RSA Report: REAL ID -- Will It Create a De Facto National Identity System, and Will It Lead to Better Security?
Posted by K.M. Das
K.M. is blogging from the RSAConference2006 in San Jose this week.
One of the topics that is being frequently discussed at various sessions at the RSAConference2006 is the erosion of consumer confidence in e-commerce and how, if that erosion continues, it could lead to a crash of the entire e-commerce model. The need for private entities and the government to work together to reverse the trend has been repeated by numerous keynote speakers, including Art Coviello, CEO and President of RSA Security, Inc., Stratton Sclavos, CEO and President of VeriSign, Inc., and John Thompson, CEO of Symantec Corp. One of the possible solutions that speakers at the conference have pointed to is the implementation of a more robust national identification and authentication system, based perhaps on the REAL ID Act.
Some experts at the conference argued that having a robust, national identification card would lead to a decrease in identity theft and thus to increased consumer confidence, as is the case in European nations. Others argued that the European Union's stronger privacy laws, the prohibition on processing personal information, and the lesser use of credit cards contributed just as much, if not more, to the fewer incidents of identity theft in Europe as did the national identification cards.
Officials from the Departments of Motor Vehicles and Offices of Information Technology pointed out that linking the databases of the DMVs for the fifty states and Washington, D.C.—as required by REAL ID—would be a technological nightmare because each of those databases would have to continue to communicate with the other databases within the state. That is, California's DMV database would not only need to be linked and be able to communicate with the DMV databases from Arkansas and Michigan, but it would also need to communicate with California's healthcare system databases and retirement system databases. Given that REAL ID is supposed to go into effect on May 11, 2008, and that the Department of Homeland Security has not finalized the standards for implementing it, these officials expressed serious doubts that the states could cross these technological hurdles in time. At the presentation by these officials, audience members noted that creating a system of linked databases would make each of them as insecure as the least insecure database in the chain.
During a keynote, panel discussion on REAL ID, all of the panel members agreed that we already have a de facto national identification system—our current driver's licenses—and all the REAL ID Act was going to do was create a uniform standard for that system. The issue, as the panel saw it, was not whether we would have a national identification system, but the cost of making it more robust and whether the benefits justified the cost. There was little agreement among the panel members as to whether a unified database would be more secure than a network of linked databases or whether driver's licenses issued under REAL ID should be smartcards with chips imbedded in them. Yet, all of the panel members agreed that these cards would do little to prevent identity theft or terrorism. Additionally, at least one panelist noted that a unified database would be a far more attractive target to hackers and would not address the problem of the shadow databases that information brokers and retailer chains have in place today and would continue to maintain.
The short answer at the conference seems to be that REAL ID will not create a de facto national identification system; we already have such a system in place. All REAL ID will do is to make the system uniform. Unless stronger technological measures are built into the newer driver's licenses, however, REAL ID is not likely to make us more secure.