ipod Download a podcast of Jim Harper’s testimony

Chairman Akaka, Ranking Member Voinovich, and Members of the Committee:

It is a pleasure to speak with you today. I am director of information policy studies at the Cato Institute, a non-profit research foundation dedicated to preserving the traditional American principles of limited government, individual liberty, free markets, and peace. In that role, I study the unique problems in adapting law and policy to the information age. I also serve as a member of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, which advises the DHS Privacy Office and the Secretary of Homeland Security.

My most recent book is entitled Identity Crisis: How Identification Is Overused and Misunderstood. I am also editor of Pri​vac​il​la​.org, a Web-based think tank devoted exclusively to privacy, and I maintain an online resource about federal legislation and spending called Wash​ing​ton​Watch​.com. I speak only for myself today and not for any of the organizations with which I am affiliated or for any colleague.

* * * *

Mr. Chairman, the REAL ID Act is a dead letter. All that remains is for Congress to declare it so.

The proposed regulations issued by the Department of Homeland Security on March 9th “punted” on REAL ID’s most important technology, security, and privacy problems. At the same time, the Department’s own analysis helps reveal that REAL ID is a loser — it would cost more to implement than it would add to our country’s protections.

Of utmost importance, the DHS proposal lays the groundwork for systematic tracking of Americans based on their race. The bar code system standard that DHS calls for in the regulation includes machine-readable information about race and ethnicity. This is deeply concerning and unwise. Federal law and regulation should not promote a nationalID system that can track people by race. History has too many devastating examples of identification systems used to divide people based on religion, tribe, and race.

Though the Department of Homeland Security failed to “fix it in the regs,” this is not the agency’s fault. Regulations cannot make this law work, and neither can delay. The real problem is the REAL ID law itself.

There are highly meritorious bills pending in the Senate and House to repeal the REAL ID Act. They would restore the identification security provisions that were passed in the 9/11-Commission-inspired Intelligence Reform and Terrorism Prevention Act. Congratulations, Mr. Chairman — and I salute Senator Sununu as well — for leading the way on this issue.

These bills would be improved if they were to chart a path to government use of emerging digital identity and credentialing systems that are diverse, competitive, and privacy protective. We can have identification and credentialing systems that maximize security and minimize surveillance. REAL ID is the ugly alternative to getting it right.

DHS Punted on the Hard Issues

Though many states have already voted to refuse the REAL ID Act, some have been waiting to see what they would find in the regulations issued by the Department of Homeland Security. Now that the regulations are out, it is clear that the states have been left holding the bag.

Were they to comply with the REAL ID Act, states would have to cross a mine-field of complicated and expensive technology decisions. They would face enormous, possibly insurmountable privacy and data security challenges. But the Department of Homeland Security avoided these issues by carefully observing the constraints of federalism even though the REAL ID law was crafted specifically to destroy the distinctions between state and federal responsibilities.

The Federalism Issue

The Constitution established a federal government with limited, enumerated powers, leaving the powers not delegated to the federal government to the states and people.1 Because direct regulation of the states would be unconstitutional,2 the REAL ID Act conditions federal acceptance of state-issued identification cards and drivers’ licenses on their meeting certain federal standards.

This statutory structure — using state machinery to implement a federal program — is unfortunate. It blurs the lines of authority and obscures the workings of government from citizens and taxpayers. But it does draw federalism into play as a potential limit on the Department’s ability to regulate.

As the Notice of Proposed Rulemaking (“NPRM”) notes,3 Executive Order 13132 says that “issues that are not national in scope or significance are most appropriately addressed by the level of government closest to the people.“4 Laying out the criteria for policymaking when federalism is implicated, the Executive Order says, “National action limiting the policymaking discretion of the States shall be taken only where there is constitutional and statutory authority for the action and the national activity is appropriate in light of the presence of a problem of national significance.“5

In support of a federal function — national security — the REAL ID Act conditions federal acceptance of state identification cards and drivers’ licenses on their meeting federal standards for documentation, issuance, evidence of lawful status, verification of documents, security practices, and maintenance of driver databases. The federal government has equal power — and the Department of Homeland Security had discretion in this rule — to condition acceptance of identification cards and drivers’ licenses on closely related priorities, including meeting standards for privacy and data security.

