Thread: Support H.R.220 - Common Sense About Identity Theft & RE

Guest warns against Big Brother, Real ID
by Alyson E. Raletz
Wednesday, February 11, 2009

JEFFERSON CITY, Mo. — The leader of a movement against national driver’s licenses promoted legislation Tuesday that would prompt a showdown between the states and the federal government.

While some lawmakers alluded to fears of the Federal Real ID Act of 2005 as conspiracy theories, state Rep. Jim Guest, R-King City, warned that requirements that could come down from the U.S. Department of Homeland Security would put Missourians’ identities at risk, pointing to easily scannable biometric technology.

“We do not need Big Brother watching us and knowing where we are,â€

Data collection sparks privacy concerns

By ERIC NEWHOUSE • Tribune Projects Editor • February 9, 2009


Montana's Office of Public Instruction has begun collecting information — including medical data — on students with disabilities, raising some confidentiality concerns among school officials.
Advertisement

"I don't have any problem submitting this data to the state, but it's wrong to associate it with an individual student by name," said Doug Sullivan, superintendent of schools in Sidney.

In addition to a list of the physical and emotional disabilities students have, Sullivan also is concerned that the state requires general income information by asking which students are eligible for a subsidized school lunch, Sullivan said.

"I asked the principal not to disclose some of that specific information about my son, but he told me that could jeopardize federal funding of school programs," Sullivan said. "But that jeopardizes my right as a parent to control information about my own child."

Madalyn Quinlan, chief of staff for OPI, said the data is required by the Achievement in Montana system, which is used to assess and track the educational progress of students.

"It's an accountability requirement for the federal government to ensure we are providing services to the students they're providing funding for," said Great Falls Public Schools Superintendent Cheryl Crawley. She said the system's current security provisions appear adequate to her and her staff.

The program, which collects 108 data sets on each child, is in the fourth year of a five-year contract with the software vendor, Infinite Campus Inc.

"The system for the special education program is just being rolled out this year," said Bob Runkel, assistant superintendent of OPI.

Information in that system includes individual education programs, in which teachers devise strategies to educate students with a variety of physical, mental and emotional disabilities.

"My point is that that information doesn't belong to the state, at least not on a personal identification basis, particularly in a state that has so strongly rejected the Real ID program (a national program of standardized identification)," Sullivan said.

Runkel said school officials are sensitive to those concerns.

"Of course we're concerned," he said. "We've developed a system, keeping privacy and confidentiality of student data in mind, and it has a lot of safeguards built into it."

"The product itself is actually stored with the state (online) firewall," Quinlan said. "Any information uploaded from the school districts comes across a secure site, and no information is exchanged via e-mail."

Additionally, all OPI employees are trained on student confidentiality procedures, she said.

Those measures aren't enough, according to Sullivan and the board of trustees of the Sidney Public Schools.

Sullivan said he wonders why OPI can't generate a student identification number and send it to the district, which will then assign it to a student. Once that is done, the district and OPI could refer to that student by the number, with only the district having access to the name assigned to the ID number.

"The (software) product we purchased has the student name as an integral part of the program," Quinlan said. "And the student name helps us when we deal with the local school district."

Even if an ID number is created, the information could still be exposed at the district level, said Glynn Ligon of ESP Solutions Inc., a consulting firm in Austin, Texas, that bills itself as specialists in K-12 data systems.

"I personally think the ruse of getting only the ID number goes only so far in protecting the student's identity, because it still creates a unique record that is linked back to a personally identifiable record at the local level — and possibly elsewhere," he said. "Plus, within the record itself, there will be, at times, data or combinations of data that uniquely identify individuals."

Barbara Clements of ESP Solutions added that system hackers tend to be more successful on a local level.

"Frankly, I haven't heard of any hackers getting into student records at the state level. They are usually high-school students wanting to change a grade, and they are more likely to go after school district systems," she said. "There is nothing, really, to gain from state records, which contain only a small portion of what is kept at the local level."

Clements said that other states' education departments have adopted different strategies to protect student privacy.

