<<< Date Index >>>     <<< Thread Index >>>

[IP] real ID CRYPTO-GRAM, May 15, 2005





Begin forwarded message:

                 CRYPTO-GRAM

                 May 15, 2005

              by Bruce Schneier
               Founder and CTO
      Counterpane Internet Security, Inc.
           schneier@xxxxxxxxxxxxxxx
           <http://www.schneier.com>
          <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/ crypto-gram.html>.

Or you can read this issue on the web at <http://www.schneier.com/ crypto-gram-0505.html>.

Schneier also publishes these same essays in his blog: <http:// www.schneier.com/blog>. An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
     Blog: Schneier on Security
     REAL ID
     Should Terrorism be Reported in the News?
     New Risks of Automatic Speedtraps
     Crypto-Gram Reprints
     Detecting Nuclear Material in Transport
     The Potential for an SSH Worm
     News
     Biometric Passports in the U.K.
     Lighters Banned on Airplanes
     Counterpane News
     Wi-Fi Minefields
     The PITAC Report on CyberSecurity
     State-Sponsored Identity Theft
     Combating Spam
     Comments from Readers


** *** ***** ******* *********** *************

          Blog: Schneier on Security



For eight months now, I have maintained a blog. It's basically the same stuff you read in Crypto-Gram, only it comes out every day instead of once a month. And I try to revise what I write there when I include it here. Check it out if you're interested.

<http://www.schneier.com/blog>


** *** ***** ******* *********** *************

                   REAL ID



The United States will get a national ID card. The REAL ID Act establishes uniform standards for state driver's licenses, to go into effect in three years, effectively creating a national ID card. It's a bad idea, and is going to make us all less safe. It's also very expensive. And it all happened without any serious debate in Congress.

I've already written about national IDs. I've written about the fallacies of identification as a security tool. I'm not going to repeat myself here, and I urge everyone who is interested to read those essays (links at the end). Remember, the question to ask is not whether a national ID will do any good; the question to ask is whether the good it does is worth the cost. By that measure, a national ID is a lousy security trade-off. And everyone needs to understand why.

Aside from the generalities in my previous essays, there are specifics about REAL ID that make for bad security.

The REAL ID Act requires driver's licenses to include a "common machine-readable technology." This will, of course, make identity theft easier. Already some hotels take photocopies of your ID when you check in, and some bars scan your ID when you try to buy a drink. Since the U.S. has no data protection law, those businesses are free to resell that data to data brokers like ChoicePoint and Acxiom. And they will; it would be bad business not to. It actually doesn't matter how well the states and federal government protect the data on driver's licenses, as there will be parallel commercial databases with the same information.

(Those who point to European countries with national IDs need to pay attention to this point. European countries have a strong legal framework for data privacy and protection. This is why the American experience will be very different than the European experience, and a much more serious danger to society.)

Even worse, there's likely to be an RFID chip in these licenses. The same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver's licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).

REAL ID requires that driver's licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police -- even undercover police officers. This seems like a major unnecessary security risk.

REAL ID also prohibits states from issuing driver's licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses -- which isn't going to help anyone's security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)

REAL ID is expensive. It's an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I've seen estimates that the cost to the states of complying with REAL ID will be tens of billions. That's money that can't be spent on actual security.

And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver's licenses, the security measures recommended by the 9/11 Commission Report. That's already done. It's already law.

REAL ID goes way beyond that. It's a huge power-grab by the federal government over the states' systems for issuing driver's licenses.

REAL ID doesn't go into effect until three years after it becomes law, but I expect things to be much worse by then. One of my fears is that this new uniform driver's license will bring a new level of "show me your papers" checks by the government. Already you can't fly without an ID, even though no one has ever explained how that ID check makes airplane terrorism any harder. I have previously written about Secure Flight, another lousy security system that tries to match airline passengers against terrorist watch lists. I've already heard rumblings about requiring states to check identities against "government databases" before issuing driver's licenses. I'm sure Secure Flight will be used for cruise ships, trains, and possibly even subways. Combine REAL ID with Secure Flight and you have an unprecedented system for broad surveillance of the population.

Is there anyone who would feel safer under this kind of police state?

Americans overwhelmingly reject national IDs in general, and there's an enormous amount of opposition to the REAL ID Act.

If you haven't heard much about REAL ID in the newspapers, that's not an accident. The politics of REAL ID was almost surreal. It was voted down last fall, but was reintroduced and attached to legislation that funds military actions in Iraq. This was a "must- pass" piece of legislation, which means that there was no debate on REAL ID. No hearings, no debates in committees, no debates on the floor. Nothing. And it's now law.

We're not defeated, though. REAL ID can be fought in other ways: via funding, in the courts, etc. Those seriously interested in this issue are invited to attend an EPIC-sponsored event in Washington, DC, on the topic on June 6th. I'll be there.

Text of the REAL ID Act:
<http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00418:>

Congressional Research Services analysis:
<http://www.eff.org/Activism/realid/analysis.pdf>

My previous writings on identification and national IDs:
<http://www.schneier.com/crypto-gram-0404.html#1>
<http://www.schneier.com/crypto-gram-0402.html#6>
<http://www.schneier.com/crypto-gram-0112.html#1>

Security problems with RFIDs:
<http://www.schneier.com/crypto-gram-0410.html#3>

My previous writings on Secure Flight:
<http://www.schneier.com/crypto-gram-0502.html#1>

Resources:
<http://www.epic.org/privacy/id_cards/>
<http://www.unrealid.com/>

EPIC's Washington DC event:
<http://www.epic.org/events/id/savethedate.html>



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/