May 17 2021

ACLU: “Digital IDs Could Be a Nightmare”

As the U.S. Department of Homeland Security is soliciting proposals from vendors for how to put digital versions of drivers licenses and other ID credentials on smartphones, the ACLU has released a timely and insightful white paper, Identity Crisis: What Digital Driver’s Licenses Could Mean for Privacy, Equity, and Freedom, by Jay Stanley of the ACLU Speech, Privacy, and Technology Project, along with an executive summary in the form of a blog post, Digital IDs Might Sound Like a Good Idea, But They Could Be a Privacy Nightmare.

The ACLU white paper links to some of our research and reporting and highlights many of our concerns with compelled identification, the REAL-ID Act, invisible virtual checkpoints, ID-based blacklists and controls on what we are and aren’t allowed to do, and the role of AAMVA and other “private” entities as outsourced, opaque, unaccountable, creators of ID “standards” that function as de facto laws and regulations that govern our movements and activities, but that are adopted in secret, exempt from the Freedom Of Information Act or other transparency laws, and lack basic privacy protections. or respect for rights recognized by the U.S. Constitution and international human rights treaties.

We encourage readers interested in these issues to read the ACLU white paper in full. But here’s an excerpt form the introduction to the white paper, framing the issue:

Read More

Apr 27 2021

DHS extends REAL-ID airport enforcement “deadline” again

The Department of Homeland Security has once again postponed its self-proclaimed “deadline” for enforcement of the REAL-ID Act at airports, this time from October 1, 2021, to May 3, 2023.

The latest postponement proves, once again, that the dates of the DHS threats to begin “enforcing” the REAL-ID Act at airports are as changeable as the dates in any of the threats made by extortionists or kidnappers. Today’s DHS press release is more like a ransom note than a legal notice: “If you get an ID we deem acceptable, we might not harass you as much when you fly, and we might allow you to exercise your right to travel.”

It remains unclear what enforcement of the REAL-ID Act at airports might mean. No law requires air travelers to have any ID, and the REAL-ID Act doesn’t change that.  The Transportation Security Administration recently posted a video showing how you can fly without ID.  But today’s DHS press release implies that the DHS is contemplating denying passage through TSA checkpoints at airports to travelers who don’t have, don’t carry, or don’t chose to show ID credentials that the DHS and TSA deem “compliant” or “acceptable”:

Beginning May 3, 2023, every air traveler 18 years of age and older will need a REAL ID-compliant driver’s license or identification card, state-issued enhanced driver’s license, or another TSA-acceptable form of identification at airport security checkpoints for domestic air travel.

Since this is a press release, not a bill proposing new legislation or a notice of proposed new regulations, it doesn’t need to say what legal basis there might be for this claim. But so far as we call tell, there is none.

The DHS recently tried to get Congress to exempt its implementaton of the REAL-ID Act from standard Federal rules notice and approval. But Congress turned down the DHS proposal for exemption of REAL-ID implementation from the Administrative Procedure Act and the Paperwork Reduction Act. The DHS has not yet begun any of the notice and approval procedures which would be required before it could impose new restrictions or requirements for air travel on the basis of the REAL-ID Act.

We expect that today’s press release will be followed by a formal rulemaking notice that merely changes the REAL-ID threat date. But such a rulemaking will neither clarify what action is really being threatened  (i.e what the TSA will really do when travelers continue to show up at TSA checkpoints without “compliant” ID), clarify what the purported legal basis would be for that action, nor, in itself, create a legal basis for any such action.

Today’s DHS press release says that the change in the “deadline” will give states and individuals more time to “comply” with the REAL-ID Act. But compliance with the REAL-ID Act was, and still is, optional for both states and individuals. What the postponement by the DHS of its self-imposed “deadline” really does is give the DHS itself more time to come up with a legal justification for its threatened actions — or to withdraw its baseless threats. It also gives Congress more time to repeal the REAL-ID Act.

Don’t be intimidated by DHS and TSA threats. Regardless of what self-imposed DHS deadlines come and go, with how many more postponements, you will still have the same right to travel without ID that you have now.

Apr 21 2021

DHS wants to put REAL-ID drivers licenses on smartphones

The Department of Homeland Security has published a Request For Information (RFI) from vendors and other stakeholders regarding standards for drivers licenses and other IDs stored on smartphones or other mobile devices to be considered compliant with the REAL-ID Act of 2005.

