In this post, “NGI” stands for Non-Governmental Identity

I admit to my biases.

As a former long-time employee of a company that provides finger and face technology for the Federal Bureau of Investigation’s Next Generation Identification (NGI) system, as well as driver’s license and passport technology in the United States and other countries, I am reflexively accustomed to thinking of a proven identity in governmental terms.

Because the government is always here to help.

From World War II. By Packer, poster artist, Artist (NARA record: 8467744) – U.S. National Archives and Records Administration, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16929857

What this means in practice is that whenever I see a discussion of a proven identity, I reflexively assume that the identity was proven through means of some type of governmental action.

  • Perhaps the identity was tied to a driver’s license identity maintained by a state agency (and checked against other states via AAMVA’s “State to State” to ensure that there are no duplicate identities).
  • Or perhaps the identity was proven via the use of a database maintained by a government agency, such as the aforementioned NGI or perhaps a database such as the CODIS DNA database.

However, I constantly have to remind myself that not everyone thinks as I do, and that for some people an identity proven by governmental means is the worst possible scenario.

Use of DNA for humanitarian efforts

Take an example that I recently tweeted about.

I recently read an article from Thermo Fisher Scientific, which among other things provides a slew of DNA instruments, software, and services for both traditional DNA and rapid DNA.

One of the applications of DNA is to prove family relationships for migrants, especially after families were separated after border crossings. This can be done in a positive sense (to prove that a separated parent and child ARE related) or in a negative sense (to prove that a claimed parent and child are NOT related). However, as was noted in a webinar I once attended, DNA is unable to provide any verification of legitimate adoptions.

By Nofx221984 – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7429871

Regardless of the purpose of using DNA for migrants, there is a certain level of distrust among the migrants when the government says (presumably in Spanish), “We’re the government. We’re here to help.” You don’t have to be a rabid conspiracy theorist to realize that once DNA data is captured, there is no technical way to prevent the data from being shared with every other government agency. Certain agencies can establish business rules to prevent such sharing, but those business rules can include wide exceptions or the rules can be ignored entirely.

Therefore, Thermo Fisher Scientific decided to discuss humanitarian DNA databases.

As a result of migration, human trafficking and war, humanitarian databases are a relatively new concept and are often completely separate from criminal databases. Research has shown that family members may distrust government databases and be reluctant to report the missing and provide reference samples (1). Humanitarian databases are repositories of DNA profiles from reported missing persons, relative reference samples, and unknown human remains and may be managed by non-governmental organizations (NGOs), though in some instances they may be managed by a governmental institution but kept separate from criminal databases. Examples of humanitarian databases can be found in the United States (NamUsUniversity of North Texas HDID), Canada (Royal Canadian Mounted Police), Australia (National DNA Program for unidentified and missing persons) and internationally via the International Commission on Missing Persons (ICMP).

As you can see from the list, some of these databases ARE managed by government police agencies such as the RCMP. But others are not. The hope, of course, is that migrants would be willing to approach the humanitarian folks precisely BECAUSE they are not the police. Reluctance to approach ANY agency may be dampened by a desire to be reunited with a missing child.

And these non-governmental efforts can work. The Colibri Center claims to have performed 142 identifications that would not have been made otherwise.

Reluctance to set national standards for mobile driver’s licenses

Because of my (biased) outlook, mobile driver’s licenses and other applications of government-proven digital identity seem like a wonderful thing. The example that I often bore you with is the example of buying a drink at a bar. If someone does this with a traditional driver’s license, the bartender not only learns the drinker’s birthdate, but also his/her address, (claimed) height and weight, and other material irrelevant to the “can the person buy a drink?” question. With a mobile driver’s license, the bartender doesn’t even learn the person’s birthdate; the bartender only learns the one important fact that the drinker is over 21 years of age.

Some people are not especially wowed with this use case.

The DHS Request for Comment has finally closed, and among the submissions is a joint response from the American Civil Liberties Union, Electronic Frontier Foundation (EFF), & Electronic Privacy Information Center (EPIC). The joint response not only warns about potential misuse of government digital identities, but also questions the rush of establishing them in the first place.

We believe that it is premature to adopt industry standards at this time as no set of standards has been completed that fully takes advantage of existing privacy-preserving techniques. In recent decades we have seen the emergence of an entire identity community that has been working on the problems of online identity and authorization. Some within the identity community have embraced centralized and/or proprietary systems…

You can imagine how the ACLU, EFF, and EPIC feel about required government-managed digital identities.

