• United States



Chief Executive Officer, Security Innovation

Real ID Act – a National Headache

Mar 01, 20073 mins
CareersData and Information SecurityIT Leadership

The Real ID Act is setting up to be a National Headache from both an administrative and cost perspective, but worse yet it could be a Hacker’s Goldmine. A national card identity system, as specified in the Real ID Act, would create a series of state-wide databases linked together forming a de facto central repository of 300 million identities, and all of it would be managed by a mix of untrained state workers, private companies, and staff with no knowledge of proper data access controls or sensitive information processing.

The Act has set forth a set of national standards for ID cards, but it leaves the issuance and management of the cards, information entry, and maintenance of the 51 databases in each state’s hands (including D.C.)  And does anyone reading this have any concern about the vast cost and potential abuse of smartcards and embedded identity info? But government administrators aren’t the only ones with additional burden.  Companies will need to store this data and upload it with payroll and investment records. As we have seen from recent events at Stop & Shop and TJX, there are many points of entry or mishandling for personal ID info — even for well-fortified and companies diligent about meeting security standards like PCI (I believe Stop & Shop falls into this category.)

We already have too many personal identifiers, each one a point of failure for identity loss or fraud — social security numbers, passports, drivers licenses, credit and debit cards, student IDs, medical insurance cards, and so on.

There are four groups who will benefit from the Real ID Act:

  1. The tech companies who sell systems to support digital ID, authentication, or encryption. No surprise they were the biggest lobbyists for the Act. There is nothing wrong with these companies benefiting, mind you; after all, we live in a commercial money-driven economy. 
  2. Intelligence Agencies who could track individuals movements and activities (assuming the database was implemented correctly and not tampered with.. yeah, right!)
  3. Terrorist organizations who can use forged ID cards to hide their identity and, even worse, blame someone else for a crime they commit.
  4. Organized crime and the hacking community who will now have multiple points of entry into a national database of birth records and identity docs

And which groups would suffer?

  1. Government: state, federal, and municipal, all of whom would have burdensome cost, training, and infrastructure changes to adopt. Since US Congress mandated but did not _fund this program states must bear the cost of re-making their ID cards and drivers licenses.
  2. Consumers/Individuals who would have yet another document to manage and carry, while worrying that their personal data can be compromised. We will also have to suffer long lines and more expenses at places like our local RMV.
  3. Corporate America who would have to adopt systems to accept the new National ID number/letter combination (remember the Year 2000 spending? Phew! Glad we did that, eh?). We would also have to purge our systems of old identifiable information to make sure we aren’t leaving sensitive data behind… and we’ve been very good at doing this to date…not!

New Hampshire and Maine have already voted that they will not partake in the national ID program (and lose their federal funds in the process). I think the rest of the states should follow because doing so will save them, their residents, and their businesses a lot of money, pain, and digital identity risk.

This is a bureaucratic nightmare with very little upside from the Curmudgeon’s point of view.

Chief Executive Officer, Security Innovation

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world including Microsoft, IBM, Fedex, ING, Sony, Nationwide and HP.