Topic: Telecom, Internet & Information Policy

Some Myth-Busting Is Quite Revealing

After DHS Secretary Chertoff’s testimony to the Senate Judiciary Committee this week (at which he was apparently rebuked for “bullying” states on REAL ID compliance) he sat down with a group of bloggers to discuss things.

Congratulations are due the Secretary for making himself available in an open forum like this, especially because it allows us some insight into his thinking. It makes more clear why he and his colleague Stewart Baker feel a need to engage in so much REAL ID “myth-busting.” Though I have assumed their comprehension of the problems with REAL ID, perhaps I have been mistaken, as Secretary Chertoff does not exhibit a good sense of information technology or the information economy.

Here’s the myth that Secretary Chertoff purports to bust:

I had someone say to me today, “Well, when you have these REAL ID licenses with a machine-readable zone … it’s gonna be used to track people. People can skim it. And they can steal it. And then they can use it to follow you around.” Now this is a fantasy. This is just not true.

The Secretary overstates the argument and so shades into attacking a straw man, but the context is conversational. So let’s look at what the real argument is, and then at the Secretary’s responses. I touched on the question of tracking in my testimony to the Senate Homeland Security and Governmental Affairs Committee:

There are machine-readable components like magnetic strips and bar codes on many licenses today. Their types, locations, designs, and the information they carry differs from state to state. For this reason, they are not used very often. If all identification cards and licenses were the same, there would be economies of scale in producing card readers, software, and databases to capture and use this information. Americans would inevitably be asked more and more often to produce a REAL ID card, and share the data from it, when they engaged in various governmental and commercial transactions.

In turn, others will capitalize on the information collected in state databases and harvested using REAL ID cards. Speaking to the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee last week, Anne Collins, the Registrar of Motor Vehicles for the Commonwealth of Massachusetts said, “If you build it they will come.” Massed personal information will be an irresistible attraction to the Department of Homeland Security and many other governmental entities, who will dip into data about us for an endless variety of purposes.

This is not an argument that the currently proposed REAL ID license would be read surreptitiously, as might happen with an RFID-chipped card. (The Secretary says that REAL ID currently does not require RFID, but neglects to mention that the “Enhanced Driver’s License,” which satisfies REAL ID, has one.) The argument is that a great deal more data about us will be collected.

This will include “meta-data” - information about the collection of information, such as time, place, purpose, collecting entity, and so on. Combined identity data and meta-data form footprints about our comings and goings. These footprints, collected in interoperable databases, combine to form tracks.

Perhaps it’s a complicated argument, but it’s a coherent one: REAL ID would lead to tracking of law-abiding Americans.

Nothing the Secretary says conveys that he’s aware of meta-data or actual data collection processes. He says that the machine-readable zone (or MRZ) is “nothing more than the information on the face of the license. I already have a reader for the license - it’s called my eye - and I can read what’s on your license. So therefore there’s nothing I’m going to get out of the MRZ that I can’t get from the face of the license.”

Alas, even this isn’t quite true. The regulation prescribes certain minimum data elements for the MRZ, but doesn’t restrict the use of others, and it doesn’t require states to restrict the content of the MRZ to only what is on the face of the license. The MRZ could lead to tracking of people and their activities based on their race, for example, a data element many states currently include in their MRZs. Despite receiving comments concerned with this during the rulemaking process - oh, and in congressional testimony - DHS declined to prohibit including race in the MRZ of REAL IDs.

Card readers are not just little electric eyeballs. They record information in digital form. This means that identical copies of these records are easy to store, easy to compile, easy to transfer, and easy to reuse. Collecting information in digital form is materially different from collecting information in analog form. Most people who work with technology know that implicitly. To be credible on identification technology issues, one must know this and acknowledge its significance.

Finally, the Secretary says that the DHS is not going to create a lot of databases using REAL ID. That may be his intention, but he’s in office for about ten more months. And whether DHS creates them or not, databases of information harvested using REAL ID would likely be available to DHS.

It is very hard to design information technology systems that do not collect and retain information. The current secretary’s personal opinion about databases just isn’t good evidence of whether or not there will be databases of information about the comings and goings of law-abiding Americans. Chances are very good if REAL ID is implemented that there will be.

