Debunking Myths about the Mobile Driver's License
While artificial intelligence is in the spotlight, a quieter technology revolution is underway: a large-scale push to build secure digital identity systems. This is, in part, driven by verifiable digital identity being a complementary technology to AI. With AI-generated text, images, and increasingly convincing videos, having a way to verify that something or someone is provably who or what they claim to be will be crucial. The heightened security of encryption-backed identity can dramatically mitigate certain types of fraud, hacking, and impersonation.
Building digital ID is largely a problem of coordination – getting buy-in for a novel system from everyone from legislators to major enterprises to state agencies. One early leader in contention for defining the digital ID future is a set of standards known as “mDL,” or the Mobile Driver’s License – a real, state-issued credential stored on a mobile device. The mDL is just one part of the fast-growing digital identity ecosystem, but it’s being used in our pilot program with the state of California and other pilots across the United States.
You might have some preconceptions about how a driver’s license that lives on a mobile device works based on your familiarity with other digital services, such as logging in to a website. But this new generation of credentials is built much differently, using recent innovations in cryptographic digital signatures.
This makes digital credentials, like a mobile driver’s license, far more secure and private than a web-based service, among other implications. But to understand this new kind of security and privacy, you have to leave behind some old ideas.
The “Photo of a Plastic ID” Myth
A mobile driver's license (mDL) is far more than just a digital image of your physical ID. Unlike a simple photo, an mDL is embedded with cryptographic digital signatures, ensuring that the data it contains is both tamper-evident and provably authentic. This means that anyone verifying your ID, whether in person or online, can trust that the information hasn’t been altered, providing higher security and trust than a static image.
One of the key advantages of mDLs is their versatility in both physical and digital realms. Whether you're verifying your identity in person, such as at a traffic stop or an airport, or over the internet for online services, mDLs offer a seamless digital verification experience. This flexibility is something a static image on your phone just can’t offer, especially as our lives become more intertwined with digital interactions.
While a photo of your ID reveals all your personal details, a significant benefit of mDLs is the ability to share only the necessary information for a specific interaction, rather than revealing all the personal details on your driver's license. For example, if you're buying age-restricted products, the mDL can confirm your age without exposing your address or other sensitive information. This minimal disclosure feature enhances privacy and reduces the risk of identity theft.
Finally, mDLs are built on global standards like ISO/IEC 18013-5 and ISO/IEC 18013-7, which means they can be accepted across industries and borders. A photo of your ID might be accepted in some places, but it lacks the standardization needed for widespread trust and interoperability. These standards ensure that mDLs can be trusted by various entities, from law enforcement agencies to financial institutions, no matter where you are. This broad acceptance and reliability make mDLs a future-proof solution for secure identity verification in our interconnected world.
The “Phone Home” Myth
If you’re still new to the idea of the mobile driver’s license, you might assume it offers less privacy than a hard-copy ID. From bank accounts to college enrollment, we’ve become very used to proving our identity by sending a password to a remote database over the internet. Similarly, you might assume that a mobile driver’s license requires pinging back to a government agency server whenever someone wants to verify your identity. If that were how a mobile driver’s license worked, it would create yet another trail of data that could be used to track you, like many web services do today. This is known as the “phone home” problem.
To be clear, mobile driver's license programs can be implemented in that way, creating (even inadvertently) a new surveillance system. But there are ways to implement mobile driver's licenses that don't have to "phone home," which is how we approach our implementations at SpruceID in our work with customers.
The mDL standard is ultimately a shared data format, and the systems around it can be built in many ways. The core mDL architecture, however, can be implemented using an entirely new kind of digital “proof” that checks the validity of an ID issuer’s digital signature locally, called “device retrieval” in the mDL specification. That means no pinging a remote server, and no risky data trail.
Instead, a mobile driver’s license (or other digital credential) is verified using a file on your device. That file includes a digital “signature” proving that it’s from the correct issuer, like the DMV. The signature is made with a secret private key held by the issuing agency, so no one but the DMV can issue DMV-signed credentials; the credential is tied to your specific hardware device, so the file itself can’t be copied; and the signature covers your identity information, so it can’t be tampered with.
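The minimal disclosure from the “Photo of a Plastic ID” section and the local issuer-signature check described here can be sketched together as follows. This is an added example, not SpruceID's code and not the ISO/IEC 18013-5 wire format: it assumes JSON in place of CBOR/COSE, leaves out device binding, and the function names and sample values are constructed for illustration.

```javascript
// Added illustration: JSON stands in for the CBOR/COSE encoding real mDLs use.
const crypto = require("node:crypto");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Issuer (e.g. a DMV): salt and hash each data element, then sign only the digests.
function issue(claims, issuerPrivateKey) {
  const items = {}, digests = {};
  for (const [name, value] of Object.entries(claims)) {
    // A random salt stops a verifier from guessing undisclosed values from digests.
    const salt = crypto.randomBytes(16).toString("hex");
    items[name] = { name, value, salt };
    digests[name] = sha256(JSON.stringify(items[name]));
  }
  const mso = JSON.stringify({ docType: "org.iso.18013.5.1.mDL", digests });
  const signature = crypto.sign("sha256", Buffer.from(mso), issuerPrivateKey);
  return { items, mso, signature }; // all of this is stored on the holder's device
}

// Holder: release only the requested elements plus the signed digest list.
function present(credential, requested) {
  const disclosed = requested.map((name) => credential.items[name]);
  return { disclosed, mso: credential.mso, signature: credential.signature };
}

// Verifier: purely local check against an issuer public key obtained in advance.
// Returns the verified values, or null if anything fails.
function verify(presentation, issuerPublicKey) {
  const { disclosed, mso, signature } = presentation;
  if (!crypto.verify("sha256", Buffer.from(mso), issuerPublicKey, signature)) return null;
  const { digests } = JSON.parse(mso);
  const verified = {};
  for (const item of disclosed) {
    if (!item || digests[item.name] !== sha256(JSON.stringify(item))) return null;
    verified[item.name] = item.value;
  }
  return verified;
}

// Constructed sample: throwaway P-256 issuer key and made-up licence data.
const issuerKeys = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const credential = issue(
  { family_name: "Doe", resident_address: "1 Example St", age_over_21: true },
  issuerKeys.privateKey
);
const shown = present(credential, ["age_over_21"]);
console.log(verify(shown, issuerKeys.publicKey)); // only the age flag is revealed
```

The verifier never contacts the issuer: it needs only the issuer's public key, and any change to a disclosed value or to the digest list makes the check fail.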
The “Supercookies” Myth
Even if a digital identity check doesn’t create a real-time trail of digital pings over the internet, an ID check can still leave a record on the device or system of the verifier. For instance, when you buy a case of beer, the liquor store might not ping the DMV’s server – but it will probably retain a record of the verification.
These records can be a risk to your privacy. If a third party gathers together the scattered records of your ID checks, they can create a record of some of your activities – for instance, how often you visit the liquor store. This is a widespread practice when it comes to records of your web browsing – the collated records of your online activity are known as “supercookies,” and are often used to target you with advertising.
This risk is a good example of how regulation and best practices are necessary complements to new technology – new laws, or reasonable disclosure frameworks, might be needed to ban the practice of making real-world supercookies. However, there’s also a more immediate solution: the issuers of digital credentials can impose data-deletion policies that require verifiers to delete records of identity checks.
With a few exceptions, such as law enforcement, verifiers should be okay with deleting these records immediately, significantly reducing supercookie risk. Best of all, there are cryptographic methods for proving that the data is actually disposed of.
This is a great example of a key principle in digital credential design. The mobile driver’s license (mDL) is a data standard for digital identity, but many of the systems around that data standard can be designed in many different ways. Some ways of building an mDL system might enable or even encourage archiving data to build a “supercookie,” but systems can also be built to discourage or disallow them.
By the same token, other digital credential standards, including SD-JWTs and W3C Verifiable Credentials, can also be deployed in ways that enable tracking. In essentially every case, no tech standard can guarantee user privacy; therefore, how the system is designed, and how that design is guided by regulations and agreements, is key.
Technology, Legislation, and Markets In Harmony
Unfortunately, the greater privacy and control enabled by encryption-based digital identity won’t just happen magically. While the technology has the potential to create a more innovative and secure system, the specific way it is built in the coming years will determine whether that potential is fulfilled.
Many of the teams building these systems have the highest ideals, and are already working to build privacy-preserving features into their structure. But technology alone isn’t enough, in this case, or in general: technology and policy must work in concert to create the future we want.
We believe the best way to guarantee a future identity system that’s both secure and private is legislation that supports the goals of the technology. That legislation, which organizations like the ACLU are currently pushing forward, would bar abuses like surveillance using digital identity – whether for commercial purposes, or more nefarious ones.
We encourage all players in the digital identity space, and potential future users of tools like the mobile driver’s license, to participate in those legislative efforts. Done right, they will help make sure that an exciting new technology supports freedom, safety, and innovation, working together as one.
About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.