National REAL-ID database replicates problems with FBI rap sheets
Previously unpublished information we’ve recently obtained from the contractor that developed the SPEXS database at the center of state “compliance” with the REAL-ID Act — the national database of drivers license and state ID details that the DHS and supporters of the REAL-ID Act keep claiming doesn’t exist — shed new light on how the system will work.
Unfortunately, these new documents and statements show that SPEXS will replicate many of the worst problems of poor data quality and lack of accountability of the NCIC database used by the FBI to store criminal history “rap sheets” of warrants, arrests, and dispositions of criminal cases: convictions, diversions, withdrawals, dismissals, acquittals, appellate decisions, etc.
Like SPEXS, NCIC aggregates data sourced from agencies in every state, the District of Columbia, and the US territories of Puerto Rico, the U.S. Virgin Islands, American Samoa, Guam, and the Northern Mariana Islands. The FBI operates the aggregated database, but disclaims any responsibility for the accuracy of the data it stores, indexes, and distributes.
As we noted in our previous post, the FBI has exempted NCIC records from the requirements of the Privacy Act for accuracy, relevance to a lawful purpose, access by data subjects, and correction of errors. That should mean that NCIC records can’t be relied on, but the Supreme Court has ruled that an entry in NCIC provides sufficient legal basis for an arrest.
NCIC is the poster child for the evil consequences of reliance on “garbage in, garbage out” aggregated and unverified data as a basis for government decision-making. Inevitably, NCIC records are riddled with errors. Law enforcement agencies are quick to report arrests and newly-issued warrants to NCIC, but have nothing to gain by ever reporting when charges are dismissed or a warrant is quashed. Who knows when some other police agency might find it convenient to rely on an NCIC record of a long-since-quashed warrant as a basis for authority to arrest and search someone who they would otherwise have to let walk away?
We know from long and bad experience with NCIC just where this leads. Innocent people are arrested every day in every state on the basis of erroneous NCIC records. SPEXS replicates the “garbage in, garbage out” unverified multi-source data aggregation model of NCIC, and will replicate its data quality and accountability problems along with its architecture.
Like NCIC, SPEXS is intended to be relied on as the basis for government decisions, specifically, enforcement of the requirement of the REAL-ID Act that a person may not have more than one valid REAL-ID Act compliant drivers license or ID at a time. We fail to see any valid purpose to this provision of the law. Given that states have different and independent licensing requirements, what harm is done by a person having independently satisfied the requirements to operate motor vehicles in more than one state, and having independently been issued credentials by these several states attesting to this fact? But regardless of the rationale for this law, the justification for the existence of SPEXS is to enable states to refuse to issue a drivers license or state ID to a person if SPEXS shows a record of an outstanding license or ID in any other state or territory for a person believed (according to a secret SPEXS matching algorithm) to be the same person as the applicant.
The inevitable outcome is that some people’s applications for new or renewal drivers licenses or state IDs will be denied by state authorities on the basis of erroneous data in SPEXS records. Perhaps they have been mis-matched with a person in another state with the same or a similar name and date of birth. Perhaps an identity thief has used their name, DOB, and Social Security number to get a license or ID in another state. Perhaps they cancelled their license or ID in another state, but that fact wasn’t reported by that state to SPEXS, or the cancellation message wasn’t received by the SPEXS operator or wasn’t properly processed into the SPEXS database. Perhaps the expiration date of their old license or ID was mis-reported or improperly recorded. Perhaps a record was mis-coded, such as by mis-attributing a record to the wrong state. Perhaps a record of a license or ID that has since been cancelled was left in SPEXS by a state or territory that has withdrawn from SPEXS participation.
What recourse will any of these people have? Not much, not easily, and in some cases none at all.
According to a statement that we were told is “fully supported by the involved states”, erroneous data can only be corrected by the state that posted the erroneous data. “AMVA does not have the unilateral authority to change pointer index data. It can do so only at the direction of the state that posted the pointer.”
AAMVA may be confident of its infallibility, but we aren’t. If no state actually posted the erroneous data in a SPEXS record, and it originated within AAMVA or AAMVA’s subcontractors or in a data transmission error, or if a SPEXS record is mis-attributed to the wrong state, neither any state nor AAMVA itself can correct it. Catch 22.
In other cases — for example, what is likely to be the common case of an innocent person whose application for a license or ID is denied because an identity thief has already used their personal information to get an ID in another state — the victim will first have to identify the other state where this happened, and then get that state, where they may never have lived and whose bureaucracy and licensing procedures may be completely unfamiliar, to send SPEXS a correction.
Or suppose that you are one of the millions of people each year who receive notifications that personal information about you may have been disclosed to, or obtained by, unauthorized third parties, and as part of your response to the notice you want to find out whether someone has obtained a license or ID in your name. Or that you are living in a state that doesn’t participate in SPEXS, and are offered a job in a SPEXS particpant state. How can you find out, before you accept the job and relocate, whether you will be able to get a license or ID — on which your job may depend — in the new state?
How are you supposed to do any of these things? We don’t know. SPEXS is already in operation, but we’ve been unable to find any privacy or redress policy or point of contact posted on any of the websites of participating states, the SPEXS prime contractor (AAMVA) or the subcontractor that developed SPEXS (Clerus Solutions).
