Understanding the Realities of REAL ID: A Review of Efforts to Secure Drivers’ Licenses and Identification Cards

Share

Chairman Akaka, Ranking Member Voinovich, and Members of theCommittee:

It is a pleasure to speak with you today. I am director ofinformation policy studies at the Cato Institute, a non-profitresearch foundation dedicated to preserving the traditionalAmerican principles of limited government, individual liberty, freemarkets, and peace. In that role, I study the unique problems inadapting law and policy to the information age. I also serve as amember of the Department of Homeland Security's Data Privacy andIntegrity Advisory Committee, which advises the DHS Privacy Officeand the Secretary of Homeland Security.

My most recent book is entitled Identity Crisis: HowIdentification Is Overused and Misunderstood. I am also editorof Privacilla.org, a Web-based think tank devoted exclusively toprivacy, and I maintain an online resource about federallegislation and spending called WashingtonWatch.com. I speak onlyfor myself today and not for any of the organizations with which Iam affiliated or for any colleague.

* * * *

Mr. Chairman, the REAL ID Act is a dead letter. All that remainsis for Congress to declare it so.

The proposed regulations issued by the Department of HomelandSecurity on March 9th "punted" on REAL ID's most importanttechnology, security, and privacy problems. At the same time, theDepartment's own analysis helps reveal that REAL ID is a loser --it would cost more to implement than it would add to our country'sprotections.

Of utmost importance, the DHS proposal lays the groundwork forsystematic tracking of Americans based on their race. Thebar code system standard that DHS calls for in the regulationincludes machine-readable information about race and ethnicity.This is deeply concerning and unwise. Federal law and regulationshould not promote a nationalID system that can track people byrace. History has too many devastating examples of identificationsystems used to divide people based on religion, tribe, andrace.

Though the Department of Homeland Security failed to "fix it inthe regs," this is not the agency's fault. Regulations cannot makethis law work, and neither can delay. The real problem is the REALID law itself.

There are highly meritorious bills pending in the Senate andHouse to repeal the REAL ID Act. They would restore theidentification security provisions that were passed in the9/11-Commission-inspired Intelligence Reform and TerrorismPrevention Act. Congratulations, Mr. Chairman -- and I saluteSenator Sununu as well -- for leading the way on this issue.

These bills would be improved if they were to chart a path togovernment use of emerging digital identity and credentialingsystems that are diverse, competitive, and privacy protective. Wecan have identification and credentialing systems that maximizesecurity and minimize surveillance. REAL ID is the ugly alternativeto getting it right.

DHS Punted on the Hard Issues

Though many states have already voted to refuse the REAL ID Act,some have been waiting to see what they would find in theregulations issued by the Department of Homeland Security. Now thatthe regulations are out, it is clear that the states have been leftholding the bag.

Were they to comply with the REAL ID Act, states would have tocross a mine-field of complicated and expensive technologydecisions. They would face enormous, possibly insurmountableprivacy and data security challenges. But the Department ofHomeland Security avoided these issues by carefully observing theconstraints of federalism even though the REAL ID law was craftedspecifically to destroy the distinctions between state and federalresponsibilities.

The Federalism Issue

The Constitution established a federal government with limited,enumerated powers, leaving the powers not delegated to the federalgovernment to the states and people.1 Because direct regulation of the states would beunconstitutional,2 the REALID Act conditions federal acceptance of state-issued identificationcards and drivers' licenses on their meeting certain federalstandards.

This statutory structure -- using state machinery to implement afederal program -- is unfortunate. It blurs the lines of authorityand obscures the workings of government from citizens andtaxpayers. But it does draw federalism into play as a potentiallimit on the Department's ability to regulate.

As the Notice of Proposed Rulemaking ("NPRM")notes,3 Executive Order 13132says that "issues that are not national in scope or significanceare most appropriately addressed by the level of government closestto the people."4 Laying outthe criteria for policymaking when federalism is implicated, theExecutive Order says, "National action limiting the policymakingdiscretion of the States shall be taken only where there isconstitutional and statutory authority for the action and thenational activity is appropriate in light of the presence of aproblem of national significance."5

In support of a federal function -- national security -- theREAL ID Act conditions federal acceptance of state identificationcards and drivers' licenses on their meeting federal standards fordocumentation, issuance, evidence of lawful status, verification ofdocuments, security practices, and maintenance of driver databases.The federal government has equal power -- and the Department ofHomeland Security had discretion in this rule -- to conditionacceptance of identification cards and drivers' licenses on closelyrelated priorities, including meeting standards for privacy anddata security.

