A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY
CONTENTS:
(1) Privacy and Security Risks in Driver's License Proposals
(2) CDT Calls for Moratorium on New Uses of Driver's License
(3) Fraud Common at State DMVs
(4) Japanese Privacy Protests Offer Lesson for U.S.
(5) Congressional Proposals on Driver's Licenses
The state driver's license has become much more than a license to drive. It is now used as a primary means of authenticating identity in a wide range of commercial and governmental transactions having nothing to do with operating a motor vehicle.
In the wake of the horrific attacks of September 11, some have suggested that we should standardize the design of the state driver's license, add more features to the card and create data systems linked to the card. The new functionality of the card would lead to further reliance on it, including for access control and security screening purposes. Yet, the policy structure for issuance and use of driver's licenses has not kept pace with the increased weight already being placed upon the cards and is totally inadequate for the expansions proposed in the name of fighting terrorism.
One year after the September 11 attacks, there is no evidence that flaws in the design and security of drivers' licenses themselves facilitated the hijackers in carrying out their plans. From what we know, most of the hijackers were not using stolen, counterfeit or altered ID cards. Rather, they were using legitimate state driver's licenses or non-driver ID cards obtained from Department of Motor Vehicle (DMV) offices. The hijackers appear to have obtained these cards using methods that highlight basic problems in the process of issuing ID cards, ranging from weak laws and procedures to the bribery of DMV employees. These problems are not ones that could be cured by introducing more biometrics in the cards themselves or by linking driver's licenses to other state or commercial databases.
CDT Associate Director Ari Schwartz testified today before the House Subcommittee on Highways and Transit on these concerns. Schwartz's full testimony can be found at: http://www.cdt.org/testimony/020805schwartz.shtml
The National Research Council issued a report in April 2002 entitled "IDs -- Not That Easy: Questions About Nationwide Identity Systems": http://www.nap.edu/catalog/10346.html?opi_newsdoc041102
In February, CDT was part of a large coalition urging President Bush not to create a National ID Card: http://www.aclu.org/congress/l021102a.html
Building a linked database of information and adding new functionality to state driver's licenses (chips with financial or biometric information) would add to the demands on use of the driver's licenses and exacerbate the known security problems. Instead, Congress and the states should take four steps:
While the DMVs have spent time and effort on technologies such as laminates to make counterfeiting more difficult, other forms of fraud have arisen that are of equal or greater consequence. In particular, the fraudulent obtaining of legitimate driver's licenses calls into question the utility of many of the newly suggested biometric features.
The most alarming case of illegally obtained driver's licenses involves the September 11 hijackings. It has been reported that at least 13 of the 19 hijackers obtained valid licenses or non-driver ID cards from Florida, New Jersey or Virginia.
While the Virginia cases have been well documented and involved laws that were immediately changed by the Virginia legislature, many other problems in the issuance process remain across the country. In particular, multiple recent cases involve the bribing of DMV personnel point to a disturbing trend.
These bribery cases show that the current driver's license and driver's license information are not being adequately protected. Adding new features to the card, such as a smart chip, a biometric identifier and/or a uniform ID number, would increase the value of the card to society and in the marketplace with the result that fraud will increase even as the use of the card increases.
Last month, Japanese citizens took to the streets to protest a new government identification system, called Juki Net. In a society that Westerners sometimes assume does not care about privacy, the project touched a nerve.
Juki Net is based on a national database in Tokyo, intended to link a set of personal information--the 11-digit ID number already assigned to all Japanese citizens, plus name, date of birth, sex and address. The goal of the network, in the short term, is to make it easier for individuals to apply for residency cards from anywhere in the country.
But identity theft is a fast-growing crime in Japan. Opponents of Juki Net warned that creating a network that concentrates sensitive information without respect to fair information principles creates a juicy target for identity thieves.
Furthermore, Japan has no comprehensive privacy law for the commercial sector. This means that as essential information, such as the ID number, becomes more centralized and more commonly used, it can be collected, stored, sold and combined with other information with no notice, consent or access and correction rights afforded the individual.
In the face of growing public outcry, several major cities have backed away from involvement. Yokahama, a city of 3.4 million people, has decided to let each resident choose whether to include personal information in the database. The mayor of Kokubnji held an official "disconnecting" ceremony to show the residents of his city that they would not be included in the database at all.
The state of privacy in Japan and the U.S. is strikingly similar. Identity theft has been considered by some officials to be the fastest growing crime in the U.S. Like Japan, the U.S. has no comprehensive law to protect individual privacy in the commercial sector. Marketers have increasingly relied on government-issued identifiers to build and link databases.
For more on Juki Net and its relevance to debates in the U.S., see Ari Schwartz's op-ed in the 8/23/02 Chicago Tribune -- http://www.chicagotribune.com/news/opinion/oped/chi-0208230229aug23.story?coll=chi%2Dnewsopinioncommentary%2Dhed (Registration Required)
English Language Web site of a Japanese national ID system opposition group: http://nationalid.hantai.jp/
In May, Representatives Jim Moran (D-VA) and Tom Davis (R-VA) introduced the "Driver's License Modernization Act of 2002" (H. R. 4633). The bill would require states to turn the driver's license into a "smart card" by including a computer chip on each card. The chip would hold biometric data on the license or cardholder, such as fingerprint information. The chips would be based on private sector standards so that commercial vendors could utilize information and perhaps put their own data on the card. A program would be created to link state motor vehicle databases electronically. Each state would implement procedures for accurately documenting the identity and residence of an individual before issuing a license or card.
This bill mirrors a proposals put forward by the American Association of Motor Vehicle Administrators (AAMVA) and the Progressive Policy Institute (PPI). Senator Richard Durbin (D-IL) is said to be drafting less ambitious, but similar legislation.
The Moran/Davis "Driver's License Modernization Act of 2002" (H. R. 4633): http://thomas.loc.gov/cgi-bin/bdquery/z?d107:hr4633:
AAMVA's "Special Task Force on Motor Vehicle Security" Executive Summary: http://www.aamva.org/IDSecurity/idsExecutiveSummary.asp
The PPI's "Using Technology to Detect and Prevent Terrorism": http://www.ppionline.org/ppi_ci.cfm?knlgAreaID=124&subsecid=307&contentid=250070
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_8.17.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 8.17 Copyright 2002 Center for Democracy and Technology
