Subscribe
Blog / Podcast Readers
NEWSGATOR YAHOO
BLOGLINES ITUNES
DEL.ICIO.US DIRECT RSS

REAL ID continues to have 'real' challenges

by Shannon Kellogg on 6/18/2007
Topics: Compliance | E-Security | Government Policy

I have been meaning to write something about "REAL ID" for a while now, so will attempt to provide an update on what's happening with this initiative and some additional food for thought. What is REAL ID you say?

Well, for those of you who haven't managed to hear about this identity card mandate, it started with the 9/11 Commission's recommendations (Recommendation #14 in fact) and became a matter of law in 2005 as the "REAL ID Act." The authors of the 9/11 recommendation and the subsequent legislation all were ostensibly aiming for the same thing: preventing the use of a fraudulent driver's license by terrorists through the development of safeguards that would help prevent tampering and use of such a document for false identification -- and that would also enable more effective and trustworthy authentication of individuals for purposes such as boarding a plane. (For more background on the history of the REAL ID program, see John Lehman's op-ed in the Washington Post of May 8, 2007 entitled "An Identity Crisis We Can Ease." Lehman is a former Secretary of the Navy under President Ronald Reagan and was a member of the September 11 Commission.)

Lehman and other 9/11 Commissioners, as well as key Congressional backers such as U.S. Representative Tom Davis (R-VA), have put forward a pretty compelling case over the years for moving forward with REAL ID. However, as respected as many of these proponents are in national public policy circles, their principal message of identity security being an important part of preventing future terrorist attacks has often been drowned out by the deafening criticism from privacy advocates, U.S. state government officials, and others. In his Washington Post column, Lehman writes that "...Current efforts to gut the law are based on two concerns: Some object to denying illegal immigrants the right to drive legally, citing safety and compassionate concerns. Others see the Real ID Act as the thin end of the wedge of a national identity card." Lehman goes on to state in the column that: "Neither objection is valid." He does, however, acknowledge that one objection is "legitimate" -- and this is the central argument against REAL ID that I have heard frequently from the states -- that it is an "unfunded mandate."

Whether you agree or disagree with privacy advocates in their criticism of REAL ID, or proponents such as Lehman or Congressman Davis, I have heard little disagreement about one fundamental point: that something needs to be done to provide more secure identity credentials in order to enhance national security. The other principle that many key voices seem to agree on is that a so-called "National ID Card" is probably not going to go far in this country either. And while, some opponents of the REAL ID card would argue that, if implemented correctly, this would indeed be the first step toward a national identity card, many others would argue just the opposite -- that if properly implemented, REAL ID will effectively replace any future need for a centralized, federal ID card.

So where does that leave us?

Right now, it appears that while REAL ID will be implemented in some states, it will continue to proceed very slowly, with some state legislatures and governors engaged in an outright "rebellion" against this federal mandate, largely based on funding issues. While the U.S. Department of Homeland Security (DHS) has some funding available for REAL ID pilots and the U.S. Congress is currently debating whether to make additional funding available in 2008 spending bills, it appears that only a fraction of the overall funding needed by states to fully implement REAL ID will be realized any time soon. In addition, it also appears that the privacy community will continue to be critical of REAL ID. Also, with Congress in a full-blown debate over immigration policy, who knows where this issue will turn out in that context.

Perhaps, in hindsight, one of the things that proponents of REAL ID might have done better from the outset -- in addition to directly addressing funding and privacy concerns -- would have been to lay out additional benefits that could be realized from an identity card initiative -- that did not just point to national security concerns, but would also include other uses that would provide additional value to citizens as well as state and local governments (other than just a driver's license document). That theme came up a lot during an international panel on what works and what doesn't in government ID card initiatives that I hosted at the 2007 RSA Conference in San Francisco. Toby Stevens of the U.K.-based Enterprise Privacy Group hit the nail on the head: he said that while he is a big fan of ID cards, "...It is inconceivable that we can move forward in the electronic age without some form of strong authentication," and that the long-stalled U.K. ID card was, "built around national security rather than citizen convenience."

Taking Mr. Stevens' idea and building on it, if the REAL ID card were to be used by U.S. states for other purposes -- applications such as applying for or collecting welfare or medical benefits, or for state employees' access to government buildings or information systems -- then it is arguable that this type of credential could pay for itself over time. Of course, that would mean re-working the federal REAL ID standards to allow for the use of more smart card technology -- not an unreasonable path forward, especially since a smart card would have more security features built in than the current specifications for REAL ID released by the DHS. More security features would also likely mean addressing a lot of the concerns that privacy advocates have about REAL ID today.

Other federal government initiatives could benefit from this approach as well, such as the oft-criticized PASS card program, which is part of the Western Hemisphere Travel Initiative that is co-administered by DHS and the U.S. Department of State. That program is under attack because of the use of RFID in the PASS card, related security and privacy concerns, and worries from lawmakers and others about the associated costs that residents of the border regions may have to absorb as a result of the initiative. Again, why not do more with the card? Utilize technology so that the security and privacy of the individual will be enhanced and more applications can be enabled for use now and in the future.

