Thread: Support H.R.220 - Common Sense About Identity Theft & RE

Real I.D. is a Real pain says Alabama
Tuesday, August 5, 2008, 8:54 pm, by AxXiom

The fact that Alabama is complying with this is sad. Now 10 states have refused with LA being the latest to join the Real ID Rebellion.

Gov. Schweitzer of Montana brought Chertoff up short months ago by inviting him to go on 60 Minutes to discuss the issue further. Cherty is shy and took a pass on the invitation.

AxXiom

Real ID may cost Alabama $16.3 million

http://www.montgomeryadvertise...

Complying with a federal law that creates national security standards for state-issued identification might leave Alabama with a bad case of sticker shock.

It's estimated it will cost the state more than $16.3 million to reach full compliance with the federal Real ID Act and maintain it for five years, according to a special report from the Department of Examiners of Public Accounts.

Alabama, like every other state, has until Dec. 31, 2009, to meet 18 initial milestones, which include requiring people to prove where they live, and verifying their legal status and Social Security numbers. To be in full compliance by May 2011, they must meet 21 additional milestones.

About $10 million is needed to cover the cost of issuing IDs, creating a data management system and maintenance, according to the report. The Department of Public Safety would need another $6.6 million for more staff, additional facilities and security upgrades. But where that money would come from is a mystery.

State Sen. Wendell Mitchell, a member of the executive committee of the Southern Legislative Conference, said Real ID was a hot topic at a recent National Conference of State Legislatures summit he attended.

The more than $130 million that the federal government has appropriated since Real ID was passed "is only a drop in the bucket for what it will cost all 50 states to comply," said Mitchell, a Democrat from Luverne. "I think the figure to comply is so unrealistic for most states, particularly Alabama, with the crisis we're in."

Nine states have taken formal steps to reject Real ID. Alabama isn't one of them, and Gov. Bob Riley has made it clear that the state won't become one of them. To that end, the state has applied for more than $8 million in federal grant money. It has received less than $1 million.

Martha Earnhardt, a Department of Public Safety spokeswoman, said the lack of specific funding isn't going to stop the state from producing secure state-issued IDs. It might, however, make it difficult to comply with the law.

"We can't anticipate what might be available, so we will continue to pursue any and all sources of funding for implementing Real ID," she said. "Certainly there are some questions that the state is going to have to answer in terms of funding this program."

State Rep. Cam Ward, R-Alabaster, said if the answer includes making states scrape together money for an unfunded mandate, Alabama should say "no."

"This is a typical example of the federal government issuing an unfunded mandate with all these punishment provisions," said Ward, who sponsored a joint resolution opposing the federal act. "It's easy for them because the federal government can run a deficit. State governments have to have a balanced budget."


http://www.freeople.com/blog/real-id-a- ... abama/1096

Real ID: Montana’s Rebellion

August 5th, 2008 12:02 pm | by Mike Miller | Published in Activism, Big Government, Civil Liberties, Constitution, DownsizeDC.org, Liberty, Politics, REAL ID, law | Comment

D o w n s i z e r - D i s p a t c h
Quote of the Day:

“Do you want our government to have the ability to track where you went, how you went, how you got there and when you got home? It would be naïve for someone to think this information will not be abused in the future. Virtually every decade these kinds of files have been used to violate people’s privacy.â€

Ban biometric data collection by DMV

I want to express my thanks to the North Carolina lawmakers who introduced legislation to oppose the unfunded federal mandate known as the Real ID Act. Most are not aware that North Carolina is already fully compliant with Real ID and even bragged about it this February at a Transportation Oversight Committee meeting.

Our legislators, however, need to take a careful look at the bill introduced and need to stop the DMV from collecting and storing our personal data and biometric images.

I have worked in the information technology field for more than 10 years and I don’t care how “safeâ€

August 8, 2008
DMV license photo won't be required for religious group
Stored image is 'mark of the beast' to religious leader
A handful of people who believe digitized photos on state driver's licenses could be the beginning of the biblical "mark of the beast" will receive special licenses from the Division of Motor Vehicles today.
By Tom Searls
Staff writer

A handful of people who believe digitized photos on state driver's licenses could be the beginning of the biblical "mark of the beast" will receive special licenses from the Division of Motor Vehicles today.

Phil Hudok, a Randolph County teacher who previously refused to enforce school rules requiring students to wear bar-coded identification badges because it violated his religious beliefs, will be one of the first.

"We're a Christian, nondenominational scripture-believing group," Hudok said.

Hudok, pastor Butch Paugh and 12 others met with DMV Commissioner Joseph Cicchirillo in 2006 about the perceived problem. At the time, state officials were getting ready to comply with the federal Real ID Act of 2005, which would have forced states to share information about licensed drivers with other states.

Under the plan Cicchirillo established, Hudok and other followers of Paugh will be allowed to have their license photos taken at the Capitol DMV office and then removed from the computer system. DMV will maintain a hard copy of the pictures at the main office.

"What these people objected to was the digital image," Cicchirillo said.

The federal act also requires personal information, such as birth dates and driving records, in the system. "All the other information stays there," the commissioner said.

He said there has been no outpouring of people objecting to the digital photos.

"Right now, I have three or four people who have requested it for religious reasons," he said. "I think what they told me was it had to do with the mark of the beast."

He called the effort a "pilot project" and said the DMV has committed only one camera in the state for it. There has been no cost to the state.

"The only reason we're trying it is these people's religious beliefs and they don't want their pictures stored," he said.

Hudok, who was fired by the Randolph County Board of Education and then ordered reinstated with back pay by the courts, is a physics teacher who now teaches at Pickens School. His religion has no church and members meet in Summersville and Huttonsville each week for Bible study.

The Bible's book of Revelation describes the beast system and "mark of the beast," warning that numbering people signals the arrival of the Antichrist.

He calls it a battle between "states' rights" and "the federal dictatorial government."

"We see us getting closer and closer to the mark of the beast," he said.

If the Real ID program continues in the future, Hudok believes not only will it affect a person's ability to legally drive, but to be able to catch a plane or open a bank account.

"They haven't defined what the limits will be on the Real ID," he said.

Cicchirillo said those limits might never be known, since a number of states objected - many on the basis of costs - and Congress changed the implementation date to 2010.

"[Congress] may change it, adjust it or implement it," he said.

The Real ID Act would establish national standards for state-issued driver's licenses and ID cards. Some call the new driver's licenses national ID cards because they require the approval of the secretary of Homeland Security. The secretary would have the power to require additional details on state driver's licenses.

Each license or ID card would include a person's name, address, signature, date of birth, gender and a digital photograph of the person's face. Applicants also must submit more documentation for identification purposes than most states now require.

Each state also must share its database with all other states. Some groups, including the American Civil Liberties Union, have opposed the idea.

Hudok contends that the digital photos give people's "unique facial" qualities and will do more to identify people than fingerprints.

He also objects to school photos, saying companies that take the pictures are sending them to the national database of the Amber Alert program, which deals with finding missing children.

"My children won't even have yearbook pictures taken," he said.

He said the Randolph County photos were sent to Morgantown and entered into the national database. Federal officials are trying to "ease this on" people and plan to begin taking side views of children, too.

That, he said, is being done quietly "because they don't want to alarm the people."

Reach Tom Searls at tomsea...@wvgazette.com

or 348-5198.

http://sundaygazettemail.com/News/200808071407

Real ID: Speed pass to slavery
Posted: August 30, 2008
1:00 am Eastern

© 2008

Shortly after the year ends, credit card companies send out a summary of all the charges made against an account for the entire year, neatly divided into various types of charges to help customers with their income tax preparation. Every item shows the date, the time – down to the minute – the location and the amount of the charge. This information was collected from the insertion, or swipe of a credit card, or the mere touching of a spot with a speed-pass key.

This marvelous technology saves time, reduces errors and streamlines the flow of information. Hundreds of millions of people use this information exchange system. In fact, many people have their paychecks deposited into banks electronically, and pay bills electronically and rarely write checks or handle cash, except for the pocket change necessary for small purchases.

This is the same technology that will provide the foundation for the Real ID system now under construction. The card used is an "Enhanced Driver's License." The "enhancement" is a magnetic strip, or an RFID (Radio Frequency Identification Device), that stores whatever information that may be programmed into it.

