United States residents: On Jan. 22, 2018, will you be able to board a plane with your driver’s license? Depending on what state issued your license, it may not be as easy to board as it is today. You may need a passport to fly from Kentucky to Nebraska, or from Minnesota to Wisconsin. Lawmakers in several states are concerned with the various requirements of the REAL ID Act of 2005, which they claim risks their citizens’ personal information. Some citizens will be affected earlier if they need to access secured federal areas, like military bases, because enforcement of the REAL ID Act begins Jan. 30, 2017 in these locations. 

This does not, of course, affect anyone's ability to go to the Post Office or other unsecured federal buildings.

In Maine, for example, the database requirement seems to be a major sticking point. REAL ID dictates that, in every state and territory, applicants for IDs will have the documents used to verify their residency scanned and stored in a database that may include birth certificates and Social Security cards. Maine, along with several states, has gone as far as to pass statutes that prohibit the state from complying with the Real ID requirements and, without new legislation, these states cannot comply with the federal law, making their state-issued driver’s licenses ineligible for use to access those federal areas, or, next year, to get past the TSA agent.

Other state concerns include using biometric technology like fingerprinting and facial recognition software and adding this information to the database.

Along with Maine, South Carolina and Pennsylvania have most aggressively refused to comply with REAL ID. Oklahoma and Kentucky are working toward compliance, and Minnesota, Washington, and Missouri were denied their most recent extension requests. Guam and Montana are under review now and 22 other states and territories were granted either limited extensions until June 6, 2017 or until Oct. 10, 2017. This means that, instead of enforcement beginning on Jan. 30, 2017, it will not begin until the respective extension that was granted. For example, if you have a driver’s license from Louisiana, then your ID will be accepted at federal secured areas until Oct. 10, 2017.

If your state was not granted an extension, then the enforcement begins on January 30, 2017.

How did we get here?

On May 11, 2005, the ‘‘Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005,” Public Law 109-13, was enacted. The law appropriated funding for the “Global War on Terror,” addressed various topics concerning the State Department, allocated funding for tsunami relief, and created a requirement that states comply with the Real ID Act of 2005.

The U.S. Department of Homeland Security website states that REAL ID is a coordinated effort by the states and the federal government to improve the reliability and accuracy of state-issued identification documents, which should inhibit terrorists’ ability to evade detection by using fraudulent identification. The Secretary of Homeland Security reviews each state’s IDs and determines if they meet the minimum standard, and then the Secretary certifies the state as compliant.

The requirements include things we expect to see on an ID, like name, address, gender, signature, and a digital photo. The Act also requires that before a state issues an ID, they must verify the person’s lawful status in order to prevent undocumented aliens from receiving IDs. States are required to use a federal system called the “Systematic Alien Verification for Entitlements” to verify a person’s status.

The Act also lists specific requirements the states must adhere to in order to have their IDs certified: States must take digital photos and store an electronic copy of the photo in a transferable format. They must retain paper source documents for seven years and electronic copies for 10 years. It is now mandatory to use facial recognition image capture for all applicants and the image will be stored even if the applicant is denied an ID. States must verify Social Security numbers, verify that applicants gave up their driver’s license in their prior state of residence, ensure physical security of the location where IDs are produced, and require appropriate security clearances for anyone who produces the IDs.

If a state does not meet the minimum requirement, new licenses issued after the deadline must clearly state on their face that they may not be accepted for federal identification. The color of the ID must also alert federal agents that the ID is not acceptable.

The root of the resistance

Some states have objected to the database requirement and the requirement to make this database available to the federal government and other states. The obvious fear is someone hacking into any or every state’s database and gaining access to personal information on every person that has ever applied for a license or state ID. According to Jim Harper, a senior fellow at the Cato Institute, “In summary, it’s a national ID system. Everyone in your state will be at risk of identity fraud.” DHS refutes this interpretation of the law on the DHS website, stating that “REAL ID does not build a national database nor does it grant the Federal Government or another state access to a state’s driver’s license data.”

The text of the law seems to contradict DHS’s claim. Section 202(d)(12) requires states to “provide electronic access to all other States to information contained in the motor vehicle database of the State.” Section 202(d)(13) mandates that states “maintain a State motor vehicle database that contains, at a minimum — (A) all data fields printed on drivers’ licenses and identification cards issued by the State; and (B) motor vehicle drivers’ histories, including motor vehicle violations, suspensions, and points on licenses.” It seems that the states are required to maintain a database with personal information on its citizens and that other states will have access to that information.