I am not trying to diminish the range of concerns that have been voiced about REAL ID and other initiatives, including the financial costs involved and legitimate privacy concerns. But, given the national security stakes and the prospective benefits that can be reaped by identity card initiatives that provide additional value to citizens and states alike, we might be able to more quickly get through the current national debate about REAL ID and move forward to implement a secure credential that can help deter terrorism, identity theft, and also enable more secure electronic transactions between the government and its citizens.

What do you think?

-S.L. Kellogg

Comments
Glossing over privacy concerns is dangerous

REAL ID can never be anything except a national ID card. Whether the standard is implemented at the state or federal level, the uniformity of data elements and format would amount to a national ID card, period.

Two states have already passed binding legislation blocking implementation of REAL ID (Washington & Montana). Six more have passed resolutions in opposition, and anti-REAL ID legislation is pending in more than 20 others. More info: http://www.bordc.org/newsletter/bordcnews6-4.php#Briefs

And on that same page, have a laugh -- or a cry -- at DHS's invasive requirements for participating in their public hearing about REAL ID ( Public Comment Solicitation on REAL ID Rules Orwellian ). Privacy concerns are the very last thing on DHS's list.

For those who don't give a whit about their privacy, I hope they'll consider the fact that REAL ID will be a one-stop shop for perpetrators of identity theft. If you think it's too easy for your identity to be stolen now, see what happens when all personal identifying information is collected in one single database, or on one single card. It would be the biggest and most ill-advised honeypot project imaginable -- and one with very real consequences for privacy, personal freedom, and our economy.

Anyway, REAL ID would provide no additional security. As has been widely reported in the main stream media, the FBI and CIA were aware of most of the 9/11 hijackers before that terrible day. Those criminals were able to commit their atrocity because our existing security services fell down on the job -- _not_ because they didn't have the tools necessary to meet their duties.

- Privacy advocate
Let's not confuse identity and uniqueness

There's few who would dispute the right – and duty – of the state to protect its citizens. A universal, trusted and panoptical identity card system would clearly achieve a great deal for national security. The problem is that the entire concept is an oxymoron: and that as soon as we start building massive data silos, our ability to trust them decays, as fraud and inaccuracies permeate the system.

How can the citizen be expected to trust such a structure? The solution rests in a shift away from the monolithic data store, and requires lawmakers to start thinking laterally about the role of the state. There are very few circumstances in which the state actually needs to know who a citizen really is (Bruce Schneier has discussed this at length). In the majority of cases, the state simply needs to understand the citizen's entitlement. Can they enter the country? Should they receive the benefits they've requested? Are they entitled to read the data they're trying to access? In most cases we can deal solely with attributes/metadata to interface with the state, and the state can deliver its services without actually knowing who we are.

Now comes the tricky issue of trust. If a National Identity Scheme is to succeed, then it must be trusted by citizen and state alike. To achieve this, we must have: universality of coverage (every citizen is in the scheme); transparency of operation (the individual knows what data is in there and how it is used); minimisation of data collection (no more data than necessary); provable accuracy. These goals can only be achieved if we shift our sights away from data collection, and towards a "uniqueness" register. Stop trying to prove who everyone is, just prove whether that person is enrolled within the scheme, and is in the scheme just once – an approach which will require the use of biometrics. If our goal is to create a database of uniqueness – potentially with no identifying data for the individual – then that can become the glue for other state and private-sector databases to create trust. Of course we need to ensure that it is built with appropriate privacy-protecting mechanisms (after all, if we start storing SSNs or publishing the index numbers then we're back to square one), but the point here is that within the limits of tolerance of biometric enrolment and verification we can prove how accurate our database is. We can apply biometric encryption techniques (as discussed by Ann Cavoukian) to ensure that the database does not become a honeypot for identity thieves or malicious governments. The state can identify its citizens' entitlements without having to identify its citizens.

Very early days yet, but if the forces behind REAL-ID have the backbone to set aside existing political capital and revisit some basic assumptions for the scheme, then we could still create an identification mechanism that protects, rather than infringes upon, civil liberties. (Please note that I have no connection with, or financial interest in, the supply of biometric technologies, ID technologies etc).

- Toby Stevens

Post A Comment

Your Name
Your Email Publish email?: Yes No
Your Blog
Subject
Comment
Verification Word
© 2010 RSA Security. All rights reserved | Privacy | Legal | Site Map

RSA, The Security Division of EMC, provides Secure Data, Compliance, SIM, SEM, SIEM, PCI, Consumer Identity, Two-Factor Authentication, Custom Applications, Consulting, Assessment, and other security solutions and services to over 90% of the Fortune 500.
 
Access Control |  Authentication and Identity Assurance |  Credential Management |  Data Loss Prevention |  Data Encryption and Key Management |  Fraud Prevention |  Security Information and Event Management |  Log Management |  IT Compliance |  ISO 27002 Compliance |  Information Risk Management for Financial Services |  Payment Card Industry Data Security Standard | 
 
RSA Access Manager
RSA BSAFE
RSA eFraudNetwork
 RSA Data Loss Prevention
RSA Consumer Solutions
RSA FraudAction
 RSA Digital Certificate Solutions
RSA Encryption/Key Management
RSA Enterprise Data Security
 RSA enVision
RSA SecurID
RSA Smart Cards

 RSA Federated Identity Manager
RSA Adaptive Authentication