Statement of the ACLU's Gregory T. Nojeim on the Impact of National ID Cards on Civil Liberties
Make a Difference
Your support helps the ACLU defend privacy rights and a broad range of civil liberties.
American Civil Liberties Union, Washington National Office
A NATIONAL ID CARD, NATIONAL ID SYSTEMS, AND
THEIR IMPACT ON CIVIL LIBERTIES
House of Representatives
Committee on Government Reform and Oversight
Subcommittee On National Economic Growth, Natural Resources And Regulatory Affairs
September 17, 1998
Mr. Chairman and Members of the Subcommittee:
I appreciate the opportunity to testify before the Subcommittee on National Economic Growth, Natural Resources, and Regulatory Affairs of the House Committee on Government Reform and Oversight about national ID on behalf of the American Civil Liberties Union (ACLU). The ACLU is a nationwide, non-profit, non-partisan organization of more than 275,000 members devoted to protecting the principles of freedom set forth in the Bill of Rights. The ACLU has not received any grants or contracts from the federal government in the current fiscal year.
The ACLU vigorously opposes the creation of a national ID card, whether the card is embodied in plastic, or whether the "card" is intangible -- sort of a "virtual reality" card consisting instead of a government-mandated computerized data base containing information linked by a government-issued identifier about most people in the United States. A national ID card or system of identification would substantially infringe upon the privacy rights of all U.S. citizens and is unnecessary to administer programs of the federal government.
Over the past few decades, proposals for a national identification card or national ID system have appeared a tempting (but ultimately ineffective) "quick fix" to a national problem of tracking one segment of the population or another. Lately, these proposals have accelerated.
In 1996 Congress enacted welfare and immigration "reform" legislation establishing nationwide data bases of workers to track parents who have not paid child support and to prevent undocumented people from working. This year, we applauded when Congress rejected a proposal to create a national data base of registered voters. A nation-wide patient identifier number was proposed to facilitate the matching of sensitive medical records to patients, and is currently on hold for privacy reasons. My colleague, Ms. Solange Bitol, will discuss that proposal in some detail.
Now, Congress considers a proposal by the Department of Transportation that the federal government require states to obtain a social security number ("SSN") from every driver, as well as a physical description and photograph of the driver that could be referenced to the SSN. To our knowledge, this would be the first time in history that the federal government mandated that the SSN of virtually every adult in the nation be tied to a physical description or photograph of the person in records unprotected by the Privacy Act of 1974. Worse still, the statutory mandate on which the proposed rule is based would coerce states to facilitate ID theft by putting drivers' SSNs on driving licenses.
The ACLU believes this an unfortunate proposal to federalize all state identification documents and tie them to one identifying number, the SSN. In essence, it requires states to issue federalized, national ID cards. The cure to this ill is not a tinker with the DOT's proposed rule; but rather repeal of the underlying statutory authority for the rule.
Background. Section 656(b) of the Illegal Immigration and Immigrant Responsibility Reform Act of 1996 requires the Department of Transportation to issue regulations that would effectively coerce every state to place every driver's social security number on the license or other identification card the state issues. Any state that did not comply with this federal mandate would be required to verify the social security number with the Social Security Administration ("SSA"), or, in the alternative, the driver's license or other ID card the state issues would not be acceptable for federal identification purposes. Section 656(b) also requires that these state-issued driver's licenses and ID cards follow a "form" dictated by the federal government. The DOT has proposed that the "form" of the document include a physical description of person to whom it pertains, which may include gender, height, weight, eye and hair color, a color photograph or image of the person, and his or her address.
Make no mistake. This statute requires states to issue ID cards that conform to an exacting federal standard including a photograph and physical description, and which would be supported by systems of records that would be linked or matched to other records by reference to the SSN of the driver. This is a national ID system. It is supported by state-issued identification documents that are federalized because they must comport with the federal standard. Section 656(b) reduces states to mere tools of federal government for purposes of issuing ID documents because the content and form of documents they issue are dictated by the federal government. Because the federal government dictates what goes on the ID card, and because it effectively requires that records of the identifying data be tied to a federal identifying number, states would henceforth issue what are in essence national ID cards.
