November 29, 2021

Why RealID Will Actually Decrease Security

When our founding fathers set up our government, they purposely chose to make 3 separate branches: Executive, Legislative, and Judicial. Even then, they further separated the divisions. For example, they gave us the House and Senate.

The reason they did this was to avoid any possibility of corruption leading to a totalitarian state. Assuming somebody managed to corrupt and control the House, they’d still have to worry about the Senate and the president. If we ever reelected a corrupt president, he’d still have the House and Senate to contend with. The system works, for the most part.

That’s how the current ID system works. Your state manages your driver’s license, the Social Security Administration handles your SSN, the government handles your passport, the state handles your criminal record, and the Transportation Security Administration does something – supposedly. Each piece of your identity has its own department.

A couple of weeks ago I blogged about the problems with RealID and why it’s a bad idea. The goal of RealID is to combine all of these into one magical ID card: one license that will serve as your license, ID, passport, and social security card, as well as storing all kinds of information about you.

Many people are in favor of this simply because it will lighten their wallets and purses – but that’s where the benefits stop.

Earlier today I read an Ars Technica article that applied Metcalfe’s law to the RealID database. If you’re not familiar with it, Metcalfe’s law simply states that the value of a network is proportional to the square of the number of users in the system. You’ve probably seen it applied to cell phone companies, the internet in general, or even websites like MySpace or Facebook. Put simply, it says that the more users you have, the more valuable you are.

In this case, though, we’re not talking about value in the sense of billion-dollar Facebook price tags; we’re talking about value in the sense of what can be done with access to the network.

If you don’t believe me, go read the article and look at the example they give – an example that’s already happened with the old system, that would be much easier under the new one.

Think about it. It only takes 1 bad apple with access to the RealID database to cause a lot of harm. Currently, an attacker or corrupt employee would need to access multiple state and federal agencies to gather all this information about you. When RealID goes into effect, he’ll be able to get it all with one login.

This is a scary thought, especially if you think of all the people who could potentially have access to the network. We’re talking 7-11 clerks who scan your ID every time you buy alcohol and casino security who scan your ID for admittance (not to mention the super secret check-for-warrants program... that’s another topic).

We’re also potentially talking about airport security, border security, police officers, bankers, employers, insurance agents, and even car dealerships who copy your license before a test drive. All of these people would have access to your social security information, criminal record, medical record, financial record, etc.

Is this what we want? Privacy and security are NOT a zero-sum game. Anybody who continues to take this approach is destined for failure. Remember Franklin’s quote: “Anyone who trades liberty for security deserves neither…” I could fill up many pages about this, but that’s another topic. (If you’re interested though, check out a post I did on the demoxi blog.)

For now, I urge you to contact your state and ask them to reject RealID like Montana and Maine have already done.

About Ryan Jones

Ryan Jones is an SEO from Detroit. By day he works as a manager of SEO & Analytics at SapientNitro, where his team performs SEO for Fortune 500 clients. By night he's either playing hockey or attempting to take over the world with his own websites, which he would have already succeeded in doing had it not been for those meddling kids and their dog. The views expressed here have not been paid for and belong only to Ryan, not any of his employers or clients. Follow Ryan on Twitter at @RyanJones, add him on Google+, or visit his personal website: www.RyanMJones.com