Tech.gov: Real ID's Real Problems
Wednesday, October 11, 2006; 11:10 PM
More than a year has passed since the Real ID Act of 2005 became law. And in a little over 18 months, the first new driver's licenses mandated by the legislation are supposed to debut. That may seem like a long time, but given the issues that remain unresolved, it's not. Chief among the questions: Which machine-readable technology will the new IDs use?
The Department of Homeland Security, working with states and with Department of Motor Vehicles agents, was supposed to set up guidelines on this basic but critical topic. DHS Secretary Michael Chertoff testified before Congress in September that the agency was working on the project, but gave no sense of when the guidelines might be done, or what the standards for the technology will be.
Without knowing which technology to use, states can't even begin soliciting bids from firms to produce the cards. They can't finalize deals. They can't get delivery of product, install the new equipment, train their workers, or run trials to ensure that the system is free of glitches. All that takes time, especially considering that they're government processes. And these aren't the only things that need to happen before a national ID can be implemented.
A September report by a coalition of state governors and state legislative groups, along with representatives from the American Association of Motor Vehicle Administrators, confirms that states have no firm guidelines as of yet. The report goes on to cover many aspects of implementation that the Real ID Act itself leaves vague. The report's alarming conclusions include a projected cost for the project of about $11 billion--more than 100 times the $100 million Congress originally envisioned. Even if the new estimate is way off, we're still talking about total costs of an order of magnitude greater than the plan's backers have claimed.
The report makes some recommendations to the federal government, at least one of which seems difficult to contest: States need more time. I hope that the states do get time, and that all parts of our government use it wisely, not only to implement the new ID but to carefully consider its security safeguards. The California state legislature has taken a crack at the latter point, and has delivered a good set of principles that could work nationally.
The states' report focused primarily on the arguably more realistic cost estimates for the Real ID plan, but it also used them as a launching pad for discussions of several related, key issues. One of the most important is whether all states should be required to use the same machine-readable technology for their IDs. The states make some good points in favor of allowing multiple technologies, including the potential for cost savings, the ability to use best-of-breed technology that keeps pace with advances, and concerns that if only one technology is approved, criminals need crack only one system to be able to falsify documents nationwide.
However, part of the point of the legislation is to produce ID documents that can be read and used by agencies anywhere in the United States. If there were no national standard, every federal agency that requires the cards would have to maintain readers that were state-specific. Banks, which also would likely use the IDs, would need state-specific readers, too.
Can you imagine trying to get home from an out-of-state flight and having to wait while security staffers find the right reader for your home state? Or being told that to apply for a job in a new state you must first get that state's driver's license because your prospective employer can't read and verify your info from your current Real ID-compliant card? Or walking into a bank to open a new account because you've moved, and being informed that you can't do so because the bank doesn't support your former state's reader?
Organizations not related to the government could use Real IDs much the way they use driver's licenses now--that is, such organizations would look only at the visible printed information on your card, rather than reading its magnetic strip, RFID, or smart chip. That takes care of the multiple-reader problem for private companies, but does nothing for federal agencies--including those in charge of airport security--and other government groups that almost certainly would need to use the built-in electronic technology.
The cards are also meant to help control immigration and protect us against terrorists by verifying your information so that, for example, motor vehicle bureaus know you are who you say you are, that you don't have another valid license elsewhere, that you're not a wanted criminal, and that you have a right to be in the country. If you're in the United States temporarily, you're supposed to get a driver's license that expires when your visa does, or that must be renewed annually.
The DMV must verify your name, date of birth, social security number, residence, prior licenses, and immigration status before it issues a new license. The problem is, according to the states, only one of the several national databases that would allow state DMVs to check all that information is actually accessible to those DMVs.
Before the system could function, all government entities involved would have to get those other databases securely online, standardize on file formats and authentication procedures, and create the network and server infrastructure to store and shuttle all that data. All of it needs to happen so that, for example, Florida's DMV can ascertain which John Smith is applying for a new license, and can access the proper records in a timely fashion.