Where rubber meets the road in privacy debate - Special Projects - MSNBC.com:

“The Real ID Act is a direct implementation of one of the 9/11 Commission recommendations,” said Jeff Lungren, spokesman for House Judiciary Chairman Rep. James Sensenbrenner, R-Wisc., the legislation’s key sponsor. “There’s a ton of misconceptions that have been promulgated by the opponents from the get-go. It’s unfortunate that they’re continuing to do so.”

Okay. He's not really the Devil. At least, I don't think he is. I'm not really an authority on such matters.

As far as I can tell, this is the 9/11 Commission recommendation that the Real ID Act implements:

Recommendation: Secure identification should begin in the United States. The federal government should set standards for the issuance of birth certificates and sources of identification, such as drivers licenses. Fraud in identification documents is no longer just a problem of theft. At many entry points to vulnerable facilities, including gates for boarding aircraft, sources of identification are the last opportunity to ensure that people are who they say they are and to check whether they are terrorists.

See Chapter 12, Immigration Law and Enforcement.

Now, Jeff Lundgren, what about this recommendation:

First, as we will discuss in chapter 13, to open up the sharing of information across so many agencies and with the private sector, the President should take responsibility for determining what information can be shared by which agencies and under what conditions. Protection of privacy rights should be one key element of this determination.

Recommendation: As the President determines the guidelines for information sharing among government agencies and by those agencies with the private sector, he should safeguard the privacy of individuals about whom information is shared.

Perhaps they simply for got about that? No. It's worse than that. Section 7212 of the Intelligence Reform and Terrorism Prevention Act of 2004 implemented the same top-level recommendation of the 9/11 Commission Report to bring more control to the issuance of driver's licenses. In fact, the Department of Transportation, in conjunction with the states and the Department of Homeland Security were already working on the new standards. Among the differences? Section 7212 had a requirement that privacy concerns be considered in the development of regulations; that nagging little piece was omitted from the Real ID Act Sensenbrenner is so proud of ramming through. Second, § 7212 required negotiated rulemaking, so that affected and interested parties could take part in the process of formulating the regulations. Oops. That got dropped from Real ID, too.

Here's a snippet from a work in progress of mine that goes into more detail on the important pieces of § 7212 that were tossed aside for the Real ID Act:

Section 206 of Real ID[1] repeals § 7212 of the Intelligence Reform and Terrorism Prevention Act of 2004.[2]  Section 7212 imposed many similar data and identity verification constraints on the states as does Real ID.[3]   Beyond intentionally trying to increase information collection, enhance capabilities for information processing, and increase information dissemination, it’s unclear why § 7212 should have been repealed.

Generally, § 7212 is very similar to Real ID, so much so that the casual observer might not notice the differences.[4]  Both impose their restrictions only if the state-issued identification will be used by federal agencies as authentic identification for official purposes.[5]  Both require similar types of information to be collected applicants for driver’s licenses or identification cards.[6]  Both suggest at offers of grants to help the states get themselves into compliance.[7]  Both provide timelines for implementation and mechanisms to extend those timelines.[8]  That’s roughly where the similarities end.

Section 7212 calls for negotiated rulemaking, while Real ID doesn’t address the rulemaking process at all.[9]

 

1.     The Privacy Requirements of § 7212

 

For information privacy, the most important piece of § 7212 that was not carried forward to Real ID is the requirement for regulations to protect the privacy of individuals.[10]  Section 7212 required that the regulations “shall include procedures and requirements to protect the privacy rights of individuals who apply for and hold driver’s licenses and personal identification cards.”[11]  There is no such provision in Real ID.

This may not merely be trimming some fat from a process that might have been a government smokescreen in forming such regulations.  Development of the regulations for driver’s licenses under § 7212 was required to be done by a committee using federal negotiated rulemaking guidelines.[12]  The statute laid out the minimum categories of individuals that would have representatives on the committee drafting the regulations: 1) officials from state agencies that issue driver’s licenses or identification cards;[13] 3) elected officials from the states; 4) representatives of the Department of Homeland Security; and 5) other interested parties.[14]

State officials would have vested interests, both political and legal, in ensuring that the regulations protected the privacy of their constituents.[15]  Other interested parties would no doubt consist of civil liberties groups interested in protecting privacy rights.[16]  Even companies that sell privacy protection software or advanced identification technologies would probably get involved.[17]  Regardless of the motives of the various parties included in the negotiated rulemaking, there would surely by more public input and oversight to protect the privacy rights of individuals than there will be in an otherwise undefined privacy regulation context, as that which exists in Real ID.

 

2.     Specific § 7212 Steps to Avoid the National ID Card Issue

 

The repeal of § 7212 also removed some measures that appeared to avoid the institution of a national identity card.[18]  Americans have long been opposed to the concept of a national identity card, feeling that such a card is too great an intrusion into their personal privacy.[19]  Some commentators have even suggested that such a system, giving someone a single national identity, robs that person of individual political identity that many Americans cherish.[20]

Richard Sobel has put forth some suggestions about what a national identity system might look like. He proffers that such a system would require all citizens and documented immigrants to: 1) be issued an identifying number; 2) at a certain age, every individual would be issued a card that identified the person and was tied to the identification number; and 3) those numbers would be entered into a nationwide databank collecting disparate personal information.[21]  As Prof. Sobel points out, with the issuance of a Social Security Number at birth, the first step of that process is already complete.[22]

Section 7212 prevented the execution of the other two components of Prof. Sobel’s national identity system prerequisites.  First, it allowed states to forego certain requirements, including the requirement that an individual have a social security number, or even that a person be a citizen or documented immigrant to drive.[23]  Second, it allowed no requirement that states force their cards to conform to a national appearance standard.[24]  Third, it did not impose the open database access requirement of Real ID.[25]

Real ID, on the other hand, virtually meets all of these prerequisites.  It relies upon Social Security Numbers, which are now issued at birth.  It will allow the issuance of a standardized card at the time when a person needs to access federal resources.  Finally, Real ID mandates that all of that information be put into a databank of disparate information, that can all be tied together by the national identifier.[26]

---

[1] Real ID Act § 206.

