Where rubber meets the road in privacy debate

Hacker's ‘good media stunt’
Real ID opponents aren’t buying it. “Any contactless chip is going to be problematic,” said the ACLU’s Calabrese. “Their purpose is to be read at a distance. It's like trying to make water less wet. … Every day, the industry says, ‘We've defeated all these problems’ and at the next hacker conference someone shows otherwise.”

Case in point: In August, Lukas Grunwald, a German security expert, showed how he could clone a chip in an e-passport at a Las Vegas conference. His feat was dismissed as an “opportunistic” ploy by Pattinson and a “non-issue” but a “good media stunt” by Borchert who say that merely being able to copy a chip is analogous to photocopying the document and doesn’t compromise its security.

Grunwald told MSNBC.com that his critics missed a key point of his demonstration. Because an ID system would read a cloned chip, that means “the computer systems accept data from an untrusted data source,” raising the possibility that “with some additional malware, this could infect the inspection system with a trojan, or attach and shut down the inspection system by making an alert on any passenger and suspecting him as a terrorist.”

But Borchert denied that, saying the system would not activate or read the chip until the card passed three other security tests.

If you don’t believe the bad guys can steal your data with high-tech trickery, you can be sure they’ll get it in some other fashion, say Real ID’s foes.

“Something this valuable, a database of every person in the country who wants a state ID or a driver’s license would be just too tempting to criminals," said Ngo of the Electronic Privacy Information Center, adding that they will either hack the system or bribe state employees.

And commercial users also will be lining up to leverage the technology, said Calabrese. He snort-laughed at the notion that government policies will keep that from happening. “These protections for the most part don’t exist." Industry has “a great incentive to have commercial use of this product."

But criminal or commercial misuse of Real ID cannot be blamed on the technology, said Vanderhoof. "There is no risk when it's implemented properly. … What I object to is the assumption of guilt and the presumption of failure that some of the privacy advocates place on the technology, often because they don’t understand how it is going to be implemented."

Scott Carr of Digimarc, whose equipment and services help produce 50 million of the 72 million driver’s licenses issued each year in the United States, said his firm’s technique of “digital watermarking” is a good example of “incredibly reliable” technology that can increase security for both license holders and those who check them.

By placing “bits of data into content in a way that you or I don’t perceive it but a computer can read it,” digital watermarking creates ID cards that can be checked with "without having to do a database lookup that might compromise your privacy," he said. As explained on Digimarc's Web site, the "watermarks" are "woven into the artwork of the secure ID" and "can easily be read by many commonly available document scanners equipped with special software."

‘Technology isn't static’
Despite assurances by Carr and others, privacy advocates are convinced that technology will eventually fail. They say they’re only basing their concerns on what has happened in the past. “That’s just the nature of technology,” said Ngo. “If you build something, someone else will be able to break into it. Then you can try to make it stronger, then someone else will be able to break into it. Technology isn’t static, so we shouldn’t act as if it is."

Those arguments aside, Real ID’s foes believe they have an ace in the hole: The costs to states for retraining DMV employees, using computer chips, verifying documents and linking databases will be so enormous that the whole plan will collapse before it’s implemented, predicted Cato’s Harper. An estimate from state government organizations last month put the tab at $11 billion, more than 100 times the $100 million quoted by sponsor Sensenbrenner. The states say they simply don’t have the money.

But Lungren, the Sensenbrenner spokesman, said the states have come up with “wild numbers. … We don’t know what DHS is going to require so how do they know what it’s going to cost?”

Any cost is too much, Ngo said. “I want all the billions of dollars that are being spent on this Real ID program to be spent on more cops, more investigators for the FBI and the CIA … and more people for air security.”

Calabrese agreed, pointing out that simply “knowing who someone is just doesn’t tell you whether or not someone's going to be a terrorist.”

“That’s just a really defeatist attitude,” replied Lungren. “The terrorists didn’t have bombs. They had box cutters and driver’s licenses.”

MORE FROM TODAY

Today Section Front

Sad development: The last Kodachrome film lab Mom of boy set afire: ‘His courage is incredible’ Ho-ho-ho! White House Christmas tree arrives Murder, he wrote: Al Roker pens mystery novel Gasp! Babies’ fat rolls being airbrushed away? Your shopping type: Black Friday? Cyber Monday? Stars are out at White House state dinner Once again, first lady’s fashion sense dazzles It's down to the final four on 'Biggest Loser' 60 years of White House meals for India Today Section Front   Add Today headlines to your news reader: