States are revving up their opposition to the "REAL ID" national driver's license program.

At least 33 states are pushing for laws or resolutions blocking the program, the Senate recently held hearings on its implications for civil liberties, and the Department of Homeland Security's own privacy department gave the initiative the thumbs-down.

At Senate Judiciary Committee hearings yesterday, Jim Harper, policy analyst for the libertarian Cato Institute, testified that the program was a "dead letter." Harper criticized DHS for not providing strong federal guidelines for privacy and security for the program, leaving it to the states to handle.

"Were they to comply with the REAL ID Act, states would have to cross a mine-field of complicated and expensive technology decisions," Harper testified. "They would face enormous, possibly insurmountable, privacy and data security challenges.

"But the Department of Homeland Security avoided these issues by carefully observing the constraints of federalism even though the REAL ID law was crafted specifically to destroy the distinctions between state and federal responsibilities."

Senate Judiciary chair Patrick Leahy, whose home state of Vermont has expressed opposition to the program, shared his own criticisms.

"While the Federal government dictates responsibilities for what has traditionally been a State function and adding layers of bureaucracy and regulation to effectively create a national identification card there is no help in footing these hefty bills," Leahy said.

Most recently, Montana, and Washington have passed state laws rejecting participation in the REAL ID program, joining a chorus of governors and state legislatures that are protesting the financial burden of upgrading their motor vehicle agencies to handle REAL ID compliance.

Although DHS has appropriated $40 million to help develop procedures for the program, the bulk of the funding will come from the states -- and they're not happy about it.

At a town hall meeting convened in Davis, California to discuss REAL ID, DHS Assistant Secretary Richard Barth got an earful from angry protesters who called the program "racist" and said it would single out immigrants. Under REAL ID, only those with a REAL ID-certified license could enter federal buildings or board airplanes.

"We are trying to make sure no state is the weakest link in letting people do things they shouldn't do, whether that is boarding an airplane, or any other activity we want to prevent," Barth told the audience. "This is not a national ID card."

Dissent At DHS

But even parts of the Homeland Security juggernaut are at odds over the implications of REAL ID. The Data Privacy And Integrity Advisory Committee issued a series of comments on May 7 on REAL ID, stating that DHS' prior efforts to address privacy and security concerns were insufficient.

"Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate," the committee wrote (pdf file).

The committee, chaired by DHS Privacy Officer Hugo Teufel, recommended stronger minimum security standards for states to adhere to, as well as limiting "secondary uses" of information collected from the REAL ID authorization process for drivers' licenses.

DHS had previously issued a "Notice of Proposed Rulemaking" to address the privacy issues raised by REAL ID and opened a comment period to solicit opinions from the public. Organizations opposing REAL ID such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) put out calls for Americans to submit comments against the act. The comment period closed Tuesday, May 8.

The ACLU's "Real Nightmare" Web site said that the REAL ID card was "a genuine national identity card and [would] impose numerous new burdens on taxpayers, citizens, immigrants, and state governments while doing nothing to protect against terrorism."

Security Failures

Privacy analysts and security experts have criticized the REAL ID act for creating new vulnerabilities for consumers to identity theft, fraud, and data breaches. The sharing of personal information across interlinked databases, collected through extensive gathering of "breeder documents" such as birth certificates and passports, and presented in public at motor vehicle agencies, represents a "gold mine" for hackers, fraudsters, and cybercriminals.

Security analyst Bruce Schneier, who also testified before the Senate Judiciary Committee, said that the security risks of the overall REAL ID database were "enormous."

"The daily stories we see about leaked personal information demonstrate that we do not know how to secure these large databases against outsiders, to say nothing of the tends of thousands of insiders authorized to access it," Schneier testified.