As I previously noted, today (June 30, 2021) was the day for the Department of Homeland Security’s Transportation Security Administration to hold its public meeting on its Request for Comment on “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.” (See PDF or text version. The second link contains the method for providing comments.)
I will not provide a recap of the comments made by participants during the meeting, but will instead provide some general observations.
Incidentally, the list of all meeting participants will be made public at some point, and it’s possible that the chat transcript from the meeting will also be made public at some point.
Agreement and disagreement among the participants
As can be expected, there were a variety of views expressed at the meeting, ranging from industry comments about the items that should be in the DHS standard, to privacy advocates who questioned why DHS was implementing a standard at all. One example:
- Industry participants, such as myself, were enthusiastic about the ability of a mobile driver’s license (mDL) to automatically update itself when new information became available at the DMV. For example, if I move to a new address, the DMV can automatically update the mDL on my smartphone to reflect the new address.
- Privacy participants were, to put it mildly, a bit less enthusiastic about this feature. Physical driver’s licenses are updated as infrequently as every ten years; why should digital driver’s licenses be any different?
But there was apparent agreement between the industry and privacy participants about one possible feature on mDLs – the ability to control the data that leaves the smartphone and is sent to the verifying official. Everyone seemed to agree that this information should be granular, and that the mDL should not automatically send ALL available information on the mDL.
Let me provide an example. When I go to a bar and use my physical driver’s license to prove my age, the verifier (Jane Bartender) is provided access to my name, my address, my date of birth, my height, my (claimed) weight, and all sorts of personal information that would freak out your average privacy advocate. NONE of this information is needed to prove my age, not even my date of birth. All that the verifier needs to know is whether I am over the age of 21. An mDL can be designed to specifically state ONLY that I am over the age of 21 without revealing my birthdate, my address, or my (claimed) weight.
(You’d think that the privacy advocates would be thrilled about this granularity and would urge people to use mDLs because of this privacy benefit, but privacy and security folks are naturally suspicious and have a hunch that all of the information is being provided in the background anyway through double-secret means.)
But are the participants ready to respond to the RFC?
I had one other observation from the meeting. Before sharing it, I should explain that the meeting allowed the participants to ORALLY share the views that they will subsequently express in WRITTEN comments on or before the July 30 deadline.
And based upon the oral comments that I heard, some of the participants are ready to share their written comments…and others are not.
There were participants who spoke to the DHS about their items of interest, not only briefly stating these items, but WHY these items should be important to the DHS and to the general public.
And then there were participants who concentrated on unimportant details that were NOT of interest to the DHS or the general public. I won’t provide specific examples, but let’s just say that some participants talked about themselves rather than about DHS’ needs.
If these participants’ written comments are of the same tone as their oral comments, I can assure you that their comments will not influence the DHS in any way. Although I guess they can go back to their organizations and proudly proclaim, “We told the DHS how important we are!”
The DHS doesn’t care how important you are. In the DHS’ mind, you are not important. Only the DHS is important. (Oh, and the Congresspeople who fund the DHS are important, I guess.)
Perhaps in the next 30 days these other participants will take a look back at their message drafts and ask themselves the “So what?” question. What will motivate the DHS to incorporate desired features into the standard? And why should they?
And, as always, I can help. If nothing else, I can confidentially review your draft comments before submission and provide some suggestions. (Yes, it’s shameless plug time.)
If I can help you with your RFC response:
- Send me an email at firstname.lastname@example.org.
- Or go to calendly.com/bredemarket to book a meeting with me.
- Or go to bredemarket.com/contact/ to use my contact form.
Or perhaps you are ready to respond now. I guess we’ll all find out when the DHS publishes its final standards, which may or may not reflect your priorities.