Why Real ID is a flawed law

It's been nearly three years since Congress passed the act, and the Department of Homeland Security just published final regulations to implement the law that will change the way state driver's licenses are issued.

Of particular concern is the department's flirtation with a central ID database. The final regulations, released January 11, strongly support leveraging existing technology by expanding the central database for commercial drivers to include all drivers and state ID card holders--that is, virtually every American.

Following this path of least resistance fails to acknowledge that the security risks of a central ID database are enormous, as is the potential for abuse by government and business. Security experts agree that creating a "one-stop shop" of highly sensitive personal information on millions of Americans, not just a relatively small pool of commercial drivers, is a bad idea. It would be an irresistible treasure trove for identity thieves, terrorists, and other criminals.

The law's basic goal of making the driver's license a more reliable assertion of identity is a good one. Setting minimum federal standards to make the issuance process more secure so that it's tougher to get fake driver's licenses or hold multiple licenses from different states is not unreasonable.

The ostensible purpose for a centralized repository of ID information is to enable states to more easily check whether new applicants already have a driver's license from another jurisdiction, thereby ensuring "one driver, one license." But this can be achieved without creating a central ID database that puts Americans' privacy and civil liberties at risk.

Building a distributed system that stores ID information in different locations, such as state motor vehicle databases, makes more sense. Each state could check with other states for possible existing driver's licenses without having to ping a central database, while maintaining control over its residents' data. This is technologically possible, especially if states have adequate funding to scale up their systems to handle the incoming traffic.

Regardless of whether ID information is stored centrally or in separate databases that are accessible via a central portal, an equally important question is who would have access to the ID data and for what purposes?

If it is run by DHS or otherwise deemed a "federal" system, some limitations would be placed on the U.S. government by existing federal privacy and security laws. But these laws may still need to be bolstered in light of Real ID.

If run by a private organization, as is the current commercial driver's license database, federal privacy and security laws may not apply. Nor would the much-touted--though still weak--Driver's Privacy Protection Act, which only regulates how state motor vehicle departments disclose personal data to government agencies and commercial entities.

Thus no robust legal framework exists to protect the personal information that would be held in the centralized ID system envisioned by DHS from misuse by government and business. Allegedly, the Department of Transportation and other federal agencies already regularly access the privately managed commercial driver's license database with virtually no oversight.

And neither the Real ID Act nor the final regulations prohibit the recording of individuals' transactions in the central ID database or the skimming of personal data from the card itself, both of which would facilitate intrusive tracking by the government and unsolicited marketing by commercial entities.

The law mandates that ID information be digitally stored on the card in a standardized format, but neither it nor the final rules include encryption or other security requirements. There have been news reports that some businesses are already collecting personal data from driver's licenses using commonly available readers without patrons' consent. A national standard would make this even easier.

Supporters of the Real ID Act shamelessly exploit the contentious illegal immigration and national security issues as political cover for what could evolve into much darker government uses. Legislation has already been introduced in the Senate and House to address some of these concerns.

State legislatures are also speaking out against Real ID. Seventeen states have passed legislation rejecting Real ID, and in 22 other states such legislation has either been introduced or has passed one chamber.

The ideal solution is for Congress to revisit the fundamentally flawed Real ID Act. But even if Congress doesn't act to repeal the law or otherwise attempt a fix, DHS has a responsibility--and the statutory flexibility--to build strong privacy and civil liberties protections into its regulations to ensure that the implementation of Real ID doesn't do more harm than good.