Yes. That was an April Fool.

by on April 2, 2007

Leave it to the blogosphere (in the person of one David McElroy) to instantaneously debunk my ham-handed April Fool’s Day post claiming a security breach in the the NAPHSIS EVVE system. Congratulations, David. (Who says it’s such a good thing to have smart readers?!)

The National Association for Public Health Statistics and Information Systems has developed and implemented the Electronic Verification of Vital Events system to allow immediate confirmation of the information on a birth certificate presented by an applicant to a government office anywhere in the nation irrespective of the place or date of issuance.

That sounds neat, but it is being incorporated into the REAL ID national ID system apparently without regard to the security issues involved. If we are going to use driver’s licenses for security purposes, each link in the chain of issuance is then a potential vulnerability.

What if the NAPHSIS EVVE system and others like it were comprimised and made to confirm the issuance of birth certificates that didn’t actually exist? We could have untold numbers of licenses issued based on fraud. The system we have now, which provides a modicum of security, could collapse as fraudulently acquired driver’s licenses proliferate.

Two weeks ago, at the meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, I asked Stewart Baker, Assistant Secretary for Policy at DHS, what counter-measures might be employed by attackers on the REAL ID national ID system. He said, “We have done some thinking about that . . .” I’m not sure our confidence should be inspired by that.

Every weakness in the system should be explored carefully. I summarized some of them in Appendix A of my testimony at the Homeland Security and Governmental Affairs Committee last week.

Comments on this entry are closed.

Previous post:

Next post: