Spotlight on Surveillance
Federal REAL ID Proposal Threatens Privacy and Security
EPIC’s “Spotlight on Surveillance” project scrutinizes federal government programs that affect individual privacy. For more information, see previous Spotlights on Surveillance. This month, Spotlight scrutinizes the proposed regulations for the national identification scheme created under the REAL ID Act. More than two years after Congress rushed through passage of the REAL ID Act, the Department of Homeland Security (“DHS”) announced on March 1 proposed regulations that would turn the state driver’s license into a national identity card. The estimated cost of the plan could be as high as $23.1 billion, according to the federal government.
THE DHS REGULATIONS FOR REAL ID
The Department of Homeland Security regulations for Real ID would (1) impose more difficult standards for acceptable identification documents that could limit the ability of individuals to get a state drivers license; (2) compel data verification procedures that the federal government itself is not capable of following; (3) mandate minimum data elements required on the face of and in the machine readable zone of the card; (4) require changes to the design of licenses and identification cards (5) expand schedules and procedures for retention and distribution of identification documents and other personal data; and (6) dictate state collection of personal data and documents without setting adequate security standards for the card, state motor vehicle facilities, or state motor vehicle databases.
Congress is debating legislation to repeal the REAL ID Act in the House and Senate. Maine and Idaho have passed legislation refusing to implement REAL ID. Below is a list of states where anti-REAL ID legislation is pending.
- New Hampshire
- New Mexico
- Rhode Island
- South Carolina
- West Virginia
The federal agency is imposing more difficult standards for acceptable identification documents. According to the DHS, the only documents that could be accepted by the states to issue these new identity cards would be: valid unexpired U.S. passport or the proposed passport card under the Western Hemisphere Travel Initiative; certified copy of a birth certificate; consular report of birth abroad; unexpired permanent resident card; unexpired employment authorization document; unexpired foreign passport with valid U.S. visa affixed; U.S. certificate of citizenship; U.S. certificate of naturalization; or REAL ID driver’s license or identification card.
DHS is also proposing to require the states to change their procedures to verify these identification documents. The states must contact the issuing agency to verify the “issuance, validity, and completeness of each document required to be presented.” The federal agency requires that state DMV workers must physically inspect the identification document and verify the data in the document “with an authoritative or reference database.”
The DHS proposal would mandate minimum data elements required on the face of and in the machine readable zone of the card. The following amount of information, at a minimum, must be on the REAL ID card. (1) full legal name; (2) date of birth; (3) gender; (4) driver's license or identification card number; (5) digital photograph of the person; (6) address of principle residence; and (7) signature.
The federal agency would also require changes to the design of licenses and identification cards. The card must include “Physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purpose” and “common [machine-readable technology], with defined minimum data elements.” DHS is also reviewing card design standardization, “whether uniform design/color should be implemented nationwide for non-REAL ID driver’s licenses and identification cards,” so that non-REAL ID cards will be easy to spot.
DHS is also expanding schedules and procedures for retention and distribution of identification documents and other personal data. Under the proposed regulations, DHS imposes new requirements on state motor vehicle agencies so that the federal government can link together their databases to distribute license and cardholders’ personal data. The states are compelled to begin maintaining paper copies or digital images of important identity documents, such as birth certificates or naturalized citizenship papers, for seven to 10 years. DHS is mandating the increase of both the type of documents that need to be retained and the length of data retention.
But on security and privacy standards for the card, state motor vehicle facilities, and the personal data and documents collected in state motor vehicle databases, DHS shows little interest and proposes that states prepare a “comprehensive security plan” for REAL ID implementation. The vague plan proposes that states would include 1) an “approach to conducting background checks of certain federal employees”; 2) an approach to ensuring the “physical security of the locations where driver’s licenses and identification cards are produced”; 3) an approach to ensuring the “security of document materials and papers from which driver’s licenses and identification cards are produced”; 4) a description of the “security features incorporated into the driver’s licenses and identification cards”; and 5) if the state decides to use biometrics as a part of its security plan, the state must “describe this use in its security plan and present the technology standard the State intends to use to DHS for approval.”
