Feb 11 2016

How the REAL-ID Act is creating a national ID database

SPEXS-central-files [The REAL-ID “hub” connects state and Federal agencies, private commercial third parties, and centralized, national database files.  AAMVA SPEXS Master Specification (AMIE), r6.0.8, page 5]

One of the big lies being told by supporters of the REAL-ID Act of 2005 is that, as the DHS says on its official “Rumor Control” page, “Fact: REAL ID does not build a national database nor does it grant the Federal Government or another state access to a state’s driver’s license data.” According to another DHS Web page, “REAL ID Frequently Asked Questions for the Public“:

Q: Is DHS trying to build a national database with all of our information?
No. … REAL ID does not create a federal database of driver license information.

In fact, as we’ve been pointing out and as others have noted, the REAL-ID Act is both building a national database and requiring any state that wants to issue drivers’ licenses or state ID cards that are “compliant” with the REAL-ID Act to grant all other states access to their state’s drivers’ license and ID card data.

Many state legislators and residents of states that are considering whether to start issuing “compliant” driver’s licenses are concerned about (a) whether this would affect residents of those states who “opt out” or choose not to have a gold-starred compliant license (it would, as we’ve discussed previously), (b) whether there would be a central database or list of all drivers or ID cardholders (there would be, as discussed below), and (c) what we mean when we say that the goal of the REAL-ID Act is the creation of a “distributed” national ID database in which a single query routed through the central “hub” can retrieve data from every state ID database.

Here’s what we’ve been able to find out about the centralized national ID database the DHS  claims doesn’t exist, what information it contains, how it works, and who operates it:

The REAL-ID Act requires each state that issues any compliant driver’s licenses or ID cards to, “Provide electronic access to all other States to information contained in the motor vehicle database of the State” including, “at a minimum — (A) all data fields printed on drivers’ licenses and identification cards issued by the State; and (B) motor vehicle drivers’ histories, including motor vehicle violations, suspensions, and points on licenses.”

Both the Federal law and the regulations issued by the DHS to implement the law are silent on how this access is to be provided. In theory, a state could comply with the REAL-ID Act by setting up its own ad hoc database access arrangements with each of the 55 other states and US territories. In practice, that would be prohibitively expensive for any state, especially a small state, as state authorities who have looked into this possibility have concluded.

The only realistic choice for any state that wants to issue licenses or IDs compliant with the REAL-ID Act is to plug its state database into the national data “hub” which has been developed, with Federal funding and in consultation with the DHS and other Federal agencies, to serve this (and possibly other) purposes.

As we’ve reported previously, the national REAL-ID Act “hub” software and central database has been developed by the American Association of Motor Vehicle Administrators (AAMVA) and AAMVA contractors, primarily Clerus Solutions.  Multiple layers of outsourcing and subcontracting serve to evade accountability to government agencies and the public, to evade transparency under the Federal Freedom of Information Act (FOIA) and state public records laws, and to give a thin veneer of plausible deniability about the central role of the Federal government in planning and developing the system.  AAMVA is a “trade association” whose members are officials of state agencies, but which is incorporated as a “private” nonprofit organization not subject to public records laws.

Federal funding for system development was laundered through state agencies and then through AAMVA. According to AAMVA, “In October 2012, AAMVA was awarded a contract from the Mississippi Department of Public Safety under a grant from the US Department of Homeland Security to develop the State to State Verification Service leveraging the modernized CDLIS system architecture.” CDLIS is a centralized database and system for the exchange of information about holders of commercial driver’s license, who are already subject to Federal DOT regulations related to interstate transportation. S2S, as discussed below,  extends the CDLIS architecture and protocols from commercial licenses to all driver’s licenses and state-issued ID cards.

