Will REAL ID Actually Make Us Safer? An Examination of Privacy and Civil Liberties Concerns

Chairman Leahy, Ranking Member Specter, and Members of the Committee:

It is a pleasure to speak with you today. I am director of information policy studies at the Cato Institute, a non-profit research foundation dedicated to preserving the traditional American principles of limited government, individual liberty, free markets, and peace. In that role, I study the unique problems in adapting law and policy to the information age. I also serve as a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee, which advises the DHS Privacy Office and the Secretary of Homeland Security on privacy issues.

My most recent book is entitled Identity Crisis: How Identification Is Overused and Misunderstood. I am also editor of Privacilla.org, a Web-based think tank devoted exclusively to privacy, and I maintain an online resource about federal legislation and spending called WashingtonWatch.com. I speak only for myself today and not for any of the organizations with which I am affiliated or for any colleague.

* * * *

Mr. Chairman, the REAL ID Act is a dead letter. All that remains is for Congress to declare it so.

The proposed regulations issued by the Department of Homeland Security on March 9th, on which comments close today, help reveal that REAL ID is a loser. It costs more to implement than it would add to our country's protections.

The regulations "punted" on REAL ID's most important technology, security, and privacy problems. Of utmost importance, the DHS proposal lays the groundwork for systematic tracking of Americans based on their race.

Though the Department of Homeland Security failed to "fix it in the regs," this is not the agency's fault. Regulations cannot make this law work, and neither can delay. The real problem is the REAL ID law itself.

There are highly meritorious bills pending in the Senate and House to repeal the REAL ID Act and restore the identification security provisions that were passed in the 9/11-Commission-inspired Intelligence Reform and Terrorism Prevention Act. Congratulations, Mr. Chairman, for being an original cosponsor of this legislation in the Senate.

These bills would be improved if they were to chart a path to government use of emerging digital identity and credentialing systems that are diverse, competitive, and privacy protective. We can have identification and credentialing systems that maximize security and minimize surveillance. REAL ID is the ugly alternative to getting it right.

REAL ID Does Not Secure the Country

I will begin with security issues, which are the most important. Simply put, the proponents of REAL ID have not borne their burden of proof. They have not shown that REAL ID would add to our country's protections - because it doesn't.

The Department of Homeland Security has had two years to articulate how REAL ID would work. But the cost-benefit analysis provided in the proposed rules issued in March (the notice of proposed rulemaking or "NPRM") helps show that implementing REAL ID would impose more costs on our society than it would provide security or other benefits. REAL ID would do more harm than good.

Executive Order 12866[1] requires agencies to assess the costs and benefits of the requirements they propose. In its cost-benefit analysis, the Department found that implementing REAL ID would cost over $17 billion.[2] This is 50% higher than the $11 billion estimate put forward by the National Conference of State Legislators.[3]

The NPRM was the Department's opportunity to show how REAL ID might add to our country's protections. But on the question of benefits, the Department of Homeland Security essentially punted. It said:

It is impossible to quantify or monetize the benefits of REAL ID using standard economic accounting techniques. However, though difficult to quantify, everyone understands the benefits of secure and trusted identification. The proposed minimum standards seek to improve the security and trustworthiness of a key enabler of public and commercial life - state-used driver's licenses and identification cards. As detailed below, these standards will impose additional burdens on individuals, States, and even the Federal government. These costs, however, must be weighed against the intangible but no less real benefits to both public and commercial activities achieved by secure and trustworthy identification.[4]

This is not analysis, of course. It is surmise. A few paragraphs later, it continues:

The proposed REAL ID regulation would strengthen the security of personal of identification. Though difficult to quantify, nearly all people understand the benefits of secure and trusted identification and the economic, social, and personal costs of stolen or fictitious identities. The proposed REAL ID NPRM seeks to improve the security and trustworthiness of a key enabler of public and commercial life - state-issued driver's licenses and identification cards.

The primary benefit of REAL ID is to improve the security and lessen the vulnerability of federal buildings, nuclear facilities, and aircraft to terrorist attack. The rule would give states, local governments, or private sector entities an option to choose to require the use of REAL IDs for activities beyond the official purposes defined in this regulation. To the extent that states, local governments, and private sector entities make this choice, the rule may facilitate processes which depend on licenses and cards for identification and may benefit from the enhanced security procedures and characteristics put in place as a result of this proposed rule.

