Monday, May 18, 2009

RealID: Not a Real ID

At TechRepublic, there is an article entitled Why REAL ID is not Secure ID. I commented there:

I am of two minds on the utility of a national ID card. As a nationalist, I like the idea of distinguishing citizen from non-citizen. But as a lover of liberty, I despise anything that extends power to the federal government. I go back and forth on this one.

But a big problem with RealID is that to obtain one a person need only supply less-secure items such as a Social Security card or State driver's license (which are often based in turn on a birth certificate plus a utility bill or two). It turns items that are easier to forge into a token that is harder to forge, and which will confer on its bearer rights he or she should not have. In security terms, it attenuates trust.

Far from combating identity theft, RealID would make it easier.

It's typical of the pattern we find for the introduction of a new product or service: make it easy to use, to spur adoption, and then play security whack-a-mole as problems are discovered.

While having a national ID card would make it easier for law enforcement officials to distinguish illegal aliens and terrorists from ordinary folks, it would not be a sufficient mechanism for doing so. Further, there is no guarantee that an ID card would be used for that purpose.

The potential for abuse, both by people obtaining false cards and by law enforcement, is staggering.