Oct 16 2023

The TSA wants to put a government tracking app on your smartphone

Today the Identity Project submitted our comments to the Transportation Security Administration (TSA) on the TSA’s proposed rules for “mobile driver’s licenses”.

The term “mobile driver’s license” is highly misleading. The model Electronic Credential Act drafted by the American Association of Motor Vehicle Administrators (AAMVA) to authorize the issuance of these digital credentials and installation (“provisioning”) of government-provided identification and tracking apps on individual’s smartphones provides that, “The Electronic Credential Holder shall be required to have their Physical Credential on their person while operating a motor vehicle.”

So the purpose of “mobile driver’s licenses” isn’t actually licensing of motor vehicle operators, as one might naively assume from the name. Rather, the purpose of the “mobile drivers license” scheme is to create a national digital ID, according to standards controlled by the TSA, AAMVA, and other private parties, to be issued by state motor vehicle agencies but intended for use as an all-purpose government identifier linked to a smartphone and used for purposes unrelated to motor vehicles.

We’ve seen the ways that government-mandated tracking apps on citizens’ smartphones are used by the government of China, and that’s not an example we want the US to follow.

AAMVA’s website is more honest about the purpose and planned scope of the scheme: “The mobile driver’s license (mDL) is the future of licensing and proof of identity.”

As we note in our comments:

The fact that the TSA seeks to require the installation of a government app on a mobile device of a certain type suggests that the government has other purposes than mere “identification”, such as the ability to track devices as well as people. But we don’t know, because we haven’t been able to inspect the source code for any of these apps.

Most of the details of the TSA proposal remain secret, despite our efforts to learn them. So our comments focus on the unanswered questions about the proposal, the deficiencies in the TSA’s “notice”, and the TSA’s failure to comply with the procedural requirements for consideration of proposed regulations and for approval of collections of information from members of the public — which the TSA is already carrying out illegally, without notice or approval, with digital ID apps that state agencies are already installing on smartphones:

By this Notice of Proposed Rulemaking (NPRM), the Transportation Security Administration (TSA) proposes to establish “standards” (which are not included in the NPRM and not available to the public) for a national digital ID to be used by Federal agencies in an unknown range of circumstances for unknown purposes (also not specified in the NPRM, and for which the notices and approvals required by law have not been provided or obtained).

The NPRM, which includes a proposal to incorporate by reference numerous documents which are not included in the NPRM and have not been made available to would-be commenters who have requested them, fails to provide adequate notice of the proposed rule or opportunity to comment on the undisclosed documents proposed to be incorporated by reference. It violates the regulatory requirements for incorporation by reference of unpublished material….

The proposed rule would also implicitly incorporate the Master Specification for State Pointer Exchange Services (SPEXS) published by the American Association of Motor Vehicle Administrators (AAMVA), which is not included or mentioned in the NPRM or publicly available and which AAMVA has actively attempted to remove from public availability….

The NPRM purports to include an analysis, pursuant to the Paperwork Reduction Act (PRA), of “the information collection burdens imposed on the public,” and claims to have requested approval for these information collection from the the Office of Management and Budget (OMB). But both the NPRM and the request for OMB approval omit any mention of the collection of information from individuals that occurs each time a “mobile ID” is “presented” and an app on a mobile device interacts with TSA or other Federal agency devices or servers….

What data fields will be collected when a TSA or other Federal agency device interacts with a mobile ID app on an individual’s device? We don’t know. What code will an individual be required to allow to run on their device, and with what privileges? We don’t know, although this could be critical to the risks and potential costs to individuals if, for example, they are required to allow closed-source code to run on their devices with root privileges.

From which people, how many of them, in what circumstances, and for what purposes, will this information be collected? We don’t know, although all of this is required to be included in an application for OMB approval of a collection of information….

What will individuals be told about whether these collections of information are required? We don’t know this either, although this is a required element of each PRA notice, because the TSA provides no PRA notices to any of those individuals from whom it collects information at its checkpoints, including information collected from mobile IDs.