The assessment goes on to imagine what protection-rates would cost-justify the REAL ID Act regulations.[5] According to the assessment, if REAL ID lowers by 3.6% per year the annual probability of a terrorist attack causing immediate impacts of $63.9 billion, the rules would have net benefits. If REAL ID lowers by 0.61% per year the annual probability of a terrorist attack causing both immediate and longer run impacts of $374.7 billion, the rules would have net benefits.

This is an unsound way of judging the anti-terrorism benefits of REAL ID, and it reflects almost no thinking about how REAL ID might work as a security tool. I have attached as Appendix A a rudimentary analysis of the REAL ID Act in terms of risk management, using the framework put forward by the Department of Homeland Security's Data Privacy and Integrity Advisory Committee.[6]

To summarize, creating a national identification scheme would not just attach a known, accurate identity to everyone. It would cause wrongdoers to change their behavior. Sometimes this would control risks, sometimes this would shift risks from one place to another, and sometimes this would create even greater risks.

Rather than being evaluated on its ability to prevent attacks outright, as the NPRM did, the REAL ID Act should be assessed in terms of its ability to delay attacks or change their character. Assuming, for example, that a future attack would be on the scale of a 9/11 - an exaggerated assumption unless all the rest of our security efforts have done nothing - REAL ID might be assumed (generously) to delay such an attack by six months. The value of delaying such an attack, and thus the security value of REAL ID, ranges from $2.24 billion to $13.1 billion.[7] REAL ID offers less in benefits than it does costs - even using very generous assumptions.

The NPRM concludes with this:

The potential ancillary benefits of REAL ID are numerous, as it would be more difficult to fraudulently obtain a legitimate license and would be substantially more costly to create a false license. These other benefits include reducing identity theft, unqualified driving, and fraudulent activities facilitated by less secure driver's licenses such as fraudulent access to government subsidies and welfare programs, illegal immigration, unlawful employment, unlawful access to firearms, voter fraud, and possibly underage drinking and smoking. DHS assumes that REAL ID would bring about changes on the margin that would potentially increase security and reduce illegal behavior. Because the size of the economic costs that REAL ID serves to reduce on the margin are so large, however, a relatively small impact of REAL ID may lead to significant benefits.

The actual economic analysis produced by DHS and placed in the rulemaking docket has some more specific information about "ancillary benefits." It estimates that REAL ID could reduce the costs of identity theft by merely $1.6 billion during 2007-16.[8] Relatively little identity fraud uses drivers' licenses. No other benefits are estimated.

In summary, implementation of REAL ID would cost over $17 billion. Its security benefits, under generous assumptions, might reach about $15 billion. REAL ID promises 88 cents worth of security and "ancillary benefits" for every national security dollar we spend. These dollars would be taken from children's health care, from American families' food budgets, and from security programs that actually increase our protections. Implementing REAL ID would harm the country.

If REAL ID did add to our country's protections, it would not have been passed attached to a military spending bill two years ago. It would have had hearings, up-or-down votes in both houses, and fanfare at every step of the legislative process.

If REAL ID added to our country's protections, Americans would happily tolerate the expense, inconvenience, and intrusion created by the REAL ID system. They do not.

Securing the country is not controversial. REAL ID is controversial.

DHS Punted on the Hard Issues

The potential security benefit of having a national ID is the most important consideration. As we now see, REAL ID fails cost-benefit analysis. But there are additional costs of REAL ID that are not considered in the NPRM's cost-benefit analysis. These costs are denominated in the privacy and civil liberties of law abiding Americans.

Many states waited to see what they would find in the Department of Homeland Security's REAL ID regulations. Since DHS issued its regulations, many states have moved forward with anti-REAL ID legislation. I have attached as Appendix B a list of anti-REAL ID activity in the states since the regulations came out. On the toughest technology, security, and privacy issues, states have been left holding the bag. They do not want REAL ID, and for good reason.

Were they to comply with the REAL ID Act, states would have to cross a mine-field of complicated and expensive technology decisions. They would face enormous, possibly insurmountable, privacy and data security challenges. But the Department of Homeland Security avoided these issues by carefully observing the constraints of federalism even though the REAL ID law was crafted specifically to destroy the distinctions between state and federal responsibilities.

The Federalism Issue

The Constitution established a federal government with limited, enumerated powers, leaving the powers not delegated to the federal government to the states and people.[9] Because direct regulation of the states would be unconstitutional,[10] the REAL ID Act conditions federal acceptance of state-issued identification cards and drivers' licenses on their meeting certain federal standards.

This statutory structure - using state machinery to implement a federal program - is unfortunate. It blurs the lines of authority and obscures the workings of government from citizens and taxpayers. But it does draw federalism into play as a potential limit on the Department's ability to regulate.

