By Martin H. Bosworth

March 1, 2007
In the face of pressure by Congress and state governments to roll back or delay the controversial "REAL ID" national driver's license program, Department of Homeland Security secretary Michael Chertoff has issued new guidelines for how to implement the program, as well as agreeing to extend the deadline for implementation past May 2008, the original deadline.

The 162-page "Notice of Proposed Rulemaking" contains rules for states to meet the requirements of the REAL ID act, including implementing physical and electronic safeguards for both the cards and locations for where they are issued, as well as rules for verifying the information provided by applicants to "ensure their identity and lawful status" in the United States, according to DHS' press release.

DHS also said that it would grant states that were having difficulty meeting the deadline a stay until December 31, 2009.

"Raising the security standards on driver's licenses establishes another layer of protection to prevent terrorists from obtaining and using fake documents to plan or carry out an attack," Chertoff said. "These standards correct glaring vulnerabilities exploited by some of the 9/11 hijackers who used fraudulently obtained drivers licenses to board the airplanes in their attack against America."

The REAL ID program was proposed to create national common standards for state drivers' licenses, including common "machine readibility" across the different states, and creating a linked database to store the information.

State governors and legislatures have objected to the plan as an "unfunded mandate," requiring them to spend tens of millions of dollars of their own money to upgrade their respective drivers' license-issuing facilities, and privacy advocates have decried the plan as a potential goldmine for identity thieves and cybercriminals.

Maine's state legislature voted to oppose the REAL ID act in January, 2007, and several other states quickly drafted legislation to oppose the act or decline participation, including Arizona, Georgia, Hawaii, Massachusetts, Missouri, New Hampshire, Oklahoma, Utah and Wyoming.

In response, DHS agreed to set May 2008 as the beginning of a "phase-in" period for implementation of the program, with full compliance expected by May 2013.

According to the DHS guidance, "All driver's licenses and identification cards that are intended to be accepted for official purposes as defined in these regulations must be REAL ID licenses and identification cards by May 11, 2013."

A survey conducted by the National Conference of State Legislators, the National Governors' Association, and the American Motor Vehicles Administrators concluded that the plan may cost states as much as $11 billion to implement if carried out within five years. DHS has said that it would set aside up to 20 percent of its state antiterrorism funding to help cover the costs of the REAL ID project.

Privacy Concerns

Privacy and civil rights advocates have objected to the REAL ID plan on grounds that a nationally linked database of drivers' license information would be easy prey for government surveillance or private data-mining companies, as well as for identity thieves and hackers looking to harvest information.

Objections were also raised over the possibility of embedding the new licenses with radio-frequency identifier (RFID) chips to ensure their readability by machines. RFID technology has been frequently criticized as both invasive to privacy and easy for hackers to break into.

Security expert Bruce Schneier, an open opponent of the REAL ID plan, has said that a universal driver's license would actually be easier to forge because it would be so ubiquitous.

"A centralized ID system is a far greater security risk than a decentralized one with various organizations issuing ID cards according to their own rules for their own purposes," he wrote.

Even supporters of strong measures against terrorism have balked at the potential problems with REAL ID. Sen. Joe Lieberman (I-CT), chairman of the Senate Homeland Security committee was quoted as saying that the program was overly burdensome, possibly unworkable, and may actually increase a terrorist's ability to commit identity theft."

"DHS expects that any system developed for purposes of the REAL ID Act will build in appropriate privacy and security mechanisms to reduce the risk of unauthorized access, misuse, fraud, and identity theft," the agency said in its guidance notice.

"DHS believes that protecting the privacy of the personal information associated with implementation of the REAL ID Act is critical to maintaining the public trust that Government can provide basic services to its citizens while preserving their privacy."

The full DHS notice is available online (pdf file).