April 26, 2007 9:16 AM PDT

Real ID creator: Law's been misunderstood

ARLINGTON, Va.--One of the chief Republican architects of the controversial federal Real ID law on Thursday said the forthcoming nationalized identification cards are not an "unfunded mandate" and called for hearings to dispel myths about the proposed system.

Rep. Tom Davis (R-Va.), the ranking member of a U.S. House of Representatives government oversight panel, said he has asked committee chairman Henry Waxman (D-Calif.) to hold hearings to explore questions related to the requirements, which were approved by Congress as part of an emergency military-spending bill two years ago.

"States don't have to participate," Davis told attendees at a meeting here organized by the Information Technology Association of America. "They can issue driver's licenses to whoever they want under whatever standards."

But he acknowledged that only a Real ID-compliant license will allow Americans to do things like board airplanes or enter federal buildings. (A U.S. passport issued by the State Department--new ones have RFID tracking chips embedded--could be a substitute.) He emphasized the importance of pushing ahead with the new standards, which supporters say are necessary to keep terrorists and other dangerous people out of spaces where they could do harm.

Davis said he was confident that after thorough hearings, which he hopes will occur in the "not-too-distant future," "naysayers will have fewer specious arguments to hide behind."

The congressman's remarks come as the proposed plan for the cards, published last month by the U.S. Department of Homeland Security, continues to attract concern from privacy and security experts--even some within the federal agency.

They have balked at the idea, for instance, that the information on the licenses' mandatory bar codes, which could be scanned by banks, bars and other businesses, is not currently required to be encrypted.

Two-dimensional bar codes can be easily photocopied and redistributed, so they are likely to become the "weakest link" in the system, said Kelly Emerick, executive director of the Secure ID Coalition, a group that pushes for greater adoption of secure "smart card" chips.

And even if bar code data is encrypted, it could be hacked by a brute force attack, subsequently allowing break-ins on every other card that's in the system, she said.

Toby Levin, a senior adviser to the Homeland Security Privacy Office, said she shared concerns about the use of that technique.

"The fact of the matter is that the 2D bar code does not protect privacy," she said.

But the department believes it cannot prohibit third parties from scanning information off the cards because Congress did not give it "express authorization" to do so in the law governing Real ID, Levin said.

She said the department's privacy advisers are nonetheless very concerned about protecting the information on the bar code and are exploring ways to limit the data stored there or encrypt it in a way that would not be objectionable to law enforcement authorities. If encryption isn't rejected, she suggested that a "huge educational campaign" will be needed to make sure Americans are aware of what information can be swiped from their cards by anyone with the proper reader.

Homeland Security's assistant secretary for policy development, Richard Barth, continued to defend the program at Thursday's event, saying he has grown to become "very passionate" about the cause. "A good ID, a driver's license, is virtually a weapon in the hands of a terrorist," he said.

Barth said he did not believe the new cards would diminish privacy at all. He also bristled at what he called a "misperception problem" that the Real ID-compatible cards would be required to contain any sort of radio-frequency identification chip that can be read without contact with a machine.

"RFID chip has nothing, nothing, nothing to do with the proposed rule, nor, I believe, the final rule for Real ID," he said. "Real ID and the word chip do not appear in the same sentence in anything I intend to implement."

The department believes data shared among states through their individual driver's license databases should be encrypted in transit, but it's still wary of encrypting the data on the bar codes, Barth said. That's because law enforcement officers want to be able to read the data at traffic stops, he said, and it would be too costly for them to carry special readers that had to be "rekeyed" frequently.

Department officials urged the public to submit comments about proposed rules for the cards until the May 8 deadline because the department is "in a very high listening mode." The department has also scheduled a "nationwide town hall" in Sacramento, Calif., on Tuesday and will allow people outside the area to participate in that forum by submitting questions and comments via the Web or a toll-free phone number.

After reviewing those comments, the department plans to release a final rule sometime during the summer, which Barth admitted could mean as soon as July or as late as September 21.


17 comments

Interesting
I think it will probably happen one way or another. If people are concerned, they should probably ensure that whatever privacy and security concerns they have are addressed in the ID and get stuff taken care of before and not after something goes wrong. Even then, some technologies are already in ID cards and driver's licenses. My license has a barcode on the back which I have had scanned at least once by a store when I returned some product.
Posted by BeamerMT (64 comments )
No way
It ain't happening to me. I don't need to fly and if necessary, I can walk or bike to work. But then my state has already officially rejected it.

