12.18.2006

At last, action in the Senate!

A story by K. C. Jones for Information Week reports that two senators have threatened to repeal Real ID unless changes are made. Of course the story reports this:
[Senator] Akaka echoed complaints from hundreds of groups -- including the National Rifle Association, the American Civil Liberties Union, and associations representing state lawmakers -- in criticizing the legislation. He noted that the law was attached to defense spending, tsunami relief, and terror prevention. He said the proposal was not subjected to scrutiny, floor debate, or hearings before Congress was "forced" to pass it.

The other senator is John Sununu. Here's Senator Akaka again:
"It's taken DHS over a year and a half just to issue the regulations," he said. "Expecting the states to execute the new system in even less time is unrealistic.

And also:
"If the new state databases are compromised, they will provide one-stop access to virtually all information necessary to commit identity theft," he said.

Go, Senate, Go!

Georgia Rebels!

That's Georgia ReBELS, accent on the last syllable. Their lawmakers are really upset about Real ID, according to this story. Here's a key quote:
State Sen. Mitch Seabaugh (R-Sharpsburg) says the act's requirements are an invasion of privacy, could open the door to identity fraud and will cost Georgia taxpayers as much as $85 million to implement.


What identity inof would be available to fraudsters? Here's another, familiar quote from the story, and well-put, too:
Imagine a massive database accessible by government officials throughout the U.S. containing your name, address, photograph, Social Security number, birth certificate, citizenship status — and possibly even your fingerprints and retinal scan.

The story I've quoted was filed by Carlos Compos for the Atlanta Journal-Constitution. It also mentions the current estimate of the nation-wide cost: $11 billion.

The EU decides to adopt a uniform license:

The European Union will adopt uniform driver's and motorcyclist licenses. There will be a common data base of shared information. Is the EU falling into the Real ID trap? I think not, the differences are refreshing.

First, the obvious goal is safer driving. A goal of the common data base is to keep people who lose their licenses for drunk driving from getting another valid license in yet another country.

Second, this is not a rush job. If anything, it might be too slow. The new license will be introduced in seven years, and be mandatory by 2032. (I have some personal experience watching a Swiss bank NOT get ready for the Euro, and I must say it's a good idea not to try to enforce these big changes too quickly.)

The news story I pointed at said nothing about security interests. If the EU tries to make drivers licenses that are good for the business of driving, they ought to manage to do the job well, for a reasonable cost.

12.15.2006

Michael Chertoff defends Real ID:

Anne Broache reports on an interview or a talk with Michael Chertoff (the DHS chief) here, for CNET news.com. From the article:
The importance of such documents was magnified by an announcement Wednesday, Chertoff said. Federal authorities reported that they had made more than 1,200 arrests related to immigration violations and unmasked criminal organizations stealing and trafficking in genuine birth certificates and Social Security cards belonging to U.S. citizens.

Common sense, if you know ANYTHING about security, is that Real ID will make traffic in birth certificates and social security cards more expensive and more valuable. They'll still be obtainable, and the temptation to cash in on illegal trafficking will be a sore temptation for some of the thousands of people who will have access, after Real ID is implemented.

Will making it more expensive to get these documents stop terrorists? That's unlikely, as it appears that the terrorists we fear most have billions at their disposal. And the plans to rush Real ID into being in 2008 will create many dozens of serious security loopholes to work the system. Another quote from the article:
Conspicuously absent was any mention of the department's cybersecurity plans. After more than a year of delay, Chertoff hired Gregory Garcia, who had been working as a vice president at the Information Technology Association of America lobby group, as the department's first assistant secretary for cybersecurity. That step came after the department had sustained repeated bashing of its efforts in that realm from members of Congress.

It's a pity that DHS can't make a cybersecurity plan of their own, but they KNOW Real ID will work.

12.12.2006

Everybody's afraid of real ID:

The National Governors Association and the National Conference of State Legislatures have issued a statement about real ID. Apparently they're afraid to say that they really, really don't like it, so they want to say somehow or other that it's pretty good. But they can't stand it in its current form.
"NGA and NCSL remain eager to work with Congress and the Administration to ease the impact of Real ID and strive for a solution that will ensure the act is implemented in a cost-effective and feasible manner with maximum safety and minimum inconvenience for all Americans."
and in asking Congress and the administration to work for them. The governors and the Conference merely want the administration to notice that Real ID is going to cost $11 billion, and that the deadline of May 2008 is impossible.

12.06.2006

Real ID and RFID:

RFID is a side issue for Real ID, and I've been ignoring it. But here's an interesting article from "Citizens Against Government Waste" (CAGW). They feel that Real ID cards should not have an RFID chip. Some quotes:
"RFID may be good for tracking produce, but is an expensive, intrusive way to track people," said CAGW President Tom Schatz. "We strongly urge the Privacy Advisory Committee to adopt this report in its current form."
...
The subcommittee report, The Use of RFID for Human Identification, finds that RFID technology "is no more resistant to forgery or tampering than any other digital technology ... (and) exposes identification processes to security weaknesses that non-radio-frequency-based processes do not share." Other privacy concerns include an individual's inability to choose when he or she is identified and what information is read. The subcommittee also proposes safeguards for the use of RFID such as notification of and ability to control when and what information is collected and by whom, enhanced security for chip readers and databases, and limited collection and storage of data.
...
"The use of RFID for human identification burdens taxpayers and leaves Americans vulnerable to potential invasions of privacy with only minimal benefits. We hope DHS will heed the advice of the subcommittee's report and not recommend the use of this expensive and ineffective technology," Schatz concluded.

12.04.2006

Protecting identity credentials is costly:

Dan Farber and Larry Dignan, at ZDNET Blogs, have another perspective on Real ID. (I must say, we have covered this point before, but only briefly.) They say that "The more valuable having an identity credential is, the more likely it is to be counterfeited. Consequently, the more money you have to spend to protect it." They mention a case of a DHS official convicted of taking bribes to fake documents, and note that if a credential is valuable, people will pay a lot of money to fake it. They conclude:
Having multiple credentials is not only smart from a "not putting your eggs in a single basket" perspective, it's also more efficient. No sense protecting your Starbucks Coffee Card to the same level you protect a passport. Real security won't come from a single, all-powerful identity credential, but from a healthy ecosystem of useful, practical, and effective identifiers.

And let's be clear: Real ID is an "all eggs in one basket" solution. Its standardization means that EVERYBODY will have equipment to swipe it, and fake RealID cards will be worth tens of thousands. The states will have to hire SO MANY new employees to process Real ID cards; do you suppose they might hire a villain or two along the way?

Well actually, Real ID is not truly an "all eggs in one basket" process. When you consider Passports, you really have two nearly identical eggs for each person to keep in their basket. Please tell me, why do we need passports if we have Real ID? Or vice versa?