TSA proposes allowing federal acceptance of digital IDs while future requirements are crafted
The coming rulemaking would waive REAL ID Act requirements so that federal agencies can still accept mobile driver's licenses when the law’s implementation starts in 2025.
The Transportation Security Administration will publish a new proposed rule on Wednesday that would temporarily waive requirements that mobile driver’s licenses be compliant with the REAL ID Act in order for federal agencies to accept them when enforcement starts in 2025.
The rule is meant to prevent a situation where federal agencies wouldn’t be able to accept digital driver’s licenses unless they complied with REAL ID Act requirements — something that currently isn’t possible in the absence of federal regulations on the intersection of that 2005 law and the increased use of mobile identification.
The proposed rule would allow agencies to accept mobile driver's licenses — or mDL’s — for official purposes, like boarding airplanes or accessing federal facilities, if states get a TSA waiver certifying the states’ mDLs meet certain requirements.
The new proposed rule is part of a broader, “incremental” set of rules that will ultimately include “comprehensive requirements for mDLs,” TSA says.
The REAL ID Act was passed in 2005 to set up minimum requirements for state-issued driver’s licenses and identification cards, but enforcement has been delayed several times and is currently scheduled to start in 2025. Congress amended the law in 2020 to note that mDLs are also subject to REAL ID Act requirements.
In the proposed rule, TSA states that issuing mDL regulations before 2025 would be “premature… due to the need for emerging industry standards and government guidelines to be finalized.”
The International Organization for Standardization and the International Electrotechnical Commission are currently jointly working on two specifications for mDL’s and digital identity, the rule says.
The National Institute of Standards and Technology is also currently updating its guidance on digital identity and has signaled it will include updates on mDLs.
Still, demand for such digital forms of identification is growing, the proposed rule says.
So far, at least eight states have begun issuing mDLs, according to a July report from the White House’s Office of Information and Regulatory Affairs that previewed the newly proposed rule.
TSA itself is accepting mDLs from some states at select pre-check checkpoints at over 20 airports as part of testing it started in 2022.
The hope is that the proposed rule would not only prevent individuals from arriving at airports and being told that their digital driver’s license can’t be used, for example, but also that the interim waiver requirements give states guideposts so that they don’t invest in mDLs that don’t meet forthcoming REAL ID requirements.
Jeremy Grant — managing director of technology business strategy at Venable and coordinator of the Better Identity Coalition — told Nextgov/FCW via email that although it’s “inspiring” to see TSA doing a “thorough and thoughtful job on the applications of mDLs that are relevant to TSA use cases, namely, using a digital version of your driver’s license to go through a TSA checkpoint,” the proposed regulations are also “frustrating” because of the focus on in-person use cases for mDLs.
“Meanwhile in the online world, we have the equivalent of a raging wildfire of cybercrime and identity theft — with millions of victims and tens of billions of dollars in losses every year — that is being fueled by the lack of any way for Americans to easily prove who they are online,” he continued. “It’s the online applications of mDLs that are critical to stopping this crime — and that, if architected correctly, can not only enhance security but also do it in a way that enhances privacy and equity — but none of those use cases are addressed here.”
Ultimately, “this is not a TSA problem to solve — it's a national one,” Grant said. “The U.S. government needs a comprehensive digital identity strategy.”
Meanwhile, some privacy advocates have urged DHS to move cautiously.
The Electronic Privacy Information Center, or EPIC, wrote in a comment to a 2021 request for information on mDLs that DHS “should take a cautious approach to establishing an mDL standard to ensure that these new systems improve, rather than diminish, individual privacy and autonomy.”
It’s important for DHS to ensure that mDL systems have the “best cryptographic and data security standards to prevent tracking of identity or verification data by third parties,” the comment notes, arguing that standards for mDL systems should “require the minimum necessary amount of information for verification” — a feature that could be an improvement over physical ID’s through the ability to provide the minimum amount of information necessary for a given interaction.
TSA is accepting comments on its new proposed rule through Oct. 14.