DHS would establish new requirements that states conduct background checks on “certain employees working in State DMVs who have the ability to affect the identity information that appears on the driver’s license or identification card, who have access to the production process, or who are involved in the manufacture of the driver’s licenses and identification cards.” DHS would mandate that these employees must submit fingerprints and undergo financial and criminal background checks, and lists the disqualifying offenses. DHS also sets out standards for “security of document materials and papers from which driver’s licenses and identification cards are produced,” such as the “use of offset lithography in place of dye sublimation printing,” The agency does not list minimum requirements for states to meet in their plans to ensure “physical security of the locations where driver’s licenses and identification cards are produced.”
The Department of Homeland Security will require states to include information “as to how the State will protect the privacy of the data collected, used, and maintained in connection with REAL ID, including all the source documents.” However, DHS does not require states to meet minimum standards to safeguard the privacy of individuals’ data.
Source: California State Government
On security and privacy standards, DHS shows little interest and proposes that states prepare a “comprehensive security plan” for REAL ID implementation.
As for the mandate that “security features incorporated into the driver’s licenses and identification cards,” the agency is “lean[ing] toward” approving a two-dimensional bar code with encryption as the “common machine readable technology” standard, but it does not require secure encryption. Though Homeland Security lays out the privacy and security problems associated with creating an unencrypted machine readable zone on the license, it does not require encryption because there are concerns about “operational complexity.”
Homeland Security may also require the use of radio frequency identification (RFID) technology in the cards as part of the “common machine readable technology,” which means the sensitive data would be transmitted wirelessly and vulnerable to interception by third parties. The agency is considering “vicinity read” or “long range” RFID tags even though the longer distance increases the risks of security and privacy problems associated with the wireless technology: clandestine tracking, loss of control of data by cardholder, and interception of data by unauthorized individuals.
The mandates that DHS has imposed upon the states are questionable. The federal agency imposes more difficult standards for acceptable identification documents that could limit the ability of individuals to get a state drivers license. However, there are questions as to whether some citizens could produce these documents – such as victims of natural disasters or elderly individuals. The federal agency will require the states to create an exceptions process for such individuals, but does not set standards for eligibility, length of process, cost of process or any other piece of the exceptions process.
DHS compels the states to complete data verification procedures that the federal government itself is not capable of following. The federal agency dictates that the states must verify the “issuance, validity, and completeness of each document required to be presented.”  States must verify the data in identification requirements “with an authoritative or reference database.” However, it is questionable whether certain databases even exist. In the draft regulations, DHS concedes that it still needs to “ensure that the reference databases meet the standards for data quality, reliability, integrity, and completeness required to support REAL ID data verification.” In fact, DHS admits some of these reference databases “are still under development and need investment of resources.” Even though DHS mandates state verification of identification documents through these reference databases, the federal government has not yet created reliable systems for the states to use.
The federal agency requires changes to the design of state licenses and identification cards. The card must include “Physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purpose” and “common [machine-readable technology], with defined minimum data elements.” The federal agency will require the use of a two-dimensional bar code, but will not require the use of encryption. The Department of Homeland Security’s own Privacy Office has urged the use of encryption in REAL ID cards. In its Privacy Impact Assessment of the draft regulations, the Privacy Office supported encryption “because 2D bar code readers are extremely common, the data could be captured from the driver’s licenses and identification cards and accessed by unauthorized third parties by simply reading the 2D bar code on the credential” if the data is left unencrypted. DHS says that, “while cognizant of this problem, DHS believes that it would be outside its authority to address this issue within this rulemaking.” Imposing a requirement for the states to use unencrypted machine readable technology renders the cardholder unable to control who receives her data.
