But why should we assume that? If a bar or other business told me that I had to let them swipe my license to buy something or enter the store, I would go elsewhere. I imagine most other people feel the same way.

I imagine you are wrong. I mean, it's an empirical question, to be sure. But my intuition is that there's a lot of inertia/take-it-as-you-find-it with this sort of thing, once it's in place. People are already asked for ID all the time. They already had their credit cards to strangers all the time. So handing your ID to be swiped isn't going to feel like such a big step. It's similar to the way people threatend to stop going to bars and restaurants in CA and NYC if smoking bans were introduced, but after the fact there was no discernable drop in business. The ChoicePoint example isn't just a scare tactic. Once they're in place, databases like this are always susceptible to abuse in large or small ways. The shocking way that people's credit histories are managed isn't very encouraging.

I can definitely see widespread swiping. Probably under the auspices of preventing ID theft in order to make sure that the ID is legitimate.

Sort of like grocery store POS systems that require the clerk to key in a date of birth for anyone purchasing liquor in order to proceed with the sale -- even if it is a 90 year old lady. Instead of keying in the DOB, just a swipe of the ID. Grandma probably won't even know all the info on her that is being captured.

I note that ATM cards are machine-readable, and even carry an encrypted version of the PIN. Countless ATM card readers are installed in all kinds of establishments. Yet PIN theft via card readers is not happening.

"Sorry, that's not true. Unregulated ATM's in delis, convenience stores, etc. are becoming a favorite tool for identity thieves. "

I believe that what he meant was that merely swiping an ATM card cannot get you the PIN. If you fool the owner into swiping his card and typing in the PIN on the fake ATM machine, then you can get the PIN.

But back to the issue at hand here - in my opinion it is perfectly reasonable to require that all states use a common format for the encoded data on drivers licenses.

How many people go through the airport screening process each day and present their drivers license as proof of identity, and do the screeners ever use the encoded information on the back of the drivers license to verify that the license is authentic? They don't use the encoded data because each state has come up with their own standards. NY and NJ drivers licenses are different - NJ uses a 2D bar code while NY uses a magnetic strip and 2D bar code. There's no way they could handle 50 different encoding standards.

To add to Kieran's comment, I think an empirical analysis of department stores show how people would react to having to show their license before entering a business. Most big stores like Nordstroms, Macy's, Marhsall Fields, Saks, etc. all ask for phone numbers with your purchase. I rarely see or overhear anyone deny this request. There may be a bit more annoyance with having to fish out a driver's license, but that's not much different than just being asked for your credit card.

Also, an especially attractive group for advertisers, 18-24-year-olds, are also much more likely to be willing to give up their driver's license if it means getting into a club or bar. Have you ever seen the lines at those places?

"Most big stores like Nordstroms, Macy's, Marhsall Fields, Saks, etc. all ask for phone numbers with your purchase. I rarely see or overhear anyone deny this request."

Well, I for one resent being asked, and if I don't object I usually give them the number 202-456-1414 (the main switchboard at the White House).

"And why for driving? What does driving have to do with all of this? I find myself wondering if states will create new "motor vehicle operations certificates" to handle licensing drivers without the trouble of vetting everything for the national ID card."

Exactly! Driver's licenses should be for the purpose of confirming that the holder is qualified to drive a car on the highways of the issuing state. If Uncle Sam wants a national ID, he should have the gumption to do so openly, rather than hijacking the state governments to do it for him. (Remember when the Republicans were the ones opposed to unfunded mandates on state governments?)

The biggest headache of all of this will be requirement that state DMVs must personall verify by phone call to the issuing authority the four forms of ID that you have to present.

Statements like these are among the biggest problem with the debate over REAL ID. There is nothing in the bill that requires verification to be make via telephone call. In fact, the bill is silent as to the method of verification, it merely states that verification is required to be performed prior to issuing a license or ID card.

