The national ID records system includes the SPEXS database and the S2S data network and system of central-site applications. S2S, including SPEXS, is operated by AAMVA (a non-governmental non-profit organization whose members are the directors of state driver licensing agencies) and Clerus Solutions (a for-profit private contractor most of whose executives are revolving-door former staff of AAMVA).
But who is setting policy? Who decides what information from state drivers’ license and ID records is included in the central “pointer” database? Who decides what other entities are able to retrieve, mine, or otherwise obtain or use these records?
Are state governments really in control of their residents’ data once it is uploaded to the central site (outsourced to Microsoft as a cloud hosting provider)? Or is Is the US Department of Homeland Security, AAMVA, or Clerus Solutions in the driver’s seat?
Documents we’ve recently received in response to a request to the state of Alaska under that state’s public records law don’t answer many of our questions, but shed more light on on this little-known, aggregated, privately-held database of personally identifying information obtained from state records that already contains data about roughly 50 million US citizens and residents.
We also received explicit confirmation from the minutes of a June 2017 meeting (p. 64 of this PDF file) that AAMVA staff and state driver licensing officials expect that participation in S2S and SPEXS will be added to the criteria used by the DHS to determine whether to certify or re-certify states as “compliant” with the REAL-ID Act: The latest batch of records we received (see related records released to us earlier here) is a disordered jumble bundled into a single PDF file. Below are some of the other noteworthy details, with references to page numbers in this PDF file:
- AAMVA and Clerus Solutions are active participants in the governance process for the REAL-ID database, not just implementation contractors. Some boards of directors are largely rubber-stamps for staff recommendations, and the S2S (and SPEXS) Governance Committee of AAMVA appears to be one of them.
- The SPEXS database includes a “pointer” record for every driver’s license issued by a REAL-ID compliant state, including “non-compliant” or “ordinary” licenses without the REAL-ID gold star marking (pp. 37-38). Nobody who has a driver’s license from a compliant state can opt out of having their personal information included in the national database, even if they request a “noncompliant” license. This is consistent with the compliance criteria in the REAL-ID statute. For reasons not explained in the records we have received, states are not yet being required to upload pointers to “noncompliant” non-driver state ID cards. But this is recognized as a problem, and the upload requirements could be changed.
- Automated facial recognition could be added to the national ID system (p. 88). One of the priorities for use of future DHS funding for S2S and SPEXS is a “Pilot project using Digital Image Access and Facial Recognition for duplicate resolution. This project will provide a grant … facilitate a multi-state effort to develop a best practice method for states to … determine if two pointers … are for the same identity set and the same person. The best practice method would focus on combined use of tools such as Digital Image Access or one-to-one facial recognition.” Drivers license and ID photos aren’t currently included in SPEXS records, but could be added — the data elements required to be uploaded by each participating state are determined by, and could be changed at any time by, AAMVA’s S2S Governance Committee.
- The national ID database will be hosted by Microsoft (p. 38-39). The records we have received don’t say how or by whom the database is or was being hosted, but it is being migrated to the Microsoft Azure cloud platform during FY2018 and FY2019.
- All records in the national ID database still must include the last 5 digits of the Social Security number, and the full Social Security Number must be provided to any other state on request. This became an issue during debate in the Alaska legislature on whether Alaska should comply with the REAL-ID Act, because every Social Security Number issued in Alaska until 2011 has the sane first three digits. under pressure from state legislators, Alaska asked the S2S Governance Committee to consider changing this, but there is no indication in the minutes we received that this request was ever put to a vote (pp. 44,54,65). Staff told the S2S Governance Committee that a pilot project to assess the cost of reducing the number of digits of each Social Security number uploaded to the central database would cost $145,000 (p. 76). Rather than pursue that option, the committee voted to develop more explanatory materials about how securely SPEXS data is stored
- Non-state US territories won’t be able to comply with the REAL-ID Act for at least another two years (pp. 39, 58-59, 74). As we’ve reported, the DHS is currently focusing its REAL-ID threats on the US “territory” of American Samoa, which isn’t a state and whose residents aren’t birthright US citizens but which is subject to the REAL-ID Act. But the minutes we received show that AAMVA and the state officials participating in the S2S governance committee have known since 2017 that the differences in the legal status of states and territories weren’t taken into consideration in the S2S and SPEXS architecture. Changes to enable territories to participate in the system won’t be complete until after 2020. It’s unclear when or if territorial officials got this news. An AAMVA staff person told the committee that, “DHS has the same requirement for the US Territories regarding their participation in S2S than for the US jurisdictions. The US Territories do not have to be using S2S before October 2020 to become REAL ID compliant. They do however need to commit to participate and work with AAMVA to establish an implementation plan.”
- Massachusetts was worried about the stress on the system of trying to upload records on all its drivers’ licenses and IDs over a single weekend (p. 75). The S2S governance committee declined to change its systems of uploading all of each new state’s records over a single weekend. Massachusetts reluctantly went through with the upload over a single weekend in March 2018, with hours-long waits for licenses and IDs the next week. The fiasco suggests that the system may not be ready for the load generated by adding records from larger states.
- More states are participating in S2S ands SPEXS planning than have publicly disclosed plans to upload state residents’ data to SPEXS. California, for example, has For example, the California Department of Motor vehicles claimed in December 2017, in response to our objections to its plans comply with the REAL-ID Act, that, “The federal REAL ID regulations do not address the creation of a federal database.” California is not listed on the latest S2S/SPEXS participation map as actively preparing to join the national system. But just a month earlier, the S2S Governance Committee was told that, “California (CA) has requested to only load pointers that have SSN(s) associated with them.” (p.75) And the Director of the California DMV traveled to Milwaukee to attend the latest S2S Governance Committee face-to-face meeting (p. 10). Presumably she attended as a non-voting observer, but that isn’t clear.
Other states’ participation in S2S and uploading of residents’ data to SPEXS may have violated state public records and/or personal data laws. Records released by the state of Wisconsin in response to a request similar to the one we made to the state of Alaska suggest that the Wisconsin DMV may have failed to provide required notice and obtain required approvals from the state Public Records Board for data matching and sharing.
If you obtain records about S2S or SPEXS participation or REAL-ID Act compliance from other states under their public records laws, please let us know.