Miss a day, miss a lot. Subscribe to The Defender's Top News of the Day. It's free.

Critics of a Transportation Security Administration (TSA) proposal to waive certain federal law requirements for digital driver’s licenses say the TSA’s plan would rapidly expand the use of digital licenses in the U.S. before appropriate privacy safeguards are in place.

The American Civil Liberties Union (ACLU) and three other leading civil rights and privacy organizations recently filed legal comments objecting to the proposal. Summarizing the groups’ concerns, Jay Stanley — an ACLU senior policy analyst — said:

“The TSA is threatening to prematurely lock in a harmful digital identity system that allows ID card issuers to track where people show their ID, fails to include a number of important privacy protections, and fails to ensure that the system is free from the control of particular private corporations.”

The proposed digital driver’s licenses, commonly called “mobile driver’s licenses” or “mDLs,” would be accepted by federal agencies for official purposes.

Instead of holding digital IDs to rules set by federal law — in this case, the REAL ID Act and the REAL ID Modernization Act — the TSA wants to impose rules “drawn from various federal government information technology standards and standards proposed by private industry groups,” Stanley said.

If the TSA moves forward with what it has proposed, the agency could “force a bad digital ID system on America,” Stanley said. “In short, whatever rules the TSA comes up with for federally compliant digital IDs will force the states to comply and are likely to govern what the nation ends up with.”

Other civil liberties advocates who spoke with The Defender — including attorney John Whitehead — cautioned that any digital ID system adopted in the U.S. would likely be used by the government to control its citizens.

Whitehead said the ACLU and its ally organization were “correct” in urging the TSA to slow down, but that the goal should not be just to slow down the transition to digital IDs.

“Citizens should resist any measure to roll out digital IDs,” Whitehead said, “because governments — and the corporations they partner with — will ultimately use them to take control.”

He added, “Anything we do to fight back against that, I say let’s do it.”

‘What’s the hurry?’

In addition to the ACLU, the other commenting organizations were the Center for Democracy & Technology, the Electronic Privacy Information Center and the Electronic Frontier Foundation.

In their comments, the organizations said U.S. citizens are not pushing for quick adoption of digital IDs:

“We ask: what’s the hurry? There is no popular demand driving TSA adoption of mDLs, and no reason to rush into incorporating them into the airline security process — especially given that doing so will have repercussions far beyond the airport context.”

The TSA is proposing to “shortcut” the process of developing rules that would protect people’s privacy, they said.

The REAL ID Modernization Act requires that “driver’s licenses stored or accessed via electronic means, such as a mobile or digital driver’s licenses” must have been “issued in accordance with regulations prescribed by the Secretary.”

Such regulations have yet to be written, they said.

Rather than waiting for those rules to be written, the TSA is proposing to adopt interim digital ID rules “that run the gamut from secretive privately developed standards and industry guidance to long-standing federal guidance documents that were not written with digital identity systems in mind,” the organizations said.

For example, Stanley said, one of the main standards the TSA is proposing to use “was created behind closed doors by a secretive committee at the International Standards Organization (ISO).”

“So far as I can tell,” he said, the ISO’s committee “was made up of representatives of U.S. security agencies like DHS [U.S. Department of Homeland Security], tech giants and authoritarian governments.”

Stanley said the ISO’s standard is flawed. He noted:

“It would allow for IDs that ‘phone home’ to the DMV [Department of Motor Vehicles] (or its corporate contractor), allowing tracking of where, when, and to whom you are showing your ID, and still lacks many important components that could protect privacy.

“Missing components include, for example, standards governing the design of digital wallets and their privacy protections, protections for data stored on the phone, mechanisms for the ID holder to receive information about the legitimacy of the requester, and provisioning (the process states use to install an mDL in people’s wallets).”

The TSA — which in early 2022 began piloting digital IDs for checking in at some airports — did not respond to a request by The Defender for comment on critics’ concerns.

An Electronic Frontier Foundation spokesperson told The Defender, “We generally don’t expect agency responses in situations like these where many organizations are filing many such comments.”

Attorney Greg Glaser was not surprised the TSA is pushing for a rapid rollout of digital IDs. “The TSA has been a frequent privacy offender ever since the Patriot Act,” he told The Defender.

TSA partnered with Apple for ‘unclear and puzzling’ reasons

Meanwhile, Bloomberg Law this fall reported that states are already “becoming laboratories” for testing various mDLs. For example, California has an mDL with an age-verification capability that gives users the option to show a scannable QR Code when making purchases at certain retailers.

The commenting organizations warned the TSA that expanding the use of digital IDs now would likely give certain corporations a great deal of influence:

“We have grave concerns over reports that the TSA has entered into contracts that give Apple Inc. significant power over the implementation of mDL checkpoints.

Documents obtained by a journalist indicate, for example, that for unclear and puzzling reasons the TSA signed over to Apple the agency’s patents governing the operation of its airport mDL checkpoints.”

If and when the U.S. moves forward with a digital ID system, they said, “there must be no one corporation, or small handful of corporations, that Americans are de facto required to deal with in order to participate.”

Whitehead criticized the TSA for playing a “big money game” in which the government works with corporations to suit its desire for control, at the expense of people’s freedom and privacy.

“They may say it’s for safety,” he said. “They use anything they can to take control.”

Michael Rectenwald, Ph.D., author of “Google Archipelago: The Digital Gulag and the Simulation of Freedom,” agreed. He told The Defender:

“While the ACLU is most concerned with the ‘corporate’ exploitation of digital identity for commercial ends, the most significant danger of digital identity lies in the surveillance, tracking and control functions that it affords the State.

“With digital identities, citizen-subjects would surrender to the State complete transparency over their every move, allowing themselves to be tracked from the cradle to the grave.”

Digital ID is likely subject to what Rectenwald called “function creep.” He said:

“While it may begin as mere identification … new elements can and likely will be added. These functions could include vaccine status, social and political profiles, as well as connection to central bank digital currency (CBDC).”

This could create a situation in which the government not only tracks its citizens but exerts control over people’s money. “Political dissidents could be controlled or even banished from the economy altogether,” Rectenwald said.

‘We need to make sure it remains voluntary’

Indeed, a 2021 ACLU report on what digital driver’s licenses could mean for privacy, equity and freedom said Americans should not assume the potential transition from hardcopy to digital would be “neutral and harmless.”

The report noted:

“As with some other technologies like voting systems — where digital-only is not just inferior but potentially disastrous, and is being phased out in most places — digital IDs can bring distinct disadvantages over old-school hard copies, and those need to be thought through carefully.

“In particular, if we are to accept a digital ID system, we need to make sure it remains voluntary and has the strongest possible privacy protections.

“Although the state of privacy online and off is already pitiful in many ways, there is plenty of room for a poorly constructed digital identity system to make things worse and leave us looking back on today’s world with a feeling of loss over the freedom, anonymity, and lack of regimentation we once had.”

Rectenwald said, “The threat of digital identity is not merely to privacy per se, but to freedom itself.”