As the Notice of Proposed Rulemaking notes,[11] Executive Order 13132 says that "issues that are not national in scope or significance are most appropriately addressed by the level of government closest to the people."[12] Laying out the criteria for policymaking when federalism is implicated, the Executive Order says, "National action limiting the policymaking discretion of the States shall be taken only where there is constitutional and statutory authority for the action and the national activity is appropriate in light of the presence of a problem of national significance."[13]

In support of a federal function - national security - the REAL ID Act conditions federal acceptance of state identification cards and drivers' licenses on their meeting federal standards for documentation, issuance, evidence of lawful status, verification of documents, security practices, and maintenance of driver databases. The federal government has equal power - and the Department of Homeland Security had discretion in this rule - to condition acceptance of identification cards and drivers' licenses on closely related priorities, including meeting standards for privacy and data security.

The decision not to do this is a policy question that, according to the federalism Executive Order, turns on whether there is constitutional and statutory authority and whether national action is appropriate. The Department's decision to abandon these issues to the states is an implicit finding that privacy and data security are not problems of national significance. That finding is wrong. Privacy is a problem of national significance.

Many different federal laws and policies seek to foster privacy and data security, even in the context of national security programs. The Executive Order establishing the President's board on safeguarding Americans' civil liberties, for example, states in its very first section:

The United States Government has a solemn obligation, and shall continue fully, to protect the legal rights of all Americans, including freedoms, civil liberties, and information privacy guaranteed by Federal law, in the effective performance of national security and homeland security functions.[14]

Among the many federal laws that are relevant is the Privacy Act of 1974.[15] The Privacy Act requires federal agencies to undertake a variety of information practices, and it accords individuals a number of rights intended to protect privacy and similar interests. The law requires agencies to extend these protections to systems of records operated "by or on behalf of the agency . . . to accomplish an agency function" when that is done by contract.[16]

The Privacy Act did not contemplate that states would maintain systems of records in furtherance of federal functions. However, Office of Management and Budget guidelines issued after the Privacy Act's passage say that the Act is intended to cover "de facto as well as de jure Federal agency systems."[17]

Another relevant law is FISMA, the Federal Information Security Management Act of 2002.[18] FISMA seeks to bolster information security within the federal government and for federal government functions by mandating yearly security audits. FISMA makes the head of each agency responsible for information security protections with regard to information systems and "information collected or maintained by or on behalf of the agency."[19]

REAL ID's Legislative History

The legislative history of the REAL ID Act suggests Congress' intention that the Department should implement REAL ID consistent with federal government policies on privacy. The Department of Homeland Security's Privacy Impact Assessment reviews relevant portions of that history:

The House Conference Report for the REAL ID Act includes several key statements of Congressional intent regarding privacy. For example, in its discussion of section 202(d)(12) of the Act, which requires each state to provide electronic access to the information in its motor vehicle databases to all of the other states, the Conference Report makes clear that Congress recognized the need for the regulations to address privacy and security and that those protections should be at least the equivalent of existing federal protections. The Conference Report reads in relevant part:

DHS will be expected to establish regulations which adequately protect the privacy of the holders of licenses and ID cards which meet the standards for federal identification and federal purposes.

In addition, the Conference Report discussion of Section 202(b)(9) of the Act, which calls for using "a common machine-readable technology, with defined minimum data elements," clearly indicates that Congress wanted privacy to be a consideration in implementing the technology. The Conference Report states:

There has been little research on methods to secure the privacy of the data contained on the machine readable strip. Improvements in the machine readable technology would allow for less data being present on the face of the card in the future, with other data stored securely and only able to be read by law enforcement officials.[20]

REAL ID has Formidable Privacy and Data Security Problems

The privacy and data security consequences arising from REAL ID are immense, increasingly well understood, and probably insurmountable.

The increased data collection and data retention required of states is concerning. Requiring states to maintain databases of foundational identity documents will create an incredibly attractive target to criminal organizations, hackers, and other wrongdoers. The breach of a state's entire database, containing copies of birth certificates and various other documents and information, could topple the identity system we use in the United States today. The best data security is avoiding the creation of large databases of sensitive and valuable information in the first place.

The requirement that states transfer information from their databases to each other is concerning. This exposes the security weaknesses of each state to the security weaknesses of all the others. There are ways to limit the consequences of having a logical national database of driver information, but there is no way to ameliorate all the consequences of the REAL ID Act requirement that information about every American driver be made available to every other state.

