Hidráulica

The PIA related to the NPRM clearly states that nothing in REAL ID required DHS to promulgate regulations setting federal standards for the protection of the privacy of individuals who apply for and receive driver’s licenses or state identification cards.¹⁹⁶ Nevertheless, the Chief Privacy Officer, through the PIA, noted that several references in the legislative history indicated that Congress intended for protection to be afforded.¹⁹⁷ The PIA noted that Congress expected this issue with respect to information contained in the MRZ, citing the following language from the Conference Report:

There has been little research on methods to secure the privacy of the data contained on the machine-readable strip. Improvements in the machine readable technology would allow for less data being present on the face of the card in the future, with other data stored securely and only able to be read by law enforcement official.¹⁹⁸

According to the Chief Privacy Officer, this statement suggests that Congress wanted to secure the privacy of the data contained on the MRZ of the credential, and make it accessible only to law enforcement officials.

DHS considered the findings of the Chief Privacy Officer, but determined that REAL ID does not authorize DHS to limit third-party private sector uses of the information appearing in the front of the REAL ID document or in the MRZ. It further recognized that the 2D Barcode might have vulnerabilities and technology limitations compared to other available technologies. It explained that it nevertheless selected the 2D Barcode because it was already in use by 45 jurisdictions and law enforcement across the country, and making a different technology choice could hamper law enforcement and prove to be an additional financial burden on the states. Instead, DHS emphasized that states could take action, through their own laws, to limit third-party use, citing the example of California, Nebraska, New Hampshire, and Texas, which had taken action to

196 Department of Homeland Security, Privacy Impact Assessment for the REAL ID Act: In Conjunction with the Notice of Proposed Rulemaking, Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes, 3–4.

197 Ibid., 5.

198 Ibid., 4. (citing H.R. Rep. No 109–72 (2005) (Conf. Rep.).

limit third-party use of the MRZ.¹⁹⁹ It further noted that the AAMVA had issued a model act limiting such use. That model legislation authorized the use of 2d bar code scanners by third-party users only for the limited purposes of age verification.²⁰⁰

The PIA notes that the DHS Privacy Officer had “urged DHS to adopt encryption to protect PII on the MRZ from skimming by third parties other than law enforcement or DMVs.”²⁰¹ Nevertheless, the NPRM PIA noted that to encrypt the data to prevent unauthorized third party access, it would be necessary to establish a cryptographic key to decrypt, and to provide that key to permitted parties to access the information. “The need for a key infrastructure to support access to encrypted 2D bar code data raises an important challenge for implementation of encryption.”²⁰²

The NPRM had asked for public comment on the issues of: 1) whether implementing encryption was feasible from an operational and cost perspective, and 2) whether encryption could be deployed in a manner that would ensure access to the information by law enforcement.²⁰³ The PIA noted it was recognized that to implement encryption, it would be necessary to establish a “complex and comprehensive” exchange of encryption keys among all 56 jurisdictions involved in issuing and accessing REAL ID driver’s licenses and identification cards.²⁰⁴ Footnote 50 of the NPRM PIA describes the complexity as follows.

With 2D bar codes, a symmetric cryptographic key system would need to be implemented. With a symmetric system, a multi-key or single key implementation could be used. In a multi-key implementation, although a larger the number of keys creates a more secure system, because a single key compromise does not compromise the entire system, this large number

199 Department of Homeland Security, Privacy Impact Assessment for the REAL ID Act: In Conjunction with the Notice of Proposed Rulemaking, Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes, 4. (citing H.R. Rep. No 109–72 (2005) (Conf. Rep.).