Is a Non-Governmental Identity (NGI) feasible and reliable?

Let’s return to the ACLU/EFF/EPIC response to the DHS Request for Comment, which mentions an alternative to centralized, proprietary maintenance of digital identities. This is the alternative that I’m referring to as NGI just to cause MAC (massive acronym confusion).

…others are animated by a vision of “self-sovereign
identity” that is decentralized, open source, privacy-preserving, and empowering of individuals. That movement has created a number of proposed systems, including an open standard created by the World Wide Web Consortium (W3C) called Verifiable Credentials (VCs)….

DHS should refuse to recognize IDs presented within centralized identity systems. If a standard digital identity system is to be accepted by the federal government, it must be created in an open, transparent manner, with the input of multiple stakeholders, and based upon the self-sovereign identity concept. Such a system can then be used by federal government agencies to view identity credentials issued by state departments of motor vehicles (DMVs) where doing so makes sense. If standards based on self-sovereign identity are not considered mature enough for adoption, efforts should be directed at rectifying that rather than at adopting other systems that raise privacy, security, and autonomy risks.

For all practical purposes, the chances of the ACLU/EFF/EPIC convincing the Department of Homeland Security to reject government-proven identities are approximately zero. And since DHS controls airport access, you probably won’t see an airport security agent asking for your Verifiable Credentials any time soon. Self sovereign identities are just as attractive to government officials as sovereign citizens.

Who issues Verifiable Credentials?

As ACLU/EFF/EPIC noted, Verifiable Credentials are still under development, just as the centralized system standards are still under development. But enough advances have been made so that we have somewhat of an idea what they will look like. As Evernym notes, there is a trusted triangle of major players in the Verifiable Credentials ecosystem:

There are a number of directions in which we can go here, but for the moment I’m going to concentrate on the Issuer.

In the current centralized model being pursued in the United States, the issuers are state driver’s license agencies that have “voluntarily” consented to agree to REAL ID requirements. Several states have issued digital versions of their driver’s licenses which are recognized for various purposes at the state level, but are not yet recognized at the federal level. (The purpose of the DHS Request for Comment was to solicit thoughts on federal adoption of digital identities. Or, in the case of some respondents, federal NON-adoption of digital identities.)

Note that in the Verified Credentials model, the Issuer can be ANYBODY who has the need to issue some type of credential. Microsoft describes an example in which an educational institution is an Issuer that represents that a student completed particular courses.

Without going into detail, the triangle of trust between Issuers, Verifiers, and Holders is intended to ensure that a person is who they say they are. And to the delight of the ACLU et al, this is performed via Decentralized Identifiers (DIDs), rather than by centralized management by the FBI or the CIA, the BBC, B. B. King, Doris Day, or Matt Busby. (Dig it.)

But NGIs are not a cure-all

Despite the fact that they are not controlled by governments, and despite that fact that users (at least theoretically) control their own identities, no one should think that digital identities are the solution to all world problems…even when magic paradigm-shifting words like “blockchain” and “passwordless” are attached to them.

Here’s what McKinsey has said:

…even when digital ID is used with good intent, risks of two sorts must be addressed. First, digital ID is inherently exposed to risks already present in other digital technologies with large-scale population-level usage. Indeed, the connectivity and information sharing that create the value of digital ID also contribute to potential dangers. Whether it is data breaches and cyber-intrusions, failure of technical systems, or concerns over the control and misuse of personal data, policy makers around the world today are grappling with a host of potential new dangers related to the digital ecosystem.

Second, some risks associated with conventional ID programs also pertain in some measure to digital ID. They include human execution error, unauthorized credential use, and the exclusion of individuals. In addition, some risks associated with conventional IDs may manifest in new ways as individuals newly use digital interfaces. Digital ID could meaningfully reduce many such risks by minimizing opportunity for manual error or breaches of conduct.

In addition, many of these digital identity initiatives are being pursued by large firms such as IBM and Microsoft. While one hopes that these systems will be interoperable, there is always the danger that the separate digital identity systems from major firms such as IBM and Microsoft may NOT be interoperable, in the same way that the FBI and DHS biometric systems could NOT talk to each other for several years AFTER 9/11.