The first stage of the system will require the use of this card to board commercial airplanes, to enter federal buildings and may be used in lieu of a passport in bordering countries. If this system is fully implemented, the government will have, and be able to instantly produce, a record of every person's air travel, border crossing and visit to a federal building – in the same way credit card companies produce annual summaries for their customers.

So what? Consider stages two, and three and who knows what else.

The federal government regulates every bank and credit union. Every bank account requires an identification number assigned by the government. A minor regulatory change can require this number to be from an Enhanced Driver's License. These financial institutions are required to file regular reports to the government electronically. Every credit card charge eventually gets posted to a bank account somewhere. It would be a very small programming step to attach individual financial information to the personal record created by the Real ID database. This would result in a record of both travel and purchases – complete with date, time, location and amount.

(Column continues below)




Beginning to get the picture? Add to this database the record that employers are required to report to the federal government: gross income, taxes paid and the net amount deposited into the bank account. Once the Real ID database is created, there is nothing to prevent this information from being added.

When this system is in place, Big Brother can simply punch a button and analyze the life of anyone, anytime. The profile can be quite detailed, showing travel, what merchandise was purchased, where and when it was obtained. It can match income records with deposits and expenditures, and reveal any disparity in taxes paid.

This is only a skeletal picture of a premature system that can ultimately contain every detail about every person in the nation – from birth to death.

This is necessary, we are told, to weed out terrorists. People who are obeying the law will have nothing to fear, we are told. This system will make every American safer, we are told.

The fact is that every American will be in jeopardy if this system is ever fully implemented. Some unseen, unknown, unaccountable person will have access to the most private information about every person. A simple flag on an individual record could lock out that person from his bank account, from his credit cards and from travel. A person victimized by this situation would be at the mercy of the government – essentially enslaved.

People who have had a credit card purchase denied know this feeling, but they have the option of using another card, or paying cash. If the magic number is from an Enhanced Drivers License, there is no other card. There is no place to turn.

This system ignores the constitutional guarantee that every citizen is secure in his person, house, papers and effects.

The government has no constitutional authority to gather this information unless a warrant has been issued by a judge after reviewing an affidavit showing probable cause of a crime; unless, of course, the information is given voluntarily. So far, no one is "forced" to obtain an Enhanced Drivers' License, unless, of course, he wants to drive a car, board an airplane or visit a federal building.

http://worldnetdaily.com/index.php?fa=P ... geId=73804

Why do you need an ID?
By Michael Hampton
Posted: August 26, 2008 1:38 am
Share this story: Digg del.icio.us reddit.com Newsvine

[b]Would anyone fly again if they knew the government’s security procedures weren’t intended to make people safe, but only to make them feel safe?

Would you?

Perhaps you’d better buy a bus ticket or set up a videoconference, then, because Homeland Security secretary Michael Chertoff admitted that at least one aspect of aviation security is intended to be security theater, not real security.

At a speech he gave August 13 at the University of Southern California National Center for Risk and Economic Analysis of Terrorism Events, Chertoff expounded at length on the supposed virtues of government identification. And much of what he said was right. You certainly don’t want your bank to give all your money to someone else who just claims to be you, for instance.

Chertoff said that current measures like REAL ID were only stopgaps and that “21st centuryâ€

Ron Paul’s VP Now John McCain’s Puppet Show

August 29th, 2008 2:52 pm | by Marc Gallagher | Published in Abortion, Activism, Big Government, Bob Barr, Civil Liberties, Constitution, Election, Foreign Policy, Libertarianism, Liberty, Maven Commentary, Neo-con, Politics, REAL ID, Ron Paul, energy, john mccain | 1 Comment

John McCain continues his expertise in politics with the choice of Sarah Palin as his running mate. He also continues his quite Bill Clinton-like “wherever the wind blowsâ€

REAL ID: CONNECTING THE DOTS TO AN INTERNATIONAL ID



By Representative Sam E. Rohrer

August 24, 2008
NewsWithViews.com

History offers many examples of societies which have sought to increase security by sacrificing freedom. America itself provides many pertinent instances. However, our founding fathers have not left us without wisdom on this issue. Ben Franklin has famously stated, "People willing to trade freedom for temporary security deserve neither and will lose both." REAL ID undoubtedly exemplifies a scenario in which a difficult tension exists between freedom and security. By commandeering every state's driver's license issuing process, REAL ID threatens the results warned by Franklin - loss of both freedom and security. It has become the biometric enrollment phase of a plan to implement a terribly invasive tracking system, largely without public knowledge or approval. REAL ID is merely the current face of a far larger, international government and private economic effort to collect, store, and distribute the sensitive biometric data of citizens to use for the twin purposes of government tracking and economic control. At issue are much more than standardized or non-duplicative driver's licenses. This effort extends worldwide, threatening every person alive today. Although very legitimate security concerns exist in this age of terrorism, this Act extends far beyond terrorism prevention or protection of the innocent. Keeping that broad picture in mind, let us move to some background behind the face of REAL ID implementation in America.

The REAL ID Act passed Congress in 2005 buried in a "must-pass" war funding and tsunami relief bill. The little debate in the House and total absence of debate in the Senate ensured that many Congressmen did not realize the full implications of REAL ID. Importantly, the desire by government and economic interests to implement a national tracking and ID system did not start with the REAL ID Act in 2005. Under the guise of security, it has been attempted numerous times in the past, even during Ronald Reagan's administration. When former Attorney General William French Smith proposed to implement what he called a "perfectly harmless" national ID system as well as when a second cabinet member proposed to "tattoo a number on each American's forearm," Ronald Reagan responded, "My God, that's the mark of the beast," signaling an abrupt end to the national ID debate during the Reagan years.

The significant opposition to a national ID system in the past extends to the REAL ID issue today. This conviction has united both Democrats and Republicans as well as such normally opposed groups as the ACLU and the ACLJ. Whether the concern is privacy, religious rights, states' rights, or cost of implementation, REAL ID has galvanized broad and deep resistance, currently including an estimated six hundred groups. Today, over twenty legislatures have passed resolutions or legislation variously opposing implementation of the REAL ID Act. Eleven of those legislatures have gone further by passing laws specifically prohibiting compliance with REAL ID.

What does REAL ID do? REAL ID attempts to mandate a standardized process and format for all state drivers' licenses to achieve increased security. Most importantly in this standardized process, REAL ID mandates a certain picture quality. A footnote issued by the Department of Homeland Security establishes this quality as compliant with the ICAO Document 9303 biometric format. The global body setting this format, the International Civil Aviation Organization (ICAO), is a specialized agency created under the United Nations. Biometric data can be produced from a simple digital photograph of this quality by running the picture of a person's face through a software program which measures and analyzes the unique, personally identifiable characteristics of that face. The process results in a unique numeric code which identifies a person according to facial measurements. You read that correctly. A unique number or "code" is developed from an algorithmic formula which converts a digital biometric sample to biometric "face print" data. Under REAL ID biometric facial recognition technology, you become a number literally worn on your face - a number which is read by computer, tracked by surveillance camera, and distributed worldwide. Clearly, this international standard provides global compatibility of American citizens' biometric data collected through REAL ID.

Having this background, we should observe that many Americans still do not know why the provisions of the REAL ID Act must be rejected and aggressively opposed because they do not understand the full implications of REAL ID. Many wrongly assume that the legitimate need for security trumps all other considerations. However, REAL ID is not primarily about a secure driver's license or terrorism prevention. The full and dangerous implications of REAL ID may be fleshed out through a discussion of why each American must vigorously oppose this Act's most basic tenets. It poses dangers in the following three areas:

1 - REAL ID violates Constitutional rights.
2 - REAL ID compromises national and state sovereignty.
3 - REAL ID threatens the safety of all Americans.

I- First, let us note that compliance with REAL ID would violate our constitutionally protected freedoms.

Amendment I - Freedom of Religion

REAL ID violates freedom of religion for some citizens by forcing inclusion into a system which requires a picture - and more - just to access public services. The Amish and some Mennonites provide examples of religious groups who view the mere taking of photographs as idolatry. REAL ID conditions their freedoms, such as entering a federal building, upon a provision which violates their religious beliefs. Because this "government" identification system limits travel and access to certain public places, and could even become a debit card, other more mainline religious groups view REAL ID as the advent of the "mark of the beast."