The decision not to do this is a policy question that, accordingto the federalism Executive Order, turns on whether there isconstitutional and statutory authority and whether national actionis appropriate. The Department's decision to abandon these issuesto the states is an implicit finding that privacy and data securityare not problems of national significance. That finding is wrong.Privacy is a problem of national significance.

Many different federal laws and policies seek to foster privacyand data security, even in the context of national securityprograms. The Executive Order establishing the President's board onsafeguarding Americans' civil liberties, for example, states in itsvery first section:

The United States Government has a solemn obligation,and shall continue fully, to protect the legal rights of allAmericans, including freedoms, civil liberties, and informationprivacy guaranteed by Federal law, in the effective performance ofnational security and homeland security functions.6

Among the many federal laws that are relevant is the Privacy Actof 1974.7 The Privacy Actrequires federal agencies to undertake a variety of informationpractices, and it accords individuals a number of rights intendedto protect privacy and similar interests. The law requires agenciesto extend these protections to systems of records operated "by oron behalf of the agency . . . to accomplish an agency function"when that is done by contract.8

The Privacy Act apparently did not contemplate that states wouldmaintain systems of records in furtherance of federal functions.However, Office of Management and Budget guidelines issued afterthe Privacy Act's passage say that the Act is intended to cover "defacto as well as de jure Federal agency systems."9

Another relevant law is FISMA, the Federal Information SecurityManagement Act of 2002.10FISMA seeks to bolster information security within the federalgovernment and for federal government functions by mandating yearlysecurity audits. FISMA makes the head of each agency responsiblefor information security protections with regard to informationsystems and "information collected or maintained by or on behalf ofthe agency."11

REAL ID's Legislative History

The legislative history of the REAL ID Act suggests Congress'intention that the Department should implement REAL ID consistentwith federal government policies on privacy. The Department ofHomeland Security's Privacy Impact Assessment reviews relevantportions of that history:

The House Conference Report for the REAL ID Actincludes several key statements of Congressional intent regardingprivacy. For example, in its discussion of section 202(d)(12) ofthe Act, which requires each state to provide electronic access tothe information in its motor vehicle databases to all of the otherstates, the Conference Report makes clear that Congress recognizedthe need for the regulations to address privacy and security andthat those protections should be at least the equivalent ofexisting federal protections. The Conference Report reads inrelevant part:

DHS will be expected to establish regulations which adequatelyprotect the privacy of the holders of licenses and ID cards whichmeet the standards for federal identification and federalpurposes.

In addition, the Conference Report discussion of Section 202(b)(9)of the Act, which calls for using "a common machine-readabletechnology, with defined minimum data elements," clearly indicatesthat Congress wanted privacy to be a consideration in implementingthe technology. The Conference Report states:

There has been little research on methods to secure the privacyof the data contained on the machine readable strip. Improvementsin the machine readable technology would allow for less data beingpresent on the face of the card in the future, with other datastored securely and only able to be read by law enforcementofficials.12

REAL ID has Formidable Privacy and Data SecurityProblems

The privacy and data security consequences arising from REAL IDare immense, increasingly well understood, and probablyinsurmountable.

The increased data collection and data retention required ofstates is concerning. Requiring states to maintain databases offoundational identity documents will create an incrediblyattractive target to criminal organizations, hackers, and otherwrongdoers. The breach of a state's entire database, containingcopies of birth certificates and various other documents andinformation, could topple the identity system we use in the UnitedStates today. The best data security is not creating largedatabases of sensitive and valuable information in the firstplace.

The requirement that states transfer information from theirdatabases to each other is concerning. This exposes the securityweaknesses of each state to the security weaknesses of all theothers. There are ways to limit the consequences of having alogical national database of driver information, but there is noway to ameliorate all the consequences of the REAL ID Actrequirement that information about every American driver be madeavailable to every other state.

There are serious concerns with the creation of a nationallyuniform identity system. Converting from a system of many similarcards to a system of uniform cards is a major change. It is notjust another in a series of small steps.

Economists know well that standards create efficiencies andeconomies of scale. When all the railroad tracks in the UnitedStates were converted to the same gauge, for example rail became amore efficient method of transportation. Because the same train carcould travel on tracks anywhere in the country, more goods andpeople traveled by rail. Uniform ID cards would have the sameinfluence on the uses of ID cards.

