Federal ID Act May Be Flawed

The Real ID Act, attached to a crucial bill for military spending and tsunami relief that was signed by President Bush on May 11, sets new rules for issuing driver's licenses and requires states to share electronic access to their records.

The standards are intended to weed out impostors applying for licenses, in part by requiring state employees to check on the validity of birth certificates and other supporting documents. After states adopt the necessary changes, anyone applying for or renewing a license will get one reflecting the new standards.

But once the law takes full effect three years from now, it will also give many more bureaucrats access to personal information on people nationwide. And it will add more data to each file -- including digital copies of documents with birth and address information.

To some industry experts and activists concerned about the fast-growing crime of identity theft, putting so much data before more eyes guarantees abuse at a time when people are increasingly concerned about who sees their personal information and how it gets used.

"It's a gigantic treasure trove for those who are bent on obtaining data for the purpose of creating fake identities," said Beth Givens of the nonprofit Privacy Rights Clearinghouse. Armed with a stranger's name, Social Security number and date of birth, it's not hard for fraudsters to take out bogus loans that can wreck a victim's credit record.

The new licenses themselves must contain some data -- as yet unspecified -- that can be scanned electronically by a device like a credit card reader. Virtually all states make machine-readable cards now, but they use differing technologies.

Critics predict the standardization will prompt many more merchants to scan customer licenses and then pass on the information to such data brokers as ChoicePoint Inc. and LexisNexis. The databases of both ChoicePoint and LexisNexis have been exploited by identity thieves.

"There's no data-protection law, so it can be sold to companies like ChoicePoint," said Bruce Schneier, the author of several books on security technology. "It would be silly not to, since it's a revenue stream."

The concerns of privacy advocates got little airing before the bill became law, and some are already working to overturn it with new legislation of their own.