I really admire these folks for standing on a worthy principle. I also dig the performance art vibe of showing up at the TSA headquarters without an ID to read a deeply nested tree of paper documents about IDs. If you're going to joust windmills, these are some good windmills to joust.
Depending on your perspective on security theater, it might be appropriate to observe that a TSA building as exactly as much security as the TSA is capable providing itself.
I think it's reasonable. Not the exact details of this installation necessarily. The reality is that there are a bunch of people that want to lash out at the government for whatever reason, and the civil servants that just want to do their job shouldn't be put in a dangerous situation by allowing those people to walk into their offices unimpeded. If you believe that the agency shouldn't exist, lobby Congress. Don't take it out on people that just want to do their assigned administrative work for 8 hours a day.
Some security precautions are understandable in my opinion. (I don't think the ID requirement is reasonable. Take and store a photograph, deleted after 3 months, and make people go through a metal detector. Also, put the ID requirement documents online. It's free.)
> These mobile driver’s licenses (mDLs) will be issued by state driver’s license agencies, but the standards incorporated into the TSA rule require that they be deployed through smartphone platforms (i.e. Google and/or Apple) and operate through government apps that collect photos of users and log usage of these credentials.
This is really disturbing in a number of different ways. It's bad enough to have the government requiring you to have a government-approved smart phone, but on top of that it's the logging and data analysis wet dream that authoriarian governments the world over could have only dreamed of.
> mDL apps will be required to log each time a digital ID is presented, and to whom. This is described as a measure to protect ID-holders’ privacy, despite the obvious risk posed by police or others being able to know when and to whom you have shown your ID.
Even worse, the whole thing is a cash cow for Idemia and a couple of other companies, who probably alt wrote the secret rules to benefit their company and prevent competition.
It gets worse. In US most of the bigger corps institute some sort of means to authenticate you via cellphone, which means that if you want to be remote, phone is effectively a necessity ( which one usually does ). Only a year ago, it was still possible to avoid having to have a cell ( although that meant you had to be in person -- an interesting trade off in itself ).
At my last workplace, I somehow managed to get away with only Microsoft Authenticator on my phone, with no actual remote management capabilities enabled. That's pretty much exactly where I draw the line: if I have to have a device to perform work functions, the workplace needs to supply it. I'm not going to put work data on my personal machines, and I'm definitely not letting a third party root my phone for me "for sekhurity", and apply work policies on my personal device. I'm okay with work 2FA on my phone, but only without MDM, as an exception for where otherwise there's no reason for me to have a work phone.
A company I previously worked for had a policy that if you had any company data on your phone, they had the right to force you to unlock it and look through it (not sure if they ever actually did but it was in the employee handbook). When IT tried introducing a system that required me to Auth with my phone I refused, citing the policy, and they helped me setup a workaround Yubikey.
Might not be possible everywhere but worth a shot. Also always helps to make friends in IT.
Most places can issue you with a physical token instead, like a Yubikey.
It's just unusual, so the first line in helpdesk don't always know about it. And people seldom want to start a battle with the bureaucracy on their first day on the job...
No need to get worked up. You can get a RealID compliant driver's license (plastic credit card sized item) or state ID (ditto) You don't need a smart phone.
>You can get a RealID compliant driver's license (plastic credit card sized item) or state ID (ditto) You don't need a smart phone.
For now.
You used to be able to pay for parking without downloading an app. You used to be able to buy dynamite without doxing yourself to the feds (something that you don't really think is all that important until you have to clear a lot of forested land and the reality of your options for dealing with stumps and boulders becomes clear).
That's the technological ratchet at work, as it has been since the dawn of humanity. A solution that's convenient or useful enough to gain wide adoption has a way of becoming a soft necessity, and eventually a hard one. Some examples that meaningfully affected our lives[0], in many ways not for the better:
- An accurate clock / watch -- hard necessity. Good luck functioning in society without it. Opening hours, appointments, public transit schedules, are just few among many things synchronized in time, that expect you to have a clock so you can stay in sync too. And no, you can't get away with a rooster or a sundial, like you could 200 years ago - you need precision of at least a minute.