And it’s not only the large companies that are playing in the market. Shortly after I started writing this post, I ran across this LinkedIn article from the Chief Marketing Officer at 1Kosmos. The CMO makes this statement in passing:

At 1Kosmos, we’ve taken our FIDO2 certified platform one step further with a distributed identity based on W3C DID standards. This removes central administration of the database via a distributed ledger for true “privacy by design,” putting users in sole access and control of their identity.

1Kosmos, IBM, and Microsoft know what they’re talking about here. But sadly, some people only think these technologies are “cool” because they’re perceived as anti-government and anti-establishment. (As if these companies are going to call for the downfall of capitalism.)

Which identiy(ies) will prevail?

Back to governmental recognition of NGI.

Don’t count on it.

Anticipated DHS endorsement of government-issued digital identities doesn’t mean that NGI is dead forever, since private companies can adopt (and have adopted) any identity system that they wish.

So in truth we will probably end up with a number of digital identities like we have today (I, for example, have my WordPress identities, my Google identities, and countless others). The difference, of course, is that the new identities will be considered robust – or won’t be, when centralized identity proponents denigrate decentralized identities and vice versa.

But frankly, I’m still not sure that I want Facebook to know how much I weigh.

(Although, now that I think about it, Apple already knows.)

Telos enters the touchless fingerprint market

Years before COVID became a thing, the U.S. government had a desire to encourage touchless fingerprint technologies. This began many years ago with a concerted effort to capture a complete set of fingerprints in less than 15 seconds. By 2016, this had evolved to a set of Cooperative Research and Development Agreements (CRADA) entered into by the National Institute of Standards and Technology and several private companies.

For purposes of this post, I’m going to concentrate on just one of the listed mobile fingerprint capture technology solutions. The mobile fingerprint capture technologies from these companies were intended to support the capture of fingerprints from a standard smartphone without any additional capture equipment. (Compare this to the portal/kiosk category, which employed specialized capture equipment.)

One of NIST’s CRADA partners for mobile fingerprint capture was a company called Diamond Fortress Technologies.

Via our CRADA  relationship (Cooperative Research and Development Agreement), Diamond Fortress is currently working with NIST to develop standards dealing with best practices, certification methodology, data formatting and interoperability with legacy contact-based and inked print databases for optical acquisition systems. This will support future certification for purchase on the Government Certified Products lists.

Fast forward a few years, and Diamond Fortress Technologies’ offering is back in the news again.

Telos Corporation has acquired the ONYX touchless fingerprint biometric software and other assets of Diamond Fortress Technologies (DFT), and appears to be targeting new verticals with the technology.

Now that happened to catch my eye for one particular reason.

You see, my former employer IDEMIA used to have a monopoly on the TSA PreCheck program. If you wanted to enroll in TSA PreCheck, you HAD to go to IDEMIA. This provided a nice revenue stream for IDEMIA…well, perhaps not so nice when all of the airports lost traffic due to COVID.

Anyway, the Congress decided that one provider wasn’t optimal for government purposes, so in early 2020 other vendors were approved as TSA PreCheck providers.

WASHINGTON – Transportation Security Administration (TSA) today announced that TSA PreCheck™ enrollment services will now be provided by Alclear, LLC; Telos Identity Management Solutions, LLC; and Idemia Identity & Security USA, LLC, expanding the opportunities that enable travelers to apply for TSA PreCheck.

Just to clarify, the company then known as Alclear is better known to the general public as CLEAR.

And the third company is Telos.

Which is now apparently moving into the touchless fingerprint space.

Now THAT is going to have an impact on enrollment.

The ITIF, digital identity, and federalism

I just read an editorial by Daniel Castro, the vice president of the Information Technology and Innovation Foundation (ITIF) and director of the Center for Data Innovation. The opinion piece, published in Government Technology, is entitled “Absent Federal IDs, Digital Driver’s Licenses a Good Start.”

You knew I was going to comment on this one.

Why Daniel Castro supports a national digital ID

Let me allow Castro to state his case.

After Castro identifies the various ways in which people prove identity online, and the drawbacks of these methods, here’s what Castro says about the problem that needs to be addressed:

…poor identity verification is one of the reasons that identity theft is such a growing problem as more services move online. The Federal Trade Commission received 1.4 million reports of identity theft last year, double the number in 2019, with one security research firm estimating $56 billion in losses.

Castro then goes on to state his ideal solution:

The best solution to this problem would be for the federal government to develop an interoperable framework for securely issuing and validating electronic IDs and then direct a federal agency to start issuing these electronic IDs upon request. 