The decision not to do this is a policy question that, according to the federalism Executive Order, turns on whether there is constitutional and statutory authority and whether national action is appropriate. The Department’s decision to abandon these issues to the states is an implicit finding that privacy and data security are not problems of national significance. That finding is wrong. Privacy is a problem of national significance.

Many different federal laws and policies seek to foster privacy and data security, even in the context of national security programs. The Executive Order establishing the President’s board on safeguarding Americans’ civil liberties, for example, states in its very first section:

The United States Government has a solemn obligation, and shall continue fully, to protect the legal rights of all Americans, including freedoms, civil liberties, and information privacy guaranteed by Federal law, in the effective performance of national security and homeland security functions.6

Among the many federal laws that are relevant is the Privacy Act of 1974.7 The Privacy Act requires federal agencies to undertake a variety of information practices, and it accords individuals a number of rights intended to protect privacy and similar interests. The law requires agencies to extend these protections to systems of records operated “by or on behalf of the agency … to accomplish an agency function” when that is done by contract.8

The Privacy Act apparently did not contemplate that states would maintain systems of records in furtherance of federal functions. However, Office of Management and Budget guidelines issued after the Privacy Act’s passage say that the Act is intended to cover “de facto as well as de jure Federal agency systems.“9

Another relevant law is FISMA, the Federal Information Security Management Act of 2002.10 FISMA seeks to bolster information security within the federal government and for federal government functions by mandating yearly security audits. FISMA makes the head of each agency responsible for information security protections with regard to information systems and “information collected or maintained by or on behalf of the agency.“11

REAL ID’s Legislative History

The legislative history of the REAL ID Act suggests Congress’ intention that the Department should implement REAL ID consistent with federal government policies on privacy. The Department of Homeland Security’s Privacy Impact Assessment reviews relevant portions of that history:

The House Conference Report for the REAL ID Act includes several key statements of Congressional intent regarding privacy. For example, in its discussion of section 202(d)(12) of the Act, which requires each state to provide electronic access to the information in its motor vehicle databases to all of the other states, the Conference Report makes clear that Congress recognized the need for the regulations to address privacy and security and that those protections should be at least the equivalent of existing federal protections. The Conference Report reads in relevant part:

DHS will be expected to establish regulations which adequately protect the privacy of the holders of licenses and ID cards which meet the standards for federal identification and federal purposes.

In addition, the Conference Report discussion of Section 202(b)(9) of the Act, which calls for using “a common machine-readable technology, with defined minimum data elements,” clearly indicates that Congress wanted privacy to be a consideration in implementing the technology. The Conference Report states:

There has been little research on methods to secure the privacy of the data contained on the machine readable strip. Improvements in the machine readable technology would allow for less data being present on the face of the card in the future, with other data stored securely and only able to be read by law enforcement officials.12

REAL ID has Formidable Privacy and Data Security Problems

The privacy and data security consequences arising from REAL ID are immense, increasingly well understood, and probably insurmountable.

The increased data collection and data retention required of states is concerning. Requiring states to maintain databases of foundational identity documents will create an incredibly attractive target to criminal organizations, hackers, and other wrongdoers. The breach of a state’s entire database, containing copies of birth certificates and various other documents and information, could topple the identity system we use in the United States today. The best data security is not creating large databases of sensitive and valuable information in the first place.

The requirement that states transfer information from their databases to each other is concerning. This exposes the security weaknesses of each state to the security weaknesses of all the others. There are ways to limit the consequences of having a logical national database of driver information, but there is no way to ameliorate all the consequences of the REAL ID Act requirement that information about every American driver be made available to every other state.

There are serious concerns with the creation of a nationally uniform identity system. Converting from a system of many similar cards to a system of uniform cards is a major change. It is not just another in a series of small steps.

Economists know well that standards create efficiencies and economies of scale. When all the railroad tracks in the United States were converted to the same gauge, for example rail became a more efficient method of transportation. Because the same train car could travel on tracks anywhere in the country, more goods and people traveled by rail. Uniform ID cards would have the same influence on the uses of ID cards.

