Privacy advocates are worried about mobile driver’s licenses

Dozens of privacy advocates, along with groups like the American Civil Liberties Union and the Electronic Frontier Foundation, on Monday attached their names to a new campaign to change the technological standard backing mobile driver’s licenses.
Their concern is functionality embedded in the digital credentials that allows data about user behavior to be transmitted back to government agencies. The campaign, which is also backed by government officials and lawmakers, arrives as mobile driver’s licenses and digital identity cards gain steam abroad and in the U.S., where they’re offered by more than a dozen states.
The campaign, titled No Phone Home, is backed by a statement that calls for identity systems like mobile driver’s licenses to adopt a technological standard that is incapable of tracking or surveilling users. “Identity systems that phone home facilitate centralized tracking and control, privacy invasions, and other potential abuses,” the statement warns. “If this capability exists within a digital identity system, even inactively, it will eventually be used.”
The statement is signed by privacy and digital rights groups like the ACLU, EFF, Electronic Privacy Information Center and the Center for Democracy and Technology. It’s also signed by more niche industry groups like the Trust Over IP Foundation and the Decentralized AI Society. Brave Software, which makes the open-source Brave web browser, “the browser that puts you first,” has attached its name.
Dozens of technologists, academics, government officials and politicians have also signed on, including Christopher Bramwell, Utah’s chief privacy officer; Michael Leahy, Maryland’s former chief information officer; and Utah state Rep. Kristen Chevrier.
Timothy Ruff, a venture capitalist who coordinated the project, said the public ought to be more concerned about the current privacy paradigm surrounding governments’ nascent digital ID efforts, which he said have smuggled in surveillance capabilities without much resistance.
“Digital identity has been the province of Big Tech: Google and Amazon and Facebook and Microsoft and every other place we have a username and password,” Ruff said. “People have not adequately considered the ramifications of government getting into the digital identity business.”
Their three-paragraph manifesto is a public-relations campaign for a simple idea: Your identity belongs to you, and — just as with your physical identity card — your mobile driver’s license doesn’t need to tell anyone where you went or what you did there. Behind the campaign, though, the details get a bit more complex.
A growing number of digital IDs offered by state governments and foreign nations rely upon the wonderfully named ISO/IEC 18013-5:2021 standard. It hasn’t been universally adopted but its reach has now grown wide enough to raise concern, in part because it’s also the standard used to integrate mobile driver’s licenses with Apple Wallet and Google Wallet.
Privacy advocates have several problems with the specification set by the International Organization for Standardization, or ISO, most notably its requirement that mobile driver’s licenses include a function to send back data. Digital identity technologies got their start in corporate environments, Ruff said, where privacy was not a chief concern because information from such credentials was only being shared within organizations. There was no fear of companies spying on themselves.
But the privacy dynamic changes when governments are issuing IDs to the public. State governments have largely circumvented the issue by vowing never to activate the so-called server retrieval function. But privacy advocates say that’s not good enough.
“It’s what we call privacy by policy,” Ruff said. “And policies change. Policymakers change.”
Online bad guys could hijack the phone-home function, unscrupulous government officials might switch it on in secret or careless ones might leave it on by accident. And in fact, one state government did just that, only recently shutting it off after realizing the mistake, Ruff said.
Jay Stanley, an ACLU senior policy analyst and co-author of the No Phone Home statement, said his organization was concerned about the “limitless” potential misuses of location data, which governments could use to create a “bird’s eye view” on an individual. He said this could reveal where IDs are being used, whether it’s liquor stores, doctor’s offices or motels.
Digital spaces present additional risk, he said. Some states already require online age verification in some capacity, and rely on digital ID systems to accomplish it. Louisiana, for example, requires residents to verify their ages when accessing adult content online using LA Wallet, the state’s digital ID app.
“The age verification movement could become a way in which a digital identity system that doesn’t protect privacy will collect a lot more data about people,” Stanley said. “And that gets even worse when you think about a ton of websites asking you for your digital ID. Now, a stream of all your websites are flowing to the government, and it’s not hard to imagine how that could be abused against, say, Gaza protesters or protesters of any political stripe, for that matter, who don’t like them.”
The new campaign extends work Stanley began last October when he authored a report for the ACLU urging state legislatures not to include phone home capabilities in their digital ID programs. He wrote that “a digital ID will be far more powerful than a plastic one and will open up a Pandora’s Box of potential privacy, equity, and other issues.”
