Testimony to Minnesota Senate Judiciary Committee on REAL ID Act (SF166)

View Full Document as PDF

Chairman Limmer, Vice Chairman Hall, Ranking Member Latz, and Members of the Committee:

I am pleased to speak with you today about the REAL ID Act, which your state is under pressure to implement on behalf of the federal government. In my testimony today, I will share my view that REAL ID is a misdirected policy, both nationally and for the states. It is a weak security measure, creating a national ID that exposes Americans to loss of privacy, hacking, and identity fraud risks. You should not implement REAL ID. Americans and Minnesotans will be worse off if you help steer them into this national ID system.

Seeking to force state compliance, the federal government is again threatening to deny residents of non-compliant states access to airports and other facilities controlled by federal ID requirements. To protect state powers and prerogatives—as well as Minnesotans’ privacy—your state should continue to refuse compliance. After another period of bluster and threat, the federal government will back down again, as it has many times before.

Rather than comply with REAL ID, you should ask Minnesota’s congressional delegation to have all REAL ID deadlines immediately suspended. Your delegation should see that Congress discontinues funding of REAL ID in annual federal appropriations, and that Congress repeals the REAL ID Act. Congress and the U.S. Department of Homeland Security (DHS) are responsible for fixing the mess they have created by passing and pressing for REAL ID. This should not be the Minnesota legislature’s or governor’s problem.

Introduction

I am a vice president at the Competitive Enterprise Institute and formerly a senior fellow at the Cato Institute. Both are think tanks in Washington, D.C. dedicated to our nation’s founding principles of limited government, individual liberty, free markets, and peace. REAL ID is a topic I have focused on for more than a decade.

My 2006 book, Identity Crisis: How Identification is Overused and Misunderstood, examined identification processes and policies, including the REAL ID Act. I testified at the first legislative hearing on REAL ID, which was not conducted in the U.S. Congress. The first hearing on REAL ID was in the New Mexico legislature in September 2006—more than a year after Congress passed the law.

I have also testified on REAL ID in Congress and numerous other state legislatures around the country. I have monitored the odd, ugly process by which states have been dragged toward implementation of REAL ID against their better judgment and against the interests of their citizens.

REAL ID is against the interest of Americans because it is a poor security measure. That primary consideration cuts against implementation of the federal government’s mandates.

REAL ID Is Bad for Security

REAL ID is often cited as a recommendation of the 9/11 Commission, which implies that implementation of the law would improve Americans’ security. It would not. In fact, REAL ID would undercut Americans’ security against hacking and fraud, and threaten their privacy.

The argument that REAL ID was a key recommendation of the 9/11 Commission is wrong on at least two counts. First, it was not a key recommendation: The 9/11 Commission dedicated just three-quarters of a page to the question of identity security, out of 400-plus substantive pages. Its entire treatment of the subject is on page 390 of that report.[1]

The 9/11 Commission did not articulate how a national ID system would defeat future terror attacks. It did not even articulate how a national ID would have defeated the 9/11 attacks had it been in place at the time. A minor shift in behavior by the 9/11 attackers would have defeated REAL ID. REAL ID would expend billions of our national wealth to produce, at best, a minor inconvenience to bad guys.

And the REAL ID Act did not fulfill a 9/11 Commission recommendation. It repealed legislation Congress had passed earlier in response to the Commission’s report.

In 2004, responding to the 9/11 Commission’s recommendations, Congress included a provision in the Intelligence Reform and Terrorism Prevention Act (IRTPA) establishing a negotiated rulemaking process. That process convened a variety of stakeholders, including states, to consider how state driver licensing and identity card systems could be better secured. This group had met twice when the REAL ID Act passed. It repealed that section of IRTPA, disbanding this group and ending its work. The top-down process you’re experiencing today was not a 9/11 Commission recommendation. It’s what replaced Congress’s response to a 9/11 Commission recommendation.

But claims about the 9/11 Commission are meant to signal that REAL ID would improve security. This is not the case.

Identification is an essential human tool, and it provides a level of security in our everyday interactions. Knowing who someone is makes it easier to track them down. Accordingly, people who are not naturally inclined to do the right thing recognize implicitly that being known will make it costly and difficult to steal from other people or do them other wrongs or harms. But those common rules and understandings do not apply to committed attackers such as terrorists, hardened or smart criminals, and people with impulse control.

There are two ways to defeat an identity-based security system: physical avoidance and logical avoidance. Physical avoidance is accessing targets that are not controlled by identification systems—attacking a movie theater or a mall rather than an airplane. Identity systems might move threats around, but will have only the most minor role in quelling them. Logical avoidance is acquiring whatever ID is needed, either fraudulently or legitimately, to access the facility. Across the country, bribing a motor vehicle bureau employee is one way among many to punch right through identity-based security. REAL ID is a Maginot Line of security—expensive, inflexible, and easy to avoid.

