Back in 2005, Congress snuck an obscure provision into a military spending bill that, in effect, created the first national ID card in US history.
The "REAL ID" Act imposes security, authentication, and issuance standards for American state driver's licenses and state ID cards. There are 43 separate requirements in all. Any state-issued ID that doesn’t comply with the new standards will no longer be accepted for any federal “official purpose,” including boarding a domestic airline flight, entering a federal courthouse, etc.
The original deadline for states to comply with the law was May 11, 2008. But the Department of Homeland Security (DHS) repeatedly extended it when legislators in almost half the states refused to go along with the unfunded federal mandate.
Now, DHS has announced it’s no longer willing to play Mr. Nice Guy. After October 1, 2020, you won’t be able to use noncompliant ID to enter a federal facility. And 23 states have yet to comply with the new requirements.
According to the DHS, “Individuals holding licenses from noncompliant jurisdictions will need to follow alternative access control procedures.” That means if you don’t have compliant ID, you’ll be turned away from federal facilities unless you have an “acceptable second form of ID,” such as your passport. And if you don’t have a passport (perhaps the State Department confiscated it because you owe money to the IRS), you might be out of luck.
Apart from the enormous cost of implementation (estimated at more than $11 billion a decade ago), REAL ID is a bureaucratic nightmare. States must require drivers to prove they possess a valid birth certificate and social security number. Before renewing your driver's license, your state Motor Vehicles Department must now check your driving record in every other state. If you have an outstanding violation in any other state—even an unpaid speeding ticket from decades ago—you won't get your new license. And everything must be in perfect order, or you’ll have to negotiate a labyrinth worthy of a Kafka novel to resolve the problem.
A few months ago, I met a young woman I’ll call Rita who had been abandoned at birth and raised by a band of hippies in the California desert. She had recently applied for a REAL ID-compliant driver’s license and had been asked to produce her birth certificate.
Rita doesn’t know her birthdate, the identity of her parents, or even her real name. She’s not even sure she was born in California. That’s just the state where the hippies told her they had found her. The hippies didn’t believe in bureaucracy, so they didn’t bother to formally adopt her. After doing a little research, I concluded her only recourse would be to hire a lawyer to sue the State of California to force it to issue her a birth certificate. And that might not even work, unless Rita can get one of the hippies to testify that she was born in California.
The most threatening aspect of the REAL ID initiative is that it’s a security and privacy nightmare. Once the remaining states fall in line (which is inevitable), there will be 50 interconnected state databases containing private and sensitive information on more than 220 million licensed drivers. Each state must provide all other states with electronic access to its motor vehicle database. To work properly, the database will need to be available to any authorized user. That will include airport ticket agents, police, DMV employees, and countless other individuals.
All the data in the database will need to be verified to ensure accuracy. That’s far from easy. For instance, approximately 14,000 people each year are added in error to the Social Security Administration’s “Death Master File” (DMF), a compilation of persons who have died and are thus no longer eligible to receive social security benefits. If you are added to the DMF, you won’t be able to apply for credit and might even find your bank accounts closed. And you won’t be able to get a REAL ID compliant driver’s license, because your state will have to check your social security number in the DMF.
And this is just one friggin’ database with errors.
Of course, the REAL ID database will need to be secure. That’s a huge task, given how much confidential information will need to be protected. Plus hundreds of thousands, perhaps even millions, of people will need to access it.
Outside hackers are an obvious threat. But consider the threats posed by an underpaid cop or a blackmailed ticket agent. Any such insider will have instant access to sensitive information on millions of people.
And as I’ve pointed out before, a single centralized database is far less secure than multiple databases. The reason is easy to grasp. If you have a centralized network with a single point of penetration, hackers (or foreign intelligence agencies) only have to focus their efforts on that network. But when multiple networks exist, hackers may not know which network to target to acquire the data they seek.
Along the same lines, a single ID is more susceptible to identity theft than a decentralized one in which individual states issue ID cards according to their own rules. Again, it’s easy to understand why. As security expert Bruce Schneier has observed:
A single ubiquitous ID card will be trusted more and used in more applications. Therefore, someone who does manage to forge one – or get one issued in someone else's name – can commit much more fraud with it.
All of this makes me nostalgic for the days when applying for a driver’s license merely meant an encounter with a grumpy and incompetent clerk. Now, it means exposing your most sensitive data to theft by anyone clever enough to hack into the REAL ID database.
Under the circumstances, our best hope is that DHS extends the 2020 deadline yet again. Another option is to relocate to a country like Switzerland that takes privacy and security much more seriously than the US!