Tag: PASS ID

EPIC on PASS ID: a National ID Card

The Electronic Privacy Information Center has produced a very thorough analysis of the PASS ID Act, which would revive the REAL ID national ID program.

The EPIC analysis states flatly, “The bill would establish a national ID card,” and, “The intent of this legislation is to facilitate a National ID system.”

That’s quite a contrast to Ari Schwartz at the Center for Democracy and Technology, who alone believes that PASS ID “prevents the creation of a National ID system.”

PASS ID and National ID - Rejoinder to Schwartz

Ari Schwartz responded in characteristic even tones to my critique of his testimony in favor of the PASS ID Act, which would revive the moribund REAL ID law. It’s worth a rejoinder, and I’ll offer him the same again here if he wishes.

Ari clouds matters slightly by suggesting that my “strong biases” obscure certain facts. I readily admit having a strong bias in favor of liberty – it’s why I do what I do. Ari admits several biases, including one in favor of consensus-building, which was what I accused him of prioritizing over principle. Let’s put aside the question of bias.

It’s good to see Ari state that CDT does not support a national ID system. It would be better to see him state that CDT opposes having a national ID system. (I imagine this is just a matter of word choice, but it would be good to have clarity.)

Next, Ari says his testimony “makes it clear that we believe that PASS ID prevents the creation of a National ID system.” I don’t believe this is clear from his testimony. More importantly, this is not a sound assessment of what a national ID is or what PASS ID does.

We need some defined terms, so let’s tease out what he means by “national ID.” (He has told me that there is some distinction between a “national ID,” a “national ID system,” and perhaps a “national ID card,” but the distinction is lost on me. I believe a national ID card is part of a national ID system, both of which are commonly referred to in shorthand as a “national ID.”)

Twice in his testimony, he correctly calls REAL ID a national ID system. The factors that make it so appear to be “the very real possibility that individuals would not be able to function in American society without a REAL ID card” and “giving unfettered discretion to DHS to expand the ‘official purposes’ for which REAL ID cards could be required.”

In my recent post on the subject, I defined a national ID as being a card: 1) nationally uniform in its key elements; 2) the possession of which is either practically or legally required; and 3) that is used for identification.

I think 1) and 3) are both given. Ari’s take on 2) - inability to function without it – and my formulation – practically required – are equivalent, so Ari and I agree on that much.

But is DHS discretion to expand “official purposes” an essential element of a national ID card? I don’t think so.

Let’s say Congress passes a law requiring employers to check a certain card before they hire new workers. What if Congress requires credit issuers to check the card? States require presentation of the card at the voting booth? What if Congress requires pharmacists to check it before selling people cold medicine?

Is this card system saved from being a “national ID system” because someone other than DHS came up with these ideas? Of course not. DHS discretion to expand usage is not what makes an ID system a “national ID system.”

The better definition is what we agree on: A national ID is national, identifying, and practically or legally required, meaning the lack of it disables people from functioning in society.

Do REAL ID and PASS ID differ in ways that make the one a national ID and the other not a national ID? No, and Ari doesn’t say so. He merely says PASS ID would slow national ID mission creep by some margin because it denies DHS some discretion. (PASS ID “[r]emoves from DHS’s authority the ability to unilaterally determine new official purposes for which a PASS ID-compliant card can be required … .”)

This is not central to “national ID-ness,” and PASS ID doesn’t actually deny DHS that authority – it simply removes the specific grant of authority in REAL ID. Removing a grant of authority in one law does not deny an agency authority it has elsewhere. (It’s like the difference between “not supporting” and “opposing” something.) DHS and other agencies almost certainly have power under other law to require the IDs they choose for functions that are plausibly related to security or fraud prevention.

I was wrong to assume that it was lack of principle driving CDT and Ari to endorse the PASS ID Act, which revives our moribund national ID law. Other explanations are no more palatable, though, and no other group that I am aware of missed the true import of PASS ID.