REAL ID doesn’t just fail to address risks cost-effectively. It creates new security risks that are greater and more direct: risks from hacking and identity fraud.

Among the requirements REAL ID imposes on states is to “capture digital images of identity source documents so that the images can be retained in electronic storage in a transferable format.”[2] That means scanned copies of birth certificates and Social Security cards in motor vehicle databases.

The Act also requires states to “[r]etain … images of source documents presented for a minimum of 10 years.”[3] That means that any time for at least ten years after a person gets or renews a license or ID, these documents may be gathered by hackers and exposed or used in identity frauds.

But the risk comes not just from break-ins to Minnesota’s computer systems. REAL ID requires states to “[p]rovide electronic access to all other States to information contained in the motor vehicle database of the State.”[4] When Minnesotans’ data is shared through the nationwide network of databases envisioned by REAL ID, they will be at risk from hacking attacks or insider corruption at any motor vehicle department in the entire country.

We’re all familiar with the massive data breaches that have afflicted both private companies and government agencies in recent years. The risks from having digital copies of identity source documents purposefully shared among motor vehicle bureaus across the country is great, and it may lead to far greater consequences to Minnesotans if and when the basic building blocks of their identities are compromised, potentially en masse.

When the U.S. national ID system is broken, that may be a privacy and security threat to every American. Because it is a national ID, the risk is national in scope.

REAL ID Is a National ID

The U.S. Department of Homeland Security denies that REAL ID is a national ID. This is probably because most Americans reject a national ID in light of the privacy consequences and our natural inclination toward freedom. Political leaders on both sides of the aisle have long rejected a U.S. national ID. REAL ID is exactly that.

A second justification for REAL ID, which is less often emphasized than national security, is that it exists to support a national employment background check system for the purpose of immigration control. This requires a national identity system because such a thing is essential to running distinct identities past federal databases. REAL ID compliance would create that national ID system.

In the abstract, a national ID system has three elements: First, it is used for identification. This is obviously true of driver’s licenses and state-issued ID cards. Second, it is nationally uniform in its key elements. REAL ID-compliant licenses would have standard data elements on the card, a nationally standardized “machine-readable zone” on the back of the card, and nationwide personal-data-sharing. Third, its possession is either practically or legally required. A driver’s license or ID card is in that category.

A national ID has long been regarded as contrary to the American character, and it has been opposed by leading American political figures whenever it has been proposed. For example, when President Ronald Reagan’s attorney general William French Smith advocated in a cabinet meeting for support of a national ID card for illegal immigration control, the president reportedly scoffed, “Maybe we should just brand all the babies.”[5]

In the same context, Democratic presidential candidate Walter Mondale said: “We’ve never had citizenship tests in our country before. And I don’t think we should have a citizenship card today. That is counterproductive.”

Democratic Speaker of the House Thomas P. “Tip” O’Neill Jr. (D-MA) called out the ills of national ID systems in a 1987 debate over immigration reform, saying: “Hitler did this to the Jews, you know. He made them wear a dog tag.”

A decade before that, Sen. Barry Goldwater (R-AZ) recognized and objected to the surveillance consequences caused by national ID systems. In a debate on the Privacy Act of 1974, he said:

Once the social security number is set as a universal identifier, each person would leave a trail of personal data behind him for all his life which could be immediately reassembled to confront him. Once we can be identified to the administration in government or in business by an exclusive number, we can be pinpointed wherever we are, we can be more easily manipulated, we can be more easily conditioned and we can be more easily coerced.

Senator Goldwater captured how a national ID system transfers power from individuals to institutions. Identity systems determine arrangements of power in society.[6] But the closely related issue of privacy is a main objection to national ID systems like REAL ID. In two ways, REAL ID implementation would undercut Americans’ privacy.

The first is by making it more likely that people would be asked to scan their IDs and driver’s licenses, putting digital records of their comings and goings in the hands of both corporate and governmental entities. The economics of this process are simple: with uniform, machine-readable cards in place nationwide, it will be cheaper to build systems for swiping and scanning those cards. You may expect to see card swipes required more often when you cash checks  or use credit cards, pick up prescriptions, enter office buildings, and so on. The data from the cards will be correlated with the purposes of the scans, creating even more detailed digital records about all of us.

The second privacy threat from REAL ID involves the back-end data-sharing systems discussed earlier. The requirement to share data nationwide doesn’t just threaten privacy through hacking and identity fraud risks. There are also no guarantees that the data-sharing requirements will not be expanded to other uses deemed mandatory by the Department of Homeland Security or Congress.