Responses to the RFI are due by June 18, 2021.

The amendments to the REAL-ID Act signed into law at the end of 2021 included provisions authorizing the DHS to certify digital ID credentials as “REAL-ID compliant”. That certification can’t happen, though, until the DHS promulgates new regulations.

The RFI published in the Federal Register this week is not formerly part of such a rulemaking, but appears to be part of the preparations for it.

A “mobile ID” would consist of a certificate digitally signed by a state department of motor vehicles. The RFI contemplates a process through which “individuals would electronically send identity verification information to the DMV to establish their identities and ownership of the target device.” No explanation or justification is provided for why or how a digitally-signed certificate would be, or should be, bound to a specific device, rather than simply provided as a file that can be stored on any digital device or storage medium.

It’s just as easy to loan a smartphone or other mobile device to another person whose appearance is similar as it is to loan a physical ID card to another person.

A drivers license rarely needs to be displayed, and in the form of a wallet-sized plastic card it  can be kept in a relatively secure pocket or compartment of a purse. A smartphone, in marked contrast, is likely to be frequently consulted and carried in a location on one’s person that is much more exposed and vulnerable to snatch-thieves than one’s wallet.

A smartphone is already, for many people, vulnerable as a single point of failure for identity and password management. Binding a digital ID to a specific smartphone appears likely to increase the risk and exacerbate the consequences of smartphone theft as a method of identity theft.

The RFI says that the DHS is considering incorporating the American Association of Motor Vehicle Administrators Mobile Driver License (mDL) Implementation Guidelines (April 2019) in the DHS standards and regulations, and the DHS seeks comments on those AAMVA guidelines. But those AAMVA guidelines are posted only on the “members-only” portion of the AAMVA website, and aren’t available to the public.

In the past, when we reposted specifications for the AAMVA’s national REAL-ID database that AAMVA had posted for years on the public portion of its website, AAMVA not only moved those specifications to to the members-only portion of its website, but asserted their copyright and threatened us with litigation to get us to take them off our site.

The DHS notice purporting to invite the public to submit comments on a secret document, not available to the public, that might be incorporated into DHS regulations, exemplifies everything that is wrong with both secret law and the outsourcing of “lawmaking” to entities such as AAMVA that are nominally private and not subject  to Federal or state freedom of information, public records, or open meetings laws.

There’s no indication in the RFI as to when or how the DHS plans to move forward with the separate rulemaking and approval procedures that will be required if it is to follow through on its threats to start turning away would-be air travelers at TSA checkpoints if they don’t have REAL-ID approved ID or don’t have or show any ID.

Apr 08 2021

TSA posts video showing how you can fly without ID

For years Transportation Security Administration (TSA) and Department of Homeland Security (DHS) officials and their state government collaborators have been repeating the big lie that all airline passengers must have government-issued ID credentials. That lie has been included in TSA and DHS press releases, airport signage, and Tweets from the official DHS and TSA accounts.

This public relations lie has been disclaimed, over and over, in TSA and DHS court filings and sworn testimony. But now it has been contradicted on the TSA’s official Twitter feed.

Tonight the TSA Tweeted a video showing some of the ways you can fly without “acceptable” ID or without any ID at all.

If the TSA deems your ID “unacceptable”, you can still fly if you can show two or more pieces of suitable (according to the TSA’s secret non-rules) although “unacceptable” ID.

The TSA video also shows that even if you have no ID at all, you can fly if your answers to questions relayed by phone by the TSA’s ID Verification Call Center match the information in the (secret) file of information that has been linked to you by the commercial data aggregator Accurint (originally part of the discredited “Total Information Awareness” program but now a division of Lexis-Nexis).

No ID at all, much less “acceptable” ID,  is actually required to fly. So changes in REAL-ID Act regulations or TSA/DHS orders to airlines as to what ID is “acceptable” are irrelevant to whether you have right to fly without ID. Nothing in the REAL-ID Act negates this right.

In the screengrab above (one minute in), the video shows a traveler filling out a copy of TSA Form 415, “Certification of Identity”. The TSA has been using versions of this form illegally since at least 2008, without ever having obtained the approval from the Office of Management and Budget (OMB) required before any collection of information such as this by a Federal agency. The TSA has twice said it intends to seek approval from OMB for Form 415. But in the face of our objections, the TSA has yet to request, much less obtain, that approval. It’s unclear whether when the TSA will actually do so.