Here’s a memorable Bruce Schneier quote to emphasize the importance of opposing a national ID, which so many civil liberties groups are doing:

History will record what we, here in the early decades of the information age, did to foster freedom, liberty and democracy. Did we build information technologies that protected people’s freedoms even during times when society tried to subvert them? Or did we build technologies that could easily be modified to watch and control? It’s bad civic hygiene to build an infrastructure that can be used to facilitate a police state.

No civil liberties group supports PASS ID. CDT can’t claim that mantle while it does.

Review of the Big REAL ID Hearing

The Senate Homeland Security and Governmental Affairs Committee held a hearing yesterday on the REAL ID Act and the REAL ID revival bill, known as PASS ID. I attended and want to share with you some highlights.

Good News!

Little good came from the hearing, as it was primarily focused on how to get the states and people to accept a national ID. But there is some good news.

First, Department of Homeland Security Secretary Janet Napolitano declared REAL ID dead (much as I did in my testimony two-plus years ago). “DOA” is how she referred to it.

She also said that no state will be in compliance with REAL ID by the current December 31, 2009 deadline. This is important because a lot of people think that states doing anything about the security of drivers’ licenses and ID cards are complying with REAL ID.

Another highlight was the commentary of Senator Roland Burris (D-IL). He is a beleaguered outsider to the Senate and evidently wasn’t coached on the talking points around REAL ID and PASS ID. So he flat out asked why we shouldn’t just have “a national ID.”

Senator Susan Collins’ (R-ME) nervous smile was particularly noticeable when Burris asked why the emperor had no clothes. No one was supposed to talk about national IDs at this hearing! But that’s what PASS ID is.

REAL ID and PASS ID are two versions of the same national ID system, and nobody is denying it. That’s good news because the effort to rebrand REAL ID through PASS ID has failed.

A Fake Crisis

Some other issue-framing is worth pointing out. Chairman Lieberman and Secretary Napolitano took pains to point out the importance of acting on PASS ID soon, claiming that the TSA would have to seriously inconvenience travelers with secondary searches at the end of the year if nothing was done.

But this is the same “crisis” that the DHS navigated a little over a year ago. States across the country were refusing to implement REAL ID. The DHS Secretary rattled his saber about inconveniencing travelers. And the DHS Secretary ended up giving all states a deadline extension. Secretary Napolitano will do the same thing if PASS ID fails - saber-rattling included. There is no crisis.

Vermont Governor Jim Douglas Supports a National ID

As I noted above, PASS ID is a national ID, just like REAL ID.

By testifying in support of PASS ID, Vermont governor Jim Douglas (R) put himself on record as supporting a U.S. national ID. He can pretend it’s not a national ID, of course, and he did his best to paper over the issue when Senator Burris asked about it. But Governor Douglas supports a national ID.

There was a time when Republicans stood for resisting federal incursions on state power. In the 104th Congress, the Senate Judiciary Committee had a subcommittee that focused on federalism and the preservation of state power (the Subcommittee on the Constitution, Federalism, and Property Rights). But the National Governors Association, with Douglas at the helm, is now in the process of negotiating the sale of state power over driver licensing and identification policy to the federal government.

Rampant Security Ignorance

The reason why he supports this national ID law, Governor Douglas said, is that he, like every governor, “is a security governor.”

With so many Senators and panelists conjuring security and the 9/11 Commission report, it would be a delight if someone actually examined the security benefits of a national ID. The information is there for them. Again, my testimony to the committee two years ago supplied at least some. Then, I said, “Implementation of REAL ID would impose more costs on our society than it would provide in security or other benefits,” and I articulated how and why a national ID fails to secure.

But Senator Lieberman said he “assumes” REAL ID provides national security benefits. Assumes? He and his staff apparently haven’t familiarized themselves with the level of national security that a national ID would create, taking into account the counterattacks and complications of such a system.

Five years after the vaunted 9/11 Commission report - and the three-quarters of a page it devoted to identity security - Senator Lieberman, the chairman of a committee dealing with domestic security, has yet to look into the merits.

In case Senator Lieberman needs some help …

I’m So Sick of the 9/11 Commission Report!

Speaking of the 9/11 Commission, it has been five years since that report came out, and people continue to parrot the line that REAL ID was a “key 9/11 Commission recommendation.”

