Yesterday USACM filed detailed comments on the Department of Homeland Security’s draft rules for implementing the REAL ID Act. (For background, Congress passed the controversial REAL ID Act in 2005 over the objections of many privacy, security and technology experts. See our posts (1,2) about USACM’s comments on the law.)
The comments detail USACM’s concerns with both the underlying law and the draft rules with respect to identity theft; insider threats; and the lack of privacy, security, and accuracy guidelines, among other issues. To address some of these concerns, USACM made the following recommendations:
At a minimum, the final rule should require stronger, more detailed privacy, security and accuracy provisions than the NPRM. Even with the improvements to the proposed rulemaking we suggest below, existing technology and approaches cannot solve the policy problems raised by the REAL ID Act. We urge the Administration to send Congress proposed legislation to address these issues and frame the policy around privacy, security and accuracy goals — or to repeal the REAL ID Act entirely. These issues should be addressed before the REAL ID Act becomes active.
1) Delay implementation of the REAL ID until all underlying databases and the federated query service have been fully tested and are operational. The experiences of the election boards that implemented electronic voting systems before standards and testing procedures were put in place demonstrate the folly (and increased costs) of implementing new technologies that are not thoroughly tested.
2) Minimize the data stored on the machine-readable zone (MRZ). With the possible exception of some notation that the ID is a REAL ID, and perhaps citizenship information, the MRZ information should be restricted to information on the front of the license or identification card. The difficulty of establishing strong encryption that allows appropriate access for law enforcement personnel and other agencies makes minimization of data in the MRZ even more important to minimize the data that could be skimmed or collected and used by other parties for unintended purposes.
3) Specify privacy, security and accuracy standards for the licenses, the databases, and the federated query service. Individual states may be free to implement additional protections, but a standard is essential; otherwise the state with the weakest standards places residents of all the other jurisdictions at risk.
4) Base the privacy standards on the Fair Information Practices. Fair Information Practices (FIPs) are a cornerstone of modern privacy practice, and should be familiar to the many vendors and agencies involved in REAL ID implementation. These provisions must include considerations of Minimization, Consent, Openness, Access, Accuracy, Security and Accountability, as we note in USACM’s Privacy Recommendations (http://www.acm.org/usacm/Issues/Privacy.htm).
5) Require security consistent with standards such as the Common Criteria Evaluation and Validation Scheme (CCEVS). In addition to the physical security considerations of the NPRM, the Department must provide minimum computer, database and network security standards to the states.
6) Include strong access control procedures for REAL ID documents and data. It is critical that databases follow strict access controls for who has access to what data, and how much data a person can access at one time. Such controls must include sanctions for violations and include recording with non-volatile logging to provide a robust audit trail to be used in cases of misbehavior.
7) Require data breach notification procedures for any agency controlling REAL ID data or documents. The California state law requiring companies to notify their customers if personal information is exposed would be a good model for REAL ID data or documents. Similar legislation being considered by Congress would be another strong model.
8) Limit the scope of the usage of REAL ID to only the uses specified by law. We oppose any expansion of the official purposes of the REAL ID. Additional purposes increase the exposure of information on the document, and may well increase the amount of information stored on the document. Any increase in the official purposes of the act must be accompanied by public notice of what purposes the information will be used for, and any additional data that will be collected and stored, per the privacy considerations addressed earlier in our comments.
Below is USACM’s press release:
USACM URGES REVISIONS TO NATIONAL IDENTIFICATION POLICY
Proposes Delay in Real ID Implementation to Assure Individual Privacy and Security
Washington, DC – May 8, 2007 – ACM’s US Public Policy Committee (USACM) today issued a series of recommendations that address serious flaws in the nation’s REAL ID Act. In comments to a proposed rulemaking setting out regulations for implementing this law, USACM said the proposed regulations fall short of protecting privacy, ensuring security, and maintaining accurate personal information. USACM also noted that the regulations fail to set clear standards for states to use in implementing drivers’ licenses and identification cards, which are required under the law.
The REAL ID Act is intended to be the ‘gold standard’ for identification purposes in the U.S. It establishes a de facto national identification system by requiring states to collect, maintain, and share vast amounts of personal information, and to issue standard forms of identification to all Americans.
“The policy behind REAL ID has been flawed from the moment Congress proposed it. Without sufficient safeguards, it has the potential to enable identity theft on an unprecedented scale. The proposed rules are at best vague in addressing privacy, security and accuracy risks, and at worst, they increase these risks,” said Eugene Spafford, USACM Chair, and professor of computer science at Purdue University. “States are likely to be financially strapped when they begin to implement REAL ID. Simply punting the implementation details to the states is a recipe for disaster. We could see a multitude of standards with minimal resources dedicated to ensuring that privacy, security and accuracy concerns are addressed.”
USACM commented that the proposed regulations do not specify minimum standards or accountability for states to manage state-to-state data exchanges openly and comprehensively, and they are silent on key privacy, security, and accuracy issues. For example, the Act and the proposed rules do not consider insider threats to security, which represent a significant percentage of identity theft. There are also no procedures in place to handle common mismatches of data on official documents, which are likely to deny proper identification through honest mistakes.
USACM’s comments recommend that the REAL ID Act implementation procedures push for stronger, more detailed privacy, security and accuracy provisions, including:
- Delaying implementation until all underlying databases and inquiry systems have been fully tested and are operational
- Minimizing the data stored on identification cards and drivers licenses
- Specifying privacy, security and accuracy standards for licenses, databases and inquiry systems
- Basing privacy standards on the Fair Information Practices, the cornerstone of modern privacy practice
- Requiring security consistent with established standards, such as those developed by the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO)
- Including strong access control procedures for REAL ID documents and data
- Requiring data breach notification procedures for agencies controlling REAL ID data or documents
- Limiting the scope of the usage of REAL ID to only those uses specified by law
- Requiring mandatory logging of access to sensitive information to protect privacy and combat misuse
The comments from USACM also urged the Administration to send Congress proposed legislation that addresses the many issues that cannot be resolved within the rulemaking process.
For more information on USACM’s comments on the notice of proposed rulemaking for minimum standards for driver’s licenses and Identification cards, please visit http://www.acm.org/usacm/.