As the TSA itself has argued in litigation, no Federal statute or regulation requires airline passengers to show ID. And hundreds of people pass through TSA checkpoints and board flights without showing ID every day. An accurate submission to OMB, and an accurate PRA notice (if approved by OMB), would inform all individuals passing through TSA checkpoints that ID is not required for passage. But instead of providing OMB-approved PRA notices at its checkpoints in airports, the TSA has posted or caused to be posted knowingly false signage claiming that all airline passengers are “required” to show government-issued ID credentials. Individuals incur substantial costs as a result of these false notices, particularly when individuals without ID forego valuable travel in reliance on deliberately misleading signs that ID is required.

Read More

Dec 05 2022

DHS resets the clock on its threat to stop flyers without ID

 

Soccer fans have been noticing unusually large amounts of stoppage time added on to extend the final whistle in many of this year’s World Cup matches. But FIFA and World Cup referees have nothing on the US Department of Homeland Security when it comes to extending the end of the game of REAL-ID chicken that the DHS has been playing with air travelers.

Just a few months after adding a countdown clock to its website to add artistic verisimilitude to its threat to start “enforcing” a nonexistent law prohibiting flying without ID, the DHS has set that clock back by two more years.

The change announced today — only the most recent in a seemingly endless series of postponed empty REAL-ID threats — again postpones, but does not withdraw, the DHS threat to start preventing people without ID from traveling by airline within the US.

The DHS says it plans to promulgate another set of amendments to its regulations implementing the REAL-ID Act of 2005, postponing “enforcement” of the REAL-ID Act at airports until May 7, 2025. Conveniently for current Federal officials, that punts the problem of how to respond to the inevitable resistance to an attempted ban on flying without ID into the next Presidential administration.

Today’s press release from the DHS says, in part:

Under the new regulations, beginning May 7, 2025, every traveler 18 years of age or older will need a REAL ID-compliant driver’s license or identification card, state-issued enhanced driver’s license, or another TSA-acceptable form of identification at airport security checkpoints for domestic air travel.

We  doubt, however, that the revised regulations will contain any such provision. None of the previous versions of the REAL-ID regulations contained any provision requiring air travelers to identify themselves, and any such regulatory provision would exceed the implementing authority granted to the DHS by the REAL-ID statute.

The REAL-ID Act restricts what ID credentials a Federal agency can accept, in circumstances where ID is required by some other Federal law or regulation. But neither the REAL-ID Act nor any other current or proposed Federal law or regulation requires travelers to show any ID to pass through Transportation Security Administration checkpoints or board domestic flights within the US — as the TSA itself has argued whenever ID to fly has become an issue in court.

It should go without saying that one doesn’t have to take a “flying test” to obtain a drivers license. A drivers license is not a permit to fly, and possession (or not) of a valid drivers license is entirely unrelated to entitlement to travel by common carrier. The REAL-ID Act has done nothing to make flying safer, any more than preventing people without ID from flying would make flying safer. The only real impact of the REAL-ID Act  has been the creation of an (outsourced, privately held, opaque and uncontrolled) national ID database  (SPEXS) aggregated from state and territorial driver’s license records.

By the time the two more years of added “stoppage time” runs out on the DHS threat clock, twenty years will have passed since the REAL-ID Act was rushed through Congress in post-9/11 panic, without debate and with hardly time for legislators to read the bill.

Time is running out on the REAL-ID Act. It’s time for Congress to admit that the REAL-ID Act was wrong from the start, has enabled the creation of a de facto national ID database  overwhelmingly opposed by the American public, and should be repealed.

Sep 22 2022

Freedom to travel to get an abortion

[Arrows indicate populations of states where abortion is, or is likely to become, illegal, and directions and distances to the nearest states where abortion is legal. Note that some of the routes shown are more likely to be followed than others, since abortion is more or less heavily restricted in some states where it is shown on this map as legal. Diagram by Bloomberg News based on data from the Guttmacher Institute.]

Increasing variations between state laws related to abortion are prompting an increase in the already large numbers of women who travel across state lines to obtain abortions.

For women in many states, bans on abortion are making the right to interstate travel an essential prerequisite to the right to obtain an abortion.