There are machine-readable components like magnetic strips andbar codes on many licenses today. Their types, locations, designs,and the information they carry differs from state to state. Forthis reason, they are not used very often. If all identificationcards and licenses were the same, there would be economies of scalein producing card readers, software, and databases to capture anduse this information. Americans would inevitably be asked more andmore often to produce a REAL ID card, and share the data from it,when they engaged in various governmental and commercialtransactions.

In turn, others will capitalize on the information collected instate databases and harvested using REAL ID cards. Speaking to theDepartment of Homeland Security's Data Privacy and IntegrityAdvisory Committee last week, Anne Collins, the Registrar of MotorVehicles for the Commonwealth of Massachusetts said, "If you buildit they will come." Massed personal information will be anirresistible attraction to the Department of Homeland Security andmany other governmental entities, who will dip into data about usfor an endless variety of purposes.

Sure enough, the NPRM cites some other uses that governments arelikely to make of REAL ID, including controlling "unlawfulemployment," gun ownership, drinking, and smoking. Uniform IDsystems are a powerful tool. If we build it, they will come. REALID will be used for many purposes beyond what are contemplatedtoday.

But the NPRM "punts" on even small steps to control theseprivacy concerns. It says for example that it "does not create anational database, because it leaves the decision of how to conductthe exchanges in the hands of the States."13 My car didn't hit you -- the bumper did!

As to security and privacy of the information in statedatabases, the NPRM proposes paperwork. Under the proposed rules,states must prepare a "comprehensive security plan" coveringinformation collected, disseminated, or stored in connection withthe issuance of REAL ID licenses from unauthorized access, misuse,fraud, and identity theft. Requiring production of a plan is notnothing, and the NPRM refers to various "fair informationpractices." However, preparing a plan is not a standard. The NPRMdoes not even condition federal acceptance of state cards onmeeting the low standards of the federal Privacy Act or FISMA.

The REAL ID Act provided the Department of Homeland Securitywith very little opportunity to "fix it in the regs." And DHS didnot fix it in the regs.

REAL ID Fails Cost-BenefitAnalysis

The privacy and dollar costs of REAL ID would be easy to bear ifthis national ID system would add significantly to our country'sprotections. But the cost-benefit analysis provided in the NPRMhelps show that it does not. Implementation of REAL ID would imposemore costs on our society than it would provide in security orother benefits.

Executive Order 1286614requires agencies to assess the costs and benefits of therequirements they propose. The Department found that implementingREAL ID would cost over $17 billion.15 This is 50% higher than the $11 billion estimateput forward by the National Conference of State Legislators. Again,these costs would be worth it -- if the REAL ID Act had netbenefits. It does not.

On the question of benefits, the regulatory analysis in the NPRMessentially punts:16

It is impossible to quantify or monetize the benefitsof REAL ID using standard economic accounting techniques. However,though difficult to quantify, everyone understands the benefits ofsecure and trusted identification. The proposed minimum standardsseek to improve the security and trustworthiness of a key enablerof public and commercial life -- state-used driver's licenses andidentification cards. As detailed below, these standards willimpose additional burdens on individuals, States, and even theFederal government. These costs, however, must be weighed againstthe intangible but no less real benefits to both public andcommercial activities achieved by secure and trustworthyidentification.

This is not analysis, of course. It is surmise. A few paragraphslater:

The proposed REAL ID regulation would strengthen thesecurity of personal identification. Though difficult to quantify,nearly all people understand the benefits of secure and trustedidentification and the economic, social, and personal costs ofstolen or fictitious identities. The proposed REAL ID NPRM seeks toimprove the security and trustworthiness of a key enabler of publicand commercial life -- state-issued driver's licenses andidentification cards.

The primary benefit of REAL ID is to improve the security andlessen the vulnerability of federal buildings, nuclear facilities,and aircraft to terrorist attack. The rule would give states, localgovernments, or private sector entities an option to choose torequire the use of REAL IDs for activities beyond the officialpurposes defined in this regulation. To the extent that states,local governments, and private sector entities make this choice,the rule may facilitate processes which depend on licenses andcards for identification and may benefit from the enhanced securityprocedures and characteristics put in place as a result of thisproposed rule.

