Oct 10 2018

What AAMVA doesn’t want you to know about the national REAL-ID database

Another “deadline” for enforcement of the REAL-ID Act of 2005 passed uneventfully today.

The US Department of Homeland Security had advertised that DHS extensions of time for voluntary compliance with the REAL-ID Act by many states would expire today.

The DHS threatened that starting today it would “enforce” the REAL-ID Act through harassment or denial of the right to travel of airline passengers without ID or with ID issued by states or territories that the DHS, in its standardless administrative discretion, deemed insufficiently compliant with Federal wishes.

Today’s supposed “deadline” was fixed neither by law nor by regulation. Not surprisingly, the DHS blinked in the final days before its self-imposed ultimatum, as it has done again and again.

Every US state and territory subject to the REAL-ID Act was either certified by the DHS as sufficiently compliant to satisfy the DHS (at least for now), or was given a further extension of time to comply without penalty until at least January 10, 2019.

Yesterday, the day before the “deadline”, the DHS quietly posted notices on its website that it had granted further extensions until January 2019 to the last two states, California and New Jersey.

Perhaps the DHS is still unwilling to provoke riots at airports by stopping people without ID, or with ID from disfavored states and territories, from flying. Perhaps it isn’t yet prepared to face, and likely lose, the inevitable lawsuits from would-be flyers.

Even American Samoa, which — because the second-class status of American Samoans as US subjects but not US citizens would make it harder for them to challenge DHS restrictions of their rights — had been the first trial by the DHS of enforcement of the REAL-ID Act, was given an extension until October 10, 2019.

So far as we can tell, REAL-ID Act “enforcement” meant only modestly enhanced harassment of American Samoans at airports. Our FOIA request for records of how many people tried to fly with American Samoa IDs, and what happened to them, remains pending with no response after more than five months.

American Samao isn’t the limit of REAL-ID Act expansion beyond US borders and overseas. H.R. 3398, a bill to extend eligibility for REAL-ID Act compliant drivers licenses and IDs to citizens of several nominally independent de facto US dependencies, has passed the House and is pending in the Senate.

Meanwhile, the real movement toward state compliance with the REAL-ID Act is behind the scenes  — as the DHS, its collaborators among state driver licensing agencies, and AAMVA, the operator of the outsourced and pseudo-privatized national ID database, want it to be.

Since we last reported on the status of REAL-ID Act compliance six months ago, agencies in three more states — Pennsylvania, New Mexico, and most recently Washington in September 2018 — have uploaded information about all licensed drivers and holders of state-issued IDs to the SPEXS national database. That brings to 19 the number of states whose residents’ personal information is included in the aggregated database.

But even as the database grows to include information about more and more US residents, the DHS persists in denying its existence. According to the DHS public FAQ about the REAL-ID Act:

A: Is DHS trying to build a national database with all of our information?

No…. REAL ID does not create a federal database of driver license information.

To the extent that there is any truth at all in this statement, it’s that the SPEXS national database isn’t under direct Federal or state control, but has been handed over to AAMVA and AAMVA’s contractors. (The database is apparently actually hosted by Microsoft.)

For obvious reasons, nobody is more eager than AAMVA to have you pay no attention to the national ID database behind the REAL-ID Act curtain.

In June 2018, we were honored to receive an urgent letter by Fedex from the President  & CEO of AAMVA, demanding that we immediately remove from our website the specifications for the SPEXS database, which we had obtained in 2016 from AAMVA’s own public website. After AAMVA made that whole section of its site “members-only”, we posted a copy of the SPEXS specification to help readers understand the details of the system, and as one of the key sources for our analysis of SPEXS.

SPEXS already includes personal information obtained from government records of drivers licenses and state IDs, including dates of birth and the last five digits of Social Security Numbers, for more than 50 million US residents. We think the people whose data is included in this system are entitled to know what information is being kept about them, who has access to it, and how it is used.

According to the SPEXS specifications,  development of SPEXS was funded by grants from componetns of the DHS and the Department of Transportation. (We’re waiting for responses to our FOIA requests for those agencies’ records about SPEXS.) If SPEXS were being operated directly by a Federal agency, the Privacy Act would require it to provide notice of the types of records in the system, how they are used, and with whom they are shared, as well as procedures for individuals to see the records about themselves and to obtain an “accounting of disclosures” to third parties of information about themselves.