The agency is considering using RFID technology in the REAL ID cards even though it has just abandoned a plan to include long-range RFID chips in border identification documents because the pilot test was a failure. In 2005, the Department of Homeland Security began testing RFID-enabled I-94 forms in its United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program to track the entry and exit of visitors. The RFID-enabled forms stored a unique identification number, which is linked to data files containing foreign visitor’s biographic information, including name, date of birth, country of citizenship, passport number and country of issuance, complete U.S. destination address, and digital fingerscans. EPIC warned that this flawed proposal would endanger personal privacy and security, citing the plan’s lack of basic privacy and security safeguards. In October 2005 comments to the Department of Homeland Security, EPIC explained use of the wireless technology meant anytime a person carried his I-94 RFID-enabled form, unauthorized individuals could access his unique identification number, and thus the biographic information linked to that number.
In a July 2006 report, the Department of Homeland Security’s Inspector General echoed EPIC’s warnings. His report found “security vulnerabilities that could be exploited to gain unauthorized or undetected access to sensitive data” associated with people who carried the RFID-enabled I-94 forms. A report released by the Government Accountability Office in late January identified numerous performance and reliability issues in Department of Homeland Security’s 15-month test. The many problems with the RFID-enabled identification system led Homeland Security Secretary Michael Chertoff to admit in Congressional testimony on February 9th that the pilot program had failed, stating “yes, we're abandoning it. That's not going to be a solution” for border security.
Homeland Security’s failure with the US-VISIT pilot test is just one of several instances where the agency has stumbled with identification systems. The Transportation Security Administration said recently that Secure Flight, a federal passenger screening program, would be delayed until 2010, at least five years behind schedule. Secure Flight was suspended a year ago after two government reports detailed security and privacy problems. One report found 144 security vulnerabilities. About $140 million has been spent on the program, and the TSA is seeking another $80 million for proposed changes. Homeland Security also has problems with its bloated watch lists. More than 30,000 people who are not terrorists have asked the Transportation Security Administration to remove their names from the lists since September 11, 2001. In January, the head of TSA said that the watch lists were being reviewed, and he expected to cut in half the watch lists (estimated to contain about 325,000 names).
DHS may compel card design standardization, “whether uniform design/color should be implemented nationwide for non-REAL ID driver’s licenses and identification cards,” so that non-REAL ID cards will be easy to spot. This combined with the mandate to “provide electronic access to all other States to information contained in the motor vehicle database of the State” would create a national database of sensitive personal information that would be a tempting target for identity thieves or other criminals hoping to subvert the national ID system.
The federal agency dictates the expansion of schedules and procedures for retention and distribution of identification documents and other personal data. It creates a massive database with the personal data and copies of identification documents of 245 million state license and identification cardholders nationwide. Yet DHS has chosen not to mandate minimum privacy standards for either the database or the card itself.
DHS sets out standards for background checks on employees and for the type of paper the identification cards will use, yet it does not mandate any minimum standards of security for the national database of sensitive personal information. The creation of this massive database comes at a time when security breaches and identity theft are on the rise. State DMVs already are the victims of inside and outside attackers. For the seventh year in a row, identity theft is the No. 1 concern of U.S. consumers, according to the Federal Trade Commission’s annual report. Over 104 million data records of U.S. residents have been exposed due to security breaches since January 2005, according to a report from the Privacy Rights Clearinghouse.
In a recent analysis of the REAL ID Act, EPIC Executive Director Marc Rotenberg explained that “[s]ystems of identification remain central to many forms of security. But designing secure systems that do not introduce new risks is proving more difficult than many policymakers had imagined.” The theory that the REAL ID Act will prevent terrorism is predicated on the belief that, “if we know who you are, and if we have enough information about you, we can somehow predict whether you’re likely to be an evildoer,” explained Bruce Schneier, security expert and member of the EPIC Board of Directors. This is impossible, because you cannot predict intent based on identification, Schneier said. Upon the release of the draft regulations, Schneier said, “The REAL ID regulations do not solve problems of the national ID card, which will fail when used by someone intent on subverting that system. Evildoers will be able steal the identity -- and profile -- of an honest person, doing an end-run around the REAL ID system.”
