Phil Libin | Getting real

Phil Libin, president and co-founder of CoreStreet, has found himself a somewhat lonely defender of an unpopular law. He is a fervent believer in the Real ID Act, the 2005 law establishing standards for state driver's licenses and identification cards. 'Popular opinion is so strongly against it,' he said. That has not stopped him from speaking his mind on the subject, and he agreed to discuss his position with GCN. Libin's company ' Cambridge, Mass.-based CoreStreet ' provides infrastructure and software for smart-card credentials. Libin founded CoreStreet in 2001 after selling his previous start-up, Engine 5. It is always worthwhile to ask. 'National' is maybe a scary word for people. I think the ultimate goal is not necessarily to have a system of national ID cards that can prove who you are.The goal is to have a system to prove what attributes or privileges you have. If you are getting on a plane, that you have a right to get on the plane; if you are driving, that you have a right to drive. And if this can be done without leaving traces of who you actually are, then all the better.There are ways of doing that, but it will take several years for the technology to become good enough so that every citizen can have some kind of an ID card that doesn't necessarily say who they are, but only what they are allowed to be doing.That is the ultimate goal, but I think an important first step is a system of IDs that at the very least proves who you are. Pretty much everything. All of the problems that people are saying we are going to have with Real ID ' bad security and bad privacy, and data being everywhere ' all of those problems exist today.Relatively few people have passports, so a culture has evolved that you use your driver's license [for identity]. Functionally, they're all the same, and yet everything about them varies from state to state ' how difficult they are to get, how easy they are to forge, the backgrounds of the people who handle the licenses, how the data is protected, who is allowed to use it, what kind of databases tie into it. So we pretty much have the worst possible situation right now. The most important thing about the act is that it is an attempt to establish some standards and best practices in the way identities should be created and used. This concept that there should be standards is important, because right now it is all de facto. We are saying, 'Here [is] the minimum set of requirements for who is allowed to handle this data and for how the cards are created.' I really wish Real ID had more explicit privacy language in there. I think that was a missed opportunity that has opened the door for a lot of criticism, which is not entirely unjustified. It would be completely appropriate for Real ID to say that the flip side of security is privacy, and we are going to enact standards for both the security and privacy sides of it.[Also], a lot of the technology choices are pretty weak. There's not a lot of high tech; it's not really a smart card. I think a smart card with asymmetrical cryptography could go a long way toward improving security and privacy. I'd like to see better standards for who can access data and what they can do with it. The government has models for this.The Defense Department's Common Access Card program addresses a lot of these issues, but Common Access Cards are also much more expensive. I am always in favor of being technology agnostic and focusing on results, but I think people could be a little more technically literate about how they write the desired results. You don't have to specify cards from a particular vendor or with a particular algorithm, but you can specify things that will lead you to a technology.I like the idea of starting out with a high-level set of standards and requirements and specify the technology as much as we can as time goes on. I'm glad that privacy and security advocates came out of the woodwork and started pointing out all of the problems with Real ID, because all of these problems exist today without Real ID.What I hope is, if Real ID dies, that they don't take that as a victory and go away leaving a completely broken system that already has everything wrong with it. I want them to stick around and [ask], 'How do we fix it?' If that's the case, I don't really care whether we have Real ID this year or something else in 12 months.From a purely practical perspective, I think if Real ID were to die completely it would probably entrench the status quo even further, because the political will to do something probably wouldn't exist until there was another major disaster or attack. So I'd rather it not die. That's a central issue, one not separable at all from security issues. The biggest problem with the current system is [that] we don't have particularly good laws defining what a privacy violation is, unlike some other countries. In the U.S., a privacy violation is a very subjective thing, and there aren't really good guidelines about that. So I'd like to see a set of standards and best practices and, eventually, laws saying specifically what we are trying to protect and what is a violation. There are models in other countries we can look at and learn from. I think the regulators historically do pay attention to suggestions and recommendations, and I expect that to continue with Real ID. I know that's a bit contrary to what people tend to assume.Legislators and politicians, I think, are paying attention now. I'm not sure how long that attention span lasts. We definitely have a stake here. Our business is to provide technology for identity cards, for the Defense Department, the Homeland Security Department and for a few foreign governments.We are not an unbiased party, but hopefully we are knowledgeable.