I never thought I’d say this on a security-related subject, but I disagree with Bruce Schneier (and Michelle Malkin, which doesn’t surprise me so much) about the significance of this prank:
These guys have done the Virginia DMV–and the nation– a big favor. Many of us have tried to argue how much of a joke these agencies and our homeland security remain after 9/11–particularly the issuance of driver’s licenses (it was the Virginia DMV that issued state photo ID to several 9/11 hijackers who were aided by illegal aliens). But few dissertations and policy analyses drive the message home more effectively than these two damning videos.
If the point is simply that employees at the DMV should be more attentive, it’s hard to disagree with that. But it’s hard to see how this illustrates any particular of security hole in our identification system. I suppose if one’s goal were to allow a buck-toothed Asian guy to hijack an airplane while passing himself off as you, this would allow you to do that. But if that were the goal, you could just as easily give the Asian guy your birth certificate, Social Security number, etc and have him go into the DMV himself.
But getting an ID with his real name and bogus face doesn’t do terrorists any good. What terrorists would care about (to the extent that checking IDs deters terrorist attacks at all, which I think is doubtful) is doing the opposite: getting their real face on an ID with someone else’s name on it. I don’t see how this stunt, or any conceivable variation on it, makes that possible.
I do, however, agree with Schneier’s final paragraph:
I honestly don’t know if she realizes that REAL ID won’t solve this kind of problem, though. Nor will it solve the problem of people getting legitimate IDs in the names of people whose identity they stole, or real IDs in fake names by bribing DMV employees. (Several of the 9/11 hijackers did this, in Virginia.)
I would go a step further: it’s not clear to me that checking photo IDs serve any useful purpose at all when it comes to fighting terrorism. As Jim Harper has argued, “watch listing and identification checking [are] like posting a most-wanted list at a post office and then waiting for criminals to come to the post office.” If we have good reasons to think someone is likely a terrorist, we should be taking active steps–bugging their phones, tracking their financial transactions, monitoring who they meet with–to make sure we catch them before they act. (And we should get warrants from an impartial judge before doing any of these things, of course) If we’re doing that properly, ID checking is redundant, because law enforcement should already know a suspect planning on taking a trip from phone and email conversations, credit card transactions to buy the ticket, etc.
On the other hand, if we don’t have any particular evidence that someone is a terrorist, then it’s not clear what purpose is served by checking his ID. Someone who’s planning to blow up an airplane doesn’t have any reason to hide his identity, since he’s not going to be around to face punishment afterwards.