Archive for the ‘REAL ID’ Category

California Dreamin’

Tuesday, September 15th, 2015

Stumbling into the embrace of the homeland-security state, California’s state legislature has sent to Governor Jerry Brown a bill which, unless the Governor vetoes it by October 11th, will require that:

[T]he Department [of Motor Vehicles] shall require an applicant for an original driver’s license or identification card to submit satisfactory proof of California residency and that the applicant’s presence in the United States is authorized under federal law.

A.B. 1465 is unnecessary, would create severe problems for many Californians, and would discourage both immigrants to the US and residents of other states from moving to California.

As our friend Jim Harper of the Cato Institute has noted, the intent of  A.B. 1465 appears to be to make it easier for the DHS to claim that California is making “progress” toward compliance with the REAL-ID Act.

Why would Californians want that?

The DHS has repeatedly threatened that if states don’t comply with the REAL-ID Act, including connecting their state drivers license and ID databases to the outsourced REAL-ID “hub” operated by the AAMVA, residents of those states won’t be allowed through Federal checkpoints at airports and at entrances to Federal facilities.

But as we discussed here and here and in this presentation at Cato earlier this year, these threats are hollow.

The TSA allows people to fly without ID every day, despite false notices in airports that ID is required.

As for access to federal buildings, the DHS says that “REAL-ID does not apply to … applying for or receiving Federal benefits, … accessing hospitals and health clinics…, or constitutionally protected activities.”

We’re not sure why else ordinary people would want to access most Federal facilities.


Will the REAL-ID Act deny you access to Federal facilities?

Monday, June 22nd, 2015

As we’ve noted in our previous commentaries on the REAL-ACT in this blog and in our recent presentation at the Cato Institute, there are two components to the threats against individual residents of “noncompliant” states (and territories and the District of Columbia) that are being used by the DHS to try to induce reluctant state governments to incorporate their state drivers license and ID databases to the distributed national REAL-ID database by connecting them to the contractor-operated REAL-ID hub:

  1. Threatened denial of common carrier airline transportation to individuals who present drivers licenses or other ID credentials issued by noncompliant states; and
  2. Threatened denial of access to (certain) Federal facilities to these individuals.

The first of these threats appears to be hollow. The TSA has consistently argued, when demands for ID from air travelers have been challenged in court, that no ID credentials at all are required to fly.

The TSA claims the right to subject any traveler to more intrusive search and interrogation, without probable cause, and may use this arbitrary power against residents of states that don’t comply with the REAL-ID Act. But the TSA appears to realize that it has no legal authority for outright denial of air travel to people who don’t have, or decline to carry or show to the TSA or its contractors, government-issued ID credentials, REAL-ID Act compliant or not.

With respect to its threat to deny access to Federal facilities, the DHS (in its usual fashion of rulemaking by press release) has posted an announcement on its website that this will be implemented in phases determined by the “Federal Security Level” (FSL) assigned to individual facilities.

But what are the facilities, if any, to which these levels have been assigned, and to which individuals with ID from noncompliant states will therefore be denied access? We’ve filed a series of Freedom of Information Act requests to find out.

The responses to our FOIA requests suggest that this prong of the REAL-ID Act enforcement cattle prod is, to mix metaphors, a paper tiger. We’ve been unable to find any Federal facility to which such an FSL has actually been assigned.


Smile for the camera, citizen!

Monday, March 23rd, 2015

The Department of Homeland Security is extending its photography of travelers at US border crossings, ports, and international airports from foreign nationals to US citizens entering and leaving our own country.

On January 5, 2004, under an “interim final rule” for the “US-VISIT” program effective the same day it was published in the Federal Register, agents of US Customs and Border Protection (CBP) began fingerprinting and photographing foreign visitors on their arrival and again on their departure from the US.

At first, only those foreign citizens who required visas to enter the US were given this treatment.  A few countries. starting with Brazil, took this as a sign of their “least favored nation” status with the US government, and reciprocated by photographing and fingerprinting US citizens arriving in and departing from their countries. Many other countries didn’t take things quite so far, but partially reciprocated to the extent of increasing their visa or entry fees for US visitors, or imposing new fees where entry for US tourists had been free, to match the US$135 minimum fee for a tourist or transit visa to the US for citizens of most other countries.

On August 31, 2004, under yet another “interim” rule effective the same day it was published, fingerprinting and photography at US airports and borders was extended to citizens of countries in the US “visa waiver program”.

