Previously unpublished information we’ve recently obtained from the contractor that developed the SPEXS database at the center of state “compliance” with the REAL-ID Act — the national database of drivers license and state ID details that the DHS and supporters of the REAL-ID Act keep claiming doesn’t exist — shed new light on how the system will work.

Unfortunately, these new documents and statements show that SPEXS will replicate many of the worst problems of poor data quality and lack of accountability of the NCIC database used by the FBI to store criminal history “rap sheets” of warrants, arrests, and dispositions of criminal cases: convictions, diversions, withdrawals, dismissals, acquittals, appellate decisions, etc.

Like SPEXS, NCIC aggregates data sourced from agencies in every state, the District of Columbia, and the US territories of Puerto Rico, the U.S. Virgin Islands, American Samoa, Guam, and the Northern Mariana Islands.  The FBI operates the aggregated database, but disclaims any responsibility for the accuracy of the data it stores, indexes, and distributes.

As we noted in our previous post, the FBI has exempted NCIC records from the requirements of the Privacy Act for accuracy, relevance to a lawful purpose, access by data subjects, and correction of errors.  That should mean that NCIC records can’t be relied on, but the Supreme Court has ruled that an entry in NCIC provides sufficient legal basis for an arrest.

NCIC is the poster child for the evil consequences of reliance on “garbage in, garbage out” aggregated and unverified data as a basis for government decision-making. Inevitably, NCIC records are riddled with errors. Law enforcement agencies are quick to report arrests and newly-issued warrants to NCIC, but have nothing to gain by ever reporting when charges are dismissed or a warrant is quashed. Who knows when some other police agency might find it convenient to rely on an NCIC record of a long-since-quashed warrant as a basis for authority to arrest and search someone who they would otherwise have to let walk away?

We know from long and bad experience with NCIC just where this leads. Innocent people are arrested every day in every state on the basis of erroneous NCIC records. SPEXS replicates the “garbage in, garbage out” unverified multi-source data aggregation model of NCIC, and will replicate its data quality and accountability problems along with its architecture.

Like NCIC, SPEXS is intended to be relied on as the basis for government decisions, specifically, enforcement of the requirement of the REAL-ID Act that a person may not have more than one valid REAL-ID Act compliant drivers license or ID at a time. We fail to see any valid purpose to this provision of the law. Given that states have different and independent licensing requirements, what harm is done by a person having independently satisfied the requirements to operate motor vehicles in more than one state, and having independently been issued credentials by these several states attesting to this fact?  But regardless of the rationale for this law, the justification for the existence of SPEXS is to enable states to refuse to issue a drivers license or state ID to a person if SPEXS shows a record of an outstanding license or ID in any other state or territory for a person believed (according to a secret SPEXS matching algorithm) to be the same person as the applicant.

The inevitable outcome is that some people’s applications for new or renewal drivers licenses or state IDs will be denied by state authorities on the basis of erroneous data in SPEXS records. Perhaps they have been mis-matched with a person in another state with the same or a similar name and date of birth. Perhaps an identity thief has used their name, DOB, and Social Security number to get a license or ID in another state. Perhaps they cancelled their license or ID in another state, but that fact wasn’t reported by that state to SPEXS, or the cancellation message wasn’t received by the SPEXS operator or wasn’t properly processed into the SPEXS database. Perhaps the expiration date of their old license or ID was mis-reported or improperly recorded. Perhaps a record was mis-coded, such as by mis-attributing a record to the wrong state. Perhaps a record of a license or ID that has since been cancelled was left in SPEXS by a state or territory that has withdrawn from SPEXS participation.

What recourse will any of these people have? Not much, not easily, and in some cases none at all.

Read More →

[A “complete” response from DHS to a FOIA request, with “no deletions”. Click image for larger version.]

A Freedom of Information Act request we made to the Department of Homeland Security hasn’t told us much about what we asked about, but has given us an object lesson in how the DHS practices “transparency”.

