Religion, Politics and World Events They make great dinner conversation, don't you think? plus Political Film

DHS offers details on Real ID

Old 03-02-07, 11:00 AM
Thread Starter
nemein's Avatar
Join Date: Sep 1999
Location: 1bit away from total disaster
Posts: 34,141
DHS offers details on Real ID

Homeland Security offers details on Real ID

By Declan McCullagh

Story last modified Fri Mar 02 03:35:33 PST 2007

Hundreds of millions of Americans will have until 2013 to be outfitted with new digital ID cards, the Bush administration said on Thursday in a long-awaited announcement that reveals details of how the new identification plan will work.
The announcement by the U.S. Department of Homeland Security offers a five-year extension to the deadline for states to issue the ID cards, and proposes creating the equivalent of a national database that would include details on all 240 million licensed drivers.

According to the draft regulations (PDF), which were required by Congress in the 2005 Real ID Act and are unlikely to assuage privacy and cost concerns raised by state legislatures:

The Real ID cards must include all drivers' home addresses and other personal information printed on the front and in a two-dimensional barcode on the back. The barcode will not be encrypted because of "operational complexity," which means that businesses like bars and banks that require ID would be capable of scanning and recording customers' home addresses.

A radio frequency identification (RFID) tag is under consideration. Homeland Security is asking for input on how the licenses could incorporate "RFID-enabled vicinity chip technology, in addition to" the two-dimensional barcode requirement.

States must submit a plan of how they'll comply with the Real ID Act by October 7, 2007. If they don't, their residents will not be able to use IDs to board planes or enter federal buildings starting on May 11, 2008.

Homeland Security is considering standardizing a "unique design or color for Real ID licenses," which would effectively create a uniform national ID card.

Thursday's draft regulations arrive amid a groundswell of opposition to the Real ID Act from privacy groups, libertarians and state officials. On Wednesday, the National Governors Association endorsed a bill by Sen. Susan Collins, a Maine Republican, that would reduce Homeland Security's power to order states to comply with the law.

The draft rules, which are not final and will be subject to a public comment period, also include a more detailed estimate of how much it will cost to comply. The National Conference of State Legislatures and other state groups estimated last year that states will have to spend more than $11 billion. But Homeland Security says the total cost--including the cost to individuals--will be $23.1 billion over a 10-year period.

Another section of the 162-page regulations says that states have until December 31, 2009, to certify that they're on the path toward fully complying with the Real ID Act.

Push for repeal continues
Opponents of the Real ID Act, who have been advising states to publicly oppose the system, said that the draft rules are insufficiently privacy-protective and reiterated their call for a repeal of the entire law.

"We still need dramatic legislative action from Congress," said Tim Sparapani, legislative counsel for the ACLU, which runs the site. "We've got to wipe out the underlying act."

Sparapani and his allies of more than 50 groups, including the National Organization for Women and United Automobile Workers, sent a letter (PDF) on Monday endorsing a bill to repeal the Real ID Act. The letter says it was a "poorly-conceived law that can never be made to work in any fair or reasonable manner."

The ACLU believes Collins' bill is only a half-hearted step that doesn't go as far as it should. Other proposals include one from Rep. Thomas Allen, a Maine Democrat, that would rewrite the Real ID Act, insert privacy safeguards, and hand $2.4 billion to states over an eight-year period. On Wednesday, Sen. John Sununu, a New Hampshire Republican, and Daniel Akaka, a Hawaii Democrat, reintroduced a broader bill to repeal portions of the existing law.

Some state governments, such as Maine, already have come out against the Real ID Act--a move that effectively dares the federal government to continue even when some states refuse to participate. At least eight states (including Arizona, Georgia, and Vermont) have had anti-Real ID bills approved by one or both chambers of the legislature.

For their part, proponents of the Real ID Act say it's designed to implement proposals suggested by the 9/11 Commission, which noted that some of the hijackers on September 11, 2001, had fraudulently obtained state driver's licenses. But not all did: at least one hijacker simply showed his foreign passport and walked onto the airplane that day.

