May 8, 2007
Testimony of Jim Harper, Director of Information Policy Studies
It is a pleasure to speak with you today. I am director of information policy studies at the Cato Institute, a non-profit research foundation dedicated to preserving the traditional American principles of limited government, individual liberty, free markets, and peace. In that role, I study the unique problems in adapting law and policy to the information age. I also serve as a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee, which advises the DHS Privacy Office and the Secretary of Homeland Security on privacy issues.
My most recent book is entitled Identity Crisis: How Identification Is Overused and Misunderstood. I am also editor of Privacilla.org, a Web-based think tank devoted exclusively to privacy, and I maintain an online resource about federal legislation and spending called WashingtonWatch.com. I speak only for myself today and not for any of the organizations with which I am affiliated or for any colleague.
* * * *
Mr. Chairman, the REAL ID Act is a dead letter. All that remains is for Congress to declare it so.
The regulations "punted" on REAL ID's most important technology, security, and privacy problems. Of utmost importance, the DHS proposal lays the groundwork for systematic tracking of Americans based on their race.
There are highly meritorious bills pending in the Senate and House to repeal the REAL ID Act and restore the identification security provisions that were passed in the 9/11-Commission-inspired Intelligence Reform and Terrorism Prevention Act. Congratulations, Mr. Chairman, for being an original cosponsor of this legislation in the Senate.
These bills would be improved if they were to chart a path to government use of emerging digital identity and credentialing systems that are diverse, competitive, and privacy protective. We can have identification and credentialing systems that maximize security and minimize surveillance. REAL ID is the ugly alternative to getting it right.
REAL ID Does Not Secure the Country
I will begin with security issues, which are the most important. Simply put, the proponents of REAL ID have not borne their burden of proof. They have not shown that REAL ID would add to our country's protections -- because it doesn't.
The Department of Homeland Security has had two years to articulate how REAL ID would work. But the cost-benefit analysis provided in the proposed rules issued in March (the notice of proposed rulemaking or "NPRM") helps show that implementing REAL ID would impose more costs on our society than it would provide security or other benefits. REAL ID would do more harm than good.
Executive Order 128661 requires agencies to assess the costs and benefits of the requirements they propose. In its cost-benefit analysis, the Department found that implementing REAL ID would cost over $17 billion.2 This is 50% higher than the $11 billion estimate put forward by the National Conference of State Legislators.3
The NPRM was the Department's opportunity to show how REAL ID might add to our country's protections. But on the question of benefits, the Department of Homeland Security essentially punted. It said:
It is impossible to quantify or monetize the benefits of REAL ID using standard economic accounting techniques. However, though difficult to quantify, everyone understands the benefits of secure and trusted identification. The proposed minimum standards seek to improve the security and trustworthiness of a key enabler of public and commercial life -- state-used driver's licenses and identification cards. As detailed below, these standards will impose additional burdens on individuals, States, and even the Federal government. These costs, however, must be weighed against the intangible but no less real benefits to both public and commercial activities achieved by secure and trustworthy identification.4
This is not analysis, of course. It is surmise. A few paragraphs later, it continues:
The proposed REAL ID regulation would strengthen the security of personal identification. Though difficult to quantify, nearly all people understand the benefits of secure and trusted identification and the economic, social, and personal costs of stolen or fictitious identities. The proposed REAL ID NPRM seeks to improve the security and trustworthiness of a key enabler of public and commercial life -- state-issued driver's licenses and identification cards. The primary benefit of REAL ID is to improve the security and lessen the vulnerability of federal buildings, nuclear facilities, and aircraft to terrorist attack. The rule would give states, local governments, or private sector entities an option to choose to require the use of REAL IDs for activities beyond the official purposes defined in this regulation. To the extent that states, local governments, and private sector entities make this choice, the rule may facilitate processes which depend on licenses and cards for identification and may benefit from the enhanced security procedures and characteristics put in place as a result of this proposed rule.