The assessment goes on to imagine what protection-rates wouldcost-justify the REAL ID Act regulations.17 According to the assessment, if REAL ID lowersby 3.6% per year the annual probability of a terrorist attackcausing immediate impacts of $63.9 billion, the rules would havenet benefits. If REAL ID lowers by 0.61% per year the annualprobability of a terrorist attack causing both immediate and longerrun impacts of $374.7 billion, the rules would have netbenefits.

This is an unsound way of judging the anti-terrorism benefits ofREAL ID, and it reflects almost no thinking about how REAL ID mightwork as a security tool. I have attached as Appendix A arudimentary analysis of the REAL ID Act in terms of riskmanagement, using the framework put forward by the Department ofHomeland Security's Data Privacy and Integrity AdvisoryCommittee.18

Creating a national identification scheme does not just attach aknown, accurate identity to everyone. It causes wrongdoers tochange their behavior. Sometimes this controls risks, sometimesthis shifts risks from one place to another, and sometimes thiscreates even greater risks. Rather than being evaluated on itsability to prevent attacks outright, as the NPRM did, the REAL IDAct should be assessed in terms of its ability to delay attacks orchange their character.

Assuming, for example, that a future attack would be on thescale of a 9/11 -- probably an exaggerated assumption -- REAL IDmight be assumed (generously) to delay such an attack by sixmonths. The value of delaying such an attack, and thus the securityvalue of REAL ID, ranges from $2.24 billion to $13.1billion.19 REAL ID offersless in benefits than it does at costs -- even using very generousassumptions.

The information published NPRM concludes with this:

The potential ancillary benefits of REAL ID arenumerous, as it would be more difficult to fraudulently obtain alegitimate license and would be substantially more costly to createa false license. These other benefits include reducing identitytheft, unqualified driving, and fraudulent activities facilitatedby less secure driver's licenses such as fraudulent access togovernment subsidies and welfare programs, illegal immigration,unlawful employment, unlawful access to firearms, voter fraud, andpossibly underage drinking and smoking. DHS assumes that REAL IDwould bring about changes on the margin that would potentiallyincrease security and reduce illegal behavior. Because the size ofthe economic costs that REAL ID serves to reduce on the margin areso large, however, a relatively small impact of REAL ID may lead tosignificant benefits.

The actual economic analysis produced by DHS and placed in therulemaking docket has some more specific information about"ancillary benefits." It estimates that REAL ID could reduce thecosts of identity theft by merely $1.6 billion during 2007-16. Noother benefits are estimated.

In summary, implementation of REAL ID would cost over $17billion dollars. Its security benefits, under generous assumptions,might reach about $15 billion. REAL ID promises 88 cents worth ofnational security for every national security dollar we spend.These dollars would be taken from children's health care, fromAmerican families' food budgets, and from security programs thatactually work. Implementing REAL ID would harm the country.

These practical considerations are very important, but there arelong-term, principled reasons why Congress should reconsider theREAL ID Act immediately.

REAL ID: The Race Card

The "machine-readable technology" required for every REALID-compliant card has been a subject of much worry and speculation.This is not without reason. A nationally uniform ID card will makeit very likely that cards will be requested, and the data on themcollected and used, by governments and corporations alike. DHS waswise to resist the use of radio frequency identification tags inREAL ID.20

But even more significant issues have been created by the DHS'schoice of technical standards. The standard for the 2D barcodeselected by the Department includes the cardholder's race as one ofthe data elements.

If the REAL ID card is implemented, Americans transactingbusiness using the REAL ID card may well be filling government andcorporate databases with information that ties their race torecords of their transactions and movements. Students of historyshould find the prospect sickening.

For the machine readable portion of the card, the technologystandard proposed by DHS in the NPRM is the PDF-417 two-dimensionalbar code. According to DHS, the PDF-417 barcode can be read by astandard 2D barcode scanner.21 This is a more highly developed version of thebarcode scanning that is done in grocery stores across thecountry.

The version selected by DHS is the 2005 AAMVA Driver'sLicense/Identification Card Design Specifications, Annex D. This isa standardized format for putting information in the bar code.

A summary of the data elements from the standard is attached asAppendix B, but briefly, white people would carry the designation"W"; black people would carry the designation "BK"; people ofHispanic origin would be designated "H"; Asian or Pacific Islanderswould be "AP"; and Alaskan or American Indians would be "AI."

DHS does not require all the data elements from the standard,and it does not require the "race/ethnicity" data element, but thestandard it has chosen will likely be adopted in its entirety bystate driver licensing bureaus. The DHS has done nothing to preventor even discourage the placement of race and ethnicity in themachine readable zones of this national ID card.

