID, were we somehow allowed “do-overs.”

We are not allowed “do-overs,” and the problem we face is not 9/11, but securing against current and future threats – including people who might shift their behavior in light of security measures we take.

These shifts in behavior might include taking a few extra steps to get the documentation they need, for access to the country or targets. These shifts in behavior might include attacking targets that do not require documentation. Identity-based security is a Maginot Line.

The 9/11 Commission report was written at a time when little research on identity-based security had been done. It was written by fallible humans who knew little about identity-based security, and who got it wrong. The report is not a religious text.

The report did say something important, though: “For terrorists, travel documents are as important as weapons”! (page 384) It’s a terrific turn of phrase because it shuts down the logic centers in the brain – eek, terrorists! – and ends the discussion.

The “travel documents” the report was talking about, though, were passports and visas, not drivers’ licenses and birth certificates – the things foreign terrorists use to get into the country. If we’re going to turn the driver’s license into an internal passport – and TSA checkpoints are the beginning of such a policy – then perhaps these are travel documents. Just, please, Secretary Napolitano, train your TSA agents to not say, “Your papers, please.”

Even as to international travel documents, though, the 9/11 Commission got it wrong. Weapons are the only things as important as weapons. And the 9/11 terrorists didn’t actually use weapons any more substantial than box cutters. They “weaponized” a non-weapon. (Security is complicated, you see.)

Denying terrorists travel documents, drivers’ licenses, and IDs simply presents them some inconveniences – such as using people with no record of terrorism. Seventeen of nineteen 9/11 attackers were unknown to U.S. officials as threats, so it’s obviously not that much of an inconvenience.

Evading identity-based security is so easy. People do it all the time. And it won’t stop under anyone’s version of a national ID. But the 9/11 Commission said . . . !

Something New to Worry About

Much of the national ID battle happens at the federal level with these national ID laws, of course, but it’s important to realize that federal officials, state officials, companies, and non-profit groups are working to knit together a cradle-to-grave national ID system no matter what happens with REAL ID and PASS ID.

Here’s one worth highlighting: Thirteen states apparently are already scanning, or have scanned, their birth certificates into databases for use in the national ID system. The effort is being led by the National Association for Public Health Statistics and Information Systems in Silver Spring, Maryland. This group will undoubtedly have access to your private health information should federal e-health records be implemented, so you might want to familiarize yourself with them.

Is your state one of them? How many copies of your birth certificate can be found in how many places around the country? You might want to ask your state legislators about that. The future of this effort is to collect biometrics at birth, of course. This is a privacy problem.

But maybe all the privacy concerns have been taken care of. The proponents of REAL/PASS ID found themselves a fig leaf on that score.

Token Cover on Privacy Issues

Ari Schwartz from the Center for Democracy and Technology testified in favor of PASS ID. (Senator Akaka noted in his opening statement that CDT endorses PASS ID.)

He characterized opponents of REAL/PASS ID as wanting to “do nothing.” It’s a classic ploy – but cheaper than we’re used to seeing from Ari and CDT – to mischaracterize opponents as wanting to “do nothing.” As Ari knows well, I have advocated endlessly for a diverse and competitive identification and credentialing system that would provide all the security ID systems can, without government surveillance.

But Ari testified imaginatively about how PASS ID makes a national ID okay. He has concerns with it, of course, yadda yadda yadda – the privacy fig leaf obliged to wear a fig leaf himself.

And this is the unexpected bad news from the hearing. The Center for Democracy and Technology supports having a national ID in the United States.

Many would find this inexplicable, but it’s not. Though the people who work at CDT personally want very much to do the right thing, there are no principles to the organization beside compromise and having a seat at the table (neither of which are actually principles, of course).

CDT plays a wonderful convening role on many issues, and the name of the organization implies that it reconciles technology programs with fundamental societal values. But here it has given political cover to the push for a national ID in the United States. One can’t help wondering if there is anything that would cause CDT to push back from the table and say No.

Review of the Big REAL ID Hearing is a post from Cato @ Liberty - Cato Institute Blog

I’ve written about PASS ID here a couple of times before – first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.

The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.

“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.

Interstate Data Sharing?

First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.

Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.

How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.

Just like REAL ID, PASS ID would require states to share driver data on a very large scale. It just doesn’t say so. As with REAL ID, the security weaknesses of any one state’s operations would accrue to the harm of all others.

Mission Creep?

Second, CDT says that PASS ID “[l]imits the ‘official purposes’ for which federal agencies can demand a PASS ID driver’s license, thereby helping prevent ‘mission creep.’” Again, it’s technically true, but materially false.

REAL ID had an open-ended list of “official purposes” – things that the homeland security secretary could require a REAL ID for. PASS ID is not so open-ended, but that is a small impediment to only one form of mission creep.