In the Final Rule issued by the Secretary of DHS on Jan. 29, 2008, section (E) also contradicts the DHS website, stating, “the State-to-State data exchange will likely require a software application (likely an index or pointer system) to enable the States to exchange limited information to identify whether an applicant for a card holds a card in another jurisdiction.” Section (F) explains that the requirement is no different than what is already in place. “This requirement is similar to the existing statutory and regulatory requirements for commercial driver's licenses.” 

DHS also changed the title of Section 37.33 from “Database connectivity with other States'' to “DMV Databases.” 

Some of the concerns expressed to DHS during the comment phase, before issuing the Final Rule, included a concern about the information availability to other states. One commenter suggested that the state could send out a query asking if there is another REAL ID issued and the system would simply return a “yes” or “no” answer instead of providing personal information. Many of the comments submitted showed a strong concern with the ability of hackers to gain access to the personal information of over 240 million Americans. One commenter made a point that the system is only as good as its weakest link. DHS responded that there are minimum standards required of the states. 

As a bar owner in a previous life, I think it also bears mentioning that a primary use of government-issued identification is for age verification to buy alcohol and cigarettes (and soon, here in my home state of Maine, marijuana). In addition to the previously mentioned requirements, the Act also requires IDs to have a barcode that can be scanned to provide the information from the ID. Many bars and other locations that have to verify a patron’s age purchase ID card scanning systems. These systems read the barcode on an ID and display personal information for the person using the scanner. Many scanners also store the personal information gathered from the IDs. The more information stored in the barcodes, the more personal information people give up just by going into a bar to get a beer.

How states have responded

On Sept 20, 2007, Maine enacted 29-A MRSA §1411, “An Act To Prohibit Maine from Participating in the Federal REAL ID Act of 2005,” making Maine the first state to push back against the federal requirements. Maine has privacy concerns because of the Act’s requirements to maintain the database on its citizens and having to grant the federal government access to this database. 

It is perhaps ironic that Maine has an unfortunate connection to the events of 9/11, which led to the REAL ID Act of 2005. Portland is where two terrorists boarded a flight for Boston and then continued on to join the other terrorists in the attacks in New York, Virginia, and Pennsylvania. The 9/11 Commission recommended improving the security of identification documents in their report.

In 2011, Maine took another step to protect the personal information of its citizens. 29-A MRSA §1301, sub-§6-A, states that the Secretary of State may not disseminate personal information collected to any entity without specific authorization from the Legislature. 29-A MRSA §1401, sub-§6, mandates that digital photos and signatures are confidential and that these images may only be used to produce licenses. Sec. 6. 29-A MRSA §1401, sub-§9, prohibits the state from using biometric technology to produce IDs, which includes facial recognition, fingerprinting, and retinal scanning. These laws mean that Maine will require more legislation in order to comply with the Act, should that be the will of the legislature.

Since Maine law prohibits the state from complying with the Real ID requirements, the state has not yet begun using facial recognition technology, or fingerprinting Bureau of Motor Vehicle employees, and the state does not use Real ID approved markings on its current IDs.

Maine Secretary of State Matthew Dunlap told the Portland Press Herald in 2014 that it would take six years and around $1 million for the state to come into compliance. It is not just about the cost. Dunlap also said, “You might as well just repeal the Fourth Amendment,” and he noted that the state BMV is not supposed to handle immigration enforcement. The Press Herald also quoted Alison Beyea, executive director of the ACLU of Maine, asking “Why should we be passing laws that intrude on people’s rights to come and go? We should be working on affirming people’s right to privacy, which is guaranteed in the Constitution.”

State Senator Bill Diamond, D-Windham, a former Maine secretary of state, told the Press Herald that most of the legislature’s debate in 2007 revolved around the information collected by the state and then how it could be accessed by the federal government. Another concern is that the Act did not clearly describe what the federal government would use the data for. Unlike other legislators, Sen. Diamond is ready to move forward with compliance, saying, “We can get into these philosophical debates, but people have to get on airplanes.”

In October 2015, Maine was granted an extension by the Department of Homeland Security. On Oct. 1, 2016, Maine was denied another extension to bring their IDs into compliance with the Real ID Act. Beginning Jan. 30, 2017, federal agencies will no longer accept Maine licenses and IDs for official purposes and as of Jan. 22, 2018, a Maine ID or license will no longer be accepted as identification to board a commercial aircraft.

Refusing to comply with the REAL ID Act is not the first time that Maine has enacted a law to protect its citizens’ personal information. In addition to Maine’s breach notification law, for example, 25 MRSA Pt. 12 was enacted in 2015. This law requires that law enforcement agencies obtain a warrant before using a drone for criminal investigations. The agencies may use drones for other reasons, but, in Maine, drones may not be weaponized by the agency and law enforcement may not monitor citizens demonstrating their rights of free speech and assembly. In addition to these prohibitions, the law also creates minimum requirements including putting procedures into place to minimize recording third parties not under investigation, procedures for destroying unnecessary recordings, and it creates restrictions on night vision technology, facial recognition, and high-powered zoom lenses.

