Encryption under REAL ID Could Hurt Police, DHS Official Says
Homeland Security officials were told that their department has fallen down on security by failing to set encryption standards under the REAL ID Act. They were testifying Wed. at a DHS Data Privacy advisory committee meeting. The law requires states to standardize the data that appear on state-issued ID cards, mostly driver’s licenses, and to network their DMV databases so other states can search for records. But the data in the “machine readable zone” (MRZ) on compliant cards alarms committee members and hearing witnesses, who fear they could create a booming new market for data brokers and aggravate ID theft.
The agency has been fighting what officials call “misinformation” peddled by privacy activists (WID March 15 p9) since it issued draft regulations following through on REAL ID (WID March 13 p4). DHS isn’t creating a “central database in Washington” ripe for hacking, as critics have said the interoperability mandate calls for, Assistant Secy.-Policy Stewart Baker told the committee. “There is no obvious place that a hacker could go to gather information” except DMV offices, which will continue to house their own digital records, he said. It’s easier to buy Social Security numbers from “darknet servers” than breach a DMV office, Baker added.
The idea of a network of state databases has precedent in Canada and the blessing of the country’s privacy commissioner, said Jonathan Frenkel, DHS senior policy analyst. States won’t be able to rummage through others’ databases, he said, describing the DHS proposed system as “red light/green light” -- Ga. can query the Ariz. database only to find “discrepancies” between records such as birth certificates. When discrepancies are found, state officials contact each other directly.
Four additional states have taken actions against REAL ID since the ACLU gave background materials to the committee last week, said Barry Steinhardt, technology program dir.: “This movement is accelerating across the country.” Under REAL ID, data in the MRZ will be “harvested” by every retailer, airline and other business and sold for “pennies on the dollar” to data brokers like ChoicePoint, creating a “parallel database,” Steinhardt said. DHS regulations impose no obvious limits on who can access REAL ID information and for what purposes, said Center for Democracy & Technology’s Sophia Cope.
A N.J. incident involving data skimmed from ID cards should make DHS question its silence on private use of REAL ID data, said Melissa Ngo, Electronic Privacy Information Center ID project dir. A nightclub started skimming data from entrants’ ID cards -- N.J. cards have an MRZ -- and was promptly told by the state DMV that the practice was illegal, whereupon the nightclub sued for access to the card data, Ngo said. So how will REAL ID make this situation worse? asked committee Chmn. Howard Beales, until recently FTC Consumer Protection dir. and a seeming skeptic of privacy activists’ claims. Ngo called the expansion of unencrypted MRZs “a step backward” that universalizes a practice by some states. Mass. Registrar of Motor Vehicles Anne Collins said 46 states have MRZs on state IDs. Tex. Public Safety Assistant Chief Robert Burroughs said 13 states encrypt the MRZ and don’t give out the keys to other states.
The prospect of skimming card data for sale to data brokers worries DHS, and it plans a review once comments are in, Frenkel said. “We thought pretty seriously about encryption” of data in the MRZ, Baker said: “We're certainly not religiously opposed to it.” But Burroughs testified that police on roadside stops may not be able to scan MRZ data if they're encrypted, Baker said. Some states share their encryption keys with other states for law enforcement use, but some don’t.
A single encryption key for all state IDs, as would be required for law enforcement nationwide to use, is a recipe for hacking, Baker said. Once comments are in, “if we see that there are [security] gaps, that’s something we can work on with the states,” Frenkel said. Through a “combination of suasion and authority,” DHS will pressure states to raise security standards, Baker said: “We will at minimum use the bully pulpit.”
States were at work on their IDs before REAL ID led many to scrap systems they had spent years building, said David Quam, National Governors Assn. dir.-federal relations. But governors are saying “let’s mend it -- we don’t have to end it,” he added. States need more federal money to carry out REAL ID, and they require flexibility to build on top of “legacy [IT] systems,” he said: “A mandate without funding is a hallucination. That may be where we're at.” On securing state databases, he summarized the DHS position as: “Punt it to the states and they'll solve it.”
State database security is “all over the place,” Collins said. Some were written in the old COBOL code, but staff familiarity with new systems may be a bigger problem, she said: “I find that very often the protocols lag development of technology.” The feds should give states a “point system” that emphasizes what actions to take first, given current levels of funding, Collins said: “We will never get that much money in a single year” to fully implement REAL ID.