Avoiding race- and ethnicity-based identification systems is anessential bulwark of protection for civil liberties, given ouralways-uncertain future. In Nazi Germany, in apartheid SouthAfrica, and in the recent genocide in Rwanda, horrible deeds wereadministered using identification cards that included informationabout religion, about tribe, and about race. Implementation of theREAL ID Act, which would permit race to be a part of the nationalidentification card scheme, would be a grave error.

Akaka-Sununu is Essential -- and it Needs a Vision ofthe Future

Congratulations again, Mr. Chairman -- and I salute SenatorSununu, as well -- on your leadership in introducing, for thesecond Congress in a row, legislation to repeal REAL ID and restorethe ID security provisions from the 9/11-Commission-inspiredIntelligence Reform and Terrorism Prevention Act.

REAL ID is often touted as a direct response to a strongrecommendation of the 9/11 Commission. This is untrue on a numberof levels.

The recent push for national ID cards is in reaction to theterrorist attacks of September 11, 2001, of course. An appendix toa report by the Markle Foundation Task Force on National Securityin the Information Age recommended various governmental measures tomake identification "more reliable."22 This report was cited by the 9/11 Commission asit recommended "federal government . . . standards for the issuanceof birth certificates and forms of identification, such as driverslicenses."23 But it isimportant to know that the 9/11 Commission devoted about ¾of a page in its 400-page report to identification issues.Identification security was not a "key finding" of theCommission.

Nonetheless, a provision of the Intelligence Reform andTerrorism Prevention Act of 2004, passed in response to the 9/11Commission Report, established a negotiated rulemaking process fordetermining minimum standards for federally acceptable driver'slicenses and identification cards.24 This provision -- the result of the 9/11Commission report -- was repealed and replaced by the REAL ID Act.Restoring the earlier, more careful provisions would be a step inthe right direction.

But the Congress should examine our country's identificationpolicies and practices even more carefully. Identification systemshave many benefits but, as we know from REAL ID, they also carrymany threats. We should have a much more careful nationaldiscussion about the design of the identity systems we will use inthe future.

There are identification systems being devised today by thecountries' brightest technologists that would provide all thesecurity that identification can provide, but that would resisttracking and surveillance. Meanwhile, hundreds of millions -- ifnot billions -- of taxpayer dollars are already being spent on IDsystems with little regard for their interoperability with emergingopen standards, to say nothing of privacy.

It would be unfortunate of the federal government spent so muchtime and money to build systems that lead in a few decades to verycostly dead end. Even worse would be for government systems topredominate, making it a practical requirement that Americans dohave to carry a national ID card in order to function.

As it moves forward, I recommend that the Akaka-Sununulegislation include consideration of emerging open standards forgovernment IDs and credentials. Rather than being locked into theunwieldy federal systems now being created, federal agencies shouldhave the flexibility to accept any identification card orcredential that meets or exceeds government standards for dataaccuracy, security, and verifiability.

In Akaka-Sununu, Congress should recognize the emergence ofidentity and credentialing systems that are diverse, competitive,and -- most importantly -- privacy protective. These systems canmaximize security while minimizing surveillance. REAL ID is theugly alternative to getting it right.

APPENDIX A

Rudimentary Analysis of REAL ID Act in Terms of RiskManagement

Assessing how, and how well, the REAL ID Act regulations benefitthe homeland security mission in terms of risk management requiresanswers to the following questions. Answers available in the NPRMare critiqued here, and sensible or assumed answers aresupplied:

  • What are you trying to protect? The NPRM identifiesfederal buildings, nuclear facilities, and aircraft as the primarybeneficiaries of the REAL ID rules, as well as other infrastructureshould access to it be conditioned on showing ID. "Ancillary"beneficiaries would be the many segments of the public who wouldbenefit from various types of fraud reduction, public safety lawenforcement, and various forms of personal regulation.
  • What are you trying to protect it from? The primarythreat articulated by the rule's brief benefit statement is"terrorist attack," which can take any number of forms. Theassessment does not describe with particularity any vulnerabilityor the way any of these assets may be harmed, much less how REAL IDwould prevent or diminish such harm. As to ancillary beneficiaries,it is well known that fraud, unsafe behavior, and unwise personalchoices have a variety of costs. The assessment does not describehow the REAL ID regulations would prevent these ills, though aspart of an expanded police and regulatory state, they undoubtedlywould.
  • What is the likelihood of each threat occurring and theconsequence if it does? The rule's benefit statement makes noattempt at terrorism risk assessment, positing instead twodifferent "9/11" scenarios, the avoidance of which wouldcost-justify the rules. The ancillary harms the assessment claimsto effect vary widely across the landscape of human action, andhave a variety of likelihoods and consequences.
  • What kind of action does the program take in response tothe threat -- acceptance, prevention, interdiction, ormitigation? The NPRM does not go into this kind of detail, butthe REAL ID rules are best characterized as interdiction: a form ofconfrontation with, or influence exerted on, an attacker toeliminate or limit its movement toward causing harm. A moreaccurate and secure identification system may interfere withterrorists in a variety of ways.

