(Bredemarket Premium) Another mobile driver’s license pilot…but this one may move forward and become the real thing

When looking at U.S. state implementations of mobile driver’s licenses, there are various gradations of these implementations.

  • Some states have only performed pilots.
  • Some states have implemented production versions of mobile driver’s license, but their acceptance is limited and you still have to carry your physical driver’s license with you.
  • I don’t think any state has reached the level where the mDL is acceptable for ALL state purposes, and you DON’T have to carry your physical license with you any more.
  • NO state has reached the level where the mDL is acceptable for state AND federal purposes (such as boarding planes). That is still in process.
Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000

This post looks at what is going on in one state, what may happen in the future, and what resistance the state may (or may not) meet from its own residents.

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

You will soon deal with privacy stakeholders (and they won’t care about the GYRO method)

I’ve written about the various stakeholders at government agencies who have an interest in biometrics procurements- not only in this post, but also in a post that is available to Bredemarket Premium subscribers. One of the stakeholders that appeared on my list was this one.

The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.

Broken Liberty: Istanbul Archaeology Museum. By © Nevit Dilmen, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1115936

If you haven’t encountered a privacy advocate in your marketing or proposal efforts…you will.

Utah Gov. Spencer Cox has appointed Christopher Bramwell as the Department of Government Operations’ first privacy officer….As privacy officer, Bramwell will be responsible for surveying and compiling information about state agencies’ privacy practices to discern which poses a risk to individual privacy. He will also work with the personal privacy oversight commission and state privacy officer to provide government privacy practice reports and recommendations.

Obviously this affects companies that work with government agencies on projects such as digital identity platforms. After all, mobile driver’s licenses contain a wealth of personally identifiable information (PII), and a privacy advocate will naturally be concerned about who has access to this PII.

But what about law enforcement? Do subjects in law enforcement databases have privacy rights that need to be respected? After all, law enforcement agencies legally share PII all the time.

However, there are limitations on what law enforcement agencies can share.

  • First off, remember that not everyone in a law enforcement database is an arrested individual. For example, agencies may maintain exclusion databases of police officers and crime victims. When biometric evidence is found at a crime scene, agencies may compare the evidence against the exclusion database to ensure that the evidence does not belong to someone who is NOT a suspect. (This can become an issue in DNA mixtures, by the way.)
  • Second off, even arrested individuals have rights that need to be respected. While arrested individuals lose some privacy rights (for example, prisoners’ cells can be searched and prisoners’ mail can be opened), a privacy advocate should ensure that any system does not deny prisoners protections to which they are entitled.

So expect to see a raised concern about privacy rights when dealing with law enforcement agencies. This concern will vary from jurisdiction to jurisdiction based upon the privacy (and biometric) laws that apply in each jurisdiction, but vendors that do business with government agencies need to stay abreast of privacy issues.

A little more about stakeholders, or actors, or whoever

Whether you’re talking about stakeholders in a government agency, stakeholders at a vendor, or external stakeholders, it’s important to identify all of the relevant stakeholders.

Or whatever you call them. I’ve been using the term “stakeholders” to refer to these people in this post and the prior posts, but there are other common terms that could be used. People who construct use cases refer to “actors.” Marketers will refer to “personas.”

Whatever term you use, it’s important to distinguish between these stakeholders/actors/personas/whatever. They have different motivations and need to be addressed in different ways.

When talking with Bredemarket clients, I often need to distinguish between the various stakeholders, because this can influence my messaging significantly. For example, if a key decision-maker is a privacy officer, and I’m communicating about a fingerprint identification system, I’m not going to waste a lot of time talking about the GYRO method.

My time wouldn’t be wasted effort if I were talking to a forensic examiner, but a privacy advocate just wouldn’t care. They would just sit in silence, internally musing about the chances that a single latent examiner’s “green” determination could somehow expose a private citizen to fraud or doxxing or something.

This is why I work with my clients to make sure that the messaging is appropriate for the stakeholder…and when necessary, the client and I jointly develop multiple messages for multiple stakeholders.

If you need such messaging help, please contact Bredemarket for advice and assistance. I can collaborate with you to ensure that the right messages go to the right stakeholders.

Are unified digital IDs a thing?

I’ve been busy helping a client who needed summer fill-in help, but I’m finally making the time to catch up on my reading. And this article from Government Technology was on my reading list.

When I read the title “Mobile Driver’s Licenses Pave the Way for Unified Digital IDs,” I was intrigued by the last three words. I mean, there are more and more states releasing (non-pilot) mobile driver’s licenses, and the standard is coming along, and work is being done to prepare for federal acceptance.

But what about the “unified” part? How did David Raths address that?

Government uses of digital ID

Well, he listened to Eric Jorgensen, director of Arizona’s Department of Transportation.

“I actually hate the term ‘mDL’ because it doesn’t recognize the power of what we’re doing here….The whole concept is that we’re providing a way to remotely authenticate a person, to provide a trusted digital identity that doesn’t exist today. Once we provide that, we’re opening doors to enhanced government services. Also, the government can play a key role in facilitating commerce, providing a better citizen experience and providing for the security of that citizen — that goes way beyond what a driver’s license is about.”