For the third phase of expansion of US-VISIT fingerprinting and photography of border crossers, the DHS published a notice of proposed rulemaking in 2006, giving organizations and individuals a chance to object before the rules were finalized. But the numerous objections, including ours, were ignored. In December 2008, the DHS promulgated a final rule extending the fingerprinting and photography of visitors to all non-US citizens, including permanent US residents (green-card holders).

Now, without bothering to propose or finalize any new regulations, DHS has announced through a non-binding “Privacy Impact Assessment” (PIA) posted on its website that CBP is already conducting a “Facial Recognition Air Entry Pilot” program under which some unspecified fraction of US citizens entering the US by air are being required to submit to facial photography by CBP agents:

U.S. citizens with U.S. e-passports arriving at air ports of entry testing the technology may be selected to participate in the pilot at port discretion. Individuals that are selected do not have the option to opt out of this process.

Facial recognition software is being used to compare the photos to the digital photos stored on the RFID chips in US citizens’ passports, and to assign a score indicating the robot’s “confidence” that the photo in the passport and the photo taken at the airport depict the same person. “The facial recognition system is a tool to assist CBPOs [CBP officers] in the inspection process.”

The selection is supposedly random, but there is no specified limit on how large the percentage of US citizens subjected to this requirement might be:

Supervisory CBPOs (SCBPO) will set the standard for the random selection criteria and have discretion to change the criteria as needed. For example, the SCBPO may choose to select every fifth traveler but may change to every third or every seventh traveler at his or her discretion.

DHS has a history of prolonging and expanding “tests” as cover for de facto full implementation of controversial requirements. There’s nothing in this PIA to rule out the extension of the “pilot” program to nine out of ten arriving US citizens, or 99 out of 100.

Disturbingly but characteristically, DHS suggests that US citizens returning to our own country can be required to do whatever is necessary to “satisfy” CBP officers:

A person claiming U.S. citizenship must establish that fact to the examining [CBP] officer’s satisfaction [emphasis added] and must present a U.S. passport or alternative documentation as required by 22 CFR part 53. If such applicant for admission fails to satisfy the examining immigration officer that he or she is a U.S. citizen, he or she shall thereafter be inspected as an alien.


REAL-ID Act implementation, enforcement, and resistance

Monday, February 23rd, 2015

Is gradual implementation of the REAL-ID Act cooking us slowly, like frogs who, if the temperature of the water is increased gradually enough, don’t realize that they need to jump out of the pot until it’s too late?

Last month was another of the deadlines set by the Department of Homeland Security for “implementation” and “enforcement” of the REAL-ID Act.  That also makes it time for stepped-up resistance to REAL-ID.

Understanding the meaning of this deadline, and the remaining deadlines to come, requires some background. Below is an overview of what the REAL-ID Act is, how and by whom it will be implemented and enforced, what it means to “comply” with the REAL-ID Act, what we can expect to happen next, and — perphaps most importantly — what we can do, now, to resist it.

The REAL-ID Act of 2005 is a Federal law intended to mandate the creation of a distributed but integrated national database of personal identity records (including birth certificates or alternative “breeder documents” [sic]) linked to state-issued identity credentials. The REAL-ID Act also includes Federal standards for the physical ID cards, including drivers’ licenses or alternative non-driver ID cards, issued by US states and territories. But the real focus is on the database: what data will be included and how it will be normalized and made accessible through a single user query interface.

The Federal government can, and often does, bribe states with Federal funding to do things the way the Feds want. But the REAL-ID Act didn’t include funding for state-level implementation, and was based (like many other DHS programs, such as its multi-billion dollar mandates for modifications to airline IT systems to support surveillance and control of air travelers) on gross underestimates of its cost. In any event, some states strongly opposed the whole idea of a national ID scheme, and would probably have declined to participate even if the Feds had been willing to foot the bill.

The states already manage the issuance of drivers’ licenses and non-driver ID cards, which are most US citizens’ primary government-issued identity credentials.  Setting up a Federally-administered ID credential system would have been vastly more expensive and politically controversial than leaving it to the states.

So the problem for the architects of “REAL-ID” was how to induce all the states and territories to “comply” with goals and standards that would neither be officially binding on the states, nor financed by the Feds.

The workaround for indirect coercion of state governments was to threaten Federal sanctions against individual residents of states that don’t comply with the REAL-ID Act. The sponsors of REAL-ID hoped that these threats would scare voters into lobbying their state legislators’ to bring their states into line with the Feds’ desires.

