Privacy: Notes from the EPIC Real ID conference

Last week, EPIC hosted a conference on the recently signed REAL ID Act, which effectively mandates a National ID card. This should make any minimalist nervous, since it will almost certainly mean more databasing of our lives, worse identity theft (since one ID will be linked to everything), and abuse through expanding scope. Yes, in theory a National ID card has advantages – potentially less paperwork (after you get the card), less to carry, possibly less of certain types of fraud, etc. However, the cost of implementing the ID will be enormous, it will not solve the problems many supporters think it will, it will have large unintended consequences, and it will be hacked and abused. Bruce Schneier gave the most compelling presentation of the day, outlining all the complex ways that the entire system will fail.

The sole voice of support for Real ID was Dennis Bailey, a sheep in the lion’s den despite the kind words to the contrary on his blog. Although the panelists were quite civil, every time he made a point the woman next to me smirked and made a snarky comment. It was good he was there, but I always feel bad for the sole dissenting voice at these events – perhaps they ought to get at least two from the opposition so the abuse is shared opposing faction has fairer representation.

When I signed up for this event, I was pretty excited. I have a vague unease about Real ID and other privacy issues that are coming into the spotlight, but I don’t have much in the way of data or statistics to support that unease. Apparently other folks in the audience have the same problem, as the issue came up several times in questions to the panelists. The final panel moderator exhorted the panelists to close with one concrete thing audience members should do. I don’t even remember any of them except for “continue discussing the issue.” Well, discussing is good, but it won’t be enough to keep privacy from being eaten away.

Hence the letdown. Yes, Bruce’s talk was good. Some panelist points were interesting and valid. But unless the privacy movement can clearly articulate concrete examples where everyone agrees there is a big, pressing problem, privacy will continue to be stripped away. On both sides, there is a great deal of speculation and anecdote, but not enough in the way of careful analysis. Not everyone agrees that privacy is inherently a good thing, so arguing it from the standpoint of “I want it – and I can’t believe you don’t” doesn’t work to convince many folks – who are often the same people who think that our airport security makes sense. There was no argument that made my stomach flutter with dread since it would impact me personally in a large and obvious way. I didn’t learn much new that I’ll be bringing up at the next family get-together, beyond perhaps some of the surprising (to me) impacts on immigration.

Another big issue at the conference was the lack of any substantial recognition of the other side. Sometimes, an opposing side does not deserve an equal platform, since it is just plain wrong and has no redeeming qualities. This is not one of those cases. Although some panelists were more balanced, many of the speakers, along with most of the audience, refused to even entertain the idea that we should do something about ID fraud, as our current system is indeed flawed. I believe that the Real ID is not worth the cost, but I don’t dispute that it would have some practical advantages, such as at least some improvement in casual counterfeiting resistance. This should be a discussion of tradeoffs, not in terms of “do we want privacy or not,” but rather in terms of questions like, “Is this the best we can do for that amount of money?” or “Can we accomplish the same security goal without compromising privacy?” I think the answers may surprise both sides.

Here’s the crux of the question for me: would the Real ID supporters still be in favor of the current legislation if we could get the same safety for less money using other mechanisms? If they would still prefer Real ID, then there must be some other agenda, which frightens me – and unfortunately, my cynical side fears this is the case. However, on the flip side, would the privacy crowd be willing to accept some flaws in a system that really does make us safer? Or actually give up some privacy? Israel has a very developed and apparently effective system for preventing airline hijacking, but from what I hear, they ask some pretty intrusive questions during their interviews. Their interrogators apparently have wide leeway in profiling people, which I’m sure is abused. Is that security worth the intrusiveness and potential abuse?

In the end, I would have liked to have heard more discussion of solutions rather than ranting about problems. Privacy advocates must propose detailed alternatives to meet the goals that items like Real ID propose to solve. It would have been great to see a list of the items that Real ID proposes to remedy, a brief explanation of why that effort is sure to fail, and a list of detailed proposals that does help to solve the issues using the same budget, and points out how it helps make the system better for everyone. This needs to be crisp and well articulated. I don’t want to ding EPIC – they do great work in pointing out flaws and bringing issues to the forefront, but the ball seems to be stalled there. One of the three goals of the conference was “An organized response to REAL ID.” A response cannot be only focused on derailing the act, but must also seek to address the same set of issues. Perhaps the first step is to really get both sides to agree on what the real issues are, so that there is some metric for whether a proposed solution is likely to succeed.

Am I missing an organization, site, study, or something else that goes beyond pointing out flaws to propose detailed alternatives? For example, this morning Wired is making some recommendations for what Congress should be doing about ID Theft. Likewise, this abstract linked from the EPIC website provides A Model Regime of Privacy Protection. Any other resources or groups I should know about?

Leave a Reply