Real ID is bad? Compared to what?

There's a way to have a meaningful debate on this. Any new security proposal must be compared to the status quo on four dimensions: Security, privacy, convenience and cost. If the new proposal is clearly better at all four, then it's a no-brainer. If the new program is worse on all four, then, well, it has no brains. What if the new program is better on some dimensions but not on others? Should we weigh the relative merits and compromise? Yes, eventually, but not right away! Since the new proposal enjoys the airy freedom of not actually existing yet, we should go back and rework the proposal until it is overwhelmingly better than the status quo.

If we just throw our hands up and refuse to engage Real ID, we'll get the lousy law we deserve.

What is the status quo that Real ID is aiming to replace? Basically, each state has its own standards for driver's licenses, which differ on many of the important details. This is pretty bad across all four dimensions.

If we just throw our hands up and refuse to engage Real ID, we'll get the lousy law we deserve.

Security is a mess under the current systems. Methods of collecting, verifying and storing background data differ from state to state, as do the physical protections on the cards themselves and the qualifications of the people that handle your licenses. It's not terribly difficult to get a fraudulent driver's license in any state, and it's easier in some states than others. This kind of setup is structurally likely to worsen over time as people "shopping" for a fake license disproportionately target states known to have weak security. The argument that monoculture and homogenization of systems are generally bad for security doesn't apply here; all the state systems don't have to fail for a terrorist to get a fake license--it only takes one.

At the security line at Chicago O'Hare Airport, a New York driver's license is functionally equivalent to a California license. Since the federal government has to treat all the licenses as equal, it's perfectly reasonable to ask that they all be equal. And not just equal, but at least passably secure. Real ID can improve this.

Privacy with the status quo isn't much better. All of your personal data is already stored on your license and can be read electronically by anyone with a simple 2D bar code scanner. DMV databases are susceptible to data theft, and there are no consistent regulations for what you're allowed to do with a driver's data. With the bar set so low, Real ID should be able to provide a significant privacy upgrade, so it's disappointing that the initial proposed language is mostly mute on privacy. If passed today, Real ID would probably do no net harm to our already meager privacy, but this isn't good enough. Let's work explicit privacy protections into the plan. Real ID should be about real privacy and real security.

Convenience, usually the single most important factor in the successful adoption of new security programs, is pretty much a wash here. The quality of the worst licenses will go up and more attention to training should even out the experience of dealing with DMV staff, but most people won't notice a difference in convenience. My friend who routinely gets extra special airport security treatment because his official DC license is so poorly printed that it looks completely fake, will feel better, but most people won't care.

Cost is tricky as well. Initial adoption of a new driver's license standard will certainly be more expensive in the short term, but the efficiencies of scale and standardization may save money over time. Is this wishful thinking? Probably.

So how do we judge Real ID? We are already living with a national-scale identity system, except it's an accidental system that sucks for security and privacy and is lackluster in convenience and cost.

Is Real ID overwhelmingly better? Not yet, but it can be made so. Let's.