The US Department of Homeland Security (DHS), the Transportation Security Administration (TSA), Homeland Security Investigations Forensic Laboratory, and the National Institute of Standards and Technology (NIST) are on the final leg of evaluating biometric digital ID systems through the Remote Identity Validation Technology Demonstration (RIVTD) program.
Launched in late 2022 and now on its third and final “track,” the RIVTD program is “a series of technology challenges to evaluate the ability of systems to authenticate identity documents, assess the ‘liveness’ of selfie photos, and evaluate identity verification using images taken with smartphones and similar devices.”
Track 1 focused on assessing the validity of an identity document, such as a US state-issued driver’s license or identification card.
Track 2 focused on matching a “selfie” photo to the photo on the identity document.
Track 3 is currently underway and is focused on assessing the “liveness” of the “selfie” photograph.
One of the goals behind Track 3 is to be able to detect when someone is trying to fake the selfie with either a paper or digital photograph, or by using a mask instead of taking an actual selfie in real-time.
“As remote ID validation technologies become more prevalent, liveness/presentation attack detection of bad actors or impersonators will be a critical component of remote, self-enrollment of an individual’s digital identity”
Jason Lim, TSA Identity Capability Manager, January 2024
“The ability to establish and verify an individual’s identity enables the Department to perform risk-based decision making that is tailored to the individual. Such decision making may involve determining whether an individual is eligible to receive specific services or benefits or ascertaining if an individual is a known or suspected threat”
US Department of Homeland Security (DHS), Digital Identity and Trust
Through the DHS Science and Technology (S&T) Directorate’s Biometric and Identity Technology Center, the RIVTD is aimed at enabling industry to:
- Develop more secure, accurate, and easy to use technologies
- Objectively measure performance against realistic and sophisticated attacks
- Answer questions about the overall performance, risks, and fairness of these technologies for use in commercial or government applications
- Inform efforts to standardize and certify technologies that are effective against sophisticated and rapidly evolving attacks
The RIVTD demos are held at the Maryland Test Facility (MdTF). The MdTF RIVTD FAQ page states that document validation systems should support both REAL ID and legacy documents.
Beginning on May 7, 2025, US travelers must be REAL ID compliant to board domestic flights and access certain federal facilities. The card, itself, must be REAL ID compliant unless the resident is using an alternative acceptable document such as a passport.
And a digital REAL ID is already well underway.
“You may be interested to learn that physical driver’s license holders may soon be able to apply for Mobile Driver’s Licenses (mDLs) stored on smartphones if they want to move to a digital ID, thanks to a collaborative project involving the Science and Technology Directorate (S&T), National Institute of Standards and Technology (NIST), and TSA”
DHS, “Implementing Mobile Driver’s Licenses: Not as Easy as You Think,” March 2022
In 2020, the US Congress passed the REAL ID Modernization Act, “allowing the DHS to accept electronic transmission of user identity information and opening the possibility that novel digital technologies could be used to verify and maintain identity.”
The bill revised requirements for obtaining driver’s licenses and personal identification cards under the REAL ID Act of 2005.
Specifically, the REAL ID Modernization Act:
- Permits electronic and mobile driver’s licenses
- Allows electronic submission of required information
- Permits a digital photograph to be one that is already on file with the state if the photograph was taken during the six-year period preceding the application
- Repeals the authorization for the Department of Transportation to make grants to states for conforming with standards
- Requires aircraft operators and third party reservation entities to notify passengers about this bill’s requirement
- Eliminates documentation requirements for Social Security numbers and permanent addresses.
“During periodic testing and development, TSA and DHS Office of Science and Technology (S&T) may retain passenger data for up to 24 months. When testing with S&T, signage at the checkpoint will notify passengers of the extended retention period and will allow passengers to opt-out of the live photo”
TSA Digital Identity *Fine Print
Earlier this year, the TSA announced it had “collaborated on several innovative digital identity initiatives” at select TSA checkpoints.
The TSA highlights that “photos and biometrics are deleted upon completion of the identity verification transaction,” but the fine print says passenger data may be stored for up to two years for “testing and development” purposes like the RIVTD.
