The Rise of Digital ID in the United States – A Legal and Privacy Crisis
Republished with permission from Attorney Tom Renz.
The destruction of our privacy rights in the United States is making me sick. It’s happening right under our noses, and it’s getting worse by the day. Most people seem unaware, but digital ID is now the law, and its implementation is moving forward as we speak. This isn’t the work of a single piece of legislation; it’s a slow creep driven by updates to existing regulations, rooted in the post-9/11 “Patriot Act” mindset that trades our freedom for security. Let’s break this down academically, with the relevant laws and texts, so you can see the full scope of what’s at stake.
Foundational Federal Law: The REAL ID Act of 2005
The cornerstone of this shift is the REAL ID Act of 2005, codified in 49 U.S.C. § 30301 note. This law set minimum security standards for state-issued driver’s licenses and identification cards to be accepted for federal purposes, like boarding commercial flights. While it initially governed physical IDs, its mandates for digital features and databases laid the groundwork for what we now face with digital identification. The law was updated with the REAL ID Modernization Act, signed into law as part of a larger bill in 2020, pushing us further down this path.
Tom Renz’s Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
The Act’s Section 202(b) outlines the minimum requirements for an acceptable ID, and it’s packed with digital components that paved the way for today’s mobile driver’s licenses (mDLs). Here’s the breakdown from the relevant text:
- Digital Photo: “(5) A digital photograph of the person, which may be the photograph taken by the State at the time the person applies for a driver’s license or identification card or may be a digital photograph of the person that is already on file with the State.”
- Machine-Readable Technology: “(9) A common machine-readable technology, with defined minimum data elements.”
Additionally, Section 202(d) sets minimum issuance standards, requiring states to build an infrastructure around digital data retention. Consider the “facial image capture” requirement: “(3) Subject each person applying for a driver’s license or identification card to mandatory facial image capture.” This is biometric identification, folks, and it’s a key piece of the digital ID puzzle. The law also mandates digital source document retention: “(1) Employ technology to capture digital images of identity source documents so that the images can be retained in electronic storage in a transferable format.”
Key Federal Regulation: 6 CFR Part 37
The Department of Homeland Security (DHS) took this further with 6 CFR Part 37, the implementing regulation for the REAL ID Act, amended to embrace digital IDs. Section 37.7 specifically addresses the acceptance of mDLs for federal purposes, moving beyond the need for a physical card. The relevant text states:
- § 37.7(a) Generally: “TSA may issue a temporary certificate of waiver to a State that meets the requirements of §§ 37.10(a) and (b).”
- § 37.7(b) State Eligibility: “A State may be eligible for a waiver only if, after considering all information provided by a State under §§ 37.10(a) and (b), TSA determines that— (1) The State is in full compliance with all applicable REAL ID requirements as defined in subpart E of this part; and (2) Information provided by the State sufficiently demonstrates that the State’s mDL provides the security, privacy, and interoperability necessary for acceptance by Federal agencies.”
- This regulation formalizes the path for digital IDs, but it’s just the beginning of the problem.
The Data Sharing Nightmare: REAL ID Act Section 202(d)(12) and the S2S System
Here’s where it gets worse. The federal law mandating data sharing between states is found in Section 202(d)(12) of the REAL ID Act: “(12) Provide electronic access to all other States to information contained in the motor vehicle database of the State.” The primary purpose is to prevent one person from holding multiple REAL ID-compliant credentials by allowing states to check an applicant’s status nationwide.
The mechanism for this sharing is the State-to-State (S2S) Verification Service, managed by the American Association of Motor Vehicle Administrators (AAMVA), a private, non-profit entity. S2S is a “pointer system” that doesn’t store all data centrally but directs one state’s system to another to verify records. The platform, State Pointer Exchange Services (SPEXS), extends the system used for Commercial Driver’s Licenses (CDLIS). Data exchanged includes an individual’s name, date of birth, driver’s license number, and other fields to confirm or deny duplicate licenses. The AAMVA, being private, operates with limited public oversight, which is a red flag.