Another point that is often overlooked, though not by people here, is that this bill, based on a plain reading of its text, will eventually apply to everyone, regardless of "immigration" status. There is no grandfather clause or any waiver available. So even if you have had a license in the same state for 50 years you will still have to present documents to the MVA/DMV in your state at least once prior to renewing your license. Currently there are several state, 10 or so I think, that permit renewal by mail or other "speedy" renewals. Not anymore, those laws would appear to be inconsistent with the requirements of REAL ID, thus, states that have had reduced loads due to renewal by mail or internet will have to deal with all of those people if this law is enacted.

Finally of potential legal signifigance, where is the 10th amendment discussion in all of this. Reading New York v. US and Printz v. US, one can't help but wonder if this law does't conscript or commandeer state legislative and executive powers in a manner inconsistent with the 10th Amendment's protections of state soveregnity.

It's a reasonable and valid assumption that if the card is available its presentation will be widely demanded and used. In Washington, DC, I must sign in and show my driver's license at almost all large buildings, both governmental and commercial, to get entrance. My cable company (Comcast) has demanded that I provide my Social Security number before it will discuss a billing problem over the telephone -- and when I have refused to provide it they have refused to continue the conversation. What are my options, if I need to get to an office in a building or need cable Internet or television service?

The use of Social Security numbers as identification is roughly equivalent to the use of a secure Real ID card. Nobody should do it -- but unless it is explicitly forbidden by law it will be done. And the convenience of swiping a machine readable card means that its use will be widespread -- to make a purchase, to get a drink in a bar, or to get into an office building.

If "swipe card" means a standard credit-card type of magnetic stripe, that won't work. Credit-card magstripes hold about 130 bytes of data, which isn't nearly enough for the required textual information plus digitized photo.

To hold enough data, states will probably have to use 2D barcodes, or smartcards, or RFID. Each has its disadvantages.

Storing the data in digital form allows the state to digitally sign the stored data, which prevents some types of forgery. Private organizations can take advantage of these anti-forgery benefits only if they scan or swipe the card. So even private organizations that don't want to gather databases will have an incentive to read licenses digitally rather than by eye.

There is a decent slippery-slope argument that RealID will lower the cost of license-scanning technology, thereby fostering the collection and storage by private parties of information about citizens. That is probably one source of Schneier's worry.

Two unrelated comments: First, you don't have to be an undercover policeman to want your home address to remain private. For example, my sister is a physician, and she has to be extremely careful about giving out information that might give away her home address or telephone number. Otherwise, she's opening herself up to daily harassment from disgruntled, mentally ill or substance-addicted patients. That would also mark her home as a likely place that thieves could find a (genuine) prescription pad, which would be worth a significant sum to someone who had an addiction to painkillers, etc. In my own experience, I had a young man stalking me for a period of about six months; he got my address by pilfering my personnel file from work, but an ID card would have done as well. Coming home to find my place vandalized repeatedly for half a year made me much more cautious about who gets my personal info— even if I'm not an undercover cop.

Second, as far as "what does driving have to do with this?"... if a driver's license (the card) is not tightly bound to the identity of the human being presenting it, then it's useless as proof of approval to drive (or anything else). It would be only a piece of plastic showing that "somebody" is authorized by the state of (wherever) to drive. Every state requires photos, which are a simple form of human-readable biometric, if you will. Whether that should be augmented, and by what means if so, is the question.

What information would be on this ID that is so "private"? Name, height, weight, DOB. My question: Who cares if that information is "harvested"?

Unfortunately the U.S. doesn't have a rational debate about identification, security, and data privacy. Since we don't and won't, I say:

* we should be doing away with the social security number, not further embedding it into our systems (Unlike other data it often serves both to identify and authenticate the person, which violates good security logic.)
* the implementation of Real ID should be flexible. The Federal govt. has guidelines for e-authentication that agencies are in the process of implementing, but that seems to be a separate line of discussion/development from Real ID. It's going to be expensive to implement both; we ought to be doing them logically.
* RealID ought to include restrictions on the state databases, including provisions for audit trails and transaction logs, encryption of data, provision for review and access.

