Feb 03 2009

Drive-by reader for RFID drivers licenses and passport cards

Hacker and researcher Chris Paget has demonstrated the ability to read the globally unique serial numbers on RFID chips in passport cards and electronic drivers licenses in the purses and pockets of pedestrians on the street from a passing car, at least 30 feet (9 m) away, and to make cloned copies that broadcast the same ID numbers, using a laptop computer and commercial surplus hardware bought on eBay for $250.

Dec 18 2008

Maryland Seeks to Change License Policy on Immigration In Order to Implement REAL ID System

Maryland’s governor and transportation secretary have announced that they will seek legislation to change the state’s long-standing policy on driver’s license registration and require proof of legal residence before issuing the cards to state residents. Maryland is hoping to make this change as it begins implementing the federal REAL ID national identification system. The governor had rejected a previous proposal for a two-tier system that would have allowed the issuance of a lower-tier license to individuals unwilling to show such proof.

According to the Maryland Motor Vehicle Association’s site, REAL ID implementation means that “Effective January 1, 2010, individuals applying for a new license will be required to show documentation to prove that they are in the United States legally.” Driver’s license applicants will have to show “Documents such as Social Security Card, U.S. Birth Certificate, U.S. Naturalization of Citizenship, Valid U.S. Passport, Valid Foreign Passport with Visa, U.S. Permanent Residency Card” or other documents to prove their legal presence in the United States.

We have previously detailed the many privacy and security problems that arise from requiring such documentation for a state driver’s license, but let’s focus on the immigration issue that Maryland is attempting to address.

Dec 02 2008

As DHS Secretary, Napolitano Should Halt REAL ID System

The New York Times has a story today about Arizona Gov. Janet Napolitano’s nomination as Obama’s Secretary of Homeland Security. The story states that in this new position, Napolitano would have to lead the REAL ID program, a national identification scheme that DHS is attempting to foist on the states. As governor of Arizona, Napolitano signed legislation to join 10 other states in rejecting this national ID program.

The substantial civil liberty problems inherent in this scheme to create a national database of the country’s driver’s license and state ID cardholders won’t disappear if Napolitano replaces Michael Chertoff as the head of DHS. Napolitano should stick to her beliefs and reject this system. As governor, Napolitano focused on the high cost of implementing this national ID system to the states, and these costs will remain substantial if the new administration implements the system created under Chertoff.

In The Identity Project’s recommendations to the Obama transition team, we urged the repeal of REAL ID. Besides the civil liberty problems, REAL ID also has security problems. Those of us who have been following the REAL ID issue, as well as other identification-based security programs, know that there is no sure way for an individual to prove his or her identity based merely on documents that can be easily forged. Therefore, REAL ID would create a system that people would trust even though they shouldn’t — because criminals and terrorists can spend the time and money necessary to forge these “trusted” ID cards.

REAL ID is a fundamentally flawed national ID system for which there is no fix. It must be repealed, and Napolitano should halt the implementation when she takes office.

Nov 10 2008

The Obama Administration and the Right to Travel

The Obama Administration promises change, and invites suggestions for their agenda.

Since they’ve asked, here are the first things we think the new administration should do to restore our right to travel, and to address the issues of ID requirements and identity-based government surveillance and control of travel and movement.

Some of these can be accomplished with the stroke of a pen on Inauguration Day in January, through Presidential proclamations and directives to Executive staff and agencies. Others can be ordered by the President, but will require a slightly longer process to comply with administrative notice and comment requirements for changes to (and, in many cases, withdrawal of) Federal regulations. Others will require legislation, which we urge the Presidential transition team and members of Congress to begin drafting so they can take action early in the new Congressional session. If asked, we would be available to advise and participate in this process. Finally, Senators should question nominees for Executive appointments – especially those nominated to be the new Secretary of Homeland Security and the Administrator of the TSA – about how they will address specific, important issues from the day they take office. These questions are detailed below (and also available here in PDF format).

