‘Has Any of This Made Us Safer?’
In the November 6th Washington Post, Petula Dvorak lamented the effect of REAL ID compliance on women who have changed their names. The Department of Homeland Security is about to give out blanket waivers to states across the country who have not complied with REAL ID requirements — again. But some states have been making it harder to get licenses because of the national ID standards they still think are coming.
“I doubt the most notorious terrorists of our time — the Sept. 11 hijackers, Timothy McVeigh — would have been stopped by these new DMV requirements,” Dvorak writes. ”All these laws have done is make us more harried, more paranoid and more red-faced than ever.”
Filed under: Foreign Policy and National Security; Telecom, Internet & Information Policy
Startling Incompetence at ANSI Standards Group
I have always regarded standard-setting organizations as serious players who take care to keep slightly boring the work of establishing uniformity in products and protocols. But a press release from the American National Standards Institute (ANSI) may cause me to reassess.
“IDSP Issues Report Calling for National Identity Verification Standard” is the release, and it’s bristling with error and malformed policy assertions. IDSP is the “Identity Theft Prevention and Identity Management Standards Panel,” an ANSI subgroup.
Take this doozy:
[T]he Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) and the REAL ID Act of 2005 require verification of identity prior to the issuance of birth certificates and driver’s licenses / ID cards, respectively. However, the IRTPA regulations have not yet been released even in draft form and the REAL ID regulations do not provide practical guidance on how to corroborate a claim of identity under different circumstances.
Folks, REAL ID repealed the identity security provisions in the Intelligence Reform and Terrorism Prevention Act. (It’s a good bet that regulations for a repealed law aren’t going to move out of draft form for a very long time, eh?) And REAL ID does not require verification of identity prior to issuance of birth certificates. What could that even mean?! “Hey you—little baby—let me see some ID before I issue you your birth certificate.”
The release repeats the tired mantra that 9/11 terrorists got U.S. identity documents—”some by fraud.” The 9/11 Commission dedicated three-quarters of a page to its identity recommendations—out of 400 substantive pages—and neither the commission nor anyone since has shown how denying people U.S. identity documents would prevent terrorism.
Are there needs for identity standards? Of course. And there are a lot of projects in a lot of places working on that. If an organization doesn’t know the law, and doesn’t know how the subject matter it’s dealing with functions in society, I don’t know how it could possibly be relied on to set appropriate standards.
ANSI should take a look at this subgroup and see if its work is actually competent. Judging by this press release, it’s not.
Recapping the Costs of the REAL ID Revival Bill
In late July, the Senate Homeland Security and Governmental Affairs Committee passed a new version of PASS ID, the REAL ID revival bill. I’ve posted about various dimensions of it: the national ID question, the politics of PASS ID, whether PASS ID protects privacy, a run-down of the Senate hearing on it, and the inexplicable support of the Center for Democracy and Technology for this national ID law.
Three months later, the committee still has not reported the bill, meaning that the public doesn’t get access to the version the committee passed. (A resolution in the House would require committees there to publish amendments to bills within 24 hours.) But the Congressional Budget Office scored the bill this week. That is often a signal that legislation is on the move.
So it’s a good time to look at costs again. The National Governors Association and the National Conference of State Legislatures both premised their support for PASS ID on the idea that it would reduce costs to states to just $2 billion.
But in July I examined the likely costs of PASS ID and NGA’s cost calculations. To save you a burdensome click, here are some highlights:
The REAL ID Deadline Is Fake
Some state governments have claimed that a pending compliance deadline for REAL ID requires them to tighten up their driver’s licensing procedures consistent with the 2005 national ID law. (But see this.)
In fact, REAL ID is dead and the deadline is fake. More than a dozen states have statutorily barred themselves from complying, and in a rule published Monday the Department of Homeland Security extended the deadline again. This is the same thing it did last May and could easily do indefinitely.
The republic survives, and will survive quite nicely without this or any national ID law.
Filed under: Telecom, Internet & Information Policy; Trade and Immigration
Arizona to Feds: No “Enhanced” Drivers License
Last week, the governor of Arizona signed H.B. 2426, which bars the state from implementing the “enhanced” drivers license (EDL) program.
If the federal REAL ID revival bill (PASS ID) becomes law, it will give congressional approval to EDLs, which up to now have been simply a creation of the federal security and state driver licensing bureaucracies.