But because the SPEXS database has been outsourced to a nominally private contractor, AAMVA, both Federal and state agencies can disclaim any responsibility for it. That leaves the SPEXS specifications as the best available evidence of what the system is and does.

In a later message to our Web hosting provider, a lawyer for AAMVA claimed that, “The information contained in this work is sensitive and its unauthorized publication could jeopardize the security of the governmental program to which this document relates.” This is nonsense. AAMVA waived any claim of sensitivity by making the specifications public.

When it was still struggling to sell the first states on buying into SPEXS, AAMVA posted the SPEXS specification on its website for anyone to download. More than two years after we called attention to what this document reveals, AAMVA is trying to suppress it. Not because it contains any secrets — it’s been publicly available for years — but because it conclusively disproves the DHS big lie that there is no national REAL-ID database, and shows the essential role that AAMVA itself is playing in this surveillance system.

We encourage you to pay close attention to the AAMVA man behind the REAL-ID Act curtain. And if you have questions about SPEXS or the SPEXS specifications, feel free to contact us.

Jul 18 2018

California DMV lies about the REAL-ID Act

We’ve heard that the California Department of Motor Vehicles has posted scary new signs in DMV offices around the state misinforming motorists and holders of DMV-issued non-driver state ID cards about the Federal REAL-ID Act of 2005.

We assume that these public disinformation messages are similar in content to the false answers to frequently asked questions and other propaganda about REAL-ID on the DMV website.

We’ve been through all this before with similar false claims about the REAL-ID Act by the California DMV and the Federal Department of Homeland Security. But lest anyone be misled by seemingly authoritative statements from government agencies, here are some of the real facts about REAL-ID that are contradicted, denied, or ignored in DMV press releases. Read More

Jun 08 2018

“Governance” of the REAL-ID database

Attendance at the most recent face-to-face (F2F) meeting of the AAMVA S2S Governance Committee, Milwaukee, WI, March 22, 2018

We’ve been trying for years to find out who is really in charge of the national ID database being created to enable states that choose to do so to comply with the  Federal REAL-ID Act of 2005.

The national ID records system includes the SPEXS database and the S2S data network and system of central-site applications. S2S, including SPEXS, is operated by AAMVA (a non-governmental non-profit organization whose members are the directors of state driver licensing agencies) and Clerus Solutions (a for-profit  private contractor most of whose executives are revolving-door former staff of AAMVA).

But who is setting policy? Who decides what information from state drivers’ license and ID records is included in the central “pointer” database? Who decides what other entities are able to retrieve, mine, or otherwise obtain or use these records?

Are state governments really in control of their residents’ data once it is uploaded to the central site (outsourced to Microsoft as a cloud hosting provider)? Or is Is the US Department of Homeland Security, AAMVA, or Clerus Solutions in the driver’s seat?

Documents we’ve recently received in response to a request to the state of Alaska under that state’s public records law don’t answer many of our questions, but shed more light on on this little-known, aggregated, privately-held database of personally identifying information obtained from state records that already contains data about roughly 50 million US citizens and residents.

We also received explicit confirmation from the minutes of a June 2017 meeting (p. 64 of this PDF file) that AAMVA staff and state driver licensing officials expect that participation in S2S and SPEXS will be added to the criteria used by the DHS to determine whether to certify or re-certify states as “compliant” with the REAL-ID Act: The latest batch of records we received (see related records released to us earlier here) is a disordered jumble bundled into a single PDF file. Below are some of the other noteworthy details, with references to page numbers in this PDF file:

Read More

May 20 2018

Who’s in charge of the REAL-ID database?

The state of Alaska has sent us a whopper of a “the records you have requested do not exist” response to one of our attempts to find out about government oversight (or lack thereof) of the private contractor operating the national ID database created to implement the REAL-ID Act of 2005.

Here’s what’s happened and why it’s significant:

One of the key goals and consequences of the REAL-ID Act is a national database of information about every drivers license or ID card issued by any of the states and territories that have chosen to “comply” with the (optional for states) Federal law.

This “SPEXS” database includes both compliant ID documents and “noncompliant” IDs issued to people who think they have opted out of being included in the national ID system. There are currently about 50 million records in this national ID database.

The SPEXS database is operated as part of the “S2S” system by a for-profit contractor to AAMVA, a “private” nonprofit corporation whose voting members are the directors of state driver licensing agencies (“DLAs” in AAMVA-speak).

