Commentary

What’s Wrong With A One-Size Fits All Identity?

The REAL ID Act is a federal law passed in May 2005 under which the federal government seeks to standardize state-issue ID cards and drivers’ licenses. The bill says that as of May 11, 2008, “a Federal agency may not accept, for any official purpose, a driver’s license or identification card issued by a state to any person unless the state is meeting the requirements” of the law.

But opposition to the law at the state level is strong and growing. Three state legislatures have already passed resolutions declining to participate in the REAL ID system (which the law says they are free to do, at some inconvenience to their citizens, who may need other forms of identification, such as a passport or birth certificate, for federal purposes). More than half the states have legislation in the works to reject this unfunded surveillance mandate. It may turn out that no state will comply with REAL ID by the law’s May 2008 deadline.

Opposition to REAL ID is well founded. The Department of Homeland Security estimates at least $17 billion in costs to get REAL ID up and running. There are huge, and probably incurable, privacy and data security problems with the nationally accessible databases of sensitive personal information, and with the nationally uniform card system, called for by the law.

The nominal purpose of REAL ID was protecting national security, but this justification continues to fade as people learn the weaknesses of identity-based security. The remaining support for REAL ID comes from anti-immigrant groups who have yet to realize what a small margin of immigrant control they would get for the price they would pay. REAL ID would exact a heavy toll in dollars, convenience, privacy, and liberty from law-abiding, native-born American citizens.

Granted, something must change with identification. The growth of large institutions over the last century and the explosion of remote commerce in the last few decades have overwhelmed the identification systems we have. The Social Security number and the driver’s license were not designed for the purposes we now put them to. They are accidental identifiers, and it shows: They fail to provide institutions sufficient proof of identity, and they fail individuals by depriving us of information control.

So what is the way forward? We should start by actually devising some identification polices, rather than stumbling forward on our current path merely because it’s the path we’re on.

If a variety of private identification providers were to compete in terms of price, quality, ease-of-use, and even privacy, we’d get a lot better than we’re getting from the DMV.Think of identification as an economic service like payments or telecommunications. There are a plethora of payment systems, each with strengths along certain dimensions and weaknesses along others. Most of us choose among cash, checks, credit cards, and other methods as they fit our purposes. So it is with telecommunications: mobile phones, instant messaging, email, landlines—each meets the different needs we have in different communications.

What about identity and credentialing? Proving who someone is, or proving a particular qualification, are essential parts of transacting that are somewhat difficult over long distances or with strangers. But here’s how we deal with it: Need to prove your age? Show government-issued ID. Need to prove that credit card is yours? Show government-issued ID. Need to prove you’re not a security risk? Show government-issued ID. The list goes on.

Identification has long been assumed a government function, but that’s only because, at some point, government assumed that function. Alternatives to government-issued ID are needed—and they’re coming.

At the Orlando, Florida airport, for example, the U.S. Transportation Security Administration accepts the Clear Card issued by New York’s Verified Identity Pass as proof that a person is part of the TSA’s Registered Traveler program. The Clear Card comes with a key anti-surveillance feature: Users aren’t identified to the government and their uses of the cards aren’t recorded and stored. Biometric data stored on the Clear Card (but not in a database) ensure that only the owner can use it, and the proof that a person is a Registered Traveler is enough information for the TSA. That’s all the information TSA gets. No database of Americans’ travels is created.

Future identification cards and credentials could act as proof of age when that is needed, as movie tickets or other bearer documents when that is needed, or as payment cards when that is needed. They could provide identity information only when identity is actually relevant, which is not as often as people often think. This would bring information about us under our control—privacy protection by design. If a variety of private identification providers were to compete in terms of price, quality, ease-of-use, and even privacy, we’d get a lot better than we’re getting from the DMV.

Government isn’t always part of the problem. It can be part of the solution. Governments should accept, and permit businesses to accept, identification cards and credentials that meet sufficient standards. They should stop requiring “government-issued ID” by rote.

There is an alternative to the REAL ID Act and the national ID on our near horizon. It’s identification systems and credentials that are high in quality, easy to use, and privacy protective. This idea isn’t just a feel-good. These systems will be huge enablers of secure but private commerce. Identification and credentialing is a multi-billion dollar market if governments can be made to relinquish control of it.

Jim Harper is director of Information Policy Studies and the author of Identity Crisis: How Identification is Overused and Misunderstood.