ACLU Says Enhanced Driver’s Licenses Are Insecure, Fail to Protect Personal Information

December 12, 2007
FOR IMMEDIATE RELEASE
CONTACT: media@aclu.org

PHOENIX  -- Citing serious privacy concerns with the state’s proposal to “enhance” Arizona driver’s licenses with tiny computer chips that collect personal information, the American Civil Liberties Union of Arizona today urged state lawmakers to protect Arizona residents from identity fraud and reject efforts to introduce new driver’s licenses with controversial radio frequency identification technology.

“U.S. citizens carrying these enhanced driver’s licenses will be at risk of having their every movement tracked,” said Alessandra Soler Meetze, Executive Director of the ACLU of Arizona. “These new enhanced driver’s licenses will turn Arizonans into sitting ducks for identity thieves who’ll be able to remotely scan anyone’s electronic identity with inexpensive handheld readers that pick up data emitting from these licenses.”

The ACLU’s criticism of the program comes on the heels of a recent announcement by Governor Janet Napolitano that Arizona and the Department of Homeland Security (DHS) have entered into an agreement to implement the enhanced driver’s licenses in response to the mandate of the Western Hemisphere Travel Initiative, which was passed by Congress in 2004 and requires that anyone crossing the land borders of Canada and Mexico after January 31, 2008 present a passport or similar documentation of citizenship.

As part of the agreement with the federal government, Governor Napolitano also pledges to comply with the Real ID Act, despite the fact that the Arizona Senate last year approved legislation opting out of the federal law because of serious privacy concerns.  A total of 17 states have passed legislation against the REAL ID Act, with 7 of those states opting out of the legislation completely. The ACLU argues that REAL ID creates serious identity theft risks by creating a single interlinked database containing copies of birth certificates and other personal information. It also will serve as a national identity or “internal passport” that will increasingly be used to track and control individuals’ movements and activities.

“REAL ID is a hopeless program that is in its final death throes and DHS is trying to use this ‘enhanced’ driver’s license plan to revive it,” added Meetze. “Governor Napolitano should not sign up Arizona to be the guinea pig for this failed and unfunded federal mandate.”

The ACLU argues the privacy risks posed by new RFID driver’s licenses are significant, especially considering the controversial chips can be read from up to 30 feet away and the information stored on them can be accessed by touching the chip with an inexpensive handheld electronic reader.  Even if the personal data, including name, home address, date of birth and social security number, is linked to a key or unique identifying number, it can still be accessed by people who can do serious harm, the ACLU said.

“Any wireless signal is inherently insecure,” added Meetze. “Even encrypted signals with unique identification numbers will inevitably be hacked and you’ll create as much demand for the unique identifier as you do for actual Social Security numbers.”

Even within DHS, there is controversy over whether RFID technology should be applied to ID cards. In February, the Department of Homeland Security abandoned the idea of using RFID tags to track foreign visitors leaving the country because of insurmountable technology hurdles. In addition, on Dec. 6, 2006, the Data Privacy & Integrity Advisory Committee advised DHS against the use of RFID for tracking and monitoring of people because of the security risks of “skimming” and intercepting the signal, and the potential for broader tracking of individuals’ movements and activities.

“The enhanced driver’s license proposal will do exactly what DHS’s own privacy committee warned against,” added Meetze.

The proposed new driver’s licenses also would be equipped with error-prone face recognition technology. In fact, numerous studies by knowledgeable biometrics and security experts have discredited the use of face recognition technology because it had less than a 10% chance of successfully identifying a person in its database who appeared before the camera and false-positives averaged around 1% or one in a thousand.
