[IP] Federal ID Act May Be Flawed

[David Farber <dave@xxxxxxxxxx>]

http://www.latimes.com/business/la-fi-realid31may31.story
Federal ID Act May Be Flawed

The new law could actually increase the risk of a person's identity  
being stolen, critics say.

By Joseph Menn
Times Staff Writer

May 31, 2005

A federal law designed to make it harder to assume someone else's  
identity may instead have the opposite effect, critics of the measure  
say.

The Real ID Act, attached to a crucial bill for military spending and  
tsunami relief that was signed by President Bush on May 11, sets new  
rules for issuing driver's licenses and requires states to share  
electronic access to their records.

The standards are intended to weed out impostors applying for  
licenses, in part by requiring state employees to check on the  
validity of birth certificates and other supporting documents. After  
states adopt the necessary changes, anyone applying for or renewing a  
license will get one reflecting the new standards.

But once the law takes full effect three years from now, it will also  
give many more bureaucrats access to personal information on people  
nationwide. And it will add more data to each file — including  
digital copies of documents with birth and address information.

To some industry experts and activists concerned about the fast- 
growing crime of identity theft, putting so much data before more  
eyes guarantees abuse at a time when people are increasingly  
concerned about who sees their personal information and how it gets  
used.

"It's a gigantic treasure trove for those who are bent on obtaining  
data for the purpose of creating fake identities," said Beth Givens  
of the nonprofit Privacy Rights Clearinghouse. Armed with a  
stranger's name, Social Security number and date of birth, it's not  
hard for fraudsters to take out bogus loans that can wreck a victim's  
credit record.

The new licenses themselves must contain some data — as yet  
unspecified — that can be scanned electronically by a device like a  
credit card reader. Virtually all states make machine-readable cards  
now, but they use differing technologies.

Critics predict the standardization will prompt many more merchants  
to scan customer licenses and then pass on the information to such  
data brokers as ChoicePoint Inc. and LexisNexis. The databases of  
both ChoicePoint and LexisNexis have been exploited by identity thieves.

"There's no data-protection law, so it can be sold to companies like  
ChoicePoint," said Bruce Schneier, the author of several books on  
security technology. "It would be silly not to, since it's a revenue  
stream."

The concerns of privacy advocates got little airing before the bill  
became law, and some are already working to overturn it with new  
legislation of their own.

Debate on the measure was sharply limited by political maneuvering,  
and other issues raised by the act drew more fire. Greater attention  
went to the bill's changes in the procedures for people requesting  
political asylum, its treatment of other immigrants, and what some  
decried on civil liberties grounds as a move toward a national  
identification card.

But the more basic provisions in the law might have the most profound  
effect on ordinary Americans already beset by a rising tide of  
identity theft and related credit card fraud.

"We will have all this information in one electronic format, in one  
linked file, and we're giving access to tens of thousands of state  
DMV employees and federal agents," said American Civil Liberties  
Union Legislative Counsel Timothy Sparapani.

Others opposed to the bill include the American Conservative Union,  
the National Organization for Women and the National Governors Assn.,  
which objects to the required increases in state spending.

The bill was introduced by House Judiciary Committee Chairman F.  
James Sensenbrenner Jr. (R-Wis.), following a recommendation of the  
9/11 Commission that the country strengthen its means for identifying  
people. Noting that some of the 9/11 hijackers held fraudulent papers  
that helped them rent cars and board planes, the panel wrote that  
"sources of identification are the last opportunity to ensure that  
people are who they say they are."

Commission member Slade Gorton said the act fulfilled the group's  
objective.

Even some who fault other provisions of the law, including a national  
group of state driver's license officials, agree that it soon will be  
harder for impersonators to get licenses.

Just the new mandatory background checks on DMV employees "can make a  
huge impact," said Jason King, a spokesman for the American Assn. of  
Motor Vehicle Administrators.

But others say that merely making licenses harder to obtain raises a  
new set of problems. Among them: While trust in the new cards will be  
higher, fraud won't be eliminated completely. Applicants still aren't  
required to produce a photo ID to get a license, and foreign  
passports — available in some countries for cash under the table —  
are acceptable as proof of identity.

Real U.S. birth certificates, another common proof of identity, can  
be sent to the wrong person after a modest amount of subterfuge, said  
Joseph Eaton, an emeritus professor at the University of Pittsburgh  
and author of a 2003 book arguing in favor of a national ID.

The National Academy of Sciences concluded in a 2002 study that  
keeping any national ID system secure would be even harder than  
building one.

Yet with more faith placed in the new cards, whoever gets a fake will  
be able to accomplish more with it.

"It builds a purported real identity on a document that we all know  
is built on fragile documents," said Robert Ellis Smith, publisher of  
Privacy Journal. "Without strengthening the supporting documents, you  
don't develop a real ID at all."

Smith opposes any attempt to fashion a national identity card.

Sensenbrenner spokesman Jeff Lungren acknowledged the concern and  
said those who accept the identification should avoid letting their  
guard down. But he said the risk was outweighed by the prospect of  
more secure identification for more people.

Corruption and theft are already big problems at state licensing  
agencies.

In April, for instance, a programmer working for the state of Georgia  
was charged with accessing that state's driver's license database for  
reasons that haven't been disclosed.

In a more dramatic incident a month earlier, someone crashed a  
vehicle through the glass window of a state office in North Las Vegas  
and made off with the physical materials for making licenses plus a  
camera, a printer and a computer containing information on 8,738  
drivers.

More typically, low-level state employees take money to issue  
licenses improperly.

A 2004 survey of the previous year's news accounts by the nonprofit  
Center for Democracy and Technology found licenses-for-bribes schemes  
in Nevada, New York, Pennsylvania, Indiana, Virginia, North Carolina,  
South Carolina, Louisiana, Arkansas, and the District of Columbia. In  
New Jersey, a fraud scheme led to the firing of all 11 DMV employees  
in one Newark office.

Workers also leak address, Social Security and other information for  
cash to private detectives, bill collectors and the like, a problem  
Nevada DMV spokesman Tom Jacobs said probably would increase as  
information became available from other states' databases.

"With the records all connected, there may be more temptation to run  
afoul of the law," Jacobs said.


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/