The big questions surrounding privacy related to mobile driver's licenses that we need to consider are:
One of the significant concerns related to introducing easier digital identity checks is that we might inadvertently introduce a surveillance state where people are unwittingly profiled based on geographies and behaviors.
With advances in technology and cryptography, we are able to build solutions for digital identity and mobile driver's licenses that actually afford more privacy in interactions than existing physical driver's license cards.
Selective disclosure occurs when an individual makes an informed decision about precisely what information to share about themselves in an interaction. For example, if a person is 25 years old, they only need to tell a bartender they are over the age of 21 (if they're in the United States) for entry. They should not, however, need to disclose their home address or other extraneous pieces of information that may actually make the person feel unsafe in the interaction. Here are a few examples of what this might look like in regular life interactions:
With the adoption of mDLs, people will be able to selectively disclose the minimal required information in the context of that specific interaction. The mDL issuer, the DMV, can create digital signatures for specific attributes (like date of birth) or grouped attributes (like driving privileges) that the holder can choose to disclose.
Selective disclosure can be implemented in every form of digital identity, beyond just mobile driver's licenses and state-issued identity. For example, when applying for a job, a person should be able to present their verifiable credential digital diploma to prove they hold a bachelor's degree in a certain domain, without disclosing what university they graduated from, which may introduce bias into the hiring process.
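One way to implement the per-attribute disclosure described above, as an added example that is not code from the original article or from any mDL specification: the issuer signs salted hashes of each attribute, and the holder reveals only the chosen values together with their salts. The HMAC key stands in for the DMV's public-key signature so the sketch runs on the standard library alone, and all function names and sample data are constructed for illustration.

```python
import hashlib, hmac, json, secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed demo key, stands in for the DMV signing key

def _digest(name, value, salt):
    # Commit to one attribute; the random salt stops guessing of low-entropy values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests):
    # Assumption: HMAC replaces the issuer's asymmetric signature for this demo.
    payload = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer: salt and hash every attribute, then sign only the digest list."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    digests = {n: _digest(n, v, salts[n]) for n, v in attributes.items()}
    return {"attributes": attributes, "salts": salts,
            "digests": digests, "signature": _sign(digests)}

def present(credential, requested):
    """Holder: reveal value and salt only for the attributes chosen."""
    disclosed = {n: {"value": credential["attributes"][n],
                     "salt": credential["salts"][n]} for n in requested}
    return {"disclosed": disclosed, "digests": dict(credential["digests"]),
            "signature": credential["signature"]}

def verify(presentation):
    """Verifier: check the signature, then each disclosed attribute's digest."""
    if not hmac.compare_digest(_sign(presentation["digests"]), presentation["signature"]):
        return None
    result = {}
    for name, item in presentation["disclosed"].items():
        expected = presentation["digests"].get(name)
        if expected is None or not hmac.compare_digest(
                _digest(name, item["value"], item["salt"]), expected):
            return None  # disclosed value does not match what the issuer signed
        result[name] = item["value"]
    return result

# Constructed sample licence data.
mdl = issue({"age_over_21": True, "family_name": "Doe",
             "address": "1 Example St", "driving_privileges": ["C"]})
at_the_bar = present(mdl, ["age_over_21"])
print(verify(at_the_bar))  # only the age flag reaches the verifier
```

The undisclosed attributes appear to the verifier only as salted digests, so the home address cannot be recovered or guessed from the presentation.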
Every time a holder decides whether to share their personal information, they should be fully informed of:
Aside from legal terms of service, these policies can be enforced at the technical level.
Selective disclosure and user-controlled identity will help level the playing field between individuals and the companies that aggregate and track information on them. This approach is aligned with recent data protection regulations, as outlined in Relevant Laws & Regulations, but with enforcement through technical architecture rather than through fines imposed for noncompliance. Both are strong incentive structures and can work hand-in-hand to reintroduce individual privacy protections into the modern digital world.