Not all mobile driver’s licenses use the ISO standard — there’s also OpenID Connect, or OIDC, which Ruff said he also opposes because it’s set by default to phone home. But Stanley called out the ISO standard as “insufficient,” because while it doesn’t compel states operating digital ID systems to collect location data, it does require verifiers’ systems be capable of retrieving it.
“It shouldn’t be built that way,” Stanley said. “And in general, the ISO standard represents the interests of verifiers — big companies who want to make you prove who you are. It doesn’t represent the interests of identity holders, ordinary people who might want their privacy protected.”
Though the No Phone Home campaign has earned the support of the nation’s top privacy groups, it did not get the blessing of the influential nonprofit American Association of Motor Vehicle Administrators. Claire Jeffrey, a spokesperson for AAMVA, explained in an emailed statement that while the group “strongly agree[s]” that mobile driver’s licenses should not contain a phone home capability, the statement contained a phrase it could not endorse: “to prioritize privacy and security over interoperability and ease of implementation.”
“The wording of the letter presumes a choice between interoperability and privacy/security which is counter to our fundamental philosophy that all are equal requirements for a healthy ecosystem,” Jeffrey wrote. “AAMVA remains committed to continuing our collaboration with the ACLU and other partners to improve identity protection through enhanced privacy and security.”
Alexis Hancock, director of engineering for the Electronic Frontier Foundation, said she also doesn’t love the forced choice between privacy and ease-of-use spelled out by the statement, but considered it a detail she was willing to overlook, perhaps to be negotiated later.
“You kind of have to choose in coalition work,” she said. “Are you not signing because of a nitpick or maybe you can discuss the nitpicks, but my main goal with signing on was pushing the mDL spec to a better place.”
Hancock and other signatories are pushing for an open standards development process, an opportunity to ensure that digital identity technologies like mobile driver’s licenses represent the interests of the people who use them, not the companies that create them. But the International Organization for Standardization is a closed body — its members create thousands of standards, on everything from road vehicle safety to medical devices, and then present them to the world.
“A lot of that comes into play when what we deem as a proper way to go about building technology that impacts masses of people,” Hancock said. “We’d rather go for more open standards that can have a more public consensus and some society input.”
She pointed to HTTPS, the web protocol widely used across the internet to ensure data arrives at its destination securely, as an example of a hugely beneficial technology that was created through a more democratic process. It’s a prominent example, but far from the only one — countless other technologies undergirding the internet are built with openness, vendor neutrality and users in mind.
An open development process is favored by many because it gives a wide variety of ideas and interests a fair hearing. Even individual developers and private companies that don’t directly collaborate with the public often go to great lengths to provide frequent updates on their projects and collect feedback from users early and often. When technologies are created behind closed doors, the only option left to unhappy users is to demand reforms to an already completed product. Hancock pointed to Accelerated Mobile Pages, a framework that Google foisted on the web without much initial outside input, as a recent example of a company flouting open principles for its own benefit.
“When standards are closed, normally what ends up happening is usually companies with proprietary ideas will step in and are able to buy access and membership in these spaces,” Hancock said. “So what’s indicative of a closed standard is usually a company agenda may flavor their input and there may not be a capability for public technologists in any way shape or form to put their take on the standard or something that would benefit the wider community.”
In the case of mobile driver’s licenses, an outcome has been the inclusion of the phone home feature that many are concerned will someday violate personal privacy in unexpected ways. Beyond the improved interoperability and public input opportunities offered by open standards, Hancock said open standards support other goals held by her organization, like the right to be anonymous online, not requiring age verification and not assuming that each device is used only by a single person.
If the No Phone Home campaign doesn’t prove forceful enough to convince the companies and organizations with competing ideologies, like the AAMVA, to change or replace the ISO standard, Ruff said more direct tactics may be needed. Leahy, the former Maryland CIO and an early signer of the statement, said he thinks legislation will be necessary. He shared draft legislation that would require mobile driver’s licenses to “operate without surveillance, remote verification dependencies, or undisclosed data transmissions to issuing authorities.”
Today, most people don’t carry a digital driver’s license, but that could change relatively quickly. More states are latching onto the trend of digital wallets, and a growing number of foreign nations, including many European Union members, are pressing ahead.
“We have to act now,” Hancock said, “because governments are enthusiastic about digital ID, but if we don’t pin down these basic principles now, it’s going to be a problem later.”