Wednesday, September 26, 2012

The so-called Coalition for a Secure Driver's License

The second blog post this morning inspired by the article "Fake Drivers Licenses Still a Threat, GAO Finds" has to do with the Coalition for a Secure Driver's License.

My previous blog entry goes over the canard that the 9/11 terrorists had fictitious licenses, which was repeated by Brian Zimmer, President of the Coalition for a Secure Driver's License.

So who are these people?

My suspicion of them stems from the fact that their interest is quite narrow. Just look at their name. Coalition for a "secure driver's license." They do define exactly what that is (which I'll discuss below) but it strikes me as unbelievably narrow.

"CSDL is a 501 (c) (3), non-partisan, not for profit, crime prevention, educational charity based in Washington, D.C."

Ok, they are a non-profit, and not a lobbying group.

"Its central purpose is to raise public awareness that weak state systems for issuing driver's licenses and IDs increase the risk from foreign terrorists and domestic criminals who can fraudulently assume new identities to escape detection by law enforcement."

Again, it's the narrowness of this organization's objectives that bugs me. Let me state it this way: who exactly would contribute money to such an organization? Yeah, I know, you're on a website written buy a guy who takes a very strong interest in ID card issues. But there aren't many of me in this world, certainly not enough (on either side of ID card issues) to support a non-profit organization with a staffed office in Washington DC. (I have called them in the past and asked who their donors were, and all they could tell me was "individuals.")

The only reason that I could imagine someone caring so much about this issue that they would contribute was because they had a strong stance on immigration, and they felt that a secure driver's license was a tool to control immigration. However...

"CSDL does not take a position on federal immigration policy..."

They are staying out of the immigration debate. They do add, rather snarkily in my opinion...

"while recognizing that those who oppose immigration law enforcement often also oppose state procedures that confirm the authentic identities of applicants before issuing driver’s licenses and ID cards. "

The CSDL doesn't take a position on immigration, but does see some pro-immigration types as being the enemy of the CSDL.

So what does the Coalition for a Secure Driver's License believe in?

"CSDL played a key role in public education to gain Congressional support for the REAL ID Act, now entitled Public Law 109-13."

Ok, they support and played a role in the creation of the REAL ID Act.

"After the passage of the REAL ID Act, many thought the battle was over. To the contrary, even while a 2007 ITAA poll shows 85% of American adults favor a secure driver’s license, implementation of the REAL ID regulations for licenses is being vigorously opposed by well-funded special interest and extremist groups campaigning against it at the state level."

They continue to support the REAL ID Act, and they are working to make sure all states enact it.

"However, national security is not the only benefit of states complying with Public Law 109 -13. Authenticating identity of driver's license applicants will keep drunks and reckless drivers from getting new licenses under assumed or changed names, help prevent underage drinking and smoking, reduce voter fraud, help protect against identity theft, help law enforcement find deadbeat dads, and unmask sexual predators using fraudulent identities to hide from arrest warrants and sex offender requirements."

Whatever the problem is in society, a secure driver's license is the solution. I am particularly amused that they specifically mentioned sexual predators as a problem that could be solved with REAL ID Act compliant ID cards. The reason why sexual predators can't be found? Lack of REAL ID. Too funny.

Since they do call themselves a "coalition", it does beg the question who are the members of the coalition. Strictly speaking they could just be a coalition of interested individuals. However one would normally expect a group espousing a view that could solve so many different problems to have affiliations with other groups interested in the same issues, but the only affiliations shown are with ANSI and the Document Security Alliance.

ANSI is just the American National Standards Institute, a body that collect and coordinates standards.

The Document Security Alliance mission is "is a public/private partnership dedicated to improving security documents and related security document procedures by drawing upon the knowledge and detailed technical disciplines of its members." It consists of "over 40 companies, representing card and smart card manufacturers, biometric providers, system integration houses, security laminate/document providers, encryption organizations, data processing companies, proximity card providers, card printer manufacturers and law enforcement agencies were in attendance to share their experiences and examples of fraudulent documents."

Whereas the DSA appears to be a standards making body (in that it coordinates between different parties for standards on ID card issuance) the CSDL works more on the educational side on the need for, very specifically, the national ID card standard espoused in the REAL ID Act.

I would add that the wikipedia article on the CSDL says the "CSDL was established in November, 2001, by concerned New Yorkers and 9/11 family members who were concerned because of the apparent indifference by state and federal officials to this security vulnerability." The citation footnote for that goes to a defunct about us page on the CSDL website. The current CSDL website doesn't have any information about 9/11 families. If the 9/11 families part were true, I couldn't fathom any reason why they wouldn't want to mention it, it's exactly the type of fact which would give the CSDL some type of legitimacy.

The CSDL about us page still includes the line that it was formed in November 2001 because of the "apparent indifference by state and federal officials to this security vulnerability." That's a peculiar line because as anyone who was alive and conscious in November 2001 could attest, *everybody* was deeply concerned with even the most insignificant security vulnerabilities. The idea that this organization needed to be formed in November 2001 due to indifference in ID card security is absurd.