200 Ibid.

201 Ibid.

202 Department of Homeland Security, Notice of Proposed Rulemaking: Privacy Impact Assessment, March 1, 2007, 16.

203 Ibid.

204 Ibid.

of cryptographic keys would need to be accessible to the law enforcement personnel wherever they would be reading the driver’s license. A single key implementation would avoid the complexities of needing a key infrastructure, but his greatly increases the risk that this single key could be compromised. Although employing a single key greatly simplifies the procedure to make available the cryptographic key to law enforcement personnel, the compromise of this single cryptographic key would compromise all driver’s licenses created with it. In this case, encryption could create a false sense of security if a license holder thought his or her information was truly secure and it was not, because an unauthorized third party compromised the key. Not only do these implementation operations present operational and security risks, they also factor into the privacy risks with the selection of an implementation.²⁰⁵

The NPRM PIA noted that under principles of data minimization protections, if encryption were to be used, then the MRZ should have fewer data elements and more limited personal information, especially the credential holder’s address.²⁰⁶

Many comments were received both for and against encryption. DHS acknowledged that the potential to skim PII from the MRZ raises important privacy concerns, but it struck the balance in favor of the need for law enforcement to have easy access to the information, as well as complexities and costs of implementing an encryption infrastructure.²⁰⁷ Thus, DHS did not require encryption “at this time.” It noted, however, “if the States collectively determine that it is feasible to introduce encryption in the future, DHS will consider such an effort, so long as the encryption program enables law enforcement easy access to the information in the MRZ.” The PIA that accompanied the final rule indicates that DHS supports efforts to find technological improvements to protect the personal information on the MRZ, as well as state efforts to limit skimming of personal information from the cards.²⁰⁸

205 Department of Homeland Security, Privacy Impact Assessment for the REAL ID Act: In Conjunction with the Notice of Proposed Rulemaking, Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes, 4.

206 Ibid., 17.

207 Department of Homeland Security, Privacy Impact Assessment for the REAL ID Final Rule,” 14–

15.

208 Ibid., 15.

Among those dissatisfied with the DHS response regarding how it sought to protect the personal information on the cards, was EPIC, which was among the commenters urging DHS to adopt encryption as a means of protecting information stored on the MRZ. In its report on REAL ID’s implementation issued in May 2008, EPIC expressed its disagreement with DHS’ decision to leave the information on the cards unencrypted. It noted that DHS did so notwithstanding the recommendations of

“independent privacy and security experts and the agency’s own Privacy Office,” and thereby, created unnecessary security risks to individual privacy.²⁰⁹ EPIC’s report cited examples of cases in which unencrypted information had been accessed by unauthorized users, and indicated that while it anticipated DHS’ responses regarding the difficulties with the use of encryption.²¹⁰ It criticized DHS for failing to consider an alternative that EPIC had proposed, which was to not enter any personal information onto the MRZ, but instead, embed a unique identifier into the MRZ, which would “point” to the records in a national database. Those records, in turn, would only be accessible via the use of a password or encryption.²¹¹ However, as DHS had noted in its responses to comments, such an approach would suggest the need for a national database, which DHS did not want to establish given concerns about creating a national registry or national ID.

In addition to EPIC, the New York American Civil Liberties Union (NYCLU), has also been a vocal opponent of storing information in the MRZ, and raised concerns beyond those raised by EPIC. In its 2009 report setting forth its opposition to REAL ID, the NYCLU raised a wide-ranging, but arguably unsupported criticism, of the use of the MRZs on privacy grounds, including: 1) the MRZ makes the information readily accessible and able to be used by thousands of state and local officials, as well as private entities to easily track individuals; 2) the failure to encrypt the information allows anyone with a reader to access the information; 3) the unencrypted information contained in the databases and the MRZ is a treasure trove for identity thieves creating one-stop shopping for access to a wide variety of documents, including SSNs; and 4) the information

209 EPIC: Real ID Implementation Review, 12.

210 Ibid., 13.

211 Ibid.

contained in the MRZ was of concern to labor organizations which claimed it could be used to do intrusive monitoring of workers including monitoring their trips to the restroom; and 5) the MRZ poses specific concerns for lesbian, gay, bisexual, and transgender (LGBT) individuals whose entry into clubs and purchases could be used to expose their sexuality or discriminate against them.²¹² The NYCLU’s recitation of problems with the MRZ largely comes down to a concern about the absence of encryption, which DHS addressed in its rulemaking documents. It also tends to exaggerate the threat given that 2D Barcodes are unlike RFIDs that can be read from distances of a few inches, up to 20 to 30 feet away for “passive” tags, or as far away as a mile or more for some “active” tags.