PASS ID places no limits on how the DHS, other agencies, and states could use the national ID to regulate the population. It simply requires the DHS to use PASS ID for certain purposes. A simple law change or amendment to existing regulation would expand those uses to give the federal government control over access to employment, access to credit cards, voting – CDT’s own PolicyBeta blog called a plan to use REAL ID to control cold medicine a “terrifying” example of mission creep. And these are just the ideas that have already been floated.

When I testified before the Senate Judiciary Committee on REAL ID in May 2007, I spoke about what we had recently heard in a meeting of the DHS Privacy Committee:

Ann Collins, the Registrar of Motor Vehicles from the State of Massachusetts, . . . said, “If you build it, they will come.” What she meant by that is that if you compile deep data bases of information about every driver, uses for it will be found. The Department of Homeland Security will find uses for it. Every agency that wants to control, manipulate, and affect people’s lives will say, “There is our easiest place to go. That is our path of least resistance.”

PASS ID is the same medium for mission creep that REAL ID is. The problem is with having a national ID at all – not with what its enabling legislation says.

Privacy Protections?

Next, CDT says that PASS ID requires “privacy and security protections for PII stored in back-end motor vehicle databases.” (“PII” means “personally identifiable information.”)

A glaring oversight of REAL ID – and the competition for glaring oversights was fierce – was to omit any requirement for privacy and security of the databases states would maintain and share on behalf of the federal government. The DHS took pains in the REAL ID rulemaking to drain this swamp. It tried to require minimal information collection for identity verification and minimal information display on the card and in the machine readable zone. (It failed in important ways, as I will discuss below.) The REAL ID regulation required states to file security plans that would explain how the state would protect personally identifiable information. And it said it would produce a set of “Privacy and Security Best Practices.” None of this mollified REAL ID opponents, and the privacy bromides in the PASS ID Act won’t either.

One of the more interesting privacy “protections” in the PASS ID Act is a requirement that individuals may access, amend, and correct their own personally identifiable information. This is a new and different security/identity fraud challenge not found in REAL ID, and the states have no idea what they’re getting themselves into if they try to implement such a thing. A May 2000 report from a panel of experts convened by the Federal Trade Commission was bowled over by the complexity of trying to secure information while giving people access to it. Nowhere is that tension more acute than in giving the public access to basic identity information.

The privacy language in the PASS ID Act is a welcome change to REAL ID’s gross error on that score. At least there’s privacy language! But creating a national identity system that is privacy protective is like trying to make water that isn’t wet.

Limits on Use of Card Data?

CDT’s final defense of PASS ID is the presence of meager limits on how data collected from national ID cards will be used. Much like with mission creep, the statutory language is beside the point, but CDT points out that PASS ID “prohibits states from including the cardholder’s social security number in the MRZ and places limits on the storage, use, and re-disclosure of that information.”

“MRZ” stands for “machine-readable zone.” In the PASS Act and REAL ID Act, this is referred to as “machine-readable technology,” and in the REAL ID rulemaking, the DHS selected a 2D barcode standard for the back of REAL ID licenses and IDs. Think of government officials scanning your license the way grocery clerks scan your toilet paper and canned peaches.

It’s true that the PASS ID Act bars states from including the Social Security number in that easily scanable data, but it doesn’t prohibit anything else from being scanned – including race, which was included in DHS’ standard for REAL ID.

And don’t think that limits on the storage, use, and re-disclosure of card information would have any teeth. It would create a new crime: scanning licenses, reselling or trading information from them, or tracking holders of them “without lawful authority,” but it’s not clear what “without lawful authority” means. It would probably allow people to give implied permission for all this data-collection and -sharing by handing their cards to someone else. It would certainly allow governments to authorize themselves to collect and trade data from cards en masse.

Not that we should want this “protection.” The last thing we need is another obtusely defined federal crime. Nearly as bad as being required to carry a national ID is making it illegal for people to collect information from it when you want them to!

And in Some Ways PASS ID is Worse

But let’s talk some more about that machine-readable zone. When Congress passed REAL ID, suspicion was strong that the “MRZ” would be an RFID chip – a tiny computer chip that can be read remotely by radio.

Recognizing the insecurity of such devices – and the strong public opposition to it – DHS declined to adopt RFID for the REAL ID Act. It did, however, work with a few states and the U.S. State Department to develop an RFID-chipped license that it calls the “enhanced driver’s license.” This has a long read-range chip that will signal its presence to readers as much as fifteen or twenty feet away. The convenience gain DHS and State sought for themselves at the border would be a privacy loss, as scanning cards could become commonplace in doorways and other bottlenecks throughout the country – your whereabouts recorded regularly, as a matter of course, by public and private entities.

Why do we care about “enhanced drivers licenses”? Because the PASS ID Act would ratify them for use as national IDs. States could push their residents into using these chipped cards if they didn’t want to implement every last detail of PASS ID.

