May 8, 2007
Department of Homeland Security
Attn: NAC 1-12037
Washington, DC 205388
Re: Docket number DHS-2006-0030
Description of organizations signing onto these comments
Privacyactivism is a non-profit organization dedicated to informing and empowering individuals about consumer privacy issues. Through a mixture of education (using graphics such as posters and video games), activism, and the law, we strive to make complex issues of privacy law, policy, and technology accessible to all. We can be found on the Internet at www.privacyactivism.org.
Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) is a national grass-roots consumer group dedicated to fighting supermarket "loyalty" or frequent shopper cards. CASPIAN's efforts are directed at educating consumers, condemning marketing strategies that invade shoppers' privacy, and encouraging privacy-conscious shopping habits.
CASPIAN was founded in October 1999 by Katherine Albrecht. Since that time, CASPIAN's volunteer executive team has grown to include over a dozen talented professionals and our membership base has expanded to include activists in nearly every state in the nation.
The Fairfax County Privacy Council (FCPC) was established in 2003 to focus attention on privacy issues affecting Virginians. FCPC is a member of the Coalition for Constitutional Liberties and the Liberty Coalition, but we are not registered with any government agency because we do not need the government's permission to speak freely and assemble ideas.
The Department of Homeland Security issued the Notice of Proposed Rulemaking (NPRM), as well as a Privacy Impact Assessment (PIA), on the Real ID Act on March 1, 2007. Privacyactivism and others are responding with formal comments on the proposed rules.
The draft rules proposed by DHS to implement the Real ID Act are fatally flawed. Focusing on how best to implement an Act as deeply flawed as this one is not in the best interests of individuals or the states; therefore we recommend that the proposed rule be withdrawn. Ultimately, Privacyactivism believes that the Real ID Act should be repealed, but understands that this is outside the scope of this rulemaking process. Privacyactivism’s comments will therefore focus on the lack of privacy protections in the proposed rule, and on why the lack of these protections requires the withdrawal of the proposed rule.
Specifically, our comments will cover these areas: 1) The general lack of privacy and security protections; 2) the difficulty of compliance; 3) exceptions in the draft rule that lead to inadequate security; 4) the cost involved.
Most provisions in the Real ID Act are hostile to privacy protections, and will result in harm to consumers.
A. The proposed rule lacks any privacy protections with regard to third-party access to information contained in the machine-readable technology, enhancing the threat of harm to the individual, including identity theft
There is no language in the Real ID Act to prevent third party access to information contained in the machine-readable section of the card. DHS has stated that "DHS believes that it would be outside its authority to address this issue within this rulemaking," and encourages the states to come up with a solution.
Failing to address protection of personally identifiable information (PII), and passing the responsibility to the states ignores the risk to an individual’s privacy. Without either a technology or statutory solution, hotels, clubs and bars, and retailers, among others, could get access to that information. A few states have statutes that prevent private entities from collecting information gleaned from driver’s licenses into a database, but most don’t. At best, some states will pass statutes to protect personal information, but there will be a lag before the statutes are put in place, and the damage to an individual’s privacy (and security) will already have been done.
DHS suggested that states adopt model laws that prohibit skimming or swiping of driver’s licenses. Model laws however often contain numerous exceptions with regard to these practices. Fines for violating the law are low enough that it may still be profitable for shadier companies to continue the practice.
“Function creep” is also a risk to privacy. As these cards become more accepted, and contain more data, they become attractive to corporations as they compile information about their customers. This data can then be used for many different reasons, such as profiling and redlining.
The use of a unique identifier only exacerbates the situation. Absent any laws to the contrary, the identifier can be captured by a retailer, linked to transactions, and then sold or shared with third parties. People would generally be unaware that their information was being used in this way until they became inundated with unsolicited marketing pitches, or became identity theft victims.
Also left unanswered by DHS is what happens when someone does become a victim of identity theft. Once the Real ID cards are rolled out broadly, the presumption will grow that these cards are very secure and close to unforgeable. Under this scenario, how does that person prove to the Department of Motor Vehicles and/or DHS that they have become a victim of identity theft? What steps will they have to go through in order to clear their name? Even today we see people who have had others commit crimes in their name; some have even been arrested on multiple occasions. A newer form of identity theft occurs when someone assumes another’s identity for the purpose of medical records identity theft. It is difficult today for victims of these types of identity theft to clear their names; what will happen once Real ID is adopted?
B. The machine-readable technology
For protection of the information stored in the machine-readable technology (which DHS is mandating as a 2D bar code, PDF-417), DHS recommends encryption, but that recommendation is lukewarm at best, because any encryption may hinder law enforcement access. As we heard on the webcast of the Town Hall Meeting that DHS held at the University of California, Davis on May 1, 2007, DHS was more concerned about law enforcement’s need to be able to read the card instantly than about the privacy (and security) of an individual’s data. Others who have nefarious intentions can also get at unencrypted data and use it for their own purposes.
Even though DHS is mandating the use of a 2D bar code, not an RFID tag, a back door route to putting RFIDs in the Real ID license is still a threat. It comes in the form of the Western Hemisphere Travel Initiative (WHTI). This initiative was designed to ease travel between Canada, the US, and Mexico now that passports are required for travel to Canada and Mexico.
Some of the border states are interested in “exploring whether enhanced driver’s licenses and identification cards could be acceptable at the land border to satisfy the WHTI requirements.” Questions raised include how to denote citizenship (DHS is not proposing putting citizenship on the face of the card), and how to integrate the type of ICC technology with the machine-readable technology proposed in the Real ID licenses. It would seem that RFIDs could show up in some Real ID licenses. The RFID standard that WHTI prefers is an RFID tag that can be read from twenty to thirty feet away from a reader. If such a tag were part of a Real ID document, the individual is in danger of being remotely tracked as well as having their data skimmed by remote means.