Both anti-abortion vigilantes and state laws criminalizing actions related to abortion, including facilitating abortion-related travel, are prompting women seeking abortions as well as those who support abortion rights to think about how to protect abortion travelers and their supporters against identification, surveillance, stalking, harassment, or legal sanctions.

In this context, the right to anonymous travel has acquired new importance and urgency. If you’ve wondered, “Why would anyone want to travel anonymously?” now you know one of the reasons.  But what’s needed is “right to travel” legislation, not just “privacy” legislation. Current Federal “privacy” bills would do little to protect abortion travelers.

What are the patterns of abortion-related travel? How could state authorities or private vigilantes identify or track the travels of these women — whether they drive or take buses, trains, planes, or automobiles? What, if anything, can women traveling across state lines to obtain abortions do to protect themselves against being identified, tracked, and potentially prosecuted or subjected to retaliation, harassment, or other sanctions?  What could the Federal government do to protect these women’s right to travel, and to do so privately and safely?

As discussed in detail below, the possibilities for technical self-defense against threats to the right to travel are limited. Congress needs to act to include protection for the right to travel — regardless of the purpose for which you  travel — in any abortion rights legislation.

Read More

Sep 16 2022

Countdown to a crackdown on flying without ID

The Department of Homeland Security has added a Countdown to REAL ID Enforcement at airports to its website. But questions remain as to what this really means, despite our best efforts to find out.

What — if anything — will really change at Transportation Security Administration checkpoints when this countdown clock runs out on May 3, 2023?

Nothing in the law will change on that date. The REAL-ID Act of 2005 established criteria for which ID credentials can be “accepted” by Federal government agencies, in circumstances where individuals are required by Federal law or regulations to possess and/or show some evidence of their identity. But the consistent position of the DHS and TSA in litigation has been that no law or regulation requires air travelers to possess or show any ID. And the REAL-ID Act did not create any new requirement to have or show ID to fly.

Since the REAL-ID Act applies only to which IDs are accepted from those who choose to show ID to fly, it should have no effect, now or at at any date in the future, on those who don’t have, or choose not to show, ID to fly. They still have the right to fly without ID — as more than a hundred thousand people do every year — subject at most to a more intrusive administrative search of their person and baggage.

The “deadline” announced by the DHS and TSA might indicate plans for new regulations that would impose a requirement for air travelers to have or to show ID. But no such regulations have been proposed or included in DHS or TSA agendas of planned rulemaking.

Despite the lack of any apparent legal authority, however, it appears from the latest extrajudicial DHS and TSA rulemaking-by-press-release that these agencies plan to begin preventing anyone from flying without ID on or after May 3, 2023, on unknown grounds.

The following statement now appears on the DHS and TSA websites:

What happens if I show up without a valid driver’s license or state ID?

Starting May 3, 2023, every traveler will need to present a REAL ID-compliant license or an acceptable form of identification to fly within the U.S. Passengers who do not present an acceptable form of identification will not be permitted through the security checkpoint.

This would be a major change, with no legal basis, from current practice or any previously disclosed DHS or TSA plans.

Read More

Mar 17 2022

Alaska may end its compliance with the REAL-ID Act

A bill introduced in the current session of the Alaska state legislature, HB 389, would end the issuance by the state of Alaska of driver’s licenses that comply with the Federal REAL-ID Act of 2005.

In addition, HB 389 would give Alaska residents “the option of having the applicant’s driver’s license photograph captured with a camera that produces a photograph in a format or with a resolution that renders the image quality insufficient for facial recognition.” The bill would require that the state Department of Administration and its Division of Motor Vehicles “shall destroy or render unusable for facial recognition purposes any photograph captured as a result of an application for a driver’s license ,” and prohibit “bulk sharing of facial images captured a result of an application for a driver’s license.”

HB 389 was introduced by Rep. David Eastman (R-Mat-Su) and is co-sponsored by Rep. Ronald Gilham (R-Kenai/Soldotna). We look forward to its consideration in the state legislature in Juneau, and to the opportunity to testify on this issue, as we did when the Alaska Legislature first debated whether to comply with the REAL-ID Act in 2006, 2007, and 2008, and again in 2017 when it reconsidered its initial choice not to comply.

