Today the Identity Project submitted our comments to the Transportation Security Administration (TSA) on the TSA’s proposed rules for “mobile driver’s licenses”.

The term “mobile driver’s license” is highly misleading. The model Electronic Credential Act drafted by the American Association of Motor Vehicle Administrators (AAMVA) to authorize the issuance of these digital credentials and installation (“provisioning”) of government-provided identification and tracking apps on individual’s smartphones provides that, “The Electronic Credential Holder shall be required to have their Physical Credential on their person while operating a motor vehicle.”

So the purpose of “mobile driver’s licenses” isn’t actually licensing of motor vehicle operators, as one might naively assume from the name. Rather, the purpose of the “mobile drivers license” scheme is to create a national digital ID, according to standards controlled by the TSA, AAMVA, and other private parties, to be issued by state motor vehicle agencies but intended for use as an all-purpose government identifier linked to a smartphone and used for purposes unrelated to motor vehicles.

We’ve seen the ways that government-mandated tracking apps on citizens’ smartphones are used by the government of China, and that’s not an example we want the US to follow.

AAMVA’s website is more honest about the purpose and planned scope of the scheme: “The mobile driver’s license (mDL) is the future of licensing and proof of identity.”

As we note in our comments:

The fact that the TSA seeks to require the installation of a government app on a mobile device of a certain type suggests that the government has other purposes than mere “identification”, such as the ability to track devices as well as people. But we don’t know, because we haven’t been able to inspect the source code for any of these apps.

Most of the details of the TSA proposal remain secret, despite our efforts to learn them. So our comments focus on the unanswered questions about the proposal, the deficiencies in the TSA’s “notice”, and the TSA’s failure to comply with the procedural requirements for consideration of proposed regulations and for approval of collections of information from members of the public — which the TSA is already carrying out illegally, without notice or approval, with digital ID apps that state agencies are already installing on smartphones:

By this Notice of Proposed Rulemaking (NPRM), the Transportation Security Administration (TSA) proposes to establish “standards” (which are not included in the NPRM and not available to the public) for a national digital ID to be used by Federal agencies in an unknown range of circumstances for unknown purposes (also not specified in the NPRM, and for which the notices and approvals required by law have not been provided or obtained).

The NPRM, which includes a proposal to incorporate by reference numerous documents which are not included in the NPRM and have not been made available to would-be commenters who have requested them, fails to provide adequate notice of the proposed rule or opportunity to comment on the undisclosed documents proposed to be incorporated by reference. It violates the regulatory requirements for incorporation by reference of unpublished material….

The proposed rule would also implicitly incorporate the Master Specification for State Pointer Exchange Services (SPEXS) published by the American Association of Motor Vehicle Administrators (AAMVA), which is not included or mentioned in the NPRM or publicly available and which AAMVA has actively attempted to remove from public availability….

The NPRM purports to include an analysis, pursuant to the Paperwork Reduction Act (PRA), of “the information collection burdens imposed on the public,” and claims to have requested approval for these information collection from the the Office of Management and Budget (OMB). But both the NPRM and the request for OMB approval omit any mention of the collection of information from individuals that occurs each time a “mobile ID” is “presented” and an app on a mobile device interacts with TSA or other Federal agency devices or servers….

What data fields will be collected when a TSA or other Federal agency device interacts with a mobile ID app on an individual’s device? We don’t know. What code will an individual be required to allow to run on their device, and with what privileges? We don’t know, although this could be critical to the risks and potential costs to individuals if, for example, they are required to allow closed-source code to run on their devices with root privileges.

From which people, how many of them, in what circumstances, and for what purposes, will this information be collected? We don’t know, although all of this is required to be included in an application for OMB approval of a collection of information….

What will individuals be told about whether these collections of information are required? We don’t know this either, although this is a required element of each PRA notice, because the TSA provides no PRA notices to any of those individuals from whom it collects information at its checkpoints, including information collected from mobile IDs.

