May 13, 2005
Thank you for the opportunity to comment on the Stakeholder Discussion Points to help develop a comprehensive policy to secure identity and protect privacy for the California driver's license via the use of biometrics.
As you know, the Real ID Act just passed this week, and of course, you will be required to meet the standards of Section 202, Minimum Document Requirements and Issuance Standards for Federal Recognition.
One of its requirements will be to capture digital images (which you already do) so that the images can be retained in electronic storage in a transferable format. The key privacy issue here is to whom you will be transferring this digital photo. It is understandable that Homeland Security or law enforcement may want to have access to this, but there is a serious concern about sharing this with commercial entities, retailers, and other non-law enforcement agencies. Who will have access? We would hope that you would not share this by selling this information to commercial entities to help fund.
Your offices will be charged with increased accountability for security of the data, the documents, the papers, the licenses, and the manufacturing of these driver's licenses. I applaud you for all the increased fraudulent document training programs that you've implemented for your employees, and it looks like you will be required to continue to do so. I understand that this new law requires that your database be available for transfer to all other DMV databases, so that transfer must be done in a secure manner and, I hope, encrypted.
Within these minimum standards I applaud you for your proactive approach to wanting to ensure privacy while at the same time ensuring the security of these documents.
Policy Issue 1 - As you know, I just returned from testifying at the US Senate on Wednesday evening.
It's been a bit tough catching up, but I wanted to just give you some general guidelines about my thoughts regarding the various issues that you've brought up about privacy. Presently some portions of the DMV files, which include medical information and social security numbers, are considered confidential. We would hope that any biometric information such as a fingerprint, thumbprint, or face scan would also be listed in the confidential portion of the file. For privacy concerns it would not make sense to include the biometric information in the magnetic strip, since it would be easy for merchants to add that to their computerized data banks and pose a threat to the personal privacy of the citizens. I do not believe that the biometric identifier should be placed on the driver's license card itself unless it is in an encrypted format. The only state agencies that should have access to the database where the biometric data is stored would be other state DMVs that adhere to the privacy policies set up by the California Department of Motor Vehicles, and of course law enforcement agencies at the local, state and federal levels.
Policy Issue 2 - Technology best suited to meet the needs and system features.
I'm not a biometric expert; however, it is my understanding that the present method of thumbprints is unreliable as far as matching. As methods are changing, it has been very challenging to automatically access and compare. Since all DMVs will be required to establish a digital photo, perhaps it would just make more sense to focus on matching the digital photo and the thumbprint that you presently have, without the greater expense of biometric information that has so many false positives and false negatives. For privacy purposes, it would make economic sense to implement the present methods that you have, which are less invasive, and perhaps provide a more accurate thumbprint procedure. To make it easier for citizens, it would be most helpful if the biometric information that's going to be used for the DMV be set up at the DMV sites rather than cause extreme hardship for citizens to travel to various agencies to meet the various requirements of the DMV. From a privacy perspective the biometric data should be stored at the most secure place, and never with the vendor. Since the DMV is going to be held accountable for its data collection, accuracy, and security, it is the best place to hold the data.
Policy Issue 3 - Privacy Protection and System Security
I am not a security expert as far as the technological aspects; however, I would suggest that there be limited access, audit trails for anyone who does access the database, and encryption used for social security numbers, biometric information, and digital photos when stored or transferred. Only authorized personnel who have a need to see or know should have access to it. All databases with which it is shared should also have the same standards that California has set up as to security and authorized access. There should be outside audits of the security procedures, strict enforcement and training.
Policy Issue 4 - Privacy and Security policies
From my perspective the biometric data should never be shared with marketers or any commercial entity whatsoever, and the only other governmental agencies that should be able to get this information without the permission of the individual or by court order, would be the other state Departments of Motor Vehicles (which is required by federal law) and state, local and federal law enforcement agencies. Biometric data along with other confidential data such as medical information and social security numbers should be stored separately from the other less confidential information.
An individual should be clearly notified of the purpose and use of the disclosure of the biometric data. The Federal Privacy Act gives the individual the right to see and copy files that the federal government maintains on him/her, provides that individual the right to know who has had access to that information, and gives the right to request a change in any information that is not correct or relevant. The right to access and notification should be compliant with Federal Law and the California Information Practices Act.
Access to Data
Only law enforcement agencies, courts and other states' DMVs should have access to this data. Individuals should have access to their own biometric data and related personal information so that they would have the opportunity to see it, correct it, and update the data. Especially with regard to identity theft victims, there is a big concern that someone may initially go in and establish themselves under an identity that is not his own. When the real "John Smith" arrives to say who he is, he'll have tremendous problems proving who he is unless he has the opportunity to view the biometric data, dispute it, and correct it. Even with biometric data, someone can enroll himself or herself with his/her own biometric data while claiming a different name. That name could be used fraudulently to impersonate someone, and that person would have a tremendous problem trying to prove who he is if he doesn't have access to the biometric data in his file.