HB 389 reflects longstanding sentiment in Alaska against compliance with Federal mandates  for ID credentials and sharing of personal information with “outside” entities.

Even the highest official of the Transportation Security Administration in Alaska, the Federal Security Director for the state, has pointed out to his superiors in Washington that many Alaskans live off the road system and don’t need or have drivers licenses. They may be more likely to fly, and to need to fly, than to need to drive. They don’t want to have to show government-issued papers, which they might not have, in order to do so.

In 2008, Alaska enacted a law that prohibited spending any state funds on implementation of the REAL-ID Act.

Nine years later, though, the Alaska DMV defied the law by uploading information about every Alaskan with a driver’s license or state ID to the SPEXS national ID database that was created as a way  for states to comply with the REAL-ID Act.

That action by the DMV to move Alaska toward REAL-ID compliance was taken “without permission from the legislature,” as Rep. Chris Tuck, Majority Leader in the Alaska House of Representatives, noted in an op-ed published in newspapers throughout the state after the batch upload of Alaskan driver’s license data to SPECS became public. The batch upload took place just as the legislature was scheduled to again consider REAL-ID compliance, and appears to have been an executive and administrative effort to preempt legislative debate.

Officials from the Alaska DMV and the U.S Department of Homeland Security claimed that REAL-ID “compliant” ID would soon be required in order to travel by air, but were unable to provide any basis for this false claim. At one of the legislative committee meeting in 2008, Rep. Tuck himself testified to his colleagues about how he had flown between Juneau and Anchorage with  no ID at all when he accidentally left his wallet in his office.

The Identity Project provided extensive testimony and FAQ’s fact-checking the claims being made by the DHS and the Alaska DMV in support of REAL-ID Act compliance.

A week after we provided Alaska legislators with written testimony about the right to fly without ID, Rep. Jonathan Kreiss-Tomkins, Chair of the State Affairs Committee, passed on a very similar set of questions to TSA officials in Alaska and in Washington, DC. More than a decade after the fact, when the TSA finally responded to one of our FOIA requests, we received copies of TSA internal e-mail messages discussing how to respond to Rep. Kreiss-Tomkins’ questions — but no indication of what, if any, answer was ever provided.

At the end of the 2017 legislative session, however, Alaska legislators reversed their 2008 decision, and authorized the DMV to begin issuing driver’s licenses and ID cards that “comply” with the REAL-ID Act.

From discussion at the public committee meetings we attended, it seemed clear that legislators didn’t like the REAL-ID Act or want Alaska to comply. They didn’t like it that the Alaska DMV had taken matters into its own hands by sending information about all Alaskan drivers and ID card-holders to a private database that’s stored outside Alaska and outside the jurisdiction of any government transparency or oversight laws. But legislators felt powerless to stand up to threats — even illegal threats — from Federal officials.

We welcome the opportunity provided by HB 389 for the Alaska legislature to reconsider its 2017 capitulation to Federal extortion, and reassert Alaskans’ freedom to travel without ID.

Mar 15 2022

How many people fly without REAL-ID?

[Slide from internal TSA presentation, Identity Verification Staffing Support Overview, March 2017, released in response to FOIA request by the Identity Project.]

As of 2016, almost 2,000 people a day were allowed through TSA checkpoints at US airports either without showing any ID at all, or with other forms of ID that the TSA or its contractors initially considered “unacceptable”. 

According to an internal TSA presentation, there were 149,068 calls (an average of 407 per day) for “ID Verification” to the TSA’s ID Verification Call Center (IVCC) in 2016.

The previous year, 2015, there were 112,016 such calls (an average of 306 per day).

Each of these calls presumably corresponds to a person seeking to fly without ID, or with ID that was initially deemed unacceptable by checkpoint staff.