[2] Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 108-48, Title VII, § 7212 (2004).

[3] See e.g., § 7212(b)(C)(2); Real ID Act § 202(b)-(c).

[4] Section 7212 placed rulemaking and administrative authority under the Secretary of Transportation.  Section 7212(b)(C)(i). Real ID Act substitutes the Secretary for Homeland Security.  The Real ID Act, § 201(4).  Section 7212 requires regular audits of state compliance. 

Section 7212(b)(C)(iii).  Real ID Act, curiously, does not, in spite of it’s supposedly great concern for ensuring states comply.  Real ID Act, § 202(a)(2).

[5] Rather than risk federalism questions, both § 7212 and Real ID Act only purport to lay down standards for what is required of state-issued identification documents if they are to be used for official federal government uses.  See e.g., § 7212(b)(C)(2); Real ID Act § 202(a).

[6] See, e.g. § 7212(b)(C)(2); Real ID Act § 202(c).

[7] See e.g., § 7212(c); Real ID Act § 204.

[8] See e.g., § 7212(d); Real ID Act § 205(b).

[9] See § 7212(b)(4). 

Real ID Act contains no similar requirement for the involvement of affected parties in the crafting of regulations.

[10] See  § 7212(b)(3)(2).

[11] Id.  Real ID Act contains no similar requirement for regulations to ensure information privacy.  There’s no explanation for why it has been removed in the record.  There are certainly inferences that can be drawn.

[12] Section 7212(b)(4).

[13] In other words, those who would be charged with implementing the standards would be involved in developing the regulations.  In contrast, the current approach under the Real ID Act doesn’t prohibit the Department of Homeland Security from involving those charged with implementation, but neither does it require such involvement.  In fact, it would appear that the Department of Homeland Security is well underway in drafting regulations in a vacuum.  See U.S. Driver’s License Standard Still Undefined, Card Technology, http://www.cardtechnology.com/article.html?id=20060613J3I4TARG (last visited Jun. 30, 2006).

[14] Section 7212(b)(4)(B).  It seems reasonable to assume that “interested parties” in 5) would see the involvement of privacy advocates and other civil liberties groups.

[15] See supra Part I.E.

[16] See e.g., EPIC – National ID and Real ID Act, Electronic Information Privacy Center, http://www.epic.org/privacy/id_cards/ (last visited Jun. 30, 2006) (EPIC’s tracking of the latest news regarding Real ID Act issues as well as national identity card issues); American Civil Liberties Union, RealNightmare.org, http://www.realnightmare.org/ (last visited Jun. 30, 2006) (ACLU’s public awareness website for Real ID Act concerns); United States Public Policy Committee of the Association for Computing Machinery, USACM Urges Reconsideration of Real ID Provisions, http://www.acm.org/usacm/weblog/index.php?p=280 (last visited Jun. 30, 2006).

[17] This is not a suggestion that vendors shouldn’t be involved in this process.  Indeed, software companies right now are doing significant work in identity management technologies, and the considerable research being done in that space would almost certainly benefit the development of the requirements the Real ID Act is imposing.  See, e.g., Microosft Corporation, Microsoft CardSpace, http://msdn.microsoft.com/winfx/reference/infocard/default.aspx (last visited Jun. 30, 2006); Network World, Novell Funds Open Source Bandit, http://www.networkworld.com/news/2006/061306-novell-funds-open-source.html?fsrc=rss-security (last visited Jun. 30, 2006) (regarding Novell’s Bandit identity management technology); Liberty Alliance Project, http://www.projectliberty.org/ (last visited Jun. 30, 2006) (website for the Liberty Alliance Project, a federated identity management technology).

[18] There is a long history of rejection of national identity cards in the United States.  See

Richard Sobel, The Demeaning of Identity and Personhood in National Identification Systems, 15 Harv. J.L. & Tech. 319, 382-386.

[19] See Id.

[20] Id at 370 (“Similarly, the presumption and presence of unimpeded individual action protected by the political buffer around personhood and undergirding individual rights clash with a national ID.”).

[21] Richard Sobel, The Degradation Of Political Identity Under A National Identification System, 8 B.U. J. Sci. & Tech. L. 37, 45-47.

[22] Id. at 46.

[23] See § 7212(b)(3), specifiying:

(B) may not infringe on a State's power to set criteria concerning what categories of individuals are eligible to obtain a driver's license or personal identification card from that State;

(C) may not require a State to comply with any such regulation that conflicts with or otherwise interferes with the full enforcement of State criteria concerning the categories of individuals that are eligible to obtain a driver's license or personal identification card from that State;

[24] Id. (“(D) may not require a single design to which driver’s licenses or personal identification cards issued by all States must confirm . . .  .”).

[25] In fact, it requires no information sharing between the states at all.

[26] The national identifier here is the Social Security Number, despite the fact that the Privacy Act of 1974, in part, was aimed at limiting use of the Social Security Number as a national identification number.  Sobel, Demeaning, at 350-351.  The disparate information is the array of drivers records, in all of their various formats, spread throughout the states.