According to AAMVA and officials of participating states, S2S including SPEXS is “governed” by an AAMVA subcommittee created in 2017 and consisting of representatives from DLAs in each state that has added its residents’ ID data to the SPEXS database. We don’t yet know how much actual authority the SPEXS governing body has, or how it exercises that authority.

SPEXS became a focus of attention in Alaska last year after we pointed out in testimony to the state legislature that he Alaska Department of Motor Vehicles had uploaded information about all Alaska drivers’ licenses and state IDs to SPEXS shortly before seeking legislative approval for the state to take actions to comply with the REAL-ID Act.

Read More

Apr 30 2018

Is your drivers license or state ID in the national REAL-ID database?

One of the major goals of the REAL-ID Act of 2005 was to create, and to pressure state governments to participate in, a national database of drivers’ licenses and state-issued ID cards.

The REAL-ID Act requires that, “To meet the requirements of this section, a State shall … Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

In practice, the only available or affordable way for a state to comply with this part of the REAL-ID Act is to participate in the “State-to-State” (S2S) data sharing system operated by AAMVA and built by an AAMVA contractor, Clerus Solutions. AAMVA says that, “For those states … choosing to comply with REAL ID… the Department of Homeland Security has indicated that participation in S2S will be required for the state to be REAL ID compliant. This is because… the law and regulations governing REAL ID include requirements for state licensing agencies to connect their databases.”

Despite its name, which might be taken as implying that it is merely a messaging system, S2S relies on a centralized national database, “SPEXS”, which contains a record for each  drivers’ license  or ID card issued by any participating state or territory.

The DHS has been certifying states and territories as “compliant” with the REAL-ID Act, without regard for whether they have complied with this provision of the Federal law.

But that begs the question of how many states have uploaded information about how many of their residents to the national database in order to comply with the REAL-ID Act.

Are records of drivers’ licenses and ID cards issued by your state or territory already included in the national database? If not, when will they be?

Read More

Apr 27 2018

DHS still using American Samoans as “REAL-ID” guinea pigs

When last we checked in on the status of DHS threats to harass residents of states and territories that haven’t been sufficiently “compliant” with the REAL-ID Act of 2005, the focus was on the territory of American Samoa.

The REAL-ID Act applies to the District of Columbia and five US territories as well as to the fifty US states. American Samoa is the most distant from the US mainland and one of the smallest in population of these US territories, and is the only place subject to the REAL-ID Act whose native-born residents are not US citizens. There are only two scheduled airline flights a week between American Samoa and any other US state or territory.

Perhaps for these reasons, the DHS in its infinite wisdom unreviewable discretion chose to make American Samoa the test of its threats to “enforce” the REAL-ID Act.

Every other state or territory was either certified as sufficiently compliant with the REAL-ID Act (even though few of them are) or given an extension of time to show a more compliant attitude. But the DHS invoked its REAL-ID “nuclear option” on American Samoa, announcing that  effective February 5, 2018, “a driver’s license or ID issued by American Samoa (AS) will no longer be an acceptable document to board a federally-regulated commercial aircraft.” Air travelers showing ID cards issued by the government of American Samoa are subject to additional “ID verification” and/or “screening” (searches).

So how has the DHS effort to make an example out of American Samoa fared? And what can other states and territories learn from this example?

Basically, (1) the sky didn’t fall, and (2) the DHS blinked (again). The message to other states is that they shouldn’t be panicked into “compliance” by empty DHS threats.

Read More

Jan 31 2018

DHS threatens to harass American Samoan travelers

In the latest installment of the game of chicken between the Department of Homeland Security and US states and territories over the REAL-ID Act of 2005, the DHS has announced that drivers licenses and IDS issued by American Samoa won’t be accepted at TSA checkpoints for “domestic” flights beginning next Monday, February 5, 2018 — unless the DHS, in its standardless discretion, backs down again as it has so many times before, and gives American Samoan travelers a last-minute reprieve.

Why American Samoa? And what will this actually mean?

Read More

Jan 20 2018

All the fake news that’s fit to print about REAL-ID and ID to fly

We’ve been spending a lot of our time lately writing letters to the editor pointing out errors and requesting corrections of news stories reporting DHS propaganda as fact.