"In some states we have worked with, there was concern about collecting the student name," Clements said. "Those states have generally either collected the student records without the student name or stripped the name of the record when the data are entered into a data warehouse.

"The name is important to ensure that the student identifier is correct," she added. "Once that check is done, the name is not really needed at the state level. "

It can be a delicate balancing act to meet all the legal requirements and ensure security.

"Many states have collected records ... over the years — without the student's name," Ligon said. "The real solution is to have a solid, legal, defensible data access and management policy that complies with FERPA (the Federal Education Rights and Privacy Act), HIPAA (the Health Insurance Portability and Accountability Act, which provides for patient privacy), and your state laws, and allows local policies to be adopted that are consistent."

OPI officials are beginning to revisit the issue as the current software contract, which calls for the state to pay $435,000 annually, nears the end of its terms.

"We're doing some research now on what other states with a longer track record have been doing to keep student names separate from ID numbers and accompanying information," Quinlan said. "There is some precedent for it nationally."

Reach Tribune Projects Editor Eric Newhouse at 791-1485, 800-438-6600 or enewhouse@greatfallstribune.com.


http://www.greatfallstribune.com/articl ... /902090302

The Real ID Act, and why Virginia needs to stop it
ERIC HILL - Contributing Writer
Issue date: 2/9/09 Section: Opinion


A process has been set in motion to rob you of your civil liberties. This is not an exaggeration, it is called the Real ID Act and it was passed into law in 2005 by Congress, and will take effect Dec. 31, 2009. Since the news fails to talk about anything pre-Obama these days, let me catch you up to speed if you haven't yet heard.

In 2005, President George W. Bush asked Congress for more defense funding and relief funding for Hurricane Katrina. Hidden within a multi-billion dollar defense bill was a section that outlined stipulations that required the Department of Homeland Security to develop and implement a federal ID program. Without meaningful debate, recourse or even a simple "Hey what's this part?" Congress signed the act into law.

Referred to as the Real ID Act, this sneaky piece of legislation requires all states to meet federal standards for issuing identification cards. Also included was the creation of a national identification registry and new laws which would make it more difficult for immigrants to obtain IDs.

Now it's 2009, and the deadline to get with the program is fast approaching. The question is-why do we need such a program? According to the Department of Homeland Security Web site, the Real ID Act is designed to impede terrorists from falsifying documents such as the fake passports used to obtain the plane that crashed into the Pentagon. I know what you're thinking-how in the hell did they find falsified passports (made out of paper) when they couldn't find the plane's wings or engines? That's another issue though. The Real ID Act already is federally mandated, so the only thing that could stop it is another act of Congress or a bunch of state legislatures opposing it. This is where Virginia comes into play.

Right now, a bill is being debated in the Virginia General Assembly, which would allow Virginia to not participate in the Real ID Act and any other federal ID program. The bill is called House Bill 1587, and several other states have already introduced legislation that opposes the Real ID Act-such as North Carolina and Maryland.

The implications for the Real ID act are far-reaching and numerous. If the Real ID act is put into place, anyone could be identified with a scanner at any federal building or place of business. Failure to carry a federal ID would result in many unpleasant things-including the possibility of arrest as a suspected terrorist. Not only that, but the electronic components of a readable card mean that you could be tracked and your information would be available on a national network of state registries.

The American Civil Liberties Union is staunchly opposed to the Real ID Act, and has many well-constructed arguments against it. I urge all students to look up the facts on the Real ID Act and let your representatives know what you think about it. If we do not watch our government closely, we might end up signing away our freedoms one by one. It would be a sad day in America to wake up and realize that we're card-carrying members of a free democracy.

http://media.www.commonwealthtimes.com/ ... 9683.shtml

February 6th, 2009
Privacy Advisers Tell Government to Improve REAL ID, Border Search Policies
Deeplink by Marcia Hofmann

A committee of privacy advisers has recommended that the government add vital privacy protections to two high profile and controversial homeland security efforts.

The Data Privacy and Integrity Advisory Committee made a host of recommendations to the new Department of Homeland Security (DHS) secretary and acting privacy officer in a February 2 draft letter February 5 final letter, which has been posted on the DHS web site. [UPDATE: the February 2 draft letter has been removed from the DHS web site, but is available here.] Among the issues flagged for improvement, the committee highlighted the implementation of the REAL ID Act and handling of travelers' digital information during border searches.

