When a bartender checks your ID, she doesn’t record your home address or your height and weight. All she needs to know is whether or not she can legally serve you a drink. Digital driver’s licenses should work the same way, according to privacy and security experts.
Digital identity platforms should prioritize personal privacy and data minimization over scanning and storing as much information as possible. That means limiting access to information based on what data is needed to complete a transaction.
Several states are moving forward with digital driver’s licenses. Drivers in Arizona and Georgia will soon be able to use iPhones and Apple Watches as digital licenses or ID cards. People living in Kentucky, Maryland, Oklahoma, Iowa, Utah, and Connecticut are next in line for this transition.
Here is a look at how to build digital identity systems that protect privacy by design and balance the need for information exchange with an individual’s right to privacy.
Building a secure system
States should take a lesson from blockchain technology to implement digital driver’s licenses, according to John Evans, chief technology advisor at World Wide Technology. These platforms should be built with these security protocols:
- Distributed data
- Multi-factor authentication
Evans said this multilayered defense will make it hard for attackers to get access to this data.
“If a person gets access to one piece of your information, they can’t put all the rest together because it’s distributed,” he said.
Aaron Ansari, vice president of cloud security at Trend Micro, agreed that blockchain is a good fit for mobile driver’s licenses to uniquely ID a single person.
“If a duplicate ID happens to show up but the blockchain doesn’t match, we’ll know instantly that there is a fake of your ID,” he said.
Evans was the CISO for the state of Maryland for five years and helped the state get started on the transition to a digital driver’s license. His team looked at how Estonia implemented a similar system. That country’s digital ID system was hacked in its early days.
Evans said that states must use the principle of least privilege when building these digital systems. The person checking a digital license should get only enough information to complete a transaction and nothing more.
Scanners that check digital IDs could be programmed to access only the information a particular organization needed. A scanner in a bar could flash green or red, based on the person’s age. A scanner at a bank would have access to more information to meet the authentication requirements for opening an account.
Evans sees this transition as a way to put controls on access to personally identifiable information.
“Ideally you don’t even have to open the digital driver’s license, you scan it and only pieces that are relevant show up on the scanner,” he said. “Ideally you would be giving them less information than you are now.”
The risk of building a new tracking system
Ansari agrees that least privilege and data minimization should be the guiding principles but he isn’t optimistic that those priorities will win out.
“I don’t see that as something that is happening, in fact I see exactly the opposite,” he said. “It seems more and more that there is overreach from a state and federal POV.”
“This raises the danger that a relatively small cadre of corporations and specialized government bureaucracies will build a new infrastructure for their own economic and administrative purposes, regardless of the larger implications. It raises the danger that there will be no balanced assessment of the costs and benefits of such a system and that we will adopt systems that do not strike the right balance between the needs for identification, security and convenience and Americans’ well-founded aversion to government and corporate surveillance and regimentation.”
In its “Identity Crisis” report, the organization recommends that digital IDs be designed to prevent the issuer from monitoring an individual’s transactions.
Bob Rudis, chief data scientist at Rapid7, said that state legislatures rolling out digital driver’s licenses have not all added enough protections to restrict law enforcement from using unlocked devices for other investigative purposes.
“This could be a real privacy mess for citizens in those less-ethical states,” he said. “Hopefully Apple and Google wallets will allow for just unlocking the mDL and not the entire phone.”
Ansari of Trend Micro expects some of the security standards for digital driver’s licenses to come from the companies that make the phones. He said one key to securing digital driver’s licenses will be a complete segregation of the wallet and the payment components of the wallet.
“Apps can request access via Apple but they can’t get access to the wallet directly,” he said. “There should be complete segregation where nothing has access except the core OS which should be able to pass along the info in a secure manner.”
Limiting the opportunity for tracking
Another privacy challenge around digital IDs is the potential to track a person’s movements and activities in a way that is not currently possible. Al Pascual, senior vice president of data breach solutions at Sontiq, said that means prioritizing data minimization along with the principle of least privilege.
“That information doesn’t need to be stored or retained by everyone accessing it, only those regulatorily mandated to do so, such as financial institutions,” he said.
With tech companies making money by selling digital identity management platforms and government agencies trying to streamline operations and save money, citizens will have to be the privacy advocates in the digital identity debate, he said.
“We want privacy by design, which means technology that prevents others from knowing where we’ve been and what we’ve purchased,” he said. “Privacy by design inherently obscures how that license is being used and that should be the standard by far.”
Pascual also sees few market forces encouraging companies to protect consumer data, meaning that data minimization works more in principle than in practice.
“The fines are not frequent enough or significant enough to really drive the kind of behavior change we would expect,” he said.
Security risks of mobile driver’s licenses
As states move to implement digital identity platforms, bad actors will look for new opportunities to steal data while also using standard social engineering and other common attack methods. Rudis of Rapid7 sees these potential mDL threat scenarios:
- An increased surface area for attackers due to connecting the mDL issuer infrastructure to the internet
- Potential bugs and vulnerabilities in the wallet app
- Information overreach during transactions
One example of the information overreach issue is reader apps requesting more information than necessary for a given transaction: a liquor store reader app, for instance, could request all the fields from an mDL instead of only the single field it needs.
“I see this as being a very real problem, since users will just want to get a given transaction over with and very likely just tap ‘OK’ with as much speed as they dismiss cookie consent dialogs without reviewing them first,” he said.
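As an added example (mine, not code from the article or from any state's mDL implementation), the following sketches the wallet-side check that the scanner scenario above and the overreach scenario here both call for: the wallet releases only the elements allowlisted for the reader's stated purpose, answers the bar's question with a derived age_over_21 yes/no instead of the birth date, and flags every over-requested field so the holder sees the overreach instead of just tapping OK. The purpose allowlist and the sample record are assumptions; the element names follow the ISO/IEC 18013-5 mDL namespace as I understand it.

```python
"""Wallet-side least-privilege filter for mDL reader requests (illustrative)."""
from datetime import date

# Element identifiers follow the ISO/IEC 18013-5 mDL namespace
# (org.iso.18013.5.1) as I understand it. The per-purpose allowlist is an
# assumption for this example, not a rule from the standard or any state.
ALLOWLIST = {
    "age_check": {"age_over_21"},
    "account_opening": {"family_name", "given_name", "birth_date",
                        "resident_address", "document_number", "portrait"},
}

# Constructed sample record; not a real person or document.
SAMPLE_MDL = {
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": date(1990, 6, 15),
    "resident_address": "123 Example St, Anytown, MD",
    "document_number": "D000000000",
    "portrait": b"<jpeg bytes>",
}

# Fixed reference date so the example is deterministic (constructed).
AS_OF = date(2022, 1, 1)


def derive(mdl, element, today):
    """Compute derived claims so raw fields need not leave the wallet."""
    if element.startswith("age_over_"):
        nn = int(element[len("age_over_"):])
        b = mdl["birth_date"]
        age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
        return age >= nn
    return mdl[element]


def respond(mdl, purpose, requested, today=AS_OF):
    """Return (released, refused).

    Only elements allowlisted for the reader's purpose are released; an
    unknown purpose releases nothing. Everything else the reader asked for
    is listed in `refused` so the holder can see the overreach.
    """
    allowed = ALLOWLIST.get(purpose, set())
    released = {e: derive(mdl, e, today) for e in requested if e in allowed}
    refused = sorted(set(requested) - allowed)
    return released, refused
```

A liquor store reader asking for the birth date, name and portrait alongside age_over_21 gets back only `{"age_over_21": True}` plus a refusal list of the three extra fields.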
Rudis said that certificates are no panacea and that entities on the Verified Issuer Certificate Authority List also will suffer integrity issues, and that rogue entities will make it onto that list.
“Poorly implemented encryption-in-transmission schemes may also be subject to person-in-the-middle attacks,” he said. “Ransomware operators can hold up the operators of the back-end issuer and validator infrastructure via denial of service attacks that could cause millions of citizens to be delayed in real life until the attack ceases.”
Rudis sees mDLs as worthwhile overall, despite these potential security risks, and said that the mobile driver’s license standard has been worked on for many years and that a number of states have already implemented their own versions of the mDL wallet and reader apps.
These systems conform to the ISO/IEC FDIS 18013-5:2021 standard, which covers encryption on-device, encryption in-transit, authentication for unlocking the mDL data and configuration rules for mobile devices and servers.