Four years after hijackers showed driver’s licenses to board planes used in the 2001 terrorist attacks, Congress passed the “Real ID” Act to force states to exert greater oversight of the primary identification Americans use when they fly domestically.

Now, after 13 years of delays and extensions, the Trump administration has fixed a hard deadline of October for states to comply. Under the law, all airline travelers must display a new, technologically advanced license if they wish to board a plane. But privacy advocates warn that the program, with its requirement of data and photo sharing between states and the federal government, carries with it some Orwellian implications.

The Department of Homeland Security has given the 23 states still operating under extensions until Oct. 10.

Lawmakers were spurred to pass the “Real ID” Act by the 9-11 Commission. The congressional aim was to prevent ID fraud by ensuring applicants don’t have multiple licenses, to verify Social Security numbers and to check a person’s immigration status. The new licenses are also meant to be machine-readable and harder to forge.

“They wanted to take driver’s licenses from an analog world into a digital world,” said Pam Dixon, executive director of the World Privacy Forum, which has opposed the measure. Yet this digital world may also usher in an unprecedented national identification database that alarms states and civil liberties advocates.

To compel compliance, the Trump administration—as with the preceding Bush and Obama administrations—is threatening to bar airline passengers if their license isn’t “Real ID” approved. The nightmare scenario could be thousands of travelers turned away at U.S. airports ahead of, say, the Thanksgiving travel period.

Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a nonprofit that advocates for digital privacy and free speech, said it’s an open question whether the government would take such an extreme step. The DHS meanwhile said full compliance is long overdue.

“It has been 12 years since the REAL ID Act was passed,” the DHS said on its web site. “It is time that the remaining jurisdictions turn their commitments to secure identification into action.”

The law is “precisely the kind of scheme that the framers expected that federalism would guard against.”

The “Real ID” law sparked a firestorm across the political spectrum when it was proposed. Privacy advocates decried the legislation as government intrusion, state officials were upset over an unfunded mandate and constitutional lawyers expressed alarm over the act’s perceived assault on state authority, given that licensing drivers is strictly a state-level function.

“A federal law that aims to conscript the states into creating a national ID system, with all the privacy and civil liberties risks … is precisely the kind of scheme that the framers expected that federalism would guard against,” the EFF and World Privacy Forum wrote to DHS officials in 2007. The groups also noted federal court rulings that prohibit Congress from using the U.S. Constitution’s Commerce Clause to “commandeer” state regulatory bodies.

Advocacy groups across the political spectrum see the law as a threat to privacy. In the years after the law’s enactment, the American Civil Liberties Union pushed state legislatures to prohibit compliance. More than a dozen states passed laws to guarantee their motor vehicle departments would reject the federal measure, while some governors vetoed legislation aimed at making procedures compliant.

But more recently, that stridency has waned.

“The opposition that was very strong back in 2009, 2010 nationally was slowly picked off by the DHS in the years since,” said Ben Feist, legislative director for the ACLU in Minnesota, where lawmakers repealed a 2009 statute that kept the state out of “Real ID” compliance. Feist said the federal “threat” that Minnesota residents wouldn’t be able to fly “made most of the legislators here very concerned and less inclined to stick to the principle.”

“It might be easier to try that stunt in Minnesota,” he said. “Are you really going to stop everyone with a California and New York license from boarding a plane?”

Dixon, of the World Privacy Forum, said the DHS has sought of late to encourage compliance by scaling back some requirements. Moreover, she said it’s now less likely the government would use DMVs for data collection given the myriad other agencies collecting and retaining data on Americans.

Still, states including California, Michigan and Minnesota plan to offer two licenses to allow drivers the option of avoiding the U.S.-approved version. There’s also been a tide of state legislation outlining what states DMVs can—and can’t—do to accommodate the federal law.

It remains unclear how tough the DHS plans to be on states such as Minnesota that decline to share driver data. Dixon, who researches national ID systems, said there may be some “wiggle room” where states must show that they have the capability of sharing information with other states, not that they actually do.

DHS spokeswoman Anna Franko said the agency expects states to “query other states to prevent the applicant from holding more than one Real ID document and not more than one driver’s license.”

She added that, “as a condition of becoming compliant, states must commit to using these verification services once they have become available.”

Tien, of the EFF, said it’s possible the deadline could get pushed back again, but added that the threat to privacy is still real. “It was an abomination from a privacy standout then, and it is now,” he said. “The only issue is that it’s been many, many years and the thing is still sort of lurching around.”