According to the Associated Press:
State motor vehicle officials nationwide who will have to carry out the Real ID Act say its authors grossly underestimated its logistical, technological and financial demands.
In a comprehensive survey obtained by The Associated Press and in follow-up interviews, officials cast doubt on the states’ ability to comply with the law on time and fretted that it will be a budget buster.
I’ve already written about REAL ID, including the obscene costs:
REAL ID is expensive. It’s an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I’ve seen estimates that the cost to the states of complying with REAL ID will be $120 million. That’s $120 million that can’t be spent on actual security.
According to the AP, I was way off:
Pennsylvania alone estimated a hit of up to $85 million. Washington state projected at least $46 million annually in the first several years.
Separately, a December report to Virginia’s governor pegged the potential price tag for that state as high as $169 million, with $63 million annually in successive years. Of the initial cost, $33 million would be just to redesign computing systems.
Remember, security is a trade-off. REAL ID is a bad idea primarily because the security gained is not worth the enormous expense.
See also the ACLU’s site on REAL ID.
Posted on January 13, 2006 at 1:23 PM •
Unforeseen security effects of weak ID cards:
It can even be argued that the introduction of the photocard licence has encouraged ID fraud. It has been relatively easy for fraudsters to obtain a licence, but because it looks and feels like ‘photo ID’, it is far more readily accepted as proof of identity than the paper licence is, and can therefore be used directly as an ID document or to support the establishment of stronger fraudulent ID, particularly in countries familiar with ID cards in this format, but perhaps unfamiliar with the relative strengths of British ID documents.
During the Commons ID card debates this kind of process was described by Tory MP Patrick Mercer, drawing on his experience as a soldier in Northern Ireland, where photo driving licences were first introduced as an anti-terror measure. This “quasi-identity card… I think—had a converse effect to that which the Government sought… anybody who had such a card or driving licence on their person had a pass, which, if shown to police or soldiers, gave them free passage. So, it had precisely the opposite effect to that which was intended.”
Effectively – as security experts frequently point out – apparently stronger ID can have a negative effect in that it means that the people responsible for checking it become more likely to accept it as conclusive, and less likely to consider the individual bearing it in any detail. A similar effect has been observed following the introduction of chip and PIN credit cards, where ownership of the card and knowledge of the PIN is now almost always viewed as conclusive.
Posted on December 30, 2005 at 1:51 PM •
They actually think this is a good idea:
Miami police announced Monday they will stage random shows of force at hotels, banks and other public places to keep terrorists guessing and remind people to be vigilant.
Deputy Police Chief Frank Fernandez said officers might, for example, surround a bank building, check the IDs of everyone going in and out and hand out leaflets about terror threats.
“This is an in-your-face type of strategy. It’s letting the terrorists know we are out there,” Fernandez said.
The operations will keep terrorists off guard, Fernandez said. He said al-Qaida and other terrorist groups plot attacks by putting places under surveillance and watching for flaws and patterns in security.
Boy, is this one a mess. How does “in-your-face” affect getting the people on your side? What happens if someone refuses to show an ID? What good is demanding an ID in the first place? And if I were writing a movie plot, I would plan my terrorist attack for a different part of town when the police were out playing pretend.
The response from the ACLU of Florida is puzzling, though. Let’s hope he just didn’t understand what was being planned.
EDITED TO ADD (11/29): This article is in error.
EDITED TO ADD (11/30): more info.
Posted on November 29, 2005 at 1:07 PM •
The case for identity cards has been branded “bogus” after an ex-MI5 chief said they might not help fight terror.
Dame Stella Rimington has said most documents could be forged and this would render ID cards “useless”.
She said: “ID cards have possibly some purpose.
“But I don’t think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards.
“My angle on ID cards is that they may be of some use but only if they can be made unforgeable – and all our other documentation is quite easy to forge.
“If we have ID cards at vast expense and people can go into a back room and forge them they are going to be absolutely useless.
“ID cards may be helpful in all kinds of things but I don’t think they are necessarily going to make us any safer.”
Posted on November 18, 2005 at 6:48 AM •
Here’s an Illinois bill that:
Provides that it is unlawful to possess, use, or allow to be used, any materials, hardware, or software specifically designed or primarily used for the reading of encrypted language from the bar code or magnetic strip of an official Illinois Identification Card, Disabled Person Identification Card, driver’s license, or permit.
Full text is here.
Posted on November 11, 2005 at 11:45 AM •
I think this is a harbinger of the future:
A high roller walks into the casino, ever so mindful of the constant surveillance cameras. Wanting to avoid sales pitches and other unwanted attention, he pays cash at each table and anonymously moves around frequently to discourage people who are trying to track his movements.
After a few hours of losses, he goes to the cashier and asks for a cash advance off of his credit card. The card tells the casino his name, but not much else. As is required by card issuers, the cashier asks for some other identification, such as a driver’s license. That license offers the casino a ton of CRM identification goodies, but the cashier is only supposed to glance at the picture and the name to verify identity and hand the license–and its info treasure trove–back to the gambler.
Not any more, at least if a Minneapolis company called Cash Systems Inc. has anything to say about it. The firm was recently awarded a U.S. patent for a device that can grab all of the data of almost any U.S. driver’s license in seconds and instantly dump it into a casino’s CRM system.
On the one hand, the technology isn’t very interesting; it’s probably just a camera and some OCR software optimized for driver’s licenses. But what is interesting is that the technology is available as a mass-market product.
Where else do you routinely show your ID? Who else might want all that information for marketing purposes?
Posted on November 7, 2005 at 7:45 AM •
My fifth column for Wired:
The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn’t have enough of the expertise it needed to do this right.
Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don’t know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.
The State Department’s plan to issue RFID passports by October 2006 is both precipitous and risky. It made a mistake designing this behind closed doors. There needs to be some pretty serious quality assurance and testing before deploying this system, and this includes careful security evaluations by independent security experts. Right now the State Department has no intention of doing that; it’s already committed to a scheme before knowing if it even works or if it protects privacy.
My previous entries on RFID passports are here, here, and here.
Posted on November 3, 2005 at 8:30 AM •
Reuters on the trade-offs of Real ID:
Nobody yet knows how much the Real ID Act will cost to implement or how much money Congress will provide for it. The state of Washington, which has done the most thorough cost analysis, put the bill in that state alone at $97 million in the first two years and believes it will have to raise the price of a driver’s license to $58 from $25.
On the other hand, a secure ID system could save millions in Medicare and Medicaid fraud and combat identity theft.
Why does Reuters think that a better ID card will protect against identity theft? The problem with identity theft isn’t that ID cards are forgeable, it’s that financial institutions don’t check them before authorizing transactions.
Posted on October 14, 2005 at 11:20 AM •
Excellent editorial from The New York Times. (Here’s EPIC’s comments on the issue.)
The ID solves a problem that doesn’t exist.
Posted on September 19, 2005 at 12:31 PM •
Sidebar photo of Bruce Schneier by Joe MacInnis.