The title of Alaska HB389, introduced last month, sounds grandiose:
“An Act repealing the implementation of the federal REAL ID Act of 2005; relating to identification cards; relating to drivers’ licenses; and providing for an effective date.”
Does HB389 prevent Alaska from issuing REAL IDs?
When you read the title of the bill, alarms go off in your head.
If the title is true, it’s a true setback. After many years, the entire country (perhaps minus a territory or two) has finally gotten on board with REAL ID in advance of the due date, and now one of the states is pulling out.
Except that when you read the detail of the bill (at least as originally written; it could change in committee), it doesn’t repeal Alaska’s compliance of REAL ID.
As Chris Burt notes in a Biometric Updatre post, it only provides an option for the Alaska Division of Motor Vehicles to issue an identification card that is non-REAL ID compliant. This is not different from any other state (for example, California) that issues non-REAL ID cards that are “not for federal purposes” or “not for federal identification” or “federal limits apply.”
So Alaskans, don’t panic. If you want to get a REAL ID to board a plane, you can still do this. Note the [BRACKETED ALL CAPS] text in Section 1 of HB389 as originally written, illustrated below.
So Alaska can still issue “federally compliant” (i.e., REAL ID) driver’s licenses.
But what about foreign ownership?
But as long as I was reading the text of the bill, I thought I’d see what else it proposed to change, and ran across this text in Section 4.
Now THAT caught my eye. (Alaska Statutes Chapter 15 is the portion of the statutes that governs driver’s licenses in general, so this clause affects EVERYTHING.)
If your company is 94% U.S.-owned, that’s not good enough in Alaska.
(Well, at least until Putin decides that Edouard de Stoeckl’s 1867 sale of Alaska was illegal…)
Most if not all U.S. state agencies do not produce driver’s licenses themselves, but instead contract with private companies to do the work. These private companies either produce the licenses at state agency offices, or produce them as a service (DLaaS) at a secure production center (which may produce licenses for multiple states). To my knowledge, all of the production centers for U.S. driver’s licenses are located within the United States.
But who are the “private entities” that provide driver’s license manufacturing services? Let’s look at the major ones and see if they’re affected by Section 4 of the draft of Alaska HB389.
It is a matter of public record that the majority of U.S. states use IDEMIA to produce their driver’s licenses, either within agency offices or in secure IDEMIA production centers. When I was an employee of IDEMIA, I did not have the necessary security clearance to enter any of these production centers. Employees should only have the security permissions that they need, and my job had no need for me to access the PII of IDEMIA’s driver’s license customers, or to enter the facilities in which these secure documents are manufactured. There are security requirements governing this.
…our state-of-the-art central issuance facilities…are highly secure and meet North American Security Products Organization (NASPO) Level I security requirements.From https://na.idemia.com/dmv/physical-drivers-licenses-and-id-cards/
We’ll return to NASPO later in this post.
As I’ve noted before, IDEMIA is (currently) majority owned by Advent International, a U.S. based investment firm. IDEMIA entered the U.S. driver’s license market by acquiring Morpho (French), which had previously acquired MorphoTrust/L-1 Identity Solutions (U.S.), which had previously acquired Digimarc’s ID Systems business (also U.S.).
And, as I’ve noted, Advent International will probably choose to sell IDEMIA at some point in the future.
However, Advent International is not the exclusive owner of IDEMIA, because part of the company is owned by Bpifrance, which is (drumroll) French.
Alaska’s HB389, if passed in its original form, would prohibit the state from “communicating” personally identifying information (PII) to a private entity with more than five percent foreign ownership. I do not know the percentage that Bpifrance owns (all of the press releases failed to include that little tidbit), so I don’t know if IDEMIA would run afoul of the law or not.
HB389, if unmodified, is just one thing that any company that purchases IDEMIA must keep in mind.
IDEMIA doesn’t produce Alaska driver’s licenses. Who does?
But that doesn’t matter, because IDEMIA isn’t the Alaska driver’s license vendor anyway. That contract is controlled by another company.
Austin, TX – October 31, 2018 – Gemalto (Euronext NL0000400653 GTO), and Alaska’s Division of Motor Vehicles will continue their work of providing credentials to citizens with the additional goal of helping the state become Real ID compliant by increasing security of the state’s driver’s license and identification cards.From https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/press-release/alaska-extends-contract-with-gemalto-to-enhance-drivers-license-security
Gemalto (a Dutch company) was subsequently acquired by Thales, which is a French company. Gemalto entered the U.S. driver’s license market when it acquired Marquis ID Systems.
Now I do not know the details of Alaska’s contract with Thales, but it stands to reason that if Thales is “providing credentials to citizens” (implying a service bureau relationship), then at some point the state is going to have to “convey, distribute, or communicate” PII to Thales.
But don’t worry. IDEMIA and Thales are not the only driver’s license manufacturers out there, so you don’t have to worry about foreigners getting your data. Just select an American company!
For example, Veridos can provide driver’s licenses. Veridos is a joint venture between Giesecke+Devrient and Bundesdruckerei…whoops, that’s not a U.S. company.
And there’s another driver’s license manufacturer out there. It’s called…Canadian Bank Note.
There’s also Valid, which is…Brazilian.
Let’s look at NASPO
Despite the fact that these entities are foreign-owned, all of them (either on their own, or through parents or acquired companies) are members of NASPO, and many of them have NASPO certification.
NASPO international was formed as the North American Security Products Organization. The non-profit organization was founded in 2002 by companies and individuals in industry that recognized the need for security focused standards to prevent fraudulent acts that support criminal and terrorist activity….
NASPO INTERNATIONAL was formed to combat the ever increasing amount of fraud within the areas of brand protection, document security, and identity. Our focus is to produce credible, structured, and, when appropriate, certifiable standards. NASPO INTERNATIONAL has created a risk reduction standard and auditing process to certify security focused organizations. This structure also provides the end user with the ability to create a secure supply chain from supplier to end users.From https://naspo.info/about-us/faq/
From my point of view, NASPO tries to achieve what HB389 clumsily tries to achieve by its “minimal foreign ownership” clause. 100% U.S. ownership does not guarantee the security of your data, and 94% U.S. ownership does not guarantee that your data will wind up in a foreign capital.
So what happens next?
I have no idea whether HB389 will get passed, but unless it is substantially amended, Alaskans can still get REAL ID driver’s licenses so that they can board planes, enter secure federal facilities, and the like without getting a passport or other authorized document.
But I’m not sure what’s going to happen regarding the foreign ownership clause. Maybe people at some of the firms listed above are already looking into this.
But if my assumptions on HB389 are correct, and it passes with Section 4 intact, perhaps Alaska may not be able to rely on a private entity to provide driver’s licenses as a service (DLaaS). In that case, the state will have to produce its own driver’s licenses, free from foreign influence.