Source: Department of Homeland Security
Before the REAL ID Act’s passage in 2005, the Congressional Budget Office estimated its cost to be around $100 million. In September, the National Conference of State Legislatures released a report estimating the cost to be $11 billion over the first five years. Now, the Department of Homeland Security has admitted that REAL ID will cost states and individuals from $17.2 billion to $23.1 billion over ten years.
When it created the Department of Homeland Security, Congress made clear in the enabling legislation that the agency could not create a national ID system. In September 2004, then-Department of Homeland Security Secretary Tom Ridge reiterated, “[t]he legislation that created the Department of Homeland Security was very specific on the question of a national ID card. They said there will be no national ID card.” The REAL ID Act creates a de facto national ID card.
The requirement for non-REAL ID driver’s license or ID card to have explicit “invalid for federal purposes” designations turns this “voluntary” card into a mandatory national ID card. Anyone with a different license or ID card would be instantly suspicious. It will be easy for insurance companies, credit card companies, even video stores, to demand a REAL ID driver’s license or ID card in order to receive services. Significant delay, complication and possibly harassment or discrimination would fall upon those without a REAL ID card.
Third parties such as insurance companies are not the only ones who will try to broaden the use of the REAL ID card. State licenses and identification cards must meet standards set out in the regulations to be accepted for federal use. Such federal purposes include entering buildings, boarding commercial aircraft, entering nuclear power plants, and “any other purposes that the Secretary shall determine.” The Department of Homeland Security, via the draft regulations and Homeland Security Secretary Michael Chertoff, discusses expanding the use of the national identification card. The federal agency seeks comments on “how DHS could expand [the card’s official purposes] to other federal activities.” In a speech last month, Secretary Chertoff said the REAL ID Act licenses might “do double-duty or triple-duty.” These REAL ID cards would “be used for a whole host of other purposes where you now have to carry different identification.” Security expert Bruce Schneier, EPIC and others have explained that it decreases security to have one ID card for many purposes, as there will be a substantial amount of harm when the card is compromised. Using a national ID card would be as if you used one key to open your house, your car, your safe deposit box, your office, and more. “The problem is that security doesn’t come through identification; security comes through measures -- airport screening, walls and door locks -- that work without relying on identification,” therefore a national identification card would not increase national security Schneier said.
A recent case illustrates Schneier’s point. According to court documents, earlier this week in Florida, two men entered restricted areas, bypassed security screeners and carried a duffel bag containing 14 guns and drugs onto a commercial plane, They avoided detection, because they are airline baggage handlers who used their uniforms and legally issued identification cards. Both men had passed federal background checks before they were hired, according to a spokesman for Comair, the airline that employed the men. The men were only investigated and caught after receiving an anonymous tip. If the airport had identification-neutral security systems, such as requiring all fliers go through metal detectors, then the men could not have walked past them. But the identification-based security – allowing some fliers to skip screening because they are presumed to have no evil intent – failed, and the men transported weapons and contraband aboard a commercial flight.
The estimated cost of REAL ID implementation has spiraled. Before the Act’s passage in 2005, the Congressional Budget Office estimated its cost to be around $100 million. In September, the National Conference of State Legislatures released a report estimating the cost to be $11 billion over the first five years. Now, the Department of Homeland Security has admitted that REAL ID will cost states and individuals from $17.2 billion to $23.1 billion over ten years. Congress has appropriated only $40 million for REAL ID implementation. The Department of Homeland Security now says that a state can use up to 20% of its Homeland Security Grant Program funding for REAL ID implementation, which total about $100 million for 2007. Implementation costs for the state of California alone would be about $500 million. Diverting grant money to REAL ID means that funding originally budgeted by the states for other homeland security projects, including training and equipment for rescue and first responder personnel. Even if the states received $100 million per year for 10 years, that would still amount to only $1.04 billion in federal funds, a fraction of the $17.2 billion to $23.1 billion price tag. The rest of the cost would be borne by states and their residents.
