Apple Digital Driver’s License Part 2

Recently, Apple announced that several states, including Arizona, Georgia, Connecticut, Iowa, Kentucky, Maryland, Oklahoma and Utah, will permit drivers to present a “digital” driver’s license, based on an accepted standard and stored in Apple customers’ digital wallet. A previous post discussed some of the issues related to the presentation of such digital IDs in the context of driving and the real world.

One issue is that drivers, well, move. So if I am in Maryland, and drive through the District of Columbia on my way to Virginia, in my home state, I am fine with the digital ID, but in the District and the Commonwealth, I can be arrested for driving without my license. As a result, to be in compliance with the law, I would have to carry both the digital and the analog versions of my ID, just as I have Apple Pay and the physical credit cards represented by Apple Pay. Convenient.

But hidden in the Apple announcement is an easter egg that may be portentous for those in the infosec community. The Apple identity management protocols that support the mobile driver’s license are part of a set of ISO standards for identity tokens. While Apple’s current implementation of mobile driver’s license (mDL) uses near-field communications (NFC) to exchange and validate tokens, those same tokens can be exchanged through any secure medium—like https, vpn or similar means of communication (and the term “secure” is used here in a relative sense).

Thus, as one article notes:

“Using your driver’s License to log in to websites may seem like a foreign concept, but it is quickly gaining momentum. With appropriate privacy protections in place, such as total user control over personal data released to Relying Parties (RP), the Connected mDL can be used to log in to government services websites with high assurance for both the mDL Holder and the RP. The ISO mDL can support authorizing access to websites now or in the future as standardization evolves to specify the Open ID parameters. The value to all parties is that Users will want to keep their social and professional identities separate from their Legal Identity, and eGov RPs may not trust Social logins.”

This could enable either identity-based or authorization-based access control or use by websites. You could, for example, be required to prove age to access “age-appropriate” materials like online cigarette or alcohol (or porn) sales, or residence to vote online in local school board propositions or purchase lottery tickets, or identity to access government sites, work sites, etc. The government-issued token—the driver’s license—becomes a digital identity document.

What Is a Driver’s License?

Remember what a driver’s license actually is. Driving a car or truck or motorcycle is dangerous and unnatural. You aren’t born knowing how to do it, and if you do it badly, people die. So you have to learn how to do it and demonstrate some basic competence and knowledge (to a certifying authority) in order to be permitted to propel a ton and a half of metal at a mile a minute. While many libertarians may disagree, as a general rule it makes sense that people be tested and certified in basic competence before they can steer that Chevelle in my neighborhood. A driver’s license is merely a certification that the person demonstrated such competence (and paid the fee). There’s a picture on the license (my first license had no picture; was printed by dot matrix and was not laminated) simply so that you can show that the person in the picture is the actual person who was certified to take the test. That’s it. You know how to drive—or at least, you knew how to drive for an hour, forty years ago.

We have converted that simple certification of ability into a near-universal identity document.

Identity Vs. Authority Vs. Ability Vs. Characteristics

The driver’s license, then, “certifies” several things. It certifies that a test has been passed (and a fee paid). It certifies that the bearer is the person who passed that test. It certifies authority or authorization to do something—in this case, operate a motor vehicle on roads and public highways. It incidentally certifies some of the other requirements to be licensed—like age, residence, lack of physical restrictions. Some of these data elements are intrinsic—height, weight, eye color, race (where asked)—though not immutable. Some are not (glasses, residence, organ donation). Some are in between (name, which can be changed). And finally, there is what the license is really all about—I was able to competently navigate a Buick Skylark for 40 minutes on the streets of Yonkers in 1974.

Identity and Access Management

The problem is, we use identity and authorization as one thing. We use identity as a proxy for attribution. If I want to, for example, buy alcohol online, various entities are interested in different things about the transaction. The vendor wants to ensure that they are paid—that is, that the payment token (e.g. credit card) is valid and that I am an authorized user of that token. They don’t really care about the name or identity, but identity is embedded into the token for non-repudiation purposes. So the “payment” token becomes an identity token (what’s the name on the card, expiration date, CVV and zip code?).

Cryptocurrencies and blockchain (and to some extent, cash) break that linkage. Payment does not require proof of identity or authorization to have value and non-repudiation. That is one reason that cryptocurrencies are popular—for good and for evil. They make payment systems into—well, payment systems. Transferral of value (or a token which the parties agree has value) from one party to another. Identity is only necessary to ensure that the value is transferred from an authentic and authorized person to an authentic and authorized person, and identity can be proxied. But it can also be spoofed, as hackers are using various techniques to spoof crypto wallet addresses and redirect funds.

Beyond Money

We also link identity to other things that don’t really require identity. If you want to sell alcohol to someone over 21, you need evidence of age—not identity. But we require proof of identity as well. In fact, all you really need to sell the alcohol is proof that the purchaser is over the legal age to buy and that their money is good. Now to deliver the product, you need a valid address to send it to as well as proof that the purchaser actually authorized delivery to that address (it doesn’t have to be their address). You may also need evidence that the product is permitted to be delivered to that address (10 cases of Tito’s Vodka to the United Arab Emirates?) And finally, that doesn’t solve the problem of porch pirates or repudiation of delivery. So you might require the purchaser to sign for the delivery—again, adding identity to the transaction.

The Apple ID

That’s where the mobile driver’s license comes in. When a police officer stops you, you are required to demonstrate that you have been appropriately licensed to operate a motor vehicle. If the linkage between the authorization and identity has been established on your device and acknowledged by the certificate authority (DMV or MVA) and can only be accessed biometrically by the licensed driver, then all you need to present is the single credential—the holder of this iPhone has a valid driver’s license. You need not present a picture, proof of residence or even proof of identity! You are required to carry evidence that you navigated the Buick successfully—one credential. Identity is irrelevant for that purpose.

But the cop wants to know who you are for other reasons. They want to issue a citation and compel the attendance of the person in court. They want to check if the person has existing warrants. They want to know the person’s driving record—or whatever information they find on that computer screen in their car. The data they input is used for things like enforcing the “Do Not Fly” list or other government lists. But remember, the purpose of the license is simply to show authorization to operate a vehicle. We can do that without identity.

By storing multiple credentials in one token, we can either present all of the credentials every time (the current implementation) or present only the credentials necessary. If a cop wants to check if you are licensed, only that credential is presented. If you use your mobile driver’s license to get into a bar, only the age credential is presented. If you are stopped by the police in a ‘stop and identify’ state, only the identity credential is presented. If you buy a lottery ticket, only the residence credential is presented. If you are in an accident, only the blood type or organ donor credential is accessible. This would permit the credential to carry a great deal more information, but protect that information from disclosure—if properly implemented.
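As an added illustration of the “present only the credential necessary” model described above (this is not Apple’s code and not the ISO mDL protocol itself), here is a simplified selective-disclosure scheme in Python: the issuer commits to each claim with a separately salted digest and signs only the digest list, the holder reveals just the claims a verifier asks for, and the verifier checks those against the signed digests. The claim names, the sample license and the use of an HMAC as a stand-in for the issuer’s public-key signature are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed issuer key: HMAC stands in for the DMV's asymmetric signature here.
# A real scheme uses a public-key signature so verifiers cannot forge credentials.
ISSUER_KEY = b"constructed-dmv-signing-key"

def claim_digest(name, salt, value):
    """Commit to one claim: hash of a per-claim random salt plus the claim itself."""
    payload = json.dumps([name, value], sort_keys=True).encode()
    return hashlib.sha256(salt + payload).hexdigest()

def issue(claims):
    """Issuer side: salt and hash each claim separately, then sign only the digest list."""
    salts = {name: secrets.token_bytes(16) for name in claims}
    digests = {name: claim_digest(name, salts[name], val) for name, val in claims.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    signature = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    return {"claims": claims, "salts": salts, "digests": digests, "signature": signature}

def present(credential, requested):
    """Holder side: reveal only the requested claims with their salts, plus the signed digests."""
    disclosed = {n: (credential["claims"][n], credential["salts"][n].hex()) for n in requested}
    return {"disclosed": disclosed, "digests": credential["digests"],
            "signature": credential["signature"]}

def verify(presentation, expected):
    """Verifier side: check the issuer signature, recompute disclosed digests, compare values."""
    body = json.dumps(presentation["digests"], sort_keys=True).encode()
    expected_sig = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, presentation["signature"]):
        return False  # digest list was not issued by the DMV, or was altered
    revealed = {}
    for name, (value, salt_hex) in presentation["disclosed"].items():
        if claim_digest(name, bytes.fromhex(salt_hex), value) != presentation["digests"].get(name):
            return False  # disclosed value does not match what the issuer committed to
        revealed[name] = value
    # Undisclosed claims stay hidden: asking for one of them fails rather than leaks.
    return all(name in revealed and revealed[name] == value for name, value in expected.items())

if __name__ == "__main__":
    license_ = issue({"name": "Jane Doe", "age_over_21": True, "state": "MD"})  # constructed sample
    bar_check = present(license_, ["age_over_21"])  # the bar sees no name or address
    print(sorted(bar_check["disclosed"]), verify(bar_check, {"age_over_21": True}))
```

One caveat the article’s tracking concern points at: the signed digest list is identical in every presentation, so a verifier that sees two presentations can link them even though the hidden claims stay hidden; breaking that linkage needs batch-issued one-time credentials or zero-knowledge proofs, which this sketch does not attempt.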

The problem is, many companies and government agencies like the extra information. They want to know and track activity. They want to merge identity and authorization so they can know who bought stuff, when and over what period of time. We are used to handing over a driver’s license to be able to do things other than drive—get on a plane, into a bar, vote, purchase things, etc. and create a record of what we have done.

For companies trying to do identity and access management, we use user IDs and passwords as proxies for “I am an employee” and “I am authorized to be here”—and bad proxies, at that. Instead of “I am an employee,” we get “I am John Smith, born June 4, 1984 in Smithfield, Mass., and licensed to operate a motor vehicle by the Commonwealth of Kentucky in the year 2000, with blue eyes and brown hair and 5’9” tall, and I live at 221B Baker Street in London, I was hired by the company in 2019 and am currently a security engineer in the Maida Vale office…” It’s a mess.

So the problem with the Apple driver’s license may end up being that it takes an imperfect system and replicates it digitally. We present an entire credential that isn’t necessary. We need to rethink what we want digital certificates to certify, what data we need to transfer and how to protect and secure that data—rather than just scanning in a cert to a wallet.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