These are just the people who were required to go through the TSA’s “ID verification” questioning for people with no ID. The TSA estimates — based on a smaller sample of incident reports for a 13-day period in February 2016 — that  an additional 1575 people per day are allowed to fly with “other forms of” ID that are initially deemed unacceptable, for a total of just under 2,000 people per day who fly with no ID or unacceptable ID.

These numbers are from records recently released by the Transportation Security Administration in response to one of our Freedom Of Information Act requests.

This is a substantial increase from the most recent figures previously released by the TSA.

Read More

Sep 15 2021

DHS must explain failure to release e-mail files

In a victory for the Freedom Of Information Act (FOIA), an Administrative Law Judge (ALJ) has ruled that the Department of Homeland Security (DHS) must either disclose records of e-mail messages which we requested in the “native” file formats in which they are held on DHS servers or archival storage media, or must “demonstrate with sufficient justification that they cannot produce the documents in their original fully digital version.”

This ruling was made in response to an administrative appeal by the Identity Project of the DHS (non)-response to a FOIA request we made in 2016 for the reports submitted to the DHS each month on how may people attempted to enter Federal facilities without ID or with ID deemed “noncompliant” with the REAL-ID Act of 2005, and what happened to these people. How many were eventually allowed to enter, and how many were turned away?

Read More

May 17 2021

ACLU: “Digital IDs Could Be a Nightmare”

As the U.S. Department of Homeland Security is soliciting proposals from vendors for how to put digital versions of drivers licenses and other ID credentials on smartphones, the ACLU has released a timely and insightful white paper, Identity Crisis: What Digital Driver’s Licenses Could Mean for Privacy, Equity, and Freedom, by Jay Stanley of the ACLU Speech, Privacy, and Technology Project, along with an executive summary in the form of a blog post, Digital IDs Might Sound Like a Good Idea, But They Could Be a Privacy Nightmare.

The ACLU white paper links to some of our research and reporting and highlights many of our concerns with compelled identification, the REAL-ID Act, invisible virtual checkpoints, ID-based blacklists and controls on what we are and aren’t allowed to do, and the role of AAMVA and other “private” entities as outsourced, opaque, unaccountable, creators of ID “standards” that function as de facto laws and regulations that govern our movements and activities, but that are adopted in secret, exempt from the Freedom Of Information Act or other transparency laws, and lack basic privacy protections. or respect for rights recognized by the U.S. Constitution and international human rights treaties.

We encourage readers interested in these issues to read the ACLU white paper in full. But here’s an excerpt form the introduction to the white paper, framing the issue:

Read More

Apr 27 2021

DHS extends REAL-ID airport enforcement “deadline” again

The Department of Homeland Security has once again postponed its self-proclaimed “deadline” for enforcement of the REAL-ID Act at airports, this time from October 1, 2021, to May 3, 2023.

The latest postponement proves, once again, that the dates of the DHS threats to begin “enforcing” the REAL-ID Act at airports are as changeable as the dates in any of the threats made by extortionists or kidnappers. Today’s DHS press release is more like a ransom note than a legal notice: “If you get an ID we deem acceptable, we might not harass you as much when you fly, and we might allow you to exercise your right to travel.”

It remains unclear what enforcement of the REAL-ID Act at airports might mean. No law requires air travelers to have any ID, and the REAL-ID Act doesn’t change that.  The Transportation Security Administration recently posted a video showing how you can fly without ID.  But today’s DHS press release implies that the DHS is contemplating denying passage through TSA checkpoints at airports to travelers who don’t have, don’t carry, or don’t chose to show ID credentials that the DHS and TSA deem “compliant” or “acceptable”:

Beginning May 3, 2023, every air traveler 18 years of age and older will need a REAL ID-compliant driver’s license or identification card, state-issued enhanced driver’s license, or another TSA-acceptable form of identification at airport security checkpoints for domestic air travel.

Since this is a press release, not a bill proposing new legislation or a notice of proposed new regulations, it doesn’t need to say what legal basis there might be for this claim. But so far as we call tell, there is none.

