Kantara lays out trust-building recommendations for mDLs
A global digital ID association has published steps vendors and others need to take in order to build effective mobile driving license services that also put ID holders in control of their identity.
The Kantara Initiative’s report starts from the premise that trust in mobile driving licenses grows with the degree of control that license holders have over the documents, their privacy and their biometric identifiers.
Privacy and digital ID-related requirements and expectations identified in the report pertain to all ISO/IEC 18013-5-compliant credentials in the pursuit of “robust and privacy-protective” systems for stakeholders.
The organization notes that the interface between issuing authority infrastructure and the mobile driver’s license is out of scope of ISO 18013-5, while those between the mDL and mDL reader and the reader and issuer are covered by the standard
The report surveys other standards and guidance being formulated. The American Association of Motor Vehicle Administrators (AAMVA) has looked into public key collection and dissemination solutions, as it seeks to stand up a Verified Issuer Certificate Authority List (VICAL). The AAMVA has also issued guidelines for issuing authorities on how to administer mDLs. The Identity Council of the Secure Technology Alliance (STA), meanwhile, has published a set of educational materials and resources for participants within the mDL ecosystem.
Eleven categories of risk considerations are listed, including for establishing consent, purpose legitimacy, collection limitation, data minimization and use, retention and disclosure limitation. Data flows for various use cases are defined and mapped out. These considerations state the importance of “proof of presence” in online transactions with mDLs, likely in the form of biometrics.
The Kantara authors write that their requirements will enable relying parties — anyone relying on validity of a person’s or process’ authenticators and credentials — to give mobile license holders a significant and “potentially verifiable” assurance about how their private data is protected.