Particularly because this technology assigns a unique number to represent each person's biometric face print, these concerns are hardly unfounded.

A Powerpoint presentation from L-1 Identity Solutions, the major biometrics company in the U.S. today, bolsters this claim. A slide in that presentation includes a graph which charts future likely applications for biometrics. Phase 1 of this "blueprint" for biometric implementation utilizes the authority of Federal agencies to impose such requirements as REAL ID. Phase 2 utilizes bureaucratic leveraging on regulated industries to implement biometrics. Phase 3 anticipates mass implementation on the citizens at large for such everyday activities as buying and selling. As an example, under Phase 2 DHS is attempting to force airlines to pick up the costs of collecting biometrics from foreigners at airports. In Texas under Phase 3, a company is experimenting with using the driver's license as a debit card. Whether one is personally alarmed at some or all of these concerns, REAL ID would prohibit the free exercise of religion for many people.

Amendment IV – Freedom of Privacy

REAL ID also violates the Fourth Amendment's guarantee of freedom of privacy. First, by mandating the collection, storage, and dissemination of personally identifiable data without any informed consent, REAL ID tramples on this right. In reality, this practice constitutes government-sanctioned identity theft and seriously breaches the "security of person" guaranteed to every U.S. citizen. No sufficiently compelling need exists to warrant government mass collection and storage of such sensitive information about its citizens. Concern heightens even further when private corporations control the databases being set up to house this information. As an example, L-1 Identity Solutions houses a database of U.S. driver's license information. This company, which has consolidated a virtual monopoly on the driver's license issuing market in the U.S., will handle all private information collected during the license issuing process.

Secondly, REAL ID threatens freedom of privacy because this warehoused data cannot be confidently secured. Even the Department of Homeland Security's own Privacy Impact Assessment fails to guarantee that the database linking and networking that will result from REAL ID will be secure. Many privacy experts agree that REAL ID will actually increase identity theft! In reality, the database and access to it will create an electronic superhighway for potential mass identity theft.

Thirdly, REAL ID violates the Fourth Amendment in that the process of collecting personal biometric data without consent violates the very laws that exist to protect against such measures. This is probably one of the most significant Constitutional issues. Current US law allows the collection of biometric information only in the case of criminal activity. However, REAL ID institutionalizes the capture of facial recognition biometrics for every driver, regardless of criminality.

Fourthly, REAL ID ripens the climate for aggressive efforts to control the masses via information and leading-edge technology, regardless of crucial privacy considerations. Data collection and surveillance is simultaneously occurring across several diverse fronts, each one a potential privacy danger painting the broader picture of where REAL ID will take us as a country. For instance:

1- In Rhode Island, a school district is allowing a company to place radio frequency tracking (RFID) chips in students' book bags.

2- Nationwide, Great Britain has installed an estimated 4.2 million surveillance cameras utilizing facial recognition technology to keep tabs on all citizens. These cameras, of which there is 1 for every 14 citizens, can observe a person up to 300 times in a normal day in the city of London.

3- China is aggressively pursuing country-wide surveillance of its citizens using facial recognition technology purchased from a contractor supplied by the previously mentioned L-1 Identity Solutions.

4- According to a June 28, 2008 New York Times article, US and European officials are nearly agreed upon a "binding international agreement" which would allow "European governments and companies to transfer personal information to the United States, and vice versa." Under the cloak of terrorism prevention, European governments could request "private information - like credit card transactions, travel histories, and Internet browsing habits" about American citizens.

5- Homeland Security Presidential Directive 24 issued by the President on June 5, 2008, "establishes a framework to ensure that Federal executive departments and agencies use mutually compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric and associated biographic and contextual information of individuals." This step shows the President's extensive authority and disregard for privacy in streamlining the biometric sharing process.

6- The FBI is currently building a billion-dollar database to house an enormous amount of biometric data. While officially aimed at housing criminal and terrorist data, this database already retains finger prints, iris scans and other individual biometrics that the government collects on ordinary citizens. Who knows the extent of the private information that will be stored in this massive database? REAL ID-collected "face prints" are just one more piece of the data collection and tracking system.

These examples only serve to underscore the aggressive global government efforts to track and control citizens. In every case, REAL ID violates the freedoms guaranteed by the Fourth Amendment.

Amendment X – States' Riights

REAL ID violates the Tenth Amendment in that the federal government is attempting to force the states to collect private data on their citizens, only to allow that data to be shipped out-of-state and shared worldwide. This action forces the states to work against the very interests of the citizens they are to protect. When states accede to this pressure under REAL ID, they allow the transfer of state authority to the federal government. The separation of powers built into our Constitution then crumbles as the federal government makes the rules, interprets the rules, and enforces the rules regarding all state drivers' licenses.

II- In addition to the three ways REAL ID would violate the Constitution, compliance with the REAL ID Act would undermine our national and state sovereignty. While REAL ID reads like a manual for a national ID card, the Department of Homeland Security's own rules for REAL ID reveal that it implements an international ID system based on biometric identification. Complying with the requirements under REAL ID would violate U.S. national and state sovereignty by forcing states to adopt international biometric facial image standards and to document standards set by international organizations.

As mentioned previously, the ICAO, affiliated with the UN, sets the standards for facial image captures (photos). Besides tracking the movements of international travelers, the ICAO also has assumed the responsibility of creating a common international passport system that stores individual personal and biometric information on a RFID chip built into the passport. The American Association of Motor Vehicle Administrators (AAMVA), which recognizes ICAO standards, "enables" this scheme. This international body and private organization sets nearly all the standards for REAL ID document scanning, storage, data encryption, barcode and layout design to comply with their 2005 international driver's license system. Under REAL ID, AAMVA is the hub and backbone of the database system being set up to share information between states. From a broad perspective, the system created by REAL ID destroys national sovereignty and constitutional authority by removing control of government from the people and establishing government control over the people.

Furthering AAMVA's control strategy here in North America, implementation of REAL ID is "de facto" enrollment of each state into AAMVA's Driver's License Agreement (DLA). AAMVA has pushed the DLA, which meets REAL ID specifications, for nearly ten years. The implementation of this DLA is crucially important to the global effort because it mandates the sharing of all U.S. drivers' license information with Mexico and Canada. This egregious step places U.S. citizen's data at the mercy of Canadian and Mexican privacy controls, further exacerbating the identity theft problem, and violating Constitutional law and national sovereignty by essentially having states form a treaty with a foreign nation.

REAL ID also violates national sovereignty because any international system includes and requires agreements and obligations that would weaken any sovereign standing. In fact, a Government Computer News report notes the following from Robert Mocny, acting program manager for the U.S. Visitor and Immigrant Status Indicator Technology program. His quote comes from comments about a federal plan to extend biometric data sharing to Asian and European governments and corporations, so as to create a Global Security Envelope of identity management.

"My question is, how is it ethical not to share?" Mocny asked. "It makes no sense for us to develop separate systems . . . information sharing is appropriate around the world." Government Computer News further notes that he is sketching a plan for sharing biometric data that would permanently link an individual with data that governments and corporations hold. Since both governments and corporations have been infiltrated by extremists and terrorists and since certain governments of today may be our enemies tomorrow, I hardly think that worldwide sharing of our citizen's data is a good idea!

Enhanced Driver's Licenses (or EDL's) provide a further example of the undermining of national and state sovereignty. Citizens that purchase these nearly REAL ID-compliant licenses, which contain biographic and biometric information on an RFID chip, can use them as a passport to enter either Mexico or Canada. This advancement establishes the international ID designation of REAL ID. The Canadian province British Columbia has also issued a new EDL which, according to their website is also, "an acceptable document for entry from Canada into the United States by land and water."


REAL ID violates state sovereignty because the issue in contention is "national identity management", with the federal government manipulating the tool of state driver's licenses. Consider the following statements about REAL ID from Electronic Data Systems, the very company likely to maintain AAMVA's driver's license database: "The Real ID Act, then, is about more than a driver's license. It puts in place a set of standards for Identity Management (IdM) that can be leveraged across an entire government organization to create an integrated citizen identity security program." The international biometric standards mandated in DHS's final rules, paint the broader picture of an international ID card for government surveillance and tracking.