When the airlines lose half their customers, do they expect us who don't support it to bail them out? Fat chance!
Posted by freemarket--2008 (5058 comments )
what??
"He emphasized the importance of pushing ahead with the new standards, which supporters say are necessary to keep terrorists and other dangerous people out of spaces where they could do harm."

What? The 911 terrorists apparently had valid credentials, and any 'sleepers' would be able to obtain this new documentation without issue.

Think people! Anything you create will be copied, down to the smallest detail, and it will be used against us. So, if you are working on IDs for US Citizens, it would do us good if you worked on something else; like airport security that is smart, instead of obvious.
Posted by jdw242 (13 comments )
Airport security is flawed
Airport security is fundamentally flawed in some ways. They make the security checkpoints GLARINGLY obvious and if someone gets past them somehow..... we are screwed because no one will notice in most cases!

We do need a national ID, however that could be done with laminated, encrypted Social Security card that you show at places to get through security.

The best national ID program would be one where your national ID is given to you at BIRTH and as you grow up you go somewhere and they bump up the privileges on your card. Say you turn 16 and can be a student driver..... you just go somewhere, they scan and re-encode the chip in your card.... BOOM! Licensed to drive as a student driver!

Of course, there are going to be worries about people cracking the cards..... but that's a problem with driver's licenses in Maryland right now, they have gone to holographic **** and it STILL isn't keeping people from making illegal copies of driver's licenses.
Posted by Leria (585 comments )
fat chance
Yes, they do expect us to bail them out, in the form of Government support. Who pays that bill again?
Posted by jdw242 (13 comments )
Indeed
If the information on the card is unencrypted, then what's to stop a terrorist from copying your information onto a "dummy" card that will get him access to a federal building or onto an airplane? You KNOW those systems will be mostly automated.

Terrorists are also REALLY patient, they'll go through all the necessary paperwork to get where they need to go.

People who say "freedom isn't free" are stating a simple truth, but for the wrong reasons. It's not just our service men and women that are the price we pay for freedom, it's also the risk from enemies that we as civilians assume.

From where I sit, I'd rather have a short life as a free man than a long healthy life under a police state. But maybe that's just me.
Posted by mr3vil (42 comments )
Missing the point
I can't help but note that the Representative didn't address the more substantive issues, like the requirement that the state DMVs verify all birth certificates with the issuer, an impossibly tedious task when you consider the thousands of county and local registries that issue them. And, of course, the security will be bogus anyway since its actual level will be determined by the most easily bribed low-level bureaucrat in a DMV office somewhere.

As Bruce Schneier has been saying for years, this sort of brittle system that attempts to build a wall around the good guys to keep the bad guys out is fundamentally misconceived. The sooner we get rid of gimmicks like Real ID and think about real security, the better.
Posted by jrlevine (2 comments )
Real security
Real security is a misnomer in this society of today. You cannot have security and still be as open as you need to be to compete with other countries in the world today.

Really, what we need is a national passport, that is verified by people in offices WITHOUT people having to come into those offices.

We also have to loosen our immigration restrictions and ONLY go after people who we know have a connection with terrorist organizations. That would necessitate talking with other countries and having them monitor their own people and ESPECIALLY have Saudi Arabia monitor and shut down the radical mosques that are teaching hatred of America.
Posted by Leria (585 comments )
Real ID
Thank God the former USSR didn't have the guys of police-state mentality in Moscow back then that we now have in Washington. The evil empire would have been alive and well and probably swallowed up half the earth by now.
Posted by spruceman (38 comments )
Encrypting: pointless
Why bother encrypting the 2D barcode? A basic fact that is often forgotten: the info on the 2D barcode is EXACTLY the same info that's printed on the front of the card! If someone wants the info on the barcode, they can just read it right off the front of the ID! It's true that a 2D barcode makes it easier to capture the information quickly with a barcode reader, but it's nothing that can't be done with optical character recognition software and a $75 scanner. If the information on the ID (both printed on the front and in the 2D barcode) needs to be private, it shouldn't be listed on the card anywhere; it can be looked up in the state's system using the DL#. A more effective way of protecting personal information than encryption would be to restrict use of DL info (from the barcode or printed on the front) through legislation which includes stiff penalties for unlawful collection and use.
Posted by guinzuz (2 comments )
In China, a high-tech plan to track people
In China, a high-tech plan to track people

Starting this month in a port neighborhood and then spreading across Shenzhen, a city of 12.4 million people, residency cards fitted with powerful computer chips programmed by the same company will be issued to most citizens.

See more: http://www.rfidglobal.org/news/2007_8/200708131747094867.html

http://www.rfidglobal.org
RFIDGlobal.org is an internationally oriented online platform for RFID companies and end users.
Posted by rfidabc (4 comments )