Phil Libin | Getting real
GCN Interview with Phil Libin, president of CoreStreet, a provider of infrastructure and software for smart-card credentials
- By William Jackson
- May 04, 2007
I think an important first step is a system of IDs that at the very least proves who you are. - Phil Libin
Phil Libin, president and co-founder of CoreStreet, has found himself a somewhat lonely defender of an unpopular law. He is a fervent believer in the Real ID Act, the 2005 law establishing standards for state driver's licenses and identification cards. 'Popular opinion is so strongly against it,' he said. That has not stopped him from speaking his mind on the subject, and he agreed to discuss his position with GCN. Libin's company - Cambridge, Mass.-based CoreStreet - provides infrastructure and software for smart-card credentials. Libin founded CoreStreet in 2001 after selling his previous start-up, Engine 5.
GCN: Should we have some form of national ID, or is it too late to ask that question?
LIBIN:
It is always worthwhile to ask. 'National' is maybe a scary word for people. I think the ultimate goal is not necessarily to have a system of national ID cards that can prove who you are.
The goal is to have a system to prove what attributes or privileges you have. If you are getting on a plane, that you have a right to get on the plane; if you are driving, that you have a right to drive. And if this can be done without leaving traces of who you actually are, then all the better.
There are ways of doing that, but it will take several years for the technology to become good enough so that every citizen can have some kind of an ID card that doesn't necessarily say who they are, but only what they are allowed to be doing.
That is the ultimate goal, but I think an important first step is a system of IDs that at the very least proves who you are.
GCN: What is wrong with the current system of IDs?
LIBIN:
Pretty much everything. All of the problems that people are saying we are going to have with Real ID - bad security and bad privacy, and data being everywhere - all of those problems exist today.
Relatively few people have passports, so a culture has evolved that you use your driver's license [for identity]. Functionally, they're all the same, and yet everything about them varies from state to state - how difficult they are to get, how easy they are to forge, the backgrounds of the people who handle the licenses, how the data is protected, who is allowed to use it, what kind of databases tie into it. So we pretty much have the worst possible situation right now.
GCN: What are the strengths of the Real ID?
LIBIN:
The most important thing about the act is that it is an attempt to establish some standards and best practices in the way identities should be created and used. This concept that there should be standards is important, because right now it is all de facto. We are saying, 'Here [is] the minimum set of requirements for who is allowed to handle this data and for how the cards are created.'
GCN: What are the weaknesses of Real ID?
LIBIN:
I really wish Real ID had more explicit privacy language in there. I think that was a missed opportunity that has opened the door for a lot of criticism, which is not entirely unjustified. It would be completely appropriate for Real ID to say that the flip side of security is privacy, and we are going to enact standards for both the security and privacy sides of it.
[Also], a lot of the technology choices are pretty weak. There's not a lot of high tech; it's not really a smart card. I think a smart card with asymmetrical cryptography could go a long way toward improving security and privacy. I'd like to see better standards for who can access data and what they can do with it. The government has models for this.
The Defense Department's Common Access Card program addresses a lot of these issues, but Common Access Cards are also much more expensive.
GCN: The government traditionally is not technology-specific in its requirements, focusing on results rather than specifying technology. Should they be more specific on the technology here?
LIBIN:
I am always in favor of being technology agnostic and focusing on results, but I think people could be a little more technically literate about how they write the desired results. You don't have to specify cards from a particular vendor or with a particular algorithm, but you can specify things that will lead you to a technology.
I like the idea of starting out with a high-level set of standards and requirements and specifying the technology as much as we can as time goes on.
GCN: Should we drop the law as it now stands and start over?
LIBIN:
I'm glad that privacy and security advocates came out of the woodwork and started pointing out all of the problems with Real ID, because all of these problems exist today without Real ID.
What I hope is, if Real ID dies, that they don't take that as a victory and go away leaving a completely broken system that already has everything wrong with it. I want them to stick around and [ask], 'How do we fix it?' If that's the case, I don't really care whether we have Real ID this year or something else in 12 months.
From a purely practical perspective, I think if Real ID were to die completely it would probably entrench the status quo even further, because the political will to do something probably wouldn't exist until there was another major disaster or attack. So I'd rather it not die.
GCN: How should we address concerns about inadequate protection of data on cards and in databases?
LIBIN:
That's a central issue, one not separable at all from security issues. The biggest problem with the current system is [that] we don't have particularly good laws defining what a privacy violation is, unlike some other countries. In the U.S., a privacy violation is a very subjective thing, and there aren't really good guidelines about that. So I'd like to see a set of standards and best practices and, eventually, laws saying specifically what we are trying to protect and what is a violation. There are models in other countries we can look at and learn from.
GCN: Are legislators and regulators paying attention to and responding to concerns about Real ID?
LIBIN:
I think the regulators historically do pay attention to suggestions and recommendations, and I expect that to continue with Real ID. I know that's a bit contrary to what people tend to assume.
Legislators and politicians, I think, are paying attention now. I'm not sure how long that attention span lasts.
GCN: As a provider of smart-card products, don't you have a stake in this argument?
LIBIN:
We definitely have a stake here. Our business is to provide technology for identity cards, for the Defense Department, the Homeland Security Department and for a few foreign governments.
We are not an unbiased party, but hopefully we are knowledgeable.
William Jackson is a Maryland-based freelance writer.