The 9/11 Commission dedicated three-quarters of a page to the question of identity security, out of 400+ substantive pages. Its entire treatment of the subject is on page 390.

The 9/11 Commission did not articulate how a national ID system would defeat future terror attacks. It did not even articulate how a national ID would have defeated the 9/11 attacks had it been in place. A minor shift in behavior by the 9/11 attackers, such as using their passports to board planes, would have defeated REAL ID and PASS ID, were we somehow allowed “do-overs.”

We are not allowed “do-overs,” and the problem we face is not 9/11, but securing against current and future threats - including people who might shift their behavior in light of security measures we take.

These shifts in behavior might include taking a few extra steps to get the documentation they need, for access to the country or targets. These shifts in behavior might include attacking targets that do not require documentation. Identity-based security is a Maginot Line.

The 9/11 Commission report was written at a time when little research on identity-based security had been done. It was written by fallible humans who knew little about identity-based security, and who got it wrong. The report is not a religious text.

The report did say something important, though: “For terrorists, travel documents are as important as weapons”! (page 384) It’s a terrific turn of phrase because it shuts down the logic centers in the brain - eek, terrorists! - and ends the discussion.

The “travel documents” the report was talking about, though, were passports and visas, not drivers’ licenses and birth certificates - the things foreign terrorists use to get into the country. If we’re going to turn the driver’s license into an internal passport - and TSA checkpoints are the beginning of such a policy - then perhaps these are travel documents. Just, please, Secretary Napolitano, train your TSA agents to not say, “Your papers, please.”

Even as to international travel documents, though, the 9/11 Commission got it wrong. Weapons are the only things as important as weapons. And the 9/11 terrorists didn’t actually use weapons any more substantial than box cutters. They “weaponized” a non-weapon. (Security is complicated, you see.)

Denying terrorists travel documents, drivers’ licenses, and IDs simply presents them some inconveniences - such as using people with no record of terrorism. Seventeen of nineteen 9/11 attackers were unknown to U.S. officials as threats, so it’s obviously not that much of an inconvenience.

Evading identity-based security is so easy. People do it all the time. And it won’t stop under anyone’s version of a national ID. But the 9/11 Commission said … !

Something New to Worry About

Much of the national ID battle happens at the federal level with these national ID laws, of course, but it’s important to realize that federal officials, state officials, companies, and non-profit groups are working to knit together a cradle-to-grave national ID system no matter what happens with REAL ID and PASS ID.

Here’s one worth highlighting: Thirteen states apparently are already scanning, or have scanned, their birth certificates into databases for use in the national ID system. The effort is being led by the National Association for Public Health Statistics and Information Systems in Silver Spring, Maryland. This group will undoubtedly have access to your private health information should federal e-health records be implemented, so you might want to familiarize yourself with them.

Is your state one of them? How many copies of your birth certificate can be found in how many places around the country? You might want to ask your state legislators about that. The future of this effort is to collect biometrics at birth, of course. This is a privacy problem.

But maybe all the privacy concerns have been taken care of. The proponents of REAL/PASS ID found themselves a fig leaf on that score.

Token Cover on Privacy Issues

Ari Schwartz from the Center for Democracy and Technology testified in favor of PASS ID. (Senator Akaka noted in his opening statement that CDT endorses PASS ID.)

He characterized opponents of REAL/PASS ID as wanting to “do nothing.” It’s a classic ploy - but cheaper than we’re used to seeing from Ari and CDT - to mischaracterize opponents as wanting to “do nothing.” As Ari knows well, I have advocated endlessly for a diverse and competitive identification and credentialing system that would provide all the security ID systems can, without government surveillance.

But Ari testified imaginatively about how PASS ID makes a national ID okay. He has concerns with it, of course, yadda yadda yadda - the privacy fig leaf obliged to wear a fig leaf himself.

And this is the unexpected bad news from the hearing. The Center for Democracy and Technology supports having a national ID in the United States.

