By Martin Bosworth
As a reminder, the deadline to submit comments to the Department of Homeland Security on the Real ID program is 5pm Eastern time, May 8th.
The ACLU’s Real Nightmare Action Center has detailed instructions on how you can submit comments. You can also do so courtesy of the Electronic Frontier Foundation. Here’s the form to submit comments, and helpful instructions on how to do so. And here’s a reminder of why this is important.
I’ve included the full text of my submitted comments below the jump, in case you’re interested:
I am a writer who specializes in issues of technology and privacy, and a recognized expert on identity theft, fraud, and data security. As such, I am joining the chorus of authorities who have spoken up to say that REAL ID is a security nightmare of the first order.
REAL ID is bad politics, bad policy, and bad practice. It will have the following effects:
*It will put low-paid entry level workers at state motor vehicle agencies on the front lines of the war on terrorism, by making them responsible for gathering sensitive personal information to authenticate these new REAL ID-sanctioned drivers licenses. That sort of work is challenging for trained and experienced security professionals, so how sensible is it to ask of people who have no such training or experience?
*It will increase the likelihood of identity theft and massive data breaches a thousandfold. Not only will you have a huge interlinked database that will no doubt require private contractors to build and maintain, and which will probably have minimum levels of security at best, but the aforementioned DMV workers will have easy access to personal information which they can sell on the side to make money, often going right into the hands of potential terrorists or criminals. All of these links in the chain guarantee that unauthorized access of the data will occur. It’s not a question of “if,” but “when.”
*Bruce Schneier has noted that this law will have a similar effect to the “Registered Traveler” program–that of creating two classes of citizens, one considered more “legitimate” by having a REAL ID-approved identification. How easily will those who don’t have a REAL ID-approved license be singled out, discriminated against, or held under suspicion? All too easily, I suspect.
*The costs for this program–the upgrading of DMVs across the country, the building of infrastructure to transmit the data, training workers to understand their new duties–is absurd, and the states are being asked to shoulder nearly the whole of the burden. How long will it be before states are forced to raise taxes or cut other services to bring in revenue in order to meet these obligations?
*Most of all, this simply will not be effective in preventing terrorism. Anyone who gets fake versions of the “breeder documents” needed for this ID will get past the screening, and the huge push for compliance in the first few years will ensure mistakes are made. Not to mention that a single ID standard is much easier to forge and duplicate than one that varies across fifty-plus states and territories. Decentralization is better for security in every respect, and this is no exception.
When I attended the FTC’s conference on identity theft and authentication, every time REAL ID came up, the idea was universally derided as a monstrous mistake by privacy and security experts from across the world. It isn’t too late to prevent this mistake, so I urge you to give the words of commenters consideration.
Do not implement REAL ID.