Federal ID Act May Be Flawed
A federal law designed to make it harder to assume someone else’s identity may instead have the opposite effect, critics of the measure say.
The Real ID Act, attached to a crucial bill for military spending and tsunami relief that was signed by President Bush on May 11, sets new rules for issuing driver’s licenses and requires states to share electronic access to their records.
The standards are intended to weed out impostors applying for licenses, in part by requiring state employees to check on the validity of birth certificates and other supporting documents. After states adopt the necessary changes, anyone applying for or renewing a license will get one reflecting the new standards.
But once the law takes full effect three years from now, it will also give many more bureaucrats access to personal information on people nationwide. And it will add more data to each file -- including digital copies of documents with birth and address information.
To some industry experts and activists concerned about the fast-growing crime of identity theft, putting so much data before more eyes guarantees abuse at a time when people are increasingly concerned about who sees their personal information and how it gets used.
“It’s a gigantic treasure trove for those who are bent on obtaining data for the purpose of creating fake identities,” said Beth Givens of the nonprofit Privacy Rights Clearinghouse. Armed with a stranger’s name, Social Security number and date of birth, it’s not hard for fraudsters to take out bogus loans that can wreck a victim’s credit record.
The new licenses themselves must contain some data -- as yet unspecified -- that can be scanned electronically by a device like a credit card reader. Virtually all states make machine-readable cards now, but they use differing technologies.
Critics predict the standardization will prompt many more merchants to scan customer licenses and then pass on the information to such data brokers as ChoicePoint Inc. and LexisNexis. The databases of both ChoicePoint and LexisNexis have been exploited by identity thieves.
“There’s no data-protection law, so it can be sold to companies like ChoicePoint,” said Bruce Schneier, the author of several books on security technology. “It would be silly not to, since it’s a revenue stream.”
The concerns of privacy advocates got little airing before the bill became law, and some are already working to overturn it with new legislation of their own.
Debate on the measure was sharply limited by political maneuvering, and other issues raised by the act drew more fire. Greater attention went to the bill’s changes in the procedures for people requesting political asylum, its treatment of other immigrants, and what some decried on civil liberties grounds as a move toward a national identification card.
But the more basic provisions in the law might have the most profound effect on ordinary Americans already beset by a rising tide of identity theft and related credit card fraud.
“We will have all this information in one electronic format, in one linked file, and we’re giving access to tens of thousands of state DMV employees and federal agents,” said American Civil Liberties Union Legislative Counsel Timothy Sparapani.
Others opposed to the bill include the American Conservative Union, the National Organization for Women and the National Governors Assn., which objects to the required increases in state spending.
The bill was introduced by House Judiciary Committee Chairman F. James Sensenbrenner Jr. (R-Wis.), following a recommendation of the 9/11 Commission that the country strengthen its means for identifying people. Noting that some of the 9/11 hijackers held fraudulent papers that helped them rent cars and board planes, the panel wrote that “sources of identification are the last opportunity to ensure that people are who they say they are.”
Commission member Slade Gorton said the act fulfilled the group’s objective.
Even some who fault other provisions of the law, including a national group of state driver’s license officials, agree that it soon will be harder for impersonators to get licenses.
Just the new mandatory background checks on DMV employees “can make a huge impact,” said Jason King, a spokesman for the American Assn. of Motor Vehicle Administrators.
But others say that merely making licenses harder to obtain raises a new set of problems. Among them: While trust in the new cards will be higher, fraud won’t be eliminated completely. Applicants still aren’t required to produce a photo ID to get a license, and foreign passports -- available in some countries for cash under the table -- are acceptable as proof of identity.
Real U.S. birth certificates, another common proof of identity, can be sent to the wrong person after a modest amount of subterfuge, said Joseph Eaton, an emeritus professor at the University of Pittsburgh and author of a 2003 book arguing in favor of a national ID.
The National Academy of Sciences concluded in a 2002 study that keeping any national ID system secure would be even harder than building one.
Yet with more faith placed in the new cards, whoever gets a fake will be able to accomplish more with it.
“It builds a purported real identity on a document that we all know is built on fragile documents,” said Robert Ellis Smith, publisher of Privacy Journal. “Without strengthening the supporting documents, you don’t develop a real ID at all.”
Smith opposes any attempt to fashion a national identity card.
Sensenbrenner spokesman Jeff Lungren acknowledged the concern and said those who accept the identification should avoid letting their guard down. But he said the risk was outweighed by the prospect of more secure identification for more people.
Corruption and theft are already big problems at state licensing agencies.
In April, for instance, a programmer working for the state of Georgia was charged with accessing that state’s driver’s license database for reasons that haven’t been disclosed.
In a more dramatic incident a month earlier, someone crashed a vehicle through the glass window of a state office in North Las Vegas and made off with the physical materials for making licenses plus a camera, a printer and a computer containing information on 8,738 drivers.
More typically, low-level state employees take money to issue licenses improperly.
A 2004 survey of the previous year’s news accounts by the nonprofit Center for Democracy and Technology found licenses-for-bribes schemes in Nevada, New York, Pennsylvania, Indiana, Virginia, North Carolina, South Carolina, Louisiana, Arkansas, and the District of Columbia. In New Jersey, a fraud scheme led to the firing of all 11 DMV employees in one Newark office.
Workers also leak address, Social Security and other information for cash to private detectives, bill collectors and the like, a problem Nevada DMV spokesman Tom Jacobs said probably would increase as information became available from other states’ databases.
“With the records all connected, there may be more temptation to run afoul of the law,” Jacobs said.