    Requiring REAL ID-compliant identification cards for access tosecured areas would limit the field of potential attackers on thoseareas to only those people that are able to prove their identityand lawful presence in the United States. This would inconvenienceforeign terrorist organizations, likely changing their behavior ina number of ways. The REAL ID Act might cause foreign terroristorganizations to target infrastructure that is not secured byidentification requirements. It might cause them to selectindividual attackers who can lawfully enter the U.S. and acquireidentification.25 It mightcause them to ally with domestic criminals or criminalorganizations.

    They may attack the REAL ID system in various ways. The REAL IDregulations might induce foreign terrorist organizations to procureREAL ID-compliant cards through corrupt Department of MotorVehicles employees. It might cause them to seek counterfeitdocuments that can fool DMV employees into issuing REALID-compliant cards. It might cause them to seek counterfeit REALID-compliant cards good enough to fool verifiers at checkpoints. Itmight cause them to corrupt verifiers at checkpoints.

    Whatever the case, the REAL ID regulations would cause someinconvenience to foreign terrorist organizations seeking to mountan attack on infrastructure secured behind checkpoints.

    A second form of interdiction, also not discussed in the NPRM, isthe use of REAL ID in conjunction with watch lists. Again puttingaside attacks on the REAL ID system, requiring REAL ID-compliantidentification cards for access to secured areas would limit thefield of potential attackers on those areas to only those peoplethat are not known to be terrorists by the authorities. Coupledwith watch lists, the REAL ID regulations might cause terroristorganizations, foreign and domestic, to target infrastructure thatis not secured by identification requirements. It might cause themto select attackers who are not known to have contacts withterrorists.26 It also mightcause them to attack the REAL ID system in the ways discussedabove.

    Similar to the joining of REAL ID to watch lists in terrorisminterdiction, REAL ID may be joined to a variety of commercial, lawenforcement, and regulatory programs aimed at reducing fraud,promoting public safety, law enforcement, and various forms ofpersonal regulation. Each of these multitudinous potential uses ofREAL ID would alter the behavior of "attackers" in various ways. Itwould improve their behavior in some cases, inspire avoidance inothers, and also in some cases prompt attacks on the REAL ID systemlike those discussed above, such as by college students seeking agood fake ID.

  • Does the response create new risks to the asset orothers? Some of the avoidance behaviors listed above wouldtransfer risks or create new risks. Terrorists may shift fromREAL-ID-secured targets to non-REAL-ID-securedtargets.27 Foreignterrorist organizations allying themselves with domestic criminalorganizations to avoid REAL ID-based security might form moredangerous hybrid organizations. As noted above, there wouldcertainly be attacks on the REAL ID system, in terms of technicalsecurity, corruption, fraud, and so on. The techniques developed by"casual" attackers such as college students would accrue to thebenefit of the serious threats such as criminal or terroristorganizations. These are just some of the risk transfers and newrisks that would result from implementing the REAL IDregulations.

APPENDIX B

From: Personal Identification -- AAMVA InternationalSpecification -- DL/ID Card Design, Annex D: "Mandatory PDF417 BarCode"

