Cyber eye: And the worst security idea of 2005 was . . .
- By William Jackson
- Dec 07, 2005
'Tis the season for looking back and recognizing landmark accomplishments of the past year. Any number of awards for IT achievement are being handed out, but we shouldn't ignore failures. After all, we learn from our mistakes.
So the first Bonehead Award for Notable Failures in IT Security goes to the 360 senators and congressmen who voted for the Real ID Act of 2005, and to the president who signed it into law.
The Real ID Act, now a part of Public Law 109-13, may not be the worst piece of legislation passed during the year, but it certainly is a model for how not to do information security.
I'm talking specifically about the part of the act establishing minimum requirements for state-issued driver's licenses and ID cards, which falls prey to one of the most dangerous IT errors: designing a system to handle sensitive information without considering security requirements.
Under the law, the new cards must contain, in machine-readable format (read: digital), the holder's name, date of birth, address, ID number, signature and photo. The act not only fails to require any encryption or other security for data stored on the cards, but also mandates the creation of shared state databases of sensitive information with no security or access restrictions.
This is particularly disturbing given the type and amount of data the act requires states to gather on citizens. States must 'capture digital images of identity source documents so that the images can be maintained in electronic storage in transferable format' for 10 years. Each state must provide all other states electronic access to this data.
The ability of any Tom, Dick or Harry with a card reader to capture a copy of your vital statistics from your driver's license is worrisome. The creation of unsecured databases containing digital images of your birth certificate and other documents is even more so.
Under the terms of this act, every bartender, bank teller or cop who swipes your electronic card is free to do as he or she pleases with the information that is captured. States are free to sell their databases to anyone for any reason, and even to access other states' databases and sell that data.
Given that Congress now is considering legislation that would require companies to tighten security on personal data, it is particularly boneheaded to ignore this issue in government databases.
Congress no doubt will say it is up to states to determine the proper security measures and access controls for this data; but that is wrong. If the federal government mandates collection of personal data, the proper place for security requirements on that data is in the federal law.Making the problem worse
With the glut of personal information already being exposed through the actions of hackers, thieves and entrepreneurs, you could argue that it is too late to worry about the privacy of data held by the government. But even if we cannot expect the government to completely solve the problems of identity theft and invasion of privacy, the least we can ask for is that government not make the problems worse.
But apparently that's more than we can hope for.William Jackson is a GCN senior writer. E-mail him at firstname.lastname@example.org.