The misguided Real ID Act requires state-issued drivers' licenses and ID cards to meet uniform standards to be used for purposes such as traveling on an airplane or entering a courthouse. The law also calls for the establishment of a vast national database to link all ID records. Last January, DHS released a final rule describing procedures for implementing the law, which EFF opposed because it failed to provide critical privacy and security safeguards for personal data. Moreover, many states have opposed the Real ID Act, refusing to implement its provisions because of crushing cost and privacy concerns.

The advisory committee's letter agreed that the REAL ID final rule fails to "fully address privacy and data security," and noted that the committee's past recommendations to improve the situation have not been carried out. As a result, "the rule leaves states in the position of subjecting their residents' personal information to the vulnerabilities of the state with the weakest protections." The committee suggested that DHS review and revise the rule, but we believe the true source of the problem is the profoundly flawed Real ID Act itself, which Congress should repeal.

The committee also recommended that DHS revisit its policy on searching travelers' digital information at the border, an issue that has prompted heated public debate and proposed legislation to protect travelers' privacy. A recent Freedom of Information Act lawsuit by EFF and the Asian Law Caucus revealed that DHS's policy on searching travelers' personal documents has become dramatically more permissive in recent years. As the advisory committee noted, however, "while certain DHS components may have legal authority to conduct border searches, there is a significant difference between looking at paper documents and searching through the volume of digital information that can be carried by travelers." The committee recommended that the agency's Privacy Office help review DHS's approach to searching and seizing digital information and develop guidelines to protect privacy during such searches.

EFF agrees with the committee's recommendations and hopes that recently confirmed DHS Secretary Janet Napolitano takes this advice seriously. DHS has a long way to go on the civil liberties front, and a commitment to addressing the problems created by REAL ID and digital border searches would be a strong first step.

http://www.eff.org/deeplinks/2009/02/pr ... prove-real

Florida has sold license photos

That's right. The state got a penny from a company in New Hampshire for your driver's license picture.

By KRIS HUNDLEY

© St. Petersburg Times, published January 23, 1999

If you have a Florida driver's license, the state has sold your photo for a penny to a New Hampshire company.

Image Data LLC of Nashua, N.H., bought the 14-million pictures for a data base that it wants to sell to retailers eager to prevent fraud. But its system has not been proven to be either secure or economically viable for retailers.

Driver's license information, such as addresses, has been considered public record and available, for a fee, to anybody from the local newspaper to a nosy neighbor. But previously, only Florida law enforcement personnel had access to the photos.

That changed last spring when the Legislature approved a bill that allows the photos to be sold for fraud prevention uses, raising serious concerns among privacy advocates about the vast amount of personal information now available through computers.

Though proponents promise the images will be used only to catch crooks, Robert Ellis Smith, publisher of the Privacy Journal, said it instead creates a mugshot file of all law-abiding citizens.

"Whenever the basic principle of privacy is violated it's a bad idea," said Smith, who is based in Providence, R.I. "Information gathered for one purpose shouldn't be used for another."

Lorna Christie, spokeswoman for Image Data, said the company's contract with Florida strictly limits use of the photos to prevent fraud.

"We're not a marketing company, and there will absolutely be no secondary uses of these photos," Christie said. Individuals can also opt out of the program by requesting to have their photo deleted from Image Data's file.

Image Data's identity verification system was tested last summer in South Carolina, which was the first state to approve the sale of driver's license photos. Colorado recently agreed to join the program. Both Louisiana and Image Data's home state of New Hampshire rejected the company's request to sell license photos two years ago.

Under Image Data's system, when a customer makes a purchase by check and produces a driver's license, the cashier swipes the driver's license into Image Data's system. Within seconds, Image Data transmits the photo on file for that license. No other information about the person is given.

The image, which appears on a screen about the size of a postage stamp, is only shown for eight seconds, then it disappears. The cashier then decides if the image matches the person at the register and either accepts or rejects the check.