As governor of Arizona, the current Secretary of Homeland Security signed a memorandum of understanding with the DHS to implement EDLs, and she backs PASS ID even though she signed an anti-REAL ID bill as governor. As I said before, Secretary Napolitano seems to be taking the national ID tar baby in a loving embrace.
Filed under: Foreign Policy and National Security; Telecom, Internet & Information Policy
Fun With DHS Press Releases!
Let’s fisk a DHS press release! It’s the “Statement by DHS Press Secretary Sara Kuban on Markup of the Pass ID Bill by the Senate Homeland Security and Government Affairs Committee.” Here goes:
On the same day that Secretary Napolitano highlighted the Department’s efforts to combat terrorism and keep our country safe during a speech in New York City,
This part is true: Secretary Napolitano was in New York speaking about terrorism.
Congress took a major step forward on the PASS ID secure identification legislation.
There was a markup of PASS ID in the Homeland Security and Governmental Affairs Committee. It’s a step — not sure how major.
PASS ID is critical national security legislation
People who have studied identity-based security know that knowing people’s identities doesn’t secure against serious threats, so this is exaggeration.
that will break a long-standing stalemate with state governments
Thirteen states have barred themselves by law from implementing REAL ID, the national ID law. DHS hopes that changing the name and offering them money will change their minds.
that has prevented the implementation of a critical 9/11 recommendation to establish national standards for driver’s licenses.
The 9/11 Commission devoted three-quarters of a page to identity security — out of 400+ substantive pages. That’s more of a throwaway recommendation or afterthought. False identification wasn’t a modus operandi in the 9/11 attacks, and the 9/11 Commission didn’t explain how identity would defeat future attacks. (Also, using “critical” twice in the same sentence is a stylistic no-no.)
As the 9/11 Commission report noted, fraudulent identification documents are dangerous weapons for terrorists,
No, it said “travel documents are as important as weapons.” It was talking about passports and visas, not drivers’ licenses. Oh — and it was exaggerating.
but progress has stalled towards securing identification documents under the top-down, proscriptive approach of the REAL ID Act
True, rather than following top-down prescription, states have set their own policies to increase driver’s license security. It’s not necessarily needed, but if they want to they can, and they don’t need federal conscription of their DMVs to do it.
– an approach that has led thirteen states to enact legislation prohibiting compliance with the Act.
“. . . which is why we’re trying to get it passed again with a different name!”
Rather than a continuing stalemate with the states,
Non-compliant states stared Secretary Chertoff down when he threatened to disrupt their residents’ air travel, and they can do the same to Secretary Napolitano.
PASS ID provides crucial security gains now by establishing common security standards for driver’s licenses
Weak security gains, possibly in five years. In computer science — to which identification and credentialing is akin — monoculture is regarded as a source of vulnerability.
and a path forward for ensuring that states can electronically verify source documents, including birth certificates.
We’re on the way to that cradle-to-grave biometric tracking system that will give government so much power over every single citizen and resident.
See? That was fun!
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Assessing the Claim that CDT Opposes a National ID
It was good of Ari Schwartz to respond last week to my recent post querying whether the Center for Democracy and Technology outright opposes a national ID or simply “does not support” one.
Ari says CDT does oppose a national ID, and I believe that he honestly believes that. But it’s worth taking a look at whether the group’s actions are consistent with opposition to a national ID. I believe CDT’s actions — most recently its support of the PASS ID Act — support the creation of a national ID.
(The title of his post and some of his commentary suggest I have engaged in rhetorical excess and mischaracterized his views. Please do judge for yourself whether I’m being shrill or unfair, which is not my intention.)
First I want to address an unusual claim of Ari’s — that we already have a national ID system. If that is true, his support for PASS ID is more sensible because it is an opportunity to inject federal privacy protections into the existing system (putting aside whether it is a federal responsibility to manage a state system or systems).
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Would PASS ID Really Save States Money?
The proposed PASS ID Act is a national ID just like REAL ID, and it threatens privacy just as much. Some argue that a national ID under PASS ID should be palatable, though, because it reduces costs to states.
But savings to states under PASS ID are not at all clear. Let’s take a look at the costs of creating a U.S. national ID.
The REAL ID Act, passed in May 2005, required states to begin implementing a national ID system within three years. In regulations it proposed in March 2007, the Department of Homeland Security extended that draconian deadline. States would have five years, starting in May 2008, to move all driver’s license and ID card holders into REAL ID-compliant cards.