So here's my theory: the main winners of 50 state REAL ID Act compliance are ID manufacturing companies. The standards of the REAL ID Act (supported and likely written with a lot of input from CSDL) require a document issued with very different manufacturing processes, back-end software systems, DMV training, etc. REAL ID Act implementation is a significant boon to ID manufacturing companies, which handle the soup to nuts implementation of ID systems for states, and are only now enjoying the big money from the few states which have pushed ahead with REAL ID Act implementation.

For the reasons outlined above, I believe the Coalition for a Secure Driver's License to be a non-profit front for ID manufacturing companies and their concerns. I would ask that journalists who are quoting from the CSDL to take into account its mysterious background and bizarrely narrow interests.

9/11 terrorists and their driver's licenses

An article on this morning ("Fake Drivers Licenses Still a Threat, GAO Finds") is inspiring two separate blog posts.

This first one is about the following statement:

"Quick to respond to the GAO's report was Brian Zimmer, President of the Coalition for a Secure Driver's License, who noted in a press release that GAO investigators used "the same techniques used by the 9/11 terrorists" to obtain fictitious licenses."

This is a false statement.

The 9/11 terrorists had DMV-issued licenses which had their real names and their real dates of birth. That means the documents would be completely valid and legitimate in 99% of transactions that most people would use a photo ID for (age verification, name verification for banking/financial transactions, matching name to airplane ticket, etc.)

There were some procedural problems involved with proof of residency. This article goes into the mind-numbing details involved with how the terrorists used some fishy behavior to prove residence. The result is that the terrorists' licenses had addresses on them which were not accurate.

That to me is irrelevant and insignificant. Lots of people have licenses with the wrong address on them, and in 99% of situations it doesn't matter; it certainly doesn't for flying an airplane.

Issuance procedures have changed since 9/11. Had they been in place when the terrorists were getting their documents, those new procedures would have changed the effort the terrorists would have gone through in order to get the licenses, but not by much. That is because, again, they got licenses with their real identities on them.

The most irritating thing about the 9/11 terrorist fictitious license canard is that the terrorists could have just used their Saudi Arabian/Egyptian/UAE/Lebanese passports. It couldn't have made any difference then, and it's difficult to imagine it making a difference now. A Saudi Arabian with an Arab sounding name would be just as likely as a Virginian with an Arab sounding name to get the same security treatment.

By virtue of using real licenses, the 9/11 terrorists proved is that driver's licenses play little to no role in airport security. The fact that some people don't get this, and that we are investing huge time and effort in revising licensing issuance because we have come to the wrong conclusion is shameful, wasteful and most of all, embarrassing.

Philadelphia Daily News Letter to the Editor

The Philadelphia Daily News printed my letter to the editor about the solution to the no-smiling requirement that some states (like New Jersey) have for driver's license photos.

I was a little bit nicer to the NJ Motor Vehicle Commission in my letter than on my blog. I hope the MVC appreciates that.

Sunday, September 23, 2012

No smiling please, this is the DMV

The big news in the driver's license world was the collective annoyance at the fact that New Jersey driver's can't smile in their driver's license photographs. Now there is a solution to this problem, which I'll discuss below but let's go over the basics.

Some jurisdictions use a facial recognition system which can't process strong facial expressions particularly well. It's not just a problem confined to the US, for instance you can't smile in Canadian passport photos either. 

Hypothetically the facial recognition system can take a photo and run it in the database of existing photos, to see if the person has applied for/received a license in the past. Facial recognition on this scale is complex and difficult. False positives are major problem of course...if you want to increase reliability, you increase false positives, and it takes time (from a human) to sort through and analyze the system's mistakes. Decreasing false positives means the system may miss out on true copies. The quantity of photographs obviously makes a big difference, running facial recognition on the California driver's license database is quite different from running it on Delaware's database. As far as I know, they don't run facial recognition on all 50 states' database, and it's an open secret that the technology couldn't handle that many photos.

This means the only thing the facial recognition system can catch is people applying for a fraudulent ID card in the same state they already have one. Facial recognition is therefore a complex, not particularly reliable system to detect fraudsters who are too lazy to drive over the state border.

Most states have facial recognition systems that can handle strong expressions (like smiling.) A few states, like New Jersey don't. I'm not sure why they would purchase such a system, the fact that it can't handle smiling implies to me that it's not very good and is probably best avoided. I mean, how much cheaper could the no-smile system have been? (Alternatively, the system which tolerates smiling might even be worse in terms of reliability.)  

I can't help but be curious about the company and the people who would make a facial recognition system that can't deal with smiles. Talk about compromises to push a mediocre product out the door. For that matter, I'd be amused to watch a software engineer say to a child "I make software that takes pictures of people that they can't smile in." Not something to be proud of.

