Today legislation was introduced in Congress to provide a much needed overhaul of the REAL ID program by Senators Akaka (D-HI), Baucus (D-MT), Carper (D-DE), Tester (D-MT), and Voinovich (R-OH) the new bill is known as the Providing for Additional Security in States’ Identification (PASS ID) Act of 2009.

Since its inception in 2005, REAL ID has long been a pariah among the states and civil rights/civil liberties groups alike. At last count this year, thirteen states have passed legislation prohibiting REAL ID implementation, and another ten have passed resolutions denouncing REAL ID’s approach. CDT has repeatedly pointed out at every step of REAL ID’s development the serious risks to privacy and security the program creates.

The PASS ID Act mitigates or corrects critical privacy and security flaws in REAL ID while still establishing minimum federal standards for the issuance of driver’s licenses and ID cards. Most notably, the PASS ID Act:

• Removes the requirement in REAL ID that states must give all other states access to the personal information contained in motor vehicle databases. This change will help secure such information against loss and authorized use.
• Specifies the limited purposes for which a PASS ID can be required by a federal agency and denies DHS the authority to unilaterally determine additional purposes, thereby helping prevent “mission creep.�
• Requires privacy and security protections for the personal information collected and stored in back-end databases for the program. The Act requires states to establish safeguards against unauthorized access and use and to create a process for cardholders to access and correct their own information.
• Provides protections for personal information contained in the machine-readable zone (MRZ) of driver’s licenses and ID cards. While the PASS ID Act still mandates an MRZ and doesn’t require encryption, the Act prohibits the inclusion of your social security number in the MRZ and limits the storage, use, and disclosure of information in the MRZ. These changes will limit the use of the card as a tracking device.

CDT supports the adoption of the PASS ID Act. Years of delay and contentious wrangling over REAL ID’s flawed approach have done nothing to make driver’s license and ID card issuance more secure. Indeed, REAL ID very well might exacerbate existing threats to personal privacy and security. It is time to cut our losses and begin to address the security gaps first identified by the 9/11 Commission in a way that protects the civil liberties of the 240 million Americans and lawful residents who carry government-issued identity credentials.

Finally, while the PASS ID Act would be a considerable improvement over current law, protecting privacy is an ongoing process — and the devil is, of course, in the details of implementation. Congress and DHS would do well to learn from the mistakes of REAL ID by continuing to take into account the views of all relevant stakeholders, including the states and civil rights and civil liberties advocates.

This entry was posted on Monday, June 15th, 2009 at 4:46 pm and is filed under CDT, Consumer Privacy, Security & Freedom. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.