The REAL-ID Act doesn’t officially “require” states or individuals to do anything.  Its “enforcement” mechanism is a prohibition on acceptance for “Federal purposes” of drivers’ licenses or other ID credentials issued by states or territories that don’t comply with the requirements in the Federal law and the implementing regulations issued by the DHS.

There was still a problem for the DHS and the other backers of REAL-ID, however: How to make the threat of sanctions against residents of “noncompliant” states sufficiently harsh and sufficiently credible to get them to pressure their state governments to comply, without catalyzing a mass movement of grassroots resistance by outraged victims (or potential victims, or their supporters) of those sanctions.

The strategy adopted by the DHS has been to phase in the sanctions very gradually, over a period of many years, starting with those which would have the least significant consequences.  The problem for the DHS is that those threats which are most intimidating are those which would be most likely to provoke blowback against the Feds, and lead to more pressure on Congress to repeal the REAL-ID Act. The result has been a decade-long game of chicken between the DHS and reluctant or resistant state governments.

The DHS won’t (and politically can’t) admit the possibility that states won’t kowtow to its demands. State legislators can’t believe that the DHS would really be able to get away with denying access to Federally-controlled facilities and programs (more on that below) to all residents of noncompliant states, as well as residents of compliant states who are unable and/or unwilling to satisfy the documentary prerequisites for issuance of a REAL-ID compliant ID card.

When states haven’t complied — because they didn’t want to, or because they couldnt’t afford to, or because it was taking longer than expected to develop the infrastructure for the distributed database  — the DHS postponed the deadlines.

It’s been a decade since the REAL-ID act of 2005 was enacted, and most residents of “noncompliant” states have yet to be subjected to any Federal consequences for not having a REAL-ID card.  The criterion for “compliance” is political obeisance and stated or inferred intent, not action. All states that said they intended eventually to comply were deemed to be “compliant”, and given extensions of time to get with the program in practice. Even some states which enacted state laws prohibiting state agencies from implementing REAL-ID procedures have been “certified” by the DHS to be in “constructive compliance” with the required intent to comply.

Is this DHS certiification wishful thinking? What will these states do as the deadlines approach? That remains to be seen, and depends primarily on what individual residents of those states do.


“I don’t want a unitary, unfakeable identity.”

Wednesday, August 27th, 2014

Dan Geer’s keynote speech at the Blackhat security conference earlier this month (video, transcript) included an important discussion of the often-misunderstood “right to be forgotten” and the larger context of why it matters: the threat posed by compelled identification, and how we can defend ourselves against that threat:

Privacy used to be proportional to that which it is impossible to observe or that which can be observed but not identified.  No more — what is today observable and identifiable kills both privacy as impossible-to-observe and privacy as impossible-to-identify, so what might be an alternative?  If you are an optimist or an apparatchik, then your answer will tend toward rules of data procedure administered by a government you trust or control.  If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be my definition: the effective capacity to misrepresent yourself…

The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace [NSTIC] is a case in point; it “calls for the development of interoperable technology standards and policies — an ‘Identity Ecosystem’ — where individuals, organizations, and underlying infrastructure — such as routers and servers — can be authoritatively authenticated.”  If you can trust a digital identity, that is because it can’t be faked…. Is having a non-fake-able digital identity for government services worth the registration of your remaining secrets with that government?  Is there any real difference between a system that permits easy, secure, identity-based services and a surveillance system? Do you trust those who hold surveillance data on you over the long haul, by which I mean the indefinite retention of transactional data between government services and you, the individual required to proffer a non-fake-able identity to engage in those transactions?  Assuming this spreads well beyond the public sector, which is its designers’ intent, do you want this everywhere?…

I conclude that a unitary, unfakeable digital identity is no bargain and that I don’t want one.  I want to choose whether to misrepresent myself.  I may rarely use that, but it is my right to do so.  If that right vanishes into the panopticon, I have lost something and, in my view, gained next to nothing. In that regard, and acknowledging that it is a baby step, I conclude that the EU’s “Right to be Forgotten” is both appropriate and advantageous though it does not go far enough.  Being forgotten is consistent with moving to a new town to start over, to changing your name, to a definition of privacy that turns on whether you do or do not retain the effective capacity to misrepresent yourself…. A right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing now, observability that changes the very quality of what “in public” means….