Mississippi subcontracted portions of the project to DL/ID Verification Systems, Inc. (DIVS), “a not-for-profit corporation formed by the State of Mississippi to organize, implement, and coordinate the electronic systems states need to verify identification information provided by driver license and identification card applicants.” AAMVA and DIVS then subcontracted with Clerus Solutions (a private for-profit corporation full of former AAMVA and government personnel, like many companies in the revolving-door homeland security industrial complex) to manage and carry out portions of the actual work, using primarily commercially available off-the-shelf software, which potentially involves additional layers of outsourcing. It remains unclear who actually hosts or operates the central data stores or host site applications, or where they are located.

To obscure the total cost and true source of funds for the project, and the leading role of the DHS, additional money for the REAL-ID Act hub was buried in block grants to states for “highway safety data” and “traffic records” systems from the National Highway Transportation Safety Administration (NHTSA) of the Department of Transportation (DOT). According to AAMVA, “NHTSA has acknowledged that … grant monies can be used to fund a state’s implementation activities and operational costs for the State-to-State Verification Service (S2S).” Money is trickled down from DOT, divided among states and commingled in block grants categorized as highway safety funding, passed on to AAMVA and DIVS, and then reassembled to pay the contractors doing the work. There’s no single line item in the Federal budget or contract with a Federal agency disclosable through FOIA that reveals the total price and scope of the work.

The REAL-ID Act hub system is described as consisting of “State to State (S2S) Verification Services” and “State Pointer Exchange Services (SPEXS)“.  The terminology of “state to state” and “exchange” is used to mislead those who don’t read the 2000+ pages of SPEXS specifications into thinking that the “hub” is merely a “switch” that connects states to each other, and doesn’t itself hold or process state data.

The S2S hub could work that way, but it doesn’t, as the SPEXS specifications illustrate on page 6 in their introduction to the system architecture.  An inquiry from one state (or another system user such as a Federal agency or commercial third party, as shown in the illustration at the start of this article from page 5 of the SPEXS specifications) could simply be passed on by the hub for a response from whichever state(s) has/have responsive records:

SPEXS-inquiry

But if the requester doesn’t know which state(s) has/have records — for example, if they want to know if the person with a particular name and date of birth, or Social Security number, has or has ever had a driver’s license in any state(s), and if so which one(s) — this system would necessitate sending the inquiry to each of the 56 states, the District of Columbia, and US territories.  Each state would need to search its database for responsive records.  The consequence would be a large and potentially burdensome (especially for small states) volume of queries and searches for each state to have to process.

To reduce the load on each state —  at the expense of greatly increasing the potential for misuse of the system —  S2S was instead set up to incorporate a central database of “pointers”. In effect, this “pointer file” is a consolidated list and index of all the licenses and IDs issued by all participating states, like a card catalog or directory at a central site that includes a card or listing for each book held by any of the branch libraries in a city or regional library system. The central master catalog doesn’t include the full text of every book, but does have all of the fields of information (title, author, ISBN, etc.) by which you might want to search for books. If you want a particular book, or all books by a certain author, you first look in the index to see which branch(es) has/have the book(s) you want, and then request each book of interest from the branch that has it.  SPEXS uses a central “pointer file” to enable this sort of two-step search for license and ID records:

SPEXS-pointer-inquiry

The “pointer file” at the “SPEXS Central Site” is the national ID database created by the REAL-ID Act: a single, aggregated master list and index, held by a private contractor at a single, central site, of every driver’s license or ID card issued by any state that chooses to issue any gold-starred licenses or cards compliant with the  REAL-ID Act.

Defenders of the REAL-ID Act will no doubt say that the pointer file is “just an index, not a database”. But an index file is itself a database, although a smaller one than the larger database it indexes. The only question is how large and how significant a portion of the data in each state record is included in the pointer file. The pointer fields currently required for participation in S2S (and thus for issuance of REAL-ID compliant licenses, unless a state can implement an alternative to S2S) are listed on page 28 of the SPEXS specifications, as follows:

SPEXS-master-pointer-resaved [Fields included in the “index pointer” record uploaded to the SPEXS Central Site for each driver’s license or state ID card. SPEXS Master Specification (AMIE) r6.08, page 28]

The most significant of these fields is obviously the Social Security number, since that’s the single piece of data that makes it easiest to correlate or merge these records with the largest number of other government and commercial databases.