There are machine-readable components like magnetic strips and bar codes on many licenses today. Their types, locations, designs, and the information they carry differs from state to state. For this reason, they are not used very often. If all identification cards and licenses were the same, there would be economies of scale in producing card readers, software, and databases to capture and use this information. Americans would inevitably be asked more and more often to produce a REAL ID card, and share the data from it, when they engaged in various governmental and commercial transactions.

In turn, others will capitalize on the information collected in state databases and harvested using REAL ID cards. Speaking to the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee last week, Anne Collins, the Registrar of Motor Vehicles for the Commonwealth of Massachusetts said, “If you build it they will come.” Massed personal information will be an irresistible attraction to the Department of Homeland Security and many other governmental entities, who will dip into data about us for an endless variety of purposes.

Sure enough, the NPRM cites some other uses that governments are likely to make of REAL ID, including controlling “unlawful employment,” gun ownership, drinking, and smoking. Uniform ID systems are a powerful tool. If we build it, they will come. REAL ID will be used for many purposes beyond what are contemplated today.

But the NPRM “punts” on even small steps to control these privacy concerns. It says for example that it “does not create a national database, because it leaves the decision of how to conduct the exchanges in the hands of the States.“13 My car didn’t hit you — the bumper did!

As to security and privacy of the information in state databases, the NPRM proposes paperwork. Under the proposed rules, states must prepare a “comprehensive security plan” covering information collected, disseminated, or stored in connection with the issuance of REAL ID licenses from unauthorized access, misuse, fraud, and identity theft. Requiring production of a plan is not nothing, and the NPRM refers to various “fair information practices.” However, preparing a plan is not a standard. The NPRM does not even condition federal acceptance of state cards on meeting the low standards of the federal Privacy Act or FISMA.

The REAL ID Act provided the Department of Homeland Security with very little opportunity to “fix it in the regs.” And DHS did not fix it in the regs.

REAL ID Fails Cost-Benefit Analysis

The privacy and dollar costs of REAL ID would be easy to bear if this national ID system would add significantly to our country’s protections. But the cost-benefit analysis provided in the NPRM helps show that it does not. Implementation of REAL ID would impose more costs on our society than it would provide in security or other benefits.

Executive Order 1286614 requires agencies to assess the costs and benefits of the requirements they propose. The Department found that implementing REAL ID would cost over $17 billion.15 This is 50% higher than the $11 billion estimate put forward by the National Conference of State Legislators. Again, these costs would be worth it — if the REAL ID Act had net benefits. It does not.

On the question of benefits, the regulatory analysis in the NPRM essentially punts:16

It is impossible to quantify or monetize the benefits of REAL ID using standard economic accounting techniques. However, though difficult to quantify, everyone understands the benefits of secure and trusted identification. The proposed minimum standards seek to improve the security and trustworthiness of a key enabler of public and commercial life — state-used driver’s licenses and identification cards. As detailed below, these standards will impose additional burdens on individuals, States, and even the Federal government. These costs, however, must be weighed against the intangible but no less real benefits to both public and commercial activities achieved by secure and trustworthy identification.

This is not analysis, of course. It is surmise. A few paragraphs later:

The proposed REAL ID regulation would strengthen the security of personal identification. Though difficult to quantify, nearly all people understand the benefits of secure and trusted identification and the economic, social, and personal costs of stolen or fictitious identities. The proposed REAL ID NPRM seeks to improve the security and trustworthiness of a key enabler of public and commercial life — state-issued driver’s licenses and identification cards.

The primary benefit of REAL ID is to improve the security and lessen the vulnerability of federal buildings, nuclear facilities, and aircraft to terrorist attack. The rule would give states, local governments, or private sector entities an option to choose to require the use of REAL IDs for activities beyond the official purposes defined in this regulation. To the extent that states, local governments, and private sector entities make this choice, the rule may facilitate processes which depend on licenses and cards for identification and may benefit from the enhanced security procedures and characteristics put in place as a result of this proposed rule.

The assessment goes on to imagine what protection-rates would cost-justify the REAL ID Act regulations.17 According to the assessment, if REAL ID lowers by 3.6% per year the annual probability of a terrorist attack causing immediate impacts of $63.9 billion, the rules would have net benefits. If REAL ID lowers by 0.61% per year the annual probability of a terrorist attack causing both immediate and longer run impacts of $374.7 billion, the rules would have net benefits.