There are serious concerns with the creation of a nationally uniform identity system. Converting from a system of many similar cards to a system of uniform cards is a major change. It is not just another in a series of small steps.

Economists know well that standards create efficiencies and economies of scale. When all the railroad tracks in the United States were converted to the same gauge, for example, rail became a more efficient method of transportation. Because the same train car could travel on tracks anywhere in the country, more goods and people traveled by rail. Uniform ID cards would have the same influence on the uses of ID cards.

There are machine-readable components like magnetic strips and bar codes on many licenses today. Their types, locations, designs, and the information they carry differ from state to state. For this reason, they are not used very often. If all identification cards and licenses were the same, there would be economies of scale in producing card readers, software, and databases to capture and use this information. Americans would inevitably be asked more and more often to produce a REAL ID card, and share the data from it, when they engaged in various governmental and commercial transactions.

In turn, others would capitalize on the information collected in state databases and harvested using REAL ID cards. Speaking to the Department of Homeland Security's Data Privacy and Integrity Advisory Committee in March last week, Anne Collins, the Registrar of Motor Vehicles for the Commonwealth of Massachusetts said, "If you build it they will come." Massed personal information will be an irresistible attraction to the Department of Homeland Security and many other governmental entities, who will dip into data about us for an endless variety of purposes.

Sure enough, the NPRM cites some other uses that governments are likely to make of REAL ID, including controlling "unlawful employment," gun ownership, drinking, and smoking. Uniform ID systems are a powerful tool. If we build it, they will come. REAL ID will be used for many purposes beyond what are contemplated today.

But the NPRM "punts" on even small steps to control these privacy concerns. It says for example that it "does not create a national database, because it leaves the decision of how to conduct the exchanges in the hands of the States."[21] My car didn't hit you - the bumper did!

As to security and privacy of the information in state databases, the NPRM proposes paperwork. Under the proposed rules, states must prepare a "comprehensive security plan" covering information collected, disseminated, or stored in connection with the issuance of REAL ID licenses from unauthorized access, misuse, fraud, and identity theft.

Requiring production of a plan is not nothing, and the NPRM refers to various "fair information practices." However, preparing a plan is not a standard. The NPRM does not even condition federal acceptance of state cards on meeting the low standards of the federal Privacy Act or FISMA.

The REAL ID Act provided the Department of Homeland Security with very little opportunity to "fix it in the regs." And DHS did not fix it in the regs. In fact, DHS created new concerns, such as the possibility of tracking by race.

REAL ID: The Race Card

The "machine-readable technology" required for every REAL ID-compliant card has been a subject of much worry and speculation. This is not without reason. A nationally uniform ID card will make it very likely that cards will be requested, and the data on them collected and used, by governments and corporations alike. DHS was wise to resist the use of radio frequency identification tags in REAL ID.[22]

But even more significant issues have been created by the DHS's choice of technical standards. The standard for the 2D barcode selected by the Department includes the cardholder's race as one of the data elements.

If the REAL ID card is implemented, Americans transacting business using the REAL ID card may well be filling government and corporate databases with information that ties their race to records of their transactions and movements.

For the machine readable portion of the card, the technology standard proposed by DHS in the NPRM is the PDF-417 two-dimensional bar code. According to DHS, the PDF-417 barcode can be read by a standard 2D barcode scanner.[23] This is a more highly developed version of the barcode scanning that is done in grocery stores across the country.

The version selected by DHS is the 2005 AAMVA Driver's License/Identification Card Design Specifications, Annex D. This is a standardized format for putting information in the bar code.

A summary of the data elements from the standard is attached as Appendix C, but briefly, white people would carry the designation "W"; black people would carry the designation "BK"; people of Hispanic origin would be designated "H"; Asian or Pacific Islanders would be "AP"; and Alaskan or American Indians would be "AI."

DHS does not require all the data elements from the standard, and it does not require the "race/ethnicity" data element, but the standard it has chosen will likely be adopted in its entirety by many state driver licensing bureaus. The DHS has done nothing to prevent or even discourage the placement of race and ethnicity in the machine readable zones of this national ID card.

Avoiding race- and ethnicity-based identification systems is an essential bulwark of protection for civil liberties, given our always-uncertain future. In Nazi Germany, in apartheid South Africa, and in the recent genocide in Rwanda, horrible deeds were administered using identification cards that included information about religion, about tribe, and about race. It took 60 years for the originally benign inclusion of ethnicity in the Rwandan national ID card to become a tool of genocide, but it happened all the same. Implementation of the REAL ID Act, which would permit race to be a part of the national identification card scheme, would be a grave error.

