Bruce Schneier's Criticisms of the Real I.D. Act:
Instapundit, Eschaton, Dan Solove and others have linked to Bruce Schneier's case against the Real ID Act, an Act that among other things will require the states to meet certain standards for their state drivers' licenses. I am tentatively against the Act, as I don't see exactly what problem it will solve. At the same time, I wasn't terribly impressed with Schneier's criticisms, which struck me as heavy on rhetoric but rather weak on analysis.

  The most controversial aspect of the Real ID act seems to be the list of items that a driver's license must have:
(1) The person's full legal name.
(2) The person's date of birth.
(3) The person's gender.
(4) The person's driver's license or identification card number.
(5) A digital photograph of the person.
(6) The person's address of principal residence.
(7) The person's signature.
(8) Physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes.
(9) A common machine-readable technology, with defined minimum data elements.
In particular, the controversial provisions are (6) and (9). Element (6) apparently would require driver's licenses to contain actual addresses, instead of P.O. Boxes or other mail drops, and (9) would apparently require that cards retain data much like your credit card retains its number, so driver's licenses could be "swiped" instead of manually checked.

  Specifically, here are Schneier's three primary arguments against the Real ID Act:
[Element (9)] will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom.
  But why should we assume that? If a bar or other business told me that I had to let them swipe my license to buy something or enter the store, I would go elsewhere. I imagine most other people feel the same way. Perhaps making the information more easily accessible would change information collecting practices, but that's a case that has to be made. (I recognize that invoking ChoicePoint is a good scare tactic, but I would be interested in a careful analysis of why Schneier thinks ID cards would be used this way rather than his insistence that we should just assume it.)
Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver's licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).
  The problem is the law doesn't require the use of RFID. The fact that RFID could be used in lieu of a swipe card doesn't mean that it would have to be used, and I imagine most people would much prefer the use of a familiar swipe card instead of RFID. Schneier doesn't explain why he expects RFID would be used.
REAL ID requires that driver's licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police — even undercover police officers. This seems like a major unnecessary security risk.
  I appreciate Schneier's concern for our nation's judges and police officers, but I don't understand the source of it. Undercover police officers don't carry around their real IDs anyway, and if they do it's a police badge, not a driver's license. And I'm unaware of judges or police officers as a whole being concerned about the security risks of having their home addresses on their licenses. (I would imagine that the overwhelming majority have their home addresses on their licenses now.)

  As I said up front, I am tentatively against the Act. I agree with Dan Solove that it should be debated carefully, not passed as a rider on a military spending bill. But if there is a slam dunk case against the Act, I don't think Bruce Schneier has made it.

  I'm not sure if this is something readers will want to comment on, but I'll enable comments just in case.
Kevin Murphy (mail) (www):
I note that ATM cards are machine-readable, and even carry an encrypted version of the PIN. Countless ATM card readers are installed in all kinds of establishments. Yet PIN theft via card readers is not happening.

My real problem here is that Schneier *KNOWS* all this and also knows a dozen obvious methods to secure these cards' information from electronic harvesting. This could have been very constructive criticism, but instead it's partisan argument.

He's right about RFID and passports, though. Not that it bears one whit on this....
5.10.2005 12:53pm
Kieran (mail) (www):
But why should we assume that? If a bar or other business told me that I had to let them swipe my license to buy something or enter the store, I would go elsewhere. I imagine most other people feel the same way.

I imagine you are wrong. I mean, it's an empirical question, to be sure. But my intuition is that there's a lot of inertia/take-it-as-you-find-it with this sort of thing, once it's in place. People are already asked for ID all the time. They already hand their credit cards to strangers all the time. So handing your ID to be swiped isn't going to feel like such a big step. It's similar to the way people threatened to stop going to bars and restaurants in CA and NYC if smoking bans were introduced, but after the fact there was no discernible drop in business. The ChoicePoint example isn't just a scare tactic. Once they're in place, databases like this are always susceptible to abuse in large or small ways. The shocking way that people's credit histories are managed isn't very encouraging.
5.10.2005 1:03pm
Al (mail) (www):
I note that ATM cards are machine-readable, and even carry an encrypted version of the PIN. Countless ATM card readers are installed in all kinds of establishments. Yet PIN theft via card readers is not happening.

Sorry, that's not true. Unregulated ATM's in delis, convenience stores, etc. are becoming a favorite tool for identity thieves. There was a large bust in Boston just yesterday. Here's another case from Long Island a few days ago.
5.10.2005 1:11pm
I can definitely see widespread swiping. Probably under the auspices of preventing ID theft in order to make sure that the ID is legitimate.

Sort of like grocery store POS systems that require the clerk to key in a date of birth for anyone purchasing liquor in order to proceed with the sale -- even if it is a 90 year old lady. Instead of keying in the DOB, just a swipe of the ID. Grandma probably won't even know all the info on her that is being captured.
5.10.2005 1:19pm
John B:
I imagine you are wrong. I mean, it's an empirical question, to be sure. But my intuition is that there's a lot of inertia/take-it-as-you-find-it with this sort of thing, once it's in place.

Based on anecdotal evidence, I'm with Kieran on this one. As a recent college student in upstate NY, I can report that many of the bars that cater to the college crowd have scanning machines which the bouncers use to verify drivers' licences that are given to prove age. This is presumably a response to police pressure to reduce their number of underage customers. Not all bars scan IDs, and I saw no sign that bars which don't become more popular (at least with the >21 crowd).

I think this demonstrates that most people don't prioritize privacy concerns over convenience, which is more immediately gratifying. College students may be especially unreflective, one might say -- but of course, those college students will be accustomed to handing over their ID and having it scanned in all sorts of circumstances, which risks becoming an unquestioned norm as time goes on.

To me, this suggests that ordinary consumer preferences are not powerful enough to protect our privacy.
5.10.2005 1:21pm
Joshua Hosseinof:
I note that ATM cards are machine-readable, and even carry an encrypted version of the PIN. Countless ATM card readers are installed in all kinds of establishments. Yet PIN theft via card readers is not happening.

"Sorry, that's not true. Unregulated ATM's in delis, convenience stores, etc. are becoming a favorite tool for identity thieves. "

I believe that what he meant was that merely swiping an ATM card cannot get you the PIN. If you fool the owner into swiping his card and typing in the PIN on the fake ATM machine, then you can get the PIN.

But back to the issue at hand here - in my opinion it is perfectly reasonable to require that all states use a common format for the encoded data on drivers licenses.

How many people go through the airport screening process each day and present their drivers license as proof of identity, and do the screeners ever use the encoded information on the back of the drivers license to verify that the license is authentic? They don't use the encoded data because each state has come up with their own standards. NY and NJ drivers licenses are different - NJ uses a 2D bar code while NY uses a magnetic strip and 2D bar code. There's no way they could handle 50 different encoding standards.
5.10.2005 1:25pm
ggould (mail):
The biggest headache of all of this will be the requirement that state DMVs must personally verify by phone call to the issuing authority the four forms of ID that you have to present.

I don't know if I have four forms of ID, and I just know that half these phone calls will go wrong one way or another (misspelt name on the gas bill, tenants with utilities in the landlord's name, long-since-lost birth records, etc.)

And why for driving? What does driving have to do with all of this? I find myself wondering if states will create new "motor vehicle operations certificates" to handle licensing drivers without the trouble of vetting everything for the national ID card.
5.10.2005 1:30pm
Adam W (mail) (www):
To add to Kieran's comment, I think an empirical analysis of department stores shows how people would react to having to show their license before entering a business. Most big stores like Nordstroms, Macy's, Marshall Fields, Saks, etc. all ask for phone numbers with your purchase. I rarely see or overhear anyone deny this request. There may be a bit more annoyance with having to fish out a driver's license, but that's not much different than just being asked for your credit card.

Also, an especially attractive group for advertisers, 18-24-year-olds, are also much more likely to be willing to give up their driver's license if it means getting into a club or bar. Have you ever seen the lines at those places?
5.10.2005 1:31pm
These initiatives will increase convenience and security (at airports, for example) without compromising privacy more than it is already. And they should make police more productive (minimal data entry to issue a citation, fewer errors, better checks for outstanding warrants) while improving accuracy (fewer false arrests due to confusingly similar names).

Finally, in my area at least, nobody obviously over 30 is ever asked for ID for alcohol purchases. For common-sense reasons, clerks can enter an "obviously over 21" code.

State legislatures could (and should and probably will) ban non-governmental scanning of driver license data.
5.10.2005 1:33pm
Seamus (mail):
"Most big stores like Nordstroms, Macy's, Marshall Fields, Saks, etc. all ask for phone numbers with your purchase. I rarely see or overhear anyone deny this request."

Well, I for one resent being asked, and if I don't object I usually give them the number 202-456-1414 (the main switchboard at the White House).
5.10.2005 1:37pm
I agree with Schneier because once the technology becomes practical, it will be seen by the MADD types as a way to police underage drinking and smoking. Imagine every patron in a bar being automatically carded by an RFID with any underage person's name and picture displayed on a screen behind the bar. I hate the idea, but I hate the 21 drinking age. RFID solves the problems of reading IDs in low light and crowded conditions.
5.10.2005 1:38pm
Seamus (mail):
"And why for driving? What does driving have to do with all of this? I find myself wondering if states will create new "motor vehicle operations certificates" to handle licensing drivers without the trouble of vetting everything for the national ID card."

Exactly! Driver's licenses should be for the purpose of confirming that the holder is qualified to drive a car on the highways of the issuing state. If Uncle Sam wants a national ID, he should have the gumption to do so openly, rather than hijacking the state governments to do it for him. (Remember when the Republicans were the ones opposed to unfunded mandates on state governments?)
5.10.2005 1:39pm
Brian B:
There is no question swiping will happen and people will neither notice nor care. John B is correct about college bars using machines to validate cards -- and since I've seen more than one fake ID rejected by the machine, an effective tool.

Moreover, don't think for a second it will be confined to shady college bars trying to keep the underage kids out. My wife is frequently employed to monitor ID checking compliance at major retailers (Fortune 500 grocery and drug stores). She's under 30 and paid to see if she is asked for an ID when she purchases alcohol (better they fail to ask her for ID than an actual ABC employee). The employee succeeds if they type your information into the keypad or swipe your ID. They choose to swipe the ID about 25% of the time.

If this swipe allowed access to personally-identifying information it would be a goldmine for these retailers. Combined with store discount cards they would have no problem drilling down into you personally, and sharing that data as they see fit. At least you can make up the data on the store discount card...
5.10.2005 1:40pm
The biggest headache of all of this will be the requirement that state DMVs must personally verify by phone call to the issuing authority the four forms of ID that you have to present.

Statements like these are among the biggest problems with the debate over REAL ID. There is nothing in the bill that requires verification to be made via telephone call. In fact, the bill is silent as to the method of verification, it merely states that verification is required to be performed prior to issuing a license or ID card.

Another point that is often overlooked, though not by people here, is that this bill, based on a plain reading of its text, will eventually apply to everyone, regardless of "immigration" status. There is no grandfather clause or any waiver available. So even if you have had a license in the same state for 50 years you will still have to present documents to the MVA/DMV in your state at least once prior to renewing your license. Currently there are several states, 10 or so I think, that permit renewal by mail or other "speedy" renewals. Not anymore, those laws would appear to be inconsistent with the requirements of REAL ID, thus, states that have had reduced loads due to renewal by mail or internet will have to deal with all of those people if this law is enacted.

Finally of potential legal significance, where is the 10th amendment discussion in all of this? Reading New York v. US and Printz v. US, one can't help but wonder if this law doesn't conscript or commandeer state legislative and executive powers in a manner inconsistent with the 10th Amendment's protections of state sovereignty.
5.10.2005 2:10pm
Al Maviva (mail):
Nothing in REAL ID differs substantially from a similar measure enacted in the Intel Reform Bill, with the exception of section 202(c)(2)(b), which states that such driver's licenses may only be issued to persons legally in the United States, or pending adjustment of status to a legal status. The initial legislation provided for a handful of elements to be included on all licenses, but REAL ID adopts around 12 -- elements that probably would have been adopted via rulemaking, given that the state motor vehicle administrators association was advocating those more detailed elements as part of a model driver's license program anyhow. The difference w/r/t elements, is that the elements are being spelled out in legislation, rather than being left to the judgment of the Executive Branch.

Where was Atrios when the Intel Reform Bill was passed? Probably shouting that the government wasn't enacting the 9/11 Commission recommendations fast enough, I'd guess. I'd submit that the only reason the leftosphere is upset about REAL ID, is that it prevents illegal aliens from getting driver's licenses.

One other thing. This isn't exactly a heavy-handed federal commandeering of state interests. REAL ID doesn't mandate that the states comply -- it says only that the licenses from states that do not comply, will not be valid for federal identification purposes. That makes it an interesting end run around Printz, and it does take it out of the category of laws that clearly violate federalism principles.
5.10.2005 2:15pm
Gary Imhoff (mail) (www):
It's a reasonable and valid assumption that if the card is available its presentation will be widely demanded and used. In Washington, DC, I must sign in and show my driver's license at almost all large buildings, both governmental and commercial, to get entrance. My cable company (Comcast) has demanded that I provide my Social Security number before it will discuss a billing problem over the telephone -- and when I have refused to provide it they have refused to continue the conversation. What are my options, if I need to get to an office in a building or need cable Internet or television service?

The use of Social Security numbers as identification is roughly equivalent to the use of a secure Real ID card. Nobody should do it -- but unless it is explicitly forbidden by law it will be done. And the convenience of swiping a machine readable card means that its use will be widespread -- to make a purchase, to get a drink in a bar, or to get into an office building.
5.10.2005 3:05pm
Duncan Frissell (mail):
Since there are several hundred thousand people in the US at any given time who are ineligible for drivers licenses or state IDs (because they are non-residents), I doubt that people can be forced to use DLs for other ID purposes. I've never had my passport rejected as ID.

Foreign tourists and visiting US expats will continue to be welcome in the bars and restaurants of the US and anyone concerned with their privacy can claim membership in that group.

As for resident addresses; between "roommates", "relatives", "the Homeless", temporary residents of motels, and residents of rural areas without home delivery of mail anyone who cares to can dodge the address requirement.
5.10.2005 3:19pm
Ed Felten (mail):
If "swipe card" means a standard credit-card type of magnetic stripe, that won't work. Credit-card magstripes hold about 130 bytes of data, which isn't nearly enough for the required textual information plus digitized photo.

To hold enough data, states will probably have to use 2D barcodes, or smartcards, or RFID. Each has its disadvantages.

Storing the data in digital form allows the state to digitally sign the stored data, which prevents some types of forgery. Private organizations can take advantage of these anti-forgery benefits only if they scan or swipe the card. So even private organizations that don't want to gather databases will have an incentive to read licenses digitally rather than by eye.

There is a decent slippery-slope argument that RealID will lower the cost of license-scanning technology, thereby fostering the collection and storage by private parties of information about citizens. That is probably one source of Schneier's worry.
5.10.2005 3:28pm
Thanks, Ed. Is it required that the card have the digital photo available for swiping? I'm not sure the statute as written requires that; if the photo isn't required, then I gather it can fit on a magstripe.

Can you explain the forgery concern a bit more?
5.10.2005 3:50pm
Two unrelated comments: First, you don't have to be an undercover policeman to want your home address to remain private. For example, my sister is a physician, and she has to be extremely careful about giving out information that might give away her home address or telephone number. Otherwise, she's opening herself up to daily harassment from disgruntled, mentally ill or substance-addicted patients. That would also mark her home as a likely place that thieves could find a (genuine) prescription pad, which would be worth a significant sum to someone who had an addiction to painkillers, etc. In my own experience, I had a young man stalking me for a period of about six months; he got my address by pilfering my personnel file from work, but an ID card would have done as well. Coming home to find my place vandalized repeatedly for half a year made me much more cautious about who gets my personal info— even if I'm not an undercover cop.

Second, as far as "what does driving have to do with this?"... if a driver's license (the card) is not tightly bound to the identity of the human being presenting it, then it's useless as proof of approval to drive (or anything else). It would be only a piece of plastic showing that "somebody" is authorized by the state of (wherever) to drive. Every state requires photos, which are a simple form of human-readable biometric, if you will. Whether that should be augmented, and by what means if so, is the question.
5.10.2005 4:02pm
Teresa (mail) (www):
In the "why driver's license" question. The first reason is that most people in this country have a driver's license therefore you have a built in database already established by each state. Secondly, people who don't have a driver's license would be obliged to get themselves a state id card with the same identifying information as the driver's license possesses. So, even if you don't drive, you would need an id card of some sort. It's thought that the REAL ID would then be used for many more things than currently require an id.

My question is - will they consolidate the databases into one? I am and have been against that - completely. Having all the info in one place just makes things easier for hackers to steal the information. And considering how poorly the government seems to perform in the area of computer security (last time I heard the department of Homeland Security had gotten an F for their computer security) it makes me even more uncomfortable to think it would all be gathered together for easier pickings.

Also, someone mentioned people over 30 not being carded... WRONG! I will admit my age as over the mid 40's mark and I was carded at a downtown Chicago bar just a few weeks ago. Nothing personal... I don't look 21 (for that matter my daughter is 25!!!) they just card everyone. So, yes there are places who will card everyone - at some point I assume a swipe card or RFID would be the method of giving them all my information...

No - in the long run, I realize that most of the information about me is out there for anyone to gather who wants to work at it... the point is making them work to get it all - not putting it all in one place to make it easy.
5.10.2005 5:26pm
What information would be on this ID that is so "private"? Name, height, weight, DOB. My question: Who cares if that information is "harvested"?
5.10.2005 5:39pm
There are dry counties/precincts in Texas (my state) where a "club membership" is required to drink in that establishment (yea Texas liquor laws!). These places have been swiping Texas driver's licenses for at least 5 years to verify age and then print out a "membership application." Once signed, that person is on file as a "member of the club," and a swipe of the card is then all that's required to gain admittance. Fortunately, Austin is wet so I don't have to swipe my DL everywhere I go. You'll also note that bars in Austin don't tend to have the machines for reading the cards even though they could use them to verify age. I guess the cost is just too high.

I'm not sure where this info goes in the RealID debate. It's just FYI.
5.10.2005 5:42pm
Bill Harshaw (mail) (www):
Unfortunately the U.S. doesn't have a rational debate about identification, security, and data privacy. Since we don't and won't, I say:

* we should be doing away with the social security number, not further embedding it into our systems (Unlike other data it often serves both to identify and authenticate the person, which violates good security logic.)
* the implementation of Real ID should be flexible. The Federal govt. has guidelines for e-authentication that agencies are in the process of implementing, but that seems to be a separate line of discussion/development from Real ID. It's going to be expensive to implement both; we ought to be doing them logically.
* RealID ought to include restrictions on the state databases, including provisions for audit trails and transaction logs, encryption of data, provision for review and access.
5.10.2005 6:14pm
Michelle Dulak Thomson (mail):
Speaking as one who hasn't had a driver's licence for well over a decade (nor a CA ID — never got around to getting one), and who has used her passport for all ID purposes ever since, I do wonder why this is being dumped on the states at all. We already have a national ID, available to all citizens who can prove they are citizens. Why not just use that for hiring, security, &c. purposes?

(Though, unlike Duncan, I have had retailers occasionally balk at my passport when they asked for ID, mostly because they were running cash registers on which the clerk has to enter the DL number. Having sat on the non-customer side of the counter at some of those machines, I sympathize. The worst are the ones that only give you a set number of spaces to fill in — the length of a CA DL number. The passport number is, obviously, rather longer . . . )
5.10.2005 6:44pm
As the ID offers convenience to proprietors, its use will become more accepted by consumers, and eventually ubiquitous. At that point, the ID becomes a way of tracking the day-to-day and moment-to-moment movement of individuals.

Like credit cards, what begins as a convenience quickly becomes mandatory for those wishing to participate in society.

The idea that this will not happen is, frankly, and with all due respect to Mr. Kerr who I greatly admire, ignorant of history, business, and human nature.

It is the natural inclination of commercial proprietors to accumulate information, to impose "security" restrictions, and to co-mingle the two.

This is why websites at which I am required to register ask for my birthday and zipcode and oodles of other information not necessary to verify my credit card. They ask for a phone number even if they swear both never to call and never to sell the information.

Colleges and office buildings are replacing metal keys with electronic key cards, of lower cost and greater convenience to all involved. And why not keep track of who's sleeping in whose dorm and taking what breaks while they're at it; if the information exists, why not collect it?

Search bags on entry to baseball stadiums; even if it's pointless to deter terrorism, it at least ends that pesky problem of people paying $1.75 instead of $6 for Pepsi.

Swipe-on-entry will begin, I suspect, in five places. Bars, of course. (At the moment, those scanners verify only that the ID is real, they cannot read its contents - but who'll notice the change?) Jewelry stores and other retail establishments that already have very high entry security. And retail establishments that serve the poor, where pilferage is high and the clientele is used to terrible treatment. (Check out the Fulton St. Mall in Brooklyn sometime.) Government buildings. And firearms sellers, as more efficient mandated enforcement of federal background check laws. (Not that I'm against that; I'm not.)

From there it will spread generally to retail establishments with significant "shrinkage" problems. Department stores and clothing retailers and so forth.

It will become a convenience-card replacing others to thin bulging wallets. Why should Duane Reade pay the 10 cents to manufacture its own reward cards when they can just use the ID? At the same time, buildings (schools, businesses, apartment complexes) that would be switching to their own RFID cards will instead switch to the Real ID cards. Why should the customer have to carry an extra card?

From there, ubiquity. Perhaps we use the cards to identify credit and bank account holders rather than separate credit cards. All of the information in all of the databases is now easily linked on the Real ID number. And we're no longer a civil or free society.

Some number of parole jumpers or sex offenders will be caught through their use of the cards. Some state or town or county will mandate its use at all points of entry, the better to protect the good citizens within from ne'er do wells from without. Perhaps regions will go on lockdown, requiring use of the cards at ports of entry only after Amber Alerts?

I think people who aren't deathly afraid of this are misunderstanding the impact that it's had in places that have done it. It reeks of the Russian internal passport system.
5.10.2005 6:46pm
Schneier's primary argument against the Real ID act is that it "effectively creat[es] a national ID card." He has "written about the fallacies of identification as a security tool" in the past. Read the links he provided.

WRT Ed Felten's comment on forgery:
Encoding information in a digital format on the license and then cryptographically signing it makes it more difficult for people to manipulate the information on their license without detection. So I can peel open my license, and change my date of birth to make it appear that I am 22 instead of 16. You may not be able to detect this change just by looking at the license, but when you scan/swipe it you will be able to determine my age from the bar code (which I was not able to manipulate because of the cryptographic protection). Hence, if you are concerned about forgery (or if you want to appear concerned) you will scan/swipe the license.

Note that different states have different combinations of magstripe, 1D, and 2D barcodes with varying information. Some of this information is cryptographically protected, and some isn't. Here's a site with more detailed information:
5.10.2005 8:12pm
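The forgery check described in the comment above, together with the magstripe capacity Ed Felten mentions earlier in the thread, as an added example that is not part of the original thread. The field layout, sample record, dates and 2,000-byte photo size are constructed for illustration, and Ed25519 is an assumed stand-in for whatever signature scheme an issuing state would actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// MagstripeBytes is the credit-card magstripe capacity quoted in the thread.
const MagstripeBytes = 130

// License holds the textual data elements; the photo is not part of this record.
type License struct {
	Name, DOB, Gender, Number, Address string
}

// Encode serializes the fields in a fixed order so issuer and scanner see
// identical bytes. The "|" layout is hypothetical, not a real licence format.
func (l License) Encode() []byte {
	fields := []string{l.Name, l.DOB, l.Gender, l.Number, l.Address}
	for i, f := range fields {
		fields[i] = strings.ReplaceAll(f, "|", " ") // keep field boundaries unambiguous
	}
	return []byte(strings.Join(fields, "|"))
}

// Result is the outcome of scanning a card.
type Result int

const (
	Valid        Result = iota // signature good, printed face matches signed data
	BadSignature               // machine-readable data was altered or not issued by this key
	FaceMismatch               // signed data is genuine but the printed face disagrees
)

// NewIssuerKey creates the issuing state's key pair (constructed for the example).
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue is the state's side: sign the encoded record with the private key.
func Issue(priv ed25519.PrivateKey, l License) (payload, sig []byte) {
	payload = l.Encode()
	return payload, ed25519.Sign(priv, payload)
}

// Check is the scanner's side. It needs only the public key: verify the
// signature first, then compare the printed date of birth with the signed one.
func Check(pub ed25519.PublicKey, payload, sig []byte, printedDOB string) Result {
	if !ed25519.Verify(pub, payload, sig) {
		return BadSignature
	}
	parts := strings.Split(string(payload), "|")
	if len(parts) != 5 || parts[1] != printedDOB {
		return FaceMismatch
	}
	return Valid
}

// FitsMagstripe reports whether record, signature and photoBytes of image
// data fit within MagstripeBytes.
func FitsMagstripe(payload, sig []byte, photoBytes int) bool {
	return len(payload)+len(sig)+photoBytes <= MagstripeBytes
}

// SampleLicense returns a constructed record for a 16-year-old in 2005.
func SampleLicense() License {
	return License{"Jane Q. Sample", "1989-03-14", "F", "D1234567", "1 Example St, Springfield"}
}

func main() {
	pub, priv := NewIssuerKey()
	lic := SampleLicense()
	payload, sig := Issue(priv, lic)

	// Untouched card: printed face and signed data agree.
	fmt.Println("genuine card:          ", Check(pub, payload, sig, "1989-03-14") == Valid)

	// Printed face altered to look 22, barcode untouched: the scan shows the real date.
	fmt.Println("altered face detected: ", Check(pub, payload, sig, "1983-03-14") == FaceMismatch)

	// Barcode rewritten as well: the old signature no longer covers the data.
	forged := lic
	forged.DOB = "1983-03-14"
	fmt.Println("altered data detected: ", Check(pub, forged.Encode(), sig, forged.DOB) == BadSignature)

	// Capacity: text plus signature versus text, signature and a small photo.
	fmt.Println("fits without photo:    ", FitsMagstripe(payload, sig, 0))
	fmt.Println("fits with 2000 B photo:", FitsMagstripe(payload, sig, 2000))
}
```

Neither alteration is visible to someone who only looks at the card, which is the incentive to scan that both comments describe.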
Greg TD (mail):
Prosecutors who have done cases with nasty people often get a non-home address put on their Driver's Licenses.
5.10.2005 8:59pm
Robert West (mail):
Duncan - I *have* had my passport rejected as ID. By a grocery store when I was trying to buy beer.

They claimed they couldn't take passports as ID because they had no way to verify that it was a real passport.
5.10.2005 9:01pm
There's no real-world guarantee that people will keep living at whatever address they submit when they apply for a D.L., so there's no good reason to demand anything but a legitimate mailing address--so that the D.L. authority will know where to send the new card. Used in that way, the address would be self-validating--anyone applying for a card would have to give an address good for a few weeks at least--long enough to check out their other credentials like birth certificate. I propose a simple but effective test for the true need for a residence address: why not let a citizen put just a mailing address on his/her D.L., with the "residence" address held in confidence by the DMV retrievable only by a search warrant (not an administrative subpoena or national-security-letter)? The residence address could be used for fraud checks at D.L. issuance, the police could get it by showing probable cause to a judge, but casual license inspectors would not get it. We all know that the bureaucrats driving this thing consider that unacceptable, but why?

This "real residence address" part of the requirements is the subtle but really dangerous part of the bill. The half-smart anti-fraud wonks want it to check whether it correlates with the other info you give, to assess the probability that your application is fraudulent. In the real world of millions of applications processed by dullwitted DMV clerks that simply won't work. The police want that address so they can go there at 3:00 AM to arrest you, and if you aren't there, they can add "felony D.L. fraud" to the charges against you. But the likes of ChoicePoint want it the most--they will use that address for cluster analysis. It really screws up the statistical models they use for targeted marketing when your D.L. address (which they get either from the DMV or from one of those taverns swiping your license) says you live in "Yuppie Heaven" when you really live in "Below Dirtbag." I would bet money that the cluster-analysis people are driving the address requirement with the security and police folks just along for the ride. But as people keep pointing out, it's dangerous to the D.L. holder to give out his residence address to everyone who sees that card or accesses that record. Who wants a visit from any stalker who can bribe a convenience-store clerk?
5.10.2005 9:21pm
Bruce Hayden (mail):
I was first made aware of the information that is found on most drivers' licenses today when I was living in Austin almost a decade ago. A friend was trying to sell bars on equipment that could be used to swipe drivers' licenses from most states that included name, birthdate, and address. Turns out that some of the clients also used this later for mailing.

My last 3 or 4 driver's licenses have had personal information encoded on them. My current Colo. license has it both magnetically and optically. It appears to have pretty much everything that the Real Id Act requires. When I moved back to CO three years ago, and reacquired a CO driver's license, I was surprised when they required a street address. In the past, I had only needed a mailing address - which is more important there anyway, as they don't have mail delivery. Indeed, as the street address is a condominium in a town full of condos where they are identified by name, and not address, I didn't know the street address. Worse, I got it out of the phone book, and got it wrong. Close enough that they could find me if they needed to, but still technically wrong. So, my driver's license now has both - a p.o. box and a street address.
5.10.2005 11:23pm
Charlie (Colorado) (mail):

[Element (9)] will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom.
But why should we assume that?

Because unless we assume that, we can't assume there will be any greater security in the use of these licenses than in the standard ones. The greater authentication strength of the license lies entirely in its ability to be verified in real time.
5.11.2005 12:11am
George Turner (mail) (www):
I wouldn't mind the secure ID, but see no need for it to directly encode an address, which often changes rather rapidly anyway. I think just encoding the city and state would be sufficient for most purposes, with the driver's license number allowing police to pull up the detailed address, if need be.

That would mostly eliminate worries about companies using the information for mailings and databases.

As for the worries about RFID technology on passports, I think any type of RFID chip should remain electrically shorted (dead) until the cover of the passport is opened.
If it's still in your pocket, it can't be read by eye or RF reader.
5.11.2005 12:35am
anonymous (mail):
The best argument on why having more swipe-IDs leads to worse security is this:

It makes people feel like they've got security. But in reality, they'll do even less than they do now to check that you MATCH your id. All they will do is test if the ID is valid--id valid, good. Whether or not you LOOK like your ID will be unaddressed. This is already what happens at department stores, convenience stores, etc. IDs are swiped for validity for buying cigs/alcohol in CA, MN, and many other states already.

Every time we increase the amount of ways that information is kept in data bases, we increase the amount of ways that that information can be stolen by people. We see this all of the time with dbs that contain SSNs, medical records, billing records, etc. There will be no way to prevent that information from being collected, stored, sold; no way to stop it from being ILLEGALLY collected, stored, and sold.

What problem does this solve? That's the real issue. I don't mind a national ID--I've already got two. But I mind identity theft and mechanisms that simplify it.
5.11.2005 1:00am
Ben Coates:
A standard, machine-readable ID card will make forgery vastly easier. Creating an altered ID card that will fool someone who looks closely takes a lot of work, but once an ID can be authenticated by scanning a magstripe or barcode, all you need to do is fool the machine--the clerk or bouncer will assume that the ID is fine if he hears the beep.

Forging a barcode is trivial, magstripes are almost as easy, and even if the Real ID system uses a cryptographic signature system to prevent altering the data, you can just copy a valid number verbatim off someone else's ID.
5.11.2005 1:10am
Guido (mail):
I think there are more important provisions in Section 102 of the Real ID Act (H.R. 418) that need airtime.

First, the section allows the Secretary of Homeland Security to waive any law if it is deemed necessary for the expeditious construction of border barriers.

Second, and more importantly, it prohibits judicial review of such waivers and bars judicially-ordered compensation, injunction, or other remedy for damages as a result of a waiver.

Isn't anyone concerned that judicial review is at stake here?
5.11.2005 8:27am
Mad Anthony (mail) (www):
REAL ID requires that driver's licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police — even undercover police officers. This seems like a major unnecessary security risk.

So if everyone had to use their home address, except for an exception for undercover cops, wouldn't one automatically know that someone with a PO Box on their driver's license was an undercover cop?
5.11.2005 8:54am
Al Maviva (mail):
Guido, Congress is allowed to restrict the scope of judicial review. Moreover, in policy questions regarding border integrity or immigration enforcement, the courts generally defer to Congress and the Executive Branch's judgment. How exactly do you see the restriction on judicial review of border enforcement policy, as a threat to judicial review at large?
5.11.2005 9:32am
Guido (mail):
Hello Al Maviva.

I might not be as concerned with Congress restricting the scope of judicial review if they'd likewise restrict the powers of the Secretary of Homeland Security.

Abuse and manipulation by government becomes a real concern when any law can be waived without recourse.
5.11.2005 10:04am
Mark Draughn (mail) (www):
What information would be on this ID that is so "private"? Name, height, weight, DOB. My question: Who cares if that information is "harvested"?

In that case, please post your full legal name, date of birth, gender, driver's license or identification card number, address of principle residence, and links to digitized versions of your photograph and signature. Thanks.
5.11.2005 11:22am
TomCS (mail):
This is a fascinating discussion, seen from the UK, where we expect the re-elected government to have another go at enforcing a national ID card (and more significantly a database behind it) for the first time, because post 9/11, the police and security services would like it. We are not even required to carry DLs and insurance documents when we drive, and our SSN equivalent is issued with little or no effort to establish identity, leading to massive multiple registration fraud.

The big fallacy is however that securer ID formats increase certainty that the holder is entitled to that identity. That doesn't matter much if all you need are documents to support daily life, to drive, get employment, pay taxes, and access social and medical services. If you live coherently as John Doe, address, biodata, etc will be enough, and it does not matter if you were previously AN Other, or Jane Doe (or have been relocated under witness protection). The ID supports a real identity.

Verifying entitlement to that identity is a very different issue. The quality of the ID itself is irrelevant: the issue is the standard of verification, and the quality of the original documents produced to justify it. If one of the objectives is to deny ID to anyone not a legal resident, that would at first sight mean production of the original "family history" documents, such as birth, and marriage certificates, migration status documents, etc. How easy are these to falsify? Or to fraudulently acquire legitimate copies of (some may recall the scenario in Frederick Forsyth's Day of the Jackal)? Will the issuing staff be competent to assess the validity of a dog-eared manuscript certificate from some rural parish?

If not, the process will only serve to grandfather many false identities, and as noted in other posts generate whole new profitable areas of fraud and deception.
5.11.2005 12:19pm
David Nishimura (mail) (www):
On a more mundane note, what would happen if the magnetic strip on your license wore out? I routinely wear out the strip on my most-used credit cards before they expire; I rather doubt that one could get a new driver's license with the same ease as a replacement credit card.

I also discovered a while back that cards can be demagnetized by sitting in the same pocket as a ringing cell phone. And many are aware that cards can be similarly zapped by being laid down on the counter above the electromagnets that deactivate theft alert tags.

Would a license with a worn-out or demagnetized strip still be considered valid? That is, would bars etc have the right to reject it as proof of identification? Considering what a pain it is to replace a lost license as is, I don't like how this might be shaping up . . . .
5.11.2005 12:31pm
Eric Wilner (mail) (www):
I've had some further thoughts regarding digital signing:
First of all, any public-key crypto system needs some provision for revoking a public key if the private key may have been compromised.
For digitally-signed transient messages, any message signed with a given private key, and received after the corresponding public key has been revoked, is treated as a forgery. Simple enough, and receipt of the message provides a reasonably good time stamp.
What do you do about durable messages? Suppose the DMV's private key is, or may have been, compromised. OK, the DMV needs a new key pair for future licenses, and any license signed with the old key and bearing a date after the key change is clearly a forgery.
But how do you keep forgers from backdating forged licenses? Seems to me, you'd have to revoke the old public key entirely, and re-issue every freakin' license that was signed with it!
This opens up new possibilities for disruption: any time there may have been a leak at the DMV, everyone needs a new license. Fun, fun, fun!
5.11.2005 2:13pm
jacob (mail):
Don't all you "good people" ( I just love to borrow phrases from our president, such a way with words) this is the mark of the beast. Says so in the "good book". That's why I'm agin it.
5.11.2005 2:26pm
Opher (www):
Orin wrote: "I am tentatively against the Act, as I don't see exactly what problem it will solve." The fact is there is one major problem this solves - that homeland security is no better than the weakest point in any system.

The 19 hijackers of 9/11 had over 50 valid drivers' licenses among them. Multiple aliases, multiple states, etc. That is how terrorists have been able to move around this country with little or no fear of being caught.

Is the bill perfect? No, there is plenty of room for improvement. Are there other security issues that need to be addressed? Yes, hundreds of miles of them along our borders. But this all had to start with the first step.

Also, keep in mind what happened in Florida this past election cycle, when it was reported that many 'snow birds' were registered to vote in Florida and received absentee ballots from their home state. With any luck, the Real ID Act will cut down on these double-dippers by allowing them to have only one drivers' license.
5.11.2005 5:15pm
fling93 (www):
I'll second all the concerns about swiping becoming the norm. All of these could be addressed while still achieving the security aspects of a national ID by merely designing the card to verify instead of identify. In other words, the card would not contain any personal information of you other than the minimum required to verify that you are who you say you are. Last year, Wired discussed an example of how this could be done.

Basically, the card could use something similar to private/public key encryption. The card would contain your public key, and your fingerprint would be the private key. Swiping the card would cause it to create a digital signature that could be verified against your thumbprint, proving that the card is yours and that it's valid. This would protect privacy as long as the fingerprints weren't stored in a central database, but I'm not sure how that would be ensured. Maybe by making all of the card-reading terminals open-source or something.

I might be wrong on this interpretation, but that was my understanding.
5.11.2005 5:20pm

If the card is using something analogous to public key encryption (I'm not sure quite how that would work, but whatever) then:

1. There's no need for a central database. The fingerprint authenticates the data on the card, which is matched to something human-readable on the face of the card.


2. You haven't gained _any_ defense against the tracking issue whatsoever. Why? Because whatever is stored on the card is _still_ a number that can be recorded and used to tie together multiple uses of the card. Then, all that would be needed is a single database that has recorded a card swipe as well as separately collected personal info, and you're back at the same place.

It's important to segregate out the numerous privacy issues implicated by Real ID.

One is that it requires disclosure of "personally identifying information", i.e., one's real mailing address.

But the other - and I think it is the vastly more serious one (at least for us lawyers whose addresses are public record anyway) is that by retaining the card swipe information and combining databases, it is possible, first, to track an individual's physical movements, and second, to tie those movements in with other personal data such as spending habits.

There's a multiplier effect of personal information. It's one thing to know that I live in zipcode 10282. (This tells you that I'm either a banker, a lawyer, a child or a domestic employee). And it's one thing to know I work downtown, or get my haircut in Chelsea. It's a completely different thing to know, with some gaps, where I've been at each moment of the day over the past year and how much I've spent at each location, what bars I frequent and for how long, and how often I pick up a package at the post office.

The location data and the ability to merge those databases with each other and other regularly collected personal information - that's the threat.
5.11.2005 9:01pm
Sarah Lai Stirland (mail) (www):
In my mind, the question is why a new law is needed when a process to create better drivers licenses was already underway at the Department of Transportation, in which all the stakeholders had a say in the development of the id.
5.11.2005 9:16pm
fling93 (www):
2. You haven't gained _any_ defense against the tracking issue whatsoever. Why? Because whatever is stored on the card is _still_ a number that can be recorded and used to tie together multiple uses of the card. Then, all that would be needed is a single database that has recorded a card swipe as well as separately collected personal info, and you're back at the same place.

As I understood it, the swipe wouldn't get the key, but just ask the card to encrypt a short message. The card would use its key to encrypt the message and the card reader would only get the encrypted message back, not the key itself. And then if your fingerprint/private key successfully decrypted the message, you've been verified without giving up your identity.

That you don't need a central database is one of the plusses, as I see it. Again, I'm not sure how to prevent the reader from keeping a history of all the fingerprints, but as long as there's no database of fingerprints (and there doesn't need to be one for this to work), maybe that won't matter.
5.11.2005 9:54pm
Robert Schwartz (mail):
I suppose that some of you worrywarts don't have listed telephone numbers, conduct all your transactions in cash, move every year or two, buy pre-paid cellphones from different providers and post to this blog from anonymous sites. I don't.

My current Ohio Drivers License has all of the elements required by the new law, except the machine readable portion (it has a magnetic strip, but I don't think it works). It doesn't bother me, indeed it is a real convenience to have and I would want it or something like it even if it were not required to drive.

In any event, I do not think that this law creates a real problem because it does not invade privacy; it only limits anonymity.

I think there is a useful distinction to make between privacy (the right to not walk around naked and to not be observed at home, the 4th amendment and similar concepts) and anonymity. I am very skeptical that the concepts are the same or overlap.

I think that privacy should be protected, but that anonymity is a historical anomaly that does not deserve protection. My heuristic for distinguishing between privacy and anonymity is to imagine a pre modern village. In the middle of the village is a marketplace where old ladies sat, sold vegetables and gossiped betimes.

You were born in the village, lived there and probably never went more than a few miles away. The old ladies in the marketplace knew who you were, where you lived and the identities of all of your ancestors and kin. They also knew whether you liked broccoli, whether you paid your bills on time and if you were charitable to the poor. You were not anonymous, but they had no way of knowing what you did in private.

In the 19th century, cities began to grow so large that most people began to live in places where they were anonymous. This was a historical anomaly.

Now, anonymity has its uses, especially if you want to commit a fraud or a crime or overthrow the government. And many people began to enjoy anonymity, especially among radical political groups who dreamed of the "Revolution," that final redemption from history.

In the 21st century, the electronic data processing revolution has begun to dispel the fog of the 20th century city that engendered anonymity and create a new global version of that ancient village square. It is not of itself evil, it is merely a return to the common condition of mankind. Revolutionaries and their sympathisers are deprived of a useful tool and the world is not yet redeemed, but for most of us life will go on as it always had.
5.11.2005 10:48pm
Ed Felten (mail):
The forgery issue I mentioned above is, as Sean says, that traditional licenses can be forged by manipulating paper, ink, and plastic; but digital information, digitally signed by the state, can only be forged by somehow compromising the state's cryptographic key.

Orin asks whether the statutory language requires the photo to be stored digitally. I'm not sure how to interpret the language on this point. It doesn't say explicitly that the photo must be stored digitally, but the list of required elements on the license includes "a digital photograph of the person". (None of the other required elements says "digital".) Perhaps "digital photograph" means a photo taken on a digital camera. But why would anyone care what kind of camera was used to take the photo, if it only ends up printed out on a paper license? The alternative interpretation, that "digital photograph" means a photo stored in digital form on the license, seems just as plausible.

In any case, there are good security reasons to make the photo digital. If the photo is only printed on the license, then old-fashioned forgers can put Bob Badguy's photo onto Ike Innocent's license, and Bob can impersonate Ike with impunity. Verifying the state's digital signature on Ike's license information doesn't help, since the forger only modified the photo, which by assumption isn't covered by the digital signature. Having a single digital signature that covers the photo and the other information serves to tie the photo to the other information.

Regarding the discussion of cryptographic alternatives, verify-but-don't-identify schemes, and so on: There are many complicated tradeoffs in designing a national ID system. There's a very nice National Academy report on this, at pub_nationwideidentity.html.
5.12.2005 4:52pm
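The signature points raised in this thread by Ben Coates, Eric Wilner and Ed Felten, worked through as an added example (it is not from any commenter, the Act, or a real DMV system): what a verifier's signature check does and does not establish. Toy textbook RSA stands in for whatever scheme a state would use, and the record layout, names, dates and photo bytes are all constructed.

```python
import hashlib
import json

# Toy textbook-RSA key from two known Mersenne primes. Constructed for this
# demo only: unpadded and far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # the issuer's private exponent

def digest(fields):
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N

def sign(fields):
    return pow(digest(fields), D, N)

def verify(fields, sig):
    return pow(sig, E, N) == digest(fields)

def signed_fields(data, photo, cover_photo):
    """The fields the signature covers; the photo hash is optional."""
    fields = dict(data)
    if cover_photo:
        fields["photo_sha256"] = hashlib.sha256(photo).hexdigest()
    return fields

def issue(data, photo, cover_photo):
    sig = sign(signed_fields(data, photo, cover_photo))
    return {"data": dict(data), "photo": photo, "sig": sig}

def check(card, cover_photo):
    return verify(signed_fields(card["data"], card["photo"], cover_photo),
                  card["sig"])

# Constructed sample record (hypothetical values).
IKE = {"name": "Ike Innocent", "dob": "1970-01-01",
       "number": "X0000000", "issued": "2005-03-01"}
IKE_PHOTO, BOB_PHOTO = b"constructed-photo-ike", b"constructed-photo-bob"
KEY_RETIRED = "2005-06-01"  # hypothetical date the old key was replaced

def photo_swap_accepted(cover_photo):
    """Felten: a swapped photo is caught only if the signature covers it."""
    card = issue(IKE, IKE_PHOTO, cover_photo)
    card["photo"] = BOB_PHOTO
    return check(card, cover_photo)

def verbatim_copy_accepted():
    """Coates: an unmodified copy verifies; the signature says nothing
    about who is holding the card."""
    return check(dict(issue(IKE, IKE_PHOTO, True)), True)

def date_cutoff_accepts(card):
    """Policy Wilner questions: trust the old key for earlier dates."""
    return check(card, True) and card["data"]["issued"] < KEY_RETIRED

def backdated_record_accepted():
    """Wilner: whoever holds the leaked key also chooses the signed date,
    so a date cutoff cannot separate old genuine cards from new forgeries."""
    record = {**IKE, "name": "Bob Badguy", "issued": "2005-01-15"}
    return date_cutoff_accepts(issue(record, BOB_PHOTO, True))

if __name__ == "__main__":
    print("photo swap accepted, photo not covered:", photo_swap_accepted(False))
    print("photo swap accepted, photo covered:    ", photo_swap_accepted(True))
    print("verbatim copy accepted:                ", verbatim_copy_accepted())
    print("backdated record passes date cutoff:   ", backdated_record_accepted())
```

The two results that stay true even with full coverage show why the signature has to be paired with a check that the bearer matches the signed photo, and with a revocation plan that does not rely on a date inside the signed data.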
A couple of points, one technical and one anecdotal:

1) Any tricky authentication scheme that allows verification without tracking requires a SMART CARD, namely a card with a microprocessor that can perform mathematical functions on demand. With a smart card, an ID could be created to mathematically enforce different public policy goals such as giving up all information (only to government) and verifying age (to anybody) without giving up a signature that can be tracked. That is not the case with the REAL ID act, which only requires dumb storage (for now) and demonstrates one of the benefits given up by not having a real discussion on the bill. In addition, it doesn't look like there is any legal enforcement of the uses of this information in the bill, so we're kinda screwed on both ends.

2) The swiping of IDs into private databases is a real problem here in San Francisco, and has caused me to stop frequenting several bars. Unfortunately, those bars still seem to be quite busy to me. Privacy is exactly the kind of situation where the market does not properly protect the individual, especially when there is no legal requirement to inform individuals how their information will be used. Perhaps, in a situation where the bouncer (for example) had to inform each patron "I am going to enter this information into our database, and it can be sold, and we'll spam you, etc..." the market would react properly, but it is much more likely that a lack of understanding and the decoupling between the decision (giving your ID to the clerk) and the downside (receiving junk mail a month later) will cause most people to shrug whenever asked for their "papers".

If only there was a mechanism where people could band together to make rules to protect individuals who do not always have sufficient information to make an informed choice. Hmm, I would call that "representative government"...
5.13.2005 3:24am
Half Sigma (www):
"Driver's licenses should be for the purpose of confirming that the holder is qualified to drive a car on the highways of the issuing state."

And I thought the REAL purpose of the driver's license was to make it easy for the police to give you a traffic ticket.
5.13.2005 4:00pm
Pete (mail):
I repoed cars during the 1990's and as a courtesy to the police, so they wouldn't file stolen car reports, we would check in with them and let them know when we had snatched a particular vehicle. Invariably, they would take a photocopy of my driver's license to document who had physically taken the car. A lot of times in small towns the police are quite friendly with the locals, including deadbeats, and because of that I used a PO Box on my license. No sense in giving out my home address to irate ex-car owners.
5.13.2005 9:14pm