The move toward more secure issuance of state identification documents may be in jeopardy. The most recent iteration of the National Governors Association secure ID bill circulating the Senate for signatures for possible introduction, the “Providing for Additional Security in States’ Identification Act of 2009” or PASS ID Act, gives the appearance of security for drivers licenses and non-driver IDs (DL/ID) when, in fact, security does not exist. The PASS ID Act would provide for insecure issuance practices by the states that, for the most part, were in place prior to 9/11. In many ways, the PASS ID Act is a step backward for most states, or at least an endorsement of the status quo, because nearly all states are implementing elements of the REAL ID Act1 — the 2005 measure designed to raise state ID standards in response to the 9/11 attacks — even in states that have passed legislation that precludes REAL ID implementation. However the new bill’s mandate to verify an ID applicant’s legal presence in the United States by 2013 is voluntary, as any state can opt out of PASS ID Act requirements.
In addition, the proposed bill pulls back on nearly all key recommendations included in the American Association of Motor Vehicle Administrators’ 2004 AAMVA DL/ID Security Framework,2 while undoing or leaving unanswered issues already resolved through the arduous comment process that led to the 2008 REAL ID regulations in operation today. In addition, the PASS ID Act leaves the 9/11 Commission secure ID recommendations in the dust, setting minimum standards that the 9/11 hijackers could easily have bypassed.
In essence, the PASS ID Act creates an atmosphere where an applicant’s identity du jour can pass muster and be issued a legitimate drivers license/ID with a “unique symbol” indicating the issuing state has complied with federal DL/ID issuance standards. This ID would then have expanded use, enabling not only access to federal national security facilities, boarding commercial aircraft, or entering nuclear power plants, but also for use in establishing identity for employment with programs such as E-Verify.
The PASS ID Act would have a result for state drivers license issuance similar to that uncovered by the March 2009 GAO report3 revealing the poor vetting processes for U.S. passports, weaknesses that enabled government investigators to acquire fast-track U.S. passports based on phony Social Security and residence data, illegitimately obtained drivers licenses, and stolen birth record information.
In contrast to the current REAL ID Act regulations now in effect, the PASS ID Act would:
- Create new rulemaking that would not be completed for at least a year from enactment, leaving unclear the status of current REAL ID rules;
- Duplicate grant-making, leaving unclear the status of current REAL ID grant-making; and
- Push full compliance out until 2021, 20 years after 9/11 and four years past REAL ID.
The PASS ID Act does not repeal REAL ID, but instead replaces its substance by deleting identity verification and document authentication and replacing them with what is, for the most part, the status quo in most states, or standards that are less rigorous than those now in place. Certification that a state has complied with federal standards would not require a security plan to protect data or to protect against corrupt employee access to private data or production facilities. Moreover, there is no requirement that any state comply with the proposed law; state laws would pre-empt the PASS ID Act. If a state does choose to comply, there is little it has to do to prove compliance. For states well on their way toward REAL ID compliance, a simple letter from someone in the state (the bill even leaves the issue open of who) claiming compliance and seeking compliance certification from the DHS Secretary may be sufficient to have all licenses and IDs issued receive a federal stamp (“unique symbol”) of approval.
There is no requirement to electronically verify date of birth, Social Security number, or lawful residence status — merely that questions be resolved with “appropriate action.” Known weaknesses such as those used by the 9/11 hijackers — such as multiple licenses or IDs in different states and use of a single document to show principal residence — are either pushed into demonstration projects for the next six years (the one driver/one license rule) or returned to pre-9/11 requirements (proof of residence). The proposed bill would likely lead to increased identity theft and license shopping.
AAMVA DL/ID Security Framework
In February 2004, the American Association of Motor Vehicle Associations (AAMVA) released to their membership a 36-page AAMVA DL/ID Security Framework agreed upon by all North American Motor Vehicle Associations (MVAs). The Framework resulted from a two-year review by a special task force that covered all aspects of drivers license/ID issuance in the wake of the 9/11 attacks. The executive summary describes the purpose of the Framework:4
The license is now readily accepted as an official document for both licensed drivers, and, in most jurisdictions, for non-drivers. The Motor Vehicle Administrations (MVAs) who issue these documents have unique, continuous, and long-lasting contact with most of their constituents from the individual’s teenage years onward....
This document provides minimum standards of security, interoperability, and reciprocity agreed upon by all North American MVAs regarding drivers license/identification card (DL/ID) issuance. Each MVA shall:
- Either meet or exceed the requirements of the Security Framework based on risk analysis and resource availability.
- Determine that all individuals granted a DL/ID “are who they say they are.”
- Ensure that each individual issued a DL/ID “remains the same person” throughout subsequent dealings both with itself or any other MVA.
Simply expressed, this means:
One license document; and
One driver control record
throughout an individual’s lifetime. Only a systematic and thorough approach ensures that minimum security standards and practices are met in each jurisdiction. Partial adherence [to AAMVA’s 2004 DL/ID Security Framework] may cause more harm than good, providing the appearance of security where in fact security does not exist. [emphasis added]
Proposed PASS ID Act Changes
Below is a review of how the proposed PASS ID Act would change current REAL ID regulations currently in effect. This analysis is based on a legal summary of the REAL ID regulations I released in February 2008, “REAL ID Final Rules: A Summary,”5 compared to a line-by-line analysis of the proposed PASS ID Act. The boxes contain AAMVA’s DL/ID Security Framework recommendations.
- States that issue non-compliant DL/IDs need not delineate (with a marker) these DL/IDs from compliant cards for federal purposes, ensuring confusion for those determining acceptability of documents for federal purposes
- Deletes benchmarks and timetable for compliance
- States may file a justification for noncompliance and receive an extension
- State laws pre-empt the PASS ID Act, including privacy laws
- Pushes off compliance for use of electronic verification of lawful status (via the Department of Homeland Security’s SAVE Program) until January 1, 2013
- Deletes states’ submission of a Security Plan by February 11, 2011, to support certification of compliance