As the ID offers convenience to proprieters, its use will become more accepted by consumers, and eventually ubiquitous. At that point, the ID becomes a way of tracking the day-to-day and moment-to-moment movement of individuals.

Like credit cards, what begins as a convenience quickly becomes mandatory for those wishing to participate in society.

The idea that this will not happen is, frankly, and with all due respect to Mr. Kerr who I greatly admire, ignorant of history, business, and human nature.

It is the natural inclination of commercial proprietors to accumulate information, to impose "security" restrictions, and to co-mingle the two.

This is why websites at which I am required to register ask for my birthday and zipcode and oodles of other information not necessary to verify my credit card. They ask for a phone number even if they swear both never to call and never to sell the information.

Colleges and office buildings are replacing metal keys with electronic key cards, of lower cost and greater convenience to all involved. And why not keep track of who's sleeping in who's dorm and taking what breaks while they're at it; if the information exists, why not collect it?

Search bags on entry to baseball stadiums; even if its pointless to deter terrorism, it at least ends that pesky problem of people paying $1.75 instead of $6 for Pepsi.

Swipe-on-entry will begin, I suspect, in five places. Bars, of course. (At the moment, those scanners verify only that the ID is real, they cannot read its contents - but who'll notice the change?) Jewelery stores and other retail establishments that already have very high entry security. And retail establishments that serve the poor, where pilferage it high and the clientelle is used to terrible treatment. (Check out the Fulton St. Mall in Brooklyn sometime.) Government buildings. And firearms sellers, as more efficient mandated enforcement of federal background check laws. (Not that I'm against that; I'm not.)

From there it will spread generally to retail establishments with significant "shrinkage" problems. Department stores and clothing retailers and so forth.

It will become a convenience-card replacing others to thin bulging wallets. Why should Duane Reade pay the 10 cents to manufacture its own reward cards when they can just use the ID? At the same time, buildings (schools, businesses, apartment complexes) that would be switching to their own RFID cards will instead switch to the Real ID cards. Why should the customer have to carry an extra card?

From there, ubiquity. Perhaps we use the cards to identify credit and bank account holders rather than separate credit cards. All of the information in all of the databases is now easily linked on the Real ID number. And we're no longer a civil or free society.

Some number of parole jumpers or sex offenders will be caught through their use of the cards. Some state or town or county will mandate its use at all points of entry, the better to protect the good citizens within from ne'er do wells from without. Perhaps regions will go on lockdown, requiring use of the cards at ports of entry only after Amber Alerts?

I think people who aren't deathly afraid of this are misunderstanding the impact that its had in places that have done it. It reaks of the Russian internal passport system.

Prosecutors who have done cases with nasty people often get a non-home address put on their Driver's Licenses.

There's no real-world guarantee that people will keep living at whatever address they submit when they apply for a D.L., so there's no good reason to demand anything but a legitimate mailing address--so that the D.L. authority will know where to send the new card. Used in that way, the address would be self-validating--anyone applying for a card would have to give an address good for a few weeks at least--long enough to check out their other credentials like birth certificate. I propose a simple but effective test for the true need for a residence address: why not let a citizen put just a mailing address on his/her D.L., with the "residence" address held in confidence by the DMV retrievable only by a search warrant (not an administrative subpoena or national-security-letter)? The residence address could be used for fraud checks at D.L. issuance, the police could get it by showing probable cause to a judge, but casual license inspectors would not get it. We all know that the bureaucrats driving this thing consider that unacceptable, but why?