Akaka-Sununu is Essential - and it Needs a Vision of the Future

Congratulations again, Mr. Chairman on your leadership in cosponsoring legislation to repeal REAL ID and restore the ID security provisions from the 9/11-Commission-inspired Intelligence Reform and Terrorism Prevention Act.

REAL ID is often touted as a direct response to a strong recommendation of the 9/11 Commission. This is untrue on a number of levels.

The recent push for national ID cards is in reaction to the terrorist attacks of September 11, 2001, of course. An appendix to a report by the Markle Foundation Task Force on National Security in the Information Age recommended various governmental measures to make identification "more reliable."[24] This report was cited by the 9/11 Commission as it recommended "federal government . . . standards for the issuance of birth certificates and forms of identification, such as drivers licenses."[25] But it is important to know that the 9/11 Commission devoted about ¾ of a page in its 400-page report to identification issues. Identification security was not a "key finding" of the Commission.

Nonetheless, a provision of the Intelligence Reform and Terrorism Prevention Act of 2004, passed in response to the 9/11 Commission Report, established a negotiated rulemaking process for determining minimum standards for federally acceptable driver's licenses and identification cards.[26] This provision - the result of the 9/11 Commission report - was repealed and replaced by the REAL ID Act. Restoring the earlier, more careful provisions would be a step in the right direction.

But the Congress should examine our country's identification policies and practices even more carefully. Identification systems have many benefits but, as we know from REAL ID, they also carry many threats. We should have a much more careful national discussion about the design of the identity systems we will use in the future.

There are identification systems being devised today by the country's brightest technologists that would provide all the security that identification can provide, but that would resist tracking and surveillance. Meanwhile, hundreds of millions - if not billions - of taxpayer dollars are already being spent on government ID systems with little regard for their interoperability with emerging open standards, to say nothing of privacy.

It would be unfortunate if the federal government spent so much time and money to build systems that lead in a few decades to a very costly dead end. Even worse would be for government systems to predominate, making it a practical requirement that Americans do have to carry a national ID card in order to function.

As it moves forward, I recommend that the Akaka-Sununu legislation include consideration of emerging open standards for government IDs and credentials. Rather than being locked into the unwieldy federal systems now being created, federal agencies should have the flexibility to accept any identification card or credential that meets or exceeds government standards for data accuracy, security, and verifiability.

In Akaka-Sununu, Congress should recognize the emergence of identity and credentialing systems that are diverse, competitive, and - most importantly - privacy protective. These systems can maximize security while minimizing surveillance. REAL ID is the ugly alternative to getting it right.

APPENDIX A

Rudimentary Analysis of REAL ID Act in Terms of Risk Management

Assessing how, and how well, the REAL ID Act regulations benefit the homeland security mission in terms of risk management requires answers to the following questions. Answers available in the NPRM are critiqued here, and sensible or assumed answers are supplied:

  • What are you trying to protect? The NPRM identifies federal buildings, nuclear facilities, and aircraft as the primary beneficiaries of the REAL ID rules, as well as other infrastructure should access to it be conditioned on showing ID. "Ancillary" beneficiaries would be the many segments of the public who would benefit from various types of fraud reduction, public safety law enforcement, and various forms of personal regulation.
  • What are you trying to protect it from? The primary threat articulated by the rule's brief benefit statement is "terrorist attack," which can take any number of forms. The assessment does not describe with particularity any vulnerability or the way any of these assets may be harmed, much less how REAL ID would prevent or diminish such harm. As to ancillary beneficiaries, it is well known that fraud, unsafe behavior, and unwise personal choices have a variety of costs. The assessment does not describe how the REAL ID regulations would prevent these ills, though as part of an expanded police and regulatory state, they undoubtedly would.
  • What is the likelihood of each threat occurring and the consequence if it does? The rule's benefit statement makes no attempt at terrorism risk assessment, positing instead two different "9/11" scenarios, the avoidance of which would cost-justify the rules. The ancillary harms the assessment claims to effect vary widely across the landscape of human action, and have a variety of likelihoods and consequences.
  • What kind of action does the program take in response to the threat -- acceptance, prevention, interdiction, or mitigation? The NPRM does not go into this kind of detail, but the REAL ID rules are best characterized as interdiction: a form of confrontation with, or influence exerted on, an attacker to eliminate or limit its movement toward causing harm. A more accurate and secure identification system may interfere with terrorists in a variety of ways.

