This past March, the Department of Homeland Security posted its Notice of Proposed Rule-Making (NPRM) for the implementation of the Real ID Act of 2005. The NPRM has been open to the public for comments, but that comments period is slated to end on May 8. If you're concerned about the implications of a national ID card and a national database with tons of your sensitive data in it, and you'd like to join the growing revolt against the Act by an ideologically diverse array of states and citizens' groups, then you can find instructions and aids for submitting your comments to DHS at the following links:

At least one of the links provides a sample letter that you can modify and submit, but if you really want your voice heard then it's best to write some comments from scratch. It took me less than five minutes to put together a quick, two-paragraph e-mail to Congress and DHS based on the talking points given at the above links, so I urge you to do the same.

Now, none of the links above make clear what this round of comments is about, and if you've been following Real ID you may be thinking, "Didn't this already pass... what's this about 'stopping' it?" To understand what the NPRM is about, and what you can do to stop Real ID, you need a bit of historical context.

Congress passed the Real ID Act back in 2005 by burying it so deep within a "must-pass" military appropriations bill that it wasn't discovered by privacy advocates until just a few days before the bill came up for a vote. With such short notice, there wasn't time to rally enough opposition to the Act to get it stripped from the bill—and that's in spite of the fact that it contained an unprecedented and supremely odd "Trojan horse" type A3S2 provision that apparently guts judicial review for a really obscure reason.

The states have pushed back against Real ID, because many of them simply don't have the money to comply with the Act's requirements by the proposed deadlines. Meanwhile, DHS has submitted a proposal for public comment that outlines how the agency plans to actually implement the Act's legislative requirements. The rules laid out in this NPRM document are designed to be followed by DHS and the states, in order to bring them into compliance with the Act. This NPRM is what must be commented on by the public before May 8.

In writing to oppose the Real ID Act, you'll be joining a broad-based coalition that includes organizations from across the entire political spectrum... except for the NRA, an organization of which I used to be a card-carrying member. (Literally, I had one in my wallet, and in my first year at Harvard Divinity School I used to delight in freaking out the Unitarians with it.)

A look through the NRA's site turned up a lengthy argument against the proposed inclusion of polar bears on the endangered species list—an issue that has to do with global warming but not guns or "freedom"—but no mention of Real ID anywhere. Google couldn't help either. This is especially odd, given that Democratic minority at the time of the Act's passage added language to the bill that would explicitly prevent Real ID's provisions from being used to create a national database of gun owners, language that was then struck down by the majority in a party line vote. I'm totally compelled to point out this bizarre episode at every opportunity, because in the NRA mythology on which I was raised, a national gun database is the first horseman of the black-helicopter apocalypse. First, they make us all register our guns... then, they come and take them away. See this quote by former NRA president Marion Hammer, for instance.

Actually, I did find a 2002 speech in which the NRA's CEO, Wayne LaPierre, stated his opposition to a national ID card scheme that involves DNA sequences, ATM withdrawal histories, credit history, turnpike use, movie rentals, pharmacy prescriptions, phone records, etc. all encoded into a hologram. This is super scary—especially the hologram part—but it's not Real ID. But all kookiness aside, it's worth taking a closer look at the national ID and citizen database objections to Real ID, and at DHS' attempts to evade criticism on this front.

DHS either doesn't understand databases, or they think that we don't

One of the most important criticisms of Real ID is that it will create a national ID card that's backed by a national citizen database containing all sorts of info that identity thieves, some of whom may even manage to score a job at a DMV, would love to get their hands on. But DHS explicitly denies that Real ID will be either a national ID card or that it will result in "a national database of driver information." Indeed, this denial is repeated multiple times in the NPRM document.

I want to zero in specifically on the "national database" portion of the problem, because DHS's insistence that Real ID doesn't create a national database hinges on a somewhat lawyerly definition of the term "database."

In reading through the NPRM, especially section II.E.6 and following, it becomes clear that DHS has bent over backwards to avoid the creation of a single, federally maintained database of DMV data, while still providing all of the functionality of such a database (with none of the potential security advantages that you'd get from centralization). In lieu of such a centralized, federally maintained database, they've created a set of carefully crafted rules and standards that would have the effect of creating a national DMV database, but this database will be distributed, and it will be built and maintained by the states. Different states will have different levels of security for who can access this distributed database, with DMV personnel screening requirements and actual technological implementations differing from state to state.

What do I mean by a "distributed database"? First, all the state DMV databases, which are implemented variously, will be linked together, so that they can talk both to each other and to the federal databases to which they already have some amount of access. Then, DHS will support the development of a "federated query service" that each state DMV can use to pull data from all state DMVs and federal databases with a single query.

Now, notice the sleight of hand here: DHS won't be developing this federated query service itself—that's the states' job. DHS also will not operate this service, nor will the agency require that states use it. The states run the service in their DMVs, and one state can still query another state's database directly, if it chooses.

The end result of the Real ID Act's database connectivity requirements and the federated query service is that someone sitting in a DMV can use a single query to pull a citizen's data from all state DMVs and federal databases. This is functionally a national citizen database, even if citizens' data is physically spread out over multiple records in multiple databases at multiple sites with multiple levels of access control, logging, and oversight. So like I said above: all of the functionality of a centralized database, but with none of the attendant security, oversight, and auditing benefits of a single, locked-down implementation.

Ultimately, DHS's objection that Real ID does not create a "national database" is only sustainable using a narrow definition of "database." But if by "database" you mean, "I can write one query to pull data from multiple records," then the Act and DHS's proposed interpretation of it will indeed create a "national database." With the NPRM, DHS has taken the already terrible idea of a national citizen database, and then made it infinitely worse in the name of appeasing privacy advocates.