Real-ID: Costs And Benefits
The argument was so obvious it hardly needed repeating. Some thought we would all be safer -- ≠from terrorism, from crime, even from inconvenience -- ≠if we had a better ID card. A good, hard-to-forge national ID is a no-brainer (or so the argument goes), and itís ridiculous that a modern country like the United States doesnít have one.
Still, most Americans have been and continue to be opposed to a national ID card. Even just after 9/11, polls showed a bare majority (51%) in favor -- ≠and that quickly became a minority opinion again. As such, both political parties came out against the card, which meant that the only way it could become law was to sneak it through.
Republican Cong. F. James Sensenbrenner of Wisconsin did just that. In February 2005, he attached the Real ID Act to a defense appropriations bill. No one was willing to risk not supporting the troops by holding up the bill, and it became law. No hearings. No floor debate. With nary a whisper, the United States had a national ID.
By forcing all states to conform to common and more stringent rules for issuing driverís licenses, the Real ID Act turns these licenses into a de facto national ID. Itís a massive, unfunded mandate imposed on the states, and -- ≠naturally -- ≠the states have resisted. The detailed rules and timetables are still being worked out by the Department of Homeland Security, and itís the details that will determine exactly how expensive and onerous the program actually is.
It is against this backdrop that the National Governors Association, the National Conference of State Legislatures, and the American Association of Motor Vehicle Administrators together tried to estimate the cost of this initiative. "The Real ID Act: National Impact Analysis" is a methodical and detailed report, and everything after the executive summary is likely to bore anyone but the most dedicated bean counters. But rigor is important because states want to use this document to influence both the technical details and timetable of Real ID. The estimates are conservative, leaving no room for problems, delays, or unforeseen costs, and yet the total cost is $11 billion over the first five years of the program.
If anything, itís surprisingly cheap: Only $37 each for an estimated 295 million people who would get a new ID under this program. But itís still an enormous amount of money. The question to ask is, of course: Is the security benefit we all get worth the $11 billion price tag? We have a cost estimate; all we need now is a security estimate.
Iím going to take a crack at it.
When most people think of ID cards, they think of a small plastic card with their name and photograph. This isnít wrong, but itís only a small piece of any ID program. What starts out as a seemingly simple security device -- ≠a card that binds a photograph with a name -- ≠rapidly becomes a complex security system.
It doesnít really matter how well a Real ID works when used by the hundreds of millions of honest people who would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.
The first problem is the card itself. No matter how unforgeable we make it, it will be forged. We can raise the price of forgery, but we canít make it impossible. Real IDs will be forged.
Even worse, people will get legitimate cards in fraudulent names. Two of the 9/11 terrorists had valid Virginia driverís licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldnít be bribed, cards are issued based on other identity documents -- ≠all of which are easier to forge.
And we canít assume that everyone will always have a Real ID. Currently about 20% of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself would be susceptible to abuse.
Additionally, any ID system involves people: people who regularly make mistakes. Weíve all heard stories of bartenders falling for obviously fake IDs, or sloppy ID checks at airports and government buildings. Itís not simply a matter of training; checking IDs is a mind-numbingly boring task, one that is guaranteed to have failures. Biometrics such as thumbprints could help, but bring with them their own set of exploitable failure modes.
All of these problems demonstrate that identification checks based on Real ID wonít be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American -- ≠one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.
The security risks of this database are enormous. It would be a kludge of existing databases that are incompatible, full of erroneous data, and unreliable. Computer scientists donít know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.
But even if we could solve all these problems, and within the putative $11 billion budget, we still wouldnít be getting very much security. A reliance on ID cards is based on a dangerous security myth, that if only we knew who everyone was, we could pick the bad guys out of the crowd.
In an ideal world, what we would want is some kind of ID that denoted intention. We'd want all terrorists to carry a card that said "evildoer" and everyone else to carry a card that said "honest person who won't try to hijack or blow up anything." Then security would be easy. We could just look at peopleís IDs, and, if they were evildoers, we wouldnít let them on the airplane or into the building.
This is, of course, ridiculous; so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether youíre likely to be an evildoer. But thatís almost as ridiculous.
Even worse, as soon as you divide people into two categories -- ≠more trusted and less trusted people -- ≠you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC, snipers; the London subway bombers; and many of the 9/11 terrorists had no previous links to terrorism. Evildoers can also steal the identity -- ≠and profile -- ≠of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.
Thereís another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm. Think of all the problems with the governmentís no-fly list. That list, which is what Real IDs will be checked against, not only wastes investigative resources that might be better spent elsewhere, but it also causes grave harm to those innocents who fit the profile.
Enough of terrorism; what about more mundane concerns like identity theft? Perversely, a hard-to-forge ID card can actually increase the risk of identity theft. A single ubiquitous ID card will be trusted more and used in more applications. Therefore, someone who does manage to forge one -- ≠or get one issued in someone elseís name -- ≠can commit much more fraud with it. A centralized ID system is a far greater security risk than a decentralized one with various organizations issuing ID cards according to their own rules for their own purposes.
Security is always a trade-off; it must be balanced with the cost. We all do this intuitively. Few of us walk around wearing bulletproof vests. Itís not because theyíre ineffective, itís because for most of us the trade-off isnít worth it. Itís not worth the cost, the inconvenience, or the loss of fashion sense. If we were living in a war-torn country like Iraq, we might make a different trade-off.
Real ID is another lousy security trade-off. Itíll cost the United States at least $11 billion, and we wonít get much security in return. The report suggests a variety of measures designed to ease the financial burden on the states: extend compliance deadlines, allow manual verification systems, and so on. But what it doesnít suggest is the simple change that would do the most good: scrap the Real ID program altogether. For the price, weíre not getting anywhere near the security we should.
This essay will appear in the March/April issue of The Bulletin of Atomic Scientists.
EDITED TO ADD (1/30): There's REAL-ID news this week. Maine became the first state to reject REAL-ID. This means that a Maine state driver's license will not be recognized as valid for federal purposes, although I'm sure the Feds will back down over this. And other states will follow:
"As Maine goes, so goes the nation," said Charlie Mitchell, director of the ACLU State Legislative Department. "Already bills have been filed in Montana, New Hampshire, New Mexico, Georgia and Washington, which would follow Maine's lead in saying no to Real ID, with many mores states on the verge of similar action. Across the nation, local lawmakers are rejecting the federal government's demand that they curtail their constituents' privacy through this giant unfunded boondoggle."
More info on REAL-ID here.
EDITED TO ADD (1/31): More information on Montana. My guess is that Montana will become the second state ro reject REAL-ID, and New Mexico will be the third.
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," Schneier is best known as a refreshingly candid and lucid security critic and commentator.
The opinions expressed in this article do not necessarily reflect the opinion of ILW.COM.