Coercing the States to Comply, and To Threaten Privacy. States have no real choice but to issue documents that meet the federal standard. If they fail to do so, their drivers will be unable to secure federal benefits including Social Security, enter many federal buildings, sit for the civil service exam, serve on a jury in a federal case, register for the Selective Service, or obtain passports that allow them to exercise their right to travel. Imagine going to the Post Office to get a passport so you can travel to Europe on your honeymoon, and being told that the federal government will not accept your state-issued driver's license as ID. No resident would stand for it; no state would risk it. To avoid citizen complaints, all states will issue documents that conform to the federal mandate and procedures.
In addition, many states will be coerced into putting the SSN on every driver's license and identification card. In various comments the states have filed with the Department of Transportation, state departments of motor vehicles ("DMVs") have made it clear that verifying the SSN would inconvenience drivers and cost millions of dollars to the states. States would have to hire data entry clerks tasked with verifying SSNs. Many drivers would be compelled to wait in line at the state DMV, then go to the nearest office of federal Social Security Administration to wait in line again because their SSN did not exactly match their name. Then they would have to go back to the DMV to wait in line again, in the hopes that now their SSN would be verified. Lines at DMVs would lengthen and drivers' tempers would flare. DMVs would have to serve many drivers twice during the renewal process. It would be less expensive for the states, and more convenient for drivers and for the states, if the SSN was simply put on the driver's license.
The statute thus builds in an incentive for the states to do what most of them have recently decided not to do: compromise privacy interests by putting drivers' SSNs on driver's licenses. Currently, only six states require SSNs on the driver's licenses they issue. Most of the large states have moved away from such a requirement in order to protect their drivers' privacy, reduce fraud, and inhibit ID theft. Section 656(b) would effectively require many states to change course.
It is not difficult to anticipate the next federal demands on the federalized driver's licenses. Soon, the Federal Aviation Administration, which already requires air carriers to solicit state-issued ID from air passengers, will tell air carriers that only state-issued ID's meeting the Transportation Department's standard are sufficient and that anyone who produces anything else should be treated as a potential terrorist. (This is how the FAA currently directs carriers to treat passengers who produce no ID.) Then, the Department of Health and Human Services will tell state agencies that distribute federally-funded benefits that only the federalized-ID's will do. Then, the Department of Justice will tell employers that they cannot hire any employee who presents a state-issued ID document that does not meet the federal standard. This is not a fanciful jump; it is a logical application of the mandate of Section 656(b) to existing federal identification mandates. In no time, Americans would have to produce the federalized ID to engage in everyday life activities that should not be subject to federal governmental interference, such as getting on an airplane, obtaining a benefit from their state, or getting a job.
Some believe that the way to deal with the problem of undocumented aliens who seek work is for the federal government to threaten the privacy rights of every U.S. citizen. The ACLU believes that Big Brother, and bigger government, are not the answers to this problem.
A national ID system and the nationalized identification cards that would support it would inevitably violate the most basic of American liberties: the right to be left alone. Unlike children and workers in Nazi Germany, Soviet Russia, apartheid South Africa, Castro's Cuba or Saddam's Iraq, no American need fear the demand, "Identity papers!" We are a free people who cherish our right to be individuals, to be left alone, and to start over, free from the prying eyes (and grasping hands) of both Big Brother bureaucrats and snooping commercial interests.
Existing Privacy Protections, Including the Driver's Privacy Protection Act. It is important that the Subcommittee step back and measure Section 656(b) against the existing privacy regime -- such as it is -- in the United States. The Fourth Amendment is the cornerstone of personal privacy in this country. It prohibits the government for conducting a search without probable cause, and in most cases, a judicial warrant. But the Fourth Amendment does nothing to protect personal privacy in this context. When a person "voluntarily" divulges personal information to a state DMV in order to secure a driver's license, there is no governmental seizure to be prohibited or controlled by the warrant or probable cause requirements. Any privacy protection must therefore be statutory.
Twenty-five years ago, a Democratic Congress enacted, and a Republican President signed Congress feared that if the ""use of the SSN as an identifier continues to expand, the incentives to link records and broaden access are likely to increase.""
The Senate Committee report described the growing use of the SSN as ""one of the most serious manifestations of privacy concerns in the nation,"" including the risk that ""the number may become a means of violating civil liberties by easing the way for indexing or locating the person."" Senator Barry Goldwater (R-AZ) spoke on the Senate floor in vehement opposition to the increasing use of the SSN, calling on his colleagues ""to stop this drift toward reducing each person to a number.""
