Cyber Eye: National ID standards could create “ID theft kit”

I wrote last month that the State Department was making a mistake by leaving personal data stored on electronic passports unprotected. Congress is contemplating a similar mistake in its national standards for state ID cards.Title II of the Real ID Act of 2005 (HR 418, passed by the House in February and now pending in the Senate) establishes minimum requirements for driver’s licenses and state-issued ID cards. The usual personal data, including name, address, identification number and digital photo, must be put in a machine-readable format. What is missing are any requirements for encryption or other security on the data, or any restrictions on who could access it or how it could be used.The bill also would require any state that wanted to receive federal grants to pay for the program (and what state doesn’t want federal money?) to make databases of this information available to all other states. Again, there are no requirements for security or restrictions on how the data could be used.Richard Hunter, research director and Executive Program fellow of Gartner Inc. of Stamford, Conn., said the new card would amount to an “ID theft kit.”“In 2005 it is a bad idea to demand data from a person without stipulating how that data can be used,” Hunter said. “That is just not acceptable.”The data is not that different from what already is included on most driver’s licenses. But cards today usually have this data only in printed form, with maybe some supplemental information on a magnetic strip. Making all of the data, including a digital photo, machine-readable means all of the data will be available to anyone with a reader.Digital data is different from printed information. Printed information can be verified with a glance. Reading digital data provides the reader with a copy of the data.Handing a bank teller or a bartender a driver’s license to verify your identity or age is minimally invasive. But if someone swipes the card to verify it, all of your personal data could be captured. It now is out of your control or the control of the state that issued the card.The difference between looking and machine reading is not trivial. You might become uneasy if you saw the bartender copying your personal information from your driver’s license by hand—and that would not be an efficient way to gather data. But a quick swipe of customers’ cards could rapidly build a database with real value. Enough value to tempt a company to collect the data and sell it. To anybody who wants it. For any reason at all.That scenario would be completely legitimate under the Real ID Act, which doesn’t begin to address the potential for theft and abuse of this data. Recent high-profile cases of the loss, theft and fraudulent acquisition of personal information that has been legitimately collected underscore the risks of this type of business.Maybe the Bank of America, ChoicePoint and LexisNexis incidents only show that the genie already is out of the bottle. But I prefer a more optimistic view. I don’t think it is too late to protect personal information, and an essential place to do this is our driver’s licenses. If Congress is ready to make these licenses a de facto national ID, it must at a minimum en- crypt the data, define who can use it and take steps to ensure that the data is not misused.