Earlier this month, the DHS postponed from January 22, 2018, to October 10, 2018, the date on which it had threatened to have the TSA begin (illegally) interfering with air travel by residents of certain states.  Since neither the January 22, 2018, date nor the choice of which states to threaten was set by law or regulation, but solely by DHS press release, the DHS could and did withdraw its threat merely by issuing another press release.

The DHS had little choice, after its bluff was called by reality (compliance with the REAL-ID Act would require more money, more time, and changes to state laws and in some states incluidng California, changes to state constitutions) and the likelihood of resistance by the flying public (any attempt to prevent residents of certain states from flying without ID would lead to protests at airports and lawsuits that the TSA and DHS would likely lose).

But we are not surprised, given the long history of DHS lies about the REAL-ID Act and ID to fly, that the DHS press release withdrawing the threat of a January 22, 2018, crackdown on air travel without ID by residents of certain states was immediately followed by a renewed DHS public relations campaign of lies about the law and the facts.

DHS press releases should no more be published as “facts” without fact-checking or acknowledgment that they contain contested (and readily refuted) factual and legal claims than should President Trump’s,  President Obama’s, or anyone else’s Tweets.

The New York Times is the latest news outlet to have been taken in, yet again, by this DHS “fake news” campaign, with an article this week on the Times’ website and in the travel section, “Is Your ID Approved for Travel? These Are the Latest Rules“. Many of the DHS falsehoods in this article were reported as facts in an earlier story in the Times in November, 2017, by the same reporter, Shivani Vora. We wrote to Ms. Vora at that time to correct the errors in that story, but received no reply.

To be clear, DHS claims are worthy of reporting as news. It is newsworthy that the DHS has engaged in a decade-long campaign, through both Democratic and Republican Administrations,  of brazen public lies about the REAL-ID Act and ID to fly.

It is equally newsworthy, however, that a “newspaper of record” appears to have made no attempt to fact-check the claims made by DHS spokespeople or to include any other points of view, and repeats demonstrably false DHS claims as undisputed facts even after their falsehood was pointed out to the reporter on the story.

Specifically, the latest article in the New York Times reports the following DHS “fake news” as fact: Read More

Jan 08 2018

DHS postpones threats of REAL-ID Act enforcement

Again postponing its threats to interfere with air travel by residents of “noncompliant” states, the Department of Homeland Security announced today that it has given the last three remaining states either certifications of “compliance” with the REAL-ID Act of 2005, or extensions of time to comply until at least October 10, 2018.

Travelers in all 50 states can continue to ignore the false signs at airports, the false claims being made by state authorities collaborating with the Feds in the national ID scheme, and the blizzard of confused  and error-filled news stories (largely based on unverified and misleading DHS and state government press releases) claiming that U.S. citizens will need to obtain, carry, or show passports or other government-issued ID in order to travel by air.

This does not mean that all or most states have actually complied with the REAL-ID Act or are planning to do so. At most 14 states are arguably compliant with the Federal law.

The plain language of the Federal law requires that, “To meet the requirements of this section, a State shall … Provide electronic access to all other States to information contained in the motor vehicle database of the State.”  Only 14 states are participating in the outsourced SPEXS national ID database set up to enable this nationwide data access:

In addition to the 14 current SPEXS particpants, the contractor managing the national ID database optimistically lists 4 other states as “actively working on implementation.” But none of these states are listed as having signed letters of intent  to join the SPEXS national ID database.

The other 32 states are not compliant with the data-sharing provision of the REAL-ID Act, and have given no indication of intent to comply.

What will happen next?

Read More

Jan 05 2018

A REAL-ID Christmas present from the California DMV

On the Friday before Christmas Monday, when state officials hoped that everyone who might object would be sleeping, the California Department of Motor Vehicles finalized its regulations for partial compliance by the state with the Federal REAL-ID Act of 2005.

The final regulations and a statement of responses to public testimony and comments were posted on the DMV website on December 22, 2017, and went into effect the same day.

The final regulations are essentially unchanged from those the DMV proposed in September 2017, and that we objected to in written comments and in-person testimony at the DMV’s one hearing on the proposal in Sacramento in October.

The DMV’s response to public testimony and comments brushes off our objections, and the objections by other commenters and witnesses, on the basis of repeated invocation of patently false and/or irrelevant and unresponsive legal and factual claims.

Read More