MINIMUM MANDATORY DATA ELEMENTS

Jurisdiction-Specific VehicleClass Jurisdiction-specific vehicle class / group code,designating the type of vehicle the cardholder has privilege todrive.
Jurisdiction-Specific RestrictionCodes Jurisdiction-specific codes that representrestrictions to driving privileges (such as airbrakes, automatictransmission, daylight only, etc.).
Jurisdiction-Specific EndorsementCodes Jurisdiction-specific codes that representadditional privileges granted to the cardholder beyond the vehicleclass (such as transportation of passengers, hazardous materials,operation of motorcycles, etc.).
Document Expiration Date Date on which the driving and identificationprivileges granted by the document are no longer valid. (MMDDCCYYfor U.S., CCYYMMDD for Canada)
Customer Family Name Family name of the cardholder. (Family name issometimes also called "last name" or "surname.") Collect full namefor record, print as many characters as possible on front ofDL/ID.
Customer Given Names Given names of the cardholder. (Given namesinclude all names other than the Family Name. This includes allthose names sometimes also called "first" and "middle" names.)Collect full name for record, print as many characters as possibleon front of DL/ID.
Document Issue Date Date on which the document was first issued.(MMDDCCYY for U.S., CCYYMMDD for Canada)
Date of Birth Date on which the cardholder was born. (MMDDCCYYfor U.S., CCYYMMDD for Canada)
Physical Description -- Sex Gender of the cardholder. 1 = male, 2=female.
Physical Description -- EyeColor Color of cardholder's eyes. (ANSI D-20codes)
Physical Description --Height Height of cardholder. Inches (in): number ofinches followed by " in" ex. 6'1'' = " 73 in" Centimeters (cm):number of centimeters followed by " cm" ex. 181 centimeters="181cm"
Address -- Street 1 Street portion of the cardholder address.
Address -- City City portion of the cardholder address.
Address -- Jurisdiction Code State portion of the cardholder address.
Address -- Postal Code Postal code portion of the cardholder address inthe U.S. and Canada. If the trailing portion of the postal code inthe U.S. is not known, zeros will be used to fill the trailing setof numbers.
Customer ID Number The number assigned or calculated by the issuingauthority.
Document Discriminator Number must uniquely identify a particulardocument issued to that customer from others that may have beenissued in the past. This number may serve multiple purposes ofdocument discrimination, audit information number, and/or inventorycontrol.
Country Identification Country in which DL/ID is issued. U.S. = USA,Canada = CAN.
Federal Commercial VehicleCodes Federally established codes for vehiclecategories, endorsements, and restrictions that are generallyapplicable to commercial motor vehicles. If the vehicle is not acommercial vehicle, "NONE" is to be entered.

OPTIONAL DATA ELEMENTS

Address - Street 2 Second line of street portion of the cardholderaddress.
Hair color Brown, black, blonde, gray, red/auburn, sandy,white
Place of birth Country and municipality and/orstate/province
Audit information A string of letters and/or numbers thatidentifies when, where, and by whom a driver license/ID card wasmade. If audit information is not used on the card or the MRT, itmust be included in the driver record.
Inventory control number A string of letters and/or numbers that isaffixed to the raw materials (card stock, laminate, etc.) used inproducing driver licenses and ID cards.
Alias / AKA Family Name Other family name by which cardholder isknown.
Alias / AKA Given Name Other given name by which cardholder isknown
Alias / AKA Suffix Name Other suffix by which cardholder is known
Name Suffix Name Suffix (If jurisdiction participates insystems requiring name suffix (PDPS, CDLIS, etc.), the suffix mustbe collected and displayed on the DL/ID and in the MRT). Collectfull name for record, print as many characters as possible on frontof DL/ID.
Physical Description - WeightRange Indicates the approximate weight range of thecardholder:
0 = up to 31 kg (up to 70 lbs)
1 = 32 - 45 kg (71 - 100 lbs)
2 = 46 - 59 kg (101 - 130 lbs)
3 = 60 - 70 kg (131 - 160 lbs)
4 = 71 - 86 kg (161 - 190 lbs)
5 = 87 - 100 kg (191 - 220 lbs)
6 = 101 - 113 kg (221 - 250 lbs)
7 = 114 - 127 kg (251 - 280 lbs)
8 = 128 - 145 kg (281 - 320 lbs)
9 = 146+ kg (321+ lbs)
Race / ethnicity Codes for race or ethnicity of the cardholder, asdefined in ANSI D20.
Standard vehicleclassification Standard vehicle classification code(s) forcardholder. This data element is a placeholder for future effortsto standardize vehicle classifications.
Standard endorsement code Standard endorsement code(s) for cardholder. Thisdata element is a placeholder for future efforts to standardizeendorsement codes.
Standard restriction code Standard restriction code(s) for cardholder. Thisdata element is a placeholder for future efforts to standardizerestriction codes.
Jurisdiction specific vehicleclassification description Text that explains the jurisdiction-specificcode(s) for types of vehicles cardholder is authorized todrive.
Jurisdiction specific endorsement codedescription Text that explains the jurisdiction-specificcode(s) that indicates additional driving privileges granted to thecardholder beyond the vehicle class.
Jurisdiction specific restriction codedescription Text describing the jurisdiction-specificrestriction code(s) that curtail driving privileges.

