Tag: dhs

Does the PASS ID Act Protect Privacy?

I’ve written about PASS ID here a couple of times before - first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.

The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.

“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.

Interstate Data Sharing?

First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.

Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.

How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.

Just like REAL ID, PASS ID would require states to share driver data on a very large scale. It just doesn’t say so. As with REAL ID, the security weaknesses of any one state’s operations would accrue to the harm of all others.

Mission Creep?

Second, CDT says that PASS ID “[l]imits the ‘official purposes’ for which federal agencies can demand a PASS ID driver’s license, thereby helping prevent ‘mission creep.’” Again, it’s technically true, but materially false.

REAL ID had an open-ended list of “official purposes” - things that the homeland security secretary could require a REAL ID for. PASS ID is not so open-ended, but that is a small impediment to only one form of mission creep.

PASS ID places no limits on how the DHS, other agencies, and states could use the national ID to regulate the population. It simply requires the DHS to use PASS ID for certain purposes. A simple law change or amendment to existing regulation would expand those uses to give the federal government control over access to employment, access to credit cards, voting - CDT’s own PolicyBeta blog called a plan to use REAL ID to control cold medicine a “terrifying” example of mission creep. And these are just the ideas that have already been floated.

When I testified before the Senate Judiciary Committee on REAL ID in May 2007, I spoke about what we had recently heard in a meeting of the DHS Privacy Committee:

Ann Collins, the Registrar of Motor Vehicles from the State of Massachusetts, … said, “If you build it, they will come.” What she meant by that is that if you compile deep data bases of information about every driver, uses for it will be found. The Department of Homeland Security will find uses for it. Every agency that wants to control, manipulate, and affect people’s lives will say, “There is our easiest place to go. That is our path of least resistance.”

PASS ID is the same medium for mission creep that REAL ID is. The problem is with having a national ID at all - not with what its enabling legislation says.

Privacy Protections?

Next, CDT says that PASS ID requires “privacy and security protections for PII stored in back-end motor vehicle databases.” (“PII” means “personally identifiable information.”)

A glaring oversight of REAL ID - and the competition for glaring oversights was fierce - was to omit any requirement for privacy and security of the databases states would maintain and share on behalf of the federal government. The DHS took pains in the REAL ID rulemaking to drain this swamp. It tried to require minimal information collection for identity verification and minimal information display on the card and in the machine readable zone. (It failed in important ways, as I will discuss below.) The REAL ID regulation required states to file security plans that would explain how the state would protect personally identifiable information. And it said it would produce a set of “Privacy and Security Best Practices.” None of this mollified REAL ID opponents, and the privacy bromides in the PASS ID Act won’t either.

One of the more interesting privacy “protections” in the PASS ID Act is a requirement that individuals may access, amend, and correct their own personally identifiable information. This is a new and different security/identity fraud challenge not found in REAL ID, and the states have no idea what they’re getting themselves into if they try to implement such a thing. A May 2000 report from a panel of experts convened by the Federal Trade Commission was bowled over by the complexity of trying to secure information while giving people access to it. Nowhere is that tension more acute than in giving the public access to basic identity information.

The privacy language in the PASS ID Act is a welcome change to REAL ID’s gross error on that score. At least there’s privacy language! But creating a national identity system that is privacy protective is like trying to make water that isn’t wet.

Limits on Use of Card Data?

CDT’s final defense of PASS ID is the presence of meager limits on how data collected from national ID cards will be used. Much like with mission creep, the statutory language is beside the point, but CDT points out that PASS ID “prohibits states from including the cardholder’s social security number in the MRZ and places limits on the storage, use, and re-disclosure of that information.”

“MRZ” stands for “machine-readable zone.” In the PASS Act and REAL ID Act, this is referred to as “machine-readable technology,” and in the REAL ID rulemaking, the DHS selected a 2D barcode standard for the back of REAL ID licenses and IDs. Think of government officials scanning your license the way grocery clerks scan your toilet paper and canned peaches.

It’s true that the PASS ID Act bars states from including the Social Security number in that easily scanable data, but it doesn’t prohibit anything else from being scanned - including race, which was included in DHS’ standard for REAL ID.