This is an unsound way of judging the anti-terrorism benefits of REAL ID, and it reflects almost no thinking about how REAL ID might work as a security tool. I have attached as Appendix A a rudimentary analysis of the REAL ID Act in terms of risk management, using the framework put forward by the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.18

Creating a national identification scheme does not just attach a known, accurate identity to everyone. It causes wrongdoers to change their behavior. Sometimes this controls risks, sometimes this shifts risks from one place to another, and sometimes this creates even greater risks. Rather than being evaluated on its ability to prevent attacks outright, as the NPRM did, the REAL ID Act should be assessed in terms of its ability to delay attacks or change their character.

Assuming, for example, that a future attack would be on the scale of a 9/11 — probably an exaggerated assumption — REAL ID might be assumed (generously) to delay such an attack by six months. The value of delaying such an attack, and thus the security value of REAL ID, ranges from $2.24 billion to $13.1 billion.19 REAL ID offers less in benefits than it does at costs — even using very generous assumptions.

The information published NPRM concludes with this:

The potential ancillary benefits of REAL ID are numerous, as it would be more difficult to fraudulently obtain a legitimate license and would be substantially more costly to create a false license. These other benefits include reducing identity theft, unqualified driving, and fraudulent activities facilitated by less secure driver’s licenses such as fraudulent access to government subsidies and welfare programs, illegal immigration, unlawful employment, unlawful access to firearms, voter fraud, and possibly underage drinking and smoking. DHS assumes that REAL ID would bring about changes on the margin that would potentially increase security and reduce illegal behavior. Because the size of the economic costs that REAL ID serves to reduce on the margin are so large, however, a relatively small impact of REAL ID may lead to significant benefits.

The actual economic analysis produced by DHS and placed in the rulemaking docket has some more specific information about “ancillary benefits.” It estimates that REAL ID could reduce the costs of identity theft by merely $1.6 billion during 2007–16. No other benefits are estimated.

In summary, implementation of REAL ID would cost over $17 billion dollars. Its security benefits, under generous assumptions, might reach about $15 billion. REAL ID promises 88 cents worth of national security for every national security dollar we spend. These dollars would be taken from children’s health care, from American families’ food budgets, and from security programs that actually work. Implementing REAL ID would harm the country.

These practical considerations are very important, but there are long-term, principled reasons why Congress should reconsider the REAL ID Act immediately.

REAL ID: The Race Card

The “machine-readable technology” required for every REAL ID-compliant card has been a subject of much worry and speculation. This is not without reason. A nationally uniform ID card will make it very likely that cards will be requested, and the data on them collected and used, by governments and corporations alike. DHS was wise to resist the use of radio frequency identification tags in REAL ID.20

But even more significant issues have been created by the DHS’s choice of technical standards. The standard for the 2D barcode selected by the Department includes the cardholder’s race as one of the data elements.

If the REAL ID card is implemented, Americans transacting business using the REAL ID card may well be filling government and corporate databases with information that ties their race to records of their transactions and movements. Students of history should find the prospect sickening.

For the machine readable portion of the card, the technology standard proposed by DHS in the NPRM is the PDF-417 two-dimensional bar code. According to DHS, the PDF-417 barcode can be read by a standard 2D barcode scanner.21 This is a more highly developed version of the barcode scanning that is done in grocery stores across the country.

The version selected by DHS is the 2005 AAMVA Driver’s License/​Identification Card Design Specifications, Annex D. This is a standardized format for putting information in the bar code.

A summary of the data elements from the standard is attached as Appendix B, but briefly, white people would carry the designation “W”; black people would carry the designation “BK”; people of Hispanic origin would be designated “H”; Asian or Pacific Islanders would be “AP”; and Alaskan or American Indians would be “AI.”

DHS does not require all the data elements from the standard, and it does not require the “race/​ethnicity” data element, but the standard it has chosen will likely be adopted in its entirety by state driver licensing bureaus. The DHS has done nothing to prevent or even discourage the placement of race and ethnicity in the machine readable zones of this national ID card.