The DHS recently tried to get Congress to exempt its implementaton of the REAL-ID Act from standard Federal rules notice and approval. But Congress turned down the DHS proposal for exemption of REAL-ID implementation from the Administrative Procedure Act and the Paperwork Reduction Act. The DHS has not yet begun any of the notice and approval procedures which would be required before it could impose new restrictions or requirements for air travel on the basis of the REAL-ID Act.

We expect that today’s press release will be followed by a formal rulemaking notice that merely changes the REAL-ID threat date. But such a rulemaking will neither clarify what action is really being threatened  (i.e what the TSA will really do when travelers continue to show up at TSA checkpoints without “compliant” ID), clarify what the purported legal basis would be for that action, nor, in itself, create a legal basis for any such action.

Today’s DHS press release says that the change in the “deadline” will give states and individuals more time to “comply” with the REAL-ID Act. But compliance with the REAL-ID Act was, and still is, optional for both states and individuals. What the postponement by the DHS of its self-imposed “deadline” really does is give the DHS itself more time to come up with a legal justification for its threatened actions — or to withdraw its baseless threats. It also gives Congress more time to repeal the REAL-ID Act.

Don’t be intimidated by DHS and TSA threats. Regardless of what self-imposed DHS deadlines come and go, with how many more postponements, you will still have the same right to travel without ID that you have now.

Apr 21 2021

DHS wants to put REAL-ID drivers licenses on smartphones

The Department of Homeland Security has published a Request For Information (RFI) from vendors and other stakeholders regarding standards for drivers licenses and other IDs stored on smartphones or other mobile devices to be considered compliant with the REAL-ID Act of 2005.

Responses to the RFI are due by June 18, 2021.

The amendments to the REAL-ID Act signed into law at the end of 2021 included provisions authorizing the DHS to certify digital ID credentials as “REAL-ID compliant”. That certification can’t happen, though, until the DHS promulgates new regulations.

The RFI published in the Federal Register this week is not formerly part of such a rulemaking, but appears to be part of the preparations for it.

A “mobile ID” would consist of a certificate digitally signed by a state department of motor vehicles. The RFI contemplates a process through which “individuals would electronically send identity verification information to the DMV to establish their identities and ownership of the target device.” No explanation or justification is provided for why or how a digitally-signed certificate would be, or should be, bound to a specific device, rather than simply provided as a file that can be stored on any digital device or storage medium.

It’s just as easy to loan a smartphone or other mobile device to another person whose appearance is similar as it is to loan a physical ID card to another person.

A drivers license rarely needs to be displayed, and in the form of a wallet-sized plastic card it  can be kept in a relatively secure pocket or compartment of a purse. A smartphone, in marked contrast, is likely to be frequently consulted and carried in a location on one’s person that is much more exposed and vulnerable to snatch-thieves than one’s wallet.

A smartphone is already, for many people, vulnerable as a single point of failure for identity and password management. Binding a digital ID to a specific smartphone appears likely to increase the risk and exacerbate the consequences of smartphone theft as a method of identity theft.

The RFI says that the DHS is considering incorporating the American Association of Motor Vehicle Administrators Mobile Driver License (mDL) Implementation Guidelines (April 2019) in the DHS standards and regulations, and the DHS seeks comments on those AAMVA guidelines. But those AAMVA guidelines are posted only on the “members-only” portion of the AAMVA website, and aren’t available to the public.

In the past, when we reposted specifications for the AAMVA’s national REAL-ID database that AAMVA had posted for years on the public portion of its website, AAMVA not only moved those specifications to to the members-only portion of its website, but asserted their copyright and threatened us with litigation to get us to take them off our site.

The DHS notice purporting to invite the public to submit comments on a secret document, not available to the public, that might be incorporated into DHS regulations, exemplifies everything that is wrong with both secret law and the outsourcing of “lawmaking” to entities such as AAMVA that are nominally private and not subject  to Federal or state freedom of information, public records, or open meetings laws.

There’s no indication in the RFI as to when or how the DHS plans to move forward with the separate rulemaking and approval procedures that will be required if it is to follow through on its threats to start turning away would-be air travelers at TSA checkpoints if they don’t have REAL-ID approved ID or don’t have or show any ID.