Home | Site Map | Contact
Hearings Banner Click here to go back to the home page
  Click to learn more about the committee Click to learn more about committee resources Click to learn more about hearings and meetings Click to learn more about legislation Click to learn more about nominations Click to learn more about press  
Hearings and Meetings
Print Page | Email Page | text changer normal text size text size plus 1 text size plus 2
< Return To Hearing
Testimony of

Janice L. Kephart

May 8, 2007

U.S. SENATE JUDICIARY COMMITTEE
"WILL REAL ID ACTUALLY MAKE US SAFER? AN EXAMINATION OF PRIVACY AND CIVIL LIBERTIES CONCERNS"
MAY 8, 2007
TESTIMONY OF JANICE L. KEPHART

Chairman Leahy, Ranking Member Specter. Thank you for having me here today. It is an honor to be before you as an alum of the committee that prepared me so well for my work as a counsel to the 9/11 Commission. I appreciate very much this committee's continued interest and effort in the 9/11 Commission recommendations, including the issue of identity document security that REAL ID addresses head-on.

I am here in my own capacity today, but you should know that when the 9/11 Commission issued its final report card in December 2005, one of the highest marks it gave was to Congress for passing REAL ID legislation. Today, 9/11 Commissioner John Lehman works alongside me in our effort to get REAL ID implemented. I am also happy to be one who speaks with the 70 percent of Americans who, in a recent Zogby/UPI poll, are in favor of secure driver licenses.

Today, every state DMV has taken at least a couple of steps towards REAL ID implementation. All DMVs check for commercial/problem drivers via the state-owned American Association of Motor Vehicle Administrators (AAMVA) network, AAMVAnet. 48 states and DC check SSNs. 20 states check legal status. 3 states are sharing vital events digitized records, and 4 more are about to come online. Digital image access is available in 19 states and underway in 7 others. Alabama, New York and Texas are considered innovators in REAL ID compliance. In addition, at least 23 state legislatures have one or more bills pending supporting REAL ID in some fashion. Those that have passed REAL ID implementation or funding legislation through either their House or Senate include Arkansas, Indiana, Kansas, and Michigan.

In addition, I have written two papers on the subject, the first I published in February 2007 and sets out the policy backdrop for the REAL ID Act, explains its content, and discusses what is at risk if it fails. Identity and Security: Moving Beyond the 9/11 Staff Report on Identity Document Security emphasizes the need for security at the base of the nation's identity document issuance processes. The second paper, Identity and Security: REAL ID in the States, answers policy concerns being echoed in some states regarding REAL ID implementation. Both papers are attached.

REAL ID was passed into law based on the states' own Secure Document Framework developed by AAMVA after the states acknowledged post 9/11 that the current state driver license issuance system is deeply flawed in its ability to generate IDs both secure in their content and production. Such deep weaknesses threaten national and economic security, public safety, and our privacy.

The critical question this hearing asks, Will REAL ID Actually Make Us Safer? is absolutely the correct question to ask. The answer: an unequivocal 'yes'. If REAL ID is implemented, it will help individual Americans to preserve their identities, their children's safety in underage drinking and driving, and the police officer's ability to know who it is they are encountering on a day to day basis. The Fraternal Order of Police believes REAL ID would protect officers and apprehend criminals so much so that they have stated that any attempts to repeal REAL ID would result in pulling their support from a 9/11 implementation bill in this Congress. Their February 2007 letter to Majority Leader Harry Reid is attached.

As was discussed in much depth during an excellent Terrorist Travel hearing Subcommittee Chairwoman Feinstein held last Wednesday (May 2, 2007), secure IDs are essential for assuring people are who they say they are. That goes not only for travel documents, but all forms of IDs. Remember that the 9/11 terrorists--and many other terrorists before them--had a travel operation that included the acquisition of state-issued IDs. (Discussed in depth in my Feb. 2007 paper.)
The 9/11 Final Report recommendations on terrorist travel called for action to "set standards for the issuance" of state-issued identifications, including driver licenses, and "design a comprehensive screening system addressing common problems and setting common standards with system-wide goals in mind."

The 9/11 hijackers assimilated into the United States by attaining 17 driver licenses from Arizona, California and Florida (four of which were duplicates) and 13 state-issued IDs from Florida, Maryland and Virginia. The hijackers then used those IDs for the purpose of renting cars, obtaining living quarters, opening bank accounts, and boarding aircraft on the morning of 9/11. We know that at least six hijackers total presented state-issued IDs on the morning of 9/11. The pilot who flew into the Pentagon, Hani Hanjour, had ID cards from 4 states: Florida, Maryland and Virginia, and an Arizona driver's license. The Pennsylvania pilot, Ziad Jarrah, had three IDs and an unverifiable ID when stopped for speeding two days prior to 9/11. Both pilots had obtained a Virginia ID by fraud.