Avoiding race- and ethnicity-based identification systems is an essential bulwark of protection for civil liberties, given our always-uncertain future. In Nazi Germany, in apartheid South Africa, and in the recent genocide in Rwanda, horrible deeds were administered using identification cards that included information about religion, about tribe, and about race. Implementation of the REAL ID Act, which would permit race to be a part of the national identification card scheme, would be a grave error.

Akaka-Sununu is Essential — and it Needs a Vision of the Future

Congratulations again, Mr. Chairman — and I salute Senator Sununu, as well — on your leadership in introducing, for the second Congress in a row, legislation to repeal REAL ID and restore the ID security provisions from the 9/11-Commission-inspired Intelligence Reform and Terrorism Prevention Act.

REAL ID is often touted as a direct response to a strong recommendation of the 9/11 Commission. This is untrue on a number of levels.

The recent push for national ID cards is in reaction to the terrorist attacks of September 11, 2001, of course. An appendix to a report by the Markle Foundation Task Force on National Security in the Information Age recommended various governmental measures to make identification “more reliable.“22 This report was cited by the 9/11 Commission as it recommended “federal government … standards for the issuance of birth certificates and forms of identification, such as drivers licenses.“23 But it is important to know that the 9/11 Commission devoted about ¾ of a page in its 400-page report to identification issues. Identification security was not a “key finding” of the Commission.

Nonetheless, a provision of the Intelligence Reform and Terrorism Prevention Act of 2004, passed in response to the 9/11 Commission Report, established a negotiated rulemaking process for determining minimum standards for federally acceptable driver’s licenses and identification cards.24 This provision — the result of the 9/11 Commission report — was repealed and replaced by the REAL ID Act. Restoring the earlier, more careful provisions would be a step in the right direction.

But the Congress should examine our country’s identification policies and practices even more carefully. Identification systems have many benefits but, as we know from REAL ID, they also carry many threats. We should have a much more careful national discussion about the design of the identity systems we will use in the future.

There are identification systems being devised today by the countries’ brightest technologists that would provide all the security that identification can provide, but that would resist tracking and surveillance. Meanwhile, hundreds of millions — if not billions — of taxpayer dollars are already being spent on ID systems with little regard for their interoperability with emerging open standards, to say nothing of privacy.

It would be unfortunate of the federal government spent so much time and money to build systems that lead in a few decades to very costly dead end. Even worse would be for government systems to predominate, making it a practical requirement that Americans do have to carry a national ID card in order to function.

As it moves forward, I recommend that the Akaka-Sununu legislation include consideration of emerging open standards for government IDs and credentials. Rather than being locked into the unwieldy federal systems now being created, federal agencies should have the flexibility to accept any identification card or credential that meets or exceeds government standards for data accuracy, security, and verifiability.

In Akaka-Sununu, Congress should recognize the emergence of identity and credentialing systems that are diverse, competitive, and — most importantly — privacy protective. These systems can maximize security while minimizing surveillance. REAL ID is the ugly alternative to getting it right.

APPENDIX A

Rudimentary Analysis of REAL ID Act in Terms of Risk Management

Assessing how, and how well, the REAL ID Act regulations benefit the homeland security mission in terms of risk management requires answers to the following questions. Answers available in the NPRM are critiqued here, and sensible or assumed answers are supplied:

  • What are you trying to protect? The NPRM identifies federal buildings, nuclear facilities, and aircraft as the primary beneficiaries of the REAL ID rules, as well as other infrastructure should access to it be conditioned on showing ID. “Ancillary” beneficiaries would be the many segments of the public who would benefit from various types of fraud reduction, public safety law enforcement, and various forms of personal regulation.
  • What are you trying to protect it from? The primary threat articulated by the rule’s brief benefit statement is “terrorist attack,” which can take any number of forms. The assessment does not describe with particularity any vulnerability or the way any of these assets may be harmed, much less how REAL ID would prevent or diminish such harm. As to ancillary beneficiaries, it is well known that fraud, unsafe behavior, and unwise personal choices have a variety of costs. The assessment does not describe how the REAL ID regulations would prevent these ills, though as part of an expanded police and regulatory state, they undoubtedly would.
  • What is the likelihood of each threat occurring and the consequence if it does? The rule’s benefit statement makes no attempt at terrorism risk assessment, positing instead two different “9/11” scenarios, the avoidance of which would cost-justify the rules. The ancillary harms the assessment claims to effect vary widely across the landscape of human action, and have a variety of likelihoods and consequences.
  • What kind of action does the program take in response to the threat — acceptance, prevention, interdiction, or mitigation? The NPRM does not go into this kind of detail, but the REAL ID rules are best characterized as interdiction: a form of confrontation with, or influence exerted on, an attacker to eliminate or limit its movement toward causing harm. A more accurate and secure identification system may interfere with terrorists in a variety of ways.