- A car -- somewhere between hard and soft necessity, depending on where you live. The society expects you to be able to commute long distances in short time, for things like work, medical services, or government appointments.
- Mobile phones, Internet, credit/debit cards -- soft necessities. You can sort of still live without them even in the big cities, but it's going to be a pain, as everything is optimized on the assumptions everyone owns a smartphone, has Internet access, bank account with a card, and increasingly often, means of contactless payments (think e.g. public transit). There's a reason even the poorest people without a roof over their heads still own iPhones, and it's not entertainment.
- Government ID app, electronic IDs, other means to do official errands fully on-line - convenience for now. I feel they'll transition into soft necessities within next 10 years, simply because interacting with government is always very annoying, and those tools simplify that process and save you some trips.
--
[0] - All in context of the developed/industrialized/western societies; of course this does not apply to societies that did not embrace a particular technology (yet).
> If there's any one lesson to draw from the last several years, it's that the executive branch can do anything they goddamn well please.
You can agree or disagree with the goals and priorities of the Biden administration, but surely their interactions with the legislative and judicial branches demonstrate that, despite the high concentration of power there, the executive branch definitely still cannot act unchecked unilaterally.
> One of your staff asked me yesterday how I had traveled to the DC area, whether I had traveled by air, and whether I has shown any ID to do so. As a matter of principle and personal security, I do not wish to discuss my travel history, modes, or plans with you, and I am not required to do so. But the consistent position of your agency in litigation has been that no Federal law or regulation requires airline passengers to have, to carry, or to show ID. The responses by your agency to some of our FOIA requests confirm that, as you know, people fly without ID every day.
> The TSA officer may ask you to complete an identity verification process which includes collecting information such as your name and current address to confirm your identity. If your identity is confirmed, you will be allowed to enter the screening checkpoint, where you may be subject to additional screening.
> You will not be allowed to enter the security checkpoint if you choose to not provide acceptable identification, you decline to cooperate with the identity verification process, or your identity cannot be confirmed.
Every time I’ve flown for the past few years, my ID fails to scan at TSA. Don’t know why but every time it’s happened, the TSA agent will just call over another TSA rep, they will look at it, and then say I’m good to go ahead. Never knew these other methods existed, I’ve never been asked to confirm my identity a different way.
My mother forgot her ID once and she told me there are two ways:
- They can verify identify through something like a credit card, bank statements, etc.
- Even if you do not have this, they can phone someone that will verify your identity over the phone after getting some info from you. From what I heard you are only allowed to use this method twice per year.
While I completely agree that any individual should have access to the laws and texts that govern us, I have a problem with:
> “Access procedures are especially critical with respect to this proposed rule because ‘the class of persons affected’ – the relevant category pursuant to 1 CFR § 51.7(3), as quoted above – obviously includes individuals who do not have ID deemed compliant with the REAL-ID Act.
These laws "apply" to platform makers who are attempting to create Real ID mDLs, not people who want a REAL ID in the abstract. Someone without a REAL ID cannot get an mDL, regardless of the text of these rules.
1 CFR § 51.7(3) [0] is laying out the requirements by which a reference is eligible for being included in rulemaking?
The 5 U.S.C. 552(a) [1] it modifies notes that "Except to the extent that a person has actual and timely notice of the terms thereof, a person may not in any manner be required to resort to, or be adversely affected by, a matter required to be published in the Federal Register and not so published."
Which seems to be a pretty broad definition of affected person.
I'd certainly consider myself to be affected if in order to avail myself of one option of TSA identification for air travel I had to use an app that did... (reference not openly available)
But that’s not what this is. None of this precludes regular REAL IDs so the class of people arguably is only people with REAL IDs who are interested in making them an mDL. (Well, and companies implementing the specification)
These laws "belong" to the citizens. If the government is not applying it's rules correctly who is there to monitor that? Do I not have that _basic right_?
Someone (with or without ID) may very much suspect that there are legal issues with gating any federal or governmental behaviors behind real ID, or not allowing open source Real ID mDLs or various similar things.
Real-ID is such a farce. I have had an ID since I was 15, and presented my birth certificate and ssn as a minor to do so. There is no instance where I am not "real".
I have a US Passport that took less effort and paperwork to get than a Real-ID. I will never submit.