Needless to say, ID cards with long-distance (including surreptitious) tracking are a step backward for privacy. This is one sense in which PASS ID is worse than REAL ID.

Consider more carefully also what PASS ID and REAL ID are about in terms of biometrics. Both require states to “[s]ubject each person applying for a driver’s license or identification card to mandatory facial image capture.”

States across the country are using driver license photos to implement facial-recognition software that will ultimately be able to track people directly – nevermind whether you have an RFID-chipped license or show your card to a government official. They are aiming at preventing identity fraud, of course, but with advancing technology, before too long you will be subject to biometric tracking simply because you posed for an unsmiling digital photo at the DMV. REAL ID and PASS ID are part and parcel of promoting that.

Does PASS ID address “most of the major privacy and security concerns with REAL ID”? Not even close. PASS ID is a national ID, with all the privacy consequences that go with that.

Changing the name of REAL ID to something else is not an alternative to scrapping it. Scrapping REAL ID is something Senator Akaka (D-HI) proposed in the last Congress. Fixing REAL ID is an impossibility, and PASS ID does not do that.

Does the PASS ID Act Protect Privacy? is a post from Cato @ Liberty - Cato Institute Blog

Department of Homeland Security Secretary Janet Napolitano has been all over the map on national ID issues. As governor of Arizona, she signed a memorandum of understanding with the Bush DHS to implement “enhanced driver’s licenses” in her state. These are licenses with long-range RFID chips built into them. But then she turned around and signed legislation barring implementation of the REAL ID Act in Arizona.

Now, having taken federal office, she again favors REAL ID — or at least under its new name: PASS ID. (Her efforts to put distance between REAL ID and PASS ID have not borne fruit.)

In some respects, PASS ID is worse than REAL ID. It would give congressional approval to the “enhanced driver’s license” program — invented by DHS and State Department bureaucrats to do long-range (and potentially surreptitious) identification of people holding this type of card. Back home, the Arizona legislature has just passed a bill to prohibit the state from implementing EDLs.

So the former governor of Arizona, who has both supported and rejected national ID programs, now supports a bill to approve the national ID program her home state rejects. Napolitano seems to be taking the national ID tar baby in a loving embrace.

Calling Secretary Napolitano: Arizona to Reject EDLs is a post from Cato @ Liberty - Cato Institute Blog

It’s a given that, once in place, a national ID would be used for additional purposes.

In case you needed proof, on Wednesday, Senator David Vitter (R-LA) offered an amendment to H.R. 627, the Credit Cardholders’ Bill of Rights Act of 2009, requiring the Federal Reserve to impose federal identification standards on the opening of new credit accounts. Among the limited forms of ID credit issuers could accept are REAL ID cards, produced under the moribund national ID law. (Vitter may not realize that REAL ID is in collapse.)

To compound things, his amendment would require credit issuers to run new credit card applicants past terrorist watch-lists. The sense of normalcy, efficiency, and common sense that makes airports so pleasurable to visit today would infect our financial services system. Oh joy.

National ID Mission Creep is a post from Cato @ Liberty - Cato Institute Blog

The Heritage Foundation’s “The Foundry” blog has a post up called “Questions for Secretary Napolitano: Real ID.”

Honest advocates on two sides of an issue can come to almost perfectly opposite views, and this provides an example, because I find the post confused, wrong, or misleading in nearly every respect.

Let’s give it a brief fisking. Below, the language from the post is in italics, and my comments are in roman text:

Does the Obama Administration support the implementation of the Real ID Act?

(Hope not . . . .)

Congress has passed two bills that set Real ID standards for driver’s licenses in all U.S. jurisdictions.

REAL ID was a federal law that Congress passed in haste as an attachment to a military spending bill in early 2005. To me, “REAL ID standards” are the standards in the REAL ID Act. I’m not sure what other bill the post refers to.

Given the legitimate fear of REAL ID creating a federal national ID database, section 547 of the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009 barred the creation of a new federal database or federal access to state databases with the funds in that bill. (Thus, these things will be done with other funds later.)

The Court Security Improvement Act allowed federal judges and Supreme Court Justices to withhold their addresses from the REAL ID database system, evidently because the courts don’t believe the databases would be secure.

And in the last Congress, bills were introduced to repeal REAL ID in both the House and Senate. Congress has been backing away from REAL ID since it was rammed through, with Senators like Joe Lieberman (I-CT) calling REAL ID unworkable.

It’s unclear what the import of the sentence is, but if it’s trying to convey that there is a settled consensus around the REAL ID law, that is not supported by its treatment in Congress.

The Real ID legislation does not create a federal identification card, but it does set minimum security standards for driver’s licenses.

This sentence is correct, but deceptive.

