‘mDL don’t phone home’: digital ID experts sound alarm over privacy capability


Influential digital identity professionals and privacy groups are warning that mobile driver’s licenses can comply with the international standard and still represent a major surveillance risk, due to “phone home” capabilities that can be hidden from users.

At Internet Identity Workshop (IIW) 40, Steve McCown, Utah Privacy Officer Chris Bramwell and Digital Trust Ventures Co-founder and Principal Timothy Ruff presented on privacy concerns with mDLs that the ISO/IEC 18013-5 standard does not alleviate. The presentation inspired Decentralized Identity Foundation (DIF) Executive Director Kim Hamilton Duffy to delve into the concern.

It also led to a public statement cosigned by the ACLU, the Electronic Frontier Foundation (EFF), the Electronic Privacy Information Center (EPIC), the Center for Democracy & Technology (CDT) and cryptography and cybersecurity luminary Bruce Schneier.

McCown is a digital identity architect and Utah privacy commission advisor, and the IIW presentation was based on his review of the ISO spec. Crucially, he found that the specification allows for issuers to “break” the standard three-party trust triangle by communicating with verifiers to carry out server retrievals.

“Core contributors to the mDL specification were present, and they acknowledged that server retrieval functionality was included as a compromise because some countries require it,” Duffy writes. “They explained that the technical capability exists in the specification, and preventing unwanted data collection requires individual implementers to create appropriate policies or regulations.”

Duffy notes that several objections to the warning were raised during a second session at IIW 40. It is a misconception that real-time status checks must include server retrievals to verify a specific credential, Duffy says. While police checks are “a fair exception,” the proposed use of mDLs for ID verification at businesses like pharmacies and bars is not. Better policies and regulations can help, but requiring them to rein in a surveillance capability contained in the technical architecture raises the question of authorities’ trustworthiness.

AAMVA’s answer

Ruff points out in a Medium post that the American Association of Motor Vehicle Administrators (AAMVA) warned about this very issue in version 1.4 of its Implementation Guidelines. Further, AAMVA’s “Mobile Driver’s License Implementation Guidelines, Version 1.5,” published in May, specifically prohibit implementing phone home.

But, he cautions, AAMVA cannot enforce its policy recommendations on the 50 states that are individually responsible for implementing mDLs.

“If phone home is on the table in your state — and it is in almost every state — it’s now or never,” Ruff argues.