    Requiring REAL ID-compliant identification cards for access to secured areas would limit the field of potential attackers on those areas to only those people that are able to prove their identity and lawful presence in the United States. This would inconvenience foreign terrorist organizations, likely changing their behavior in a number of ways. The REAL ID Act might cause foreign terrorist organizations to target infrastructure that is not secured by identification requirements. It might cause them to select individual attackers who can lawfully enter the U.S. and acquire identification.[27] It might cause them to ally with domestic criminals or criminal organizations.

    They may attack the REAL ID system in various ways. The REAL ID regulations might induce foreign terrorist organizations to procure REAL ID-compliant cards through corrupt Department of Motor Vehicles employees. It might cause them to seek counterfeit documents that can fool DMV employees into issuing REAL ID-compliant cards. It might cause them to seek counterfeit REAL ID-compliant cards good enough to fool verifiers at checkpoints. It might cause them to corrupt verifiers at checkpoints.

    Whatever the case, the REAL ID regulations would cause some inconvenience to foreign terrorist organizations seeking to mount an attack on infrastructure secured behind checkpoints.

    A second form of interdiction, also not discussed in the NPRM, is the use of REAL ID in conjunction with watch lists. Again putting aside attacks on the REAL ID system, requiring REAL ID-compliant identification cards for access to secured areas would limit the field of potential attackers on those areas to only those people that are not known to be terrorists by the authorities. Coupled with watch lists, the REAL ID regulations might cause terrorist organizations, foreign and domestic, to target infrastructure that is not secured by identification requirements. It might cause them to select attackers who are not known to have contacts with terrorists.[28] It also might cause them to attack the REAL ID system in the ways discussed above.

    Similar to the joining of REAL ID to watch lists in terrorism interdiction, REAL ID may be joined to a variety of commercial, law enforcement, and regulatory programs aimed at reducing fraud, promoting public safety, law enforcement, and various forms of personal regulation. Each of these multitudinous potential uses of REAL ID would alter the behavior of "attackers" in various ways. It would improve their behavior in some cases, inspire avoidance in others, and also in some cases prompt attacks on the REAL ID system like those discussed above, such as by college students seeking a good fake ID.

  • Does the response create new risks to the asset or others? Some of the avoidance behaviors listed above would transfer risks or create new risks. Terrorists may shift from REAL-ID-secured targets to non-REAL-ID-secured targets.[29] Foreign terrorist organizations allying themselves with domestic criminal organizations to avoid REAL ID-based security might form more dangerous hybrid organizations. As noted above, there would certainly be attacks on the REAL ID system, in terms of technical security, corruption, fraud, and so on. The techniques developed by "casual" attackers such as college students would accrue to the benefit of the serious threats such as criminal or terrorist organizations. These are just some of the risk transfers and new risks that would result from implementing the REAL ID regulations.

APPENDIX B

Real ID Activity in the States Since Release of DHS Regulations

  • March 1: Department of Homeland Security issues regulations, announces intention to extend deadline and acknowledges that Real ID will cost $23 billion.
  • March 5: New anti-Real ID legislation introduced in Arkansas; Washington Senate approves anti-Real ID legislation.
  • March 6: New anti-Real ID legislation introduced in Pennsylvania; following a unanimous vote by the House, Idaho passes anti-Real ID legislation out of Senate committee.
  • March 7: Illinois, South Carolina, Missouri and Hawaii all pass anti-Real ID legislation out of committee; Arkansas Senate passes a resolution calling on Congress to repeal Real ID; Utah sends anti-Real ID legislation passed in the Senate to the Governor's desk; Nevada introduces anti-Real ID legislation.
  • March 8: Idaho Senate completes legislature's approval of resolution opting out of Real ID; Arizona Senate votes to opt out of Real ID.
  • March 9: Texas introduces anti-Real ID legislation.
  • March 13: Oklahoma House passes anti-Real ID resolution; Hawaii Senate passes anti-Real ID legislation.
  • March 14: Oklahoma Senate passes anti-Real ID statute unanimously.
  • March 15: Missouri House passes anti-Real ID legislation.
  • March 19: Arkansas Senate passes additional anti-Real ID legislation.
  • March 20: New Hampshire passes anti-Real ID legislation out of committee; Rhode Island introduces anti-Real ID legislation.
  • March 26: Arizona House passes anti-Real ID legislation out of committee.
  • March 28: Arkansas adopts two resolutions calling on Congress to repeal Real ID; Nevada Assembly passes anti-Real ID legislation.
  • April 3: South Carolina Senate passes anti-Real ID statute.

