The Electronic Privacy Information Center (EPIC) convened a meeting today to look into the range of policy, technical, and social issues surrounding national identification systems in light of the recently passed Real ID Act, something we’ve been quite active on recently. In April, USACM sent the Senate a letter outlining its concerns about the security aspects of the database provisions and its national ID implications. However, Congress ultimately left many of the concerns of USACM and the privacy community unaddressed.
In light of today’s EPIC event, USACM issued a press release calling for a reconsideration of Real ID’s provisions (click here for the full release):
Addressing the impact on individual’s privacy protections, USACM Chair Eugene Spafford, a renowned cybersecurity expert, said, “The act’s stated goal is to reduce terrorists’ ability to travel, but it does little to actually inhibit a dedicated terrorist from securing a valid ID. At the same time, it vastly increases the risk that an average citizen’s personal data will be stolen. This is ill-conceived security strategy and one that should be reconsidered […]”
Marc Rotenberg, EPIC’s executive director, began the meeting by pointing out how the Real ID Act had worked its way through the legislative process without any meaningful debate — even before affected communities had time to begin educating policymakers about some of the dangers and implications of the act. Rotenberg went on to suggest that the privacy and civil liberties communities have not given up the fight against Real ID. Accordingly, EPIC’s Real ID event was intended to promote the kind of debate that never really occurred before the act became law.
The event included panels on the technology, law, impacts, and international issues associated with identification, as well as the possible next steps for the privacy community. The event featured such notable panelists as USACM’s own Barbara Simons, Peter Neumann, and Lillie Coney, as well as security expert Bruce Schneier and privacy scholars Daniel Solove, Oscar Gandy, and Robert Ellis Smith. Other participating technology and policy experts included Jerry Kang, Stephanie Perrin, Deborah Hurley, and Raj Goyle.
Other highlights of the event included comments from Cheye Calvo from the National Conference of State Legislators — speaking from the perspective of the states as they ponder just what it will mean to put Real ID into action. He pointed out that a great deal depends on how the Department of Homeland Security (DHS) interprets the new law in its rulemaking. Earlier, in his panel’s closing, Professor Oscar Gandy urged attendees to consider the “cumulative disadvantage” that might result as the Real ID Act is implemented. And, during the day’s final panel Bruce Schneier touched on his concern that when rulemaking on the Real ID Act finally emerges (and there is no indication when this may happen — indeed, under the law, which contains no preliminary deadlines, DHS has nearly three years to provide such rulemaking) it will contain specifications for an RFID chip. We will, of course, continue to track the issue closely.
Complete information about EPIC’s event — including a list of panels, speakers’ bios, additional multimedia content, and links to a host of additional resources — can be found here.
The Association for Computing Machinery
|Contact: Virginia Gold
ACM Office of Public Policy
USACM URGES RECONSIDERATION OF REAL ID PROVISIONS
Washington, DC – June 6, 2005 — ACM’s US Public Policy Committee (USACM) added its voice to other organizations meeting in Washington today to express deep concerns over the recently passed Real ID Act, which USACM believes will create a de facto national identification system that erodes individuals’ privacy protections.
Addressing the impact on individual’s privacy protections, USACM Chair Eugene Spafford, a renowned cybersecurity expert, said, “The act’s stated goal is to reduce terrorists’ ability to travel, but it does little to actually inhibit a dedicated terrorist from securing a valid ID. At the same time, it vastly increases the risk that an average citizen’s personal data will be stolen. This is ill-conceived security strategy and one that should be reconsidered.”
When Congress was considering the Real ID Act earlier this year, USACM outlined its concerns in a letter to Senator Lamar Alexander (R-TN) stating that the act increased the risk of identity theft by mandating that states share their drivers’ license databases with each other without basic security protocols identifying access rights. USACM also noted that the act contained no guidance on how the shared databases should be secured or how the personal information contained within them should be handled. In addition, USACM determined that the language did not specify how to hold administrators and users accountable for proper maintenance and use. USACM also said that the act repealed existing law affecting a consultative regulatory process, leaving no clear mechanics for addressing these sensitive questions.
“Any database of personal information presents privacy risks,” said Spafford, “but these linked databases are more troubling because all data could be exposed from any single insecure point in any of the databases or along the communications pathways used to share data.” He added that the act did not recognize the privacy and security issues it created, which is especially troubling in light of the recent spate of episodes involving criminals and others who gained unauthorized access to large collections of personal information. Spafford pointed to the machine-readable nature of the proposed drivers licenses, noting that private parties can more easily collect individuals’ information, which can then be sold to data aggregators.
USACM’s letter also cited its long-standing concern over the risks inherent in national ID systems. For example, (1) knowing the identity of a person reveals nothing of that person’s intent – every criminal and terrorist has an identity, but they have no record prior to their first offense; (2) despite a history of state workers succumbing to bribery to grant driver’s licenses to unqualified persons, this act provides a national ID to anyone who can find a lax or corrupt official – a trivial task given the number involved; and (3) a single ID will accustom some guards to check form rather than content, leading to weaker security than previous protocols requiring guards to determine an ID’s origin and validity.
The full text of USACM’s letter can be found at:
Representatives of many organizations that raised concerns about the Real ID Act and related proposals met in Washington, DC today to discuss their next steps. Bruce Schneier, the author of “Beyond Fear: Thinking Sensibly about Security in an Uncertain World,” addressed the challenges of implementing the Real ID Act. For more information, go to http://www.epic.org/events/id/
USACM is the U.S. Public Policy Committee of the Association for Computing Machinery (ACM). USACM members include leading computer scientists, engineers, and other professionals from industry, academia, and government. ACM is widely recognized as the premier organization for computing professionals, delivering resources that advance the computing as a science and a profession, enabling professional development, and promoting policies and research that benefit society. ACM, the world’s first educational and scientific computing society with more than 80,000 members worldwide, hosts the computing industry’s leading Digital Library and Portal to Computing Literature. With its journals and magazines, special interest groups, conferences, workshops, electronic forums, Career Resource Centre and Professional Development Centre, ACM is a primary resource to the information technology field.