III- REAL ID would endanger Constitutional rights and both national and state sovereignty. Finally, let us consider that compliance with the REAL ID Act would compromise the safety of our people. Unlike what some government officials might say, 9/11 and the prevention of terrorism are not the real reasons for REAL ID. In fact, this technology was being pushed well before 9/11. Although REAL ID and biometrics are promoted as the "cure-all" to terrorism and identity theft problems, many highly dispute this claim. In response to the post-9/11 claims of biometrics companies that their technology could have prevented 9/11, Jim Wayman, the former head of the US Biometrics Center countered, "No, the government didn't have this stuff in place, precisely because it had been working on it and knew its limitations and didn't find any value for the costs involved." He further noted, "It's going to be hard to know how these technologies can be applied to increase national security. We're not just going to turn these machines on and start catching terrorists." REAL ID will not assure greater safety since terrorists will either avoid or duplicate a REAL ID compliant drivers' license, although a correctly operating biometric system would certainly increase the difficulty of faking or forging a license.

Despite the government's assurances about the "certain" safety benefits of REAL ID, no government or company can create a foolproof, perfectly secure system. A person who breaks the law or who desires to wreak havoc on American soil will find a loophole with which to avoid the requirements of REAL ID. One needs only consider that driver's licenses on the black market will continue to be readily available.

Further, the safety of law abiding citizens will be compromised as their identities are stolen, stored and made accessible to thieves around the globe. Some people reject this idea because they hope that the government will be able to protect their identity once it has all of a person's information. The simple faith implicit in this idea is widely misplaced, however. As proof, consider that in 2007, a Globe and Mail report noted, "A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports." A breach of security in Great Britain last December resulted in the loss of approximately 25 million individual records. In my state of Pennsylvania, a security breach which occurred two years ago at a Driver's License Center resulted in over 11,000 records being compromised. Such security breaches highlight significant personal dangers to law abiding citizens and prove that the only secure data is uncollected data.

Finally, REAL ID does not assure safety because biometric technology itself does not work predictably. At this point in time, the technology we are discussing does not work well; hence REAL ID and facial recognition biometrics can not ensure safety. As a result, no one has yet been successfully prosecuted via facial biometrics. The opportunity for false identification and therefore being, "guilty before proven innocent" is great. For example, the Tampa, Florida police force scrapped a facial recognition system in 2003 because, according to a spokesman, "We never identified, were alerted to, or caught any criminal. It didn't work." While on its face, the concept of REAL ID seems like it would increase security, it does not. A Privacy International Study conducted in 2004 found "Of the 25 countries that have been most adversely affected by terrorism since 1986, eighty percent have national identity cards, one third of which incorporate biometrics. This research was unable to uncover any instance where the presence of an identity card system in those countries was seen as a significant deterrent to terrorist activity." The simple truth is that REAL ID cannot stop crime.

In summary, we have seen that REAL ID threatens Constitutional rights, national and state sovereignty, and the safety of our people. The enrollment of American citizens into an international biometric system of identification and tracking constitutes the heart of the REAL ID issue. A secure driver's license is not the ultimate goal or certainly the ultimate result of the REAL ID Act. And it is unfortunately clear that the ultimate purpose is government tracking and economic control through enhanced knowledge and surveillance through biometric identification and tracking.

This being established, it is clear that this aggressive effort of the federal government, working hand-in-hand with private commercial interests, must be opposed on every level. While Congress must move to quickly repeal the passage of the REAL ID Act, the states provide an ideal position from which to fight this encroachment by the federal government. The responsibility for the security and privacy of our own generation and the generations to come, however, rests upon our shoulders.

The next action to be taken involves the following three steps.

First, Congress must immediately repeal the REAL ID Act and resist any effort to pass anything remotely similar. Secondly, individual states which have not passed legislation preventing implementation of any provision of REAL ID, particularly the biometric portion, must do so without delay. As has been stressed throughout this article, biometrics is the core provision of REAL ID; consequently, the states must move to protect their citizens' biometric data immediately. This step is critical because the vast majority of statutory law did not envision the breadth of individually identifiable data that could be gleaned by rapidly advancing technology. Further, because L-1 Identity Solutions holds a virtual monopoly as contractor for state DMVs, they could use their position to coerce the states into implementing all of DHS's wishes. This scenario further endangers state's rights.

Therefore, it is not enough for states to simply stop collecting biometric data. They must purge and "dumb-down" databases to preclude any government knowledge or use of private citizen's biometrics. Additionally, private third-party inspections should be ordered to ensure that all measures have been fully implemented. Fundamentally, the states must demand control – they must inform the contractor what to ddo, not vice versa. Thirdly, citizens must play a role in resisting illegitimate actions of the federal government. They must be encouraged in their capacity as law-abiding citizens to whom Constitutional guarantees were acknowledged, to resist implementation of any effort that would compromise their individual, God-given rights.

The American people remain the strongest defenders of freedom in the world. Many in our past have died for the liberties we enjoy today. Most of us are still willing to fight and die today for our freedom and the freedom of our children tomorrow. May we each do our part to ensure the greatest nation on earth remains "the land of the free and the home of the brave!"

"Liberty has never come from the government; it has always come from the subjects of it. The history of liberty is a history of limitation of governmental power, not the increase of it." -Woodrow Wilson

Sam Rohrer is a Representative for the state of Pennsylvania and a member of the American Policy Center Advisory Board.

http://www.newswithviews.com/guest_opinion/guest128.htm

Remarks by Homeland Security Secretary Michael Chertoff at University of Southern California National Center for Risk & Economic Analysis of Terrorism Events

Release Date: August 13, 2008

Los Angeles
University of Southern California National Center for Risk and Economic Analysis of Terrorism Events

Secretary Chertoff: I want to thank the Provost for that very kind introduction and even more so for inviting me to return again to USC to speak on the issue of homeland security and also to talk to some of the members of the first DHS center of excellence which I think is approaching, maybe it's already reached, its fifth anniversary.

As we're looking at our fifth anniversary at the Department of Homeland Security, which we celebrated in March, and as we look ahead to a change in the Administration, what I'm trying to do is to both look back and look forward in terms of some of the strategic lessons that we've learned and some of the strategic goals that we have to set for ourselves as we move forward to deal with the issue of homeland security in the very broadest sense of the word and so I'm giving a series of speeches over this period of time outlining the progress we've made and the challenges we continue to face in the area of homeland security.

The first speech, which I gave at Yale, dealt with the issue of the kinds of threats that are likely to bedevil us over the next 10 years, natural disasters like hurricanes and manmade disasters and attacks, like those launched by Al-Qaeda or other terrorist organizations or even the possibility of transnational organized groups, becoming a threat on a scale of a national security problem.

The second speech I gave at Rice dealt with the issue of our strategy of prevention. How do we prevent the manmade threats at least from being successful, from being carried out against citizens here in the United States, and how do we prevent dangerous people and dangerous things from coming into the United States where they might choose to launch those attacks?

Now, of course, there's other elements, there are other elements to our strategy. We have to talk about how we reduce our vulnerability if in fact dangerous people do come into the United States or if some of our own citizens become what's often described as "home-grown" terrorists and decide to carry out attacks against our institutions.

That's the issue of protection, and then my final speech will deal with the issue of response. How do we mitigate bad things when they happen?

But today's speech, which really focuses on the issue of protection, deals with one particular, I would argue, special challenge that we face on the eve of the 21st Century and it's a challenge that lies at the core of a great deal of what we do in protecting homeland security. It also lies at the core of a great deal of what we do protecting our financial security, our personal security, and our reputational security, and what I'm referring to is how we manage and protect our personal identities because I'm going to submit to you that in the 21st Century, the most important asset that we have to protect as individuals and as part of our nation is the control of our identity, who we are, how we identify ourselves, whether other people are permitted to masquerade and pretend to be us, and thereby damage our livelihood, damage our assets, damage our reputation, damage our standing in our community.

Now, often when we talk about the issue of identification, certainly over the last few years, it has come up in a very specific context. We talk about using identification to screen out dangerous or ineligible people from entering the United States through our borders, through our airports and our seaports, or from getting on airplanes or walking into federal buildings.

The 9/11 Commission spent a good deal of its time in the review of the events leading to 9/11 addressing the question of vulnerability and weakness in our identity security systems, the ease with which people could fabricate identities and use it as a way to live amongst us without being detected by the authorities or use it as a way to get on airplanes without being intercepted as somebody on a watch list.

