Why the New Department of Homeland Security REAL ID Act Regulations are Unrealistic:
Risks of Privacy and Security Violations and Identity Theft Remain, and Burdens on the States Are Too Severe

By ANITA RAMASASTRY
Friday, Apr. 06, 2007

In March, the Department of Homeland Security (DHS) published draft regulations to establish minimum standards for state-issued driver's licenses and identification cards, in accordance with the REAL ID Act of 2005.

The Act - moved quickly through Congress in 2005 as part of a must-pass military appropriations bill -- has been touted as a national effort to prevent terrorism and reduce identity fraud. Eventually, the Act will require every person in America to carry a REAL ID-compliant identification document, issued by a State Department of Motor Vehicles (DMV), in order to fly on commercial airlines, enter government buildings, or simply open a bank account.

Unfortunately, DHS's proposed regulations do not alleviate any of the major concerns that have been raised regarding privacy and security, ever since the REAL ID Act was passed. Thus, those concerned with privacy and/or security ought to voice their concerns about the proposed DHS regulations before they become final, and it is too late.

In this column, I'll outline some of the major problems regarding the proposed regulations.

DHS Should Have Taken on Identity Theft and Security Directly

First, DHS expressly punted on the identify theft issue, despite its importance.

The proposed regulations assert that "DHS believes that it would be outside its authority to address this issue within this rulemaking." Thus, DHS requires the states to devise a comprehensive security plan for safeguarding information collected, stored, or disseminated for purposes of complying with the REAL ID Act. As for security of the ID itself, DHS has mentioned that encryption of the magnetic stripe data on licenses might be preferable - but it has not mandated that states in fact encrypt the data.

The states, however, are unlikely to be eager to take on this added responsibility. As it is, simply complying with the proposed regulations will put a large fiscal burden on the states. Effectively addressing security concerns will be even more expensive.

DHS itself should be forced to confront, not dodge, the important privacy, security and identity theft issues the REAL ID program raises. In addition, the federal government should pay the tab for addressing the information-security issues its legislation will predictably create.

The Burdens of Document Verification are Onerous

The DHS regulations require verifying the identity of each document submitted by each person who seeks a REAL ID-compliant ID with the original issuing agency. Such agencies might be located in other states, or even in a foreign country. That will be costly indeed. And the regulations will only make it more so: They go beyond the Act to require document re-verification for renewal; mandate two documents evidencing proof of address; and require the verification of birth certificates with state vital records offices. Such requirements appear to be far more than what the federal government itself does to verify the identity of its citizens.

In addition, states will be asked to verify vital records (that is, birth/death certificates) using the Electronic Verification of Vital Events (EVVE) system. That system is not yet fully functional.

States are also concerned about foreign passport verification. There may be no practical or reliable way for DMV agencies to verify the accuracy of each passport with the issuing agency - that is, the country of which the passport-holder is a citizen. Passports also change format over the years, so individuals may have outdated passports or ones that are more difficult to verify.

The federal government should fund the upgrade of document verification systems, as well as the cost of states' use of the databases. Meanwhile, while the federal government brings the databases up to speed, states should enhance their manual verification and fraudulent documents detection methods.

Both visits to and waiting times at already-crowded DMVs will doubtless skyrocket when the regulations are in full effect.

Moreover, the regulations provide flexibility only for extraordinary circumstances. As the ACLU has noted, this exception, while it won't help the ordinary citizen at all, does create a loophole that identity thieves and other criminals could potentially exploit.

DHS has conceded that the cost to the states will range from $10.7 billion to $14.6 billion, and individuals will have to cover an additional $7.8 billion in costs. These additional costs could bring the total cost for Real ID up to a reported $23 billion. (No wonder many states have balked at the prospect of implementing REAL ID. Some have even passed legislation on the topic -- as I'll detail below.)

DHS Should Have Exempted Government Benefits Facilities

Another problem with the Act and regulations derives from the requirement that a REAL ID driver's license must be used for several "official purposes." The law itself lists several such purposes, including accessing a federal facility. In the proposed rule, DHS suggests it will stick to the listed purposes for now, but may consider expanding the list through future rulemakings.

The problem with the "federal facilities" provision is that the very people who may have the greatest difficulty complying with the Act by providing verification documents - the poor, lawful immigrants, refugees, elderly people, and transient or homeless people - may also be most in need of the benefits and services offered at federal facilities.

Thus, Congress or DHS should have exempted federal facilities administering entitlement programs from the REAL ID requirement. No one should be denied a Social Security check due to heightened REAL ID formalities.

The States' -- and Some Congresspersons' - Objections to REAL ID

In January, the Maine legislature passed a resolution rejecting participation in the REAL -ID scheme. Arkansas and Idaho have also followed suit and other states are considering resolutions or legislation rejecting REAL ID.

These resolutions may have little practical force, however, as the federal government has the power to condition states' receipt of federal monies on their compliance with federal law. Still, they represent a genuine and strong discontent with REAL ID at the state and grassroots levels - a discontent that Congress and DHS ought to heed.

Some in Congress, at least, seem to be listening. Senators Daniel Akaka (D-HI), John Sununu (R-NH), and Representative Tom Allen (D-ME) have introduced legislation to provide privacy safeguards to the Real ID Act. Their bills would prohibit the use of REAL-ID license data by third parties, require data encryption, and preserve any state privacy laws that may provide greater protections than REAL ID and its implementing regulations would provide. There is a real fear that private parties such as insurance companies, educational institutions or employers, could use REAL ID licenses for identity verification and other purposes.

Why States Believe They May Not Be Able to Comply On Time

States also complain that they are being forced to comply much too quickly. The initial deadline was May 11, 2008. An extension has been granted so that some states are allowed to begin issuing compliant licenses no later than January 1, 2010 -- in most cases with a roll-out of new licenses as they expire. All licenses and identification cards from each State must be compliant by May 10, 2013.

States have pointed out how much they are being required to do by REAL ID and its regulations: adopt conforming legislation, receive federal funding, and honor procurement processes to implement the far-reaching changes of the Act. They therefore have argued that a 2016 deadline is far more realistic than the 2013 deadline.

What is taking the states so long? One answer is that they need to first construct large, complex

database systems, and, second, employ them in checking on a tremendous number of licenses. This is a massive amount of detail-oriented work. Moreover, the existing databases simply will not suffice to allow states to truly comply with the Act.

It's Time to Comment Critically Upon the DHS Regulations

The only good news here is that these flawed regulations are only proposed; they have not yet been finalized. Now is the time to speak up, and make sure that the regulations address the serious concerns that have been raised.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.

Ads by FindLaw