If you're trying to get to grips with why the smile is important and why people care, I believe it's because the DMV is a dehumanizing place. You're lining up to get entered into a massive population database, you have to prove your identity (something really basic and fundamental about you) in multiple awkward ways, if a failure occurs you find yourself denied basic requirements of life--such as driving a car. It is a position of enormous vulnerability that humans rarely have to endure (the most analogous experience is airport security.) Some people are quite sensitive to this dehumanization. In fact, I believe that sometimes DMV customer service is actually normal, but because you're coming from such an awkward, dehumanized place, you feel more sensitive to minor customer service failures.

So you try to make the best of it, be as human as possible, smile, and pray that you have a halfway nice picture to reward yourself from all the effort.

Oh and the solution? Just take two pictures. One for the database, and a smiling one for the license. I'm not surprised that several state DMVs (and the system vendor) have missed this simple solution, but it's so painfully obvious that even my worst assumptions about their competence can't explain why they've missed it.

Primer on the development of photo ID cards in the United States

By all means photo ID cards existed in some way since the very early 20th century. However the ubiquity of ID cards for Americans didn't begin until the 1960s, with the invention of instant color photography by Polaroid in 1964.

Polaroid's invention was a clever but expensive breakthrough. It simply was too expensive for most consumers, and there was little chance of it becoming as popular as its instant black and white cameras. 

In 1964,  almost all states issued non-photo licenses, with the basic description of the individual (the height, weight, eye color info still found on licenses today) serving as the identifier of the driver. (The two exceptions were California and Colorado, which issued black and white photo licenses, with Polaroid equipment.) 

But Polaroid saw an opportunity, and began aggressively lobbying state legislatures: color photo licenses meant "better identification." Citizens shouldn't worry about having to bring their photos in, so the state should take the photos at the DMV. And ideally, issuance would occur immediately, so the driver walked out of the DMV the same day with their color photo license.

Ironically black and white photographs are better for identification, as the features of the face pop out better than they do in black and white. While it's true that citizens didn't have to worry about bringing in their photos if the state took the photo, it also meant that citizens were often not happy with the results because they couldn't select a photograph that they liked. And while immediate issuance was convenient, instant technology was a lot more expensive than taking a shot on film that needed to be developed, and mailing the license home to the driver. 

Nevertheless almost all states bought into all three requirements of the Polaroid model and the company created a lucrative market for themselves and their color instant technology. Most states issued color photo licenses by 1975. Almost all states did by 1980, and Polaroid was the vendor in at least 2/3rds of the states.

Surprising to us today, the historical record shows that license fraud wasn't a problem with the non-photo licenses. The identification information was really only good enough to ensure that someone didn't use a random license for ID that they picked up off the sidewalk. It wasn't trusted all on its own for much more than that, and besides, we didn't use them for ID anyway, so having a counterfeit one or someone else's wasn't all that useful. Polaroid said the color photo licenses provided for "better identification" but in my research I never found any citation of fraud. It was actually unimaginable to the people of that time. 

ID card fraud happened almost immediately after the photo was added. The photo license became a trusted, universally accepted document, and uses for that document started to appear. Once that occurred there became an incentive to have a fraudulent document. 

The main incentive for fraud was (and still is) underage drinking. Photo licenses enabled states to strictly enforce minimum age to drink laws (the national 21 year old drinking age could not have occurred without nearly ubiquitous photo ID, it's no surprise that it appeared in 1984, a few years after almost all states had photo ID.) Before photo ID, drinking age enforcement was loose and approximate. After photo ID, alcohol could be denied to a 20 year old just one hour before they officially turn 21. That's a level of micromanagement which we are now accustomed that would have seemed ridiculous and absurd to most of humanity. 

Considering the fact that the strictly enforced 21 year old drinking age was probably the biggest change to happen because of photo licenses, it's funny to note that it wasn't a use for photo licenses that Polaroid dreamt up when they lobbied state legislatures to require color photographs on licenses. 

Of course Polaroid didn't foresee fraud problems with their color ID cards either. It is ironic to think that ID fraud didn't really begin until the ID became a photo ID. But it's particularly ironic that the fraud problem became so lucrative for the people who caused it--Polaroid. Fraud meant that states needed to be continuously updating their equipment in order to make more difficult to counterfeit ID cards. The cards are however too ubiquitous to go long without being counterfeited, so the counterfeit-upgrade-counterfeit-upgrade cycle happens quite quickly, and it's happening even faster now, because counterfeiters are becoming more and more sophisticated. The only winners of this un-winnable war against license fraud are the ID making companies, who are constantly upgrading ID cards which will be outdated in just a couple of years. The fact that people don't realize that they are selling an inherently defective product is a tragedy. 

Polaroid survived the best it could on its ID card division. That division was spun off and today it is Morpho, a subsidiary of the French company Safran. It still provides most states with ID cards, as well as US passports.