But I'd suggest to you that identity is at the heart of a number of other very significant elements of our social fabric, even beyond simply protecting ourselves from terrorists or people who want to do us harm.

As we know from a lot of the debate over the last few years, identification is at the heart of the debate about illegal employment, people who come into the United States illegally and work illegally, and the question is how do we ascertain whether the people who are working for us are who they say they are so we can check their background, whether they are entitled to work so we can determine that we are complying with the law, and whether they are connected to the name in various tax databases so we can make sure that when we, for example, withhold the payroll tax, it's actually going to the right person?

So when you think about it, identity lies at the heart of the issue of employment which touches virtually every American. Identity, more and more particularly with the use of the Internet for purposes of transacting business, lies at the heart of our entire financial and market system. If we don't know who you are, if we don't know whether you are accurately representing your assets and your intentions over the Internet or even transacting business face to face, we introduce an element of risk into that business model.

The Internet depends upon the ability to believe that when you sell something to someone, that person in fact is going to be responsible to pay you and has the means to do it. When you get access to certain sites, when you withhold access to certain sites, when you safeguard information in certain databases, the key to entry and exit is again dependent upon identity. Are you a person who is authorized to get into that database, to remove that information, to see what's in there?

So when you think about it from that standpoint, the entirety of our economic livelihood in the 21st Century is going to turn in large measure upon our ability to verify identity for those who want to transact business, and, finally, our reputation and our privacy depends on our ability to control our identity. If people can pretend to be us, if they can speak in our name in an unauthorized way, they can do great, perhaps irreversible, damage to our privacy or to our reputation and this again from a personal standpoint suggests that identity is increasingly going to become the asset that we have to be most careful to protect in the 21st Century where the ability to get information, move it around the world and store it indefinitely creates greater and greater risks to personal reputation and personal privacy.

Now when I talk about identification, I want to separate two distinct elements because they are related but they are still separate. One is, we need to identify an individual as a distinct individual, a distinct person with certain rights and privileges. For example, everybody has a unique DNA and if we can identify that person and their DNA and know, for example, that they are lawful citizens of the United States, certain consequences flow from that. You can vote. You can sit on a jury. You have the right to work and therefore we need to verify at a whole host -- in a whole host of circumstances that the person who presents himself or herself to claim a right or a privilege in fact is entitled to that.

But once you've made that determination, the issue of convenience and efficiency comes into play. How do we know in casual encounters and Internet encounters, at the airport or at the border, that you are the person who has previously been validated as having certain rights and privileges, and that's the issue of authentication.

So first we validate you. We determine in some form or fashion that you are a citizen, you are who you say you are, you have certain rights and privileges, and then we need a means that other people can test that validation, can authenticate that validation.

Now, before I talk about the different ways we do this, let me give you some concrete examples of how even in the last few years, we have increasingly seen a decrease in our ability to authenticate identity with very serious consequences for people all across the country.

Of course, the most obvious example is a situation of people who try to sneak in in order to do harm, terrorists, for example like the hijackers on 9/11, some of whom used false identification as a way to conceal themselves from the authorities or investigators so they could get on the airplanes that caused the tragic events of September 11th, and we've talked a great deal about the need to prevent people from exploiting weaknesses in our identity system in order to be able to get on airplanes and blow them up or enter places that they're not supposed to be and cause damage.

But there are also increasingly financial and other costs being borne by citizens apart from terrorism because we have not brought our identification management systems into the 21st Century. Some of these costs are not obvious to individual citizens. For example, credit cards routinely absorb fraud-related charges as "acceptable" losses. You don't necessarily know as a cardholder that that loss has been incurred. Oftentimes, you won't even be notified about the fact that they've somehow suppressed an effort to use your name in order to falsely acquire goods.

But the fact is everybody pays for this. Everybody pays for it in increased charge costs, in increased transaction costs, and in increased retail costs. So that's a widely-distributed but very real consequence of the imperfections we have in safeguarding identity.

Sometimes, though, these types of crimes or these types of exploitation of vulnerability in identity do hit the public radar. Last week was a good example. I was up in Silicon Valley and I announced what I think is the largest prosecution of identity theft in American history, an identity theft that took place over a period of years, according to the allegations in the indictment, which led to charges against 11 individuals, a scheme that is alleged to have involved the theft and sale of more than 40 million credit and debit card numbers hacked from eight major U.S. retailers.

This was truly, according to the allegations, an identity theft on a grand scale with the potential to generate millions of dollars of losses, based on people using these credit card numbers which are, after all, identifiers. They're the way you identify or validate someone's identity, using these credit card numbers to cash out at ATMs all over the place and to use these -- exploit these identities in other ways.

But apart from just the issue of the credit card industry and other financial services industries which increasingly suffer from identity theft, individuals suffer sometimes from identity thefts that occur on a very small level. Again, there's been a lot of discussion in the last year or two about the issue of people who are in the country illegally and working illegally. Some of them, of course, work without papers. Some of them simply make up papers out of whole cloth. They make up phony social security numbers and we try to tackle that using an electronic online system that you can use to check whether the name and the number are valid and matching, but increasingly, as we raise the bar to the simple schemes of impersonating legitimacy or legality, more and more of these people working illegally are using genuine identities that have been stolen from real people. In other words, identity theft has become a major enabler of illegal working in our economy.

Now some people dismiss this as an insignificant threat or an excusable effort on the part of people who are looking to work to evade the laws, but for those who believe it's a victimless crime, let me direct your attention to a Wall Street Journal article which I happened to read on August 7th of this year. It involved an individual from this part of the country whose name I won't use who discovered one day in mid 2003 that they had a letter from the IRS concerning $18,000 in unreported income.

This person, however, had never worked in the company in question. In fact, the company was on the other side of the country in North Carolina, and all of a sudden, they had an IRS problem that they had to clear up. So they hired a lawyer. They wanted to try to fix it. They kept getting more and more letters from the IRS. They had to try to contact authorities, this is in 2003 and 2004, to see if something could put an end to this individual who was impersonating the Californian and continuing to earn money, but, of course, it was the Californian who was being asked to pay the taxes.

And then the problems continued to multiply because the individual whose identity had been stolen by this illegal migrant started to receive calls from collection agencies for medical, furniture and cell phone charges. The individual's husband recalled that these collection agencies would telephone as many as eight times a day. "My wife would jump up every time the phone rang. In the middle of the night, she would wake up afraid and just sit up in bed."

This is the very real cost of identity theft, even when it turns out to be an identity theft committed to enable an illegal migrant to work in a way that's unauthorized, and by the way, for those who wonder where the impact falls, the statistic in the Wall Street Journal, which is somewhat surprising, is that about 53 percent of all Latinos who were victims of identity fraud in 2007 reported that the fraud involved opening an account in another person's name and Latinos are 1.5 times more likely to have an account fraudulently opened in their name than are fraud victims of other ethnicities and that's because of the comparative large number of people with -- from Latin countries who are working illegally in the economy.

So here again, we see that even when a single individual commits an identity fraud and even when it's in the course of an illegal employment rather than a much more sophisticated scheme, people have real consequences to their reputation, to their finances and to their peace of mind.

So how do we deal with this issue of identity management? Well, here in the first decade of the 21st Century, our basic strategy of dealing with protecting our identity hasn't changed very much, frankly, from what it was in the last century. We basically rely on two types of ways of protecting identity, sometimes separately and sometimes we use them together.

One is a card or a document. The passport is generally regarded as the gold standard. We use driver's licenses. Anybody on a college campus, and don't raise your hands if you know about this, probably knows where to get a false ID in order to drink. So that's certainly a much less robust form of protection than a passport and sometimes we allow people to identify themselves using documents that are even unofficial. So that's one method that works imperfectly.

The second method is what I call the secret information method. It's the use of some number or some word or something that's like a password that is meant to authenticate you as the genuine person who is entitled to engage in a transaction or work or access a bank account.

It's because of this secret information type of identity management that we often read in the paper about laptops being stolen and then people worrying about their identities being stolen as well because the laptop has a name and a social security number.