REAL ID is a bad policy on the security and privacy merits. It would make Americans and Minnesotans worse off. But is also raises issues that should concern you specifically as state lawmakers. REAL ID compliance would permanently undercut your power to decide on the policies that best suit your constituents and your state.

REAL ID Compliance Would Undermine State Sovereignty

As state legislators, you are probably familiar with the federal government practice of threatening to withhold federal funds from states that set their own policies. The Supreme Court upheld this practice against a constitutional challenge in 1987, allowing the federal government to penalize states that did not conform their laws to federal policy.[7]

Our constitutional system reserves policies like the drinking age (at issue in the 1987 case) to the states, which are supposed to be independent sovereigns. But by dangling federal funds in front of you and your agencies, the federal government undercuts your authority and your willingness to set the policies that you believe are best for your constituents here in Minnesota. That federal practice demeans your office, as it relegates you to administering federal policy rather than making decisions on behalf of your community.

The Supreme Court recently moved to curtail Congress’s power to undercut states this way. In National Federation of Independent Business v Sebelius,[8] one of the legal challenges to Obamacare, the Court held that it was unconstitutional to threaten states with the withholding of all federal Medicaid funding if they failed to expand coverage as Congress wanted. There are limits on the federal government’s ability to undercut state power using spending, even if we’re not sure exactly where the lines are drawn. But the REAL ID Act represents a new inroad against your power in the Minnesota legislature to set policy for Minnesotans.

The REAL ID Act takes advantage of the Transportation Security Administration’s (TSA) role in airline and airport security to threaten you with inconvenience to travelers the same way the federal government threatens to withhold federal funds. REAL ID says: “Beginning 3 years after the date of the enactment of this division, a Federal agency may not accept, for any official purpose, a driver’s license or identification card issued by a State to any person unless the State is meeting the requirements of this section.”[9] That sets up a game of chicken that encourages you to abandon your authority to federal government control.

Should you hand this authority to the federal government, there is almost no chance that you will get it back. The DHS will return in future years to demand more of you, and to dictate more of the terms of your driver licensing policies. This means, of course, that DHS will set your spending priorities in this area, too. The great likelihood is that DHS mandates will leave fewer dollars in your budgets to allocate to the needs of Minnesotans as determined by you, their elected state representatives.

As you may or may not know, the DHS uses a “material compliance checklist” and not the terms of the actual law to determine whether it treats states as “compliant.” Should Minnesota become a “compliant” state, and all others fall in line, DHS will move the goalposts. In a few short years, DHS will prioritize the information-sharing requirements discussed above, and will you will be pressed to open your state’s databases to the national database network.

You will no longer control what happens with sensitive data about Minnesota drivers. You will no longer decide as state legislators what driver licensing policy will be in Minnesota. You will no longer decide how Minnesotans’ tax dollars are spent on licensing. Those decisions will be made in Washington, D.C., by Department of Homeland Security officials. Your role will be to ratify the decisions of unelected federal officials. This role you should refuse to accept.

Refuse to Implement REAL ID

The practical arguments urging you to obey federal REAL ID mandates may hold some sway now, while the minimized requirements of REAL ID are the only requirements in view. But the direction of REAL ID is toward a full-fledged national ID system that would be extremely damaging to security and privacy. The history and politics of REAL ID show, however, that you can confidently refuse to embrace the federal national ID program.

Deadlines under the REAL ID Act have come and gone many times since the law passed more than ten years ago. As deadlines near, DHS often makes great claims about coming enforcement. A press corps that focuses only rarely on REAL ID tends to amplify DHS messages, raising the specter of problems at the airport and urging REAL ID compliance as the “common sense” step. But DHS deadlines always recede before any such dramatic episode occurs. It’s a game of chicken that states have won several times and will continue to win if they play.

The early history of REAL ID is informative. Congress wrote a three-year statutory compliance deadline into the law. Minnesota, like all other states, was supposed to be compliant by May 11, 2008—and that’s according to a federal statute. But by that date, no state was in compliance with REAL ID. Notably, nobody was turned away at a TSA checkpoint. The threat to refuse people at airports had little effect on promoting state compliance.

This is probably because federal officials recognized that they—not state leaders—would be blamed for TSA-created chaos at airports. When the statutory deadline arrived, instead of enforcing REAL ID, DHS produced a new, non-statutory deadline scheme. The threat to deny Americans their right to travel had not worked, and DHS had lost the first game of chicken.

The litany of deadline extensions that followed is long and complex,[10] but, in summary, DHS has caved repeatedly over many years, making up new deadlines over and over again each time.

At the end of 2013, though, DHS came up with a new strategy that has seen slightly better success. Rather than announce deadline extensions publicly in the Federal Register, as it had been doing, the agency has taken the process offline. It now goes state-by-state, telling the press, driver licensing officials, and legislators like yourselves that TSA will soon deny travelers from their states the right to travel through America’s airports.