Executive Orders:

  1. Reaffirm Executive Order 13107 on Implementation of Human Rights Treaties, and instruct heads of agencies to ensure that it is carried out. As part of his agenda, President-Elect Obama has promised to “strengthen civil rights enforcement,” and this should include enforcement of rights guaranteed by international human rights treaties to which the U.S. is a party. In particular, President-Elect Obama should extend Executive Order 13107 to explicitly mandate consideration of international human rights treaties in Federal agency rulemakings that could implicate rights protected under those treaties — such as the freedom of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights (ICCPR).

Oct 03 2008

California Governor Rejects Bill That Would Implement REAL ID System

California Gov. Arnold Schwarzenegger has vetoed SB 60. The legislation would have created a two-tier driver’s license system that would have allowed for the issuance of licenses to undocumented immigrants while at the same time formally adopting the REAL ID Act’s national identification system in California.

Specifically, SB 60 said:

SEC. 2. The Legislature intends by the enactment of this act to accomplish the following:
(a) Meet or exceed the document and issuance standards set forth in the federal Real ID Act of 2005 (Public Law 109-13), to ensure that California has a federally recognized and acceptable driver’s license and identification card.
(b) Provide driver’s licenses that permit driving, but cannot be used for federal identification purposes, consistent with the federal Real ID Act of 2005, to California drivers that cannot meet the minimum identity confirmation requirements necessary to obtain a federally recognized driver’s license or identification card.

In a statement (PDF) accompanying the veto, Gov. Schwarzenegger focused on the immigration implications of the REAL ID Act. He explained, “This bill does not specify how DMV would validate the identity of individuals who do not have documented proof that their presence in the United States is authorized under federal law. I have previously stated that the ability to verify documents used to establish an identity must include a way to determine whether an individual is who he or she purports to be.”

Oct 02 2008

Congress Passes Continuing Resolution, Includes $100M for REAL ID

Over the weekend, Congress passed H.R. 2638, a Fiscal Year 2009 Continuing Resolution that includes funding for federal agencies through March. President Bush signed the bill into law earlier this week. H.R. 2638 includes a provision granting $100 million for state implementation of REAL ID. (These funds are in addition to the $79 million in grants DHS gave to states for REAL ID implementation earlier this year.)

H.R. 2638 reads:

SEC. 547. For grants to States pursuant to section 204(a) of the REAL ID Act of 2005 (division B of Public Law 109-13), $50,000,000, to remain available until expended. In addition, for developing an information sharing and verification capability with States to support implementation of the REAL ID Act, $50,000,000, to remain available until expended: Provided, That none of the funds provided in this section for development of the information sharing and verification system shall be available to create any new system of records from the data accessible by such information technology system, or to create any means of access by Federal agencies to such information technology system other than to fulfill responsibilities pursuant to the REAL ID Act of 2005.

“Verification hub” is just the latest euphemism for the national identification system DHS seeks to create by linking the motor vehicle databases of all 56 states and territories. This massive national database could contain data on all 240 million driver’s license and ID cardholders nationwide, if all the states and territories agree to implement the national ID system.

Sep 29 2008

New York Begins Issuing RFID-Enabled “Enhanced” Driver’s Licenses

The state of New York has begun issuing (pdf) so-called “enhanced” driver’s licenses (or EDLs). These licenses contain RFID tags and include the individual’s citizenship status on the face of the cards. They are issued under the Department of Homeland Security’s “Western Hemisphere Travel Initiative” and will be used as alternatives to passports for crossing the US border.

According to DHS, the “long-range” RFID tag would include a unique number that Customs and Border Protection would “read” as you drove up to the checkpoint and use that unique number to link to your individual name and file. (Such long-range tags can be read from a distance of 70 feet or more.) There are numerous privacy and civil liberty problems connected with using RFID tags in identification documents. Some EDL critics would surprise you: the RFID industry, the Government Accountability Office, and the DHS’s own Data Privacy and Integrity Advisory Committee.

The DHS Data Privacy and Integrity Advisory Committee urged (pdf) that long-range RFID only be used in ID documents if RFID is the “least intrusive means,” because there are significant privacy and security drawbacks.

