Instapundit, Eschaton, Dan Solove and others have linked to Bruce Schneier’s case against the Real ID Act, an Act that among other things will require the states to meet certain standards for their state drivers’ licenses. I am tentatively against the Act, as I don’t see exactly what problem it will solve. At the same time, I wasn’t terribly impressed with Schneier’s criticisms, which struck me as heavy on rhetoric but rather weak on analysis.
The most controversial aspect of the Real ID act seems to be the list of items that a driver’s license must have:
(1) The person’s full legal name.
(2) The person’s date of birth.
(3) The person’s gender.
(4) The person’s driver’s license or identification card number.
(5) A digital photograph of the person.
(6) The person’s address of principle residence.
(7) The person’s signature.
(8) Physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes.
(9) A common machine-readable technology, with defined minimum data elements.
In particular, the controversial provisions are (6) and (9). Element (6) apparently would require driver’s licenses to contain actual addresses, instead of P.O. Boxes or other mail drops, and (9) would apparently require that cards retain data much like your credit card retains its number, so driver’s licenses could be “swiped” instead of manually checked.
Specifically, here are Schneier’s three primary arguments against the Real ID Act:
[Element (9)] will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom.
But why should we assume that? If a bar or other business told me that I had to let them swipe my license to buy something or enter the store, I would go elsewhere. I imagine most other people feel the same way. Perhaps making the information more easily accessible would change information collecting practices, but that’s a case that has to be made. (I recognize that invoking ChoicePoint is a good scare tactic, but I would be interested in a careful analysis of why Schneier thinks ID cards would be used this way rather than his inistence that we should just assume it.)
Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver’s licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).
The problem is the law doesn’t require the use of RFID. The fact that RFID could be used in lieu of a swipe card doesn’t mean that it would have to be used, and I imagine most people would much prefer the use of a familiar swipe card instead of RFID. Schenier doesn’t explain why he expects RFID would be used.
REAL ID requires that driver’s licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police — even undercover police officers. This seems like a major unnecessary security risk.
I appreciate Schneier’s concern for our nation’s judges and police officers, but I don’t understand the source of it. Undercover police officers don’t carry around their real IDs anyway, and if they do it’s a police badge, not a driver’s license. And I’m unaware of judges or police officers as a whole being concerned about the security risks of having their home addresses on their licenses. (I would imagine that the overwhelming majority have their home addresses on their licenses now.)
As I said up front, I am tentatively against the Act. I agree with Dan Solove that it should be debated carefully, not passed as a rider on a military spending bill. But if there is a slam dunk case against the Act, I don’t think Bruce Schneier has made it.
I’m not sure if this is something readers will want to comment on, but I’ll enable comments just in case.
Comments are closed.