The assessment goes on to imagine what protection-rates would cost-justify the REAL ID Act regulations.5 According to the assessment, if REAL ID lowers by 3.6% per year the annual probability of a terrorist attack causing immediate impacts of $63.9 billion, the rules would have net benefits. If REAL ID lowers by 0.61% per year the annual probability of a terrorist attack causing both immediate and longer run impacts of $374.7 billion, the rules would have net benefits.
This is an unsound way of judging the anti-terrorism benefits of REAL ID, and it reflects almost no thinking about how REAL ID might work as a security tool. I have attached as Appendix A a rudimentary analysis of the REAL ID Act in terms of risk management, using the framework put forward by the Department of Homeland Security's Data Privacy and Integrity Advisory Committee.6
To summarize, creating a national identification scheme would not just attach a known, accurate identity to everyone. It would cause wrongdoers to change their behavior. Sometimes this would control risks, sometimes this would shift risks from one place to another, and sometimes this would create even greater risks.
The NPRM concludes with this:
The actual economic analysis produced by DHS and placed in the rulemaking docket has some more specific information about "ancillary benefits." It estimates that REAL ID could reduce the costs of identity theft by merely $1.6 billion during 2007-16.8 Relatively little identity fraud uses drivers' licenses. No other benefits are estimated.
If REAL ID did add to our country's protections, it would not have been passed attached to a military spending bill two years ago. It would have had hearings, up-or-down votes in both houses, and fanfare at every step of the legislative process.
If REAL ID added to our country's protections, Americans would happily tolerate the expense, inconvenience, and intrusion created by the REAL ID system. They do not.
DHS Punted on the Hard Issues
The potential security benefit of having a national ID is the most important consideration. As we now see, REAL ID fails cost-benefit analysis. But there are additional costs of REAL ID that are not considered in the NPRM's cost-benefit analysis. These costs are denominated in the privacy and civil liberties of law-abiding Americans.
Were they to comply with the REAL ID Act, states would have to cross a minefield of complicated and expensive technology decisions. They would face enormous, possibly insurmountable, privacy and data security challenges. But the Department of Homeland Security avoided these issues by carefully observing the constraints of federalism even though the REAL ID law was crafted specifically to destroy the distinctions between state and federal responsibilities.
The Federalism Issue
The Constitution established a federal government with limited, enumerated powers, leaving the powers not delegated to the federal government to the states and people.9 Because direct regulation of the states would be unconstitutional,10 the REAL ID Act conditions federal acceptance of state-issued identification cards and drivers' licenses on their meeting certain federal standards.
This statutory structure -- using state machinery to implement a federal program -- is unfortunate. It blurs the lines of authority and obscures the workings of government from citizens and taxpayers. But it does draw federalism into play as a potential limit on the Department's ability to regulate.
As the Notice of Proposed Rulemaking notes,11 Executive Order 13132 says that "issues that are not national in scope or significance are most appropriately addressed by the level of government closest to the people."12 Laying out the criteria for policymaking when federalism is implicated, the Executive Order says, "National action limiting the policymaking discretion of the States shall be taken only where there is constitutional and statutory authority for the action and the national activity is appropriate in light of the presence of a problem of national significance."13
In support of a federal function -- national security -- the REAL ID Act conditions federal acceptance of state identification cards and drivers' licenses on their meeting federal standards for documentation, issuance, evidence of lawful status, verification of documents, security practices, and maintenance of driver databases. The federal government has equal power -- and the Department of Homeland Security had discretion in this rule -- to condition acceptance of identification cards and drivers' licenses on closely related priorities, including meeting standards for privacy and data security.
