Bloomberg Law
Free Newsletter Sign Up
Login
BROWSE
Bloomberg Law
Welcome
Login
Advanced Search Go
Free Newsletter Sign Up

States Rolling Out Digital Identity Cards Promise User Privacy

Oct. 24, 2022, 9:20 AM

States launching digital versions of a driver’s license are championing the credentials as a way to keep personal information more private and secure, though nationwide adoption will depend on coalescing around a common standard for how the identification cards are built and used.

Mobile driver’s licenses are meant to be more fraud-resistant and privacy-protective than physical cards. Digital credentials also offer contactless convenience as licenses have evolved beyond just granting driving privileges to become a primary method of verifying a person’s identity.

“You hand over a driver’s license for a lot of non-driving-related applications,” from opening a bank account to visiting a doctor’s office, said Christine Nizer, who leads Maryland’s Motor Vehicle Administration. Individuals lack control over whether their license data is copied or how it’s stored, potentially leaving their personal information vulnerable.

“A mobile driver’s license lets you control what information is shared and limit it to what’s required for that transaction,” Nizer said.

A person seeking to enter a bar, for example, could prove that they’re at least 21 years old without revealing their birth date, along with other details like their name and address, by presenting a QR code for scanning. Security checkpoints at airports, which are starting to test the use of mobile driver’s licenses in some US cities, also require only a few data points from a person’s license.

Controlling information disclosure is one of the top digital ID advantages for people’s privacy. But privacy advocates warn that such a system may leave a digital trail of where and when a license is presented, potentially allowing governments or businesses to track people or their purchases.

“If I show my plastic driver’s license to a liquor store clerk, nobody else knows about that,” said Jay Stanley, senior policy analyst with the American Civil Liberties Union’s Speech, Privacy, and Technology Project. Depending on how a digital ID is built, scanning it might “ping” the state that issued it, to check that the credential is valid, he said.

Digital IDs should be designed in a way that allows for authentication without compromising privacy, Stanley said, such as by relying on the exchange of cryptographic keys that prove the credential is trustworthy.

Common Standards

Arizona and Maryland are among several states partnering with Apple Inc. to let residents add a copy of their license to the iPhone maker’s digital wallet by scanning their physical card and taking a selfie. Alphabet Inc.‘s Google is working on a similar function to bring digital IDs to its wallet later this year.

Other states, such as Louisiana, have launched standalone apps for hosting a mobile driver’s license. Utah will offer both options, with an app made by GET Group and an Apple wallet feature currently in the works.

GET Group North America is bringing similar technology to additional US states in the coming months and years, according to Aristotelis Mpougas, the company’s director of sales and marketing.

Work on digital driver’s licenses began a decade ago, but early efforts were state-specific. Developing IDs that work across state borders relies on common standards.

Most states are following International Organization for Standardization specifications that dictate how to design a mobile driver’s license so that it can be easily read and trusted as an identity credential. The American Association of Motor Vehicle Administrators is helping states comply with this standard, which remains voluntary but is considered a de facto requirement.

Taking a coordinated approach to digitizing credentials is necessary to make a dent in identity theft fueled by personal information stolen online, according to Jeremy Grant, a former federal official who focused on online identity.

“There needs to be some coordination from the top,” said Grant, who’s now managing director of technology business strategy at Venable LLP.

Lawmakers in Congress have proposed forming a digital identity task force to develop a government-wide strategy for validating digital IDs while safeguarding privacy and security. The Improving Digital Identity Act (S. 4528), cleared the Senate Homeland Security Committee in late September. Lawmakers plan on attaching the bill, which has a House companion, to must-pass defense spending legislation.

Data Protections

A key selling point of digital driver’s licenses is that they’re difficult, if not impossible, to steal, alter, or forge, according to industry experts.

Mobile driver’s licenses are digitally signed by the state’s issuing authority, allowing agencies or businesses that accept the IDs to electronically authenticate identity information and ensure that there has been no tampering. This process can be done offline, using a downloaded set of cryptographic keys that let a verifier confirm the validity of a digital ID with its issuer. Then “there’s no way for us to know that happens,” said Ryan Williams of the Utah Department of Public Safety’s Driver License Division.

“With the online version,” where the card checker reaches out to a state license database to confirm that an ID is real, “there’s a ping, but it’s not anything we track or are interested in tracking,” Williams said.

Utah’s mobile driver’s license app is designed not to interact with other apps on a user’s phone or track data such as location. Apple likewise doesn’t see when and where a user presents their digital ID from its wallet. The ID’s usage history is encrypted and stored on a user’s device.

Adoption so far has focused on in-person use cases like at banks or airports, where a physical ID card can be replaced by a digital one. Digital identity proponents are pushing for credentials that can be used online to access health-care records and government services such as unemployment benefits.

“What it doesn’t do yet is allow you to verify your identity in the digital world,” said Joe Palmer, chief product and innovation officer at iProov Inc., an identity authentication provider. iProov is working with several states and the US government to help implement digital IDs.

Another ISO standard is being developed for using digital identity online. It’s expected to come out in the next year or so, according to Mike McCaskill, director of identity management at the American Association of Motor Vehicle Administrators.

When that standard is issued, “using your identity on the internet becomes much more trusted,” McCaskill said. “You can trust that the person on the other side of that screen is actually the person sending you identity data.”

To contact the reporter on this story: Andrea Vittorio in Washington at avittorio@bloombergindustry.com

To contact the editors responsible for this story: Tonia Moore at tmoore@bloombergindustry.com; Jay-Anne B. Casuga at jcasuga@bloomberglaw.com