Real ID creator: Law's been misunderstood

Rep. Tom Davis (R-Va.), the ranking member of a U.S. House of Representatives government oversight panel, said he has asked committee chairman Henry Waxman (D-Calif.) to hold hearings to explore questions related to the requirements, which were approved by Congress as part of an emergency military-spending bill two years ago.

"States don't have to participate," Davis told attendees at a meeting here organized by the Information Technology Association of America. "They can issue driver's licenses to whoever they want under whatever standards."

But he acknowledged that only a Real ID-compliant license will allow Americans to do things like board airplanes or enter federal buildings. (A U.S. passport issued by the State Department--new ones have RFID tracking chips embedded--could be a substitute.) He emphasized the importance of pushing ahead with the new standards, which supporters say are necessary to keep terrorists and other dangerous people out of spaces where they could do harm.

Davis said he was confident that after thorough hearings, which he hopes will occur in the "not-too-distant future," "naysayers will have fewer specious arguments to hide behind."

The congressman's remarks come as "="" data-asset-type="article" data-uuid="f84bf3a0-fee1-11e4-bddd-d4ae52e62bcc" data-slug="homeland-security-offers-details-on-real-id" data-link-text="The proposed plan for the cards"> published last month by the U.S. Department of Homeland Security also continues to attract concern from privacy and security experts--even some within the federal agency.

They have balked at the idea, for instance, that the information on the licenses' mandatory bar codes, which could be scanned by banks, bars and other businesses, is not currently required to be encrypted.

Two-dimensional bar codes can be easily photocopied and redistributed, so they are likely to become the "weakest link" in the system, said Kelly Emerick, executive director of the Secure ID Coalition, a group that pushes for greater adoption of secure "smart card" chips.

And even if bar code data is encrypted, it could be hacked by a brute force attack, subsequently allowing break-ins on every other card that's in the system, she said.

Toby Levin, a senior adviser to the Homeland Security Privacy Office, said she shared concerns about the use of that technique.

"The fact of the matter is that the 2D bar code does not protect privacy," she said.

But the department believes it cannot prohibit third parties from scanning information off the cards because Congress did not give it "express authorization" to do so in the law governing Real ID, Levin said.

She said the department's privacy advisers are nonetheless very concerned about protecting the information on the bar code and are exploring ways to limit the data stored there or encrypt it in a way that would not be objectionable to law enforcement authorities. If encryption isn't rejected, she suggested that a "huge educational campaign" will be needed to make sure Americans are aware of what information can be swiped from their cards by anyone with the proper reader.

Homeland Security's assistant secretary for policy development, Richard Barth, continued to defend the program at Thursday's event, saying he has grown to become "very passionate" about the cause. "A good ID, a driver's license, is virtually a weapon in the hands of a terrorist," he said.

Barth said he did not believe the new cards would diminish privacy at all. He also bristled at what he called a "misperception problem" that the Real ID-compatible cards would be required to contain any sort of radio-frequency identification chip that can be read without contact with a machine.

"RFID chip has nothing, nothing, nothing to do with the proposed rule, nor, I believe, the final rule for Real ID," he said. "Real ID and the word chip do not appear in the same sentence in anything I intend to implement."

The department believes data shared among states through their individual driver's license databases should be encrypted in transit, but it's still wary of encrypting the data on the bar codes, Barth said. That's because law enforcement officers want to be able to read the data at traffic stops, he said, and it would be too costly for them to carry special readers that had to be "rekeyed" frequently.

Department officials urged the public to submit comments about proposed rules for the cards until the May 8 deadline because the department is "in a very high listening mode." The department has also scheduled a "nationwide town hall" in Sacramento, Calif., on Tuesday and will allow people outside the area to participate in that forum by submitting questions and comments via the Web or a toll-free phone number.

After reviewing those comments, the department plans to release a final rule sometime during the summer, which Barth admitted could mean as soon as July or as late as September 21.