The release last Friday of the final rule for REAL ID did not mark the end of the road for this issue, but the end of the beginning. In this second of our series of posts taking a high-level look at various technology policy issues, we focus on REAL ID, and how it stands a good chance of being involved in other aspects of technology policy in the coming months. There will probably be legislative efforts to either increase funding for the program or to repeal it outright, and we will cover those bills as they happen. Read our earlier posts to understand the details of the REAL ID final rules, and the implications of those rules.
What is not in those rules – at least explicitly – is how the Department of Homeland Security will encourage the use of REAL ID without formally requiring it. The law and regulations prevent DHS from requiring it, or from using it as a national ID. Our comments from last May explain how REAL ID will create a de facto national ID. The actions of 17 states to either opt out of REAL ID and/or registering objections demonstrates how widespread this concern is. Of course, the privacy and security problems of REAL ID are also concerns for states, especially when so many agencies have trouble securing personally identifiable information
DHS has at least two different ways to encourage more and more people to use a REAL ID, working around the legislative restrictions. The first way is through encouraging the expansion of the ‘official purposes’ that require a REAL ID. For these ‘official purposes,’ should a driver’s license be used for identification, it must be a REAL ID. A DHS official recently suggested that REAL ID can be a means to combat meth labs, so pharmacies should start requiring REAL IDs in order to prevent people from purchasing the necessary supplies. This presumes that nobody tries to buy meth supplies with a legitimate ID, and that pharmacies are immune to insiders acting badly. We can expect other entities – not just the DHS – to claim that the use of a REAL ID would magically achieve some desirable policy objective. With any proposal claiming REAL ID as a silver bullet, it is essential to assess whether or not a REAL ID would really achieve the intended objective, and whether it is really worth the increased privacy and security risks.
Another workaround is through the enhanced driver’s license that some states are exploring as a way to expedite border crossings. These licenses are required to be compliant with the Western Hemisphere Travel Initiative (WHTI), and may use Radio Frequency Identification (RFID) chips – another technology prone to low security. While RFID is not part of a REAL ID, DHS is interested in making sure that WHTI compliant licenses are also REAL ID compliant. For a state like Washington, where they have signed legislation to opt out of REAL ID, but have started a test program for an enhanced license, it is possible that they will end up with REAL IDs even though they passed legislation against them.
Finally, as the systems designated to support REAL ID become active, the security and privacy protections of those systems need to be scrutinized. For instance, the recommendation in the final rules encouraging the use of e-Verify – a system to verify employment eligibility electronically – must be changed, due to the problems associated with scaling up a database from a few thousand entries to over 240 million – which USACM submitted testimony on in June of 2007.
As we move through 2008, REAL ID will continue to be an issue. It will be fought in Congress and in the states. It will be fought over the ID cards and the underlying databases that support REAL ID.