Date: Wed, 5 Aug 1998 05:18:11 -0700 (PDT) From: jd@scn.org (SCN User) To: local-computer-activists@scn.org Subject: National ID--Need a Sample Letter? Reply-To: jd@scn.org Sender: owner-local-computer-activists@scn.org Need ideas for your letter to the Department of Transportation on the National ID card? There is much to commend here. I do believe the law (Section 656(b) of Public Law 104-208) itself is a problem, even if the regulations are modified. Express Mail to Washington, DC is under $11.00. Letters received by 3pm Thursday at Seattle post offices should be delivered the next day. Janeane Dubuar August 3, 1998 Docket Management, Room PL-401 National Highway Traffic Safety Administration Nassif Building 400 Seventh Street, SW Washington, DC 20590 Re: Comments of Electronic Privacy Information Center and Privacy International on Proposed Rules on "State Issued Driver's Licenses and Comparable Identification Documents", Docket No. NHTSA-98-3945 To whom it may concern, We are writing to you today to urge you to withdraw the proposed rules on "State Issued Driver's Licenses and Comparable Identification Documents" (63 Fed. Reg. 33220, June 17, 1998). We believe that the DOT has exceeded its legislated authority under the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (P.L. 104-208) in issuing the rules. We further believe that if these rules are adopted as currently proposed, they would have a significant detrimental impact on the privacy of Americans and increase fraud and identity theft. The DOT has Exceeded Its Authority Under the IIIPA The Department has exceeded its authority under Section 656 of the Illegal Immigration and Immigrant Responsibility Act of 1996 (P.L. 104-208) in the issuance of a proposed rule on state issued drivers licenses and identification cards. In the guise of setting standards on what documents a federal agency can accept, the DOT seeks to usurp authority that properly resides with state governments to issue drivers licenses. Section 656(b) of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 does not grant the Department of Transportation (DOT) rule making authority over states' issuance of driver's licenses and comparable identification. The purpose of Section 656(b) is to establish reliable personal identification standards for Federal agencies. Under this provision a Federal agency may not accept for identification-related purpose state-issued driver's license or comparable identification unless it conforms to standards enumerated under this section. Sec. 656(b)(1)(A) authorizes the Secretary of Transportation to promulgate rules for establishing standards for Federally acceptable personal identification. Nowhere in Section 656(b) does it state that the Secretary of Transportation has rule-making authority over the states on this matter. The legislative history makes it clear that Section 656 was not intended to give the Secretary of Transportation such authority. "Without placing mandates on states, this section [656(b)] establishes grant programs to encourage states to develop more counterfeit-resistant birth certificates and driver's licenses." Conference Report 104-828 at 251. Under the provision DOT is only authorized to encourage state compliance with licensing standards through granting awards. This Congressional intent was reaffirmed just last week when Rep. Lamar Smith, Chairman of the Subcommittee on Immigration of the House Judiciary Committee and co-author of the language in §656 reiterated that the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 does not authorize the National Highway Traffic Safety Administration from issuing rules to force states to create a National ID card. He said in a floor debate that "the legislation we passed was designed only to address necessary steps to deal with a specific problem, such as illegal immigration in the United States. It was not the intention of the bill or the Congress to establish a national ID, or to require that states issue only drivers licenses in a format required by the Federal government." Cong. Rec. H 6736 (daily ed. July 29, 1998). However the regulations now under consideration from the Department of Transportation create several new mandates for the states to comply with. Section 1331.5 and 1331.6 set out extensive requirements that states "shall follow". Under Section 1331.8, states are also required to certify that they are in compliance with the requirements. These mandates go beyond the Congressional authority and should be withdrawn. The Proposal Has Serious Implications For Privacy (a) Creates Defacto National ID Card Through Backdoor Regulations The proposed rules creates a defacto national ID card by requiring states to adopt essentially identical cards for personal identification. Proposals for a national ID card has been consistently rejected in the United States as an infringement of personal liberty. Americans have constantly rejected the idea of a national id card. Extension of the Social Security Number to the status of an ID card was rejected in 1971 by the Social Security Administration task force on the SSN. In 1973, the Health, Education and Welfare (HEW) Secretary's Advisory Committee on Automated Personal