Castro then notes that the federal government has NOT done this:

But in the absence of federal action, a number of states have already begun this work on their own by creating digital driver’s licenses that provide a secure digital alternative to a physical identity document.

Feel free to read the rest of the story.

“Page two.” By Shealah Craighead – The original was formerly from here and is now archived at georgewbush-whitehouse.archives.gov., Public Domain, https://commons.wikimedia.org/w/index.php?curid=943922

But for me I’m going to stop right there.

Why Americans oppose mandatory national physical and digital IDs

Castro’s proposal, while ideal from a technological standpoint, doesn’t fully account for the realities of American politics.

Many Americans (regardless of political leanings) are strongly opposed to ANY mandatory national ID system. For example, many Americans don’t want our Social Security Numbers to become mandatory national IDs (even though they are de facto national IDs today). And while the federal government does issue passports, it isn’t mandatory that people GET them.

And many Americans don’t want state driver’s licenses to become mandatory national IDs. I went into this whole issue in great detail in my prior post “How 6 CFR 37 (REAL IDs) exhibits…federalism,” which made the following points:

  1. States are NOT mandated to issue REAL IDs. (And, no citizen is mandated to GET a REAL ID.)
  2. The federal government CAN mandate which IDs are accepted for federal purposes.
  3. Because the federal government can mandate the IDs to use when entering a federal facility or flying at a commercial airport, ALL of the states were eventually “persuaded” to issue REAL IDs. (Of course, it has take nearly two decades, so far, for that persuasion to work, and it won’t work until 2023, or later.)

So, considering all of the background regarding the difficulties in mandating a national PHYSICAL ID, imagine how things would erupt if the federal government mandated a national DIGITAL ID.

It wouldn’t…um…fly.

Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000

And this is why some states are moving ahead on their own with mobile driver’s licenses.

LA Wallet Louisiana Digital Driver’s License. lawallet.com.

However, there’s a teeny tiny catch: while the states can choose to mandate that their mDLs be accepted at the STATE level, states cannot mandate that their digital identities be used for FEDERAL purposes.

Here we go again.

Of course, federal government agencies are starting to look at the issues with a mobile version of a “REAL ID,” including the standard(s) to which any mobile ID used for federal purposes must adhere.

Improving Digital Identity Act of 2020, or 2021, or 2025…

While the government agencies are doing this work, another government agency (the U.S. Congress) is also working on this. Castro mentions Rep. Bill Foster’s H.R. 8215, introduced in the last Congress. I’m not sure why he bothered to introduce it in September 2020, when Congress wasn’t going to do anything with it. As you may have heard, we had an election at that time.

Of course, he just reintroduced it last month, so now there’s more of a chance that it will be considered. Or maybe not.

Regardless, the “Improving Digital Identity Act” proposes the creation of a task force at the federal level with federal, state participants, and local participants. It also mandates that NIST create a digital identity “framework,” with an interim version available 240 days after the Act is passed. Among other things, the ACT also mandates that NIST Special Publication 800-63 become “binding operational directives” for federal agencies.

(Does that mean that it will be illegal to mandate password changes every 90 days? Woo hoo!)

Should this Act actually pass at some point, its directives will need to be harmonized with what the Department of Homeland Security is already doing, and of course with what the states are already doing.

Oh, and remember my reference to the DHS’ work in this area? Among those who have submitted verbal and/or written comments, several (primarily from privacy organizations) have stated that the government should NOT be promoting ANY digital ID at all. The sentiments in this written comment, submitted anonymously, are all too common.

There are a lot of security and privacy concerns with accepting digital ID’s. First and foremost, drivers licenses contain a lot of sensitive information. If digital ID’s are accepted, then it could potentially leak that info to hackers if it is not secured properly. Plus, there is the added concern that using digital ID’s will lead to extra surveillance where unnecesary. Finally, digital ID will not allow individuals who are poorer to be abele to submit an ID because they might not have access to the same facilities. I am strongly against this rule and I do NOT think that digital ID should be an option.

I expect other privacy organizations to submit comments that may be better-written, but they echo the same sentiment.

DHS TSA mDL Public Meeting general observations

As I previously noted, today (June 30, 2021) was the day for the Department of Homeland Security’s Transportation Security Administration to hold its public meeting on its Request for Comment on “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.” (See PDF or text version. The second link contains the method for providing comments.)

I will not provide a recap of the comments made by participants during the meeting, but will instead provide some general observations.