APPENDIX C

From: Personal Identification -- AAMVA International Specification -- DL/ID Card Design, Annex D: "Mandatory PDF417 Bar Code"

MINIMUM MANDATORY DATA ELEMENTS

Jurisdiction-Specific Vehicle Class: Jurisdiction-specific vehicle class / group code, designating the type of vehicle the cardholder has privilege to drive.
Jurisdiction-Specific Restriction Codes: Jurisdiction-specific codes that represent restrictions to driving privileges (such as airbrakes, automatic transmission, daylight only, etc.).
Jurisdiction-Specific Endorsement Codes: Jurisdiction-specific codes that represent additional privileges granted to the cardholder beyond the vehicle class (such as transportation of passengers, hazardous materials, operation of motorcycles, etc.).
Document Expiration Date: Date on which the driving and identification privileges granted by the document are no longer valid. (MMDDCCYY for U.S., CCYYMMDD for Canada)
Customer Family Name: Family name of the cardholder. (Family name is sometimes also called "last name" or "surname.") Collect full name for record, print as many characters as possible on front of DL/ID.
Customer Given Names: Given names of the cardholder. (Given names include all names other than the Family Name. This includes all those names sometimes also called "first" and "middle" names.) Collect full name for record, print as many characters as possible on front of DL/ID.
Document Issue Date: Date on which the document was first issued. (MMDDCCYY for U.S., CCYYMMDD for Canada)
Date of Birth: Date on which the cardholder was born. (MMDDCCYY for U.S., CCYYMMDD for Canada)
Physical Description -- Sex: Gender of the cardholder. 1 = male, 2 = female.
Physical Description -- Eye Color: Color of cardholder's eyes. (ANSI D-20 codes)
Physical Description -- Height: Height of cardholder. Inches (in): number of inches followed by " in" ex. 6'1'' = " 73 in". Centimeters (cm): number of centimeters followed by " cm" ex. 181 centimeters = "181cm"
Address -- Street 1: Street portion of the cardholder address.
Address -- City: City portion of the cardholder address.
Address -- Jurisdiction Code: State portion of the cardholder address.
Address -- Postal Code: Postal code portion of the cardholder address in the U.S. and Canada. If the trailing portion of the postal code in the U.S. is not known, zeros will be used to fill the trailing set of numbers.
Customer ID Number: The number assigned or calculated by the issuing authority.
Document Discriminator: Number must uniquely identify a particular document issued to that customer from others that may have been issued in the past. This number may serve multiple purposes of document discrimination, audit information number, and/or inventory control.
Country Identification: Country in which DL/ID is issued. U.S. = USA, Canada = CAN.
Federal Commercial Vehicle Codes: Federally established codes for vehicle categories, endorsements, and restrictions that are generally applicable to commercial motor vehicles. If the vehicle is not a commercial vehicle, "NONE" is to be entered.

OPTIONAL DATA ELEMENTS

Address - Street 2: Second line of street portion of the cardholder address.
Hair color: Brown, black, blonde, gray, red/auburn, sandy, white
Place of birth: Country and municipality and/or state/province
Audit information: A string of letters and/or numbers that identifies when, where, and by whom a driver license/ID card was made. If audit information is not used on the card or the MRT, it must be included in the driver record.
Inventory control number: A string of letters and/or numbers that is affixed to the raw materials (card stock, laminate, etc.) used in producing driver licenses and ID cards.
Alias / AKA Family Name: Other family name by which cardholder is known.
Alias / AKA Given Name: Other given name by which cardholder is known.
Alias / AKA Suffix Name: Other suffix by which cardholder is known.
Name Suffix: Name Suffix (If jurisdiction participates in systems requiring name suffix (PDPS, CDLIS, etc.), the suffix must be collected and displayed on the DL/ID and in the MRT). Collect full name for record, print as many characters as possible on front of DL/ID.
Physical Description - Weight Range: Indicates the approximate weight range of the cardholder:
0 = up to 31 kg (up to 70 lbs)
1 = 32 - 45 kg (71 - 100 lbs)
2 = 46 - 59 kg (101 - 130 lbs)
3 = 60 - 70 kg (131 - 160 lbs)
4 = 71 - 86 kg (161 - 190 lbs)
5 = 87 - 100 kg (191 - 220 lbs)
6 = 101 - 113 kg (221 - 250 lbs)
7 = 114 - 127 kg (251 - 280 lbs)
8 = 128 - 145 kg (281 - 320 lbs)
9 = 146+ kg (321+ lbs)
Race / ethnicity: Codes for race or ethnicity of the cardholder, as defined in ANSI D20.
Standard vehicle classification: Standard vehicle classification code(s) for cardholder. This data element is a placeholder for future efforts to standardize vehicle classifications.
Standard endorsement code: Standard endorsement code(s) for cardholder. This data element is a placeholder for future efforts to standardize endorsement codes.
Standard restriction code: Standard restriction code(s) for cardholder. This data element is a placeholder for future efforts to standardize restriction codes.
Jurisdiction specific vehicle classification description: Text that explains the jurisdiction-specific code(s) for types of vehicles cardholder is authorized to drive.
Jurisdiction specific endorsement code description: Text that explains the jurisdiction-specific code(s) that indicates additional driving privileges granted to the cardholder beyond the vehicle class.
Jurisdiction specific restriction code description: Text describing the jurisdiction-specific restriction code(s) that curtail driving privileges.