There’s more: video, transcript.

Mr. Geer’s comments help answer one of the questions we are most frequently asked: What’s Wrong With Showing ID?


Another brick in the (falling) REAL-ID wall

Wednesday, August 13th, 2014

July 21, 2014 marked “Phase 2″ of implementation of the REAL-ID Act.

What does this mean, and does it matter?

As of July 21, drivers’ licenses and other state ID credentials issued by US states or territories that haven’t been certified by the DHS to comply with the REAL-ID Act cannot be accepted by Federal agencies for access to ID-controlled “restricted” areas of Federal facilities (”i.e., areas accessible by agency personnel, contractors, and their guests”).

Because Federal agencies typically issue their own ID credentials to their own employees and regular contractors, this will mostly affect occasional visitors to Federal facilities. NASA, for example, which has facilities in states that have not been certified by DHS as sufficiently compliant, has issued this advice to would-be visitors:

Effective July 21, 2014, the implementation of Phase II of the Real-ID Act (2005) restricts the use of state ID from non-compliant states (including New York) as an acceptable form of identification for federal facilities (including NASA GISS). If you are intending to visit GISS and only have a standard drivers license from a non-compliant state, please ensure that you have a second form of ID (passport, military ID, etc.) to avoid unnecessary complications.

It isn’t clear from this notice, or others we’ve seen, what these “unnecessary complications” will amount to. Visitors with ID credentials from non-compliant states will, presumably, be treated as visitors without “valid” state ID credentials, but that begs the questions of whether or on what basis they will be allowed entry after additional scrutiny or some form of alternate ID verification, allowed entry but only if escorted by staff and not allowed unescorted, or denied entry entirely.

In its eseence, the REAL-ID Act was intended to mandate the creation of a distributed national identity card system. The key “compliance” requirement for states and territories is participation in a linked, distributed database of ID-card and biometric information about all ID cardholders nationwide.

The intent of the Federal law is to force states to particpate in (and absorb the cost of) this scheme, sparing the Feds the costs and hassle of issuing national ID cards and providing (implausible) deniability as to whether it’s a “national ID” at all: “See, it’s not a ‘national’ ID card. It’s still issued by your state.”

But since the Feds probably don’t have jurisdiction over state issuance of drivers’ licenses or state ID cards, the REAL-ID Act relies on threats, rather than direct orders, to extort compliance by states resistant to registering their citizens and residents in a national ID database.


California considers “enhancing” drivers licenses with radio tracking beacons

Thursday, August 22nd, 2013

California’s legislature is considering a bill to authorize adding radio tracking beacons to drivers licenses and state non-driver ID cards.

Each such card would broadcast a unique tracking number which could legally be intercepted by anyone with a suitable radio transceiver within range, and which would be linked to a national DHS database of drivers license, state ID card, and citizenship information.

The tracking beacons are designed to allow the tracking numbers on ID cards carried by travelers in motor vehicles to be read from outside their vehicles as they approach or pass through checkpoints.

Independent academic studies of actual ID cards issued by other states, using the same standards proposed for use in California, have found that they can sometimes be read from more than 50 yards away.

S.B. 397 has already been approved by the California Senate, and is now under consideration in the Assembly. Because it has been amended by the Assembly, it will need to be reconsidered by the Senate (to decide whether to accept the Assembly amendments) if and when it is approved by the Assembly.

To date, S.B. 397 has been largely unopposed in the California legislature, and it is likely to be approved unless legislators start hearing a groundswell of opposition from their constituents.

What excuse is being offered for this scheme? And what’s its real purpose?


The facts on the ground in Arizona

Friday, November 16th, 2012

Don’t trust, and don’t verify“, would seem to be the motto of authorities in Arizona when it comes to demands for documents and “proof” of citizenship and status — if your skin is brown.

Arizona’s SB1070 requires police, in certain circumstances, to “attempt” to determine your immigration status. But that obligation on the police does not create any obligation on individuals. In its initial decision on SB1070, the Supreme Court made clear that this provision of the law cannot Constitutionally be used as the basis to detain people without some other lawful basis.

Actions on the ground in Arizona, however, suggest that in practice the burden of proof is being placed on (brown-skinned) Arizonans to prove that they are “not illegal”, on pain of prolonged detention on the basis of mere suspicion (and regardless of the weight of the actual evidence).