Many would find this inexplicable, but it’s not. Though the people who work at CDT personally want very much to do the right thing, there are no principles to the organization beside compromise and having a seat at the table (neither of which are actually principles, of course).

CDT plays a wonderful convening role on many issues, and the name of the organization implies that it reconciles technology programs with fundamental societal values. But here it has given political cover to the push for a national ID in the United States. One can’t help wondering if there is anything that would cause CDT to push back from the table and say No.

Does the PASS ID Act Protect Privacy?

I’ve written about PASS ID here a couple of times before - first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.

The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.

“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.

Interstate Data Sharing?

First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.

Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.

How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.

Just like REAL ID, PASS ID would require states to share driver data on a very large scale. It just doesn’t say so. As with REAL ID, the security weaknesses of any one state’s operations would accrue to the harm of all others.

Mission Creep?

Second, CDT says that PASS ID “[l]imits the ‘official purposes’ for which federal agencies can demand a PASS ID driver’s license, thereby helping prevent ‘mission creep.’” Again, it’s technically true, but materially false.

REAL ID had an open-ended list of “official purposes” - things that the homeland security secretary could require a REAL ID for. PASS ID is not so open-ended, but that is a small impediment to only one form of mission creep.

PASS ID places no limits on how the DHS, other agencies, and states could use the national ID to regulate the population. It simply requires the DHS to use PASS ID for certain purposes. A simple law change or amendment to existing regulation would expand those uses to give the federal government control over access to employment, access to credit cards, voting - CDT’s own PolicyBeta blog called a plan to use REAL ID to control cold medicine a “terrifying” example of mission creep. And these are just the ideas that have already been floated.

When I testified before the Senate Judiciary Committee on REAL ID in May 2007, I spoke about what we had recently heard in a meeting of the DHS Privacy Committee:

Ann Collins, the Registrar of Motor Vehicles from the State of Massachusetts, … said, “If you build it, they will come.” What she meant by that is that if you compile deep data bases of information about every driver, uses for it will be found. The Department of Homeland Security will find uses for it. Every agency that wants to control, manipulate, and affect people’s lives will say, “There is our easiest place to go. That is our path of least resistance.”

PASS ID is the same medium for mission creep that REAL ID is. The problem is with having a national ID at all - not with what its enabling legislation says.

Privacy Protections?

Next, CDT says that PASS ID requires “privacy and security protections for PII stored in back-end motor vehicle databases.” (“PII” means “personally identifiable information.”)

A glaring oversight of REAL ID - and the competition for glaring oversights was fierce - was to omit any requirement for privacy and security of the databases states would maintain and share on behalf of the federal government. The DHS took pains in the REAL ID rulemaking to drain this swamp. It tried to require minimal information collection for identity verification and minimal information display on the card and in the machine readable zone. (It failed in important ways, as I will discuss below.) The REAL ID regulation required states to file security plans that would explain how the state would protect personally identifiable information. And it said it would produce a set of “Privacy and Security Best Practices.” None of this mollified REAL ID opponents, and the privacy bromides in the PASS ID Act won’t either.

One of the more interesting privacy “protections” in the PASS ID Act is a requirement that individuals may access, amend, and correct their own personally identifiable information. This is a new and different security/identity fraud challenge not found in REAL ID, and the states have no idea what they’re getting themselves into if they try to implement such a thing. A May 2000 report from a panel of experts convened by the Federal Trade Commission was bowled over by the complexity of trying to secure information while giving people access to it. Nowhere is that tension more acute than in giving the public access to basic identity information.

The privacy language in the PASS ID Act is a welcome change to REAL ID’s gross error on that score. At least there’s privacy language! But creating a national identity system that is privacy protective is like trying to make water that isn’t wet.

Limits on Use of Card Data?

CDT’s final defense of PASS ID is the presence of meager limits on how data collected from national ID cards will be used. Much like with mission creep, the statutory language is beside the point, but CDT points out that PASS ID “prohibits states from including the cardholder’s social security number in the MRZ and places limits on the storage, use, and re-disclosure of that information.”