Although all that Jorgensen is discussing is providing a trusted digital identity that is equivalent to a trusted physical identity. If you have to show your driver’s license when visiting a government office’s physical location, conceivably you can show your digital driver’s license when visiting a government office’s website.

Enterprise uses of digital ID

And there are applications beyond government. Delaware and other states are persuading private businesses to accept mobile driver’s licenses as valid forms of identification. There’s a powerful use case for age-restricted products, of course; since all that an alcohol-selling business needs to know is whether you are over the age of 21, the mobile driver’s license ONLY shows that you are over the age of 21. It doesn’t show your address, your weight, or even your birthdate.

But what about a true UNIFIED digital ID?

However, I semantically question whether this is truly a “unified” ID. This is just digitization of an existing government-endorsed ID. A “unified” ID would be one that would not only let me drive, vote, and buy alcohol, but would also serve as my ID to log into Facebook or buy Bitcoin. (Yes, I realize that use of a government ID to buy Bitcoin violates the space-time continuum in some way.)

And for that to happen, work may need to be done to make mobile IDs compatible with existing authentication/authorization methods such as OAuth and OpenID Connect.

And the whole “but what if I don’t have a digital ID?” question must be addressed.

And the whole “but what if I want to use a self-sovereign ID that is NOT government endorsed?” question must be addressed.

And presumably a myriad of other questions would need to be addressed also.

But for me, I can’t address unified digital IDs today. Just got a message from my summer-challenged client…

DHS TSA mDL Public Meeting general observations

As I previously noted, today (June 30, 2021) was the day for the Department of Homeland Security’s Transportation Security Administration to hold its public meeting on its Request for Comment on “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.” (See PDF or text version. The second link contains the method for providing comments.)

I will not provide a recap of the comments made by participants during the meeting, but will instead provide some general observations.

Incidentally, the list of all meeting participants will be made public at some point, and it’s possible that the chat transcript from the meeting will also be made public at some point.

Agreement and disagreement among the participants

As can be expected, there were a variety of views expressed at the meeting, ranging from industry comments about the items that should be in the DHS standard, to privacy advocates who questioned why DHS was implementing a standard at all. One example:

  • Industry participants, such as myself, were enthusiastic about the ability of a mobile driver’s license (mDL) to automatically update itself when new information became available at the DMV. For example, if I move to a new address, the DMV can automatically update the mDL on my smartphone to reflect the new address.
  • Privacy participants were, to put it mildly, a bit less enthusiastic about this feature. Physical driver’s licenses are updated as infrequently as every ten years; why should digital driver’s licenses be any different?

But there was apparent agreement between the industry and privacy participants about one possible feature on mDLs – the ability to control the data that leaves the smartphone and is sent to the verifying official. Everyone seemed to agree that this information should be granular, and that the mDL should not automatically send ALL available information on the mDL.

Let me provide an example. When I go to a bar and use my physical driver’s license to prove my age, the verifier (Jane Bartender) is provided access to my name, my address, my date of birth, my height, my (claimed) weight, and all sorts of personal information that would freak out your average privacy advocate. NONE of this information is needed to prove my age, not even my date of birth. All that the verifier needs to know is whether I am over the age of 21. An mDL can be designed to specifically state ONLY that I am over the age of 21 without revealing my birthdate, my address, or my (claimed) weight.

(You’d think that the privacy advocates would be thrilled about this granularity and would urge people to use mDLs because of this privacy benefit, but privacy and security folks are naturally suspicious and have a hunch that all of the information is being provided in the background anyway through double-secret means.)

But are the participants ready to respond to the RFC?

I had one other observation from the meeting. Before sharing it, I should explain that the meeting allowed the participants to ORALLY share the views that they will subsequently express in WRITTEN comments on or before the July 30 deadline.

And based upon the oral comments that I heard, some of the participants are ready to share their written comments…and others are not.

There were participants who spoke to the DHS about their items of interest, not only briefly stating these items, but WHY these items should be important to the DHS and to the general public.

And then there were participants who concentrated on unimportant details that were NOT of interest to the DHS or the general public. I won’t provide specific examples, but let’s just say that some participants talked about themselves rather than about DHS’ needs.

If these participants’ written comments are of the same tone as their oral comments, I can assure you that their comments will not influence the DHS in any way. Although I guess they can go back to their organizations and proudly proclaim, “We told the DHS how important we are!”

The DHS doesn’t care how important you are. In the DHS’ mind, you are not important. Only the DHS is important. (Oh, and the Congresspeople who fund the DHS are important, I guess.)

Perhaps in the next 30 days these other participants will take a look back at their message drafts and ask themselves the “So what?” question. What will motivate the DHS to incorporate desired features into the standard? And why should they?

And, as always, I can help. If nothing else, I can confidentially review your draft comments before submission and provide some suggestions. (Yes, it’s shameless plug time.)

If I can help you with your RFC response:

Or perhaps you are ready to respond now. I guess we’ll all find out when the DHS publishes its final standards, which may or may not reflect your priorities.

The DHS RFI “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses” is NOT due on June 18 (it’s now due July 30)

Back in April I wrote about a Request for Information that was issued by the Department of Homeland Security. Its title: “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.”