The REAL ID Act was appended to a bill providing tsunami relief and military appropriations, and passed with little debate and no hearings. REAL ID proponents state that the program implements recommendations from the 9/11 Commission. However, REAL ID repealed provisions in a 2004 law that created a negotiated rulemaking process among the states, federal agencies, and concerned parties to implement the Commission’s recommendations. The Intelligence Reform and Terrorism Prevention Act of 2004, which contained “carefully crafted language -- bipartisan language -- to establish standards for States issuing driver’s licenses,” Sen. Richard Durbin said at the time of REAL ID’s passage. In response to the draft regulations, Sen. Patrick Leahy said, “It is ironic that we probably would have stronger drivers’ licenses today if the original shared rulemaking procedures that Congress agreed to in 2004 had been allowed to move forward.” Legislation to repeal REAL ID has been introduced in the House and Senate. Maine and Idaho have passed resolutions rejecting implementation of REAL ID, and 25 other states are debating similar legislation.
DHS is imposing stringent, difficult and, in the case of document verification, impossible requirements upon the states and individual cardholders. The draft regulations are open for comment until May 8, 2007. To take action and talk to Congress about this ill-conceived identification scheme, visit the Electronic Frontier Foundation's Take Action page.
 Pub. L. No. 109-13, 119 Stat. 231 (2005); see generally, EPIC Page on National ID Cards, http://www.epic.org/privacy/id_cards/ and Privacy Int’l Page on National ID Cards, http://www.privacy.org/pi/issues/idcard/index.html (last visited Mar. 7, 2007).
 Dep’t of Homeland Sec., Notice of proposed rulemaking: Minimum Standards for Driver’s licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes (Mar. 1, 2007) [hereinafter “REAL ID Draft Regulations”], available at http://www.dhs.gov/xlibrary/assets/nprm_realid.pdf (last visited Mar. 7, 2007); http://a257.g.akamaitech.net/7/257/2422/01jan20071800/edocket.access.gpo.gov/2007/07-1009.htm (last visited Mar. 12, 2007); http://www.epic.org/privacy/id_cards/nprm_030107.pdf and http://www.epic.org/privacy/id_cards/fr_nprm_071009.pdf.
 Id. at 106.
 Id. at 34-35; for a discussion of why the Western Hemisphere Travel Initiative’s proposed passport card creates an increased security risk, see EPIC, Spotlight on Surveillance, Homeland Security PASS Card: Leave Home Without It (Aug. 2006), http://www.epic.org/privacy/surveillance/spotlight/0806/.
 REAL ID Draft Regulations at 25, supra note 2.
 Id. at 47.
 Id. at 64-65, supra note 2.
 Id. at 65.
 Id. at 91, supra note 2.
 REAL ID Draft Regulations at 25, supra note 2.
 Id. at 27.
 Id. at 83.
 Id. at 15.
 REAL ID Draft Regulations at 85, supra note 2.
 Id. at 72.
 Id. at 27.
 Id. at 31.
 REAL ID Draft Regulations at 12, supra note 2.
 Id. at 25.
 Id. at 47.
 Id. at 58.
 REAL ID Draft Regulations at 65, supra note 2.
 Dep’t of Homeland Sec. Privacy Office, Privacy Impact Assessment for the REAL ID Act 16 (Mar. 1, 2007), available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_realid.pdf (last visited Mar. 7, 2007). and http://www.epic.org/privacy/id_cards/pia_030107.pdf.
 REAL ID Draft Regulations at 73, supra note 2.
 Dep’t of Homeland Sec., Notice With Request For Comments: United States Visitor and Immigrant Status Indicator Technology Notice on Automatic Identification of Certain Nonimmigrants Exiting the United States at Select Land Border Ports-of-Entry, 70 Fed. Reg. 44934 (Aug. 5, 2005), available at http://frwebgate1.access.gpo.gov/cgi- bin/waisgate.cgi?WAISdocID=021420363270+2+0+0&WAISaction=retrieve (last visited Mar. 7, 2007).
