DHS Unveils Final REAL ID Rules; Chertoff Slams ACLU ‘Misinformation’

DHS made substantial changes based on 21,000 comments on its initial proposal (WID March 13 p4), Chertoff said. State implementation costs will be about 75 percent less under the final rules, falling from $14.6 billion to $3.9 billion, due largely to delaying the deadline to apply the law to older drivers. In its first pass, DHS said implementation could cost as much as $23 billion. To help defray states’ costs, DHS is distributing $80 million in dedicated REAL ID grants and $280 million in “general funding” from DHS, for a total of $360 million in aid. Cards themselves will cost state motor vehicle departments about $8 each, “a small price to pay” for confidence in an ID that can’t be faked or stolen, Chertoff said.

States have a decade to comply fully with the new rules. Dec. 31, 2009, is the deadline for completion of checks on residents’ citizenship and the authenticity of their Social Security numbers, as well as the backgrounds of DMV staff and contractors. States must electronically verify all identity documents with the “issuing source,” confirm that licenses are tamper-proof and begin issuing them by May 11, 2011. By Dec. 1, 2014, enrollment must start for drivers under 50. For over-50s, that starting date is Dec. 1, 2017. Chertoff said DHS is sending states on a “gentle but nevertheless expeditious glide path” for compliance.

The law creates no “national database,” nor will material be available “willy-nilly,” Chertoff said, declaring that civil libertarians are objecting based on “misinformation.” He challenged the ACLU to explain why government should tolerate people lying about their identities. The federal government isn’t “bigfooting” the states, which went through an “iterative” process with DHS to refine the rules, he said. People who evaluate REAL ID in a “fair-minded and objective way” will embrace it, but “I invite criticisms,” Chertoff said. DHS will post all complaints received on a Web page, he said. “Simply kicking this problem further down the road… is a time- tested Washington way of smothering” proposals, he said.

DHS still hasn’t specified many elements of database and network security, such as encryption, on which critics have harped since enactment. Though Chertoff said states “must take steps” to secure DMV databases, DHS hasn’t explicitly told them how. The initial version of the rules didn’t address encryption to be used for data at rest in state databases or in transfer between states.

The final rules suggest that existing networks could form the backbone of interconnected REAL ID databases. To set requirements for a “hub"-based network and messaging systems for REAL ID use, DHS is working with states, as well as the American Association of Motor Vehicle Administrators (AAMVA), Department of Transportation, Social Security Administration, State Department, and the National Association of Public Health Statistics and Information Systems. The AAMVA network and systems architecture could act as the hub. DoT is paying for an AAMVAnet update that builds in end-to-end encryption and security standards based on the Federal Information Security Management Act, the final rules said. AAMVAnet already lets states query the Social Security Online Verification database. DHS acknowledged that many states don’t have birth certificates online, making them harder to check through AAMVAnet. The agency also is considering the Commercial Drivers Licensing Information System as the basis for state-to-state data exchanges, it said. Commenters warned DHS about the perils of using CDLIS and similar centralized systems. But the agency said it would be “technically and economically difficult” to design a decentralized system.

Encryption of data on licenses themselves also was rejected in the final rules. Information in the card’s machine readable zone could undergo “skimming” by third parties who could create and sell information, some commenters said. Police said encryption would mean laggard access for them to data on the cards (WID March 22 p9). As with much of the rules, DHS encouraged states to take the lead on handling encryption demands. States should collaborate to gauge the potential for implementing encryption without impeding law enforcement, the rules said. California, Nebraska, New Hampshire and Texas bar ID card skimming and the AAMVA has proposed a model mandate outlawing the practice, DHS said.

Spam Will Balloon without Anti-Skimming Rules?

DHS has “kicked the can down the road” perhaps two future presidential administrations with its deadline extensions, said Barry Steinhardt, director of the ACLU’s Technology and Liberty program. On a conference call after Chertoff’s news conference, Steinhardt gave as good as he got from the DHS chief. “They don’t want the blame” when implementation inevitably collapses, what with “no real penalties” for non-compliant states, he said. Senior Legislative Counsel Tim Sparapani said DHS cut its cost estimate by assuming that one person in four won’t apply for a REAL ID license. “No agency would give this kind of economic analysis real credence,” he said.

Spam will rise unless there are anti-skimming rules in the DHS regulations, Sparapani said. A store could start demanding REAL ID licenses with every purchase to track who buys what, then sell the data it amasses to marketers who inundate those customers with e-mail, he said. The rules don’t limit what information states could put in the machine readable zone. Responding to our question about whether DHS has authority to ban skimming, a matter that may be the province only of the FTC, Project Counsel Chris Calabrese said DHS easily could have asked Congress to authorize it to fight skimming, or even to outlaw skimming on national security grounds by making a case that data could be copied and used to forge licenses. Steinhardt said the pattern is clear: DHS ignores statutory authority on issues like compliance deadlines, where states have been most critical, but says the agency is statutorily “hamstrung” from setting privacy and security standards.

The electronic systems that DHS says will handle data verification largely aren’t built, Sparapani said. “Enormous software systems” for integrating databases nationwide will take years to build amid many technical hurdles, he said. Without federal security standards for the state databases, all states will be at the mercy of the one with the loosest information security standards, he said.

The Hill’s leading REAL ID critic wasn’t pacified by DHS changes. Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., said the law still imposes a “massive unfunded mandate” on states, offered “absolutely no federal privacy protection” for citizens, and marks the first step toward a national ID. Led by Leahy and others, Congress in 2004 approved “shared rulemaking procedures” for a stronger ID card, and Congress should return to that process, he said. Leahy and Sens. John Sununu, R-N.H., Max Baucus, D-Mont., and Lamar Alexander, R-Tenn., introduced a bill to replace the license portion of the law with the original approved rulemaking.

The final rules raise “more questions than answers,” House Homeland Security Committee Chairman Bennie Thompson, D-Miss., told Chertoff in a letter Friday. He chided Chertoff for apparently briefing “other legislative staff” on the final rules before he briefed the committee. The new DHS estimates on implementation costs are unacceptably high, with states possibly in line to foot nearly 60 percent of costs, Thompson said. That situation is especially alarming because the Bush Administration didn’t request any funding to implement the law, though Congress provided $50 million on its own, he said.

Some federal databases that states will have to use are in “dire need of significant enhancements,” Thompson said, and DHS hasn’t provided “the basic tools necessary to get the job done” and make them work better. He asked Chertoff to ensure that “reliable and secure connectivity is made a priority.” Thompson faulted the rules for lacking privacy and security best practices. DHS said it “intends” to develop guidelines. “The personal identifiable information of the more than 245 million license and cardholders nationwide is at risk” while DHS devises guidelines, Thompson said.