Many different federal laws and policies seek to foster privacy and data security, even in the context of national security programs. The Executive Order establishing the President's board on safeguarding Americans' civil liberties, for example, states in its very first section:
Among the many federal laws that are relevant is the Privacy Act of 1974.15 The Privacy Act requires federal agencies to undertake a variety of information practices, and it accords individuals a number of rights intended to protect privacy and similar interests. The law requires agencies to extend these protections to systems of records operated "by or on behalf of the agency . . . to accomplish an agency function" when that is done by contract.16
The Privacy Act did not contemplate that states would maintain systems of records in furtherance of federal functions. However, Office of Management and Budget guidelines issued after the Privacy Act's passage say that the Act is intended to cover "de facto as well as de jure Federal agency systems."17
Another relevant law is FISMA, the Federal Information Security Management Act of 2002.18 FISMA seeks to bolster information security within the federal government and for federal government functions by mandating yearly security audits. FISMA makes the head of each agency responsible for information security protections with regard to information systems and "information collected or maintained by or on behalf of the agency."19
The legislative history of the REAL ID Act suggests Congress' intention that the Department should implement REAL ID consistent with federal government policies on privacy. The Department of Homeland Security's Privacy Impact Assessment reviews relevant portions of that history:
The House Conference Report for the REAL ID Act includes several key statements of Congressional intent regarding privacy. For example, in its discussion of section 202(d)(12) of the Act, which requires each state to provide electronic access to the information in its motor vehicle databases to all of the other states, the Conference Report makes clear that Congress recognized the need for the regulations to address privacy and security and that those protections should be at least the equivalent of existing federal protections. The Conference Report reads in relevant part:
DHS will be expected to establish regulations which adequately protect the privacy of the holders of licenses and ID cards which meet the standards for federal identification and federal purposes.
The increased data collection and data retention required of states is concerning. Requiring states to maintain databases of foundational identity documents will create an incredibly attractive target to criminal organizations, hackers, and other wrongdoers. The breach of a state's entire database, containing copies of birth certificates and various other documents and information, could topple the identity system we use in the United States today. The best data security is avoiding the creation of large databases of sensitive and valuable information in the first place.
The requirement that states transfer information from their databases to each other is concerning. This exposes the security weaknesses of each state to the security weaknesses of all the others. There are ways to limit the consequences of having a logical national database of driver information, but there is no way to ameliorate all the consequences of the REAL ID Act requirement that information about every American driver be made available to every other state.
There are serious concerns with the creation of a nationally uniform identity system. Converting from a system of many similar cards to a system of uniform cards is a major change. It is not just another in a series of small steps.
Economists know well that standards create efficiencies and economies of scale. When all the railroad tracks in the United States were converted to the same gauge, for example, rail became a more efficient method of transportation. Because the same train car could travel on tracks anywhere in the country, more goods and people traveled by rail. Uniform ID cards would have the same influence on the uses of ID cards.
There are machine-readable components like magnetic strips and bar codes on many licenses today. Their types, locations, designs, and the information they carry differ from state to state. For this reason, they are not used very often. If all identification cards and licenses were the same, there would be economies of scale in producing card readers, software, and databases to capture and use this information. Americans would inevitably be asked more and more often to produce a REAL ID card, and share the data from it, when they engaged in various governmental and commercial transactions.
In turn, others would capitalize on the information collected in state databases and harvested using REAL ID cards. Speaking to the Department of Homeland Security's Data Privacy and Integrity Advisory Committee in March last week, Anne Collins, the Registrar of Motor Vehicles for the Commonwealth of Massachusetts, said, "If you build it they will come." Massed personal information will be an irresistible attraction to the Department of Homeland Security and many other governmental entities, who will dip into data about us for an endless variety of purposes.
The REAL ID Act provided the Department of Homeland Security with very little opportunity to "fix it in the regs." And DHS did not fix it in the regs. In fact, DHS created new concerns, such as the possibility of tracking by race.