C. The lack of privacy and security protections in the linked databases
Instead of creating a centralized database where all personal information will reside, there will be state databases that are all linked together. Arguably this could be even riskier than a single centralized database, because if any of the databases, or any link between databases, is compromised, then the attackers may be able to get access to all of the information.
These state databases will include digital copies of the identification documents that applicants bring in to prove their identity (certified copies of birth certificates, passports, and the like). To protect all of this information, as well as the physical security of the Department of Motor Vehicles buildings themselves, the states are directed to develop a security plan, and “best practices” would be the standard. As we know from industry “best practices” standards, “best practices” often balance a variety of interests, of which an individual’s privacy and security are just one. We remain unconvinced that “best practices” will be enough to protect the privacy and security of an individual’s personal information once it is left in the care of the Department of Motor Vehicles.
The fear that the linked databases could be hacked, and the data contained can be abused, is dismissed out of hand. The reason given is that law enforcement already has the ability to access these databases, so the privacy fear is overblown.
However, a recent story in CNET News, “Cyberattacks at federal agencies draw House scrutiny,” described the precarious state of government databases:
Members of a U.S. House of Representatives cybersecurity subcommittee said they weren't confident that the computer systems at bureaus within the State and Commerce departments were adequately secured and scrubbed of backdoors that could allow cybercrooks to re-enter. They also questioned agency representatives on whether they could truly guarantee that sensitive information hadn't been accessed or copied.
"We don't know who's inside our networks," subcommittee chairman Rep. James Langevin (D-R.I.) said at an afternoon hearing here. "We don't know what information has been stolen."
How do we know that this won’t happen to the databases that contain Real ID documentation and source materials?
Data breaches are also a risk to the personal information kept in the linked databases. Data breaches occur regularly, and many governmental agencies have fallen victim to them. Over the last couple of years we’ve seen breaches occur at the Veterans Administration, the IRS, the Department of Transportation, the Navy, the USDA, the Agricultural Department, Health and Human Services, and the National Nuclear Security Administration. Over this last weekend we saw that the Transportation Security Administration has also had a data breach, affecting over 100,000 former and current TSA employees. Their social security numbers and bank account information may have been compromised.
With so much personal information stored in a DMV database, including copies of birth certificates, the question becomes what we do when the database is compromised, not what we do if it is compromised.
D. Lack of definition of the federated querying service
The “federated querying service” that the states will use to query federal databases is vaguely defined. DHS has said it will support the development of the service but will not operate it. It is not clear who will operate it and who will have access to those databases. The states? A third party?
Additionally, the NPRM states that DHS does not intend to expand the purpose for which the querying service will be built, that they will try to mitigate the privacy concerns, and that the federated querying service is voluntary. However, there is no language in the act that prevents it from being expanded, becoming more violative of privacy, and becoming mandatory.
The difficulty of compliance is onerous for the states. Many of the databases needed for compliance are ‘vaporware’: they don’t exist, or are only in their infancy. Yet states are exhorted by DHS to figure it out.
This is one of the more serious flaws in the rule.
States are required to verify both the document and the data under the Real ID Act, yet in many cases the databases used for verification do not exist. Until these databases exist and have been tested for reliability, there will be no way for a state DMV to comply, or for a citizen to obtain a Real ID document.
· Lawful status: it is questionable whether this can be verified using any kind of automated system. Some systems appear to be working while others are not. Verification of the lawful status of students seems not yet fully formed. Apparently a connection between the Student and Exchange Visitor Information System (SEVIS) and SAVE is anticipated, but it is not yet in place.
Many citizens will not have the source documents needed to obtain a Real ID document; therefore exceptions need to be made for these citizens. Unfortunately, this will also allow identity thieves and terrorists to exploit loopholes in the system and obtain Real IDs. These loopholes, while necessary, will also take away many of the perceived security benefits that DHS has touted.
Even though these exceptions are crucial to the well-being and safety of those who need them, they also create security risks. It is something that cannot be had both ways.
Real ID will cost an astronomical amount of money, and the cost is left for the states to deal with. DHS concedes that the cost to the states will range from $10.7 billion to $14.6 billion, and adds that individuals will have to cover an additional $7.8 billion in costs, raising the cost of Real ID to about $23 billion.
DHS acknowledges a cost of $23.1 billion. DHS also acknowledges that the states will incur the largest share of these costs. DHS explains why Real ID is so expensive; there are 56 jurisdictions and 240 million license holders (assuming every one gets a Real ID identification document).
According to the proposed rule, it is “impossible to quantify or monetize the benefits of Real ID using standard accounting techniques.” Secure and trustworthy identification are the two stated benefits. Real ID implementation is purported to lessen the vulnerability of federal buildings, aircraft, and other places where one is required to show an ID to terrorist attacks, but DHS does not explain why this would be so. Nowhere in the draft regulations is there a requirement that would compel an official examining a Real ID document to match it against any database of any kind; thus all that would be accomplished by examining the Real ID document is to note that the ID is valid, precisely the same result we get today with current driver’s licenses.
As written, the rule does not protect the privacy of citizens, nor does it enhance the security of the data about citizens. In fact, because of the loose standards for the handling of personal information contained in the databases and the 2D bar code, there is an increased chance of theft of personal information. Consequently, the protections against terrorism are illusory. As stated above, ultimately the Real ID Act should be repealed, but until then the Act should not be allowed to be implemented, particularly with standards as lax as the ones in the draft rule. Privacyactivism and our co-signers therefore ask that the draft rules be withdrawn.