 Dep’t of Homeland Sec., Notice of Availability of Privacy Impact Assessment, 70 Fed. Reg 39300, 39305 (July 7, 2005), available at http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-13371.htm (last visited Mar. 7, 2007).
 EPIC, Comments on Docket No. DHS-2005-0011: Notice With Request For Comments: United States Visitor and Immigrant Status Indicator Technology Notice on Automatic Identification of Certain Nonimmigrants Exiting the United States at Select Land Border Ports-of-Entry (Dec. 8, 2005), available at http://www.epic.org/privacy/us-visit/100305_rfid.pdf.
 Dep’t of Homeland Sec. Inspector Gen., Additional Guidance and Security Controls Are Needed Over Systems Using RFID at DHS (Redacted) 7 (July 2006), available at http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_06-53_Jul06.pdf (last visited Mar. 7, 2007).
 Richard M. Stana, Dir., Homeland Sec. & Justice Issues, Gov’t Accountability Office, Testimony Before the Subcom. on Terrorism, Tech., & Homeland Sec., S. Comm. on the Judiciary, 110th Cong. (Jan. 31, 2007), available at http://www.gao.gov/new.items/d07378t.pdf (last visited Mar. 7, 2007).
 Michael Chertoff, Sec’y, Dep’t of Homeland Sec., Testimony at a Hearing on the Fiscal Year 2008 Dep’t of Homeland Sec. Budget Before the H. Comm. on Homeland Sec., 110th Cong. (Feb. 9, 2007), available at http://www.epic.org/privacy/us-visit/chertoff_020907.pdf.
 Edmund S. “Kip” Hawley, Nominee for Assistant Sec’y of Homeland Sec., Transp. Sec. Admin., Dep’t of Homeland Sec., Testimony at Hearing on TSA’s Secure Flight and Registered Travelers Programs Before the S. Comm. on Commerce, Science & Transp., 109th Cong. (Feb. 9, 2006); for more information, see EPIC’s page on Secure Flight, http://www.epic.org/privacy/airtravel/secureflight.html.
 Cathleen Berrick, Dir., Homeland Sec. & Justice, Gov’t Accountability Office, Statement at a Hearing on TSA’s Secure Flight and Registered Travelers Programs Before the S. Comm. on Commerce, Science & Transp., 109th Cong. (Feb. 9, 2006), available at http://www.gao.gov/new.items/d06374t.pdf (last visited Mar. 7, 2007).
 Press Release, Dep’t of Homeland Sec., Fact Sheet: U.S. Department of Homeland Security Announces Eight Percent Increase in Fiscal Year 2008 Budget Request (Feb. 5, 2007), available at http://www.dhs.gov/xnews/releases/pr_1170702193412.shtm (last visited Mar. 7, 2007).
 Anne Broache, Tens of thousands mistakenly matched to terrorist watch lists, CNet News.com, Dec. 6, 2005.
 Edmund S. “Kip” Hawley, Assistant Sec’y, Transp. Sec. Admin., Dep’t of Homeland Sec., Testimony at Hearing on Aviation Security: Reviewing the Recommendations of the 9/11 Commission Before the S. Comm. on Commerce, Science & Transp., 110th Cong. (Jan. 17, 2007), available at http://commerce.senate.gov/public/_files/TestimonyofMrHawley.pdf (last visited Mar. 7, 2007); Walter Pincus & Dan Eggen, 325,000 Names on Terrorism List, Wash. Post. Feb. 15, 2006..
 REAL ID Draft Regulations at 91, supra note 2.
 Id. at 27.
 Fed. Trade Comm’n, Consumer Fraud and Identity Theft Compliant Data: January – December 2006 (Feb. 7, 2007), available at http://www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf (last visited Mar. 7, 2007).
 Privacy Rights Clearinghouse, Chronology of Data Breaches, http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Mar. 7, 2007).