As the TSA itself has argued in litigation, no Federal statute or regulation requires airline passengers to show ID. And hundreds of people pass through TSA checkpoints and board flights without showing ID every day. An accurate submission to OMB, and an accurate PRA notice (if approved by OMB), would inform all individuals passing through TSA checkpoints that ID is not required for passage. But instead of providing OMB-approved PRA notices at its checkpoints in airports, the TSA has posted or caused to be posted knowingly false signage claiming that all airline passengers are “required” to show government-issued ID credentials. Individuals incur substantial costs as a result of these false notices, particularly when individuals without ID forego valuable travel in reliance on deliberately misleading signs that ID is required.

Where did this TSA proposal come from? In 2021, the TSA’s parent agency, the Department of Homeland Security (DHS), published a request for information about mobile IDs from potential vendors and other interested parties.

Comments criticizing the concept were submitted by, among others, the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF) & Electronic Privacy Information Center (EPIC) and the National Immigration Law Center (NILC) and others. The ACLU also released a detailed white paper on the dangers of mobile IDs.

Much of the content of the proposal consisted of third-party “standards” which the DHS proposed to incorporate by reference. If incorporated by reference into Federal regulations, those standards would have the same force of law as the rest of the regulations. But many of the standards proposed for incorporation by reference weren’t publicly available.

The DHS re-opened the comment period and made some of the non-public standards available for inspection (but not copying), under restrictive conditions, for a limited time.  In response, NILC submitted follow-up comments detailing and criticizing the difficulty of accessing the material proposed to be incorporated by reference.

Following this 2021 trial balloon, the DHS assigned the project to the TSA , or at least the TSA now claims that it did so. The delegation by the DHS to the TSA of authority to issue REAL-ID Act regulations has not been made public, and would be of questionable validity.

Undeterred by the procedural and substantive criticisms of the DHS proposal, the TSA has now proposed regulations that would formalize the incorporation by reference of numerous non-public standards into the binding rules for digital IDs.

According to the Notice of Proposed Rulemaking (NPRM) by the TSA:

[T]his rulemaking proposes to amend § 37.4 by incorporating by reference… nineteen standards and guidelines. All proposed incorporation by reference material is available for inspection at DHS Headquarters in Washington DC, please email requesttoreviewstandards@hq.dhs.gov.

However, as we report in our comments:

In a diligent effort to obtain the material proposed to be incorporated by reference, we sent email messages requesting access to this material to requesttoreviewstandards@hq.dhs.gov on September 8, September 20, September 29, and October 9, 2023.

We have to date received no response whatsoever to any of these messages.

The claim in the NPRM that, “All proposed incorporation by reference material is available for inspection at DHS Headquarters in Washington DC”, is unverifiable, vague, and unhelpful. It does not specify at which of the many DHS locations in Washington, DC, the material proposed for incorporation by reference might be available, during what hours, or through what procedures. Most DHS building are not open to the public, or are open only by appointment and on condition of showing ID deemed compliant with the REAL-ID Act of 2005….

Individuals seeking to review this material can’t simply go the specified address, since no address is specified, even if they would be allowed in the door, which they probably wouldn’t. The only way members of the public are instructed to try to obtain this material or find out where or how to inspect it is to send an email message to requesttoreviewstandards@hq.dhs.gov. But… all of our messages to that address have gone unanswered.

In our comments, we recommend that the TSA withdraw its entire proposal. In the meantime:

[T]he TSA has neither sought nor obtained approval from OMB for any collection of mobile ID information from individuals….

In the absence of OMB approval or PRA [Paperwork Reduction Act] notices, all current collections of information from physical or mobile IDs by the TSA, other DHS components, or other Federal agencies are being carried out in violation of the PRA, and must be ended immediately.

Pursuant to the PRA, 44 USC § 3512, and implementing regulations at 5 CFR § 1320.6, individuals have the right to ignore these information collections and to go about their business without responding. And the PRA provides a complete bar to the imposition of any form of penalty or sanction, at any time, for not responding to such an information collection.

The government doesn’t (yet) have the authority to force you to carry a smartphone, or to install tracking apps on it. It has to trick you or scare you into installing them yourself.

Our comments to the TSA are a public service announcement and reminder: You aren’t required to show any ID to travel by common carrier or pass through TSA checkpoints, and you have the right to “Just say no” to any request for information by Federal agents that isn’t accompanied by a notice at the point of information collection that includes a valid OMB Control Number and informs you of whether the collection of information is required.