Data Systems concluded that a national identifier was not desirable. In 1976, the Federal Advisory Committee on false Identification rejected the idea of an identifier. In 1977, the Carter Administration reiterated that the SSN was not to become an identifier, and in 1981 the Reagan Administration stated that it was "explicitly opposed" to the creation of an ID card. Throughout the debates over health care reform, the Clinton Administration has also constantly stressed that it is opposed to a national identifier. Sensitivity about the issue is high. When Congress enacted the IIIRA, they deliberately left out provisions that they feared could be used to create a national id card. In a vote on HR 2202, The House of Representatives declined to approve an amendment (HA 964, March 19, 1996) introduced by Rep. McCollum to create a tamperproof Social Security Card. This rule making proposes to undermine the intent of Congress by requiring that all states issue an uniform driver's license. It requires that all licenses must be "in a form consistent with requirements set . . . by the Secretary of Transportation." Under Section 1331.5, every state must adopt twelve features on each identity card that contain personal information. Actual security features such as holograms, security laminate, and security fonts that were the apparent intent of Congress to be employed are relegated to an appendix. Taken in conjunction with the recommendations of the NHTC's The Highway Safety Desk Book on the promotion of magnetic strip technologies for easier linking to computerized records and the development of a national (and even international) database of digitized photographs, this appears to be an effort to expand the use of licenses for law enforcement purposes and use the data collected for licenses into a national system for law enforcement. (http://www.nhtsa.dot.gov/people/injury/enforce/deskbk.html) (b) Expanded Dissemination of SSN will Threaten Privacy and Increase Fraud The requirement that each license contain either in visual or electronic form the individuals' Social Security Number (SSN) unless the state goes through a burdensome and invasive checking procedure is extremely problematic. This provision will greatly expand the dissemination and misuse of the SSN at a time that Congress, the states and the public are actively working on efforts to limit its dissemination because of concerns over fraud and privacy. (1) The Social Security Number and Privacy The widespread use of the SSN as a single personal identifier has made it much easier than ever before to piece together information about an individual, if one has access to the number. The SSN effectively acts as a "password," allowing access to personal information in a databank. If one has possession of another person's SSN, one can gain access to highly personal, even embarrassing, information about that person. In 1974, Senator Charles Percy, speaking in favor of passage of the federal Privacy Act, accurately characterized the danger to personal privacy threatened by widespread use of the SSN: [N]ow hundreds of Government computer systems and thousands of private computer systems use the social security number in the indexing and identification of individuals. The possibility is growing that anyone with access to the proper computer terminal could type in a social security number and thereby order the computer to print out details concerning what cars we own, and what our driving record is like, how we spend our money and how we pay our bills, how we did in school, what we tell our doctor and what he tells us in return. 120 Cong. Rec. 36,905 (1974). Today, the threat to privacy from misuse of the SSN and the danger in creating a "central data bank" are even more serious than they were when Senator Percy and Congressman Horton spoke. As a congressional oversight committee noted several years ago: The extensive use of computers has resulted in the wide-spread private sector use of the social security number as an identifier. Many merchants require a customer to provide a social security number as a condition of doing business. Credit bureaus use the social security number to maintain individual credit files and routinely sell the information to almost anyone who requests it. The ability of the private sector to gather information such as credit history, grocery store purchases, medical records (including pre-natal information), family medical histories and genetic makeup has raised fears that in the near future unregulated companies will serve as national identity bureaus collecting and dispersing an individual's most private information. Use of Social Security Number as a National Identifier: Hearing Before the Subcomm. on Social Security of the House Comm. on Ways and Means, 102d Cong., 1st Sess. 2-3 (1991) ["SSN as National Identifier"]. In 1993, Congress' Office of Technology Assessment reiterated these warnings about the threat to privacy from unrestricted dissemination of the SSN: Concerns about the proliferation of the use of the Social Security number for purposes unrelated to the administration of the Social Security system, and the power of the number to act as a key to uncovering and