Tech.gov: Real ID's Real Problems
As the deadline for national identification cards approaches, questions about their true costs, privacy, and security remain unanswered.

Anush Yegyazarian, PC World
Wednesday, October 11, 2006 11:10 PM

More than a year has passed since the Real ID Act of 2005 became law. And in a little over 18 months, the first new driver's licenses mandated by the legislation are supposed to debut. That may seem like a long time, but given the issues that remain unresolved, it's not. Chief among the questions: Which machine-readable technology will the new IDs use?

The Department of Homeland Security, working with states and with Department of Motor Vehicles agents, was supposed to set up guidelines on this basic but critical topic. DHS Secretary Michael Chertoff testified before Congress in September that the agency was working on the project, but gave no sense of when the guidelines might be done, or what the standards for the technology will be.

Without knowing which technology to use, states can't even begin soliciting bids from firms to produce the cards. They can't finalize deals. They can't get delivery of product, install the new equipment, train their workers, or run trials to ensure that the system is free of glitches. All that takes time, especially considering that they're government processes. And these aren't the only things that need to happen before a national ID can be implemented.

A September report by a coalition of state governors and state legislative groups, along with representatives from the American Association of Motor Vehicle Administrators, confirms that states have no firm guidelines as of yet. The report goes on to cover many aspects of implementation that the Real ID Act itself leaves vague. The report's alarming conclusions include a projected cost for the project of about $11 billion--more than 100 times the $100 million Congress originally envisioned. Even if the new estimate is way off, we're still talking about total costs of an order of magnitude greater than the plan's backers have claimed.

The report makes some recommendations to the federal government, at least one of which seems difficult to contest: States need more time. I hope that the states do get time, and that all parts of our government use it wisely, not only to implement the new ID but to carefully consider its security safeguards. The California state legislature has taken a crack at the latter point, and has delivered a good set of principles that could work nationally.

The states' report focused primarily on the arguably more realistic cost estimates for the Real ID plan, but it also used them as a launching pad for discussions of several related, key issues. One of the most important is whether all states should be required to use the same machine-readable technology for their IDs. The states make some good points in favor of allowing multiple technologies, including the potential for cost savings, the ability to use best-of-breed technology that keeps pace with advances, and concerns that if only one technology is approved, criminals need crack only one system to be able to falsify documents nationwide.

However, part of the point of the legislation is to produce ID documents that can be read and used by agencies anywhere in the United States. If there were no national standard, every federal agency that requires the cards would have to maintain readers that were state-specific. Banks, which also would likely use the IDs, would need state-specific readers, too.

Can you imagine trying to get home from an out-of-state flight and having to wait while security staffers find the right reader for your home state? Or being told that to apply for a job in a new state you must first get that state's driver's license because your prospective employer can't read and verify your info from your current Real ID-compliant card? Or walking into a bank to open a new account because you've moved, and being informed that you can't do so because the bank doesn't support your former state's reader?

Organizations not related to the government could use Real IDs much the way they use driver's licenses now--that is, such organizations would look only at the visible printed information on your card, rather than reading its magnetic strip, RFID, or smart chip. That takes care of the multiple-reader problem for private companies, but does nothing for federal agencies--including those in charge of airport security--and other government groups that almost certainly would need to use the built-in electronic technology.

The cards are also meant to help control immigration and protect us against terrorists by verifying your information so that, for example, motor vehicle bureaus know you are who you say you are, that you don't have another valid license elsewhere, that you're not a wanted criminal, and that you have a right to be in the country. If you're in the United States temporarily, you're supposed to get a driver's license that expires when your visa does, or that must be renewed annually.

The DMV must verify your name, date of birth, social security number, residence, prior licenses, and immigration status before it issues a new license. The problem is, according to the states, only one of the several national databases that would allow state DMVs to check all that information is actually accessible to those DMVs.

Before the system could function, all government entities involved would have to get those other databases securely online, standardize on file formats and authentication procedures, and create the network and server infrastructure to store and shuttle all that data. All of it needs to happen so that, for example, Florida's DMV can ascertain which John Smith is applying for a new license, and can access the proper records in a timely fashion.

Not unreasonably, the states want to be responsible for verifying only the information they can access. If, for instance, they can't electronically connect with the immigration database when the IDs launch, the states shouldn't have to verify immigration information. Given the added time and cost required to verify the information via fax or, heaven forbid, snail mail, such an exemption seems to make sense. You could argue, though, that we'd be better off, and the Real ID program's goals better met, if agencies simply waited for all the pieces to fall into place before launching the new IDs.

Guidelines in the Real ID Act set up requirements for background checks on employees and for physical security standards at DMV facilities, for example (see my prior column on this topic for more detail). But the more crucial issue of security standards for the ID cards themselves is left vague and therefore up to the DHS, to DMVs, and to states to figure out.

Knowing that RFID is one of the technologies in strong contention for the cards (and is also set to be used in e-passports), and that the technology has raised security concerns, the California legislature in August passed the Identity Information Protection Act. Sponsored and supported by a variety of consumer advocacy groups, the bill laid out security standards for any state RFID-equipped card.

The mandated safeguards included making the cards tamper-resistant, encrypting the data, and requiring authentication of both the card and reader so that authorities could be sure a card was genuine and cardholders could be sure unauthorized people were not reading their information. Also required: mechanisms that let cardholders allow or block the wireless transmission of their ID's information in order to prevent tech-savvy snoops from tracking cardholders or gaining access to card information being broadcast. Another provision stated that cardholders had to be informed about how the agency issuing the card intended to use it, what information was being collected and stored any time the card was read, what the basic risks of the technology were, and which precautions were available to keep the card from being read remotely (either with or without the holder's knowledge).

California Governor Arnold Schwarzenegger vetoed the legislation at the end of September, saying he didn't want to put something on the state's books that might contradict the forthcoming national standards. He also expressed concern that the law would apply to an overbroad set of cards and that it imposed too many restrictions on state agencies, among other things. However, the bill could easily serve as a model for national IDs, since most of its provisions would apply to many different technologies that could be adopted.

Whichever technology is chosen, however the data gets verified, and no matter which methods are used to safeguard it, two things are sure: You and I will have to wait longer to get our driver's license, and it will cost us more--whether in federal or state taxes or in fees paid directly to the DMV.

The current plan dictated by the Real ID Act requires that states replace all IDs during a five-year period starting in May 2008. As the report by the states points out, because new documentation and verification will be required, the process will be like obtaining a new license all over again--no Internet or mail-based renewals will be allowed. All those in-person visits will take time, as will all the double-checking that the motor vehicle bureaus have to do before they issue new licenses.

Regardless of whose estimates are more realistic, the new systems, new training, and new cards will increase costs, not just for the DMV but for any agency that has to read the cards. It's obvious that you and I will foot that bill, one way or another.

© 2006 PC World Communications, Inc. All rights reserved