AnalysisThe Real ID Act poses serious challenges

By May next year all fifty states will have to include an individual’s biometric information on the dirver license of that individual, and equip the licnese with an RFID technology so it may read by a scanner. To be precise, states do not have to that, but if they do not, their citizens will not be able to enter federal buildings, open bank accounts, or buy an airline ticket. It is thus safe to assume that faced with this offer that they cannot really refuse, most, if not all, states will adhere to this congressional mandate.

Analysts Ed Adams does not think the Real ID Act is such a good idea. Forget, for now, the serious issue of administration, technology, and cost. The fact is, the Real ID wil create, even if this was not the intention of Congress, a national ID which would become mana from heaven for hackers, criminals, and terrorists. “A national card identity system, as specified in the Real ID Act, would create a series of state-wide databases linked together forming a de facto central repository of 300 million identities” — data bases, moreover, which would be managed by a mix of untrained state workers, private companies, and staff with no knowledge of proper data access controls or sensitive information processing.

The problem lies in the fact that the Real ID Act does set forth a number of national standards for ID cards, but it does not set any standards for the issuance and management of the cards, information entry, and maintenance, which means that each of the fifty states and the District of Columbia will fashion their own standards on these aspects of the program. More than that, government administrators will not be the only ones having t set stnadrads and implement them, as companies will also need to store this data and upload it with payroll and investment records. With dozens of states setting their own protocols, and with thousands of companies doing the same, the sheer number of the points of entry into this nationalized data base is staggering, and so is the number of possibilities for mishandling or abusing such entry points.

Adams notes that there are four groups which will benefit from the Real ID Act:

* Tech companies which sell systems to support digital ID, authentication, or encryption. These companies are also among the most active lobbyists for the Act.

* Intelligence agencies and law enforcement authorities hoping to be able better to track individuals’ movements and activities

* Terrorist organizations which can use forged ID cards to hide their identity or blame someone else for a crime they commit

* Organized crime and the hacking community, both of which will now have many more points of entry into a national database of birth records and other identity documents

Which groups will most suffer from the Act?

* Government agenciesa at all levels, becasue they will have to shoulder the extra costs, training, and infrastructure changes entailed by the Act

* Consumers and individuals who will now have to worry even more about the safety of their personal data

* Enterprises across the United States which would have to adopt systems to accept the new National ID number/letter combination

We said earlier that it appears likely that most states would follow the congressional mandate. In fact, Maine and New Hampshire have voted to opt out of it. If more states follow, then Congress may well have to midify the Act. Stay tuned.

-read more in Ed Adams’s CSO discussion