REAL ID sets federal standards for state identification cards and drivers’ licenses, refusing them federal acceptance if they don’t meet these standards. Among those standards is uniformity in the data elements and a nationally standardized machine readable technology. Interoperable databases and easily scanned cards mean that state-issued cards would be the functional equivalent of a federally issued card.

People won’t be fooled if their national ID cards have the flags of their home states on them. When I testified to the Michigan legislature in 2007, I parodied the argument that a state-issued card is not a national ID card: “My car didn’t hit you — the bumper did!”

All states have either agreed to comply with these standards or have applied for an extension of the deadline.

It’s true that all states have either moved toward complying or not, but that’s not very informative. What matters is that a dozen states have passed legislation barring their own participation in the national ID plan. A couple of states received deadline extensions from the Department of Homeland Security despite refusing to ask for them. Things are not going well for REAL ID.

Secure identification cards will make fraudulent documents more difficult to obtain and will also simplify employers’ efforts to check documents when verifying employer eligibility.

It’s true that REAL ID would make it a little bit harder to get – or actually to use – fraudulent documents, because it would add some very expensive checks into the processes states use when they issue cards.

It’s not secure identification cards that make fraudulent documents harder to obtain – the author of this post has the security problems jumbled. But, worse, he or she excludes mentioning that a national ID makes it more valuable to use fraudulent documents. When a thing is made harder to do, but proportionally more valuable to do, you’ll see more of it. REAL ID is not a recipe for a secure identity system; it’s a recipe for a more expensive and invasive, but less secure identity system.

Speaking of invasive, this sentence is a confession that REAL ID is meant to facilitate background checks on American workers before they can work. This is a process I wrote about in a paper subtitled “Franz Kafka’s Solution to Illegal Immigration.” The dream of easy federal background checks on all American workers will never materialize, and we wouldn’t want that power in the hands of the federal government even if we could have it.

Real ID is a sensible protection against identify fraud.

The Department of Homeland Security’s own economic analysis of REAL ID noted that only 28% of all reported incidents of identity theft in 2005 required the presentation of an identification document like a driver’s license. And it said REAL ID would reduce those frauds “only to the extent that the [REAL ID] rulemaking leads to incidental and required use of REAL ID documents in everyday transactions, which is an impact that also depends on decisions made by State and local governments and the private sector.”

Translation: REAL ID would have a small, but speculative effect on identity fraud.

Congress is set to introduce legislation next week that could largely repeal the Real ID.

The bill I’ve seen is structured just like REAL ID was, and it requires states to create a national ID just like REAL ID did. REAL ID is dying, but the bill would revive REAL ID, trying to give it a different name.

Some groups oppose this version of REAL ID because it takes longer to drive all Americans into a national ID system and frustrates their plans to do background checks on all American workers. But it’s still the REAL ID Act’s basic plan for a national ID.

The Administration should put pressure on Congress to ensure that this legislation does not effectively eliminate the Real ID standards.

Why the administration would pressure Congress to maintain the national ID law in place – by any name – is beyond me. REAL ID is unworkable, unwanted, and unfixable.

Homeland Security Secretary Janet Napolitano signed legislation as Arizona’s governor to reject the REAL ID Act. Her predecessor at DHS, Michael Chertoff, talked tough about implementing the law but came up just shy of lighting the paper bag in which he left it on Napolitano’s doorstep.

The REAL ID revival bill that is being so widely discussed is likely to be both the national ID plan that so many states have already rejected and deeply unsatisfying to the anti-immigrant crowd. Congress rarely fails to grasp a lose-lose opportunity like this, so I expect it will be introduced and to see it’s sponsors award themselves a great deal of self-congratulations for their courageous work. You can expect that to receive a fisking here too.

Questions for Heritage: REAL ID is a post from Cato @ Liberty - Cato Institute Blog

CNN wrote an exciting headline on Wednesday: “Homeland Security Chief Seeks to Repeal Real ID Act.” What they left out was that the replacement would be . . . the REAL ID Act.

Intentionally or not, Secretary of Homeland Security Janet Napolitano has created the impression that the national ID law might go away. But simply renaming the Department of Homeland Security’s national ID program is not a repeal of REAL ID.

The REAL ID revival bill that has been circulating is the same national identification and tracking system with a few of the sharpest corners taken off and the hope of federal money held out to up-to-now recalcitrant states. The REAL ID revival bill would corral every American citizen into the national ID system to try and attack illegal immigrants.

Bills to repeal REAL ID were introduced in the previous Congress, but they did not move because the Bush administration and Chertoff DHS would have eagerly demagogued the issue. Those political conditions no longer hold. And just 10 months ago, Secretary Chertoff delayed the implementation of REAL ID without bringing any political repercussions to the Bush administration whatsoever. Secretary Napolitano can do the same if Congress fails to truly repeal REAL ID, as it should.

“. . . and Replace It with REAL ID” is a post from Cato @ Liberty - Cato Institute Blog