The information was due to DHS on June 18 (tomorrow), and my post included a “shameless plug” offering to help companies with their responses.

No company requested my assistance.

But all is not lost, because you can STILL request Bredemarket’s assistance in composing your responses, because, according to Jason Lim, the due date has been extended.

DHS will hold a virtual public meeting on June 30, 2021 on mDL REAL ID RFI to answer questions regarding the RFI and to provide an additional forum for comments by stakeholders and other interested persons regarding the issues identified in the RFI.

DHS is also extending the comment period for the RFI by 42 calendar days to provide an additional period for comments to be submitted after the public meeting. New deadline is July 30, 2021.

If you want to register for the public meeting, click on the link at the bottom of Jason Lim’s LinkedIn post. I’ve already registered myself (the meeting starts at 7:00 am PDT, but at least I don’t have to commute to go to the meeting).

And the shameless plug still applies: if you need assistance in managing, organizing, writing, or checking your response, contact me (email, phone message, online form, appointment for a content needs assessment, even snail mail). As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.

Are you responding to the DHS RFI, “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses”?

I already posted about this Request for Information (RFI) on LinkedIn and Facebook, but I wanted to highlight the details of the Department of Homeland Security’s recent request (see PDF or text version).

The RFI delves into a number of questions about treating mobile (i.e. smartphone) driver’s licenses as REAL ID-compliant. The RFI itself states:

DHS invites comments on any aspect of this RFI, and welcomes any additional comments and information that would promote an understanding of the broader implications of acceptance of mobile or digital driver’s licenses by Federal agencies for official purposes. This includes comments relating to the economic, privacy, security, environmental, energy, or federalism impacts that might result from a future rulemaking based on input received as a result of this RFI. In addition, DHS includes specific questions in this RFI immediately following the discussion of the relevant issues.

The RFI can be responded to by any member of the general public, although it is expected that the majority of responses will come from mobile driver’s license vendors and various interest groups. And trust me, there is a wide range of interest groups that are interested in this topic, and in the broader topic of REAL ID in general. Federalism itself is a popular topic when discussing REAL ID.

(Although personally, I believe that if the Federal Government is controlling air travel, and if the Federal Government is…obviously…controlling Federal facilities, then the Federal Government can implement rule-making regarding access. Needless to say, since all 50 states and several territories have adopted REAL ID, the decision has been made.)

While respondents can conceivably talk about anything in their responses, DHS (as noted above) has 15 specific questions to which it is seeking information (see section IV beginning on page 20325). Some are general, such as general questions about security, and some are more specific, such as question 4, which specifically focuses on DHS adoption of requirements derived from “Industry Standard ISO/IEC 18013–5: Communication Interfaces Between mDL Device and Federal Agency, and Federal Agency and DMV.”

Responses to the RFI must be submitted by June 18, and are submitted electronically. (Read the Commenter’s Checklist, and note that DHS prefers that respondents address all 15 questions.) I’m sure that a number of companies and organizations are already starting to think about their responses.

Shameless plug: if you need assistance in managing, organizing, writing, or checking your response, contact me. As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.

The infancy of mobile driver’s licenses

More and more states are adopting mobile driver’s licenses that can be stored on a smartphone. Mobile driver’s licenses (mDLs) are available from Colorado, Delaware, Louisiana, and Oklahoma, and may be available from additional states by the time you read this.

LA Wallet Louisiana Digital Driver’s License. lawallet.com.

For me, the two key benefits of mDLs are the following:

  • If you have your smartphone, you have your mDL. Since smartphones are becoming more of a necessary must-have item – and wallets are not – the presence of a driver’s license on a smartphone is beneficial. (Unless, of course, you’re the type of person who misplaces your smartphone.)
  • mDLs can be designed to show only the information that is necessary. If I want to enter a bar or other facility for people over 21, I don’t have to show the bouncer my weight, my address, or even my birthdate. I just have to show the bouncer that I’m over 21.

While mDLs are becoming available in more states, they are not fully mature yet.

  • They are only valid in the state where they were issued. You can’t show your Oklahoma mDL in California. (Well, I guess you CAN show it, but a Californian isn’t obligated to do anything.)
  • Even within the state of issue, they’re still not always valid. At least some states require you to carry your physical driver’s license while driving, even if you have an mDL. And you can’t present an mDL to airport security in Denver or any other city. (See the LA Wallet image above, which clearly states “NOT FOR FEDERAL IDENTIFICATION.” So even if Louisiana’s physical driver’s license is REAL ID compliant, its mDL isn’t.)

Part of the issue regarding acceptance of mDLs is that the standards are still evolving. One key standard, ISO/IEC FDIS 18013-5 (Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application), is still under development.

But these four states, and others, didn’t want to wait until the standards were fully approved, and their solutions were fully certified, before issuing mDLs. Louisiana’s LA Wallet solution was introduced back in July 2018. While none of the solutions by definition can claim compliance with ISO/IEC FDIS 18013-5, they are already providing benefits to the license holders in these four states.

How long will it be until all states, provinces, and territories support mDLs?