 Marc Rotenberg, EPIC Exec. Dir., Real ID, Real Trouble?, Communications of the ACM, Mar. 2006, available at http://www.epic.org/privacy/id_cards/mr_cacm0306.pdf.
 Bruce Schneier, Real-ID: Costs and Benefits, Bulletin of Atomic Scientists, Mar./Apr. 2007, available at http://www.schneier.com/blog/archives/2007/01/realid_costs_an.html (last visited Mar. 7, 2007).
 Press Release, EPIC, After Long Delay, Homeland Security Department Issues Regulations For Flawed National ID Plan (Mar. 2, 2007) [hereinafter “EPIC Press Release on Regulations”], available at http://www.epic.org/press/030207.html.
 Pub. L. No. 107-296, 116 Stat. 2135 (2002).
 Tom Ridge, Sec’y, Dep’t of Homeland Sec., Address at the Center for Transatlantic Relations at Johns Hopkins University: “Transatlantic Homeland Security Conference” (Sept. 13, 2004), available at http://www.dhs.gov/xnews/speeches/speech_0206.shtm (last visited Mar. 7, 2007).
 REAL ID Draft Regulations at 17, supra note 2.
 Michael Chertoff, Sec’y, Dep’t of Homeland Sec., Remarks by Secretary Michael Chertoff at the National Emergency Management Association Mid-Year Conference (Feb. 12, 2007), available at http://www.dhs.gov/xnews/speeches/sp_1171376113152.shtm (last visited Mar. 7, 2007).
 Melissa Ngo, Dir., EPIC Identification & Surveillance Project, Prepared Testimony and Statement for the Record at a Hearing on “Maryland Senate Joint Resolution 5” Before the Judicial Proceedings Comm. of the Maryland Senate (Feb. 15, 2007), available at http://www.epic.org/privacy/id_cards/ngo_test_021507.pdf.
 EPIC Press Release on Regulations, supra note 59.
 Jim Ellis, Feds: Bag Of Guns Smuggled Onto Plane, Associated Press, Mar. 9, 2007.
 Cong. Budget Office, Cost Estimate: H.R. 418: REAL ID Act of 2005 (Feb. 9, 2005), available at http://www.cbo.gov/showdoc.cfm?index=6072&sequence=0&from=6 (last visited Mar. 7, 2007).
 Nat’l Conference of State Legislatures, The REAL ID Act: National Impact Analysis (Sept. 19, 2006), available at http://www.ncsl.org/print/statefed/Real_ID_Impact_Report_FINAL_Sept19.pdf (last visited Mar. 7, 2007).
 REAL ID Draft Regulations at 106, supra note 2.
 Press Release, Dep’t of Homeland Sec., DHS Issues Proposal for States to Enhance Driver’s Licenses (Mar. 1, 2007), available at http://www.dhs.gov/xnews/releases/pr_1172765989904.shtm (last visited Mar. 7, 2007).
 Cal. Dep’t of Motor Vehicles, Report to the Legislature on the Status of the REAL ID Act 3 (Dec. 15, 2006), available at http://www.dmv.ca.gov/about/real_id/real_id.pdf (last visited Mar. 7, 2007).
 Pub. L. No. 108-458, 118 Stat. 3638 (2004).
 Sen. Richard Durbin, Speech on Floor During Senate Debate about Emergency Supplemental Appropriations Act of 2005 (April 20, 2005), available at http://www.epic.org/privacy/id-cards/durbin_senate_4_20_05.html.
 Press Release, Office of Sen. Patrick J. Leahy, Comment of Sen. Patrick Leahy On Release of the Draft REAL ID Regulations By the U.S. Department of Homeland Security (Mar. 1, 2007), available at http://leahy.senate.gov/press/200703/030107b.html (last visited Mar. 7, 2007).
 For information on legislation concerning REAL ID, see EPIC Page on National ID Cards, supra note 1.
EPIC Spotlight on Surveillance Page | EPIC Privacy Page | EPIC Home Page