The current debate over a "national" ID standard has touched off a fierce debate in the civil liberties community. While such a dustup can be normal, even healthy, the outcome of this one could have serious implications for Americans' privacy.
At the heart of the controversy is the recently introduced "PASS ID Act," which would amend some of the more troubling provisions of the 2005 REAL ID Act. We view PASS ID as an important, if flawed, piece of legislation that will restore some of the key privacy protections eviscerated under REAL ID.
But others in our community suggest that supporting PASS ID is tantamount to supporting the creation of a national ID card, something all of us strongly oppose. Let me repeat that because our detractors have turned a deaf ear to our statements: we oppose the creation of a national ID card.
We respect the ideology of PASS ID opponents, but are deeply concerned that their opposition to the bill is undermining the hopes of enacting very real privacy protections and reversing some of the damage caused by REAL ID.
Passed in response to the findings of the September 11 Commission, the REAL ID Act was -- much like the Patriot Act before it -- a privacy nightmare. The central threat posed by the legislation was that it would create a de facto national ID system (with a massive, centralized database) that could be used by governmental and commercial entities in a wide variety of invasive ways. Neither the Act nor the Department of Homeland Security (DHS) regulations that followed placed any limits on how and when the REAL ID could be used.
PASS ID addresses some of the biggest problems with REAL ID, removing the unilateral authority from DHS to create ad hoc "official purposes" for which a federal agency can require citizens to present an ID; statutorily requiring privacy and security protections for ID card databases; and eliminating a requirement that would have forced states to provide electronic access their ID databases to all other states. PASS ID also introduces new protections against use of information skimmed electronically from the "machine readable zone" on licenses and identification cards.
PASS ID doesn't eliminate the dangers posed by the REAL ID Act, but it does begin to mitigate key privacy threats introduced by the 2005 law. Right now, the biggest obstacle to correcting those privacy threats comes from the unlikely tandem of civil liberties advocates and hardcore congressional supporters of Real ID.
For lawmakers like Lamar Smith (R-Texas), Jim Sensenbrenner (R-Wis.), Peter King (R-N.Y) and Darrell Issa (R-Calif.), the opposition to PASS ID is simple. As they say in their recent Washington Post op-ed they believe that the hard line, privacy invasive provisions of the REAL ID Act are necessary to protect Americans.
While we adamantly disagree with that position -- and have demonstrated the very serious threats that REAL ID poses to the Americans it is intended to protect -- we can at least understand it.
What is harder to fathom is the opposition of our fellow civil liberties advocates, who oppose PASS ID because it falls short of an outright repeal of REAL ID.
However, a repeal does not directly translate into privacy protections. Here's the back of the envelope handicapping on what happens if REAL ID is ever repealed:
1) REAL ID is repealed and replaced with nothing -- Even before REAL ID, the state driver's license has been used as a default national ID with standards set nationally by the quasi-governmental American Association of Motor Vehicle Administrators -- standards not so different than the minimum standards for issuance set forth in PASS ID. The privacy risks posed by increased standardization of an identity credential that the majority of Americans already carry clearly exist whether REAL ID is repealed or stays on the books.
2) REAL ID is repealed and replaced with a negotiated rulemaking that addresses privacy concerns -- The rulemaking would include stakeholders from privacy groups, but also stakeholders from industry and governmental bodies including law enforcement.
3) REAL ID is amended and DHS undertakes a new rulemaking that addresses privacy concerns. DHS Secretary Napolitano would be responsible for updating the regulations that were released under Secretary Chertoff that specifically did not address privacy concerns because, the Department believed, Congress prevented it from doing so. The privacy standards for this rulemaking would be the same or better than those considered in option #2.
4) Congress does not act and the next phase of REAL ID goes into effect in December -- states would have to decide whether to comply. If they do not, DHS will have to decide whether to enforce the law that would not allow residents from those states to board an airplane and to deny those states any federal funds to help implement the law.
Option #1 is simply politically untenable. It would rightly be seen as not addressing the 9/11 Commission's well-documented concerns about driver's license issues and still may not protect privacy. Option #2 is best reflected in a bill introduced by Senator Akaka last year. Many privacy advocates supported this approach and would again if it were introduced. Option #3 is the PASS ID bill. Since it meets the same or better privacy standards as #2, this is an equally good option and more politically acceptable to those who do not want to be accused of repealing a security law. There is nothing to suggest that a negotiated rulemaking under #2 will bring about better regulations than what Secretary Napolitano's DHS may provide. Option #4 is clearly the worst option for privacy advocates, states and DHS alike, but a plausible result if Congress cannot agree on one of the alternatives.
While our friends are digging in their heels, we'd urge them to consider that they may be giving supporters of a national ID card exactly what they want.