Brushing off objections from the Identity Project and others, the US Transportation Security Administration (TSA) has issued regulations creating the framework for an all-purpose smartphone-based national digital ID and tracking system.

The TSA’s new rules are piggybacked on the REAL-ID Act of 2005, and are ostensibly standards for what states will have to do to issue digital versions of driver’s licenses or ID cards that the TSA and other Federal agencies will accept for Federal purposes, in circumstances where ID is required by other Federal laws. This doesn’t include airline travel, for which no ID is legally required, although the TSA keeps lying about this.

The TSA’s new rules provide that acceptable digital IDs can only be issued to individuals who already have physical driver’s licenses or state-issued ID cards. And individuals are still required by standard state laws to “have their Physical Credential on their person while operating a motor vehicle”, even if they also have a digital ID on their smartphone. So this regulatory scheme isn’t really about driver’s licenses at all. It’s about pressuring states to move from uploading information about all their residents to a national ID database to putting a digital tracking app with a state-issued identifier on each resident’s smartphone.

We’ll have more to say in our next article about some of the ways this might be used for surveillance and control of individuals’ activities in the physical and online realms.

The TSA dismissed out of hand our suggestion that an individual could be provided with a digitally-signed file (signed by a government agency) containing the same information as is contained on a physical license or ID card. Such a  file could be carried on any sort of device and presented over any sort of connection. Instead, the TSA’s new rules require that a digital ID must be “provisioned” through an app on a smartphone. The smartphone must be “bound” to an individual (how is this possible?) and must have bluetooth-low energy (BTE) radio connectivity enabled so that the app containing the digital ID can be remotely interrogated by the government (perhaps without the user’s knowledge).

How will this work? What else will these apps do? In what situations, and for what purposes, will these apps and digital IDs be required? We don’t really know.

Many of the details of the new Federal standards for smartphone-based government ID and tracking apps remain secret. The TSA’s new rules incorporate by reference thousands of pages of standards issued by nongovernmental entities, which now have the force of Federal regulations but which haven’t been published in the Federal Register. 

These third-party documents incorporated by reference into the TSA’s regulations include versions of the specifications for machine-readable passports adopted by the International Civil Aviation Administration (ICAO), and specifications for driver’s licenses adopted by the American Association of Motor Vehicle Administrators (AAMVA).

ICAO and AAMVA have routinely been used by the US and other governments as outsourced, opaque venues for policy laundering of ID requirements that evades transparency and accountability rules applicable  to rulemaking by government agencies. AAMVA has fought to prevent public access to its specifications for the REAL-ID database.

The TSA falsely claimed in its Notice of Proposed Rulemaking (NPRM), and again falsely claims in its final rule, that these documents are available from AAMVA and ICAO through their respective websites. But in both cases, the versions incorporated by reference into the TSA’s regulations are obsolete versions (one was adopted in 2006) that have been rescinded, revised, or replaced. These out-of-print versions are no longer available from AAMVA or ICAO, either in digital or printed form, even to those willing to pay. Organizations like AAMVA and ICAO typically promote and distribute only their current standards.

Some of the URLs in  the Federal Register notice for material incorporated by reference into the rules give “file not found” errors. Others URLs in the notice lead to different versions (typically more recent ones) than those incorporated into the rules. All this is, of course, normal. Web content is dynamic, and there’s no reason to expect that the same content will be retrieved each time one revisits the same URL, perhaps months or years later.

In its NPRM, the TSA claimed that “All proposed incorporation by reference material is available for inspection at DHS Headquarters in Washington DC, please email requesttoreviewstandards@hq.dhs.gov.” It would have been extraordinarily burdensome to have to travel to Washington, DC, to find out what the TSA was proposing. But even that wasn’t possible: our repeated requests sent to the email address in the NPRM all went unanswered, and we never found out at which DHS building this material was supposedly available. We strongly suspect that it was never made available at any DHS facility.

In its final rule, the TSA acknowledges that our requests for access to the content incorporated by reference in the proposed rule weren’t answered. But the Director of the Federal Register, apparently not bothering to test the veracity of the TSA’s claims, and ignoring the comments we filed pointing out their falsehood, wrongly certified that all of this material was “reasonably available” to those who might be affected.

In its final rule, the TSA now claims that, “All approved incorporation by reference (IBR) material is available for inspection at the Transportation Security Administration (TSA) and at the National Archives and Records Administration (NARA).” We’ve contacted both the TSA and NARA to find out if this is true, and if so what the provisions for access are.

We’d like to know, and to tell you, what these rules require. Last year, the Court of Appeals for the D.C. Circuit upheld a ruling that it was fair use to copy standards incorporated by reference into laws, and distribute them online. But we can’t assess, much less copy or distribute, these rules unless we can get access to them in the first place. As of now, it’s unclear whether the out-of-print documents incorporated into the TSA’s new rules, defining with the force of law what ID will be acceptable, are available anywhere.

The uncertainty as to what information the government will collect through these ID apps is exacerbated by the TSA’s failure to go though the notice and approval process required by the Paperwork Reduction Act before any systematic collection of information by a Federal agency from members of the public.

We pointed out this requirement in our comments on the proposed rule. You can show an ID card to a government agent, and they can inspect it, without them recording any of the information on it. But when the government retrieves personally identifying information from a smartphone or other digital device, that necessarily constitutes a “collection of information”. The TSA dismissed this objection, howevere, claiming without explanation that retrieving an individual’s unique identifier and other personally identified data from their smartphone is not a “collection of information”.

The only substantive change made by the TSA from the rules it proposed a year ago to those it has now finalized is that states will be allowed to issue digital IDs corresponding to physical REAL-ID compliant cards, and acceptable for Federal purposes, even if they also issue digital IDs flagged as corresponding to noncompliant cards. But to comply with the REAL-ID act, states will still be required to upload information about holders of all IDS, incluidng noncompliant IDs, to the national REAL-ID database. Trying to opt out of REAL-ID by getting a noncompliant license or state ID remains a deceptive sham — information about you will still be included in the national REAL-ID database.