Nationwide Drivers’ License Database Law Too Expensive, Easy to Abuse
Potential for breaches and simple bureaucratic abuse is high under a system set up by the Real ID Act, panelists at an Electronic Privacy Information Center (EPIC) conference said Mon. The Real ID Act, signed by President Bush last month and to take full effect in 3 years, mandates new rules for issuing driver’s licenses and orders states to open their databases to all others. A strong argument for the bill was tracking possible terrorists to prevent another 9/11. Dennis Bailey of the Coalition for Secure Drivers License, the lone group supporting the law at the event, endured friendly jabs from panelists and several heated audience questions.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The issue isn’t whether databases are “100% tamper proof,” Bailey said, but “whether you can raise the bar” from an easily spoofed paper-based system to a more secure digital system that protects personally identifying information (PII). George Washington U. Assoc. Law Prof. Daniel Solove said moving to secure digital documents relies on those unsecured source documents in the first place. The U.S. is one of the few democracies left without a national ID system, and none of the nations with ID systems have descended into police states, Bailey said. Steve Lilianthal of the Free Congress Foundation countered that those democracies still have terrorist incidents, and an audience member said most of those states also have stronger privacy laws than the U.S.
Achieving compliance with Real ID could cost states $2 billion, panelists said. Center for American Progress Senior Policy Analyst Raj Goyle said Va. spent $237 million in anticipation of passage. In Md., a task force concluded compliance will cost a similar amount. Solove vented that there are “other things we could be plunking our resources into” with “staggeringly greater risks,” rather than building an information-sharing system for the low-risk possibility of domestic terrorism. “I don’t think the case has been made” for the system’s high cost, Solove said: “Maybe we shouldn’t even be having this debate” before deciding how much security American society wants.
Bailey portrayed the law as a multi-purpose tool that must be national to work: What good is a watchlist “if someone can go to a state with the lowest standards” for ID? he asked. Linked databases in several states have been used for non-terrorism purposes, such as searching for tax fraud, compelling child support and tracking sexual predators, he said.
Solove said he worries that Real ID is a step toward a “dossier society” in which an individual’s entire life is easily accessible in a digital form magnitudes more vulnerable to whimsical misuse. Responding to the law’s supporters, who say a series of decentralized databases will lessen risk of breaches, Solove said “decentralized databases can become, in a nanosecond, centralized databases” with “one click of a mouse.” Deborah Hurley, a member of the State Dept.’s Advisory Committee on International Communications & Information Policy, called such a database a “big, fat, juicy target” for ID thieves.
Murkiness regarding the law’s possible effects should cause more, not less, concern, Solove said: “We don’t really know a lot of what the downstream effects are going to be yet,” emphasizing “yet.” Bailey scoffed at critics who think ID thieves are to have a flood of personal data in which to swim: “If anybody doesn’t think that [personally identifying] information is already out there, I think you're under a misconception.” Solove agreed, with a twist: “The law right now does a terribly bad job of limiting govt. access to that information” and Real ID will compound the potential for abuse and breach.
Chances for bad information to enter the system drew fire from panelists. Assn. for Computing Machinery Fellow Barbara Simons cited a Financial Services Technology Consortium analysis that found 100,000 credit cards in a 500,000-card sample were fraudulent. Applying the same error rates to terrorist activities in the general population, that would mean 40 million Americans being mistakenly flagged as terrorists through Real ID, she said. Legal immigrants are especially vulnerable to misidentification through Real ID because “the [source] documents are very unreliable,” and not updated in a timely fashion, Goyle said. Whatever else happens, renewing one’s drivers license online will probably end, Goyle said: “If you thought the DMV was bad now, wait until Real ID” takes effect.