Superlative REAL ID Editorial

The Orange County Register has an editorial on the REAL ID Act this morning that captures the issues magnificently. Among other gems:

The big trouble is that there’s no evidence that this Draconian act, even if fully implemented, would be more than a minor inconvenience for a determined terrorist. But having all that information – including copies of birth certificates and Social Security cards – available in one database would make an irresistible target for identity thieves. And it would be a major inconvenience for millions of innocent Americans and a major expense for state governments – meaning taxpayers.

The Register’s conclusion? Congress should “bite the bullet and repeal this useless, intrusive, money-wasting law.”

Failed, Self-Contradictory REAL ID Myth-Busting

Today finds another post on the DHS Leadership blog attempting to defend the REAL ID Act. Despite never having made the affirmative case for REAL ID, Assistant Secretary for Policy Stewart Baker is attempting to defeat the arguments against it.

The “myth” he purports to dispell this time is that REAL ID creates a national ID:

REAL ID is simple. The regulation requires that states meet minimum security standards when they issue driver’s licenses and identification cards necessary for “official purposes,” like getting on a plane or entering federal buildings. That’s it. The federal government’s role is to make sure that states meet minimum standards of security, so that banks and airports in one state can count on the quality of licenses issued in another.

Once again, I believe savvy Stewart Baker is playing at the role of ingenue. He’s pretending to lack the common knowledge that government programs grow in size and power.

It’s true that REAL ID allows states to issue driver’s licenses and identification cards that don’t meet the federal standards. They won’t be acceptable for “official purposes,” which are defined as follows in the statute:

The term “official purpose” includes but is not limited to accessing Federal facilities, boarding federally regulated commercial aircraft, entering nuclear power plants, and any other purposes that the Secretary shall determine.

(emphasis added)

Once REAL ID is in place, the secretary of homeland security has the power to require it for any purpose beyond the ones listed in the statute. What might those be? The immigration bill debated in Congress last summer would have required possession of a REAL ID–compliant card in order to work in the United States. If Congress doesn’t do it, perhaps the DHS secretary would do it on his own once REAL ID is at his disposal.

Baker himself recently proposed that REAL ID could be required for buying cold medicine. Wherever the federal government requires the use of identification, it could require possession of a REAL ID. In the very post where he seeks to debunk the fact that REAL ID is a national ID, he mentions the use of REAL ID by banks. The USA-PATRIOT Act extended “know your customer” regulations deep into the financial services sector. The DHS and Treasury could require possession of a REAL ID to access banking.

Strangely, Baker’s post says, “the federal government does not have the authority to regulate how or whether a bank, grocery store, retailer, or school requires REAL ID.” This directly contradicts a premise of his proposal to require REAL ID for cold medicine. It’s unfortunate that the federal government has this power — it shouldn’t — but Baker knows darn well that it does.

It’s technically true that you wouldn’t have to have a REAL ID–compliant national ID card under current law, but refusing one may not be too practical. You’d have to live in a state that gives you that option and then be willing to do without air travel, legal employment, financial services, medicine, and whatever else the Department of Homeland Security decides.

What looks like a duck, walks like a duck, and quacks like a duck, tends to be a duck. REAL ID is a national ID.

“New Hampshire Joins Montana in Real ID Victory”

So reports Wired’s “Threat Level” blog as the Department of Homeland Security capitulates in the face of New Hampshire’s rejection of REAL ID. The same thing happened with Montana.

The key? The renegade states send a nice letter that is not a request for an extension of a looming deadline but touts the security of their driver’s licenses, which the Department of Homeland Security accepts as an official extension request. That lets DHS save face, even as it backs down from repeated threats to punish the citizens of rogue states.

New Hampshire wins.

Passport Snooping Is Just the Beginning

Following up on the story earlier this week that the passport files of all three major presidential candidates had been snooped on, Brian Bennett writes in the April 7 issue of Time about plans to distribute passport information very widely indeed, such as to the Department of Homeland Security, IRS, employers, and foreign governments.

Meanwhile, the State Department has a video interview up on its website about passport privacy. Addressing the issue in a long format on a widely accessible medium is a good thing, so congratulations are due State for addressing the issue.

However, the lead question asked of Under Secretary for Management Patrick Kennedy is a big waste of time: “Does every State Department employee have access to personal data that’s given us for passports or other reasons?” That pitch is so slow it doesn’t even reach the plate. But there is some interesting information about the State Department’s data security practices later in the video.

Unaddressed is Brian Bennett’s reporting on the proposal for wholesale sharing of passport information.