The Phoenix New Times has been following the case of Briseira Torres.  She was born (at her mother’s home, which the Department of State seems to find inherently suspicious) in Arizona, and her birth was registered (albeit late, as is common for home births) with the Arizona Office of Vital Records.

One doesn’t have to be registered with the government to be born, or to be a US citizen. But that didn’t stand in the way of Arizona and US authorities.  When Torres went to the Federal Building to apply for a passport for her daughter, after submitting a copy of her own birth certificate as evidence of her daughter’s US citizenship by birth, the State Department employees at the passport office called in Arizona state law enforcement officers to help interrogate Ms. Torres.

Eventually, on the theory that the original registration of Ms. Torres’ home birth had been falsified, the Feds turned her over to state authorities, who had her indicted (withholding from the grand jury the state’s official record of her valid birth certificate, and falsely claiming to the grand jury that her birth registration had been “cancelled”)  for fraud.  She was jailed for 4 1/2 months, during which time she was separated from her child and lost her home and car because she couldn’t make the payments on them, before she got a lawyer and the state withdrew the charges.

Now, to try to retroactively justify their deprivation of Ms. Torres’ rights, state officials have initiated a newly-created administrative process to revoke the registration of her birth.

In other words, the state of Arizona wants to “un-birth” Ms. Torres — at age 31.

We’re glad Ms. Torres has a lawyer, and we hope she collects substantial damages from both Arizona state and county officials and the State Department “special agent” who initially detained her, called in the state cops, and eventually turned her over to their custody.

This incident began with Ms. Torres being called in to answer questions about her passport application for her daughter. The role of the Passport Office and other State Department employees shows exactly why we are so concerned about the State Department’s proposed new questionnaire for passport applicants.

Government “un-birthing” of citizens isn’t the only strange thing going on in Arizona, unfortunately.

At the Deconcini border crossing between the central business districts of Nogales, Arizona, and Nogales, Sonora, US Customs and Border protection is requiring some “trusted travelers” to submit to interrogation by allegedly lie-detecting robots developed (with DHS grant money, we presume) by the National Center for Border Security and Immigration at the University of Arizona.

If the robot thinks you are lying, “a more through interview would follow”, according to news reports.

But Ms. Torres’ example shows that if a human Fed in Arizona thinks you are lying about your papers, they will detain you and turn you over to the state of Arizona to be locked up without bail for months, without bothering even to look at your actual papers (not that you have to have any “papers” in the first place to be born or have rights).

In that light, we hope courts will look skeptically at the legality of prolonging the detention of a border crosser based on the statement of a semi-anthropomorphic animated robot that, “I think you are lying.”

A real story about REAL-ID

Saturday, October 1st, 2011

From the Identity Project mailbag:

My life has been basically destroyed because I don’t have a valid state-issued photo ID.

Thanks to terrorists, it is illegal for any employer in my state to hire me.

I am a natural-born citizen of the United States, born and raised in the State of New Jersey. I have lived here most of my life. I have never been convicted of a felony nor even a misdemeanor. I have never been arrested, nor even ever received so much as a parking ticket. I do not receive any funds from Welfare, Social Security, or any other government program. I am not a terrorist.

Yet, in the State of New Jersey, it is illegal for any employer to hire me, and has been for about the last 6 years.


How would REAL-ID affect the right to travel?

Friday, September 30th, 2011

In the latest step in the implementation of the REAL-ID Act and the establishment of a de facto national ID card and database, the Department of Homeland Security has requested OMB approval for the collection of additional information from states and individuals.

The public response to the DHS request, particularly these comments submitted by the Electronic Privacy Information Center (EPIC), highlight the important unanswered questions about how REAL-ID Act implementation will affect the right to travel:

EPIC’s comments focus on the widely-publicized recent case of  Lewis Brown, a former high school and college basketball star who died on a street in Southern California homeless, earlier this month:

EPIC writes today to draw the agency’s attention to the death of Lewis Brown, a former college basketball prodigy, who died on the streets of Los Angeles because he could not scrape together the money to obtain a state-issued identity document…. According to the New York Times, Brown, a basketball legend at the University of Nevada at Las Vegas, planned to fly to visit his family in New York and could not. Homeless and destitute, living on the sidewalks of Hollywood, Brown had developed cancer and planned to go to the hospital. Brown’s mother learned about his condition and stated that she wanted to see him “before he died.” Brown’s sister, Anita, told him to visit New York. Brown told confidants that he lacked funds to qualify for a California identification card, and was taking donations and borrowing money.