Policy Issue 5 - Funding and Legislation
I have great concerns about public/private ventures to utilize this biometric data just in order to fund it. We've seen the egregious problems that have occurred with ChoicePoint and LexisNexis, data brokers who have collected DMV information, public and non-public records, compiled them, and sold them not only to government officials and private entities but to fraudsters themselves (in the most recent ChoicePoint fiasco). I have included for you an attachment of my written testimony to the Senate Commerce Committee on Data Brokers. As we have seen with the data brokers and the financial industry, there has been an epidemic of identity theft, and it has been facilitated by the data brokers as well as the financial industry, who have not been held to strict standards as to limited access or safeguards to protect customers' data. Statutes and policies need to be developed, just as you are doing here with all of the stakeholders, so that we can collaborate to establish very stringent guidelines as to the protection of this biometric data.
Overall Biometric and Privacy Considerations
With regard to identity theft, we know that there is a great deal of identity theft from unscrupulous inside employees. What would happen if administrators of your systems gain access to these databases unlawfully? What would happen if they would alter or use this information for their own purposes? It's conceivable that the result would be that the records would wrongly indicate biometric authentication when in fact the individual didn't even engage in the event that's recorded.
It's a great undertaking for the California Department of Motor Vehicles to establish a mega database of biometrics, which is not required by the new Real ID federal law. Once a biometric identifier is compromised, there are going to be severe consequences for the individual. If we are talking about identity theft caused by the compromise of a social security number, just imagine what would happen with the compromise of a fingerprint, facial scan, voice print, retina or iris scan. How would the victim regain his life?
I don't believe that biometric identifiers will solve the problem of identity theft, especially with regard to "breeder" documents that set up the initial biometric system. When that system fails, are you going to have enough humans and resources available to have real, live people available to assist in the authentication process? Biometric databases are subject to new forms of abuse which would be even more difficult to correct. It will have significant consequences for our citizens when the biometric identifier is compromised.
I strongly suggest that we use the present methods that we have of identifying with a digital photo, and that at the inception of the creation of a driver's license, more care be taken to identify the individual and not to issue duplicate licenses without verification of identity. I believe that to create a statewide network of this biometric information is an overwhelming undertaking and would cost far more, in the hundreds of millions of dollars, than it would to implement and verify the identifiers that we have right now, such as the digital photo. One of the big concerns that I have is for the accuracy of the biometric systems with their false acceptance and false rejection rates. Another big concern I have is when an imposter is trying to be accepted as someone else and gain entry at the inception. It will cause extreme challenges for an identity theft victim to get his/her real information into the system. A good biometric system can only be as good as the accuracy of any background information that's relied upon. If fraudulent information is used to enroll an individual, through a fake birth certificate or a stolen social security number, biometrics can only verify that the person is who they said they were at the time of the enrollment. Once a person is in the database, it would be impossible to trace an imposter assuming multiple identities.
The other concern is that the biometric data collection can be affected by changes in the environment such as the positioning of the finger, lighting, shadows, and background noise. Also, what about the changes a person goes through with aging, injury, disease, etc.? Once again, the accuracy of all biometric information diminishes over time, so I see this as another cost issue for us in California as well.
Other Cost Issues
Although I understand that fingerprints are the best known and most studied biometric information, that technology is extremely expensive, and the scanners required to read it are also extremely expensive, especially when you have to be accurate enough to not have false positives or negatives with scars, calluses, cracks in the skin, dirt, household cleaners and other variables. If we wanted to go to the most accurate form of biometrics, that would be the retina scan. The retina scan is susceptible to diseases such as glaucoma, cataracts, and other eye problems, and it is even more expensive to have those automatic data readers. Aside from the tremendous cost, it is most important to recognize that a system of biometric information will create a whole new series of privacy issues and will not necessarily stop identity theft from happening when other breeder documents allow fraudsters to get into the system to begin with.
At this point the accuracy, the regulation, and the safeguards for biometrics in my opinion are not "there" yet. Since we are now going to be required to implement tremendous security and link with other state databases, it seems appropriate that we spend more time on the matching of the digital photo and thumbprint that we presently have, before we take on the added expense and privacy invasion of biometrics.
Thank you for the opportunity to share some of these ideas. Of course, I look forward to working collaboratively with all of the stakeholders to hear what other suggestions everyone has. I hope to cooperate with all to assist the Department of Motor Vehicles to comply with the new Federal Act.
As an aside, I am also giving you my Senate testimony that I just gave this week on ID Theft and Data Brokers, because if the data brokers are given access to all of our DMV records, including our sensitive information such as our social security number, health data, and the biometric information, the problems that I discussed in my testimony will be further exacerbated with disclosure of biometrics.
Thank you very much for your time and your patience in reviewing this information.
Many good wishes,