Stewart Baker Should Start at the Beginning

Department of Homeland Security Assistant Secretary for Policy Stewart Baker has posted the second in a series on the REAL ID Act at the DHS Leaderhip blog. I assessed his first try here.

This one raises the privacy issues with REAL ID, and it claims that privacy advocates “can’t and won’t tell you precisely how REAL ID threatens privacy.” Knowing his smarts and savvy, I’m confident that Stewart is feigning unawareness of my book Identity Crisis and the hearings in Congress that have exposed the many threats to privacy from REAL ID specifically, and national ID systems generally. He has also had the opportunity to read the DHS Privacy Committee’s report, which cited and discussed “serious risks” to privacy from the REAL ID program.

It’s true that privacy is a complex subject, and the complexity is preserved by the fact that a number of different interests are often lumped together under the “privacy” heading. But Stewart has certainly had the opportunity to read the Privacy Committee’s “framework document,” which articulates each of these interests. For a more thorough study of privacy in its strongest sense (control over personal information), he could re-read (or perhaps just read) my 2004 study “Understanding Privacy—and the Real Threats to It.”

The claim that privacy advocates won’t articulate the privacy problems with REAL ID is a shift from earlier public comments where Baker reportedly expressed puzzlement about privacy concerns with REAL ID, or his failure to understand them. One can’t be puzzled by the privacy concerns with REAL ID at one point in time and later claim that privacy concerns haven’t been articulated. There’s something else afoot.

I suspect it’s the fact that Baker gives higher priority to implementing REAL ID than to protecting Americans’ privacy. He just can’t bring himself to say so because it wouldn’t be popular or politic. (To be clear: He makes claims that REAL ID will protect privacy, but they do not pass muster.)

Baker should address the privacy consequences of REAL ID in a way that is not feigned ignorance or dismissiveness, but he should do something else first: Tell us what REAL ID is good for. The burden of proof in the debate over REAL ID is not on privacy advocates to say why not, but on proponents of the national ID law to say why.

No proponent of REAL ID, including Stewart Baker, has ever articulated how the program will cost-effectively secure the country against any threat. In fact, the Department of Homeland Security declined to articulate how REAL ID works to benefit the country in its analysis of the REAL ID regulations it issued. This is something I discussed, along with the privacy concerns, in my May 2007 testimony to the Senate Judiciary Committee:

The Department of Homeland Security has had two years to articulate how REAL ID would work. But the cost-benefit analysis provided in the proposed rules issued in March … helps show that implementing REAL ID would impose more costs on our society than it would provide security or other benefits. REAL ID would do more harm than good.

This is true if you assign no value to privacy at all. Americans do value their privacy and civil liberties, but the conversation should start at the beginning–with an articulation from Stewart Baker of how REAL ID provides cost-effective security.

Newseum Opens April 11th - Will it Keep Up?

The new Newseum opens April 11th, and its an impressive project in many respects.

It’s a striking but tasteful modern building, with the text of the First Amendment inscribed on its front. The location on Pennsylvania Avenue close to the Capitol has a defiant quality that I admire.

As I walked past yesterday, I observed its display along the sidewalk of current front pages from newspapers around the country and world. It’s a tribute to the importance and vibrancy of the newsgathering enterprise and free speech. Tourists were gathered along the front of the building taking in the headlines.

But I don’t read newspapers. I get my news from a wide array of sources almost entirely online. Sooner or later, I thought as I walked, some state is going to punch a hole in the Newseum’s display, as the state will no longer have a newspaper. Soon enough, most people will get their news in new formats - as I do - from sources and in media of all kinds: blogs, email, traditional news outlets’ online editions, and so on.

Will the decline of the newspaper mislead people into thinking that our vibrant tradition of newsgathering and reporting is on the wane? It’s something to think about.

The “founding partners” of the Newseum are some of the oldest of the old-school establishment media figures. (Good for them, by the way, for supporting this worthy venture.) They and the Newseum’s leadership may think that things are changing for the worse when they’re changing for the better - when news is all around us, in dozens of different formats, provided by tens of thousands of subject-matter experts and on-scene reporters with true local knowledge.

The Newseum’s planned exhibits include room for new media, but by and large they lean toward exalting the newsgathering industry. That industry has had an important role, no question, but I think it is a role that will diminish over time. I hope the Newseum will actively pursue reporting on all the news, not just the news that’s fit to print.