“MRZ” stands for “machine-readable zone.” In the PASS Act and REAL ID Act, this is referred to as “machine-readable technology,” and in the REAL ID rulemaking, the DHS selected a 2D barcode standard for the back of REAL ID licenses and IDs. Think of government officials scanning your license the way grocery clerks scan your toilet paper and canned peaches.

It’s true that the PASS ID Act bars states from including the Social Security number in that easily scanable data, but it doesn’t prohibit anything else from being scanned - including race, which was included in DHS’ standard for REAL ID.

And don’t think that limits on the storage, use, and re-disclosure of card information would have any teeth. It would create a new crime: scanning licenses, reselling or trading information from them, or tracking holders of them “without lawful authority,” but it’s not clear what “without lawful authority” means. It would probably allow people to give implied permission for all this data-collection and -sharing by handing their cards to someone else. It would certainly allow governments to authorize themselves to collect and trade data from cards en masse.

Not that we should want this “protection.” The last thing we need is another obtusely defined federal crime. Nearly as bad as being required to carry a national ID is making it illegal for people to collect information from it when you want them to!

And in Some Ways PASS ID is Worse

But let’s talk some more about that machine-readable zone. When Congress passed REAL ID, suspicion was strong that the “MRZ” would be an RFID chip - a tiny computer chip that can be read remotely by radio.

Recognizing the insecurity of such devices - and the strong public opposition to it - DHS declined to adopt RFID for the REAL ID Act. It did, however, work with a few states and the U.S. State Department to develop an RFID-chipped license that it calls the “enhanced driver’s license.” This has a long read-range chip that will signal its presence to readers as much as fifteen or twenty feet away. The convenience gain DHS and State sought for themselves at the border would be a privacy loss, as scanning cards could become commonplace in doorways and other bottlenecks throughout the country - your whereabouts recorded regularly, as a matter of course, by public and private entities.

Why do we care about “enhanced drivers licenses”? Because the PASS ID Act would ratify them for use as national IDs. States could push their residents into using these chipped cards if they didn’t want to implement every last detail of PASS ID.

Needless to say, ID cards with long-distance (including surreptitious) tracking are a step backward for privacy. This is one sense in which PASS ID is worse than REAL ID.

Consider more carefully also what PASS ID and REAL ID are about in terms of biometrics. Both require states to “[s]ubject each person applying for a driver’s license or identification card to mandatory facial image capture.”

States across the country are using driver license photos to implement facial-recognition software that will ultimately be able to track people directly - nevermind whether you have an RFID-chipped license or show your card to a government official. They are aiming at preventing identity fraud, of course, but with advancing technology, before too long you will be subject to biometric tracking simply because you posed for an unsmiling digital photo at the DMV. REAL ID and PASS ID are part and parcel of promoting that.

Does PASS ID address “most of the major privacy and security concerns with REAL ID”? Not even close. PASS ID is a national ID, with all the privacy consequences that go with that.

Changing the name of REAL ID to something else is not an alternative to scrapping it. Scrapping REAL ID is something Senator Akaka (D-HI) proposed in the last Congress. Fixing REAL ID is an impossibility, and PASS ID does not do that.

Calling Secretary Napolitano: Arizona to Reject EDLs

Department of Homeland Security Secretary Janet Napolitano has been all over the map on national ID issues. As governor of Arizona, she signed a memorandum of understanding with the Bush DHS to implement “enhanced driver’s licenses” in her state. These are licenses with long-range RFID chips built into them. But then she turned around and signed legislation barring implementation of the REAL ID Act in Arizona.

Now, having taken federal office, she again favors REAL ID – or at least under its new name: PASS ID. (Her efforts to put distance between REAL ID and PASS ID have not borne fruit.)

In some respects, PASS ID is worse than REAL ID. It would give congressional approval to the “enhanced driver’s license” program – invented by DHS and State Department bureaucrats to do long-range (and potentially surreptitious) identification of people holding this type of card. Back home, the Arizona legislature has just passed a bill to prohibit the state from implementing EDLs.

So the former governor of Arizona, who has both supported and rejected national ID programs, now supports a bill to approve the national ID program her home state rejects. Napolitano seems to be taking the national ID tar baby in a loving embrace.