linking a vast amount of information held by both the government and private companies, have been voiced in a number of contexts. . . . As a result of this increased use of the Social Security number, the number now facilitates the ability of large institutions to compare databases. It allows outsiders (including private detectives, hackers, or other strangers) to move from database to database, from credit bureau to insurance company to grocery store to publisher, to find out detailed marketing, financial, and medical information about an individual, so that a very detailed dossier on the individual can be created. Office of Technology Assessment, Protecting Privacy in Computerized Medical Information 64-65 (1993). (2) The Collection of the SSN Increases Fraud Not only does unrestricted disclosure of the SSN open up the individual to greater invasion of privacy; it also opens up the possibility the individual will become the victim of fraud, with severe financial, emotional, and reputational damage as a consequence. The Deputy Inspector General of the Department of Health and Human Services testified in 1992 about the threat of fraud that may result from the SSN falling into the wrong hands: The SSN is a critical element of identification used in nearly every sector of American society. As such, it has been targeted for abuse in a wide variety of criminal activities. The SSN can be used to obtain Social Security or other government benefits, driver's licenses, credit cards, and passports. We often see persons who commit a wide range of credit fraud and other crimes using false SSNs to conceal their true identity.... * * * * Of the 1,066 criminal convictions the [Office of Inspector General] obtained in fiscal year 1991 relating to fraud in Social Security programs, 590 involved unlawful use of SSNs. Privacy of Social Security Records: Hearing Before the Subcomm. on Social Security and Family Policy of the Senate Committee on Finance, 102d Cong., 2d Sess. 63 (1992). Action to Restrict the Use of SSNs In the 105th Congress, several bills have been introduced to restrict the use of the SSN. Of particular relevance is S. 600, the Personal Information Privacy Act of 1997, introduced by Senators Feinstein and Grassley. The bill places strict limitations on the use of the SSN by commercial entities. Recently, The House of Representatives approved H.R. 4250, the Patient Protection Act of 1998 on July 24 stopping the creation of a national identification number for health care purposes. The White House also announced just last week that it agreed with those concerns and agreed to delay the creation of the number and also create a new office for privacy within the Office of Management and Budget. The states are also taking steps to limit disclosure of SSN. Many states are taking measures to reduce the use of SSNs as the drivers identity number. The Ohio state legislature in 1998 enacted a bill removing SSN from drivers licenses. In New Jersey, the state legislature rejected an effort to adopt a smart card that would allow access to extensive personal information because of concerns over privacy. Several courts has also recognized the dangers and have made efforts to restrict the dissemination of SSNs. In 1993, the United States Court of Appeals for the Fourth Circuit held that Virginia had violated its citizens' constitutional right to vote by requiring that voters write their SSNs on their voter registration applications, which were made available to the public. Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993). As the Fourth Circuit emphasized, "the harm that can be inflicted from the disclosure of a SSN to an unscrupulous individual is alarming and potentially financially ruinous." Id. at 1354. In 1994, The Ohio Supreme Court rejected releasing the SSNs of public employees, ruling in State ex rel. Beacon Journal Publishing Co. v. Akron, 70 Ohio St. 3d 605 (1994) that: We find today that the high potential for fraud and victimization caused by the unchecked release of city employee SSNs outweighs the minimal information about governmental processes gained through the release of the SSNs. The public has also been concerned about the use of the SSN. Last year, a LEXIS-NEXIS locator service called P-TRAK allowed subscribers to search by Social Security number to find individuals. The display of the SSN was eventually discontinued after thousands of individuals demanded that they be removed from the database. Conclusion The Department of Transportation should withdraw the proposal. The revised rule should focus more on the adoption and development of new security technologies such as holograms, papers and fonts that make it difficult to duplicate or counterfeit rather than promoting more personally identifiable information, as Congress intended when it enacted Section 656 of the IIIRA. David Banisar Simon Davies Policy Director Director General Electronic Privacy Information Center Privacy International References 1. http://www.epic.org/ * * * * * * * * * * * * * * From the Listowner * * * * * * * * * * * * . To unsubscribe from this list, send a message to: majordomo@scn.org In the body of the message, type: unsubscribe local-computer-activists END