There's an interesting story in next month’s National Defense magazine on the long gestation of the REAL ID Act.
As you may remember, eight years ago the U.S. Congress passed the REAL ID Act of 2005. It would have forced states to start issuing tamper-proof driver licenses and identify cards by 11 May 2008. The reason for the act, a brainchild of Congressman Jim Sensenbrenner of Wisconsin, was to make it harder for terrorists and other criminals to be able to pass off fake IDs in the commission of their crimes. And a REAL ID card would be required to enter a federal building or board a commercial airline flight.
After an outcry from state governors over the projected cost—upwards to US $12 billion they claimed—and from privacy advocates over this creation of a de facto national identity card, the Department of Homeland Security (DHS) decided in March 2007 to move the act's compliance date to December 2009. Then, in January 2008, DHS decided again to postpone the deadline for states to the 11 May 2011 and also changed some of the documentation requirements needed to get a REAL ID in hopes of quieting the critics. DHS estimated then that the states’ implementation costs would not be any greater than $3.9 billion, which DHS would help cover with $280 million in state grants.
After continued grumbling by the states about the cost, and some two dozen state legislatures passing laws or resolutions refusing to comply with the REAL ID requirements, in March 2011, DHS postponed the compliance deadline yet again, this time to 15 January 2013. And then, as this deadline approached and with most states still in non-compliance, late last month DHS for the fourth time delayed the compliance deadline. It will apparently be to sometime in 2015; the department won't announce the exact date until later this year.
A DHS press release announcing this latest delay praised the 13 states that it says have met REAL ID standards: Colorado, Connecticut, Delaware, Georgia, Iowa, Indiana, Maryland, Ohio, South Dakota, Tennessee, West Virginia, Wisconsin, and Wyoming. However, as the National Defense magazine article points out, the Real ID act requires that there exist “five different national databases for states to tap into to verify identities [but those] are not up and running.”
Hmm, I guess meeting the REAL ID standard all depends what you mean by “standard.” Or maybe the word "is."
In addition, as noted in an acerbic post at the CATO Institute, there are pretty good odds that the states who haven’t complied with the REAL ID act will probably never have to, making suckers out of those that did. As CATO points out, it is highly unlikely that the federal government is going to tell the citizens of 37 states they can’t fly in planes or enter federal buildings. How will federal judges feel about all those empty jury boxes? As it happens, I've been called to federal court jury duty next week, in a state that doesn’t meet the REAL ID act.
The pleasure of watching the endless tug of war over federal (unfunded) mandates versus states’ rights exposed by the REAL ID act is compounded by the risible and ever-changing cost estimates to the states of implementing it. Sensenbrenner originally estimated (i.e., pulled out of the air if not another place) that the cost to change state department of motor vehicle computer systems would be about $2 million per state over 5 years, or $100 million overall. The Congressional Budget Office, sharing the same fantasy, generally concurred, estimating that it would be closer to $120 million over the 5 years total.
However, a 2006 study by the National Conference of State Legislatures (NCSL), the National Governors Association (NGA), and the American Association of Motor Vehicle Administrators (AAMVA) said that Sensenbrenner and the CBO were way off, and did not account for the vast majority of costs that would be incurred. This group estimated that the REAL ID act could cost states more than $11 billion over five years (pdf).
That number was thought to be way off until the DHS admitted in March 2007 that its own estimates of the REAL ID act implementation costs would be from $10.7 billion to $14.6 billion—with another $7.8 billion or so in costs borne by individuals in fees—over ten years.
After its January 2008 changes to the REAL ID requirements, DHS revised its own estimate and claimed that compliance would now cost the states a mere $3.9 billion or so over ten years. In 2011, the Center for Immigration Studies, an advocate for REAL ID, estimated the cost to the states would be even less: somewhere between $350 million and $750 million. That seems remarkably low, given that DHS has said that it has already awarded $263 million in grants from FY 2008 to FY 2011 to states to help them meet the REAL ID requirements—and three-fourths of the states aren't done yet.
Exactly how much money the states have spent so far on top of this DHS grant amount is unknown, but even the DHS knows that meeting the Real ID “standards” aren't cheap. One reason for the latest delay, DHS says, is that “in a period of declining state revenues,” the states are having a hard time finding the money to implement the act's requirements.
My guess is that the DHS will continue to set Real ID compliance deadlines only to postpone them at the last moment, and hope that over time, the vast majority of states will ultimately albeit grudgingly implement REAL ID as they eventually replace their DMV legacy systems. Me, I'm rooting for some genuine enforcement of compliance by 2015. I probably wouldn't ever have to report for federal jury duty again.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.