And don’t think that limits on the storage, use, and re-disclosure of card information would have any teeth. It would create a new crime: scanning licenses, reselling or trading information from them, or tracking holders of them “without lawful authority,” but it’s not clear what “without lawful authority” means. It would probably allow people to give implied permission for all this data-collection and -sharing by handing their cards to someone else. It would certainly allow governments to authorize themselves to collect and trade data from cards en masse.

Not that we should want this “protection.” The last thing we need is another obtusely defined federal crime. Nearly as bad as being required to carry a national ID is making it illegal for people to collect information from it when you want them to!

And in Some Ways PASS ID is Worse

But let’s talk some more about that machine-readable zone. When Congress passed REAL ID, suspicion was strong that the “MRZ” would be an RFID chip - a tiny computer chip that can be read remotely by radio.

Recognizing the insecurity of such devices - and the strong public opposition to it - DHS declined to adopt RFID for the REAL ID Act. It did, however, work with a few states and the U.S. State Department to develop an RFID-chipped license that it calls the “enhanced driver’s license.” This has a long read-range chip that will signal its presence to readers as much as fifteen or twenty feet away. The convenience gain DHS and State sought for themselves at the border would be a privacy loss, as scanning cards could become commonplace in doorways and other bottlenecks throughout the country - your whereabouts recorded regularly, as a matter of course, by public and private entities.

Why do we care about “enhanced drivers licenses”? Because the PASS ID Act would ratify them for use as national IDs. States could push their residents into using these chipped cards if they didn’t want to implement every last detail of PASS ID.

Needless to say, ID cards with long-distance (including surreptitious) tracking are a step backward for privacy. This is one sense in which PASS ID is worse than REAL ID.

Consider more carefully also what PASS ID and REAL ID are about in terms of biometrics. Both require states to “[s]ubject each person applying for a driver’s license or identification card to mandatory facial image capture.”

States across the country are using driver license photos to implement facial-recognition software that will ultimately be able to track people directly - nevermind whether you have an RFID-chipped license or show your card to a government official. They are aiming at preventing identity fraud, of course, but with advancing technology, before too long you will be subject to biometric tracking simply because you posed for an unsmiling digital photo at the DMV. REAL ID and PASS ID are part and parcel of promoting that.

Does PASS ID address “most of the major privacy and security concerns with REAL ID”? Not even close. PASS ID is a national ID, with all the privacy consequences that go with that.

Changing the name of REAL ID to something else is not an alternative to scrapping it. Scrapping REAL ID is something Senator Akaka (D-HI) proposed in the last Congress. Fixing REAL ID is an impossibility, and PASS ID does not do that.

UK Home Secretary Abandons National ID

The UK has been operating in parallel to the United States on the national ID question, and rumors about the collapse of the UK national ID have been circulating for a couple of years.

Now comes word that Home Secretary Alan Johnson will scrap the national ID card system, making it voluntary. When volunteers fail to materialize, it is easy to anticipate that it will disappear entirely.

This is another thing U.S. Homeland Security secretary Janet Napolitano might want to note as she struggles with with national ID issue here.

Calling Secretary Napolitano: Arizona to Reject EDLs

Department of Homeland Security Secretary Janet Napolitano has been all over the map on national ID issues. As governor of Arizona, she signed a memorandum of understanding with the Bush DHS to implement “enhanced driver’s licenses” in her state. These are licenses with long-range RFID chips built into them. But then she turned around and signed legislation barring implementation of the REAL ID Act in Arizona.

Now, having taken federal office, she again favors REAL ID – or at least under its new name: PASS ID. (Her efforts to put distance between REAL ID and PASS ID have not borne fruit.)

In some respects, PASS ID is worse than REAL ID. It would give congressional approval to the “enhanced driver’s license” program – invented by DHS and State Department bureaucrats to do long-range (and potentially surreptitious) identification of people holding this type of card. Back home, the Arizona legislature has just passed a bill to prohibit the state from implementing EDLs.

So the former governor of Arizona, who has both supported and rejected national ID programs, now supports a bill to approve the national ID program her home state rejects. Napolitano seems to be taking the national ID tar baby in a loving embrace.

Cyber Security “Facts”

National Journal’s “Expert Blog” on National Security asked me late last week to comment on the question, “How Can Cyberspace Be Defended?” My comment and others went up yesterday.

My response was a fun jaunt through issues on which there are no experts. But the highlight is the response I drew out of Michael Jackson, the former #2 man at the Department of Homeland Security.