    Requiring REAL ID-compliant identification cards for access to secured areas would limit the field of potential attackers on those areas to only those people that are able to prove their identity and lawful presence in the United States. This would inconvenience foreign terrorist organizations, likely changing their behavior in a number of ways. The REAL ID Act might cause foreign terrorist organizations to target infrastructure that is not secured by identification requirements. It might cause them to select individual attackers who can lawfully enter the U.S. and acquire identification.25 It might cause them to ally with domestic criminals or criminal organizations.

    They may attack the REAL ID system in various ways. The REAL ID regulations might induce foreign terrorist organizations to procure REAL ID-compliant cards through corrupt Department of Motor Vehicles employees. It might cause them to seek counterfeit documents that can fool DMV employees into issuing REAL ID-compliant cards. It might cause them to seek counterfeit REAL ID-compliant cards good enough to fool verifiers at checkpoints. It might cause them to corrupt verifiers at checkpoints.

    Whatever the case, the REAL ID regulations would cause some inconvenience to foreign terrorist organizations seeking to mount an attack on infrastructure secured behind checkpoints.

    A second form of interdiction, also not discussed in the NPRM, is the use of REAL ID in conjunction with watch lists. Again putting aside attacks on the REAL ID system, requiring REAL ID-compliant identification cards for access to secured areas would limit the field of potential attackers on those areas to only those people that are not known to be terrorists by the authorities. Coupled with watch lists, the REAL ID regulations might cause terrorist organizations, foreign and domestic, to target infrastructure that is not secured by identification requirements. It might cause them to select attackers who are not known to have contacts with terrorists.26 It also might cause them to attack the REAL ID system in the ways discussed above.

    Similar to the joining of REAL ID to watch lists in terrorism interdiction, REAL ID may be joined to a variety of commercial, law enforcement, and regulatory programs aimed at reducing fraud, promoting public safety, law enforcement, and various forms of personal regulation. Each of these multitudinous potential uses of REAL ID would alter the behavior of “attackers” in various ways. It would improve their behavior in some cases, inspire avoidance in others, and also in some cases prompt attacks on the REAL ID system like those discussed above, such as by college students seeking a good fake ID.

  • Does the response create new risks to the asset or others? Some of the avoidance behaviors listed above would transfer risks or create new risks. Terrorists may shift from REAL-ID-secured targets to non-REAL-ID-secured targets.27 Foreign terrorist organizations allying themselves with domestic criminal organizations to avoid REAL ID-based security might form more dangerous hybrid organizations. As noted above, there would certainly be attacks on the REAL ID system, in terms of technical security, corruption, fraud, and so on. The techniques developed by “casual” attackers such as college students would accrue to the benefit of the serious threats such as criminal or terrorist organizations. These are just some of the risk transfers and new risks that would result from implementing the REAL ID regulations.

APPENDIX B

From: Personal Identification — AAMVA International Specification — DL/ID Card Design, Annex D: “Mandatory PDF417 Bar Code”

