IMPLICATIONS FOR THE IMPLEMENTATION OF REAL ID
A number of takeaways and lessons learned from this comparison might have implications for the U.S.’ implementation of REAL ID and its efforts to gain societal acceptance of the effort by addressing concerns that REAL ID constitutes a national ID system. This issue will especially be important as DHS begins to enforce REAL ID and impose consequences on holders of non-compliant driver’s license and identification documents. Such efforts, in turn, will renew opposition to REAL ID and renew possible
171 Noack and Kubicek, “The Introduction of Online Authentication as Part of the New Electronic National Identity Card in Germany,” 89.
172 Ibid., 93.
challenges, legal, and otherwise, to its requirements. With that in mind, DHS would do well to adopt some lessons from the comparison countries.
Get Out ahead of the Critics: (UK)
Considerable opposition will be mounted against efforts to improve security when they impact individuals and by restricting them or imposing additional burdens. DHS must clearly communicate its message, educate the general public and the states, and address the challenges mounted by critics to ensure the public understands REAL IDs objectives and how the government has and will continue to respond to concerns.
Proceed with Caution before Pursuing Anything Like an Identity Register:
(UK)
While not applicable to the REAL ID in its current form, one of the most controversial aspects of the most recent UK effort on a national ID system was the maintenance of a national register that would collect information on the entire population in a centralized manner. While not unusual in national ID systems, its existence proved particularly controversial and confusion and misinformation occurred as to whether REAL ID establishes a similar system. That misinformation needs to be confronted directly and firmly, while addressing why it is critical that states share information regarding applicants for driver’s licenses and identification documents.
Enlist the Business Community, Particularly the Technology Sector, in Furtherance of the Effort: (India)
This issue is particularly important when implementing complex systems that depend upon non-government systems and systems dealing with technology and implementation and adoption issues. Recent developments regarding surveillance activities of the National Security Agency (NSA) have eroded the trust between business and government on issues affecting individual privacy. However, DHS should enlist private entities in advising as to the best way to develop tools at both the federal and local level to help states effectively implement REAL ID in a secure and reliable manner.
Set Standards for the Technology: (South Africa)
As biometrically enabled ID cards need to distinguish between individuals presenting them to ascertain that the individual presenting the document is actually the individual to whom the card was issued, reliable technology is necessary to match the card quickly and accurately to the presenter, and is important for the system to be usable and accurate. Part of the implementation challenges for South Africa and others has been that the technology supporting the identity management and verification efforts was not standardized, and as a result, various incompatible systems were established that would not effectively interact with each other.
Beware of Feeding the Beast of Business Interests: (South Africa)
While the federal and state governments may do well to enlist the assistance of business, and will always be dependent upon its products and services to implement any effective government technology based program, let alone a national ID system, the management of how business supports critical government functions must be monitored to ensure that the government does not promote the spread of systems supporting incompatible and interoperable government functions. The government must also take care to ensure that business does not become itself too powerful in making use of that information about individuals in ways that could be seen by the public as threatening information security and individual privacy.
Address Concerns Regarding the Accuracy of the System by Encouraging the Capture of Multiple Biometrics: (India)
India found itself faced with the enrollment of an enormous population. The accuracy of the enrollment and of the matching of identity card to enrollees was legitimate concern and was critical to address for the system to be reliable and perform its intended purpose. India chose to collect more then one form of biometrics, to include fingerprints and iris scans. Proof of concept and post enrollment studies have reinforced the wisdom of that decision and have served to increase overall confidence in the accuracy of the system. The federal government should encourage the use of multiple
biometrics, as well as to ensure that confidence in the system’s accuracy grows and inaccuracies do not become a reason to oppose the system.
Give People Choices Regarding the Use of Their Personal Information (Germany)
Germany successfully implemented a national identity card notwithstanding its history and legitimate concerns of using identity documents to oppress its citizens. It has been careful to provide choices to the population regarding how much information it provides and how that information will be used. Giving citizens control over their information diminishes the ability of the government to abuse the identity cards, while empowering the citizens to make judgments about how much private information they want to provide for additional convenience.
D. CONCLUSION
The REAL ID Act has provided the United States the opportunity to enhance the security and reliability of state driver’s licenses and identity documents through the issuance of federal standards by DHS governing the issuance of those documents. Since the introduction of the legislation in Congress, critics have raised concerns that the program was establishing a national ID as part of a coercive identity regime. While the federal government continues to assert that REAL ID does not constitute a national ID scheme, this issue has been one contributing factor in the reluctance of many states to come into full compliance, thus weakening the efforts to address this vulnerability on a national basis. This chapter has sought to explain the claim that REAL ID is a national ID, the U.S. response to the claim, and shows how US. efforts differ from those of countries that have established or have sought to establish a national ID system.
As DHS addresses the lingering concerns, and adopts measures to promote full implementation by the states, it would do well to study and learn from the experiences of the other countries. Doing so will allow it to undertake public messaging to distinguish the U.S. efforts from those of countries with national ID systems and help to promote societal acceptance. DHS and the states must engage with each other to ensure smart and effective implementation of the law to minimize the effects on privacy and security of the
information. DHS should also explore how best to fund, and allocate grants to the states to facilitate the acquisition of technical support. Technology investments and acquisitions should support verification activities in a manner that is integrated, and serves national security interests that protect privacy and information security.
IV. PRIVACY ISSUES ASSOCIATED WITH REAL ID
As discussed earlier, deficiencies in the security of the issuance process related to state driver’s licenses and identification documents had enabled the hijackers to remain in the United States and access the air transportation system, raising concerns about the integrity of the issuance process. This situation led to the 9/11 Commission’s recommendations regarding the need for federal standards for the issuance of birth certificates and other sources of identification, such as driver’s licenses and state identification cards.173 As part of the federal efforts to set and implement such standards, DHS has required states to utilize technology to embed data in the MRZ of the identification documents.174 The MRZ refers to a specific physical area on the document or card where data is encoded in a machine-readable format.175 It allows the data appearing on the face of state-issued driver’s licenses and identification documents to be verified in real-time. This chapter addresses the following: the required data elements for REAL ID documents, the technology specified for the required MRZ (specified as 2D Barcode technology), how it compares to RFID technology—the most likely alternative to 2D Barcode technology, and the process through which DHS selected this technology and addressed privacy related concerns regarding its use.
REAL ID requires state driver’s licenses and identity documents to include defined data elements and make them accessible through a common machine-readable technology. The use of machine-readable identity cards has increased significantly to allow the efficient transition from a manual to an automated authentication process.176 The text information and biometric identifiers, such as facial image, signature, fingerprint
173 National Commission on Terrorist Attacks upon the United States, 9/11 and Terrorist Travel.
(Vulnerabilities include the submission of false documents to demonstrate residency, use by an imposter of documents relating to another individual, and tampering with legitimate documents to enable their use to demonstrate eligibility for state documents.)
174 6 C.F.R. § 37.19.
175 National Commission on Terrorist Attacks upon the United States, 9/11 and Terrorist Travel, 13, 44.
176 Afzel Noore,Nikhil Tungala, and Max M. Houck, “Embedding Biometric Identifiers in 2D Barcodes for Improved Security,” Computers and Security 23, no. 8 (December 2004).
template, or iris template, are typically stored on the card and enable verification of the identity of the owner. The technical standards for the machine-readable technologies to be employed by the states are set forth at 6 C.F.R. § 37.19.177 For purposes of this discussion, it is sufficient to know that DHS established the Portable Data File 417 barcode (PDF417) as the required technology to embed data into the MRZ.