The difficulty with the social security number is not that there's anything intrinsically private about it. It doesn't reveal personal details about your preferences and what you read, but it's that the more we rely upon a number as an identity authenticator, the more dangerous it becomes to lose control of the number and yet if you think about it, using a number or a word as an authenticator carries its own inherent vulnerability because as you give the number to the people who are going to authenticate you, they now have the number and the more people that have that number, the more easily they will lose it.

So you can see both of these methods, a card that is easily forged or counterfeited or a number which can be lost or misused, both of these are imperfect ways to protect identity and, frankly, it's this imperfection that has led to what I think is increasing stories about identity theft and an increasing concern.

Now using 20th Century tools, we are doing some things now to try to strengthen our ability to protect identity using these two methods, but what I'm going to say to you shortly is that I actually believe in the 21st Century, there's a better way to do it and one that's ultimately going to replace what I consider to be a comparatively primitive way of protecting identity.

The first thing we do, using again traditional 20th Century methods, is we try to make it harder to counterfeit a card and this is a pretty good approach if you're going to use a card-based identifying method by itself. We've put chips in passports. We've created pass cards. We've put bar codes in. We've embedded certain kinds of holograms, all of which are designed to make it more difficult for people to fabricate these cards, and we've required higher standards through things like our Western Hemisphere Travel Initiative which governs what people need to show when they cross a land border or our Transportation Worker Identity Card or even the Real ID Initiative to strengthen the security of our driver's licenses.

But while this has done something to deal with the issue of forgery and counterfeiting, it's certainly not a complete solution because time and again, I certainly have seen intelligence that tells me that sophisticated criminals and sophisticated terrorists spend a great deal of time learning to fabricate and forge even these improved cards. The net effect of this may be that it's going to be harder for people on campus here to get a drink when they're under 21, but unfortunately it's not going to be that much harder for the most sophisticated dangerous people to counterfeit an identity card.

With respect to the vulnerability that we experience when we give people our social security number or our PIN number, again here a partial solution that works somewhat well is encryption. If you encrypt, if you safeguard, then you do in fact minimize the possibility that someone is going to steal your number and therefore make off with it.

But I want to remind you, every time you get on a telephone, you give your credit card to somebody in a company as a way of validating your identity, you are trusting that the person on the end of the line is not going to misuse it. That's part of the inherent vulnerability of secret information as a sole identifier.

So I think that we are taking steps now to deal with the issue of these identity vulnerabilities. I think they are partly successful, but I think in the long run, they have inherent vulnerabilities that suggest they may not be a complete solution.

Now some people take a totally different tack. They actually don't want us to do anything at all to improve identity management by either creating different or better cards or collecting more information or doing anything of that sort. They take a general privacy objection to all the efforts that we are undertaking and the efforts I'm going to suggest we should undertake with respect to securing our identities and giving us greater confidence that we can identify people and we can -- people can identify us.

And before I go further, let me tackle these objections straight on. The first objection is, I think, probably the most persuasive from a policy standpoint and that is the argument that you have a right to anonymity, that you shouldn't be required to identify yourself willy-nilly. We can walk down the street without having to justify that to anybody else.

Now, you know, there's a lot of appeal to that in certain settings. I, too, believe, that absent something extraordinary, you shouldn't have to identify yourself walking down the street of Los Angeles and have a document that can verify that you are who you say they are -- who you say you are.

European countries, by the way, differ with this. They require that you carry -- many of them require you carry an ID card, but I think there's a good case to be made that at least in an open street, in an open forum, you should be able to move along without having to identify yourself.

At the same time, I think very few people would argue that you should be able to cross a border without identifying yourself. Most people understand that when someone wants to come into our country, we have a right to know who they are, so we can make a judgment about whether we want to let them in or not and that's true in the same way that we have a right to determine who enters our house and, by the way, that's why when the gas meter reader comes to the door or someone comes to the house in order to perform some kind of a health inspection, you ask for identification because you want to verify the person is who they say they are. So that's the context in which anonymity, I think, doesn't make a lot of sense and isn't very persuasive.

And now, of course, we require identification to get on airlines. Some people may think that that's wrong as well, that we should not require people to identify themselves before they get on an airplane. You understand why we do it, because we know there are people out there who are dangerous, because we would not want to have Mohammad Atta's training camp roommate getting on an airplane where other people are flying and turning it into a weapon or blowing it up, and so therefore from a security standpoint, anonymity has to give way to the right of others on the plane to feel safe.

I've two responses in particular to people who argue with this proposition. One is empirical and one is kind of a philosophical response.

The empirical response is that I think that if you -- if I could run a market experiment, I would set up an airline that is an anonymous airline that allows people to get on without identifying themselves and then I would watch to see how many people decided to fly that airline as opposed to the airlines where people do have to identify themselves, and I think the answer is very few would fly that airline, and I also think you'd have a lot of problem finding pilots who would fly the airline because people understand that that identification is necessary to protect themselves and that gets me to my philosophical argument.

Often the people who argue for anonymity don't recognize that there are two people in any transaction where a person is asked to identify themselves, the identifier and the person who is asking for identity. Both of those people have rights. A person may have a right to control whether they disclose their identity, but the person who's transacting with them has a right to know who they're transacting with.

It's what I call the caller ID model of identification. When caller ID was first distributed widely, there were people who objected on the ground that if you didn't want to identify yourself as the caller, you shouldn't have to have that appear on someone's screen and the solution that was developed, I think, is very clever and very fair and in many ways my model for how we ought to deal with the issue of anonymity across the board.

The model is to give the caller the right to make themselves anonymous, to have on the screen in lieu of a number something that says caller unidentified or refuses to identify. So that protects the caller's right to keep themselves anonymous but the person being called has the right to see that and before they pick up the phone to say, you know, I don't want to deal with a person I don't know and therefore the caller doesn't get to complete the call.

So both sides, the identifier and the person asking for identity, have their rights safeguarded and that's my view really with respect to the issue of anonymity on the airplanes.

The public has a right to know before they get on the plane who's getting on the plane because if they're told that we're going to be letting people on the airplane who don't identify themselves, they're probably going to get off that airplane and that's why I think we are going to continue to see a requirement of identity when you get on airplanes.

The second issue that's raised sometimes is the issue of, well, yeah, we agree that you should be required to identify yourself, but it's wrong to have the government set the standard for what that identity document ought to be.

I have to say this is kind of a silly argument. If you believe that it's fair to ask someone to identify themselves, there's no argument in favor of making it easy for the person to do it with a false identity. Lying and deceiving are not values we generally try to promote in public policy and there's certainly no reason to let any of you -- for any of you in the audience to welcome someone else impersonating you in order to access your bank account or get on an airplane or exercise some other privilege.

The third argument, and the one I'm going to talk about when I discuss -- turn to the last part of my remarks which is what I think we can do in this new century, is the increasing problem that I alluded to earlier of theft of data and forgery.

[b]These objections, I think, are the ones that are the most practical objections we currently face as we deal with how to manage identity and they're actually objections to which I believe we can develop solutions and so to explain what the solution is, how I think we can reconfigure our identity management system to minimize theft of data and further minimize forgery and further safeguard identity, let me stand back and give you a sense of what I see as the universe of tools that we have available for managing identity.

I like to say that the issue of identity authentication, determining that you are in fact the person you claim to be, really rests potentially on what I call the three Ds: description, device, and digit, and what do I mean by that? Well, description means some piece of information or something known to you and not to anybody else that can separate you from the other person who claims to be you.

As I've indicated, standing alone, this has a vulnerability but it doesn't mean that it can't be used in conjunction with other kinds of tools, like device and digit.

The second is device. Now, the device we most commonly use to identify ourselves is the card, the card that can be forged in some cases, in some cases may be harder to forge, but there's no logical reason that only a card can be used as an identification device. A cell phone could be used as an identification device. If you constructed a cell phone and you created a token in a cell phone and the way the token system works, if you operate in the area of intellectual, you know, property and IT, is the token changes every 30 seconds, so that the number that flashes on the token is useless if it's stolen because in 30 seconds, it doesn't grant access anymore.

Now many of you actually use cell phones as identification devices now because you can get on the Internet with your Blackberry and you conduct business using your Blackberry cell phone over the Internet. You're using an identification device. So this is not some startling insight by me. It's a recognition of where we're headed.