MINIMUM MANDATORY DATA ELEMENTS

Jurisdiction-Specific Vehicle Class Jurisdiction-specific vehicle class / group code, designating the type of vehicle the cardholder has privilege to drive.
Jurisdiction-Specific Restriction Codes Jurisdiction-specific codes that represent restrictions to driving privileges (such as airbrakes, automatic transmission, daylight only, etc.).
Jurisdiction-Specific Endorsement Codes Jurisdiction-specific codes that represent additional privileges granted to the cardholder beyond the vehicle class (such as transportation of passengers, hazardous materials, operation of motorcycles, etc.).
Document Expiration Date Date on which the driving and identification privileges granted by the document are no longer valid. (MMDDCCYY for U.S., CCYYMMDD for Canada)
Customer Family Name Family name of the cardholder. (Family name is sometimes also called “last name” or “surname.”) Collect full name for record, print as many characters as possible on front of DL/ID.
Customer Given Names Given names of the cardholder. (Given names include all names other than the Family Name. This includes all those names sometimes also called “first” and “middle” names.) Collect full name for record, print as many characters as possible on front of DL/ID.
Document Issue Date Date on which the document was first issued. (MMDDCCYY for U.S., CCYYMMDD for Canada)
Date of Birth Date on which the cardholder was born. (MMDDCCYY for U.S., CCYYMMDD for Canada)
Physical Description — Sex Gender of the cardholder. 1 = male, 2 =female.
Physical Description — Eye Color Color of cardholder’s eyes. (ANSI D‑20 codes)
Physical Description — Height Height of cardholder. Inches (in): number of inches followed by ” in” ex. 6′1″ = ” 73 in” Centimeters (cm): number of centimeters followed by ” cm” ex. 181 centimeters=“181 cm”
Address — Street 1 Street portion of the cardholder address.
Address — City City portion of the cardholder address.
Address — Jurisdiction Code State portion of the cardholder address.
Address — Postal Code Postal code portion of the cardholder address in the U.S. and Canada. If the trailing portion of the postal code in the U.S. is not known, zeros will be used to fill the trailing set of numbers.
Customer ID Number The number assigned or calculated by the issuing authority.
Document Discriminator Number must uniquely identify a particular document issued to that customer from others that may have been issued in the past. This number may serve multiple purposes of document discrimination, audit information number, and/​or inventory control.
Country Identification Country in which DL/ID is issued. U.S. = USA, Canada = CAN.
Federal Commercial Vehicle Codes Federally established codes for vehicle categories, endorsements, and restrictions that are generally applicable to commercial motor vehicles. If the vehicle is not a commercial vehicle, “NONE” is to be entered.

OPTIONAL DATA ELEMENTS

Address — Street 2 Second line of street portion of the cardholder address.
Hair color Brown, black, blonde, gray, red/​auburn, sandy, white
Place of birth Country and municipality and/​or state/​province
Audit information A string of letters and/​or numbers that identifies when, where, and by whom a driver license/​ID card was made. If audit information is not used on the card or the MRT, it must be included in the driver record.
Inventory control number A string of letters and/​or numbers that is affixed to the raw materials (card stock, laminate, etc.) used in producing driver licenses and ID cards.
Alias / AKA Family Name Other family name by which cardholder is known.
Alias / AKA Given Name Other given name by which cardholder is known
Alias / AKA Suffix Name Other suffix by which cardholder is known
Name Suffix Name Suffix (If jurisdiction participates in systems requiring name suffix (PDPS, CDLIS, etc.), the suffix must be collected and displayed on the DL/ID and in the MRT). Collect full name for record, print as many characters as possible on front of DL/ID.
Physical Description — Weight Range Indicates the approximate weight range of the cardholder:
0 = up to 31 kg (up to 70 lbs)
1 = 32 — 45 kg (71 — 100 lbs)
2 = 46 — 59 kg (101 — 130 lbs)
3 = 60 — 70 kg (131 — 160 lbs)
4 = 71 — 86 kg (161 — 190 lbs)
5 = 87 — 100 kg (191 — 220 lbs)
6 = 101 — 113 kg (221 — 250 lbs)
7 = 114 — 127 kg (251 — 280 lbs)
8 = 128 — 145 kg (281 — 320 lbs)
9 = 146+ kg (321+ lbs)
Race / ethnicity Codes for race or ethnicity of the cardholder, as defined in ANSI D20.
Standard vehicle classification Standard vehicle classification code(s) for cardholder. This data element is a placeholder for future efforts to standardize vehicle classifications.
Standard endorsement code Standard endorsement code(s) for cardholder. This data element is a placeholder for future efforts to standardize endorsement codes.
Standard restriction code Standard restriction code(s) for cardholder. This data element is a placeholder for future efforts to standardize restriction codes.
Jurisdiction specific vehicle classification description Text that explains the jurisdiction-specific code(s) for types of vehicles cardholder is authorized to drive.
Jurisdiction specific endorsement code description Text that explains the jurisdiction-specific code(s) that indicates additional driving privileges granted to the cardholder beyond the vehicle class.
Jurisdiction specific restriction code description Text describing the jurisdiction-specific restriction code(s) that curtail driving privileges.

