REAL ID Final Rules - The Makeup Doesn’t Hide the Pig

As mentioned in the previous post, the Department of Homeland Security (DHS) released its final rules for the REAL ID program on Friday, January 11. Last May USACM submitted comments on the proposed rules released in March 2007, and while some of the comments we submitted have resulted in changes to the rules, the program is still fundamentally flawed. Any improvements to the security of driver’s licenses are - contrary to DHS opinion - outweighed by the risks to privacy and security of people’s personal information. Most of the changes in the final rule address operational concerns and do not go far enough to ensure that this program can be effectively implemented.

The final rule (cut into two parts for no particular reason) can be read online, along with the press release announcing the final rules.

The changes most reported in the press deal with a new schedule for issuing the REAL ID. States were obligated to start issuing REAL ID-compliant licenses and identification cards (which I’ll refer to as REAL IDs) in May of this year. States can apply for exemptions to delay implementation. Under the new schedule, those born in 1964 or later must receive REAL IDs by 2014, and those born earlier than 1964 will have until 2017. The phased implementation is intended to ease the burden on state license bureaus, and the cutoff was determined by an analysis of document fraud at the Transportation Security Administration (TSA). Apparently most of those committing this fraud are 50 years or younger. Whether such age analysis will ever be applied to the TSA watch lists is unclear.

The changes with respect to privacy and security have not received much attention from the press, but they should. While there have been some useful changes, the final rules still lack significant detail, incentive, and sanctions to help ensure behavior consistent with best practices for privacy protection and securing large databases. Given the disappointing track record of DHS in implementing privacy protections, this is a big concern. Representative Bennie Thompson (D-MS), Chair of the House Homeland Security Committee, noted as much in his letter chastising the final rules.

DHS disagreed outright with our argument that the program actually increases the risk of identity theft. If the documents are made more secure - the "gold standard" - the reliance placed on them makes them more attractive to thieves, increasing identity theft carried out by stealing or compromising a REAL ID.

They did agree with us that the Machine Readable Zone (MRZ) on the REAL ID will not be encrypted, citing the challenges of making an encrypted MRZ accessible to law enforcement across the country. They did allow for revisiting this issue should technology change to the point where encryption becomes more feasible.

That said, DHS is very concerned about third-party use of the information in the MRZ - also called skimming. This would take place - hypothetically - if a bar scans and stores the information in a REAL ID MRZ when checking the age of the REAL ID holder. Such skimming can be difficult to detect unless the third party turns around and spams the REAL ID holder with marketing. Unfortunately, the final rule is silent on how such skimming could be controlled.

There are a couple of database choices that are problematic at best. One of the possible templates for the national system to query the state databases about a person’s REAL ID status is the Commercial Driver’s License Information System (CDLIS). CDLIS is a relatively small national database. While it is meant to check whether drivers hold CDLs in other jurisdictions - a natural fit for a similar system for REAL IDs - it is far smaller than a national REAL ID system would need to be. Any scaling up of databases leads to problems, as USACM member Peter Neumann testified last June during a hearing on the e-Verify system for verifying employment eligibility.

Speaking of which, DHS has recommended that states utilize e-Verify to verify employment eligibility (a backdoor check on lawful immigration status) for those applying for REAL IDs. As Dr. Neumann testified at length, there are significant problems with scaling up e-Verify to a national level - additional problems with access control, operability and practicality that do not arise when it is operated at a smaller scale. Demanding that e-Verify conduct checks for both employment and REAL ID applications will likely overload the system, prompting crashes and making a challenging implementation process a bureaucratic nightmare.

The Department agreed to issue a set of Privacy and Security Best Practices, built on the Fair Information Principles and Federal Information Security Management Act (FISMA) standards, to help guide the States in protecting the information collected, stored, and maintained pursuant to the REAL ID Act. However, the list of elements intended for the set of practices is vague:

Issuing a clear and understandable privacy policy to each card holder
Providing individual access and correction rights for card holders
Specifying the purpose for collecting personally identifiable information in the privacy policy and limitation of the use to those purposes
Limiting the information collected for those purposes
Limiting disclosure of the information except to a governmental agency engaged in the performance of official responsibilities pertaining to law enforcement, the verification of personal identity, or highway and motor vehicle safety, or a third party as authorized under the Driver’s Privacy Protection Act
Requiring data quality standards and security safeguards to protect against loss or unauthorized access, destruction, misuse, modification, or disclosure
Performing a Privacy Impact Assessment (PIA) to identify and analyze how personally identifiable information related to implementation of the REAL ID Act is collected, used, maintained, and protected
Establishing accountability for compliance with the State’s privacy and security policies to ensure that these best practices are fully implemented

While the nature of this program requires a fair amount of deference to the states, we believe that should not include deferring to weak privacy standards. The REAL ID Act does not pre-empt state laws (which is how many states are opting out of the program), which allows standards to sink to the level of the weakest state.

DHS has also called for states to include security standards and access controls as part of their operational plans for REAL ID. Again, they fail to list specifics, deferring to the states for standards, while presenting the REAL ID as obligatory because of the ‘official purposes’ for which only a REAL ID will be accepted (where a driver’s license is required). The changes in the final rule do not redeem the flaws and defects in REAL ID.

http://usacm.acm.org/usacm/weblog/index.php?p=564