An Identity Wallet Bill of Rights - Starting With the Mobile Driver License

Spruce’s continued mission is to let users control their data across the web, whether it’s web2, web3, or beyond. This also applies to credentials issued by existing entities, such as the Mobile Driver License (mDL) issued by motor vehicle authorities across the world.

There is now a global standard called ISO 18013-5 that describes how we can represent a digital driver’s license on someone’s smartphone, and the whole end-to-end process on how to present it in-person. However, the methods to provision them, refresh them, or send them online are still under active discussion within ISO working groups. In the US, TSA and other organizations have already committed to using this standard, so it impacts DMVs who want their mobile driver’s licenses to also be useful for travel at the airport. In other countries, there is beginning to be adopted as well.

The EFF, ACLU, and EPIC recently have called out several concerns regarding implementations of the mDLs in their comments to a Department of Homeland Security request for comments, and as implementers of open source digital identity software, we have additional concerns in the mix that we felt it necessary to call out too:

  • User choice for identity wallets may be restricted to just a few companies due to anti-competitive policies for device API access. Hardware manufacturers and operating system vendors use internal APIs that third-party developers cannot access, meaning wallets by app developers will not be able to create a competitive user experience or security model on a level playing field. Practically, this could funnel users to just the operating system-provided identity wallets and extinguish the possibility of increased user choice when handling their most critical data.
  • Is a large tech company the right decision maker for how state-issued digital identities can be used on billions of devices, especially in light of many recent antitrust allegations? For example, gatekeeping of verifiers occurs with Apple’s PassKit restricting the verifier set to Apple’s approved list of developers. In the physical world, we don’t have to ask Apple to inspect a driver’s license. This seems a lot like a policy decision for users who have mobile driver’s licenses. When was the last time your leather wallet told you that you couldn’t use something how you wanted?

The EFF further has recommended W3C Verifiable Credentials due to their history of being developed in the public, and being an open standard. We agree with this. Vendors such as Microsoft, Ping Identity, Workday, and Spruce have already adopted these in pilots and production use cases. Furthermore, Underwriter Labs, an author of ISO 18013-5, has described how to interoperate Verifiable Credentials with the ISO described data model and protocols. We look forward to continuing our collaborations here such as demonstrating interoperability with TBD:

Spruce and TBD Demonstrate Decentralized Identity Interoperability
We have heard a lot about Decentralized Identity in the last few years. For both Spruce and TBD, Decentralized Identity and user control are at the center of both our missions, and we are excited to announce that we achieved another milestone towards interoperability.

We think that this can culminate in an Identity Wallet Bill of Rights that describes how a third party wallet provider can participate on an even playing field, allowing for an entire ecosystem instead of 2-3 vendors thereby increasing user choice. This way, users can enjoy increased wallet selection built on open protocols and standards, ensuring that a market can form to tailor to specific use cases. Identity is far too important and critical of a component to leave to two or three companies to dominate.

When was the last time you had to ask a tech company for permission to use your passport, with the implication that they could lock you out entirely? If things continue without an open ecosystem for identity wallets, this could be the unfortunate reality. Digital identity is still in its infancy, and it’s not too late to start now.

In our efforts to help lead this charge, we are sponsoring a community project led by Kaliya Young, a longstanding member of the identity ecosystem, to lead this and help create a level playing field for identity wallets without compromising on security. At Spruce, we believe that users should have a choice in which wallet manages their most critical data, and that two or three companies should not dictate the most meaningful and high-stakes digital interactions for billions of people.

Towards this, we are working on a set of requirements that we believe would enable wallet providers to achieve the same levels of user experience, functionality, and security that are enjoyed by wallets with privileged, internal APIs not currently available to third-party developers. We want to invite you to do the same through this community effort so that together we can ensure that wallets have a level playing field and that users have true choice. If we can get this right, we have a real opportunity to get it right for users across identity, payments, and beyond in the digital era.

We will continue to pursue our efforts in the decentralized identity ecosystem, and always champion architectures that put users first.

Check out this link for the full community project announcement:

Where the W3C Verifiable Credentials meets the ISO 18013–5 Mobile Driving License
New Community Project Sponsored by Spruce

Spruce lets users control their data across the web. Spruce provides an ecosystem of open source tools for developers that let users collect their data in one place they control, and show their cards however they want.

If you're curious about integrating Spruce's technology into your project, come chat with us in our Discord: