I really admire these folks for standing on a worthy principle. I also dig the performance art vibe of showing up at the TSA headquarters without an ID to read a deeply nested tree of paper documents about IDs. If you're going to joust windmills, these are some good windmills to joust.
Why does the TSA building itself need so much security? Are they expecting it to be the target of an attack?
Is that surprising? It’s a federal agency representing the security apparatus of the US. That’s a good target for terrorism.
Representing the security what now? Given the agency's performance over the decades I'd be deeply surprised to find out the TSA could credibly secure a mall parking lot.
That’s not the point of terrorism. If you blow up a TSA building, citizens get scared because it looks like “if the state can’t even protect itself, how are they going to protect me?”.
To be honest, I am genuinely surprised an attack never materialized. But then I also remember mentioning my thoughts on the matter to my wife, who was aghast that I would even consider such a scenario. Maybe, on average, people are actually decent and it is people like me, who come up with weird hypotheticals.
~60 airplane hijackings per year in the 70s.
We’ve significantly reduced it down to <4 per year.
https://ourworldindata.org/grapher/airliner-hijackings-and-f...
Hijacking an airplane isn’t an attack on the TSA specifically though. We were talking about the security of the TSA building itself.
Yes, but the TSA wasn't created in the 1980s, when most of the decrease happened. The TSA wasn't invented until after 9/11.
Depending on your perspective on security theater, it might be appropriate to observe that a TSA building has exactly as much security as the TSA is capable of providing itself.
Well, they are the best at security theater, so it makes sense their headquarters is too.
> These mobile driver’s licenses (mDLs) will be issued by state driver’s license agencies, but the standards incorporated into the TSA rule require that they be deployed through smartphone platforms (i.e. Google and/or Apple) and operate through government apps that collect photos of users and log usage of these credentials.
This is really disturbing in a number of different ways. It's bad enough to have the government requiring you to have a government-approved smart phone, but on top of that it's the logging and data analysis wet dream that authoritarian governments the world over could have only dreamed of.
It's not a dream. China and India have been doing it for a while.
Discussed earlier
https://news.ycombinator.com/item?id=41608810
Even worse, the whole thing is a cash cow for Idemia and a couple of other companies, who probably alt wrote the secret rules to benefit their company and prevent competition.
It gets worse. In the US most of the bigger corps institute some sort of means to authenticate you via cellphone, which means that if you want to be remote, a phone is effectively a necessity (which one usually does). Only a year ago, it was still possible to avoid having to have a cell (although that meant you had to be in person -- an interesting trade off in itself).
Anyway, I hate the now.
At my last workplace, I somehow managed to get away with only Microsoft Authenticator on my phone, with no actual remote management capabilities enabled. That's pretty much exactly where I draw the line: if I have to have a device to perform work functions, the workplace needs to supply it. I'm not going to put work data on my personal machines, and I'm definitely not letting a third party root my phone for me "for sekhurity", and apply work policies on my personal device. I'm okay with work 2FA on my phone, but only without MDM, as an exception for where otherwise there's no reason for me to have a work phone.
These days a lot of folks can probably do more than just authenticator on their personal device. Teams and Outlook, for example, are both able to run with the MDM-level controls the company wants but without the device-level MDM. It's part of the app and has no control over anything else.
And, as a plus, your phone can now be subject to a subpoena issued to your employer!
I don't want their data on my device for a variety of reasons. Loss of control would be enough on its own, but there are others.
Work with your IT dept.
A company I previously worked for had a policy that if you had any company data on your phone, they had the right to force you to unlock it and look through it (not sure if they ever actually did but it was in the employee handbook). When IT tried introducing a system that required me to auth with my phone I refused, citing the policy, and they helped me set up a workaround Yubikey.
Might not be possible everywhere but worth a shot. Also always helps to make friends in IT.
> It's bad enough to have the government requiring you to have a government-approved smart phone
The government isn't requiring that.
It's not forcing you to get a mobile ID.
Your physical ID continues to be just fine. Mobile device IDs are simply for people who want the convenience of not carrying the physical one.
Think long-term. In 40 years, when the last paper IDs are discontinued, we'll all be tracked, but the time to complain was now.
> are simply for people who want the convenience
That's the technological ratchet at work, as it has been since the dawn of humanity. A solution that's convenient or useful enough to gain wide adoption has a way of becoming a soft necessity, and eventually a hard one. Some examples that meaningfully affected our lives[0], in many ways not for the better:
- An accurate clock / watch -- hard necessity. Good luck functioning in society without it. Opening hours, appointments, public transit schedules, are just a few among many things synchronized in time, that expect you to have a clock so you can stay in sync too. And no, you can't get away with a rooster or a sundial, like you could 200 years ago - you need precision of at least a minute.
- A car -- somewhere between hard and soft necessity, depending on where you live. The society expects you to be able to commute long distances in a short time, for things like work, medical services, or government appointments.
- Mobile phones, Internet, credit/debit cards -- soft necessities. You can sort of still live without them even in the big cities, but it's going to be a pain, as everything is optimized on the assumption that everyone owns a smartphone, has Internet access, a bank account with a card, and increasingly often, means of contactless payments (think e.g. public transit). There's a reason even the poorest people without a roof over their heads still own iPhones, and it's not entertainment.
- Government ID app, electronic IDs, other means to do official errands fully on-line - convenience for now. I feel they'll transition into soft necessities within the next 10 years, simply because interacting with government is always very annoying, and those tools simplify that process and save you some trips.
--
[0] - All in context of the developed/industrialized/western societies; of course this does not apply to societies that did not embrace a particular technology (yet).
Until they aren't.
Well sure. Physical IDs are also not tiny government listening devices either. Until they are.
Kudos to Mr. Hasbrouck, who I assume is the narrator, for putting feet to ground to demonstrate the lack of open access to executive branch law.
You can't have a law, and also keep it secret.
If there's any one lesson to draw from the last several years, it's that the executive branch can do anything they goddamn well please.
This is nothing new.
> If there's any one lesson to draw from the last several years, it's that the executive branch can do anything they goddamn well please.
You can agree or disagree with the goals and priorities of the Biden administration, but surely their interactions with the legislative and judicial branches demonstrate that, despite the high concentration of power there, the executive branch definitely still cannot act unchecked unilaterally.
Is this satire?
You neglected to mention the president that has been convicted of multiple felonies
While I completely agree that any individual should have access to the laws and texts that govern us, I have a problem with:
> “Access procedures are especially critical with respect to this proposed rule because ‘the class of persons affected’ – the relevant category pursuant to 1 CFR § 51.7(3), as quoted above – obviously includes individuals who do not have ID deemed compliant with the REAL-ID Act.
These laws "apply" to platform makers who are attempting to create Real ID mDLs, not people who want a REAL ID in the abstract. Someone without a REAL ID cannot get an mDL, regardless of the text of these rules.
1 CFR § 51.7(3) [0] is laying out the requirements by which a reference is eligible for being included in rulemaking?
The 5 U.S.C. 552(a) [1] it modifies notes that "Except to the extent that a person has actual and timely notice of the terms thereof, a person may not in any manner be required to resort to, or be adversely affected by, a matter required to be published in the Federal Register and not so published."
Which seems to be a pretty broad definition of affected person.
I'd certainly consider myself to be affected if in order to avail myself of one option of TSA identification for air travel I had to use an app that did... (reference not openly available)
[0] https://www.ecfr.gov/current/title-1/part-51/section-51.7#p-...
[1] https://www.govinfo.gov/link/uscode/5/552
These laws "belong" to the citizens. If the government is not applying its rules correctly, who is there to monitor that? Do I not have that _basic right_?
Someone (with or without ID) may very much suspect that there are legal issues with gating any federal or governmental behaviors behind real ID, or not allowing open source Real ID mDLs or various similar things.
> These mobile driver’s licenses (mDLs) will be issued by state driver’s license agencies, but the standards incorporated into the TSA rule require that they be deployed through smartphone platforms (i.e. Google and/or Apple) and operate through government apps that collect photos of users and log usage of these credentials.
This is utterly ridiculous, at least for driving. Anyone who needs to validate that someone’s driver’s license is authentic should be well-equipped to query the relevant state’s database and look it up. Just like how they would search for outstanding warrants, Amber Alerts, etc.
With that in mind, surely it should be legal to drive with a photo of one’s driver’s license, a copy of one’s license, any app whatsoever that can display a license, etc. There is basically no security added by a fancy app by an approved contractor — at most they can do some “device posture” crap to sort of prove to a reader that the app thinks that the phone it’s on really does belong to the owner of the license, which is a silly form of security by overcomplication. If I want to pretend to be my friend, I can borrow their phone or their actual driver’s license just fine.
https://archive.is/paqb8