It does little to promote serious discourse about the truly grave topic of cyber security threats to begin by ridiculing DHS and DOD as “grasping for power” or to suggest that President Obama has somehow been duped into basing his sensible cyber strategy on “a lame and corny threat model called ‘weapons of mass disruption.’” It shows ignorance of the facts to deny that cyber vulnerabilities do indeed present the possibility of “paralyzing results.”

Jackson neglects to link to a source proving the factual existence of “paralyzing” threats to the Internet – he’d have to defeat the Internet’s basic resilient design to do it. (Or he has collapsed the Internet, the specific way of networking I was talking about, with “cyber” – a meaningless referent to everything.) But the need for tight argument or proof is almost always forgiven in homeland security and cyber security, where the Washington, D.C. echo-chamber relentlessly conjures problems that only an elite bureaucracy can solve.

In another comment – not taking umbrage at mine, but culturally similar to Jackson’s – Ron Marks, Senior Vice President for Government Relations at Oxford-Analytica, says, “Cyberterrorism is here to stay and will grow bigger.” The same can be said of the bogeyman, but the bogeyman isn’t real either.

(To all interlocutors: Claiming secrecy will be taken as confessing you have no evidence.)

Jackson’s close is the tour de force though: “Good people are working hard on these matters, and they deserve our unwavering financial and personal support. For now and for the long-term.”

A permanent tap on America’s wallets, and respect on command? Sounds like “grasping for power” to me.

And Your Freedom to Travel Takes Another Step Back

Yesterday, the Department of Homeland Security announced that it would begin a further attempt to implement the Western Hemisphere Travel (Restriction) Initiative.

WHTI is a congressionally mandated program to increase the documentation required for travel to and from neighboring countries. It’s a classic example of self-injurious overreaction to terrorism. The costs we incur for this program vastly outstrip the harms it averts. I have blogged about it here before. In a turn of phrase Orwell would love, a DHS blog post on the topic characterized the goings-on as “Boosting Border Security and Efficiency.”

In January 2008, I wrote about the border bedlam that would ensue when the DHS implemented WHTI as it had threatened to do, but the DHS was bluffing. A post on the Identity Project has a bevy of links and information, and an interesting take on things. It’s called “Today We’re All Prisoners in the USA.”

Questions for Heritage: REAL ID

The Heritage Foundation’s “The Foundry” blog has a post up called “Questions for Secretary Napolitano: Real ID.”

Honest advocates on two sides of an issue can come to almost perfectly opposite views, and this provides an example, because I find the post confused, wrong, or misleading in nearly every respect.

Let’s give it a brief fisking. Below, the language from the post is in italics, and my comments are in roman text:

Does the Obama Administration support the implementation of the Real ID Act?

(Hope not … .)

Congress has passed two bills that set Real ID standards for driver’s licenses in all U.S. jurisdictions.

REAL ID was a federal law that Congress passed in haste as an attachment to a military spending bill in early 2005. To me, “REAL ID standards” are the standards in the REAL ID Act. I’m not sure what other bill the post refers to.

Given the legitimate fear of REAL ID creating a federal national ID database, section 547 of the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009 barred the creation of a new federal database or federal access to state databases with the funds in that bill. (Thus, these things will be done with other funds later.)

The Court Security Improvement Act allowed federal judges and Supreme Court Justices to withhold their addresses from the REAL ID database system, evidently because the courts don’t believe the databases would be secure.

And in the last Congress, bills were introduced to repeal REAL ID in both the House and Senate. Congress has been backing away from REAL ID since it was rammed through, with Senators like Joe Lieberman (I-CT) calling REAL ID unworkable.

It’s unclear what the import of the sentence is, but if it’s trying to convey that there is a settled consensus around the REAL ID law, that is not supported by its treatment in Congress.

The Real ID legislation does not create a federal identification card, but it does set minimum security standards for driver’s licenses.

This sentence is correct, but deceptive.

REAL ID sets federal standards for state identification cards and drivers’ licenses, refusing them federal acceptance if they don’t meet these standards. Among those standards is uniformity in the data elements and a nationally standardized machine readable technology. Interoperable databases and easily scanned cards mean that state-issued cards would be the functional equivalent of a federally issued card.

People won’t be fooled if their national ID cards have the flags of their home states on them. When I testified to the Michigan legislature in 2007, I parodied the argument that a state-issued card is not a national ID card: “My car didn’t hit you — the bumper did!”