In 2012, Pennsylvania also enacted a law to prevent the state from participating in the REAL ID program, P.L. 254, No. 38, the “REAL ID Nonparticipation Act.” The Pennsylvania law is not as specific as Maine’s latest law prohibiting specific activities required by the Real ID Act. Instead, Pennsylvania chose a more general approach, as Maine did in 2007. The “REAL ID Nonparticipation Act” prohibits state officials from participating in the Real ID Act of 2005. The Pennsylvania Act also specifies that the Governor or the Attorney General may file an action challenging the constitutionality of the Real ID Act.

In addition to the privacy issue concerns, there is a very real cost for the state. It is estimated that it will cost Pennsylvania upwards of $300 million to replace their current IDs. State Senator Mike Folmer, R-Lebanon, the chief sponsor of the 2012 legislation, told the Pittsburgh Post-Gazette that, “It’s an unfunded mandate that we can’t afford at a time when we are having budget problems of our own.” Sen. Folmer is not only looking at the dollars and cents, he is also concerned that these requirements will not stop terrorists. “I wish someone would show me how this card would make me safe. The Oklahoma City bomber would have had this kind of card so it wouldn’t have stopped him. I don’t see what it would accomplish.”

Pennsylvania’s privacy law library is relatively extensive, too. Title 18 Chapter 57 §5705 makes it a felony for a non-law enforcement entity to intentionally manufacture, sell, transfer, or use a device that is primarily useful for the purpose of the surreptitious interception of a wire, oral, or electronic communication. Pennsylvania also has several privacy laws related to employment, including an act that limits employers’ ability to record employees’ phone calls, allows individuals the right to inspect their records that contain personal information, and gives employees control over whether the employer may obtain information relating to HIV or drug and alcohol abuse treatment.

Pennsylvania also has a strong breach notification law in place. The Breach of Personal Information Notification Act of 2005, P.L. 474, No. 94, describes what type of personal information, when breached, requires notification. “An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.” The law also defines personal information similarly to most states, which in addition to a person’s name, their social security number and state ID numbers are included. All of this information will be maintained in the new database required by the Act.

South Carolina may have been the most direct with their 2007 law. S449 Section 56-1-85 simply states, “The State shall not participate in the implementation of the federal REAL ID Act." Governor Mark Sanford sent a letter to the DHS Secretary in 2008 expressing his concerns about the REAL ID Act. He called this a “de facto national ID system” enacted “without any debate.” Because the REAL ID Act was a rider on a bill providing relief for tsunami victims and funding for the Global War on Terror, Gov. Sanford argued, “essentially no member of Congress voted against it and it passed overwhelmingly.” The Governor also made a point of stating that this bill received “far less scrutiny than steroids in baseball.”

Before ending his letter to the Secretary, Gov. Sanford expressed his concerns about the number of times the federal government systems have been breached and that employees have broken protocol that resulted in compromised personal information of millions of Americans. Connecting every state’s databases will create a large national database that may be compromised. He mentioned a teenager that hacked into the Pentagon’s network for fun and that foreign passports are not subject to these requirements, so a terrorist could just use a foreign passport.

Looking forward

At this point, Maine, Pennsylvania, and South Carolina are the last states that cannot comply with the Act without further legislation to repeal their laws preventing compliance.

In Pennsylvania, cost may be as important as privacy; however, House Bill 2433 was introduced last year and if it is passed and signed by the Governor, it would repeal the 2012 law preventing PA from complying with Real ID. South Carolina was granted an extension during the second week of January, meaning that their driver’s licenses will be accepted at federal facilities until June 6, 2017, giving the State more time to repeal their legislation.

The current Maine legislation session does not include any proposals to repeal the Maine law (though there is a bill that would move Maine to the Atlantic Standard time zone). Hence, Maine’s request for an extension was denied and the state is now alone in facing a very real looming deadline.

With President Trump taking office 10 days before enforcement of the Act goes into effect, it remains to be seen if a change in administration will have any effect on REAL ID and its enforcement. While Trump has a reputation as a law-and-order, security-minded president-elect, he may also object to the “national ID” aspect of REAL ID and that concept’s link in some circles with gun control.

In the meantime, Mainers, at the very least, would be advised to pick up a passport. Just to be safe. Especially if they have any inclination to visit a federal facility.

Photo credit: nikkorsnapper "If we do nothing wrong, we feel victorious." via photopin