This "real residence address" part of the requirements is the subtle but really dangerous part of the bill. The half-smart anti-fraud wonks want it to check whether it correlates with the other info you give, to assess the probability that your application is fraudulent. In the real world of millions of applications processed by dullwitted DMV clerks that simply won't work. The police want that address so they can go there at 3:00 AM to arrest you, and if you aren't there, they can add "felony D.L. fraud" to the charges against you. But the likes of ChoicePoint want it the most--they will use that address for cluster analysis. It really screws up the statistical models they use for targeted marketing when your D.L. address (which they get either from the DMV or from one of those taverns swiping your license) says you live in "Yuppie Heaven" when you really live in "Below Dirtbag." I would bet money that the cluster-analysis people are driving the address requirement with the security and police folks just along for the ride. But as people keep pointing out, it's dangerous to the D.L. holder to give out his residence address to everyone who sees that card or accesses that record. Who wants a visit from any stalker who can bribe a convenience-store clerk?

[Element (9)] will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom.
But why should we assume that?

Because unless we assume that, we can't assume there will be any greater security in the use of these licenses than in the standard ones. The greater authentication strength of the license lies entirely in its ability to be verified in real time.

The best argument on why having more swipe-IDs leads to worse security is this:

It makes people feel like they've got security. But in reality, they'll do even less than they do now to check that you MATCH your id. All they will do is test if the ID is valid--id valid, good. Whether or not you LOOK like your ID will be unaddressed. This is already what happens at department stores, convenience stores, etc. IDs are swiped for validity for buying cigs/alcohol in CA, MN, and many other states already.

Every time we increase the amount of ways that information is kept in data bases, we increase the amount of ways that that information can be stolen by people. We see this all of the time with dbs that contain SSNs, medical records, billing records, etc. There will be no way to prevent that information from being collected, stored, sold; no way to stop it from being ILLEGALLY collected, stored, and sold.

What problem does this solve? That's the real issue. I don't mind a national ID--I've already got two. But I mind identity theft and mechanisms that simplify it.

I think there are more important provisions in Section 102 of the Real ID Act (H.R. 418) that need airtime.

First, the section allows the Secretary of Homeland Security to waive any law if it is deemed necessary for the expeditious construction of border barriers.

Second, and more importantly, it prohibits judicial review of such waivers and bars judicially-ordered compensation, injunction, or other remedy for damages as a result of a waiver.

Isn't anyone concerned that judicial review is at stake here?

Guido, Congress is allowed to restrict the scope of judicial review. Moreover, in policy questions regarding border integrity or immigration enforcement, the courts generally defer to Congress and the Executive Branch's judgment. How exactly do you see the restriction on judicial review of border enforcement policy, as a threat to judicial review at large?

What information would be on this ID that is so "private"? Name, height, weight, DOB. My question: Who cares if that information is "harvested"?

In that case, pleas post your full legal name, date of birth, gender, driver's license or identification card number, address of principle residence, and links to digitized versions of your photograph and signature. Thanks.

On a more mundane note, what would happen if the magnetic strip on your license wore out? I routinely wear out the strip on my most-used credit cards before they expire; I rather doubt that one could get a new driver's license with the same ease as a replacement credit card.

I also discovered a while back that cards can be demagnetized by sitting in the same pocket as a ringing cell phone. And many are aware that cards can be similarly zapped by being laid down on the counter above the electromagnets that deactivate theft alert tags.

Would a license with a worn-out or demagnetized strip still be considered valid? That is, would bars etc have the right to reject it as proof of identification? Considering what a pain it is to replace a lost license as is, I don't like how this might be shaping up . . . .

Don't all you "good people" ( I just love to borrow phrases from our president, such a way with words) this is the mark of the beast. Says so in the "good book". That's why I'm agin it.

I'll second all the concerns about swiping becoming the norm. All of these could be addressed while still achieving the security aspects of a national ID by merely designing the card to verify instead of identify. In other words, the card would not contain any personal information of you other than the minimum required to verify that you are who you say you are. Last year, Wired discussed an example of how this could be done.

