Today the Identity Project submitted our comments to the Transportation Security Administration (TSA) on the TSA’s proposed rules for “mobile driver’s licenses”.

The term “mobile driver’s license” is highly misleading. The model Electronic Credential Act drafted by the American Association of Motor Vehicle Administrators (AAMVA) to authorize the issuance of these digital credentials and installation (“provisioning”) of government-provided identification and tracking apps on individual’s smartphones provides that, “The Electronic Credential Holder shall be required to have their Physical Credential on their person while operating a motor vehicle.”

So the purpose of “mobile driver’s licenses” isn’t actually licensing of motor vehicle operators, as one might naively assume from the name. Rather, the purpose of the “mobile drivers license” scheme is to create a national digital ID, according to standards controlled by the TSA, AAMVA, and other private parties, to be issued by state motor vehicle agencies but intended for use as an all-purpose government identifier linked to a smartphone and used for purposes unrelated to motor vehicles.

We’ve seen the ways that government-mandated tracking apps on citizens’ smartphones are used by the government of China, and that’s not an example we want the US to follow.

AAMVA’s website is more honest about the purpose and planned scope of the scheme: “The mobile driver’s license (mDL) is the future of licensing and proof of identity.”

As we note in our comments:

The fact that the TSA seeks to require the installation of a government app on a mobile device of a certain type suggests that the government has other purposes than mere “identification”, such as the ability to track devices as well as people. But we don’t know, because we haven’t been able to inspect the source code for any of these apps.

Most of the details of the TSA proposal remain secret, despite our efforts to learn them. So our comments focus on the unanswered questions about the proposal, the deficiencies in the TSA’s “notice”, and the TSA’s failure to comply with the procedural requirements for consideration of proposed regulations and for approval of collections of information from members of the public — which the TSA is already carrying out illegally, without notice or approval, with digital ID apps that state agencies are already installing on smartphones:

By this Notice of Proposed Rulemaking (NPRM), the Transportation Security Administration (TSA) proposes to establish “standards” (which are not included in the NPRM and not available to the public) for a national digital ID to be used by Federal agencies in an unknown range of circumstances for unknown purposes (also not specified in the NPRM, and for which the notices and approvals required by law have not been provided or obtained).

The NPRM, which includes a proposal to incorporate by reference numerous documents which are not included in the NPRM and have not been made available to would-be commenters who have requested them, fails to provide adequate notice of the proposed rule or opportunity to comment on the undisclosed documents proposed to be incorporated by reference. It violates the regulatory requirements for incorporation by reference of unpublished material….

The proposed rule would also implicitly incorporate the Master Specification for State Pointer Exchange Services (SPEXS) published by the American Association of Motor Vehicle Administrators (AAMVA), which is not included or mentioned in the NPRM or publicly available and which AAMVA has actively attempted to remove from public availability….

The NPRM purports to include an analysis, pursuant to the Paperwork Reduction Act (PRA), of “the information collection burdens imposed on the public,” and claims to have requested approval for these information collection from the the Office of Management and Budget (OMB). But both the NPRM and the request for OMB approval omit any mention of the collection of information from individuals that occurs each time a “mobile ID” is “presented” and an app on a mobile device interacts with TSA or other Federal agency devices or servers….

What data fields will be collected when a TSA or other Federal agency device interacts with a mobile ID app on an individual’s device? We don’t know. What code will an individual be required to allow to run on their device, and with what privileges? We don’t know, although this could be critical to the risks and potential costs to individuals if, for example, they are required to allow closed-source code to run on their devices with root privileges.

From which people, how many of them, in what circumstances, and for what purposes, will this information be collected? We don’t know, although all of this is required to be included in an application for OMB approval of a collection of information….

What will individuals be told about whether these collections of information are required? We don’t know this either, although this is a required element of each PRA notice, because the TSA provides no PRA notices to any of those individuals from whom it collects information at its checkpoints, including information collected from mobile IDs.

As the TSA itself has argued in litigation, no Federal statute or regulation requires airline passengers to show ID. And hundreds of people pass through TSA checkpoints and board flights without showing ID every day. An accurate submission to OMB, and an accurate PRA notice (if approved by OMB), would inform all individuals passing through TSA checkpoints that ID is not required for passage. But instead of providing OMB-approved PRA notices at its checkpoints in airports, the TSA has posted or caused to be posted knowingly false signage claiming that all airline passengers are “required” to show government-issued ID credentials. Individuals incur substantial costs as a result of these false notices, particularly when individuals without ID forego valuable travel in reliance on deliberately misleading signs that ID is required.

Read More →