All states have either agreed to comply with these standards or have applied for an extension of the deadline.

It’s true that all states have either moved toward complying or not, but that’s not very informative. What matters is that a dozen states have passed legislation barring their own participation in the national ID plan. A couple of states received deadline extensions from the Department of Homeland Security despite refusing to ask for them. Things are not going well for REAL ID.

Secure identification cards will make fraudulent documents more difficult to obtain and will also simplify employers’ efforts to check documents when verifying employer eligibility.

It’s true that REAL ID would make it a little bit harder to get - or actually to use - fraudulent documents, because it would add some very expensive checks into the processes states use when they issue cards.

It’s not secure identification cards that make fraudulent documents harder to obtain - the author of this post has the security problems jumbled. But, worse, he or she excludes mentioning that a national ID makes it more valuable to use fraudulent documents. When a thing is made harder to do, but proportionally more valuable to do, you’ll see more of it. REAL ID is not a recipe for a secure identity system; it’s a recipe for a more expensive and invasive, but less secure identity system.

Speaking of invasive, this sentence is a confession that REAL ID is meant to facilitate background checks on American workers before they can work. This is a process I wrote about in a paper subtitled “Franz Kafka’s Solution to Illegal Immigration.” The dream of easy federal background checks on all American workers will never materialize, and we wouldn’t want that power in the hands of the federal government even if we could have it.

Real ID is a sensible protection against identify fraud.

The Department of Homeland Security’s own economic analysis of REAL ID noted that only 28% of all reported incidents of identity theft in 2005 required the presentation of an identification document like a driver’s license. And it said REAL ID would reduce those frauds “only to the extent that the [REAL ID] rulemaking leads to incidental and required use of REAL ID documents in everyday transactions, which is an impact that also depends on decisions made by State and local governments and the private sector.”

Translation: REAL ID would have a small, but speculative effect on identity fraud.

Congress is set to introduce legislation next week that could largely repeal the Real ID.

The bill I’ve seen is structured just like REAL ID was, and it requires states to create a national ID just like REAL ID did. REAL ID is dying, but the bill would revive REAL ID, trying to give it a different name.

Some groups oppose this version of REAL ID because it takes longer to drive all Americans into a national ID system and frustrates their plans to do background checks on all American workers. But it’s still the REAL ID Act’s basic plan for a national ID.

The Administration should put pressure on Congress to ensure that this legislation does not effectively eliminate the Real ID standards.

Why the administration would pressure Congress to maintain the national ID law in place - by any name - is beyond me. REAL ID is unworkable, unwanted, and unfixable.

Homeland Security Secretary Janet Napolitano signed legislation as Arizona’s governor to reject the REAL ID Act. Her predecessor at DHS, Michael Chertoff, talked tough about implementing the law but came up just shy of lighting the paper bag in which he left it on Napolitano’s doorstep.

The REAL ID revival bill that is being so widely discussed is likely to be both the national ID plan that so many states have already rejected and deeply unsatisfying to the anti-immigrant crowd. Congress rarely fails to grasp a lose-lose opportunity like this, so I expect it will be introduced and to see it’s sponsors award themselves a great deal of self-congratulations for their courageous work. You can expect that to receive a fisking here too.

“… and Replace It with REAL ID”

CNN wrote an exciting headline on Wednesday: “Homeland Security Chief Seeks to Repeal Real ID Act.” What they left out was that the replacement would be … the REAL ID Act.

Intentionally or not, Secretary of Homeland Security Janet Napolitano has created the impression that the national ID law might go away. But simply renaming the Department of Homeland Security’s national ID program is not a repeal of REAL ID.

The REAL ID revival bill that has been circulating is the same national identification and tracking system with a few of the sharpest corners taken off and the hope of federal money held out to up-to-now recalcitrant states. The REAL ID revival bill would corral every American citizen into the national ID system to try and attack illegal immigrants.

Bills to repeal REAL ID were introduced in the previous Congress, but they did not move because the Bush administration and Chertoff DHS would have eagerly demagogued the issue. Those political conditions no longer hold. And just 10 months ago, Secretary Chertoff delayed the implementation of REAL ID without bringing any political repercussions to the Bush administration whatsoever. Secretary Napolitano can do the same if Congress fails to truly repeal REAL ID, as it should.