The third potential strategic leg, besides description and device, is digit, your finger, your fingerprint, more commonly described sometimes as a biometric. Your digit is unique. Your fingerprint is unique and the ability to use that as an identifier, as we do, for example, throughout the criminal justice system, gives us a third powerful tool that we can use in order to make sure that we can separate real people from impersonators.[b]

Now what I'd like to suggest to you is that the way forward is to work with all of these tools in combination, to take the ability to use some descriptive information, like a PIN, or some private information, a device like a card or perhaps a cell phone or other electronic device, perhaps with a token, and a biometric, like a digit which is easily used and concurrently be captured on a whole host of mobile devices, to combine these together and I can envision a time in the not-too-distant future where, in order to authenticate yourself, whether it's for purposes of getting on an airplane, whether it's for purposes of transacting business at a bank, whether it's for purposes of gaining entry into a student dormitory, that you will have some kind of device, it may be electronic, that will combine two or three of these three Ds, as I call them, to increase the ability to be secure in the knowledge that nobody else can duplicate your ability to identify yourself.

And I think this is the way forward on the theft and forgery issue. Now, some people say, well, of course, it's not perfect. I mean, there will be some people who will be so good that they will be able to somehow -- you know, they'll steal your device, they'll find a way to get your fingerprint and fabricate it and then they'll somehow ferret out the piece of information and having assembled all these things, they'll be able to impersonate you.

But, you know, nothing is perfect. If the test of any movement forward in a system is that the new system has to be perfect, we wouldn't have airbags in automobiles. After all, the airbag is not perfect. If you run headlong into an 18-wheel tractor-trailer, that airbag is not going to help you. But in a lot of accidents, it will help you. So I'm arguing this is a 99 percent solution and in real life that's a very good solution.

I'd also like to suggest that there's some additional things we can use to protect privacy and that involves, first of all, increasingly using the caller ID model where both sides get to make a decision in advance whether someone's going to identify themselves. I think, by the way, that's the model in a sense we use on airplanes these days.

One of the things TSA does is it says, you know, if you want to travel on the airplane, you have to identify yourself and that's because of the interest of everybody else on the plane. Now, you don't have to identify yourself at the airport but then you can be refused entry on to the airplane, and as I say, I mean, I wait for the day that an airline comes forward and proposes that they have an anonymous airline.

A second thing we can do is move to a system in which in fact there's a third party who validates identity so that neither the identifier or the person requesting identity actually has to -- the person requesting identity doesn't actually have to see the identifier's information but they get validated from a third party.

This is sometimes called in the non-technical term the "ping" system, P-I-N-G. It's used -- the Europeans use this a lot when they want to validate identity. They check against the third party database. The third party doesn't know who's checking and who's being checked, but they do know they're getting an inputting request and an inputting authentication and then they validate to both sides. This is a form of distributing the information, and I think a lot of people, I know in the tech world, believe that distributing the information is another way forward to protecting privacy and protecting security without sacrificing the benefits of being able to authenticate.

So this is what I think the way forward is in the 21st century, which I think will deal with what I believe is the last really serious objection that we have to our identification methods which is the remaining concern about theft of data and forgery and here's my challenge.

I think this is not a task that the government alone should do. It is my belief the government should set performance metrics on the capabilities that identification must have. Now sometimes we issue identification, we issue passports, we issue licenses, but certainly for things like getting on airplanes and getting in buildings, I would challenge the private sector to come up with methods and forms and systems of identification that would meet these performance metrics, that would accurately identify a person who's been validated, working from a respected breeder document or some kind of database that truly verifies and validates identity, and that satisfies the security measures because I believe that we should then be in a position in the government to say we'll accept that identification.

If someone comes forward with a really good identification, I-dentification, like your iPhone or your iPod, that meets these metrics, we should take it at the airport. We should take it in federal buildings. I think we need to unleash the technical skills and the systems engineering skills of the private sector to tackle a problem that we are still fighting using 20th century means.

So that's my sense of where we are going in the 21st century and what I continue to believe will be very much at the heart not only of homeland security but at the heart of economic security, at the heart of personal security, and dare I say very much at the heart of protecting our reputation and our privacy which are very much the foundation of our liberty.

Thank you very much.

Secretary Chertoff: All right. So now I'll take some questions and I'll ask if you'll wait for the microphone.

Question: Sir, hasn't the James Bond series showed that digital prevention of fingerprints is obviously oversuperseded by wearing a thin latex glove with somebody else's fingerprint on them and then accessing anything you want?

Secretary Chertoff: See, and here's the answer to that, the answer to this which will cleverly be put together by people in the technical world is that, first of all, when you put your finger on a digital reading device in the presence of someone, they're going to look at your finger and they're going to say, what is that funny gummy thing you have on your finger that's being used to replicate a fingerprint? Or, if we're going to use remote fingerprinting, what we're going to do is — and I think this capability exists — we’re going to put into the device that's the fingerprint reader something that measures your body temperature and is going to light up if there's some discrepancy or something that raises an issue.

The one thing I'm confident of is this: any technical threat can be met with a technical solution, but I'll reiterate what I said earlier. There's no 100 percent effective thing and I'm never going to tell you that there will be a 100 percent effective thing. But frankly, if you could reduce identity theft by 99 percent, you'd be way ahead of the game.

Question: Mr. Secretary, you mentioned the impact or the effect of illegals working and obtaining false identification. Do you think we'll ever have a guest worker program that works like they have in some of the European countries?

Secretary Chertoff: Well, I don't know that it works in the European countries, but the answer to that is I believe we will. We tried very hard last year to get a guest worker program which I continue to believe is not only necessary for the economy but it is actually a way of enabling the enforcement.

I mean, there's obviously a straightforward solution to the problem of illegal work, which is you open the front door and you shut the back door and then the people coming through the front door, you know, you check them first because you have a right to invite people in your own house. You give them an identification card. You know who they are. They're protected because they're not working illegally. The employer pays tax and everybody's happy.

Congress wasn't willing to open the front door. It's opened a little bit, but it's not really wide open.

In the interim, to be honest, we're closing the back door and we're doing it because (a) it's the law and (b) I think it's a necessary condition to satisfy the American people that when the front door is opened, we will really bring people only through the front door, but, you know, I'm ready, willing and able any time in the future to get up and work with anybody who wants to get this thing done.

It's a sad thing that, despite overwhelming support for a balanced program, we weren't able to get it done. Government probably has had to devote, you know, effort to re-establish its credibility which we've done, but it's, you know, a tough process.

Announcer: Please stand up and identify yourself. Thank you.

Secretary Chertoff: There you go, humor. It's identity humor. It's really --

Question: I'm Yvonne Kinman. I have a question regarding a recent article in the L.A. Times.

Secretary Chertoff: That's always a dangerous predicate to a question.

Question: And this is their wording. "The government is in the habit of losing laptops frequently with personal information."

Now, my question is what is the standard of accountability of this kind of negligence in light of we're spending this much money on computer chips and holograms?

Secretary Chertoff: Well, of course, the problem with losing laptops is -- first of all, it's not limited to the government. The private sector does it, too. There was a story where a registered travel company, a laptop disappeared.

It's a hard problem. There should be accountability. People do get disciplined when they misuse a laptop. But actually, you've put your finger on a deeper issue which I'll talk about for a moment.

When you build a security measure, it has to be built in a way that works with the natural habits of people in terms of efficiency. The easiest way to prevent laptops from being lost would be to prohibit them from being removed from the workplace. Why have a laptop then? You just use a PC. The purpose of the laptop is to be able to take your work home with you.

Now, you can tell people, encrypt the data, don't lose the laptop. A vast majority of people honor that, but time and again someone fouls up. There have been stories going back historically of -- I think there's a story over in Europe of some very significant disks being lost because someone left them on a train.

You've got to build the system with human nature in mind. There's not -- it's not going to be perfect. There are going to be mistakes and that's why I come back to my issue of personal information. Putting aside the cost of the laptop which is, you know, I know $500, $1,000, the real problem there was it had personal information. Some of these cases involve personal information.

Now, some of it's truly intrinsically personal, like medical records and things like that, but sometimes what's being lost is a social security number. My position is I'd like to see us in 10 years in a place where you don't use your social security number to identify yourself and therefore if somebody gets it, it's not going to do them any good, just like if someone gets your name, they're not going to be able to walk in and say I'm so and so, you know, I want to withdraw my money from the bank.

