THE MAGAZINE

Driver's License Rule Improved, but Imperfect

By Joseph Straw

States that want their citizens to be able to use driver’s licenses as federal identification for boarding airplanes and entering federal buildings now have a limited timeframe in which to institute far more thorough methods for vetting the vital documents used to apply for those licenses and to take other steps to ensure that the entire process is more secure.

The changes, for which final guidelines were issued earlier this year, were mandated by the Real ID Act passed in response to recommendations by the 9/11 Commission. The law restricts the issuance of state driver’s licenses to legal U.S. residents and aims to ensure that applicants are who they claim to be, primarily to prevent criminals and terrorists from obtaining licenses fraudulently for nefarious purposes.

There is general agreement on the law’s objective but not on the means of achieving it as laid out in the guidelines from the Department of Homeland Security (DHS). DHS did attempt in the final version of its guidelines to address concerns about privacy and the cost of implementation, among other issues. States have more time to comply and, as discussed ahead, some concerns over a central database are alleviated .

But the rule does not go as far as critics had hoped. It does not, for example, require that personal data in bar codes on cards be encrypted. The agency said that it wanted law enforcement agents to be able to read the bar codes without having to deal with decryption issues. Critics worry that thieves could steal the data from the cards. Critics express similar concerns about the requirement that state divisions of motor vehicles (DMVs) will be required to scan and digitally store the birth certificates and other documents that applicants will have to present to prove their identity (called breeder documents). Those DMV databases may become tempting targets for data thieves.

States have until late 2009 to verify applicants’ legal residence; some states, such as Virginia, have already taken steps to do so. But by 2011, they must go further and check the veracity of breeder documents with the issuing agency, and check for licenses issued by other states. In addition, license applicants will be photographed at the beginning of the application process rather than on issuance of their license, so issuing agencies will have photographs in cases where applicants are investigated for fraud.

Existing systems run by government agencies, together with nonprofit, nongovernmental administrative associations, will likely provide the systems, or at least the blueprints, for verification of breeder documents. Each system would rely on a “hub” model, by which state DMVs seeking to verify data on a specific document would send in the driver’s stated information to query, or “ping” the hub. The hub administrator then queries the issuing agency, which either confirms or denies the data’s accuracy.

The method, according to DHS, obviates the need for a single national database. That was a sticking point in earlier proposals because it raised concerns among civil libertarians and security experts alike.

DMVs are expected to rely on different systems for different documents. The American Association of Motor Vehicle Administrators (AAMVA) already runs AAMVAnet, which states use as a link to the Social Security Administration to check applicants’ numbers against names and birth dates. The National Association of Public Health Statistics and Information Systems (NAPHSIS) operates Electronic Verification of Vital Events (EVVE) for verification of birth certificate data.

State DMVs verifying legal aliens are expected to develop a single hub for accessing U.S. Citizenship and Immigration Service’s Systematic Alien Verification for Entitlements (SAVE) system, according to the rule.

Remarkably, no single system exists for states to ensure that vetted license applicants are not already licensed by another state. That’s a concern because criminals often are found with multiple licenses, which help them run scams or handle some of the logistics that lay the groundwork for a terrorist attack. Many of the 9-11 terrorists had multiple licenses.

A model for doing this is the commercial drivers database maintained by AAMVA, in cooperation with the U.S. Department of Transportation. DHS’s final rule indicates that it will probably work with AAMVA to build a verification system for all drivers that mirrors this model.

The rule also requires that states conduct criminal background checks on all employees involved in applicant vetting and license production to minimize the risk of insider crimes, which might include collusion in providing fraudulent licenses to applicants or abuse of the personal data that people will have to provide to obtain a license.

Only 29 states currently conduct criminal background checks on employees involved in issuing a driver’s license, and only two check workers’ credit status. DHS’s final rule would not require employee credit checks to determine workers’ susceptibility to bribery.

NAPHSIS project manager Rose Trasatti says that her group does not set minimum security standards for agencies that query EVVE. While they vary by state and location, she says, “in most instances the agencies are very thorough in what users they allow onto their own internal systems.”

State DMVs have until late 2009 to present DHS with a plan for the entire license-issuing process, encompassing physical, data, and personnel security. States can opt out of the process, and many have, but after the implementation date, noncompliant licenses will not be accepted for federal purposes.

Congress may step into the fray to resolve some of the remaining privacy and funding concerns or to completely reverse the process. Already, two companion bills (S. 717 and H.R. 1117) have been introduced to repeal the REAL ID Act.

While states and civil libertarians focus on the cost of REAL ID and its potential threat to civil liberties, terrorism experts focus on the benefits. Don Hamilton, executive director of the Memorial Institute for the Prevention of Terrorism,  says that once implemented, the law would make it more difficult for terrorists seeking to operate in the United States.

“Effectively, it forces a bad guy to pick one identity and stay with it,” Hamilton says. “I have no love affair with how we’re getting there, but we need to have verifiable ID.”

Comments

 

The Magazine — Past Issues

 




Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.