> These mobile driver’s licenses (mDLs) will be issued by state driver’s license agencies, but the standards incorporated into the TSA rule require that they be deployed through smartphone platforms (i.e. Google and/or Apple) and operate through government apps that collect photos of users and log usage of these credentials.
This is utterly ridiculous, at least for driving. Anyone who needs to validate that someone’s driver’s license is authentic should be well-equipped to query the relevant state’s database and look it up. Just like how they would search for outstanding warrants, Amber Alerts, etc.
With that in mind, surely it should be legal to drive with a photo of one’s driver’s license, a copy of one’s license, any app whatsoever that can display a license, etc. There is basically no security added by a fancy add by an approved contractor — at most they can do some “device posture” crap to sort of prove to a reader that the app thinks that the phone it’s on really does belong to the owner of the license, which is a silly form of security by overcomplication. If I want to pretend to be my friend, I can borrow their phone or their actual drivers license just fine.
I'm with you in spirit, but I think the threat model they're trying to address is someone passing as you and needing only biometrics or a little personal information to succeed. Maybe your sibling looks enough like you, or someone acquired your ID and then alters their appearance to match. If your one true ID is a single physical token, then this threat is harder to pull off.
This is also why IDs are not accepted when they expire -- if they were accepted, then my underage brother might take my old one to buy beer. I've been in the ridiculous situation of saying "I know my ID has expired, but I assure you I have not. I'm still me."
Readit News
Remember that someone was so mad at the IRS that they filled their airplane with gas cans and flew it into an IRS building, killing an employee: https://en.wikipedia.org/wiki/2010_Austin_suicide_attack
Some security precautions are understandable in my opinion. (I don't think the ID requirement is reasonable. Take and store a photograph, deleted after 3 months, and make people go through a metal detector. Also, put the ID requirement documents online. It's free.)
This is really disturbing in a number of different ways. It's bad enough to have the government requiring you to have a government-approved smart phone, but on top of that it's the logging and data analysis wet dream that authoriarian governments the world over could have only dreamed of.
> mDL apps will be required to log each time a digital ID is presented, and to whom. This is described as a measure to protect ID-holders’ privacy, despite the obvious risk posed by police or others being able to know when and to whom you have shown your ID.
That's down right horrifying.
Anyway, I hate the now.
A company I previously worked for had a policy that if you had any company data on your phone, they had the right to force you to unlock it and look through it (not sure if they ever actually did but it was in the employee handbook). When IT tried introducing a system that required me to Auth with my phone I refused, citing the policy, and they helped me setup a workaround Yubikey.
Might not be possible everywhere but worth a shot. Also always helps to make friends in IT.
I have one for that reason, and it lives in the office alongside my work issued laptop.
It's just unusual, so the first line in helpdesk don't always know about it. And people seldom want to start a battle with the bureaucracy on their first day on the job...
Discussed earlier
https://news.ycombinator.com/item?id=41608810
For now.
You used to be able to pay for parking without downloading an app. You used to be able to buy dynamite without doxing yourself to the feds (something that you don't really think is all that important until you have to clear a lot of forested land and the reality of your options for dealing with stumps and boulders becomes clear).
The government isn't requiring that.
It's not forcing you to get a mobile ID.
Your physical ID continues to be just fine. Mobile device ID's are simply for people who want the convenience of not carrying the physical one.
Edit: geez, what's with the downvotes? I wasn't even defending anything. Just trying to keep things factually accurate here.
That's the technological ratchet at work, as it has been since the dawn of humanity. A solution that's convenient or useful enough to gain wide adoption has a way of becoming a soft necessity, and eventually a hard one. Some examples that meaningfully affected our lives[0], in many ways not for the better:
- An accurate clock / watch -- hard necessity. Good luck functioning in society without it. Opening hours, appointments, public transit schedules, are just few among many things synchronized in time, that expect you to have a clock so you can stay in sync too. And no, you can't get away with a rooster or a sundial, like you could 200 years ago - you need precision of at least a minute.
- A car -- somewhere between hard and soft necessity, depending on where you live. The society expects you to be able to commute long distances in short time, for things like work, medical services, or government appointments.