At bottom, though, any security system is going to depend on people. It has to be built in a way that takes account of human nature, has to take account of the fact that there will be mistakes, and you're right in reminding us that as we spend a great deal of effort, for example, dealing with hackers and trying to build complicated systems in terms of, you know, what goes into computers to make sure we're not getting bad code, in many cases, the most vulnerable thing is the human being who carelessly leaves the laptop on or lets it get stolen and that's why this is a hard issue and the solution set involves a lot of different pieces, but I think that what your point illustrates is the importance of trying to build a system that is capable of being resilient in spite of what will inevitably be human mistakes.

Question: Hi. My name's William. Secretary Chertoff, thanks for coming out.

Considering the amount of people that are on, say, no-fly watch lists mistakenly and unable to correct that status, could you suggest ways to safeguard the government and law enforcement would use the information efficiently and in a trustworthy manner and the people be protected from the government misusing that information?

Secretary Chertoff: Yeah. Let me tell you, you raise two separate issues. One is the issue of false-positives on watch lists. Contrary to some of what you read in the paper, the actual watch list in TSA is many orders of magnitude less than the figure of a million which was mistakenly put out.

But the issue of false-positives goes back to the name. We are a name-based identification system and many of us have similar names. You know, John -- there's a lot of John Smiths in the United States. If there is a John Smith who is on a watch list for good reason, the challenge is how do you take the other John Smiths off that? How do you remove them from being mistaken or positively identified as that John Smith?

Now, there's actually a simple solution to this. If you can get from the innocent John Smiths their date of birth or some other additional unique identifying fact, you can put that into the system and then when they present identification, they're immediately taken out of the system. Basically, they're excluded from the set of people on the watch list, and we actually in May changed our system to deal with this issue for people who are in selectee status which means they were automatically being put into secondary and they couldn't get their boarding passes without going to the desk.

We told the airlines that we would allow them, if someone gave a birth date, to exclude that person basically from the list and to let that person get their boarding pass directly at home or in the kiosk like everybody else. Some airlines have done this. Some airlines have chosen not to because they don't want to spend the money and their attitude is, well, TSA gets blamed for it, so, you know, I guess they could do what they're doing now with food and they could charge you for it, but I hesitate to suggest that, I may give them an idea, but the bottom line is there's a solution which involves using an additional identifying fact to take people out of the category of the person who's watch listed.

The end state solution is going to be to do what I said earlier which is to have a third party validator. We are very close to issuing a rule which, frankly, we've been trying to get permission to do for some years called Secure Flight, where TSA would actually become the validator, would match the list.

Right now, the airlines do it. So we could internally correct the false-positives with this data and what would happen is the airline would send the manifest and we would simply see whether the people on the list are the real bad John Smith or not the real bad John Smith and then we'd clear everybody else. We wouldn't be interested in where the cleared people are going and the airline wouldn't have to maintain and deal with the issue of that list.

On the issue of people misusing information, you know, when people steal information or something of that sort, it's actually punishable. I'm actually not aware of many cases where people in the government have deliberately stolen information, personal information. There are regrettably more cases where people have negligently mishandled it or somehow lose it or something of that sort.

Let me go way in the back there. Just so you know because the lights are in my eyes, I can't really see anybody out there. I just kind of look where there's movement.

Announcer: Mr. Secretary Chertoff, you have five more minutes. Thank you.

Question: Thank you. My name is Scott Gallagher. My question regards while I understand and I appreciate where we're going with this, what do I do currently, especially when companies are hiding behind the Sarbanes-Oxley Act when it comes to identifying me?

For example, a recent phone call. I call the company and I say I want to talk to you regarding this information I just received from you in the mail and then they begin to vet me to make sure that they're talking to the right person and all the identifying information they're asking me is on the piece of paper that I held in front of me.

Now, if somebody has broken into my PO Box and stolen this, they're getting -- they have all the questions and I will ask them to please find another way to validate me and they say that they can't or they won't.

Secretary Chertoff: Well, see, that's -- but that's a great example of this point of using multiple systems. That's the -- you know, they're still stuck on the old secret information system. They're probably a little stupider than most because many companies don't put all the information and they require you to use something like your mother's maiden name or something of that sort.

But again, if we moved away from that system into a system where you could electronically identify yourself or you could use a combination of things, the concern you have would be abated.

I should say, by the way, not every issue requires, you know, the same robustness of identification. Buying a movie ticket doesn't require anything and it may be that some of this stuff you don't care very much about, but on anything really important, with personal, getting access to personal information, there should be multiple forms of authentication to avoid precisely the problem you've identified.

Question: Secretary Chertoff, I agree with your comment about we need a validation agency of some type, particularly with regard to electronic communications. I'm also concerned also that it would be solely a governmental activity, but haven't we overlooked a constitutional duty and responsibility to have, let's call it, a national electronic postal service? They would do things like issue electronically watermarked postmarks. We could do -- we could even establish systems on computer-maintained files so that we would have privacy issues secured as well.

Do you look at this as we've overlooked a vital organ, if you like, in our attempt to have security in telecommunications by not having a national electronic postal service?

Secretary Chertoff: Well, I'm happy to say one of the very few things that's not in my department is the Postal Service.

Secretary Chertoff: But I don't know about a national electronic postal service. I will say, and I think after this I have to depart, you're right that the Postal Service is underutilized in this respect. I think people are moving more to electronic mail and private services, but the Post Office is now increasingly a place where you get a passport.

The process of getting a passport, you know, that is still regarded as the premier validation document. It's a document which, if you present, should allow you to get other documents that are more convenient and one of the things I hope to see is, as the Post Office re-engineers itself over the next, you know, few years, that they increasingly look at whether they can be in the business of servicing identity management. They can -- because every town has a post office.

You know, I've learned a lot about systems engineering. The biggest problem is getting physical things distributed widely and the Post Office is the government's leading physical -- other than schools maybe, the only institution that exists literally in every town. We've built it. We've got people working there. So I think in the long run as we're getting into this 21st century model of identity authentication, I think that's definitely a resource that ought to be used.

Thank you very much.

Dr. Nikias: Thank you. Let's give him a round of applause. Thank you. Thanks for joining us, Secretary. Thank you.

This page was last reviewed/modified on August 13, 2008.


http://www.dhs.gov/xnews/speeches/sp_1219162986509.shtm

Despite Real ID, WV licensees may exclude photos from licenses
By Jacqueline Emigh, BetaNews
August 8, 2008, 6:25 PM

Religious fundamentalists in West Virginia are now being exempted from getting their digital photos emblazoned on their driver's licenses, after objections over carrying around what they conceive as the biblical "mark of the beast."

Although objecting West Virginians will still be required to have their license photos taken at a state Department of Motor Vehicles office, their photos will be removed from its computer immediately afterward, with the state retaining hard copies of the pictures at its main office.

But like other drivers, the fundamentalists will be required to keep their birth dates and driving records stored on the state's computer system, according to an account in West Virginia's Charleston Gazette today.

So far, only about a dozen people -- consisting of a local pastor and some of his followers -- have applied for special consideration for digital photos.

These folks purport to believe that digital photos on state drivers' licenses could spell the start of the "mark of the beast." In describing the "beast system," the Bible's Book of Revelations cautions that numbering people signifies "the arrival of the Antichrist."

The drivers license issue came up after one of the followers, a local teacher, refused to enforce school rules requiring students to wear bar-coded ID badges because he felt that practice violated his religious beliefs.

In 2006, the teacher, Phil Hudok, met with West Virginia DMV Commissioner Joseph Cicchirillo -- along with pastor Butch Paugh and twelve others -- about compliance requirements around the Federal Real ID Act of 2005, which will ultimately force states to share information among themselves about licensed drivers.

Yet although it was passed in 2005, the Real ID Act has not really taken effect yet. As of April of this year, all 50 states had received extensions beyond the original compliance deadline of May 11, 2008, either because they'd applied for extensions or were simply granted extensions without soliciting them.

West Virginia's DMV commissioner said he views the exemption of the religious fundamentalists from digital photos on drivers licenses to be merely a "pilot project." So far, the state has committed only one camera to the pilot, according to Cicchirillo.


http://www.betanews.com/article/Despite ... 1218234327