CDT Joins Civil Society Partners in Comments to the TSA on Mobile Driver’s Licenses

This week, CDT joined the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF), and Electronic Privacy Information Center (EPIC) in filing comments with the Transportation Safety Administration (TSA) on its proposed rules for REAL ID and mobile driver’s licenses (mDLs).

The TSA proposes to grant waivers of REAL ID requirements to states that choose to offer mobile driver’s licenses – a digital version of your state-issued ID, presented with a smartphone – incorporating a set of standards, most notably the International Organization for Standardization (ISO) 18013-5 standard for mDLs presented to other devices. This would let some people present their identification to the TSA in airport security lines with a smartphone app and carry their plastic driver’s license. 

Technical standards may be useful to incorporate by reference, when those standards were developed through an open, multistakeholder process and where that process was procedurally legitimate and included adequate participation from the public and from public interest advocates. CDT regularly engages in such open processes for technical standard-setting for the internet and the web, specifically to bring full review of the implications for privacy and civil liberties of technologies that may be foundational. But neither those procedural nor substantive protections are present in this particular standard that the TSA would effectively endorse. These standards were developed behind closed doors, among a secret group of governments and organizations. They have not received the necessary public review and accountability for a technology that will affect how people interact with their government and use government-issued credentials.

We agree with the TSA that there is a need for strong security, privacy, and interoperability of standards for digital identity credentials. As standards for digital credentials are developed, we plan to be deeply engaged with colleagues in civil society and industry in identifying the necessary protections for privacy and equity for any system for presenting government-issued credentials, whether in-person or online. But as technology here is rapidly evolving, and there is no urgent need to use smartphones as backup driver’s licenses in airport security lines, rulemaking that apparently endorses some particular solution is unnecessary and may inhibit the better digital identity system we would all prefer to see.

In short, these rules are premature, with potential repercussions on privacy and civil liberties, not just in airport security lines, but in how people present identification in every town and city, as well as online.

Read the full comments.