For the most part, the Privacy Act only applies to threats to privacy by federal agencies and does not stop state agencies and commercial interests from threatening personal privacy. In a sense, Section 656(b) makes an end run around the Privacy Act by parking the personal information that would be disclosed at the state, instead of at the federal level. In fact, Section 656(b) would apparently represent the first time that the federal government had ever mandated that the SSN of virtually every adult in the nation be tied to a physical description or photograph of the person in records unprotected by the Privacy Act.
Twenty years after the it passed the Privacy Act, Congress became troubled that state DMVs were selling to commercial interests personal information about drivers for as little as $20 per inquiry. In one case, a stalker used information in state DMV records to find his victim. In 1994, Congress enacted the Driver's Privacy Protection Act to establish rules to protect the privacy of the wealth of information drivers license applicants submit to their states in order to obtain a license to drive. 18 U.S.C. Sections 2721-5.
The Driver's Privacy Protection Act cannot be relied upon to protect the privacy of drivers' personal information, such as their SSNs. Though it would bar DMVs from disclosing certain personal information (SSN, photo, address, name, phone number, medical information, but not physical description) about the driver, and threatens violators with civil and criminal fines and creates a civil cause of action for anyone whose privacy is violated, the statute lists 14 exceptions to its protective provisions. It gives law enforcement at all levels of government, and insurance companies and private investigators blanket exceptions, allows states to provide personal information to mass marketers and solicitors unless the driver affirmatively requests that it do not, and it allows any legitimate business to obtain a driver's personal information to verify the accuracy the individual submitted to it.
More importantly, the statute has been successfully challenged on 10th Amendment grounds in at least three jurisdictions. Two weeks ago, a three-judge panel of the Fourth Circuit struck the Driver's Privacy Protection Act as an invalid exercise of Congress's power under the Commerce Clause in violation of the Tenth Amendment. Condon v. Reno, 97-2554, U.S. App. LEXIS 21557 (4th Cir. September 3, 1998). The federal government argued that drivers possess a right to privacy in the information maintained in state motor vehicle records that Congress can secure under the 14th Amendment. The court rejected federal government's privacy argument because: (i) the Supreme Court has never found a constitutional right to privacy with respect to the type of information found in motor vehicle records, which traditionally have been open to the public; (ii) the type of information in motor vehicle records is available from other public records such as property tax records; and (iii) the information in the records is commonly put on the driver's license and provided to strangers when a person cashes a check, boards and airplane, or purchases alcohol. Federal courts reached similar conclusions in Wisconsin (Travis v. Reno, No. 97-C-701-C, U.S. Dist. LEXIS 8570 (W.D. Wisc. June 9, 1998) (appeal pending)) and in Oklahoma (State of Oklahoma v. U.S., 994 F. Supp. 1358 (W.D. Okla. 1997)), and reached the opposite conclusion in Alabama (Pryor v. Reno, 998 F. Supp. 1317 (M.D. Ala. 1998).
In many states, the state "open government" laws permit disclosure of personal information in the state driver's data base to a great degree. ACLU is a strong proponent of openness in government and favors many such laws because openness sheds light on secret governmental activity that could violate civil liberties. Suppression of information of public interest infringes on First Amendment rights by narrowing the range of information that enters the marketplace of ideas.
The Driver's Privacy Protection Act cannot be relied upon to protect the privacy of drivers' t it does illustrate that the best way to protect the privacy of such information is to prohibit (or to remove incentives to) collection of the SSN in the first place, rather than to control and punish disclosure after the SSN has already been put in a system of records maintained by a state. Section 7 of the Privacy Act originally prohibited states that did not already do so in 1974 from denying drivers licenses to applicants who refused to provide their SSN. This protection was reversed in 1976. 42 U.S.C. Section 405(c)(2)(C)(i). Section 656(b) does much more than permit states to demand the SSN of their drivers for their DMV records; it coerces states to put the SSN on the license itself.
Potential for Misuse. Using the SSN as an identifier on federalized drivers licenses, as is contemplated in Section 656(b), would subject people to privacy intrusions, such as government surveillance and increased data collection and sharing.
There are clear examples of how government-collected information has been used for a purpose other than that for which it was initially intended. Call these "cases of authorized misuse" to distinguish these abuses from criminal activity, such as fraudulent activity from ID theft.