"Raising the security standards on driver's licenses establishes another layer of protection to prevent terrorists from obtaining and using fake documents to plan or carry out an attack," Homeland Security Secretary Michael Chertoff said in a statement. "These standards correct glaring vulnerabilities exploited by some of the 9/11 hijackers who used fraudulently obtained drivers licenses to board the airplanes in their attack against America."

A 23-page report released this week by Janice Kephart, a former lawyer with the 9/11 Commission, defended the Real ID Act by calling it a "significant step in enhancing our national and economic security and our public safety." Kephart is now president of 9/11 Security Solutions.

States bowing out of Real ID requirements is "not the way to secure America," the report says. "Embedding identity security into state-issued (ID card) systems will take significant planning to fulfill the requirements of Real ID and significant financial resources for the 'brick and mortar' start-up costs. Congress must step up to the plate and make securing of identity documents the national priority that our citizens deserve."

The Real ID Act passed Congress as part of an $82 billion military spending bill that also included funds for tsunami relief. No up-or-down vote on solely the Real ID Act took place in the entire Congress, though the House of Representatives did approve the rules by a 261-161 vote.
Here's the official info from DHS

So what do you think... good idea/bad idea? Will it really help w/ security or is it a waste of money (I'm leaning towards the latter myself but I haven't read all the reasoning behind it yet)? Either way, call me paranoid, but I've already picked up an anti-RFID wallet
nemein is offline  
Old 03-02-07, 11:02 AM
Thread Starter
nemein's Avatar
Join Date: Sep 1999
Location: 1bit away from total disaster
Posts: 34,141
Here's an interesting analysis by computer security expert Bruce Schneier from his crypto-gram monthly newsletter

Originally Posted by Bruce Schneier
Real-ID: Costs and Benefits

The argument was so obvious it hardly needed repeating. Some thought we
would all be safer -- *from terrorism, from crime, even from
inconvenience -- *if we had a better ID card. A good, hard-to-forge
national ID is a no-brainer (or so the argument goes), and it's
ridiculous that a modern country like the United States doesn't have one.

Still, most Americans have been and continue to be opposed to a national
ID card. Even just after 9/11, polls showed a bare majority (51%) in
favor -- and that quickly became a minority opinion again. As such, both
political parties came out against the card, which meant that the only
way it could become law was to sneak it through.

Republican Cong. F. James Sensenbrenner of Wisconsin did just that. In
February 2005, he attached the Real ID Act to a defense appropriations
bill. No one was willing to risk not supporting the troops by holding up
the bill, and it became law. No hearings. No floor debate. With nary a
whisper, the United States had a national ID.

By forcing all states to conform to common and more stringent rules for
issuing driver's licenses, the Real ID Act turns these licenses into a
de facto national ID. It's a massive, unfunded mandate imposed on the
states, and -- naturally -- the states have resisted. The detailed rules
and timetables are still being worked out by the Department of Homeland
Security, and it's the details that will determine exactly how expensive
and onerous the program actually is.

It is against this backdrop that the National Governors Association, the
National Conference of State Legislatures, and the American Association
of Motor Vehicle Administrators together tried to estimate the cost of
this initiative. "The Real ID Act: National Impact Analysis" is a
methodical and detailed report, and everything after the executive
summary is likely to bore anyone but the most dedicated bean counters.
But rigor is important because states want to use this document to
influence both the technical details and timetable of Real ID. The
estimates are conservative, leaving no room for problems, delays, or
unforeseen costs, and yet the total cost is $11 billion over the first
five years of the program.

If anything, it's surprisingly cheap: Only $37 each for an estimated 295
million people who would get a new ID under this program. But it's still
an enormous amount of money. The question to ask is, of course: Is the
security benefit we all get worth the $11 billion price tag? We have a
cost estimate; all we need now is a security estimate.

I'm going to take a crack at it.

When most people think of ID cards, they think of a small plastic card
with their name and photograph. This isn't wrong, but it's only a small
piece of any ID program. What starts out as a seemingly simple security
device -- a card that binds a photograph with a name -- becomes a
complex security system.

It doesn't really matter how well a Real ID works when used by the
hundreds of millions of honest people who would carry it. What matters
is how the system might fail when used by someone intent on subverting
that system: how it fails naturally, how it can be made to fail, and how
failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make
it, it will be forged. We can raise the price of forgery, but we can't
make it impossible. Real IDs will be forged.