Basically, the card could use something similar to private/public key encryption. The card would contain your public key, and your fingerprint would be the private key. Swiping the card would cause it to create a digital signature that could be verified against your thumbprint, proving that the card is yours and that it's valid. This would protect privacy as long as the fingerprints weren't stored in a central database, but I'm not sure how that would be ensured. Maybe by making all of the card-reading terminals open-source or something.

I might be wrong on this interpretation, but that was my understanding.

In my mind, the question is why a new law is needed when a process to create better drivers licenses was already underway at the Department of Transportation, in which all the stakeholders had a say in the development of the id.

I suppose that some of you worrywarts don't have listed telephone numbers, conduct all your transactions in cash, move every year or two, buy pre-paid cellphones from different providers and post to this blog from anonymous sites. I don't.

My current Ohio Drivers License has all of the elements required by the new law, except the machine readable portion (it has a magnetic strip, but I don't think it works). It doesn't bother me, indeed it is a real convience to have and I would want it or something like it even if it were not required to drive.

In any event, I do not think that this law creates a real problem because it does not invande privacy it only limits anonymity.

I think there is a useful distinction to make between privacy (the right to not walk around naked and to not be observed at home, the 4th amentment and similar concepts) and anonymity. I am very skeptical that the concepts are the same or overlap.

I think that privacy should be protected, but that anonymity is a historical anomaly that does not deserve protection. My heuristic for distinguishing between privacy and anonymity is to imagine a pre modern village. In the middle of the village is a marketplace where old ladies sat, sold vegetables and gossiped betimes.

You were born in the village, lived there and probably never went more than a few miles away. The old ladies in the marketplace knew who you were, where you lived and the identities of all of your ancestors and kin. They also knew whether you liked brocolli, whether you paid your bills on time and if you were charitable to the poor. You were not anonymous, but they had no way of knowing what you did in private.

In the 19th century, cities began to grow so large that most people began to live in places where they were anonymous. This was a historical anomaly.

Now, anonymity has its uses, especially if you want to comit a fraud or a crime or overthrough the government. And many people began to enjoy anonymity, especially among radical political groups who dreamed of the "Revolution," that final redemtion from history.

In the 21st century, the electronic data processing revolution has begun to dispell the fog of the 20th century city that engendered anonymity and create a new global version of that ancient village square. It is not of itself evil, it is merely a return to the common condition of mankind. Revolutionaries and their sympathisers are deprived of a usefull tool and the world is not yet redeemed, but for most of us life will go on as it always had.

The forgery issue I mentioned above is, as Sean says, that traditional licenses can be forged by manipulating paper, ink, and plastic; but digitally information, digitally signed by the state, can only be forged by somehow compromising the state's cryptographic key.

Orin asks whether the statutory language requires the photo to be stored digitally. I'm not sure how to interpret the language on this point. It doesn't say explicitly that the photo must be stored digitally, but the list of required elements on the license includes "a digital photograph of the person". (None of the other required elements says "digital".) Perhaps "digital photograph" means a photo taken on a digital camera. But why would anyone care what kind of camera was used to take the photo, if it only ends up printed out on a paper license? The alternative interpretation, that "digital photograph" means a photo stored in digital form on the license, seems just as plausible.

In any case, there are good security reasons to make the photo digital. If the photo is only printed on the license, then old-fashioned forgers can put Bob Badguy's photo onto Ike Innocent's license, and Bob can impersonate Ike with impunity. Verifying the state's digital signature on Ike's license information doesn't help, since the forger only modified the photo, which by assumption isn't covered by the digital signature. Having a single digital signature that covers the photo and the other information serves to tie the photo to the other information.

Regarding the discussion of cryptographic alternatives, verify-but-don't-identify schemes, and so on: There are many complicated tradeoffs in designing a national ID system. There's a very nice National Academy report on this, at http://www7.nationalacademies.org/cstb/ pub_nationwideidentity.html.

"Driver's licenses should be for the purpose of confirming that the holder is qualified to drive a car on the highways of the issuing state."

And I thought the REAL purpose of the driver's license was to make it easy for the police to give you a traffic ticket.