To avoid having to give public notice of its planned information collection or respond to our objections, the TSA tried to get Congress to enact a special airport exception from  the Paperwork Reduction Act (PRA). But Congress declined to do so.  It’s unclear whether and if so when the TSA will actually apply to OMB for the required approval, or what additional illegal actions it may try to take in the meantime.

All use of both Form 415 and the associated questioning of travelers continues to be in violation of the PRA. As we noted in 2008 when the TSA first started asking travelers to fill out the form later labeled Form 415, the PRA provides an absolute defense against any sanctions the TSA might try to impose for refusing to fill out this unapproved form or cooperate with the TSA’s “20 questions” game of ID verification security theater.

Travelers can and should say no. Fly without ID, and exercise your right to remain silent.

Mar 18 2021

Laundering Federal funding for the national ID database

The latest response to one of our Freedom Of Information Act (FOIA) requests shows the lengths to which the Federal government has gone to obscure its underwriting of the construction of a national ID database.

Supporters of  a national ID database know that there is resistance to exactly that idea. So they try to pretend that there is no such thing.

They can’t credibly claim that the SPEXS database doesn’t exist, so they try to pretend (1) that this isn’t a national database but merely a distributed national network of state drivers license and ID databases (which it could be, but isn’t, since it includes a national “pointer” database with a record of personal information for each drivers’ license or state-issued ID card), (2) that this State-to-State  network isn’t mandated by Federal law (a clearly false claim, since the Federal REAL-ID Act of 2005 requires that to be “compliant”, each state  must “Provide electronic access to all other States to information contained in the motor vehicle database of the State”), and (3) that this network and database are being built by states, not by the Feds.

The problem with this third and last line of rhetorical defense against opposition to the creation of a national ID database is that much of the funding actually is coming from the Federal government. But the Feds have gone to great lengths to obscure their role in funding the creation of the infrastructure for a national ID scheme.

Here’s how it works:

Read More

Jan 03 2021

REAL-ID Act amended, but DHS doesn’t get the exemptions it wanted

Amendments to the REAL-ID Act of 2005 were included in the Consolidated Appropriations Act of 2021, which was signed into law by President Trump on December 27, 2020.

But somewhere in the sausage-making that saw the REAL-ID Modernization Act and numerous other unrelated measures inserted into the 2,124-page omnibus pandemic relief and appropriations bill, the key provisions sought by the Department of Homeland Security (DHS) were removed from the final bill.

That leaves the DHS still required by existing Federal laws to respond to our objections, to request and obtain approval from the White House Office of Management and Budget (OMB), and to post OMB-approved notices at TSA checkpoints explaining what is required, and on what legal basis, before it can try to deny anyone passage through a checkpoint or travel by common carrier on the basis of their failure or refusal to show ID. Read More

Nov 10 2020

What does REAL-ID Act “enforcement” really mean?

For the last fifteen years, as both Republican and Democratic administrations have come and gone, the US Department of Homeland Security (DHS) has been using the threat of “enforcement” of the REAL-ID Act of 2005 to extort state legislators, governors, and driver licensing agencies into complying with the REAL-ID Act of 2005 and uploading their residents’ drivers license and state-issued ID card data to the national REAL-ID database, “SPEXS”.

The threat has been that the DHS and/or its components (such as the Transportation Security Agency) will harass or turn away residents of noncompliant states when they try to pass through TSA or other Federal checkpoints or enter Federal facilities.

Not wanting to provoke riots or protests at airports, the DHS has repeatedly postponed its arbitrarily self-imposed “deadlines” for REAL-ID enforcement at TSA checkpoints, most recently until October 1, 2021.  And the TSA, despite repeated trial balloons suggesting what new rules it might try to adopt to require ID to fly, has not yet tried to finalize such a  rule. So we don’t really know what, if anything, REAL-ID Act enforcement at airports might mean.

However, the REAL-ID Act has supposedly been being enforced for access to some other Federal facilities for more than five years, starting on October 15, 2015.

We’ve been trying for almost that long to find out what that “enforcement” has really meant, so that we and the public can assess the meaning and impact of the DHS threats.

How many people have been turned away for lack of acceptable or compliant ID, or ID issued by a “compliant” state, when they tried to enter Federal facilities? At what types of facilities has this happened? And for what purposes were these people seeking entry?