REAL ID: The Race Card
The "machine-readable technology" required for every REAL ID-compliant card has been a subject of much worry and speculation. This is not without reason. A nationally uniform ID card will make it very likely that cards will be requested, and the data on them collected and used, by governments and corporations alike. DHS was wise to resist the use of radio frequency identification tags in REAL ID.22
But even more significant issues have been created by the DHS's choice of technical standards. The standard for the 2D barcode selected by the Department includes the cardholder's race as one of the data elements.
For the machine readable portion of the card, the technology standard proposed by DHS in the NPRM is the PDF-417 two-dimensional bar code. According to DHS, the PDF-417 barcode can be read by a standard 2D barcode scanner.23 This is a more highly developed version of the barcode scanning that is done in grocery stores across the country.
The version selected by DHS is the 2005 AAMVA Driver's License/Identification Card Design Specifications, Annex D. This is a standardized format for putting information in the bar code.
Congratulations again, Mr. Chairman, on your leadership in cosponsoring legislation to repeal REAL ID and restore the ID security provisions from the 9/11-Commission-inspired Intelligence Reform and Terrorism Prevention Act.
The recent push for national ID cards is in reaction to the terrorist attacks of September 11, 2001, of course. An appendix to a report by the Markle Foundation Task Force on National Security in the Information Age recommended various governmental measures to make identification "more reliable."24 This report was cited by the 9/11 Commission as it recommended "federal government . . . standards for the issuance of birth certificates and forms of identification, such as drivers licenses."25 But it is important to know that the 9/11 Commission devoted about ¾ of a page in its 400-page report to identification issues. Identification security was not a "key finding" of the Commission.
Nonetheless, a provision of the Intelligence Reform and Terrorism Prevention Act of 2004, passed in response to the 9/11 Commission Report, established a negotiated rulemaking process for determining minimum standards for federally acceptable driver's licenses and identification cards.26 This provision -- the result of the 9/11 Commission report -- was repealed and replaced by the REAL ID Act. Restoring the earlier, more careful provisions would be a step in the right direction.
But the Congress should examine our country's identification policies and practices even more carefully. Identification systems have many benefits but, as we know from REAL ID, they also carry many threats. We should have a much more careful national discussion about the design of the identity systems we will use in the future.
It would be unfortunate if the federal government spent so much time and money to build systems that lead in a few decades to a very costly dead end. Even worse would be for government systems to predominate, making it a practical requirement that Americans do have to carry a national ID card in order to function.
As it moves forward, I recommend that the Akaka-Sununu legislation include consideration of emerging open standards for government IDs and credentials. Rather than being locked into the unwieldy federal systems now being created, federal agencies should have the flexibility to accept any identification card or credential that meets or exceeds government standards for data accuracy, security, and verifiability.
1 Executive Order 12866, Regulatory Planning and Review (Sept. 30, 1993), requires "significant regulatory actions," such as those costing over $100 million annually, to be assessed in terms of benefits, costs, and alternatives.
5 This is permitted by OMB Circular A-4 when it is difficult to quantify and monetize the benefits of a rulemaking.
14 E.O. 13353, Establishing the President's Board on Safeguarding Americans' Civil Liberties (Aug 27, 2004).
21 72 Fed. Reg. 10,825 (Mar. 9, 2007).
22 The NPRM left the door open for putting RFID chips in our identification cards in the future. See 72 Fed. Reg. 10,841-2 (Mar. 9, 2007). The DHS Data Privacy and Integrity Advisory Committee concluded recently that RFID is not well suited to the task of identifying people, at least at this stage in the technology's development. Department of Homeland Security, Data Privacy & Integrity Advisory Committee, The Use of RFID for Human Identity Verification, Report No. 2006-02 (Dec. 6, 2006). The Department has recently cancelled RFID-related projects. See Alice Lipowicz, DHS Tunes Out RFID, Washington Technology (Feb. 12, 2007).
23 72 Fed. Reg. 10,837-8 (Mar. 9, 2007).
24 Markle Foundation Task Force on National Security in the Information Age, Creating a Trusted Network for Homeland Security (Dec. 2, 2003).