The Department of Homeland Security estimated the costs for this project at $17.2 billion dollars (net present value, 7% discount). Costs to individuals came it at nearly $6 billion – mostly in wasted time. Americans would spend more than 250 million hours filling out forms, finding birth certificates and Social Security cards, and waiting in line at the DMV.
The bulk of the costs fell on state governments, though: nearly $11 billion dollars. The top three expenditures were $5.25 billion for customer service at DMVs, $4 billion for card production, and $1.1 billion for data systems and IT. Getting hundreds of millions of people through DMVs and issuing them new cards in such a short time was the bulk of the cost.
To drive down the cost estimate, DHS pushed the implementation schedule way back. In its final rule of January 2008, it allowed states a deadline extension to December 31, 2009 just for the asking, and a second extension to May 2011 for meeting certain milestones. Then states would have until the end of 2017 to replace all cards with the national ID card. That’s just under ten years.
Then the DHS decided to assume that only 75% of people would actually get the national ID. (Never mind that whatever benefits from having a national ID drop to near zero if it is not actually “national.”)
The result was a total cost estimate of about $6.85 billion (net present value, 7% discount). Individual citizens would still spend $5.2 billion worth of their time (in undiscounted dollars) on paperwork and waiting at the DMV. But states would spend just $1.5 billion on data and interconnectivity systems; $970 million on customer service; and $953 million on card production and issuance—a total of about $2.4 billion. (All undiscounted—DHS didn’t publish estimates for the final rule the same way it published their estimates for the proposed rule.)
Maybe these cost estimates were still too high. Maybe they weren’t believable. Or maybe Americans’ love of privacy and hatred of a national ID explains it. But the lower cost estimate did not slow the “REAL ID Rebellion.” Given the costs, the complexity, the privacy consequences, and the dubious benefits, states rejected REAL ID.
Enter PASS ID, which supposedly alleviates the costs to states of REAL ID. But would it?
At a Senate hearing last week, not one, but two representatives of the National Governors Association testified in favor of PASS ID, citing their internal estimate that implementing PASS ID would cost states just $2 billion.
But there is reason to doubt that figure. PASS ID is a lot more like REAL ID – the original REAL ID – in the way that most affects costs: the implementation schedule.
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
EPIC on PASS ID: a National ID Card
The Electronic Privacy Information Center has produced a very thorough analysis of the PASS ID Act, which would revive the REAL ID national ID program.
The EPIC analysis states flatly, “The bill would establish a national ID card,” and, “The intent of this legislation is to facilitate a National ID system.”
That’s quite a contrast to Ari Schwartz at the Center for Democracy and Technology, who alone believes that PASS ID “prevents the creation of a National ID system.”
PASS ID and National ID – Rejoinder to Schwartz
Ari Schwartz responded in characteristic even tones to my critique of his testimony in favor of the PASS ID Act, which would revive the moribund REAL ID law. It’s worth a rejoinder, and I’ll offer him the same again here if he wishes.
Ari clouds matters slightly by suggesting that my “strong biases” obscure certain facts. I readily admit having a strong bias in favor of liberty — it’s why I do what I do. Ari admits several biases, including one in favor of consensus-building, which was what I accused him of prioritizing over principle. Let’s put aside the question of bias.
It’s good to see Ari state that CDT does not support a national ID system. It would be better to see him state that CDT opposes having a national ID system. (I imagine this is just a matter of word choice, but it would be good to have clarity.)
Next, Ari says his testimony “makes it clear that we believe that PASS ID prevents the creation of a National ID system.” I don’t believe this is clear from his testimony. More importantly, this is not a sound assessment of what a national ID is or what PASS ID does.
We need some defined terms, so let’s tease out what he means by “national ID.” (He has told me that there is some distinction between a “national ID,” a “national ID system,” and perhaps a “national ID card,” but the distinction is lost on me. I believe a national ID card is part of a national ID system, both of which are commonly referred to in shorthand as a “national ID.”)
Twice in his testimony, he correctly calls REAL ID a national ID system. The factors that make it so appear to be “the very real possibility that individuals would not be able to function in American society without a REAL ID card” and “giving unfettered discretion to DHS to expand the ‘official purposes’ for which REAL ID cards could be required.”
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Review of the Big REAL ID Hearing
The Senate Homeland Security and Governmental Affairs Committee held a hearing yesterday on the REAL ID Act and the REAL ID revival bill, known as PASS ID. I attended and want to share with you some highlights.
Good News!
Little good came from the hearing, as it was primarily focused on how to get the states and people to accept a national ID. But there is some good news.
