Archive for the ‘centralized hub’ Category

BTC-  The PASS Act is a new legislation.  In every new potential law there are dynamics for unintended consequences and nuance that need to be explored.   

Even for watchdogs like us, we are still discovering problems for both privacy and civil liberty. Initially we thought the PASS Act’s pilot program was a “good idea”.   That was until we learned it was supplemental development for States to play into a centralized hub. Poorer states like Mississippi can’t afford to build their own versions of fusion centers.  So the federal government would give them money for the build, with all the strings attached.  

Anti-national ID Governor’s, like Mark Sanford,  found fault with the potential run on personal information in the pilot program’s hub development.   In this Privacy Digest article, more reservations are bubbling to the surface over exactly how much integrity the privacy considerations had in the PASS Act.  We managed to gather that it wasn’t that big of a change from Real ID.

Concerns Surface About Some PASS ID Amendments

c/o Privacy Digest -MacRonin


Last Wednesday, the Senate Homeland Security and Governmental Affairs Committee agreed on several amendments to the PASS ID bill [S. 1261] andsent the legislation on to the Senate.

Let’s take a look at some of the changes:

• Exceptions to the anti-skimming provision:

A key privacy protection we support in PASS ID restricts the collection and use of information scanned from the machine-readable zone on your driver’s license or ID card. However, in response to the concerns of retailers and other third party users of driver’s license information, the committee introduced an amendment that directs the Federal Trade Commission (FTC) to issue regulations establishing exceptions to this anti-skimming provision.

While CDT recognizes that there are legitimate uses for data scanned from licenses, we are concerned by how broadly some of the proposed exceptions are described. The FTC can and should protect the privacy and security of cardholders even under these acceptable uses; otherwise, we risk gutting the anti-skimming provision entirely. As a general matter, the privacy protections the FTC could build in to protect this information will only be more effective if Congress provides specific statutory guidance now for addressing the types of secondary uses of specific information we are most concerned about.

In particular, allowing third parties to store information to “prevent consumer fraud” without building in limits on how long information can be stored and how it could be further shared, aggregated, and used would create a massive loophole in this otherwise much needed protection. We have seen how bars and sellers of tobacco products have collected information from licenses and ID cards ostensibly to verify age, but then go on to use and share that information for marketing and other purposes—often with no notice to the cardholder.

Just as worrisome is the very real possibility that states will begin to store much more information in the machine-readable portion of driver’s licenses than what is already visible on the face of the card, including data elements like race or ethnicity. Given the potential for abuse and misuse of such sensitive information if stored and aggregated, CDT strongly urges further limiting any exemptions to only information that is also visible on the face of the card.

• Boarding a plane without a PASS ID-compliant driver’s license or ID card:

The committee struck language from the bill that would have prevented individuals from being turned away at the airport solely on the basis of failure to present a PASS ID-compliant driver’s license or ID card. While the stated justification behind this change is to preserve the status quo—that is, maintaining the Transportation Security Administration’s (TSA’s) discretion to deny access to airplanes for good reason—the status quo isn’t so great from a civil liberties standpoint to begin with. There is scant transparency around how TSA officials exercise this discretion, leading to potential abuse or discrimination in its application while offering no redress for those whose rights may be violated. Keeping such policies secret also doesn’t inspire much confidence in the flying public that we are any safer for them since there is little ability to assess their effectiveness or relevance.

• Funding the digitization of “breeder documents” and birth record verification:

The amended bill also now requires birth records to be verified with the issuing agency no later than six years after the final regulations are issued, so long as the electronic system enabling such verification (i.e., the Electronic Verification of Vital Events (EVVE)) is up and running by that deadline. The bill also provides funds to states to digitize remaining birth records and connect state records to the electronic verification system.

This change takes us one step back towards REAL ID, which required birth certificate verification through the EVVE system. While the bill gives the DHS Secretary room to make sure any such system includes adequate privacy protections, EVVE still centralizes highly valuable personal information and would become a magnet for internal fraud and identity thieves.

• Abbreviated rulemaking timeline:

Finally, the amended bill authorizes DHS to issue an interim final rule to implement PASS ID, bypassing the full Notice of Proposed Rulemaking (NPRM) process. While there is considerable pressure from many corners to not delay implementation of PASS ID, this change is curious considering the contentiousness of the REAL ID debate of the past four years. Taking into account the concerns of affected stakeholders from the outset of the program seems imperative to help avoid the same kind of impasse that REAL ID has engendered.

CDT is concerned about these changes and will work with members to address them as this issue moves to the floor. Stay tuned for more updates as the bill moves forward.