The Government Accountability Office also has urged (pdf) against the use of RFID to track people, testifying that:

Jul 10 2008

Auditor: Colorado DMV Security So Poor That It Puts Cardholders At Risk of Identity Theft

A report from the Colorado State Auditor reveals that the state DMV’s data security system is so flawed that it puts the personal information of 3.4 million driver’s license and state ID cardholders at risk of identity theft or fraud. The State Auditor told the Colorado legislature that, among other things, the Colorado DMV “does not have adequate processes for mitigating the risk of employee-perpetrated fraud or measuring the effectiveness of its improvements to the issuance system” and “the Department’s management of information security is fragmented, disorganized, and poorly planned.”

The State Auditor explained that the DMV transmitted large batches of personally identifiable data unencrypted. “These batch transmissions could be intercepted by unscrupulous individuals and expose Colorado residents to identity theft and other criminal activity.” A significant problem is that “the Department lacks a tracking mechanism for collecting and analyzing statistics on the effectiveness of its controls for preventing fraudulent issuances [of licenses or ID cards]. As such, the Department cannot determine whether additional controls or system enhancements are needed.”

Under the REAL ID national identification system being pushed by the US Department of Homeland Security, the databases of 56 states and territories would be linked, allowing any individual state to access all of the others’ information. This massive, centralized system would include the personal data of 245 million license and ID cardholders nationwide. It would be a tempting target for identity thieves, because if a criminal could break just one state’s data security system, then he would have access to the sensitive data retained by all 56 states and territories.

Jun 27 2008

Target Store Scans Driver’s License / ID Card Data

George Hulme at InformationWeek has an interesting story about a Target store scanning his driver’s license when he went to buy Nicorette gum:

Now, during checkout, the cashier asks to “see” my driver’s license. Alright, since I’ve been carded before buying controlled substances, I figure she needs to check my age.

Before I have a chance to realize exactly what’s going on, the cashier swipes my driver’s license through the register. The machine then kicks and spasms out my receipt. Whoa!

I inquire, “What information, if any, was captured from my license?”

I get that deer-in-the-headlights what-ya-talk’n-bout glaze. She’d never thought about, or was apparently never asked, why she was physically scanning driver’s licenses.

“You asked to ‘see’ my license, but you swiped it. Big difference,” I say.

The cashier has no idea how to answer his question. Hulme leaves a message at Target’s press office asking whether his data was merely scanned to verify age or whether all of his license data was downloaded by Target and, if so, what the reason for this data capture was and how long they were going to keep his data. No answer. He also e-mailed Target customer service and got a response. But it was a non-response. Read his full story.

Note that the final regulations for the REAL ID national identification system include an unencrypted machine-readable zone. This means that anyone with an off-the-shelf card reader could swipe and download your personal data. And DHS Secretary Chertoff wants everyone to use this national ID card to “cash a check, hire a baby sitter, board a plane or engage in countless other activities,” so all of those situations could lead to your data being downloaded and retained.

Has your license or ID card data been swiped and retained by a store, bank, bar, club or other business? Tell us about it. E-mail jph AT papersplease.org

Jun 24 2008

AAMVA Is Big Winner in DHS Grants to States for REAL ID Implementation

DHS recently announced $79 million in grants to states for REAL ID implementation. DHS said it “awarded $17 million to Missouri to lead the development of the verification hub. Four other states – Florida, Indiana, Nevada, and Wisconsin – will each receive $1.2 million to partner with Missouri for verification hub testing and implementation.”

Homeland Security Today investigated the details of the grants, and it’s clear that AAMVA is the big winner. The site reveals, “The breakdown of awards, obtained by HSToday.us, signifies that AAMVA effectively gains a no-bid contract under the awards, as DHS designates it the sole national centralized database of driver’s license information under REAL ID through a grant award to the state of Missouri.” (emphasis ours).

DHS sources told Homeland Security Today, “A competitive grant process could have resulted in multiple hub awards instead of a sole-source contract to AAMVA, sources argue, decentralizing REAL ID information somewhat and encouraging the rise of the most effective database solution between competing vendors.”

It is not surprising that DHS would ensure there would be a single database system. Currently, the states all have their own databases. The point of the REAL ID national identification system is to meld the information from 56 states and territories and create a single database filled with the personal data of all 240 million license and ID cardholders nationwide.