First, Department of Homeland Security Secretary Janet Napolitano declared REAL ID dead (much as I did in my testimony two-plus years ago). “DOA” is how she referred to it.
She also said that no state will be in compliance with REAL ID by the current December 31, 2009 deadline. This is important because a lot of people think that states doing anything about the security of drivers’ licenses and ID cards are complying with REAL ID.
Another highlight was the commentary of Senator Roland Burris (D-IL). He is a beleaguered outsider to the Senate and evidently wasn’t coached on the talking points around REAL ID and PASS ID. So he flat out asked why we shouldn’t just have “a national ID.”
Senator Susan Collins’ (R-ME) nervous smile was particularly noticeable when Burris asked why the emperor had no clothes. No one was supposed to talk about national IDs at this hearing! But that’s what PASS ID is.
REAL ID and PASS ID are two versions of the same national ID system, and nobody is denying it. That’s good news because the effort to rebrand REAL ID through PASS ID has failed.
Does the PASS ID Act Protect Privacy?
I’ve written about PASS ID here a couple of times before – first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.
The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.
“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.
Interstate Data Sharing?
First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.
Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.
How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.
UK Home Secretary Abandons National ID
The UK has been operating in parallel to the United States on the national ID question, and rumors about the collapse of the UK national ID have been circulating for a couple of years.
Now comes word that Home Secretary Alan Johnson will scrap the national ID card system, making it voluntary. When volunteers fail to materialize, it is easy to anticipate that it will disappear entirely.
This is another thing U.S. Homeland Security secretary Janet Napolitano might want to note as she struggles with with national ID issue here.
Filed under: Foreign Policy and National Security; Telecom, Internet & Information Policy
Calling Secretary Napolitano: Arizona to Reject EDLs
Department of Homeland Security Secretary Janet Napolitano has been all over the map on national ID issues. As governor of Arizona, she signed a memorandum of understanding with the Bush DHS to implement “enhanced driver’s licenses” in her state. These are licenses with long-range RFID chips built into them. But then she turned around and signed legislation barring implementation of the REAL ID Act in Arizona.
Now, having taken federal office, she again favors REAL ID — or at least under its new name: PASS ID. (Her efforts to put distance between REAL ID and PASS ID have not borne fruit.)
In some respects, PASS ID is worse than REAL ID. It would give congressional approval to the “enhanced driver’s license” program — invented by DHS and State Department bureaucrats to do long-range (and potentially surreptitious) identification of people holding this type of card. Back home, the Arizona legislature has just passed a bill to prohibit the state from implementing EDLs.
So the former governor of Arizona, who has both supported and rejected national ID programs, now supports a bill to approve the national ID program her home state rejects. Napolitano seems to be taking the national ID tar baby in a loving embrace.
Filed under: Foreign Policy and National Security; Telecom, Internet & Information Policy
“PASS ID: A Real ID Revival in Disguise”
So says Mary Bonventre from the ACLU’s Technology & Liberty Program on the ACLU blog.
Is the REAL ID Revival Bill, “PASS ID,” a National ID?
With the move in the Senate to revive our moribund national ID law, the REAL ID Act, under the name “PASS ID,” it’s important to look at whether we’re still dealing with a national ID law. My assessment is that we are.
First, PASS ID is modeled directly on REAL ID. The structure and major provisions of the two bills are the same. Just like REAL ID, PASS ID sets national standards for identity cards and drivers’ licenses, withholding federal recognition if they are not met.
There is no precise definition of a national identification card or system, of course, but its elements are relatively easy to identify.
First, it is national. That is, it is intended to be used throughout the country, and to be nationally uniform in its key elements. REAL ID and PASS ID have the exact same purpose – to create a nationally uniform identity system.
Second, its possession or use is either practically or legally required. A card or system that is one of many options for proving identity or other information is not a national ID if people can decline to use it and still easily access goods, services, or infrastructure. But if law or regulation make it very difficult to avoid carrying or using a card, this presses it into the national ID category.
Neither REAL ID nor PASS ID directly mandate carrying a card. Doing so would be too obviously a national ID system, and politically unpalatable. But both seek to take advantage of the state driver licensing system, and they do that for a reason: Carrying a driver’s license is a practical requirement in most parts of the country, where the automobile reigns supreme as the mode of travel.