"There's no way the cashier could download the image," said Christie, who said no price has yet been set for the service. "The only thing transmitted is the image, so why bother? That's not a building block for building an identity."

Not true, said Winn Schwartau, an expert on computer security issues who thinks hackers and criminals will have a field day with Image Data's system.

"Nobody's secure," said Schwartau, who runs a Website (www.infowar.com) on security and privacy issues from his Largo home. "When you consider what's already available online -- Social Security numbers, addresses, buying habits, then you add the photo, you've given the criminal element the final tool they need to commit any crime they want in someone else's name."

Rep. Tom Feeney, the Republican from Oviedo who sponsored the amendment allowing sale of the photos, said he was assured by state law enforcement that Image Data's system was secure and he doubts that crooks would have much use for a photo, even if they could access it.

"Maybe there are some possible bad purposes I haven't con-ceived of, but then, some crooks are brighter than me," Feeney said.

The purpose of his amendment, which was passed the day before the Florida Legislature concluded its session last spring, was to help retailers avoid costly check and credit card fraud.

"And if word about it gets out to the criminal class, maybe a few less wallets and purses will be stolen," said Feeney, who was Gov. Jeb Bush's running mate during Bush's first gubernatorial campaign in 1994.

But some Florida retailers question the value of Image Data's system, which could be available in the state by mid-summer. Lori Elliott, spokeswoman for Florida Retail Federation, said her group's members support efforts to deter fraud. But she notes that many retailers already pay a third party for a check verification and guarantee service, which guarantees a check will be paid, even if it turns out to be worthless.

"So why would a retailer want to pay more for an image if the check is already guaranteed?" Elliott said.

Conrad Szymanski, president of Beall's Department Stores in Bradenton, said he can see the value of Image Data's system if it worked with credit cards.

"It's a delicate issue," he said. "It could be seen as an invasion of privacy, but it serves a measurable consumer benefit by making it hard for people to steal your credit cards, run up your charge accounts and destroy your credit."

But Szymanski doubts his chain will have much use for Image Data's initial system, which will only work for check transactions.

"It would be hard for me to buy such a service based on check losses alone," Szymanski said. "It would have to work with credit cards as well or it would not fly economically."

Image Data's spokeswoman said the system eventually will be expanded to handle credit-card transactions. She points out that the company was founded two years ago when Bob Houvener, now Image Data's president, had his own credit cards stolen and run up with fraudulent charges.

"This company has been built from a victim's perspective," Christie said. "We worked to achieve a balance between protecting the consumer's identity and giving retailers an effective loss prevention product. And we used a technology that protects both consumers and businesses."

Schwartau, the security consultant, isn't buying that argument.

He said Image Data's plan is "full of holes" and is destined to be replaced within a few years by systems that will allow customers to prove their identity through fingerprint identification.

"Then unless you take my thumb, you can't steal my identity," he said.

http://www.sptimes.com/News/12399/State ... _lice.html

Florida driver's license settlement: $2.9M for lawyers, $1 for you
Cash-strapped Florida will shell out $10.4 million to settle a suit that reimburses state drivers $1 each.


BY STEVE BOUSQUET
Herald/Times Tallahassee Bureau

TALLAHASSEE -- Facing a $3.5 billion deficit next year, Florida desperately needs all the money it can get. But millions more will disappear because the state has settled a lawsuit that affects millions of motorists.

The Legislature will spend $10.4 million to settle a class-action lawsuit over allegations that the state illegally sold drivers' personal information to marketing firms over a four-year period in violation of a federal law barring the practice. The state made $27 million each year on the deal, according to the lawsuit.

The settlement to drivers? $1.

Drivers who held a license, car registration or state-issued ID from June 1, 2000, through Sept. 30, 2004, will get a one-time credit of $1 when they register or renew a registration between July 1, 2009, and June 30, 2010.

''Just one dollar?'' Sen. Gary Siplin, D-Orlando, asked in a committee hearing on the settlement.

The four South Florida motorists who sued will get $3,000 each, and five law firms that pursued the case for more than six years will divide $2.85 million in legal fees, which is separate from credits paid to consumers.

