Security

REAL ID in a nutshell

The REAL ID Act has sparked a lot of controversy -- but what is it? Chad Perrin looks at the opposition to REAL ID and discusses some of the primary issues with its adoption.

The REAL ID Act of 2005 enshrines in law a set of federal standards for state ID and driver's license authentication, issuance, and security protocols. Identification cards that do not meet these standards cannot, according to this law, be accepted by the federal government for "official purposes". Those official purposes are defined by the Secretary of Homeland Security, who at present lists as "official purposes":

  • boarding commercial airline flights
  • entering federal buildings that require identification
  • entering nuclear power plants

Additional regulations were signed into law as part of the REAL ID Act, which itself was passed as a rider on the Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005.

Judging by all that, it sounds like most of us shouldn't be able to board commercial flights at all — but such a restriction hasn't happened yet. Initially, a transitional period was prescribed setting a deadline of 11 May 2008 for compliance. In 2007, that deadline was extended to December 2009, and a subsequent extension of that grace period pushed the enforcement deadline for the REAL ID Act requirements back to 2011.

As of 2 April 2008, all 50 states had either applied for extensions beyond the deadline or received extensions from the federal government without asking.

This is where the controversy comes in. Several state legislatures have passed resolutions (in some cases, like Colorado, non-binding resolutions) refusing participation in the program and several are currently considering such resolutions. In March 2008, New Hampshire became the second of four states to acquire an extension without asking, after Montana, by the trick of simply telling the Department of Homeland Security how secure its state ID and driver's license program already is, which the DHS accepts as an informal request for an extension to "save face" while still backing down from threatening to punish the state's citizens for non-compliance.

Of course, while the polite letters forwarded to the Department of Homeland Security by several states informing it of their estimation that REAL ID Act compliance is not necessary at this time, not all statements made by state officials are offered in a strictly polite tone. Montana's Governor Brian Schweitzer famously said, in an NPR interview, literally said that his state's position on issues like the REAL ID Act, when push comes to shove, is to "Tell 'em to go to Hell".

But . . . why?

Isn't greater security important? Doesn't a set of national standards set a minimum bar for security, bringing nationwide compliance up to at least a tolerable level? Aren't standards — especially for something as important as security — good things?

The answer is complex, but key points include:

  • effectiveness: As Governor Schweitzer points out in the above-linked interview, most of the identified 9/11 hijackers would have qualified to be issued an ID under the requirements of the REAL ID Act.
  • privacy: Among other issues of privacy, this Act aims to create a national database, available to many federal and state agencies, tracking personally identifying information about carriers of REAL ID compliant identification cards — which could also contribute to increased risk of identity fraud.
  • risks: Some of the requirements of the Act may actually increase security risks, rather than reducing them. This is a common problem with broadly applied standards enacted by people (like Congress) who have no security expertise. Among the problems is the mandate for RFID chips in your wallet — a source of security vulnerability about which I've already written, in What to do about RFID chips in your wallet.
  • legality: The law created by the passage of the REAL ID Act may itself be illegal. Specifically, it has been argued that it is unconstitutional, violating the 10th Amendment.

Bruce Schneier, the closest thing to a rockstar in the security industry today, eloquently points out some of the problems and fallacious thinking that underlie the REAL ID Act in Schneier on Security: REAL ID.

Not all hope is lost for those who oppose the Act, even though it has already been signed into law. Not only are states making headway in opposing the federal push for adoption and compliance, but President-elect Obama has announced his selection of Janet Napolitano as head of the Department of Homeland Security. Napolitano has proven a vocal and prominent opponent of the REAL ID Act program in the past.

There's a lot more to be learned about the REAL ID Act, its implications (as regards not only matters of security, but other subjects as well), and the controversy that surrounds it. A good place to start, of course, is Wikipedia's REAL ID Act article.

About Chad Perrin

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks

Free Newsletters, In your Inbox