But maybe states would decline to participate. Nothing in the PASS ID Act directly requires states to implement the system, and they are entirely free to issue non-compliant licenses and ID cards. But this was also true of REAL ID – because of the constitutional rule that the federal government cannot commandeer the organs of state government. (The case is New York v. United States.)
What both REAL ID and PASS ID do is make it difficult for state residents to function without their nationally standardized ID. They both require the nationally standardized ID to enter federal facilities (perhaps fewer of them under PASS ID), to access nuclear power plants, and to board aircraft.
But the PASS ID bill has specific language saying that a person can’t be denied boarding because they don’t have a national ID. Isn’t that an improvement? It sounds like it, but that language simply restates the rules that exist under REAL ID.
REAL ID Revival Bill Introduced in Senate
Though it’s not yet available, word has it that a bill to revive the REAL ID Act has been introduced in the Senate.
Its sponsors are an unlikely group: Senators Akaka (D-HI), Tester (D-MT), Baucus (D-MT), Carper (D-CT), Leahy (D-VT), and Voinovich (R-OH). REAL ID was dead in the water, but with a name change and a few burrs taken off, these five senators may just give it life once again.
Watch this space for posts as I analyze the bill and the politics. I’ll examine closely the substance of the “PASS ID Act.” I’ll try to figure out how both Senators from Montana – a state that rejected REAL ID flat out – became leaders in the fight to revive it.
More on the politics: As the stars lined up for repealing REAL ID outright, the Senate negotiated a compromise . . . with nobody. And I’ll look at something everyone is studiously ignoring – whether a national ID (by any name!) would actually do any good for the country!
Trouble With Your National ID? Change the Name!
L-1 Identity Solutions is a leading biometric technology company, and with its acquisition of Digimarc ID Systems it has become the nation’s number one manufacturer of state identity cards and drivers’ licenses. Such a company would benefit massively from implementation of the REAL ID Act, the nation’s moribund national ID law.
But REAL ID is in trouble. No state was in compliance by the May 2008 deadline, and the Department of Homeland Security had to give deadline extensions even to states that flatly refused to participate in the national ID scheme.
So what does the primary beneficiary of the failing REAL ID Act do? Change the name. On a recent earnings call, L-1’s Chairman, President, and Chief Executive Officer, Robert V. LaPenta, was a little too transparent in expressing his optimism about the government ID card buisiness:
We’re well-positioned in all of these opportunities and we’re seeing increased sell prices for those states that are incorporating and I won’t call it real ID, I’ll call it enhanced or higher security drivers license.
“I won’t call it real ID, I’ll call it enhanced or higher security drivers license.”
Enhanced driver’s licenses are a project at the Department of Homeland Security – with no congressional mandate – to move state driver’s licenses toward serving as national ID cards.
So it is with the “PASS Act,” a bill that would revive REAL ID under a different name.
Senator Daniel Akaka (D-HI), formerly an opponent of having a national ID, has been working with the National Governors Association to round down the sharpest corners of REAL ID and give the national ID law a new name.
A news report says the new bill “explicitly prevents the creation of a national identification card.” It might also prevent things that walk like ducks, quack like ducks, and swim like ducks from being called “ducks.”
The only way to resolve the problems with REAL ID is to repeal REAL ID. Reviving the national ID program under another name is not a solution.
National ID Mission Creep
It’s a given that, once in place, a national ID would be used for additional purposes.
In case you needed proof, on Wednesday, Senator David Vitter (R-LA) offered an amendment to H.R. 627, the Credit Cardholders’ Bill of Rights Act of 2009, requiring the Federal Reserve to impose federal identification standards on the opening of new credit accounts. Among the limited forms of ID credit issuers could accept are REAL ID cards, produced under the moribund national ID law. (Vitter may not realize that REAL ID is in collapse.)
To compound things, his amendment would require credit issuers to run new credit card applicants past terrorist watch-lists. The sense of normalcy, efficiency, and common sense that makes airports so pleasurable to visit today would infect our financial services system. Oh joy.
Filed under: Finance, Banking & Monetary Policy; Telecom, Internet & Information Policy
Questions for Heritage: REAL ID
The Heritage Foundation’s “The Foundry” blog has a post up called “Questions for Secretary Napolitano: Real ID.”
Honest advocates on two sides of an issue can come to almost perfectly opposite views, and this provides an example, because I find the post confused, wrong, or misleading in nearly every respect.
Let’s give it a brief fisking. Below, the language from the post is in italics, and my comments are in roman text:
Cato on Facebook
Cato on Twitter
Cato on YouTube
Cato Tweets