Friday, February 29, 2008

Government Fails to Enforce Privacy on New IDs

Before I get to a really well done op-ed by Leslie Harris of the Center for Democracy & Technology on the privacy concerns posed by the REAL ID Act let's do a quick review on what's happening in the states.

In 2007, six states -- Maine, Montana, New Hampshire, Oklahoma, South Carolina and Washington -- took the step of passing laws refusing to comply with the federal law because of the costs, federal imposition on state practice and the potential threats to individual privacy.

While the U.S. Department of Homeland Security said it cannot compel states to follow the law, non-compliant driver's licenses cannot be used as ID to board commercial airplanes or enter federal buildings after May 11, when the act takes effect.

Montana, South Carolina and Maine are currently the only three states whose residents won't be able to use their driver's licenses to board aircraft after the May deadline. Those three have failed, so far, to file for an extension giving them another 19 months - until January 2010 - to start verifying the identities of driver’s license applicants.

For a rundown of what's happening in all the states, check out the

Now to the article by Leslie Harris:

The goal of the Real ID Act, to make the driver's license a more reliable form of identity, is a good one. Setting minimum standards to ensure that the process of getting a driver's license is more secure and making it tougher to fake a driver's license isn't unreasonable; however, almost everything else associated with this program is.


Simply put, there are no privacy rules. States are simply encouraged to follow a set of "best practices" for protecting privacy. But there are no consequences if states choose not to do so and thus no guarantees that the personal information collected for Real ID won't be used for a variety of state and even federal uses, populating and repopulating numerous government databases and easily available to businesses and other interests.


While the government disavows the notion that Real ID will quickly become a national ID card, the failure to provide privacy rules and limitations on secondary uses gives lie to that assertion. Indeed the ink is not yet dry on the new regulation, and the department is already speculating on a variety of other government purposes for which a Real ID card may be required, such as buying cold medicines that contain ingredients used to create methamphetamines. And Congress has already thrown around proposals that would require a Real ID for employment or to receive federal housing benefits.

At the end of the day, the Real ID regulations leave open the strong possibility that we will soon have a centralized ID database, one housing a wealth of personal data on virtually every American citizen. While the current DHS rules haven't made a decision one way or the other, DHS makes clear that it strongly supports the use of a centralized database for purposes of Real ID.


If the DHS and states choose to go that route, the security risks are enormous; the potential for abuse by government and business are mind-bending. A central database containing that much information creates an irresistible target for identity thieves, terrorists or other computer criminals, not to mention unscrupulous government employees.

Click here to read the article in its entirety.

No comments: