Federally mandated $11 Billion boondoggle

From Newsweek:

COLUMBUS, Ohio – New federal security rules for issuing driver’s licenses could cost $11 billion to implement, raising concerns among states about paying for the changes, according to a national survey of states released Thursday.

“There’s no question that state legislators believe driver’s licenses should be as secure as is possible,” said William Pound, executive director of the National Conference of State Legislatures which helped conduct the survey. “The $11 billion question is, ‘Who’s going to pay for it?’”

Actually that’s not the question. The question is, “What will you get from spending $11 billion?” The answer is, “Nothing of value.”

Here’s why:

The law requires states to incorporate common security features to prevent tampering or counterfeiting, such as using standard materials in every state to print the cards. States will have to verify the legitimacy of documents used to obtain a license and buy equipment to digitally store those documents.

The problem is that with a document that is common to 300 million people (coordination with Canada is supposed to be occurring too) and highly regarded and valued, the effort put into forging the document will be quite high. What they erroneously believe is that, with the biometric identifier used on the document, they can catch (nearly) all efforts to create a duplicate identity for someone. There are only two biometrics that have a chance of this kind of quality. They are DNA and fingerprints. A duplicate iris scan shows up about once for every 200,000 people and that particular biometric has other issues as well (think specialty contact lenses for example). Voice and facial recognition biometrics don’t even come close to meeting the bar.

DNA testing as a biometric used on this wide a scale “isn’t ready for prime time” and may never be. No matter how many times you watch Gattaca it’s still just a movie. Sometimes legislators have a difficult time distinguishing Hollywood from reality and I suspect this is one of those times. And even if it were “ready for prime time” the character played by Ethan Hawke in Gattaca shows us how it is defeated.

Fingerprints have been on California driver’s licenses for something like 20 years (I wish I still had the notes from my biometrics class, but the people at PNNL didn’t return those to me after they committed their felony and wrongfully terminated me). Of those fingerprints on all those licenses only about 40% are actually usable. They were obtained at the DMV by people who were inadequately trained and motivated to get good fingerprints. Even if they were properly trained and motivated there will have to be thousands of people with authorization to enter and edit data in the system. With that large an attack surface (read this to understand attack surfaces) and with the value of the document so high there will be lots of opportunity and motivation for obtaining an authentic, but fraudulent, document. See also my thoughts on a universal biometric ID which this is “a good first step” toward.

Since the terrorists, whom this document is aimed at defeating, only need to find one hole in the system to “win” that particular battle, we will have spent $11,000,000,000 on virtually nothing, and it could have been invested in real security.

I’m thinking the UltiMAK school of charm would be a good place for some of those dollars.