Even worse, people will get legitimate cards in fraudulent names. Two of
the 9/11 terrorists had valid Virginia driver's licenses in fake names.
And even if we could guarantee that everyone who issued national ID
cards couldn't be bribed, cards are issued based on other identity
documents -- all of which are easier to forge.

And we can't assume that everyone will always have a Real ID. Currently
about 20% of all identity documents are lost per year. An entirely
separate security system would have to be developed for people who lost
their card, a system that itself would be susceptible to abuse.

Additionally, any ID system involves people: people who regularly make
mistakes. We've all heard stories of bartenders falling for obviously
fake IDs, or sloppy ID checks at airports and government buildings. It's
not simply a matter of training; checking IDs is a mind-numbingly boring
task, one that is guaranteed to have failures. Biometrics such as
thumbprints could help, but bring with them their own set of exploitable
failure modes.

All of these problems demonstrate that identification checks based on
Real ID won't be nearly as secure as we might hope. But the main problem
with any strong identification system is that it requires the existence
of a database. In this case, it would have to be 50 linked databases of
private and sensitive information on every American -- one widely and
instantaneously accessible from airline check-in stations, police cars,
schools, and so on.

The security risks of this database are enormous. It would be a kludge
of existing databases that are incompatible, full of erroneous data, and
unreliable. Computer scientists don't know how to keep a database of
this magnitude secure, whether from outside hackers or the thousands of
insiders authorized to access it.

But even if we could solve all these problems, and within the putative
$11 billion budget, we still wouldn't be getting very much security. A
reliance on ID cards is based on a dangerous security myth, that if only
we knew who everyone was, we could pick the bad guys out of the crowd.

In an ideal world, what we would want is some kind of ID that denoted
intention. We'd want all terrorists to carry a card that said "evildoer"
and everyone else to carry a card that said "honest person who won't try
to hijack or blow up anything." Then security would be easy. We could
just look at people's IDs, and, if they were evildoers, we wouldn't let
them on the airplane or into the building.

This is, of course, ridiculous; so we rely on identity as a substitute.
In theory, if we know who you are, and if we have enough information
about you, we can somehow predict whether you're likely to be an
evildoer. But that's almost as ridiculous.

Even worse, as soon as you divide people into two categories -- more
trusted and less trusted people -- you create a third, and very
dangerous, category: untrustworthy people whom we have no reason to
mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC,
snipers; the London subway bombers; and many of the 9/11 terrorists had
no previous links to terrorism. Evildoers can also steal the identity --
and profile -- of an honest person. Profiling can result in less
security by giving certain people an easy way to skirt security.

There's another, even more dangerous, failure mode for these systems:
honest people who fit the evildoer profile. Because evildoers are so
rare, almost everyone who fits the profile will turn out to be a false
alarm. Think of all the problems with the government's no-fly list. That
list, which is what Real IDs will be checked against, not only wastes
investigative resources that might be better spent elsewhere, but it
also causes grave harm to those innocents who fit the profile.

Enough of terrorism; what about more mundane concerns like identity
theft? Perversely, a hard-to-forge ID card can actually increase the
risk of identity theft. A single ubiquitous ID card will be trusted more
and used in more applications. Therefore, someone who does manage to
forge one -- or get one issued in someone else's name -- can commit much
more fraud with it. A centralized ID system is a far greater security
risk than a decentralized one with various organizations issuing ID
cards according to their own rules for their own purposes.

Security is always a trade-off; it must be balanced with the cost. We
all do this intuitively. Few of us walk around wearing bulletproof
vests. It's not because they're ineffective, it's because for most of us
the trade-off isn't worth it. It's not worth the cost, the
inconvenience, or the loss of fashion sense. If we were living in a
war-torn country like Iraq, we might make a different trade-off.

Real ID is another lousy security trade-off. It'll cost the United
States at least $11 billion, and we won't get much security in return.
The report suggests a variety of measures designed to ease the financial
burden on the states: extend compliance deadlines, allow manual
verification systems, and so on. But what it doesn't suggest is the
simple change that would do the most good: scrap the Real ID program
altogether. For the price, we're not getting anywhere near the security
we should.