In December 2005, the 9/11 Commissioners' final report card on its recommendations gave Congress a good mark for passing into law solid language pertaining to its identity security recommendations in the 2004 Intelligence Reform Act and 2005 REAL ID Act. However, the Commissioners remained concerned at the states' ability to comply, stating: "The REAL ID Act has established by statute standards for state-issued IDs acceptable for federal purposes, though states' compliance needs to be closely monitored."

What has become unfortunate about the REAL ID debate is that myths and misinformation continue to abound. Let me address the most critical ones.

First, REAL ID is not a mandate. REAL ID preserves state rights. The REAL ID Act stipulates that in order for a driver license or state?issued ID to serve as an identity document for entering a federal facility- including boarding a plane- the document must meet, at a minimum, the security standards spelled out in the Act. Thus states are not required to issue licenses and IDs in accordance with REAL ID. The rules provide minimums, not a mandate. States can choose whether to comply or choose to exceed the minimum standards the law sets out. States keep control of issuing licenses, applicant data, and adjudication of applications. States can choose whether they will inconvenience their legal residents when they board planes or enter federal facilities by not providing them with a REAL ID; it is the federal government that is bound to only accept REAL IDs by the compliance date. Those that choose not to comply will likely require their citizens to carry passports for such federal activities as boarding domestic flights.

Second, REAL ID does not create a national database. REAL ID does just the opposite, keeping data flows narrowly confined with only the originator of the data capable of holding the data. REAL ID enables verification of identity information such as SSNs, birth records, driving records, and immigration status between states and the federal government. The data is limited to defined fields of information with limited personnel access over a network owned and operated by the states, almost wholly through AAMVA. State to state interchange of information will continue to be up to the states. The states hold their own data and it is not acquired by any other entity. The same goes with the federal government.
Third, REAL ID does not invade privacy. The current REAL ID Notice of Proposed Rulemaking makes recommendations for best practices state should employ to protect privacy through stronger identity authentication. These best practices are hefty and build on the Commercial Driver License Information System (CDLIS) and National Driver Register (NDR) database created in 1986. These databases together have been servicing 45 states for 20 years. There have been no complaints about intrusions on privacy or identity theft with either of these databases. One reason why is because federal law already protects the use of such data udner the Driver's Privacy Protection Act of 1994. This law restricts how driver license information can be used by states, barring states and their employees from selling or releasing personal information such as SSNs, images, addresses, phone numbers and birthdates. Until that law was passed, 35 states had such information public and many made money off the sale of such information to all varieties of private enterprise. Congress set a higher bar to protect privacy in the area of state-issued driver licenses then, and REAL ID 20 years later is a natural follow-up: not only securing data, but identities and the documents that support those identities as well.

In part due to the success of the CDLIS and NDR in providing solid data without privacy breaches, this CDLIS and NDR system today accessed via AAMVAnet is likely to be the foundation for other identity verification and document authentication requirements under REAL ID.
REAL ID also provides greater protection of privacy, requiring background checks of DMV employees, secure productions sites of cards, alongside due respect to civil liberties. Just to be clear, there are no plans for an embedded RFID chip in REAL ID driver licenses.

Also worthy of mention is that the Information Technology Association of America, who represents the largest producers of computer security systems--IBM, Microsoft, Hewlett Packard, Oracle and others--has concluded that REAL ID, if implemented, will further protect privacy. In a May 7, 2007 report (yesterday), the ITAA stated that REAL ID will actually "raises the bar on privacy for driver licenses" because it sets higher benchmarks for data security; requires tougher identity adjudication; and builds on existing practice.

Fourth, REAL ID does not create a National ID Card. REAL ID, in fact, avoids a national ID card. States use and control their own issuance processes, including meeting or exceeding REAL ID minimum standards. Calls for pull back or repeal will only make the debate surge again for proponents of a national ID.

To make REAL ID a reality requires more than either the federal government or the states can do on their own. It requires partnership. It also requires an acknowledgement that securing our nation's physical and economic integrity is not just a federal responsibility; it is everyone's responsibility. No REAL ID simply keeps us right where we are--vulnerable. The Congressional lobby we need now is for more seed money to help states comply with REAL ID, including built-in incentives for states that do so. Resolution of this issue is what gets us closer to secure IDs sooner rather than never.
Privacy and Security Information