Security experts have expressed dismay about new legislation that will usher in the nations first national ID system—citing a lack of confidence in the governments ability to employ the technology in such a way as to prevent citizens from being preyed upon by identity thieves.
The Real ID Act of 2005, added on to the $82 billion Emergency Supplemental Appropriations bill, was passed by the House of Representatives on Thursday and is expected to be passed by the Senate next week.
The act was pushed through without hearings or deliberation, over the objections of a coalition of 12 Democratic senators who decried it as a sweeping anti-immigration bill.
Beyond issues of civil liberties, whats disturbing about the imminent passage of the Real ID Act from a technological point of view is that its being done in spite of the growing popularity of state RMVs (Registries of Motor Vehicles) as targets for identity thieves, experts say.
“My feeling is theres a tremendous amount of activity going on right now around data theft,” said Jon Oltsik, an analyst with Enterprise Strategies Group. “The stuff we hear about in the news is dwarfed by the stuff we dont hear about, because people bury it, because they dont want to disclose it. Theyre praying nothing happens.”
The bill dictates that all states collect, at a minimum, personal information from citizens in order to obtain a drivers license, including name, date of birth, gender, drivers license or identification card number, digital photograph, address and signature.
Whereas collection of this particular information is not new, the linkage of states databases is. The bill specifies that states link what are at present discrete databases, creating, in effect, one nationwide database with personal information pertaining to all citizens.
Even with states currently discrete, disconnected databases, thieves increasingly have turned their attention to RMVs.
In March, thieves rammed a car through the back wall of a DMV near Las Vegas and stole computer equipment containing personal information on more than 8,900 people. Police in the past month have arrested DMV examiners in Florida and Maryland for selling fake drivers licenses.
Meanwhile, personal information for thousands of Americans has been compromised through the recent rash of scandals around what were considered secure databases residing with data brokers ChoicePoint and Lexis Nexis.
Government Flunks Its Own
“Gathering that information and putting it into state DMVs with a skyrocketing incident rate of identity thefts is a really bad idea,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, an organization which has long opposed the idea of national IDs.
Its not that the database information cant be encrypted, security experts point out—its that the government has proven untrustworthy in doing so.
“Yes, there are methods to protect the data. There are documented best practices,” Oltsik said. But in determining whether or not to trust government to protect the data, he said, one need look no further than its poor performance to date.
“The metric Id give you is FISMA [the Federal Information Security Management Act],” Oltsik said, referring to legislation that mandates that government agencies be graded on their ability to protect data. “The Department of Homeland Security has gotten four Fs in a row. If theyre not securing data, do we really want to trust state RMVs with this data?”
Indeed, the Nevada DMV initially reassured residents that information stolen from the DMV near Las Vegas was encrypted, making it virtually useless to thieves. State DMV chief Ginny Lewis subsequently told news outlets that Digimarc Corp., which provides digital drivers licenses for the state, had informed her that the information was not encrypted and was easily accessible.
“The practical reality with this issue is the information is already in these databases,” said Ted Julian, vice president of strategy for the database security tools vendor Application Security Inc. “Do you want it in 50 of them or in one of them? I dont know which of those scenarios is better.”
The bigger issue, Julian said, is that databases are directly under attack. “Thats where the goods are,” he said. “[Thieves] are hunting for valuable data they can sell or can otherwise benefit from. Lets face it, that typically sits in a database.”
A roadblock to securing databases is a false sense of security derived from firewalls, Julian said. Obviously, he said, building firewalls on the perimeter doesnt mean the back-end database is safe, given that “every headline of the week, theres a database break-in,” he said. “Which is not to say the perimeter stuff is a waste of time. Its necessary, but no longer sufficient.”
Check out eWEEK.coms for the latest database news, reviews and analysis.