This essay will appear in the March/April issue of "The Bulletin of
Atomic Scientists."


The REAL-ID Act: National Impact Analysis:

There's REAL-ID news. Maine became the first state to reject REAL-ID.
This means that a Maine state driver's license will not be recognized as
valid for federal purposes, although I'm sure the Feds will back down
over this. My guess is that Montana will become the second state to
reject REAL-ID, and New Mexico will be the third.

More info on REAL-ID:
nemein is offline  
Old 03-02-07, 11:47 AM
Join Date: Dec 2006
Posts: 74
Big Brother is watching. I already dislike it when business such as Best Buy ask me for my home phone number when I'm paying cash. They don't need it, and won't get it. We appear to be giving away too much in the name of security and safety, and will this measure really help in that regard anyway? We're giving into fear. It looks like the terrorists are winning this particular war.

It's really too bad that we chose to fight Iraq, rather then terrorism.
Disc Jockey is offline  
Old 03-02-07, 12:13 PM
DVD Talk Legend
Join Date: Jan 2001
Location: is everything
Posts: 17,990
The Real ID cards must include all drivers' home addresses and other personal information printed on the front and in a two-dimensional barcode on the back. The barcode will not be encrypted because of "operational complexity," which means that businesses like bars and banks that require ID would be capable of scanning and recording customers' home addresses.
are you fucking kidding me?

Now any jackass with a cellphone camera will be able to steal my identity
Iron Chef is offline  
Old 03-02-07, 12:19 PM
Thread Starter
nemein's Avatar
Join Date: Sep 1999
Location: 1bit away from total disaster
Posts: 34,141
Actually if your DL has a 2d barcode on it chances are it's already on there. The address atleast. Check this out
nemein is offline  
Old 03-02-07, 12:21 PM
DVD Talk Legend
Join Date: Jan 2000
Location: Work. Or commuting. Certainly not at home.
Posts: 17,816
This is even worse than I thought it would be when I heard they were coming out with rules. It's fucking nuts. And, as pointed out above, it's going to be just as suceptible to fakery as our current system is, so what's the point? So they look like they're doing something?

This all doesn't take into account the nightmare that will be the DMV offices over the period when everyone is supposed to "transition" into the National ID Card.
wildcatlh is offline  
Old 03-02-07, 12:23 PM
DVD Talk Legend
Join Date: Jan 2001
Location: is everything
Posts: 17,990
This will not make our country safer by any means because it will only be a matter of time before these IDs are faked in massive quantities.

How long will it be before we're required to show our papers anytime we're told to?

How long before there are ID checkpoints at state borders?

If the Democratically controlled congress really wanted to, they could stop this.

As a side note, here is a page all about 2D barcodes:
Iron Chef is offline  
Old 03-02-07, 12:33 PM
DVD Talk Limited Edition
Nazgul's Avatar
Join Date: Jan 2001
Location: Jayhawk Central, Kansas
Posts: 7,125
Originally Posted by Iron Chef
How long will it be before we're required to show our papers anytime we're told to?

How long before there are ID checkpoints at state borders?
Nazgul is offline  
Old 03-02-07, 12:45 PM
DVD Talk Godfather
DVD Polizei's Avatar
Join Date: Jan 2002
Posts: 52,513
Why not just make a border with guards on it. Oh wait, that's racist. Let's just cattle-ize everyone.

Ok, Bush has been called a Nazi many times by the Left,'s getting harder to retort that argument.

Last edited by DVD Polizei; 03-02-07 at 12:49 PM.
DVD Polizei is offline  
Old 03-02-07, 01:48 PM
Mod Emeritus
Join Date: Feb 1999
Location: Gone to the islands - 'til we meet again.
Posts: 19,053
Originally Posted by Iron Chef
are you fucking kidding me?

Now any jackass with a cellphone camera will be able to steal my identity
According to the article, the barcode will duplicate the information on the front of the card. If that's correct, then anyone with a camera could already steal that information.
Dead is offline  

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off

Thread Tools
Search this Thread

Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service

Copyright 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.