In 2021, the Department of Homeland Security started a process of adopting regulations for mobile driver’s licenses. The Transportation Security Administration (TSA) has since begun allowing mobile driver’s licenses as identification at airports, and several states jumped on the bandwagon, offering mobile driver’s licenses through state-sponsored apps or via Apple and Google Wallet. Now, the TSA has proposed new regulations that would waive REAL ID requirements for state-issued mobile driver’s licenses, but privacy advocates including the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) warn this move may put consumers’ personal information at risk.
For instance, they have pointed to the history of digital records for COVID vaccinations, where many government agencies relied on private companies, some of which had terms of service that permitted sharing users’ information with third parties. There is also concern that having disparate systems for storing sensitive identification information would make it easier for bad actors to hack or otherwise improperly use information from mobile driver’s licenses.
These developments undoubtedly mean more convenience for travelers. Yet, the potential applications of mobile driver’s licenses extend far beyond airport security lines. The ACLU, EFF and other organizations have raised concerns, saying the process has been unnecessarily rushed and lacks transparency. These organizations complain that the proposed regulations do not have adequate privacy safeguards, and also, that the privacy standards being cited by the TSA are not generally accessible to the public.
Standards bodies like the International Organization for Standardization and the American Association of Motor Vehicle Administrators have laid down frameworks for mobile driver’s licenses. However, they are far from comprehensive, failing to address what some say are critical issues, such as the potential for mobile driver’s licenses to “phone home” whenever they are scanned. “Phoning home” refers to the automatic sending of data from a device to a remote server, often without the user’s explicit knowledge or consent. At a minimum, this would create a detailed record of a person’s movements and activities, serving as a verified tracking mechanism, potentially infringing upon individual privacy, and also, putting consumers at risk if the servers storing that information are compromised.
The TSA would leave many of those issues concerning the use and storage of information gathered from mobile driver’s licenses up to each state to decide, which could lead to inconsistencies. Adding to their concerns, many of the privacy standards referenced by the TSA were created out of public view and without public scrutiny. All of this, privacy advocates warn, creates opportunities for the misuse and mismanagement of sensitive personal identification information.
Separately, privacy advocates are concerned with the implications of the TSA creating nationwide rules for mobile driver’s licenses. While the TSA has jurisdiction over various transportation systems, its primary and most visible role is in aviation security. Privacy advocates see the TSA’s regulations as an effort to expand its jurisdiction, possibly as a precursor to a national digital identity system, which can create unintended risks.
In sum, several organizations are advocating for a more measured and transparent approach to regulations for mobile driver’s licenses—prioritizing privacy safeguards and including the public in the decision-making process. Now, we will have to wait and see how TSA chooses to proceed.