May 20 2018

Who’s in charge of the REAL-ID database?

The state of Alaska has sent us a whopper of a “the records you have requested do not exist” response to one of our attempts to find out about government oversight (or lack thereof) of the private contractor operating the national ID database created to implement the REAL-ID Act of 2005.

Here’s what’s happened and why it’s significant:

One of the key goals and consequences of the REAL-ID Act is a national database of information about every drivers license or ID card issued by any of the states and territories that have chosen to “comply” with the (optional for states) Federal law.

This “SPEXS” database includes both compliant ID documents and “noncompliant” IDs issued to people who think they have opted out of being included in the national ID system. There are currently about 50 million records in this national ID database.

The SPEXS database is operated as part of the “S2S” system by a for-profit contractor to AAMVA, a “private” nonprofit corporation whose voting members are the directors of state driver licensing agencies (“DLAs” in AAMVA-speak).

According to AAMVA and officials of participating states, S2S including SPEXS is “governed” by an AAMVA subcommittee created in 2017 and consisting of representatives from DLAs in each state that has added its residents’ ID data to the SPEXS database. We don’t yet know how much actual authority the SPEXS governing body has, or how it exercises that authority.

SPEXS became a focus of attention in Alaska last year after we pointed out in testimony to the state legislature that he Alaska Department of Motor Vehicles had uploaded information about all Alaska drivers’ licenses and state IDs to SPEXS shortly before seeking legislative approval for the state to take actions to comply with the REAL-ID Act.

Members of the legislative committees that oversee the Alaska DMV hadn’t known about the batch upload of Alaskans’ personal information, and weren’t pleased. SPEXS pointer records include the last five digits of each person’s Social Security number, and for many years all Social Security numbers issued in Alaska had the same first three digits. That leaves only one of the nine digits of a social security number for an identity thief or other attacker who got access to SPEXS to guess or determine by trial and error.

In response to questions about SPEXS from state legislators, officials of the Alaska Department of Administration, which includes the DMV, told the chair of the House State Affairs Committee that, “The S2S system is managed by the Governance Board formed by the member states of AAMVA, an organization of state DMV jurisdictions. Alaska’s DMV is on the Governance Board.”

In response to further questions, the Dept. of Administration told the chair of the Senate State Affairs Committee that, “Alaska is a member of the new Governance Board of AAMVA for management of the S2S system. Commissioner Fisher has already drafted  a letter expressing Alaksa’s concerns about the use of 5 digits and requesting the issue be taken up at the first meeting.”

Officials of the DMV and the Department of Administration repeated these claims about their active participation in the S2S governance  body during legislative hearings. They assured legislators that the state of Alaska was trying hard to get the governance body to reduce the number of digits of each Social Security number included in SPEXS.

The Department of Administration also released the contract it signed with AAMVA in March 2017 for participation in S2S including SPEXS, which provides that, “DLA [driver licensing agency, the Alaska DMV] agrees… to comply with the current Enforcement of S2S compliance document as amended by the S2S Governance Committee from time to time. DFLA agrees to develop and maintain a coded interface to S2S that is compliant with the current version of the S2S Specifications.”

To learn more about SPEXS, how it is managed, how much oversight states really exercise over AAMVA and AAMVa’s subcontractor, Clerus Solutions, and what happened to Alaska’s request for changes in SPEXS record content, we made a request in April 2017 under Alaska’s public records law for email messages between the state, AAMVA, and Clerus Solutions.

Despite the deadlines in Alaska state law for disclosing requested records, Alaska officials are still dragging their feet more than a year later, and have produced none of the records we requested.  They have found thousands of relevant email messages, but have told us it will take “many months” more to review them and decide which, if any, to release.

We’re still waiting, but in the meantime we made a second, narrower request for the latest version of the SPEXS specifications and for any agendas, minutes, notes, or other records of the meetings of the S2S/SPEXS governance body that Alaska is part of.

This time we got a prompt, but patently implausible, answer: “Regarding your request for motions, votes, and decisions of the governing bodies of S2S and SPEXS, and for the SPEXS Master Specification, the DMV does not possess these records.”

We can only speculate as to the explanation for this response, but none of the obvious possibilities reflect well on the Alaska DMV:

  1. The Alaska DMV has entered into a contract  which requires it to build and maintain an interface compliant with the SPEXS specifications,  but has no copy of those specifications, and is a member of the S2S/SPEXS governing  body but keeps no record of its meetings. (This seems the least likely of the possibilities, but if true would be indicative of gross negligence and dereliction of official duties.)
  2. The DMV has such records, but conducted a grossly incompetent or otherwise grossly inadequate search for them in response to our request.
  3. The DMV had such records, but destroyed them all (illegally) to evade having to disclose them to us in response to our request.
  4. The DMV has such records and knows where to find them, but is lying to us and illegally withholding the requested records.

5 thoughts on “Who’s in charge of the REAL-ID database?

  1. Pingback: New Citi Credit Card Deal and Aer Lingus Photobombing the Royal Wedding - View from the Wing

  2. Pingback: “Governance” of the REAL-ID database | Papers, Please!

Leave a Reply

Your email address will not be published. Required fields are marked *