Over the last year, technology experts and government agencies — state and federal alike, including the National Institute for Standards and Technology (NIST) — have been working together to develop digital driver’s licenses (DDLs). Projects in several states are underway and are intended to modernize the age-old experience of pulling out your plastic ID card and showing it to a law enforcement officer, manager of an age-restricted venue, airport desk or security agent, or anyone else who needs to regularly verify your identity.
The other thing these DDL initiatives have in common is that they’re met with a healthy dose of skepticism and concern from consumer privacy advocates, a portion of the media and some end users. It turns out, digital IDs can make for a touchy topic.
From the start, let me resolutely state that we in the driver’s license and broader tech industries take those concerns very seriously and encourage an open conversation about the security and privacy implications of DDLs and any other form of digital ID, for that matter. In both the research and development and active pilot phases, we’ve meticulously designed and adapted our technology and user experience with those considerations in mind.
We’ve also learned an immense amount about the preferences of citizens, law enforcement officers and merchants. As such, there are a few claims or questions that are often raised that can be dispelled.
Quite the contrary. Consider that a physical ID is just a representation of digital data that has already existed for decades, not the end point of an individual’s personal data. Then think about how vulnerable date of birth, address, physical likeness and other personal information are when a wallet or plastic driver’s license is dropped and lost somewhere. While there’s a chance a phone could be lost too, there are several layers of security standing between a citizen’s digital ID and anyone else. There is multi-factor authentication required to open the phone, including PINs, fingerprint biometrics or even Face ID. Additionally, DDL technology can include an encrypted application which has an isolated locking mechanism, requiring another authentication step. All of the data contained therein is wrapped by encryption, and the ID can always be wiped remotely if someone does gain access to the device. Those same assurances simply aren’t possible for recovering any form of physical ID once it has fallen into the wrong hands.
With a DDL, a citizen has far more control over their personal information than traditional identification. Because the acceptance or scanning applications can be customized to fit the use case or scenario, the person verifying the ID only sees the information pertinent to the transaction. For example, once scanned, a liquor store owner would only see the customer’s picture and a simple birthdate or yes or no about whether they’re over 21 and legally allowed to purchase alcohol. They would not have access to the driver’s home address, height or weight, or their driver’s status. Instead, a citizen can choose whether to show anyone the full digital copy of their license. On a more technical level, a DDL can be stored in an encrypted file, which is isolated from the rest of the data on the phone via a data element accessible only by the DDL application.
Maintaining the phone owner’s privacy and eliminating any liability for handling the device for the officer is of utmost priority in the development and refinement of a DDL solution. During a typical traffic stop, there’s no point in time that an officer should take possession of the mobile device. There are technical ways the driver can authorize the sharing of their driver details using their own device, which sends those details back to the officer’s squad car computer, without giving access to the other content on the phone. Law enforcement stakeholders have said they don’t want the liability of passing mobile devices back and forth. They don’t want to drop, break or otherwise harm the device, much less invade people’s privacy. Most importantly, officers want to keep their hands free so that protocol can be followed and everyone can be as safe as possible throughout the entire interaction.
This is a big one that we hear all the time. Yes, digital IDs are easier to provision and manage. But currently, driver’s licenses and IDs are administered by states, counties and local jurisdictions. It is up to the states to move toward DDLs as a complement to plastic cards because they see benefits and increased citizen privacy. It is also important to reiterate that no one will be forced to get a DDL. It’s purely for convenience and improved security, not federal government oversight.
It is our hope that we can facilitate a constructive and open-minded conversation as tech providers continue to make government services and IDs more efficient, secure and useful for citizens. The first step in that direction is providing reliable information to educate and dispel some of the common myths and misconceptions that exist today. Hopefully many of those misgivings have been addressed here.