Incidentally, the list of all meeting participants will be made public at some point, and it’s possible that the chat transcript from the meeting will also be made public at some point.

Agreement and disagreement among the participants

As can be expected, there were a variety of views expressed at the meeting, ranging from industry comments about the items that should be in the DHS standard, to privacy advocates who questioned why DHS was implementing a standard at all. One example:

  • Industry participants, such as myself, were enthusiastic about the ability of a mobile driver’s license (mDL) to automatically update itself when new information became available at the DMV. For example, if I move to a new address, the DMV can automatically update the mDL on my smartphone to reflect the new address.
  • Privacy participants were, to put it mildly, a bit less enthusiastic about this feature. Physical driver’s licenses are updated as infrequently as every ten years; why should digital driver’s licenses be any different?

But there was apparent agreement between the industry and privacy participants about one possible feature on mDLs – the ability to control the data that leaves the smartphone and is sent to the verifying official. Everyone seemed to agree that this information should be granular, and that the mDL should not automatically send ALL available information on the mDL.

Let me provide an example. When I go to a bar and use my physical driver’s license to prove my age, the verifier (Jane Bartender) is provided access to my name, my address, my date of birth, my height, my (claimed) weight, and all sorts of personal information that would freak out your average privacy advocate. NONE of this information is needed to prove my age, not even my date of birth. All that the verifier needs to know is whether I am over the age of 21. An mDL can be designed to specifically state ONLY that I am over the age of 21 without revealing my birthdate, my address, or my (claimed) weight.

(You’d think that the privacy advocates would be thrilled about this granularity and would urge people to use mDLs because of this privacy benefit, but privacy and security folks are naturally suspicious and have a hunch that all of the information is being provided in the background anyway through double-secret means.)

But are the participants ready to respond to the RFC?

I had one other observation from the meeting. Before sharing it, I should explain that the meeting allowed the participants to ORALLY share the views that they will subsequently express in WRITTEN comments on or before the July 30 deadline.

And based upon the oral comments that I heard, some of the participants are ready to share their written comments…and others are not.

There were participants who spoke to the DHS about their items of interest, not only briefly stating these items, but WHY these items should be important to the DHS and to the general public.

And then there were participants who concentrated on unimportant details that were NOT of interest to the DHS or the general public. I won’t provide specific examples, but let’s just say that some participants talked about themselves rather than about DHS’ needs.

If these participants’ written comments are of the same tone as their oral comments, I can assure you that their comments will not influence the DHS in any way. Although I guess they can go back to their organizations and proudly proclaim, “We told the DHS how important we are!”

The DHS doesn’t care how important you are. In the DHS’ mind, you are not important. Only the DHS is important. (Oh, and the Congresspeople who fund the DHS are important, I guess.)

Perhaps in the next 30 days these other participants will take a look back at their message drafts and ask themselves the “So what?” question. What will motivate the DHS to incorporate desired features into the standard? And why should they?

And, as always, I can help. If nothing else, I can confidentially review your draft comments before submission and provide some suggestions. (Yes, it’s shameless plug time.)

If I can help you with your RFC response:

Or perhaps you are ready to respond now. I guess we’ll all find out when the DHS publishes its final standards, which may or may not reflect your priorities.

The DHS RFI “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses” is NOT due on June 18 (it’s now due July 30)

Back in April I wrote about a Request for Information that was issued by the Department of Homeland Security. Its title: “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.”

The information was due to DHS on June 18 (tomorrow), and my post included a “shameless plug” offering to help companies with their responses.

No company requested my assistance.

But all is not lost, because you can STILL request Bredemarket’s assistance in composing your responses, because, according to Jason Lim, the due date has been extended.

DHS will hold a virtual public meeting on June 30, 2021 on mDL REAL ID RFI to answer questions regarding the RFI and to provide an additional forum for comments by stakeholders and other interested persons regarding the issues identified in the RFI.

DHS is also extending the comment period for the RFI by 42 calendar days to provide an additional period for comments to be submitted after the public meeting. New deadline is July 30, 2021.

If you want to register for the public meeting, click on the link at the bottom of Jason Lim’s LinkedIn post. I’ve already registered myself (the meeting starts at 7:00 am PDT, but at least I don’t have to commute to go to the meeting).

And the shameless plug still applies: if you need assistance in managing, organizing, writing, or checking your response, contact me (email, phone message, online form, appointment for a content needs assessment, even snail mail). As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.

