In 2021, the Department of Homeland Security issued a request for information (RFI) to inform upcoming decisions about federal policy to address requirements and standards that must be met for mobile driver's license applications to be accepted as credentials by Federal agencies for official purposes.
The Electronic Frontier Foundation (EFF), alongside the American Civil Liberties Union (ACLU) and the Electronic Privacy Information Center (EPIC), released comments in response to the DHS’s request for information. The EFF has a long-standing reputation as a fearless protector of the rights of individuals in the digital realm, working to “ensure that technology supports freedom, justice, and innovation for all the people of the world.”
Their official comments can be found here, but we’ll summarize the concerns outlined below, along with the approaches technology can take to address some of these concerns.
The first major concern outlined in the comments is the risk that requests for identity checks will increase with the ease of access and simplicity of online presentation. It could become nearly impossible to operate online in a pseudonymous or anonymous manner, without ties to your offline identity, if ID checks become automated and much easier to insert into online interactions.
Privacy protection is an important consideration, and the comments from EFF, ACLU, and EPIC caution against layering REAL ID with an mDL application, citing previously outlined privacy problems with REAL ID. An mDL application, aligning with ISO/IEC 18013-5, should be tamper-evident, especially with the use of verifiable credentials and decentralized identifiers, which reduces the need for REAL ID.
There are also significant privacy infringement concerns with the potential for a centralized database tracking ID checks, enabling the issuer of the identification to track the movements of holders. It is incredibly important, therefore, for any mDL application to allow for an mDL to be verified in a way that does not track the ongoing movements of individuals.
Another major concern arises if there is a shift to entirely replace physical ID cards with digital versions. The comments to the DHS cite studies published by Pew Research Center that found 24% of people who earn under $30,000 per year do not own a smartphone. Implementing a migration to solely using digital ID cards would cut off a significant portion of the population, with an outsized impact on the most underprivileged.
The ACLU also released a report highlighting additional privacy and equity concerns relating to digital driver's licenses, which can be found here. In this report, they further detail the concerns listed above, while also highlighting the risks of DMVs having the ability to instantly revoke digital driver's licenses and any additional tracking of ID holders without their consent.
Each of these points outlined in the EFF, ACLU, and EPIC comments and the report from the ACLU are concerns that we agree with. Although some are purely dependent on public policy decisions, we strive to solve those that can be addressed through technology and software.
Some of these concerns require policy-making decisions to be made, but some can be addressed with technology solutions in a way that protects these interests at their core.
One of the major concerns outlined in the comments is related to decreased user privacy online with an increase in identity checks. While checks may become more frequent, the technology can be built in a way where users are able to follow the principles of minimal disclosure. For example, someone could attest that they are over a certain age when accessing age-restricted content online, without disclosing any additional information about themselves, like their home address, as this is unnecessary to qualify access based on age.
As we discussed in other sections, a person can apply for a job online by showing they have a degree (without disclosing which university they earned said degree from) and that they are a resident of the state where the job is located (without disclosing their home address, which may be used to profile socio-economic status). We believe introducing selective disclosure technology into identity paradigms will help to build a more equitable and privacy-preserving digital future.
Another concern is the ability of issuers of credentials to use the technology to increase tracking measures on individuals, known as phoning home. Currently, when someone uses their physical driver’s license to prove their identity in person, the DMV is not notified where the person is and who they are showing it to.
As we shift to cryptographically signed ID cards, we need to ensure that this same privacy of movement is afforded to individuals, where the DMV is not notified each time a person has their identity verified using their mobile driver’s license. There is a risk that different implementation approaches may facilitate more surveillance state behaviors if the proper guardrails for privacy are not built in from the foundational layer.
One way to avoid having the specific verifier and individual’s location shared back with the DMV to check validity is to have widely published lists or super compact lists that can be easily transmittable, which would allow verifiers to see if a driver’s license has been revoked with a high level of certainty, while still maintaining blindness of who exactly has been revoked. In this proposed scenario, the DMV would be able to maintain its existing limits on the tracking of movements of individuals.
In addition to these concerns related to infringing on the privacy of individuals, there are also concerns about a future of digital identity controlled by a handful of Big Tech companies that may have conflicts of interest with the user and/or government agencies. With their scale, these Big Tech companies can act as de facto policymakers by, for example, deciding which identity wallets (potentially their own options) individuals can choose from in different situations, or which businesses can accept government-issued credentials online. Innovation requires a competitive market landscape, which can be limited when closed proprietary ecosystems are the only game in town.
We are fortunate to have collaborated with many individuals working at Big Tech companies who do champion user-controlled identity, individual privacy, and support for policies affecting society to be decided in their rightful domains. We hope that their efforts are fruitful in resounding through their organizational practices. However, corporate priorities often do override other aspirations, so we also implore the ecosystem, policymakers, and agencies to help ensure that individual privacy and innovation are not stifled.
We believe that when handling something as deeply personal as someone’s identification, like an mDL, citizens and residents deserve the right to be able to inspect the code and see exactly how their information is being handled and used.