1 U.S. Const. amend.X.

2New York v. UnitedStates, 505 U.S. 144 (1992).

372 Fed. Reg. 10,820 (Mar.9, 2007).

4E.O. 13132, Federalism(Aug. 4, 1999).

5Id.

6E.O. 13353, Establishingthe President's Board on Safeguarding Americans' Civil Liberties(Aug 27, 2004).

75 U.S.C. §552a.

8Id. at §552a(m).

9Office of Management andBudget, Privacy Act Implementation: Guidelines andResponsibilities.

1044 U.S.C. § 3541et seq. (enacted as Title III of the E-Government Act of 2002,Pub.L. 107-347).

1144 U.S.C. §3544(a)(1)(A).

12U.S. Department ofHomeland Security, Privacy Impact Assessment for the REAL ID Act(Mar. 1, 2007) (footnotes and italics omitted)<>.</>

1372 Fed. Reg. 10,825(Mar. 9, 2007).

14Executive Order 12866,Regulatory Planning and Review (Sept. 30, 1993), requires"significant regulatory actions," such as those costing over $100million annually, to be assessed in terms of benefits, costs, andalternatives.

15Id. at 10,845(2006 dollars discounted at 7%).

16See 72 Fed.Reg. 10844-46 (Mar. 9, 2007).

17This is permitted byOMB Circular A-4 when it is difficult to quantify and monetize thebenefits of a rulemaking.

18Data Privacy andIntegrity Advisory Committee, U.S. Department of Homeland Security,Framework for Privacy Analysis of Programs, Technologies, andApplications, Report No. 2006-01 (Mar. 1, 2006)<>.</>

19Assumed delay fromtoday until 6 months into the future. (Net present value at 3.5%/6months interest.)

20The NPRM left the doorfor putting RFID chips in our identification cards in the future.See 72 Fed. Reg. 10,841-2 (Mar. 9, 2007). The DHS DataPrivacy and Integrity Advisory Committee concluded recently thatRFID is not well suited to the task of identifying people, at leastat this stage in the technology's development. Department ofHomeland Security, Data Privacy & Integrity Advisory Committee,The Use of RFID for Human Identify Verification, ReportNo. 2006-02 (Dec. 6, 2006) <>. The Department has recentlycancelled RFID-related projects. See Alice Lipowicz, DHS TunesOut RFID, Washington Technology (Feb. 12, 2007)<>.</></>

2172 Fed. Reg. 10,837-8(Mar. 9, 2007).

22Markle Foundation TaskForce on National Security in the Information Age, Creating aTrusted Network for Homeland Security (Dec. 2, 2003) . The mainbody of the report endorsed the finding of the Appendixunconditionally. See id. at 36.

23National Commission onTerrorist Attacks Upon the United States (9-11 Commission), The9/11 Commission Report (2004) at 390.

24Intelligence Reformand Terrorism Prevention Act, Pub. L. No. 108-458, §7212.

25In general, this wasthe modus operandi of al Qaeda in the 9/11 attacks.

26As demonstrated by the"Carnival Booth" study, relevant information from watch lists isrelatively easy to reverse-engineer. One must simply send anattacker through a checkpoint on a few "dry runs" to determinewhether he or she is subject to different treatment. See SamidhChakrabarti and Aaron Strauss, Carnival Booth: An Algorithm forDefeating the Computer-Assisted Passenger Screening System,6.806: Law and Ethics on the Electronic Frontier (May 16, 2002).

27Assuming terroristsaim to sap the economy and vitality of the United States, theycould do very well by serially attacking non-ID-controlled targetsif that would induce the U.S. to secure them through ID checks. Ifeach of the 240 million licensed drivers in the U.S. wereinconvenienced by just one minute per week to show ID at malls,subway stations, bus depots, office buildings, and other publicinfrastructure, the cost to society in lost time alone (assumedvalue: $20/hr.) would be over $4 billion per year - a net presentcost of $57 billion (assumed 7% interest).

Jim Harper

Subcommittee on Oversight of Government Management,
the Federal Workforce, and the District of Columbia
Committee on Homeland Security and Governmental Affairs
United States Senate