Is the REAL ID Revival Bill, “PASS ID,” a National ID?

With the move in the Senate to revive our moribund national ID law, the REAL ID Act, under the name “PASS ID,” it’s important to look at whether we’re still dealing with a national ID law. My assessment is that we are.

First, PASS ID is modeled directly on REAL ID. The structure and major provisions of the two bills are the same. Just like REAL ID, PASS ID sets national standards for identity cards and drivers’ licenses, withholding federal recognition if they are not met.

There is no precise definition of a national identification card or system, of course, but its elements are relatively easy to identify.

First, it is national. That is, it is intended to be used throughout the country, and to be nationally uniform in its key elements. REAL ID and PASS ID have the exact same purpose - to create a nationally uniform identity system.

Second, its possession or use is either practically or legally required. A card or system that is one of many options for proving identity or other information is not a national ID if people can decline to use it and still easily access goods, services, or infrastructure. But if law or regulation make it very difficult to avoid carrying or using a card, this presses it into the national ID category.

Neither REAL ID nor PASS ID directly mandate carrying a card. Doing so would be too obviously a national ID system, and politically unpalatable. But both seek to take advantage of the state driver licensing system, and they do that for a reason: Carrying a driver’s license is a practical requirement in most parts of the country, where the automobile reigns supreme as the mode of travel.

But maybe states would decline to participate. Nothing in the PASS ID Act directly requires states to implement the system, and they are entirely free to issue non-compliant licenses and ID cards. But this was also true of REAL ID - because of the constitutional rule that the federal government cannot commandeer the organs of state government. (The case is New York v. United States.)

What both REAL ID and PASS ID do is make it difficult for state residents to function without their nationally standardized ID. They both require the nationally standardized ID to enter federal facilities (perhaps fewer of them under PASS ID), to access nuclear power plants, and to board aircraft.

But the PASS ID bill has specific language saying that a person can’t be denied boarding because they don’t have a national ID. Isn’t that an improvement? It sounds like it, but that language simply restates the rules that exist under REAL ID.

The TSA has never been able to deny people boarding because they don’t have an ID. (Many people have traveled without ID to prove the point.)

What the Department of Homeland Security does is make it really inconvenient to travel without showing ID. Not having your national ID can put you into a long secondary-search delay. And a year ago, the Transportation Security Administration created a new rule allowing them to turn travelers away if they “willingly” refuse to show ID and don’t “assist transportation security officers in ascertaining their identity.”

What this means is that people not showing ID have to answer questions about themselves for a TSA background check - a background check that has included political party affiliation. In other words, you either participate in the national ID system run by states, or you participate in the cardless national ID system that the TSA runs. (The TSA was storing information about who traveled without ID until it got caught.)

The rules are no different between REAL ID and the REAL ID revival bill, PASS ID. You don’t have to carry a national ID to get through the airport, but woe to the person who tries to exercise that freedom.

In addition, the plan under PASS ID is for the federal government to pay states a lot more money for implementation. Cost concerns were a real impediment to REAL ID, and the (false) promise of federal funds is designed to draw states into issuing nationally standard IDs for all their residents.

On balance, REAL ID and PASS ID are peas in a pod. They are both aimed at being practically required. The plan under both is for everyone who has a driver’s license to have a nationally standardized, REAL-ID-type license.

The final “element” of a national ID is that it is used for identification. A national ID card or system shows that a physical person identified previously to a government is the one presenting him- or herself on later occasions. (A Social Security Number is a national identifier, but it is not a national identifiction system because there is no biometric tie between the number and a person.)

REAL ID and PASS ID both subject every applicant for a license to “mandatory facial image capture.” They both put a “digital photograph of the person” on the card. They are most definitely about identification.

Are we still talking about a national ID? REAL ID and the REAL ID revival bill, “PASS ID,” are structured the same. They have no differences in terms of their aim - to create a national ID.

It’s certainly unusual that members of the Senate who formerly appeared to oppose a national ID would reverse course. I’ll spend more time on the politics, of course, and delve into many other issues in future posts.