Divide and conquer works better. DHS is now engaging in brinkmanship with individual states, rather than the states as a whole.

Part of DHS’s game is to misrepresent the status of REAL ID nationally, making it appear to states like Minnesota that you are one of the last hold-outs. The way it does this is complicated, but years ago DHS created a “material compliance checklist,” a pared-back version of the law that it characterizes as full compliance. DHS doesn’t even require full compliance with that list, but calls some states “compliant” if they get close enough. A good lawsuit would probably expose that DHS is picking and choosing the states it calls “compliant” based on factors that are not part of federal law. “Compliance” is a status DHS assigns for its purposes, not because of states’ adherence to federal law.

But even the divide-and-conquer strategy has not been a huge success. In the fall of 2015, for example, DHS pushed the notion that 2016 was the year it would crack down on “non-compliant” states. A Business Insider story was typical of reporting at the time: “[T]he REAL ID Act could soon render your government-issued driver’s license useless as a form of ID at the airport,” the report said. “If you’re a resident of Louisiana, Minnesota, American Samoa, New Hampshire, or New York, you might need to begin traveling with your passport in 2016.”

The Minnesota legislature was impressed by these claims and created a special “Legislative Working Group on Real ID.” Many hours of your and your colleagues’ time were burned on the effort. But predictably, as the DHS’s deadline got close, DHS folded and moved the deadline back again. DHS Secretary Jeh Johnson issued a press release in early January 2016 purporting to announce a new “schedule for the final phase of implementation of the REAL ID Act.”[11] It won’t be the last.

Presently, there is much wringing of hands about the claimed January 22, 2018, deadline. But it is as sure to be moved back as all the others. You can make that happen by declining to implement REAL ID. Knowing where the blame will fall, DHS will move the deadline again.

You can and should protect the privacy and security interests of your constituents, as well as your prerogatives to set policies for Minnesota in Minnesota. You can make the federal government back down, just as the states have been doing since the original REAL ID deadline collapsed almost nine years ago.

Given the relative power you have over the U.S. Department of Homeland Security, you need not and should not implement REAL ID. There are several alternatives you may choose.

Recommendations

As alternatives to implementing REAL ID, I recommend that you, individually and as a legislature, ask Minnesota’s congressional delegation to have all REAL ID deadlines immediately suspended. It is up to your state’s federal delegation to pursue the interests of Minnesota in Washington, D.C., and they should work to quell the agitation that the Department of Homeland Security directs toward Minnesota, directly and through the press.

Invite your congressional delegation to seek the discontinuation of funding for REAL ID in the annual federal appropriations bills. These federal funds—taxpayer dollars that come in part from Minnesotans—are being used to undercut your authority over driver licensing policy in Minnesota. Federal money is being used to herd your state’s residents into a national ID system that threatens their privacy and data security.

Finally, you should appeal to your congressional delegation to seek an outright repeal the REAL ID Act. The problems created by this law are their problems to fix, not yours.

As a response to the Department of Homeland Security’s “divide and conquer” strategy, you might also consider passing a resolution or similar measure that conveys Minnesota’s views opposing REAL ID to all other states and their political leadership. Communicating with other states can help you band together and recognize your substantial mutual interest in beating back unelected federal bureaucrats who seek to take power away from state elected officials.

To the extent you are involved with national state legislator and state government organizations, you should also communicate with them and work with them to oppose REAL ID. The National Conference of State Legislatures, the American Legislative Exchange Council (ALEC), the Council of State Governments, and other groups, such as the National Governors Association, should be defending state prerogatives, as ALEC did with a “Resolution in Opposition to the REAL ID Act” in January 2007. They should not be negotiating the surrender of power to the federal government, as some other groups have done in the past.

Conclusion

The REAL ID Act is a bad federal policy. It fails as a security measure because it creates greater risks to individuals’ data security from hacking and identity fraud than it aids in national security. REAL ID is a national ID law that undercuts the privacy and liberty of law-abiding, native-born American citizens. Americans and Minnesotans will be worse off if you help steer them into this national ID system.

It is important to resist the federal government’s effort to commandeer state compliance using threats about access to airports and federal facilities. Happily, the Department of Homeland Security can be counted on to retreat from its most recent invented deadline when faced with state resistance.

Rather than comply with REAL ID, you should ask Minnesota’s congressional delegation to have all REAL ID deadlines immediately suspended. Congress should discontinue funding for REAL ID in annual federal appropriations, and it should repeal the REAL ID Act. Working with other state legislatures and leaders, as well as state legislative and government groups, you can defend your power as state leaders while protecting your citizens from the intrusions that compliance with the national ID law would produce.

You can and should refuse to implement the REAL ID Act.

Thank you.