Thursday, July 28, 2011

Can Real ID live up to it's base security framework for driver's licenses?

BTC- Homeland Security News performed an exit interview with Heritage fellow, Jena Baker McNeil, who expressed Real ID is "absolutely necessary".  To our shock and awe, she conveyed belief that Real ID is not a national ID system.
"HSNW: The Department of Homeland Security insists that REAL ID is not a national ID instead it only imposes federal standards for IDs but leaves the operation and maintenance of databases in the hands of states. Despite these claims, would you consider REAL ID to constitute a national ID?
JBM: I agree with DHS. There is not a single database created to serve REAL ID. It simply directs states to network their own databases together so that they can talk to one another and try to identify fraud. No one in the federal government will be able to access any information—meaning there is nothing “national” about the process."

To wit, I asked State and national advocates to chime in her recalculation of the relevance of Real ID.

The First Responder on the scene was Pennsylvania voice of veteran advocate, Aaron Bollenger.

"This is all part of the NCIC Clarksburg, WV data hub. Who has access? States. Where is biometric info collected? States. The statement that “no one in the fed gov will be able to access any information” is just a rude LIE. This “network” also includes members of the AAMVA, who has their own collection of info. Picture a government-access-only Internet teeming with info on the lives of their sheep. That’s what this is all about. “National ID” is a matter of semantics, and a question of degree. All irrelevant when the reality is the data IS being collected AND shared."

There is the hanging question of what happens to the license information funnelled through the private network handlers at AAMVA. This government information clearinghouse contractor is networked over all of the US and almost every province of Canada. They could provide such a service. What, if anything, would be stopping them?

The majority of what has driven Real ID's continental network for secured license standards so far has been AAMVA's drivers license security framework.  A point of real grief for States has been coming along the sidelines making determinations on less nefarious points of the framework standards: tamper proof laminates, holograms, magnetic strips, the bar codes etc.  Immigration enforcement implications, costs of implementation, privacy violations, public outrage over lengthy lines and extreme demand on proof of identity conventions created many States' wedge on what is known as Real ID today.

One ofthe "Business Requirements" from the AAMVA framework is that,"All North American MVAs shall accept and endorse the eight privacy principles  as specified in Appendix “05-4.5-03 Privacy Principles.” 

These principles put limits on data retention, acknowledge persons rights to examine information kept about themselves and requests for corrections, disclosure limitations, information security and the public be made aware about all systems and databases where their license information is held.

"Each MVA shall ensure it has a means to oversee the previously mentioned principles."

So why the big frakas over Real ID? It could be the penchant for internal fraud. This haunting problem has not been overcome as recently as this week. It might be a key reason in deducing why REAL ID shouldn't be a requirement at all, much less a necessity. MVA's don't yet completely have the wield to justify the additional responsibility to live up to the security rigors of REAL ID.

States, like Florida, who have created literally impossible requirements for drivers to provide proof of identity.  License offices have been aggregating anything from marriage records to biometrics in a local database. There is literally no assurance that this information won't suddenly become part of a DMV information moonlight sale to ANYONE.

The Heritage Institute cannot assure New York or Florida license holders that their data will be safe when local drivers license administrators are corrupting fundamental information and license security holding patterns.  Unfortunately, license holders in most Northeastern seaboard States are also sitting ducks.  The ugly truth is local license admins are undermining the relevance of Real ID with much better success than millions of angry license holders and an army of immigration lawyers.

There is no real way to hold up AAMVA's "driver's license agreement" because the stone truth is no matter how secure an ID card may be - the information space where it is held is not.


Jim Babka said...

Did Congress pass the bill? Is a federal agency or cabinet level department managing the standards? Can states voluntarily opt out? No, they're nullifying at the moment, and the feds are bowing to reality. Are federal funds being used to bribe states into compliance? encourage state-level bureaucrats to undermine their legislators where they've somehow nullified the act? If the feds didn't bow to political reality, would an American whose state didn't follow the standards be able to enter a federal building or board a plane? said...

The databases are controlled by the state, that part is true, but what they rarely ever mention is that the data hubs that connects those databases are controlled by the feds. All data going though those hubs can be siphoned off. If the feds control it, that makes it a national id systems. If the system is connected to all states, that makes it a national id.

Aaron Titus said...

The guy you really want to talk to is Jim Harper at Cato. He’d definitely have a full-throated response.

Beat The Chip said...

WTF?! Do the rest of you guys just pay Harper to do your policy homework on this? What?! I get that Harper is the national ID guy but it's beginning to sound like a shop full of pet parrots in D.C. I mean I get it that he shows up to work, buut.. c'mon you lazy bastards...