Delta and United are two airlines that are currently partnered with the TSA on digital ID initiatives.
In 2018, United Airlines entered a strategic partnership with Peter Thiel’s Palantir Technologies — a company that was funded by the CIA’s venture capital arm In-Q-Tel.
Last year, a trade association representing some 300 major airlines announced a proof of concept demonstrating the “first travel experience using digital identity,” which also included a “biometric liveness check” like the one the DHS and TSA are currently evaluating.
The International Air Transport Association (IATA), in partnership with Swiss-based digital identity solutions provider SICPA, demonstrated “the first fully integrated digital identity travel experience” involving a British Airways flight from London to Rome.
Convenience and privacy were the main selling points for that particular digital identity travel scheme — “passengers have a full control on their personal data” is what IATA and partners claimed.
However, just like with any Terms of Service agreement, opting not to disclose your personal data may lead to exclusion.
For example, in December 2020, IATA announced it was building the IATA Travel Pass “to manage COVID-19 testing or vaccination.”
And just like with last year’s digital identity for travel announcement, IATA said back in 2020 that the IATA Travel Pass would be “putting travelers in control of their personal information for top-level data security and data privacy.”
But what does “being in control of your data” actually mean if you decide to keep your data private?
In the case of vaccine passports, it meant you couldn’t travel or participate in many aspects of society.
“Our goal has always been a future of travel that’s fully digital and secured with biometric identification”
Nick Careen, IATA Senior Vice President for Operations, Safety and Security, October 2023
Convenience is also a major selling point for for DHS when it comes to digital identity.
In an article from March 29, 2022, the DHS depicted a scenario that looked like it could’ve come from one of those late-night infomercials that show people failing at basic tasks in black-and-white.
Imagine the following:
“You’re in the airport security line struggling to get your driver’s license out of your wallet. After retrieving it, you drop your identification (ID) and continue toward the checkpoint unaware you don’t have one of the most essential documents needed to get through security. Thankfully, someone behind you finds and returns your wayward ID just as you reach the travel document checker.”
The DHS then presents the following solution to the nearly tragic and traumatic experience.
“You may be interested to learn that physical driver’s license holders may soon be able to apply for Mobile Driver’s Licenses (mDLs) stored on smartphones if they want to move to a digital ID, thanks to a collaborative project involving the Science and Technology Directorate (S&T), National Institute of Standards and Technology (NIST), and TSA.”
Convenience is one selling point; security is another.
According to the DHS “Digital Identity and Trust” portal, “The ability to establish and verify an individual’s identity enables the Department to perform risk-based decision making that is tailored to the individual. Such decision making may involve determining whether an individual is eligible to receive specific services or benefits or ascertaining if an individual is a known or suspected threat.”
“Digital trust enabled by new capabilities, such as digital credentials (e.g., mobile driver’s licenses (mDL)) and zero trust architecture, are critical to the Department of Homeland Security successfully deploying and operating 5G communication systems, critical infrastructure, government services, and many other Department missions.”
“This digital identity determines what products, services and information we can access – or, conversely, what is closed off to us”
World Economic Forum, 2018
All roads are leading towards massive digital identity rollouts: Congress has already passed legislation to make way for a digital Real ID, the DHS and TSA are working feverishly towards evaluating the technical aspects of digital ID systems, and the private sector has been building its own digital identity schemes for years.
Now, it looks as though the White House will be issuing an executive order pushing “federal and state governments to speed adoption of smartphone-based mobile driver’s license and ID options more widely.”
Last week, NOTUS reported that it had acquired a draft of the executive order that stated, “It is the policy of the executive branch to strongly encourage the use of digital identity documents.”
“The draft order also pushes government agencies to accept digital IDs when building websites that allow the public to do things like file unemployment or apply for Social Security benefits, and government-run Login.gov, the standard credential for accessing federal websites,” according to NOTUS.
Will digital identity schemes always be voluntary, or will they, little-by-little, become mandatory?
If not mandatory, how could abstaining from a digital ID affect your ability to travel, to get a driver’s license, to transact financially, or to even access the internet?
Image source: TSA YouTube