An August 2015 document posted on the DHS.gov website revealed that the DHS is systematically collecting data on how many people have been denied access to Federal facilities because they were unable or unwilling to show ID credentials deemed to “comply” with the REAL-ID Act:

Your agency should also have a process for recording the number of encounters of individuals presenting driver’s licenses from noncompliant states for purpose of accessing Federal facilities. This data should be sent monthly to DHS (OSIIS@hq.dhs.gov) for collection no later than the tenth day of each month. DHS will use this data to evaluate the impact of REAL ID enforcement on the public. See Appendix E for a sample report template.

In January of 2016, we submitted a FOIA request to the DHS to the DHS for these reports.  Five months later, after repeated follow-up inquiries, we finally received this mockery of a “response”. It was dated in May, but we didn’t receive it until June, because it was sent to a mis-typed email address and our repeated email and voicemail messages requesting information on the status of the request were ignored. Our request was submitted by email, so it’s not clear why the address on the response was retyped rather than being sent as a “reply” to our message.  But that’s the least of the problems with the DHS response to our request.

Read More →

[As of February 2016, only the 4 states colored green on the map above are compliant with the REAL-ID Act. Map courtesy of Clerus Solutions, contractor for S2S.]

How many states have actually complied with the REAL-ID Act of 2005? Only four out of fifty-six states and US territories, we’ve recently learned.

The US Department of Homeland Security is trying hard to convince reluctant state governments that resistance to the REAL-ID Act is futile, because most of the other states and US territories have already complied or agreed to do so.

A DHS map shows only five “noncompliant” states that are the target of current DHS threats, while the DHS list of the Current Status of States/Territories alleges that 22 states and the District of Columbia “are compliant with the REAL ID Act.”

Are any of these DHS claims true? No.

The REAL-ID Act requires any state or territory that wants to issue driver’s licenses or state ID cards acceptable for “Federal purposes” to, “Provide electronic access to all other States to information contained in the motor vehicle database of the State.”  A state that does not give other states full access to its database of drivers and ID cardholders is not “compliant” with the Federal law.

As we’ve previously reported, the only system currently available (or likely to be made available, given the cost and complexity of developing an alternative) for states to make their driver’s license and ID databases accessible to other states is the S2S system operated by the AAMVA. This included the SPEXS “pointer” database — the centrally-located national ID database the DHS keeps claiming doesn’t exist — with information about all REAL-ID compliant licenses, ID cards, drivers, and cardholders.

How many states actually participate in S2S and SPEXS?  Unable to find any published information about this, we asked Chrissy Nizer (Maryland’s Motor Vehicle Administrator) and Nancy Carlson (Senior Business Analyst for Clerus Solutions, the prime contractor to AAMVA for the development of the S2S and SPEXS system), who were until recently identified publicly as points of contact for S2S and SPEXS.

In response to our last blog post about REAL-ID, which included diagrams and the list of the fields in the national REAL-ID database from the SPEXS specifications, AAMVA moved the SPEXS specifications and the entire “State-to-State” section of its website behind a login firewall. AAMVA also blocked the S2S software download directory of their website from Web crawlers.

But we did, somewhat to our surprise, eventually receive a polite response from Ms. Carlson, providing us with the S2S status map at the top of this article and some additional information about the national “pointer” database. To quote Ms. Carlson:

• In August 2015, Wisconsin was the first state to participate in S2S.  North Dakota joined in November 2015. Maryland joined in early February 2016 and Indiana joined in February 2016. We have a total of 15 states that have signed Letters of Intent to participate in S2S. All 15 pilot states plan to implement the service by December of 2016.
• The map [above] shows the current status of the states with respect to S2S.
• The S2S pointer index is operated by the American Association of Motor Vehicle Administrators (AAMVA) at a datacenter located in Virginia.  AAMVA is providing these services under contract to the Mississippi Department of Public Safety (MSDPS).

States and territories that aren’t compliant with the REAL-ID Act are in good company, and should stand firm.  Fifty-two of the total of 56 states, US territories, and the District of Columbia are not yet making their state databases available to other states, as will eventually be required if they choose to comply.