The state of Mississippi and other states, using mainly pass-through funding from DHS/FEMA and DOT/NHTSA, have contracted with AAMVA, the nominally-private non-profit organization of state drivers licensing agency officials, to develop SPEXS for use by all states and territories. AAMVA has subcontracted most or all of this work to Clerus Solutions, a private for-profit company.To complicate this shell game, the contract between Mississippi and AAMVA says (Section 18.8) that, “upon thr completion of the Agreement, Customer [i.e. Mississippi] plans to complete a governance process whereby management and oversight of the System … will be transferred to a new entity that meets the criteria of Customer, DIVS, and the federal agencies who directed and funded this Project.” (Note the admission that it is federal agencies that have both funded and “directed” the SPEXS project, even though the funding has been indirect and laundered by states.)
AAMVA’s SPEXS Privacy Impact Assessment acknowledges this problem of how to identify who is responsible:
The main privacy risk associated with the SPEXS pointer index redress process relates to the fact that individuals may attempt to contact AAMVA instead of the SDLA that issued their credentials. The risk is mitigated by having well defined procedures allowing the AAMVA personnel to handle such requests in a very efficient manner, and by maintaining the contact list of all SDLAs, including the official Website or 800 number.
We visited the AAMVA website, but found no relevant information. We called AAMVA at the phone number listed for its “Privacy Officer” in the SPEXS Privacy Policy, 703-522-4200. That proved to be the main AAMVA switchboard. The receptionist seemed to want to help us, but was unable to identify any “Privacy Officer” or “Privacy Office” in their internal company directory.
So much for “well defined procedures allowing the AAMVA personnel to handle such requests in a very efficient manner.”
State legislators need to realize that if they vote to have their state “comply” with the REAL-ID Act, the inevitable consequence is that some innocent residents of their state will have their drivers license or ID applications or renewals wrongly denied, as a result of identity theft or errors by AAMVA or other states. Their own state agencies will be powerless to correct these errors or redress their consequences. The innocent victims will be sentenced to a Kafkaesque and probably prolonged struggle to get some bureaucrats in another state they know nothing about, or at AAMVA, to correct the error before their own state of residence is allowed to issue or renew their license or ID.
We asked the public contacts for SPEXS how errors are supposed to be corrected, through what points of contact, and what (if any) privacy, data accuracy, data access, and data correction policies apply to SPEXS data used to enforce the REAL-ID Act or for other purposes.
We were told that, “Our process for responding to these types of inquiries involves a collaborative effort with the fifteen states that have signed up to participate in the S2S pilot. We want to make sure that a response to any outside entity is fully supported by the involved states.” After two months, we received the statement below from Nancy Carlson, Senior Business Analyst with Clerus Solutions.
Because this information isn’t available anywhere else, including on the websites of AAMVA, Clerus Solutions, or the state agencies that are already relying on SPEXS data as the basis for license and ID application denials, we are posting Ms. Carlson’s response and the documents she attached in full below:
“The [contract between AAMVA and the Mississippi DPS] does not provide details regarding the privacy and security requirements imposed on AAMVA. Those details are provided in the … DIVS Privacy & Security Framework for Vendors and the DIVS Privacy Policy for Vendors:
- SPEXS Privacy Impact Assessment by AAMVA (r2.0, June 2016)
- AAMVA Privacy Policy (v1.4, April 15, 2016)
- AAMVA Applications & Services Privacy Principles (April 2015)
- DIVS Privacy Policy for Vendors (v1.4, April 17, 2014)
- DIVS Privacy & Security Program Framework for Vendors (v1.6, December 21, 2015)
- AAMVA contract with Mississippi DPS for S2S development (MDPS Project #38394, October 15, 2012)
“A pointer index can only be added to S2S by participating states. The list of participating states and related contact information will be posted soon on AAMVA’s public-facing website. We will let you know when that information is posted.
“If a person is licensed, or holds an ID card, in a state that participates in S2S, they can go to the driver licensing agency in that state to find out if there is a pointer index regarding them, what the pointer index contains and, if the contents are found to be in error, work with the state to correct the contents.
“If a person held a credential in a participating state and then moved and was re-credentialed by a non-participating state, the person would need to contact their previous credentialing state to address pointer index questions, since the non-participating state, by definition, would not have access to S2S.
“If a person has never been credentialed in a participating state but wants to see if there is a pointer index related to them, they would need to contact one of the participating states listed on AAMVA’s website for assistance. A participating state would be able to tell the person if a pointer index exists and which state put it in the index. The person can then contact that state directly to address pointer index questions. Each participating state has the ability to change their own pointer index data. If pointer data is determined to be incorrect, for any reason including through an error introduced by a state or by AAMVA, an individual can work with the state that posted the pointer to correct it. AAMVA does not have the unilateral authority to change pointer index data. It can do so only at the direction of the state that posted the pointer.”
Pingback: National REAL-ID database replicates problems with FBI rap sheets | Media Unveiled
Pingback: Papers, Please! » Blog Archive » California DMV proposes to “comply” with the REAL-ID Act
Pingback: REAL-ID database still lacks basic protections | Papers, Please!
Pingback: “Put them on the no-fly list!” – Papers, Please!
Pingback: A blacklist is not a basis for search or seizure – Papers, Please!