Delaware CIO Thomas Jarrett bumped into Michael Shahan, director of the state's Division of Motor Vehicles, a few days after Congress passed the Real ID Act last week. The bill, which also was signed by President Bush last week, will set national standards for driver's licenses, raising privacy hackles about a de facto "national ID card" and technology and security worries about how data will be stored and shared among states and with the federal government. Yet there aren't enough details available right now to let those concerned do much more than worry. "I told him we need to have a conversation about it," Jarrett says of his colleague at Motor Vehicles. "But at this point, I'm not exactly sure what needs to be done."
Congress didn't spend much time debating the merits of the measure, which has been discussed in various forms several times since Sept. 11, 2001. This time, it got tacked onto a bill to fund American troops in Afghanistan and Iraq. The key provisions of the bill are that states by 2008 will need to verify data with the feds and other states before issuing driver's licenses, and the cards must include certain minimum data and be "machine readable."
The legislation, primarily aimed at denying illegal immigrants driver's licenses, is vague about how the government should implement technical provisions. It's up to the Homeland Security secretary, in conjunction with the Transportation secretary, to devise regulations for states to follow. Neither department offered any guidance last week.
The most-difficult challenge created by the act will be sharing birth-certificate information, Social Security numbers, and other data found on a driver's license across multiple agencies in the 50 states, territories, tribal jurisdictions, and the federal government. It isn't necessarily cutting-edge IT, says Richard Hunter, a Gartner VP and research director. States will need to restructure existing databases, which is more time-consuming and costly than innovative. What's difficult will be determining rules for access, management, and security for these state records if they're all connected. "The legislation creates a mandate to gather info without specifying controls over the use of that data," Hunter says.
Indeed, securing personal data that will crisscross the country is a major concern for Jarrett. "As technologists, we start getting paranoid when we move information outside our walls," says Jarrett, who also serves as president of the National Association of State CIOs.
Verifying digital-record information is going to be difficult, says Dillinger, Iowa's Driver Services' director.
Photo by Steve Pope
A small, federally funded pilot that uses a simple Web interface--the Electronic Verification of Vital Events--has shown that verifying records such as birth certificates isn't technologically challenging, says Jay Maxwell, CIO of the American Association of Motor Vehicle Administrators. Images can be called up to be checked against the real document but only after they're scanned into a document-management system. "The only way you can get cranking on this system is to get the data in there, and that will take years to do," he says.
The National Conference of State Legislatures estimates it could cost states as much as $750 million to implement measures required by the act, including some $80 million to create links among state databases. Other costs include purchasing equipment to collect, store, and encode data onto the licenses. Anticipating this bill, Iowa has allotted $1.2 million this year--about 3.5% of the Office of Driver Services' annual budget--for compliance, including a major redesign of its driver's license card and the motor-vehicle IT system to support it. The act is billed as voluntary for states and therefore isn't creating a true national ID. But licenses from noncompliant states won't be acceptable ID to get on an airplane or for any other federally regulated use.
For most citizens--and businesses considering how they'll use the new IDs--the biggest unanswered question is what the "machine-readable" technology will be. Iowa's driver's licenses have three pieces of machine-readable technologies: a magnetic strip and a two-dimensional bar code contain the data printed on the face of the card, and a linear bar code contains the cardholder's driver's license number. Dillinger expects those will meet the new requirements.
In last year's Intelligence Reform Act, Congress already had asked the Transportation Department to explore the best technology for use in ID cards, notes Ari Schwartz, associate director of the Center for Democracy and Technology and a member of a Transportation committee that in April started looking into the issue. That effort has been disbanded, because the Real ID Act will supercede it. Still, Schwartz hopes the approach is similar. "One good thing about [the Intelligence Reform Act] is that technology experts were going to have direct input," he says.
Critics seized on the current lack of technology direction to raise the specter of massive privacy invasions. Rep. Ron Paul, R-Texas, said in a speech on the House floor that Homeland Security could require technology such as radio-frequency identification tags on licenses, which in theory could contain far more information on a computer chip than is on a license today, including biometric information such as retina scans, fingerprints, and even DNA information. Apparently envisioning a world of ubiquitous RFID readers to capture such information, Paul warned his House colleagues that "including such technology as RFID would mean that the federal government ... would know where Americans are at all time of the day and night."
That's perhaps a bit far-out. But the feds this summer are experimenting with RFID in passports and visas carried by some foreigners entering the United States at the Los Angeles airport and select border crossings. The objective is to simplify processing and security efforts at borders by automatically capturing arrival and departure information, as well as ensuring that passport holders are who they claim to be.
Homeland Security is exploring the use of RFID at land borders in Arizona, New York, and Washington state. The department plans by the end of July to automate a process for populating the Immigration and Naturalization Service's I-94 arrival-departure form by scanning arriving foreigners' documents, a spokeswoman says. RFID tags would be embedded in a receipt portion of the I-94 form that's distributed to visitors as they enter the country and then scanned as they leave to verify that their departures are in compliance with their visas.
As machine-readable IDs take hold, the private sector could rely on them in new ways and perhaps play a more-direct role in helping verify identities before IDs are issued, says Maxwell of the American Association of Motor Vehicle Administrators. If states allow an electric or gas bill as evidence of residency to issue a driver's license, they might need to link to a utility's customer database to prove the invoice is real. Databases such as those managed by ChoicePoint Inc. and LexisNexis could be checked to verify information provided by a license applicant. Maxwell envisions airport-security personnel or even banks scanning in an ID, then being allowed to link up with state motor-vehicle databases to compare the images and data on driver's licenses before allowing a person to board a plane or open an account.
Those types of applications are likely a few years away. Today, state IT and motor-vehicle officials are just anxious for the government to tell them exactly what they must do now. "We know it's a huge issue," Delaware CIO Jarrett says, "but we don't know how serious it will be yet."
-- with Tony Kontzer