For instance, the confidentiality of Census Bureau information was violated during World War II to help the War Department locate Japanese-Americans so they could be forcibly moved to internment camps. During the Vietnam War, the FBI secretly operated the "Stop Index" by using its computerized National Crime Information Center (NCIC) to track and monitor the activities of people opposed to the United States' involvement in the war. The government's thirst for personal data tied to the SSN cannot be quenched. "Trust us with your personal information. We're the government," is not a theme that resonates well with the American people.
Moreover, the government has facilitated private sector abuse of data tied to the SSN. It was discovered nine years ago that the Social Security Administration used to disclose SSNs to the private sector until public outcry halted the activity. Following the public disclosures, the SSA Commissioner announced in April, 1989 that the SSA had decided not to process magnetic tapes containing 140 million names and SSNs submitted by TRW Credit Data, a credit reporting company that has been succeeded by Experian Information Systems. The Senate conducted hearings and learned that the SSA had conducted three million SSN verifications for Citibank and other firms in past years.
The private sector's use of the SSN to access information about individuals has evolved to a point never envisioned by its creators. For example, in a 1990 advertising brochure, Experian (then TRW), which held itself out as the nation's largest provider of consumer credit information and claims to maintain information on nearly 170 million consumers nationwide, advertised a service called Social Search:
In pursuit of those who have disappeared - former customers, college alumni or missing shareholders - TRW brings you Social Search: A state-of-the-art locating tool that puts our expansive databases to work for you . . . All you need are the social security numbers of those you're attempting to locate and you can reach those hard-to-find individuals who may have moved or changed their names.
This history shows the enormity of the temptation to expand the uses of data linked by a common identifier like the SSN, far beyond the purpose for which the data was originally given up. But having succumbed to this temptation in the past is no reason to facilitate such invasions in the future by effectively requiring that states put drivers' SSNs on their licenses.
ID Fraud. Ironically, the more the SSN is used as a personal identifier, the less useful it becomes as an identifier. This is because unscrupulous criminals can steal a person's identity by appropriating their SSN. "ID Fraud" -- the process of obtaining another person's personal identifying information such as the SSN, date of birth and mothers' maiden name, then using that information to fraudulently establish credit, run up debt, or take over existing financial accounts is a growing problem. According to a recent GAO report, there has been a significant increase in identity theft in recent years. GAO, Identity Fraud, GAO/GGD-98-100BR (May 1998). It is estimated that 40,000 victims of identity theft must struggle each year to clear their names and fix their credit histories. Consequently, more and more people are trying to protect the privacy of their SSN.
By coercing states to place drivers' SSNs on driver's licenses, Section 656(b) promotes ID theft. Many times when a person cashes a check at the grocery store, boards an airplane, or buys a beer, they show their license to a stranger who could sell the personal information on it to an ID thief.
Insecure Data. Little needs to be said about how insecure even the most protected systems of data have become. Computer hackers have achieved access even to sensitive defense files. In 1997, the Social Security Administration itself was forced to shut down a service it offered on its web site after reports that it may have provided unauthorized access to information about individuals' personal income and retirement benefits on the Internet.
In fact, the SSN is used as a key to unlock all manner of personal information about consumers. An internet-based industry has sprung up to harvest and sell personal information accessed through the SSN: auto ownership, creditors, criminal records, driving records, bank accounts and work histories are all alleged to be accessible. Since Section 656(b) would make drivers' SSNs more accessible to state workers harvest the number, and to every person who sees the number on a state-issued identification document, it will make this problem of protecting personal privacy much more difficult.
The SSN was never intended to be relied upon as an identifier. Historically, SSNs have been easy to obtain because there was no need for a secure card for purposes of administering the Social Security program. The number was used only to track payments into the Social Security Account. Many duplicate and inaccurate social security numbers are in use.
A national ID system based on the SSN, and the nationalized ID cards that Section 656(b) would require, pose a direct threat to personal privacy and to the security of personal information. To forestall such a threat, we urge members of Congress to support H.R. 4197, the Citizen's Privacy Protection Act of 1998. It would repeal Section 656(b) of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996. We believe that the Big Brother proposal which is represented by Section 656(b) should be stopped now so that further damage to the cause of < privacy, and liberty, is contained.
I will be happy to entertain any questions you might have.