1 Executive Order 12866, Regulatory Planning and Review (Sept. 30, 1993), requires "significant regulatory actions," such as those costing over $100 million annually, to be assessed in terms of benefits, costs, and alternatives.

2 Id. at 10,845 (2006 dollars discounted at 7%).

3 National Conference of State Legislators, NCSL News: REAL ID Will Cost States More than $11 Billion (Sept. 21, 2006).

4 See 72 Fed. Reg. 10844-46 (Mar. 9, 2007).

5 This is permitted by OMB Circular A-4 when it is difficult to quantify and monetize the benefits of a rulemaking.

6 Data Privacy and Integrity Advisory Committee, U.S. Department of Homeland Security, Framework for Privacy Analysis of Programs, Technologies, and Applications, Report No. 2006-01 (Mar. 1, 2006).

7 Assumed delay from today until 6 months into the future. (Net present value at 3.5%/6 months interest.)

8 Department of Homeland Security, Regulatory Evaluation, Notice of Proposed Rulemaking, REAL ID at 130 (Feb. 28, 2007).

9 U.S. Const. amend. X.

10 New York v. United States, 505 U.S. 144 (1992).

11 72 Fed. Reg. 10,820 (Mar. 9, 2007).

12 E.O. 13132, Federalism (Aug. 4, 1999).

13 Id.

14 E.O. 13353, Establishing the President's Board on Safeguarding Americans' Civil Liberties (Aug. 27, 2004).

15 5 U.S.C. § 552a.

16 Id. at § 552a(m).

17 Office of Management and Budget, Privacy Act Implementation: Guidelines and Responsibilities.

18 44 U.S.C. § 3541 et seq. (enacted as Title III of the E-Government Act of 2002, Pub. L. 107-347).

19 44 U.S.C. § 3544(a)(1)(A).

20 U.S. Department of Homeland Security, Privacy Impact Assessment for the REAL ID Act (Mar. 1, 2007) (footnotes and italics omitted).

21 72 Fed. Reg. 10,825 (Mar. 9, 2007).

22 The NPRM left the door open for putting RFID chips in our identification cards in the future. See 72 Fed. Reg. 10,841-2 (Mar. 9, 2007). The DHS Data Privacy and Integrity Advisory Committee concluded recently that RFID is not well suited to the task of identifying people, at least at this stage in the technology's development. Department of Homeland Security, Data Privacy & Integrity Advisory Committee, The Use of RFID for Human Identity Verification, Report No. 2006-02 (Dec. 6, 2006). The Department has recently cancelled RFID-related projects. See Alice Lipowicz, DHS Tunes Out RFID, Washington Technology (Feb. 12, 2007).

23 72 Fed. Reg. 10,837-8 (Mar. 9, 2007).

24 Markle Foundation Task Force on National Security in the Information Age, Creating a Trusted Network for Homeland Security (Dec. 2, 2003). The main body of the report endorsed the finding of the Appendix unconditionally. See id. at 36.

25 National Commission on Terrorist Attacks Upon the United States (9-11 Commission), The 9/11 Commission Report (2004) at 390.

26 Intelligence Reform and Terrorism Prevention Act, Pub. L. No. 108-458, § 7212.

27 In general, this was the modus operandi of al Qaeda in the 9/11 attack.

28 As demonstrated by the "Carnival Booth" study, relevant information from watch lists is relatively easy to reverse-engineer. One must simply send an attacker through a checkpoint on a few "dry runs" to determine whether he or she is subject to different treatment. See Samidh Chakrabarti and Aaron Strauss, Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System, 6.806: Law and Ethics on the Electronic Frontier (May 16, 2002).

29 In general, this was the modus operandi of al Qaeda in the 9/11 attack.

Jim Harper

Committee on the Judiciary
United States Senate