Gov. Charlie Crist and the Cabinet approved the agreement last August, but the Legislature has to appropriate the money. The Senate Transportation Committee was briefed on the settlement Wednesday.

The personal information that was sold included a driver's photo, Social Security number, driver ID number, name, address, phone number and medical condition.

The preliminary settlement requires the state motor vehicle agency to post on its website a system to obtain names of the mass marketers that bought the personal information, as well as a reference on license and registration forms on state and federal disclosure laws. The state formally denied any wrongdoing.

''No one's hurt, no one's injured, and we're paying $10 million?'' said Sen. Larcenia Bullard, D-Miami.

''It's $10 million or the potential is in the billions,'' replied Steven Fielder, lobbyist for the Department of Highway Safety and Motor Vehicles.

The state's maximum liability was estimated at $39 million, based on a $2,500 penalty for each violation of the federal Drivers Privacy Protection Act.

Congress in 1999 amended the law to prohibit states from providing drivers' personal information unless the state had drivers' permission to do so. But Florida, the lawsuit alleged, continued to market the data anyway. The Legislature passed a law in 2004 ending the practice.

Anyone affected by the settlement has until March 16 to file an objection with the court in Miami. The case is before U.S. District Judge Jose Martinez.

Sen. Carey Baker, REustis, said it looks to him as though consumers should have received more: 'The victim really doesn't benefit very much, and the attorneys make out on attorneys' fees.''

http://www.miamiherald.com/457/story/856123.html

Virginia’s General Assembly rejects REAL ID provisions

By David Sherfinski
Examiner Staff Writer 2/12/09
The Virginia House and Senate have overwhelmingly passed legislation rejecting elements of the federal government’s Real ID law, which requires states to issue federally mandated drivers’ licenses or similar forms of identification that would become part of a national database.

The House approved Del. Robert Marshall’s, R-Prince William, bill 88-10 on Tuesday, and the Senate passed legislation from Ken Cuccinelli, R-Fairfax, 30-9.

“I was obviously pretty pleased with that,â€

Mistake haunts woman’s name 63 years later


By: BRAD DICKERSON
Media General News Service
Published: February 13, 2009

SEBRING — The difference in the spelling of her name is only one letter, but it has sent Geraldean Smith — or now Jeraldean to officialdom — on a roller coaster ride she would rather avoid.

Smith was born June 2, 1945, and has always spelled her first name with a G.

Her driver’s licenses, credit cards, her voter registration and her marriage certificate have all been spelled that way.

But Smith’s Tennessee birth certificate, for some reason, has her first name starting with a J even though her late mother said it was supposed to have been spelled with a G.

The mix-up was not a huge concern for Smith until she tried to register for Social Security disability.

The error had been discovered earlier in 1988. Before then, Smith said she had never seen the piece of paper in question, since the original was destroyed in a fire.

“I asked them (the Social Security office) about it and they said, ‘Just go on the way you’ve always spelt your name,’â€

Post-9/11 reforms don't stop passport fakery

By EILEEN SULLIVAN, Associated Press Writer Eileen Sullivan, Associated Press Writer – 1 hr 4 mins ago


WASHINGTON – Using phony documents and the identities of a dead man and a 5-year-old boy, a government investigator obtained U.S. passports in a test of post-9/11 security.

Despite efforts to boost passport security since the 2001 terror attacks, the investigator fooled passport and postal service employees four out of four times, according to a new report made public Friday.

The report by the Government Accountability Office, Congress' investigative arm, details the ruses:

_One investigator used the Social Security number of a man who died in 1965, a fake New York birth certificate and a fake Florida driver's license. He received a passport four days later.

_A second attempt had the investigator using a 5-year-old boy's information but identifying himself as 53 years old on the passport application. He received that passport seven days later.

_In another test, an investigator used fake documents to get a genuine Washington, D.C., identification card, which he then used to apply for a passport. He received it the same day.

_A fourth investigator used a fake New York birth certificate and a fake West Virginia driver's license and got the passport eight days later.

