May 10, 2005
SECURITY EXPERT BRUCE SCHNEIER on the Real ID Act:
I've already written about national IDs. I've written about the fallacies of identification as a security tool. I'm not going to repeat myself here, and I urge everyone who is interested to read those two essays (and even this older essay). A national ID is a lousy security trade-off, and everyone needs to understand why.
Aside from those generalities, there are specifics about REAL ID that make for bad security.
The REAL ID Act requires driver's licenses to include a "common machine-readable technology." This will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom. It actually doesn't matter how well the states and federal government protect the data on driver's licenses, as there will be parallel commercial databases with the same information.
Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver's licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).
REAL ID requires that driver's licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police -- even undercover police officers. This seems like a major unnecessary security risk. . . .
And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver's licenses, the security measures recommended by the 9/11 Commission Report. That's already done. It's already law.
REAL ID goes way beyond that. It's a huge power-grab by the federal government over the states' systems for issuing driver's licenses.
Read the whole thing.
UPDATE: Orin Kerr thinks that Schneier is overstating the case against the Real ID act.