Since the September 11 attacks, air travelers have been required to present a government-issued photo ID—typically a driver’s license—before boarding commercial flights in the United States. Agents scrutinize these documents as if they offered some definitive proof of identity. They do not. It remains easy to counterfeit the drivers’ licenses issued by many states.

To address the problem, Congress passed the REAL ID Act in 2005 setting security requirements for the issuance of state drivers’ licenses, but the law has since been mired in controversy over the potential implementation costs and privacy concerns.

States have also been frustrated by the fact that the U.S. Department of Homeland Security (DHS) has taken nearly two years to write the implementation rules directing them in how to meet the security requirements for drivers’ licenses spelled out in the legislation.

In an attempt to placate critics, the proposed DHS rule—issued March 9 and out for comment until May 8—pushes back the initial implementation date by 20 months, from May 2008 to the end of 2009. (States would still have to issue plans for implementation by the original target date of May 11, 2008.)

But pushing off implementation doesn’t get to the heart of critics’ complaints. Concerns have centered on the program’s cost to states, originally estimated at $11 billion, and privacy risks to the volumes of personal data that states would have to obtain.

To address those issues, DHS’s 162-page proposed rule includes a mixed bag of concessions. For example, state officials and identification experts urged DHS to set performance and security standards for licenses but not to mandate specific features. In its proposal, DHS expresses its intent to mandate some features—such as the printing method—while leaving materials such as “cardstock” (the licenses’ base material) to the discretion of individual states.

The agency also proposed to require two-dimensional (2D) checkerboard-style bar codes for the machine-readable feature, rejecting optical stripes, microchips, and RFID technology.

DHS seems to favor encryption of the data because of the prevalence of 2D bar code reader technology but the proposal does not mandate it, citing the challenge of establishing an effective encryption key system.

Scott Carr, an executive vice president with Digimarc, a leading provider of security features for state drivers’ licenses, says that he is encouraged that DHS seems to be proposing performance standards rather than setting entirely hard-and-fast feature requirements.

Carr, however, says he’ll wait and see how DHS handles the section of its final rule regarding licenses’ appearance. Carr adds that general guidelines for license appearance—as opposed to a fixed template—would increase security by challenging counterfeiters. Some experts take the opposite view, however, noting that the existence of so many formats makes it hard to spot fakes.

On the system security side, DHS pledges to divide up informational databases and requires that individual states draft security plans for issuing offices—including measures such as employee background checks, plus physical and data security.

To address costs, DHS has proposed allowing states to use up to 20 percent of their annual federal homeland security grants to implement REAL ID. However, the agency also raised cost estimates to $16 billion in government costs, plus $23.1 billion in costs passed on to licensees, or $28.41 per driver’s license.

The proposed rule rejects cost-saving suggestions from groups like the National Conference of State Legislatures, which asked that the REAL ID Act exempt individuals who already hold federally issued identification, such as military IDs or cards issued through the Transportation Worker Identification Credential Program.

To date, Congress has appropriated $40 million for pilot programs in a handful of states including New Hampshire, where state lawmakers sought to reject the program outright. More than a dozen state legislatures have passed resolutions condemning the program; while other states, such as Oregon and Maryland, have expressed a willingness to cooperate.

The law does not mandate state compliance, but after May 10, 2013, only compliant licenses would be accepted as a required ID for entry into a federal facility or pass federal checkpoints, which would include getting through airport security. There is a phase-in period enabling persons with licenses issued before the implementation date, though they are not compliant with the new rule, to continue to use them until they expire. At that point, the renewed license will have to be compliant.

Critics of the law, including ACLU Legislative Counsel Tim Sparapani, want the law repealed and are not satisfied with DHS’s new proposal. The ACLU, and unlikely partners, such as the libertarian Cato Institute, have joined to call for a new legislative solution, but that has not moved forward on Capitol Hill.

“Congress has yet to recognize the flaws, because Congress has yet to hold a hearing on REAL ID,” says Jim Harper, Cato’s director of information policy studies.real_id0507.pdf