Criminals and terrorists place a high value on illegally obtained travel documents, U.S. intelligence officials have said. Currently, poorly faked passports are sold on the black market for $300, while top-notch fakes go for around $5,000, according to Immigration and Customs Enforcement investigations.

The State Department has known about this vulnerability for years. On February 26, the State Department's deputy assistant secretary of passport services issued a memo to Passport Services directors across the country stating that the agency is reviewing its processes for issuing passports because of "recent events regarding several passport applications that were approved and issued in error."

In the memo, obtained by The Associated Press, Brenda Sprague said that in 2009 passport services would focus on the quality, not the quantity, of its passport issuance decisions. Typically, passport services officials are evaluated on how many passports they issue. Instead, Sprague said, the specialists should focus all their efforts on improving the integrity of the process, including "a renewed emphasis for Passport Specialists on recognizing authentic documents and fraud indicators on applications."

Over the past seven years, U.S. officials have tried to increase passport security and make it more difficult to apply with fake documents.

But these tests show the State Department — which processes applications and issues passports — does not have the ability to ensure that supporting documents are legitimate, said Janice Kephart, an expert on travel document security who worked on the 9/11 Commission report.

Kephart said this is the same problem that enabled some of the 9/11 hijackers to use fake documents to get Virginia driver's licenses, which they used to board airplanes. Since 2001, states have taken measures to make driver's licenses more secure.

"We have to address the ... document issue in a very big way, and we have yet to do that across the board," Kephart said.

State Department spokesman Richard Aker said the agency regrets that it issued these four passports.

"The truth is that this was human error," Aker said.

He said the State Department plans to have facial recognition screening for all applicants in six months. The agency is also talking to states to see if passport officials can check states' electronic databases to verify licenses and identification cards.

Two members of the Senate Judiciary's terrorism and homeland security subcommittee requested the investigation.

"It's very troubling that in the years since the September 11 attacks someone could use fraudulent documents to obtain a U.S. passport," Sen. Jon Kyl, R-Ariz., said in a statement.

Sen. Dianne Feinstein, D-Calif., said the report confirmed her fears that U.S. passports aren't secure.

"These passports can be used to purchase a weapon, fly overseas, or open a fraudulent bank account," Feinstein said. "This puts our nation in grave danger."

___

Associated Press writer Matthew Lee contributed to this report.
http://news.yahoo.com/s/ap/20090314/ap_ ... _passports

N.C. DMV to Use Facial Recognition Scanners
Associated Press
Updated: 02-6-2009 12:07 pm

The state Division of Motor Vehicles on Friday will begin scanning and digitizing the faces of people applying for or renewing driver's licenses, a measure officials said would help cut ID fraud and find suspected terrorists.

The face recognition technology that goes into use at DMV offices around the state compares facial features with digital images in the agency's database to verify the identity of each applicant, Gov. Mike Easley's office said in a statement Thursday. The images will also be matched against those on federal terrorist watch lists.

``This is another vital step in making our state a more secure place in which to live, work and travel,'' Easley said. ``This new tool will allow us to continue our efforts to make North Carolina's driver license procedures among the strongest in the nation. It is proof of our strong stand against identity fraud, the nation's fastest growing crime.''

The process uses computer software to define characteristics of each face being photographed for a license. Facial features measured by the computer include the distance between eyes, the width of the nose, the depth of eye sockets, and the location of cheekbones and the chin.

The measured features are then converted into a numerical code that can be read by computers that verify identity.

``As the system grows and more images are added, we will have a powerful database that will significantly strengthen our efforts to prevent identity theft in North Carolina,'' DMV commissioner George Tatum said.

The face scans were first proposed in February as part of an effort to cut ID fraud.

Earlier, DMV reduced the types of accepted forms of identification for first time applicants for a driver license or ID card. DMV now accepts only proof of identity documents issued by federal or state governments, such as a valid out-of-state driver license or a passport.

In May, the DMV started using a link that allows examiners to verify the Social Security numbers of an ID applicant with the Social Security Administration.

The DMV plans to roll out a new license and identification card later this fall. They are expected to be harder to fake due to features including added color and watermarks.

http://www.securityinfowatch.com/root+level/1276106