Computer security specialist Bruce Schneier has several useful and important things to say about this legislation. But first...
Note the sloppy, off-target and destructive actions the US has taken -- internally and externally -- as part of its *War on Terror*: rounding up thousands of Arab men on suspicion of...something, creating mostly cosmetic security changes at airports, passing laws that expand the power of government to, when you remove the bullshit justifications, harass already harassed people (mostly immigrants), launching two invasions that have created even greater mayhem than previously existed and now, close to passing from fevered dream to law, a de facto national ID card that will only make millions of lives tougher while failing to perform the security function (or anti-illegal immigrant defense shield effect) clueless legislators claim.
As Chris Doss reminds us from time to time, Jihadis are bad dudes so counter measures are obviously needed. But in this, as in all things, there are smart ways of proceeding and dumb ass ways. So far, all I've seen is mega-sized dumb-assedness.
Are we all now (and I'm addressing the non US based list members now) completely over the myth of US super competence and polished modernity?
.d.
....
[URL references from the original hypertext links are numbered and posted at the bottom.]
Schneier on Security
May 09, 2005
REAL ID
The United States is getting a national ID card. The REAL ID Act (text [1.] of the bill and the Congressional Research Services analysis [2.] of the bill) establishes uniform standards for state driver's licenses, effectively creating a national ID card. It's a bad idea, and is going to make us all less safe. It's also very expensive. And it's all happening without any serious debate in Congress.
I've already written about national IDs. [3.] I've written about the fallacies [4.] of identification as a security tool. I'm not going to repeat myself here, and I urge everyone who is interested to read those two essays (and even this [5.] older essay). A national ID is a lousy security trade-off, and everyone needs to understand why.
Aside from those generalities, there are specifics about REAL ID that make for bad security.
The REAL ID Act requires driver's licenses to include a "common machine-readable technology." This will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom. It actually doesn't matter how well the states and federal government protect the data on driver's licenses, as there will be parallel commercial databases with the same information.
Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver's licenses. I expect the federal government will require states to do this, with all of the associated security problems [6.] (e.g., surreptitious access).
REAL ID requires that driver's licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police -- even undercover police officers. This seems like a major unnecessary security risk.
REAL ID also prohibits states from issuing driver's licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses -- which isn't going to help anyone's security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)
REAL ID is expensive. It's an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I've seen estimates that the cost to the states of complying with REAL ID will be $120 million. That's $120 million that can't be spent on actual security.
And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver's licenses, the security measures recommended by the 9/11 Commission Report. That's already done. It's already law.
REAL ID goes way beyond that. It's a huge power-grab by the federal government over the states' systems for issuing driver's licenses.
REAL ID doesn't go into effect until three years after it becomes law, but I expect things to be much worse by then. One of my fears is that this new uniform driver's license will bring a new level of "show me your papers" checks by the government. Already you can't fly without an ID, even though no one has ever explained how that ID check makes airplane terrorism any harder. I have previously written [7.] about Secure Flight, another lousy security system that tries to match airline passengers against terrorist watch lists. I've already heard rumblings about requiring states to check identities against "government databases" before issuing driver's licenses. I'm sure Secure Flight will be used for cruise ships, trains, and possibly even subways. Combine REAL ID with Secure Flight and you have an unprecedented system for broad surveillance of the population.
Is there anyone who would feel safer under this kind of police state?
Americans overwhelmingly reject national IDs in general, and there's an enormous amount of opposition to the REAL ID Act. This is from the EPIC page [8.] on REAL ID and National IDs:
More than 600 [9.] organizations have expressed opposition to the Real ID Act. Only two groups--Coalition for a Secure Driver's License [10.] and Numbers USA [11.] --support the controversial national ID plan. Organizations such as the American Association of Motor Vehicle Administrators, National Association of Evangelicals, American Library Association, Association for Computing Machinery (pdf), National Council of State Legislatures, American Immigration Lawyers Association (pdf), and National Governors Association are among those against the legislation.
And this site [12.] is trying to coordinate individual action against the REAL ID Act, although time is running short. It's already passed in the House, and the Senate votes tomorrow.
If you haven't heard much about REAL ID in the newspapers, that's not an accident. The politics of REAL ID is almost surreal. It was voted down last fall, but has been reintroduced and attached to legislation that funds military actions in Iraq. This is a "must-pass" piece of legislation, which means that there has been no debate on REAL ID. No hearings, no debates in committees, no debates on the floor. Nothing.
Near as I can tell, this whole thing is being pushed by Wisconsin Rep. Sensenbrenner primarily as an anti-immigration measure. The huge insecurities this will cause to everyone else in the United States seem to be collateral damage.
Unfortunately, I think this is a done deal. The legislation REAL ID is attached to must pass, and it will pass. Which means REAL ID will become law. But it can be fought in other ways: via funding, in the courts, etc. Those seriously interested in this issue are invited to attend an EPIC-sponsored event [13.] in Washington, DC, on the topic on June 6th. I'll be there.
source -- <http://www.schneier.com/blog/archives/2005/05/real_id.html >
URL References.
1. http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.418:
2. http://www.eff.org/Activism/realid/analysis.pdf
3. http://www.schneier.com/crypto-gram-0404.html#1
4. http://www.schneier.com/crypto-gram-0402.html#6
5. http://www.schneier.com/crypto-gram-0112.html#1
6. http://www.schneier.com/crypto-gram-0410.html#3
7. http://www.schneier.com/crypto-gram-0502.html#1
8. http://www.epic.org/privacy/id_cards/
9. http://www.aila.org/contentViewer.aspx?bc=10,911,1002,9166
10. http://www.securelicense.org/site/PageServer
11. http://www.numbersusa.com/hottopic/0125sensenbrenner.htm
13. http://www.epic.org/events/id/savethedate.html