Water is (literally) critical and needs to smarten up

Presidential Policy Directive 21 (2013), the successor to Homeland Security Presidential Directive 7 (2003), defines 16 critical infrastructure sectors that need to be protected by the U.S. Department of Homeland Security and other entities.

There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Some of the critical infrastructure sectors are obvious at first glance, including sectors such as transportation systems, nuclear reactors/materials/waste, and government facilities. But these aren’t the only ones. Take the Water and Wastewater Systems sector, overseen by the Environmental Protection Agency (EPA).

Safe drinking water is a prerequisite for protecting public health and all human activity. Properly treated wastewater is vital for preventing disease and protecting the environment. Thus, ensuring the supply of drinking water and wastewater treatment and service is essential to modern life and the Nation’s economy.

Look at the pain that we’ve suffered because of water issues in Flint, Michigan and other cities. Now imagine what would happen if the water in a larger region, such as the Colorado River valley, were to become undrinkable.

Oh yeah, climate change.

Data show extreme weather events are increasing. This is challenging utility providers who are managing critical infrastructure around the globe. The year 2020 was truly devastating for wildfires. From California to Australia, the world got a firsthand glimpse into how warmer, drier conditions are causing harsher droughts — resulting in longer fire seasons and greater water scarcity.

Most of us don’t make a habit of reading Water Online, but this site published a recent article on the part that technology plays in preserving the water/wastewater critical infrastructure system. These technologies are converting our water infrastructure into “smart” infrastructure, a key part of any smart city.

One of the technologies that is making our water infrastructure “smart” is referred to as “digital twins.”

No, not “Twins is the New Trend” twins.

Here’s what “digital twins” means from the critical infrastructure perspective.

Digital twin technology is providing promise in this regard. Digital twins are software representations of assets and processes that help understand, predict, and optimize performance to achieve improved business outcomes. Digital twins consist of three components — a data model, a set of analytics or algorithms, and knowledge — and are extremely valuable when it comes to predicting the impact of a storm for sewage and stormwater management.

Digital twins, like weather, are revised as more data is gathered and more information becomes available. Like any science, we don’t know everything on day 1, but if we continue to gather information and test hypotheses we will know more on day 2, and then even more on day 145.

The benefit of digital twins? Lower repair costs by better targeting of responses.

For more about smart water, see this article in Water World.

Are you responding to the DHS RFI, “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses”?

I already posted about this Request for Information (RFI) on LinkedIn and Facebook, but I wanted to highlight the details of the Department of Homeland Security’s recent request (see PDF or text version).

The RFI delves into a number of questions about treating mobile (i.e. smartphone) driver’s licenses as REAL ID-compliant. The RFI itself states:

DHS invites comments on any aspect of this RFI, and welcomes any additional comments and information that would promote an understanding of the broader implications of acceptance of mobile or digital driver’s licenses by Federal agencies for official purposes. This includes comments relating to the economic, privacy, security, environmental, energy, or federalism impacts that might result from a future rulemaking based on input received as a result of this RFI. In addition, DHS includes specific questions in this RFI immediately following the discussion of the relevant issues.

The RFI can be responded to by any member of the general public, although it is expected that the majority of responses will come from mobile driver’s license vendors and various interest groups. And trust me, there is a wide range of interest groups that are interested in this topic, and in the broader topic of REAL ID in general. Federalism itself is a popular topic when discussing REAL ID.

(Although personally, I believe that if the Federal Government is controlling air travel, and if the Federal Government is…obviously…controlling Federal facilities, then the Federal Government can implement rule-making regarding access. Needless to say, since all 50 states and several territories have adopted REAL ID, the decision has been made.)

While respondents can conceivably talk about anything in their responses, DHS (as noted above) has 15 specific questions to which it is seeking information (see section IV beginning on page 20325). Some are general, such as general questions about security, and some are more specific, such as question 4, which specifically focuses on DHS adoption of requirements derived from “Industry Standard ISO/IEC 18013–5: Communication Interfaces Between mDL Device and Federal Agency, and Federal Agency and DMV.”

Responses to the RFI must be submitted by June 18, and are submitted electronically. (Read the Commenter’s Checklist, and note that DHS prefers that respondents address all 15 questions.) I’m sure that a number of companies and organizations are already starting to think about their responses.

Shameless plug: if you need assistance in managing, organizing, writing, or checking your response, contact me. As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.