New Regulations Fail to Address Security, Privacy

New ID regulations will change driver’s licenses while putting millions of Americans’ personal information at risk.

It’s been nearly three years since Congress passed the REAL ID Act, which established federal standards for the issuance of state driver’s licenses and identification cards. Two weeks ago, the Department of Homeland Security finally published regulations to implement the law.

The government claims that the driver’s license “reform” measures required by the statute and regulations will help combat illegal immigration and generally protect national security, but it fails to acknowledge that the REAL ID Act seriously threatens privacy and civil liberties on a national scale.

Of particular concern is the Department’s flirtation with a central ID database. The final regulations, released Jan. 11, strongly support leveraging existing technology by expanding the central database for commercial drivers to include all drivers and state ID card holders—that is, virtually every American.

Following this path of least resistance fails to acknowledge the enormous security risks and potential for government and business abuse of a central ID database. Security experts agree that creating a “one stop shop” of highly sensitive personal information on millions of Americans, not just a relatively small pool of commercial drivers, is a bad idea. It would be an irresistible treasure trove for identity thieves, terrorists, and other computer criminals.

The law’s basic goal of making the driver’s license a more reliable assertion of identity is a good one. Setting minimum federal standards to make the issuance process more secure so that it’s tougher to get fake driver’s licenses or hold multiple licenses from different states is not unreasonable.

The ostensible purpose of a centralized repository of ID information is to enable states to more easily check whether new applicants already have a driver’s license from another jurisdiction, thereby ensuring “one driver, one license.” But this can be achieved without creating a central ID database that puts Americans’ privacy and civil liberties at risk.

Building a distributed system that stores ID information in different locations, such as state motor vehicle databases, makes more sense. Each state could check with other states for possible existing driver’s licenses without having to ping a central database, while also maintaining control over its residents’ data. This is technologically possible, especially if states have adequate funding to scale up their systems to handle the new incoming traffic.

Regardless of whether ID information is stored centrally or in separate databases that are accessible via a central portal, two equally important questions have yet to be addressed: Who would have access to the ID data and for what purposes?

Existing federal privacy and security laws would place some limitations on the federal government if the system were run by DHS or otherwise deemed a “federal” system. But these laws may still need to be bolstered in light of REAL ID.

If run by a private organization, as is the current commercial driver’s license database, federal privacy and security laws may not apply, nor would the much-touted, though still weak, Driver’s Privacy Protection Act, which only regulates how state motor vehicle departments disclose personal data to government agencies and commercial entities.

Thus no robust legal framework exists to protect the personal information that would be held in the centralized ID system envisioned by DHS from misuse by government and business. Allegedly, the Department of Transportation and other federal agencies already regularly access the privately managed commercial driver’s license database with virtually no oversight.

Neither the REAL ID Act nor the final regulations prohibit the recording of individuals’ transactions in the central ID database or the skimming of personal data from the card itself, both of which would facilitate intrusive tracking by the government and unsolicited marketing by commercial entities.

The law mandates that ID information be digitally stored on the card in a standardized format, but neither the law nor the final rules include encryption or other security requirements. There have been news reports in recent years that some businesses are already collecting personal data from driver’s licenses without patrons’ consent using commonly available readers. A national standard would make this even easier.

Supporters of the REAL ID Act shamelessly exploit contentious illegal immigration and homeland security issues as political cover for what could evolve into much darker and more invasive government uses. Legislation has already been introduced in the Senate and House to address some of these concerns.

State legislatures are also speaking out against REAL ID. Seventeen states have passed legislation rejecting REAL ID, and in 22 other states such legislation has either been introduced or has passed one chamber.

Ideally Congress should revisit the fundamentally flawed REAL ID Act. But if Congress doesn’t act to repeal the law or otherwise attempt a fix, DHS has a responsibility—and the statutory flexibility—to build strong privacy and civil liberties protections into future regulations to ensure that the implementation of REAL ID doesn’t do more harm than good.

The positions of American Progress, and our policy experts, are independent, and the findings and conclusions presented are those of American Progress alone. A full list of supporters is available here. American Progress would like to acknowledge the many generous supporters who make our work possible.

Just released!

Interactive: Mapping access to abortion by congressional district

Click here