1 U.S. Const. amend. X.

2New York v. United States, 505 U.S. 144 (1992).

372 Fed. Reg. 10,820 (Mar. 9, 2007).

4E.O. 13132, Federalism (Aug. 4, 1999).

5Id.

6E.O. 13353, Establishing the President’s Board on Safeguarding Americans’ Civil Liberties (Aug 27, 2004).

75 U.S.C. §552a.

8Id. at §552a(m).

9Office of Management and Budget, Privacy Act Implementation: Guidelines and Responsibilities.

1044 U.S.C. § 3541 et seq. (enacted as Title III of the E‑Government Act of 2002, Pub.L. 107–347).

1144 U.S.C. § 3544(a)(1)(A).

12U.S. Department of Homeland Security, Privacy Impact Assessment for the REAL ID Act (Mar. 1, 2007) (footnotes and italics omitted) <>.</>

1372 Fed. Reg. 10,825 (Mar. 9, 2007).

14Executive Order 12866, Regulatory Planning and Review (Sept. 30, 1993), requires “significant regulatory actions,” such as those costing over $100 million annually, to be assessed in terms of benefits, costs, and alternatives.

15Id. at 10,845 (2006 dollars discounted at 7%).

16See 72 Fed. Reg. 10844–46 (Mar. 9, 2007).

17This is permitted by OMB Circular A‑4 when it is difficult to quantify and monetize the benefits of a rulemaking.

18Data Privacy and Integrity Advisory Committee, U.S. Department of Homeland Security, Framework for Privacy Analysis of Programs, Technologies, and Applications, Report No. 2006-01 (Mar. 1, 2006) <>.</>

19Assumed delay from today until 6 months into the future. (Net present value at 3.5%/6 months interest.)

20The NPRM left the door for putting RFID chips in our identification cards in the future. See 72 Fed. Reg. 10,841–2 (Mar. 9, 2007). The DHS Data Privacy and Integrity Advisory Committee concluded recently that RFID is not well suited to the task of identifying people, at least at this stage in the technology’s development. Department of Homeland Security, Data Privacy & Integrity Advisory Committee, The Use of RFID for Human Identify Verification, Report No. 2006-02 (Dec. 6, 2006) <>. The Department has recently cancelled RFID-related projects. See Alice Lipowicz, DHS Tunes Out RFID, Washington Technology (Feb. 12, 2007) <>.</></>

2172 Fed. Reg. 10,837–8 (Mar. 9, 2007).

22Markle Foundation Task Force on National Security in the Information Age, Creating a Trusted Network for Homeland Security (Dec. 2, 2003) . The main body of the report endorsed the finding of the Appendix unconditionally. See id. at 36.

23National Commission on Terrorist Attacks Upon the United States (9–11 Commission), The 9/11 Commission Report (2004) at 390.

24Intelligence Reform and Terrorism Prevention Act, Pub. L. No. 108–458, §7212.

25In general, this was the modus operandi of al Qaeda in the 9/11 attacks.

26As demonstrated by the “Carnival Booth” study, relevant information from watch lists is relatively easy to reverse-engineer. One must simply send an attacker through a checkpoint on a few “dry runs” to determine whether he or she is subject to different treatment. See Samidh Chakrabarti and Aaron Strauss, Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System, 6.806: Law and Ethics on the Electronic Frontier (May 16, 2002) .

27Assuming terrorists aim to sap the economy and vitality of the United States, they could do very well by serially attacking non-ID-controlled targets if that would induce the U.S. to secure them through ID checks. If each of the 240 million licensed drivers in the U.S. were inconvenienced by just one minute per week to show ID at malls, subway stations, bus depots, office buildings, and other public infrastructure, the cost to society in lost time alone (assumed value: $20/​hr.) would be over $4 billion per year — a net present cost of $57 billion (assumed 7% interest).