- Mobile phones, Internet, credit/debit cards -- soft necessities. You can sort of still live without them even in the big cities, but it's going to be a pain, as everything is optimized on the assumptions everyone owns a smartphone, has Internet access, bank account with a card, and increasingly often, means of contactless payments (think e.g. public transit). There's a reason even the poorest people without a roof over their heads still own iPhones, and it's not entertainment.
- Government ID app, electronic IDs, other means to do official errands fully on-line - convenience for now. I feel they'll transition into soft necessities within next 10 years, simply because interacting with government is always very annoying, and those tools simplify that process and save you some trips.
--
[0] - All in context of the developed/industrialized/western societies; of course this does not apply to societies that did not embrace a particular technology (yet).
You can't have a law, and also keep it secret.
You can agree or disagree with the goals and priorities of the Biden administration, but surely their interactions with the legislative and judicial branches demonstrate that, despite the high concentration of power there, the executive branch definitely still cannot act unchecked unilaterally.
> One of your staff asked me yesterday how I had traveled to the DC area, whether I had traveled by air, and whether I has shown any ID to do so. As a matter of principle and personal security, I do not wish to discuss my travel history, modes, or plans with you, and I am not required to do so. But the consistent position of your agency in litigation has been that no Federal law or regulation requires airline passengers to have, to carry, or to show ID. The responses by your agency to some of our FOIA requests confirm that, as you know, people fly without ID every day.
How does one go about this process?
> The TSA officer may ask you to complete an identity verification process which includes collecting information such as your name and current address to confirm your identity. If your identity is confirmed, you will be allowed to enter the screening checkpoint, where you may be subject to additional screening.
> You will not be allowed to enter the security checkpoint if you choose to not provide acceptable identification, you decline to cooperate with the identity verification process, or your identity cannot be confirmed.
TSA ID verification procedures (redacted) for people without ID: https://papersplease.org/wp/2018/05/08/tsa-releases-redacted...
records of how the TSA decides whether to let you fly without ID: https://papersplease.org/wp/2016/06/09/how-does-the-tsa-deci...
- They can verify identify through something like a credit card, bank statements, etc.
- Even if you do not have this, they can phone someone that will verify your identity over the phone after getting some info from you. From what I heard you are only allowed to use this method twice per year.
> “Access procedures are especially critical with respect to this proposed rule because ‘the class of persons affected’ – the relevant category pursuant to 1 CFR § 51.7(3), as quoted above – obviously includes individuals who do not have ID deemed compliant with the REAL-ID Act.
These laws "apply" to platform makers who are attempting to create Real ID mDLs, not people who want a REAL ID in the abstract. Someone without a REAL ID cannot get an mDL, regardless of the text of these rules.
The 5 U.S.C. 552(a) [1] it modifies notes that "Except to the extent that a person has actual and timely notice of the terms thereof, a person may not in any manner be required to resort to, or be adversely affected by, a matter required to be published in the Federal Register and not so published."
Which seems to be a pretty broad definition of affected person.
I'd certainly consider myself to be affected if in order to avail myself of one option of TSA identification for air travel I had to use an app that did... (reference not openly available)
[0] https://www.ecfr.gov/current/title-1/part-51/section-51.7#p-...
[1] https://www.govinfo.gov/link/uscode/5/552
I have a US Passport that took less effort and paperwork to get than a Real-ID. I will never submit.
This is utterly ridiculous, at least for driving. Anyone who needs to validate that someone’s driver’s license is authentic should be well-equipped to query the relevant state’s database and look it up. Just like how they would search for outstanding warrants, Amber Alerts, etc.
With that in mind, surely it should be legal to drive with a photo of one’s driver’s license, a copy of one’s license, any app whatsoever that can display a license, etc. There is basically no security added by a fancy add by an approved contractor — at most they can do some “device posture” crap to sort of prove to a reader that the app thinks that the phone it’s on really does belong to the owner of the license, which is a silly form of security by overcomplication. If I want to pretend to be my friend, I can borrow their phone or their actual drivers license just fine.
This is also why IDs are not accepted when they expire -- if they were accepted, then my underage brother might take my old one to buy beer. I've been in the ridiculous situation of saying "I know my ID has expired, but I assure you I have not. I'm still me."