[The REAL-ID “hub” connects state and Federal agencies, private commercial third parties, and centralized, national database files.  AAMVA SPEXS Master Specification (AMIE), r6.0.8, page 5]

One of the big lies being told by supporters of the REAL-ID Act of 2005 is that, as the DHS says on its official “Rumor Control” page, “Fact: REAL ID does not build a national database nor does it grant the Federal Government or another state access to a state’s driver’s license data.” According to another DHS Web page, “REAL ID Frequently Asked Questions for the Public“:

Q: Is DHS trying to build a national database with all of our information?
No. … REAL ID does not create a federal database of driver license information.

In fact, as we’ve been pointing out and as others have noted, the REAL-ID Act is both building a national database and requiring any state that wants to issue drivers’ licenses or state ID cards that are “compliant” with the REAL-ID Act to grant all other states access to their state’s drivers’ license and ID card data.

Many state legislators and residents of states that are considering whether to start issuing “compliant” driver’s licenses are concerned about (a) whether this would affect residents of those states who “opt out” or choose not to have a gold-starred compliant license (it would, as we’ve discussed previously), (b) whether there would be a central database or list of all drivers or ID cardholders (there would be, as discussed below), and (c) what we mean when we say that the goal of the REAL-ID Act is the creation of a “distributed” national ID database in which a single query routed through the central “hub” can retrieve data from every state ID database.

Here’s what we’ve been able to find out about the centralized national ID database the DHS  claims doesn’t exist, what information it contains, how it works, and who operates it:

Read More →

Under the pressure of empty (but scary) threats by the Federal government to harass residents of states whose governments the DHS doesn’t deem sufficiently “compliant” with the REAL-ID Act of 2005, many state governments are trying to find ways to “comply” with DHS desires without selling out their residents’ rights.

State legislatures in New Hampshire, New Mexico, Minnesota, Oklahoma, and Missouri, among others, are currently considering bills that would create “two-tier” systems of compliant and noncompliant driver’s licenses and state ID cards in, and would allow individual residents of those states to “opt out” of having driver’s licenses or state IUD cards that comply with the REAL-ID Act.

Some of the sponsors of these bills mean well, but what they are proposing — whether or not they realize it — is capitulation, not compromise.  Worse, these”two-tier” systems would give state residents who “opt out” of having a compliant license an illusion of security, while their personal information from state records would in fact be included in the nationally distributed ID database.

In order to put a gold star for REAL-ID Act compliance on anyone’s driver’s license or state ID card, the REAL-ID Act requires each state to make its entire database of information about all holders of driver’s licenses and state ID cards accessible to all other states and territories.  States can choose to issue noncompliant ID cards without the gold star to individuals who opt out of providing birth certificates and other documents or complying with other provisions of the REAL-ID Act. But the Federal law doesn’t let states give individuals a choice about having their information in the database.

In order for anyone in a state to get a compliant license or state ID card, information about everyone with any sort of driver’s license or state-issued ID card must be included in the database made available to all other states and territories.

As soon as a state issues its first gold-starred license or ID, it is committed to share its entire database of information about everyone with any sort of state-issued ID card. The only way for a state to opt-out of the REAL-ID Act distributed national ID database is not to issue any compliant licenses or ID cards.

The DHS hasn’t included compliance with the database access provisions of the REAL-ID Act in its discretionary criteria for granting states temporary transitional certifications of “material progress” toward compliance, or extensions of time to comply fully. But eventually, once the DHS deems the transitional period over and begins to base its decisions on full compliance, the Federal law leaves it no more discretion. States will then have to decide either to not to comply and to invalidate all the gold-star licenses they have issues during the transition period, or to comply and give all other states access to information about all state license or ID holders, including those with noncompliant cards who think they have “opted out” of national database access.

Many of the sponsors of these “opt-out” bills say they oppose the REAL-ID Act, but want to provide a “choice” for residents who “need” a REAl-ID Act compliant ID. Who exactly are these people, and why do they “need” compliant state-issued ID cards? Read More →