A state that wants to use participation in S2S as part of the basis for DHS certification that it is making progress toward compliance with the REAL-ID Act will have to upload “pointer” data for each compliant license to the SPEXS Central Site. According to page 1127 of the SPEXS specifications:

The Bulk Load process [is] necessary when a State of Record (SOR) is implementing SPEXS. It allows a participant to comply with SPEXS requirement that it must add pointers at the Central Site for all Real ID cards it has previously issued prior to SPEXS implementation. While all pointers for REAL ID credentials must be added as a part of Bulk Add, pointers for Non-Real ID cards may be added at a later date or may be added during initial Bulk Add.

States aren’t (yet) required to upload pointers for noncompliant licenses or ID cards. There’s been no explicit announcement of the full live launch of S2S, but it appears that the first states are only beginning to use S2S (other than as a pilot project) this month. The DHS isn’t (yet) considering whether states have complied with the database access provisions of the REAL-ID Act when it makes its discretionary decisions whether to certify “material” compliance or “progress” toward compliance. But AAMVA, which determines the SPEXS standards, could add a requirement for upload of pointers for all licenses and IDs, not just “compliant” ones, to its specifications for system participation at any time. And the DHS will eventually have to assess actual compliance with the REAL-ID Act, not mere progress toward it. At that point, any state that wants to use S2S and SPEXS as the basis for a compliance finding will have to upload pointer records for all licenses and ID cards it has issued — even noncompliant or “opt-out” licenses or IDs.

Several things are wrong with this picture.

First, the amount of data about each driver or ID cardholder that a state has to include in the SPEXS pointer record it uploads is determined solely by AAMVA, a nominally “private” entity whose decision-making is completely opaque and which is not directly accountable to any single government agency, much less to due-process requirements such as those of the Federal Administrative Procedure Act. By requiring more and more of the information in state records to be included in the uploaded “pointers”, the index could be made to swallow as much of the state databases as its controllers desire, while still being represented as, “just an index” and not the actual database. As long as there is no affordable or available alternative to SPEXS to satisfy the data access requirements for compliance with the REAL-ID Act, any new or additional criteria established by AAMVA for participation in S2S and/or SPEXS will be de facto requirements for state compliance with the REAL-ID Act. A state that refuses to comply with AAMVA conditions for continued participation in SPEXS will cease to be compliant with the REAL-ID Act, and will have to revoke all compliant licenses or ID cards it has issued, or have Federal agencies cease to recognize them.

Second, data mining, data matching, profiling, targeting, and the identification of records or persons of interest, on the basis of any or all of the “pointers” or any other data that can be linked to them (e.g. through Social Security numbers), can be carried out entirely within the Central Site. States have no way to know whether this is happening, what criteria are being used, or the purposes or end users for which records or individuals are being identified in this way:

SPEXS-architecture [States have no way to know what software applications are running at the central site, or how they are making use of the “central site data stores” of indexed pointers for all state driver’s licenses and ID cards. AAMVA SPEXS Master Specification (AMIE), r6.0.8, page 18.]

There’s no procedure for a state, much less an individual, to obtain an “accounting of disclosures” to find out who has retrieved what information from their records in  the “pointer” file at the SPEXS Central Site.  It’s not clear whether any access logs for the files at the central site are created or retained.

Third, once “pointer” data about state residents is uploaded to the “Central Site Data Stores,” it’s out of the state’s control. The state that uploaded the data has no way to know what information from the “pointer” database is being passed on to Federal agencies or other third parties, for what purposes, or even whether any data has been accessed by Federal or other non-state entities. AAMVA is a private entity, and a Federal agency could order AAMVA to hand over the entire contents of the “pointer” database while forbidding AAMVA from revealing the Federal data demand to participating states or members of the public.  This may already have happened. There’s no way for us or any state to tell.

States are right to resist playing this game, and to opt out completely from REAL-ID Act compliance or participation in the SPEXS national ID database.