Read More

Sep 15 2020

DHS lies again about REAL-ID

As it’s been doing for years, the US Department of Homeland Security (DHS) is still lying about the state of compliance by states with the Federal REAL-ID Act of 2005.

The latest DHS whopper is this DHS press release issued September 10, 2010:

The DHS claims that “All U.S. States [Are] Now Compliant” with the REAL-ID Act. But as we’ve noted many times before, the REAL-ID Act explicitly and unambiguously requires that to be “compliant”, a state must “Provide electronic access to all other States to information contained in the motor vehicle database of the State.”

How many states do that today? At most, 28, not all 50, as shown in the map below:The only mechanism available for states that want to share their drivers’ license databases is the outsourced “State to State” (S2S) system operated by the American Association of Motior Vehicle Administators (AAMVA), a private contractor not subject to the Federal or any state Freedom Of Information Act (FOIA) or other laws proviidng transparency and accountability for government agencies. Despite the misleading name, S2S is not a mechanism for messaging directly from state to state. It’s a centralized system which depends on a central national ID database, SPEXS, aggregated from state drivers’ license and ID data.

Here’s the latest list released by AAMVA of states that are particpating in S2S. Each particpating state has uploaded information about all drivers’  licenses and state ID to SPEXS. Together these 28 states include substantially less than half the U.S. population:

We wish we didn’t have to keep saying, again and again, that the DHS is lying about REAL-ID. But as long as Federal and state agencies keep putting these lies in their headlines, we’re going to keep on pointing out that the emperor (still) has no clothes.

Jul 28 2020

Senate bill would exempt REAL-ID from due process and oversight

Rather than responding to our comments on the latest proposal by the Department of Homeland Security to require ID for airline travel, the DHS has quietly gone to Congress to try to get the law changed so that it doesn’t have to answer us, and to preclude potential litigation to challenge an ID requirement or defend people who try to fly without ID.

A bill introduced earlier this month in the Senate, and already approved in committee, would exempt the implementation and administration of the REAL-ID Act from normal administrative requirements for due process in rulemaking and oversight and transparency in demands by Federal agencies for information.

Included in S. 4133, both as introduced and as amended and reported by the committee, are provisions that would allow the Secretary of Homeland Security, at his or her “discretion”, to issue regulations and administer the REAL-ID Act without regard for the Paperwork Reduction Act (PRA) or the notice-and-comment requirements of the Administrative Procedure Act (APA).

As of now, no comparable bill has been introduced in the House. (Several bills to amend the REAL ID Act are pending in the House, but none of them contain PRA or APA exemptions.) It’s unclear what effect these provisions would have if enacted. All Federal agencies are, of course, still subject to Constitutional requirements for due process. But these provisions of S. 4133  appear to be a direct response to the objections we raised in May 2020 to the latest DHS proposal to impose an ID requirement for airline travel without complying with the PRA or the APA.

Read More

May 19 2020

TSA tries again to impose an ID requirement to fly

Air travel in the US has been reduced by more than 90%, measured by the numbers of people passing through checkpoints at airports operated by the Transportation Security Administration (TSA) and its contractors.

And the Department of Homeland Security (DHS) has postponed its threat to start unlawfully refusing passage to travelers without ID credentials compliant with the REAL-ID Act of 2005 for another year, from October 1, 2020, to October 1, 2021.

So relatively little attention is being paid right now to air travel or TSA requirements — making it the ideal time for the TSA to try to sneak a new ID requirement for air travel (to take effect in 2021) into place without arousing public protest.

Today, in collaboration with nine other organizations concerned with freedom of travel, identification, privacy, human rights, and civil liberties, we filed comments with the TSA in opposition to what is ostensibly a “Notice of intent to request approval from the Office of Mangement and Budget” for a new form, TSA Form 415.

Our comments were joined by the Identity Project, Freedom To Travel USA, Fiat Fiendum, Inc., National Center For Transgender Equality (NCTE), Restore The Fourth, Inc., Patient Privacy Rights, Defending Rights And Dissent, The Constitutional Alliance, Privacy Times, and Just Futures Law.

According to our comments, the TSA is attempting to “use the innocuous-seeming device of a request for approval of an information collection to introduce a fundamental and profoundly controversial change in substantive TSA requirements and the rights of travelers”: Read More