Proposed laws on ID tech take privacy to the extreme
State ID bills are disruptive -- and unenforceable
Backlash against the REAL ID act, which sets national standards for state-issued drivers’ licenses and ID cards, has resulted in some extreme prohibitions being introduced in state legislatures.
REAL ID is not a good law and does not adequately provide for the security of sensitive data that it requires states to collect and share. But some misguided legislators are attacking the law indirectly by proposing the banning of broad classes of technology that would be used in the cards and licenses. Although concerns about privacy are understandable, bills introduced in New Hampshire and Oklahoma would throw out the baby with the bathwater by prohibiting the use, respectively, of all biometrics and of Radio Frequency ID.
The bills’ authors show a fundamental lack of understanding about biometrics and RFID, and their legislation is at best unnecessary and at worst disruptive and unenforceable.
The most egregious is New Hampshire's HB 244, “An act restricting the collection of biometric data by state agencies and private entities,” introduced by Rep. Neal Kurk, which is so broad in its definitions and application as to be completely impractical. It defines biometrics to include not only such things as fingerprints, voice prints, retina scans and DNA, but also “facial feature patter characteristics” and the shape of handwritten signatures. The bill would prohibit any government or private entity from gathering such data, except for employee ID cards, and would ban any requirement of such biometrics as a condition of doing business with the entity.
Cyber bill's FISMA mandate could be a step backward
As written, this would effectively ban the use of traditional signatures in the course of doing business and prohibit the use of photos for identification. Kurk no doubt would deny that this is the intent of the bill, but that’s what it says.
The Oklahoma bill, HB 1399, introduced by Paul Wesselhoft, would prohibit the use of any radio frequency identification tag or RFID ink on state drivers’ licenses or ID cards. Wesselhoft explained his concerns in a 2010 press release for a similar bill:
“Through technology, governments, corporate and private entities can track a person’s location and personal information if one’s driver’s license is embedded with a Radio Frequency Identification (RFID) chip or special ink,” he said. “They can be tracked by satellites, radio towers and even through doors in buildings as ones walks through them.”
There might be some legitimate concerns about personal tracking via RFID, but it is hard to imagine a state tracking its citizens via satellite or cell towers with a properly implemented RFID chip.
Earlier versions of both the Kurk and Wesselhoft bills failed in their previous legislative sessions; Kurk’s was defeated by a lopsided vote 267 to 39 and Wesselhoft’s was vetoed.
Privacy issues in the Real ID law, and in the implementation of any public or private identity verification scheme, should be addressed. The gathering, retention, management and disposal of personally identifiable information are serious concerns and there is no reason why states should not address those concerns with reasonable and enforceable standards and requirements.
But the problem is not the technology being used. Biometrics such as facial recognition and handwriting have been used for centuries and even millennia, and RFID can be a cost- and time-effective tool for sharing and validating information. It would make a lot more sense to focus on the real issues than on technophobic prohibitions that miss the point.