Testimony: Will REAL ID Actually Make Us Safer?

2007-05-08

Schneier's May 2007 testimony before the Senate Judiciary Committee on REAL ID — the federal program to standardize and strengthen state-issued identification cards — is a direct application of the analytical framework of Beyond Fear to a specific, contested piece of post-9/11 security legislation.

The Policy Context

REAL ID was passed in 2005 as part of the Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief. It required states to issue standardized, federally compliant driver's licenses and ID cards, with information stored in a networked database accessible across state lines. Proponents argued it would prevent identity fraud and make it harder for terrorists to obtain fraudulent identification. Opponents — including the Electronic Frontier Foundation, civil liberties organizations, and a number of state governments — argued it created a de facto national identity card with significant privacy risks and security vulnerabilities.

The Senate Judiciary Committee hearing in May 2007 was part of the ongoing legislative debate over REAL ID's implementation requirements and whether they should be revised or repealed.

The Argument

Schneier's testimony structured its analysis around the same five-step framework from Beyond Fear: What problem are we actually trying to solve? What does REAL ID do to address that problem? What new risks does it create? What are the costs?

His assessment was negative on all counts. REAL ID would not have prevented the September 11 attacks — the hijackers were using valid identification. The program's claimed security benefit (preventing fraudulent ID) was marginal against the actual terrorist threat. Meanwhile, the centralized database of identification information created a major new attack surface: a honeypot of personal information that, if compromised, would expose millions of people to identity theft. The privacy costs — creating the infrastructure for pervasive tracking of movements and activities — were large and would persist long after any particular security threat had passed.

This is security-theater analysis applied directly: REAL ID is a visible, politically comprehensible response to a terrorist attack that it would not have prevented, at the cost of creating significant new vulnerabilities and privacy risks. The distinction between feeling safe and being safe is the diagnostic: REAL ID makes people feel more secure by producing something tangible (a standardized ID card) without addressing the actual threat model.

Connection to Civil Liberties Network

The testimony reflects Schneier's relationship with the digital rights and civil liberties community — the Electronic Frontier Foundation had been a consistent opponent of REAL ID, and Schneier's analytical framework gave the civil liberties arguments a security credibility that pure rights-based arguments sometimes lacked. His ability to argue that REAL ID was bad security — not merely bad policy or a civil liberties violation — gave the opposition a different rhetorical register.