Digital Driver's Licenses: Unintended Consequences - Security Boulevard


Maryland recently joined seven other U.S. states in permitting users to carry “digital driver’s licenses.” Under the program, which initially works only with Apple devices such as the iPhone, users download a digital credential (a digital driver’s license) to their phones. The digital ID is carried in Apple Wallet in much the same way as a regular ID is carried in a regular wallet. The digital driver’s license is based on the mobile driver’s license (mDL) standard from the International Organization for Standardization, ISO/IEC 18013-5.

Obviously, there are issues here related to the security of the credential, the degree of authentication necessary to obtain it, whether it can be loaded onto multiple devices at the same time and whether I can “loan” my driver’s license to my identical twin brother (yes, I have an identical twin brother). Moreover, for the credential to be meaningful, it must permit both offline and connected validation: a police officer needs to be able to check, at the scene of a violation or accident and without network access, that you have an apparently valid ID, and must also be able to validate the ID against some online database. In addition, we need to decide who has access to the digital validation protocols. Police and other traffic enforcement officials? TSA or transportation security officials? The dude at the front desk of the office building? The bouncer at the bar? The server serving alcohol? The resident associate (RA) checking people in at the college dorm? Are there any controls on who can access these credential validation services and for what purpose? Note where the spoofing risk actually sits. If the “check” is a human glancing at the phone screen, a digital credential is trivially spoofed (simply take a screenshot of someone else’s). If the check is a reader that verifies the issuing state’s signature over the license data and the holder device’s signature over the session, a screenshot is useless, and that verification works offline; the mDL standard is built around exactly that. Offline validation therefore need not depend on the visual features (the photo, the watermark and all the other stuff we put on the “real ID” driver’s license), but it does depend on the verifier actually having a reader, which matters a great deal below.

The Registration Process

According to Apple’s announcement, users of Apple’s Wallet app who wish to add a participating state’s driver’s license or ID

“… can simply tap the + button at the top of the screen in Wallet on their iPhone to begin adding their license or ID. If the user has an Apple Watch paired to their iPhone, they will be prompted to also add their ID or driver’s license to their Wallet app on their Apple Watch. The customer will then be asked to use their iPhone to scan their physical driver’s license or state ID card and take a selfie, which will be securely provided to the issuing state for verification. As an additional security step, users will also be prompted to complete a series of facial and head movements during the setup process. Once verified by the issuing state, the customer’s ID or driver’s license will be added to Wallet.”

Hmm. That’s curious. You already took a really bad picture of yourself when you got your driver’s license (pro tip: Get your picture taken when you’re drunk so it will match what you look like when you are stopped by police or a bouncer). So you upload another picture of yourself, with a scripted series of head movements, to prove that the person holding the phone is the same as the person whose image is in the state driver’s license registry? So the MVA/DMV is going to run a facial recognition system that compares your selfie against the photo on file? What could possibly go wrong? And if your selfie doesn’t match your DMV photo (bad lighting, or perhaps you belong to a racial minority, for whom facial recognition is notoriously less accurate), then what? No driving for you? And what does the DMV/MVA do with the second picture that you just sent it? If there are laws prohibiting the DMV/MVA from sharing photos that it took, do those privacy laws also apply to pictures you took and sent it? All very curious.

In fact, the standard suggests that “For unattended, disconnected use cases, trusted biometric attachments to the reader can verify the identity of the mDL holder versus the signed portrait image verified during the data exchange.” Translation: you go to a beer vending machine and present your mobile driver’s license (mDL). You transmit your credential to the machine’s NFC reader, and the credential includes a signed copy of your driver’s license picture. Then the machine takes your picture and uses facial recognition to check whether you match your driver’s license photo, and if you do, and you are over the legal drinking age, you get your Natty Boh (it’s a Maryland thing), which you can then hand over to that 17-year-old kid next to you, right? So cops, bouncers and security guards will have not only NFC readers but facial recognition cameras. Cool. Cool. Cool. The standard also anticipates transmitting your mDL over the internet, or over broadcast media over long distances, to permit purchases of “adult” materials or beverages online. Want to download videos that are “inappropriate” for minors? No problem. Just transmit your mDL and stay still while your computer captures your image for the facial recognition engine, and you can now access your smut. All anonymously, right??

But that’s not what this article is about. There is a more practical problem when you mix analog law with digital technology.

Having the digital driver’s license is one thing. Presenting it is another. According to the same Apple announcement:

Presenting a driver’s license or state ID to TSA: Once added to Wallet, customers can present their driver’s license or state ID to the TSA by simply tapping their iPhone or Apple Watch at the identity reader. Upon tapping their iPhone or Apple Watch, customers will see a prompt on their device displaying the specific information being requested by the TSA. Only after authorizing with Face ID or Touch ID is the requested identity information released from their device, which ensures that just the required information is shared and only the person who added the driver’s license or state ID to the device can present it. Users do not need to unlock, show, or hand over their device to present their ID.

Um, just a few questions here. First, you have to authenticate to your phone with a biometric to “present” your driver’s license. OK, seems reasonable. But this indicates that the information will be sent to “the identity reader.”

What “identity reader”? And how is the data transmitted? Presumably through a “secure” NFC transmission to some device held by the police, the TSA, the bouncer or the security guard. And what “data” is transmitted? The Apple article says “the specific information being requested by the TSA.” With a contactless credit card, that is easy: the card number and the transaction data the terminal needs. With a ballpark ticket, it’s the seat number. But what information is transmitted from the driver’s license? Under the mDL standard, the reader sends a request naming the data elements it wants, the phone shows the holder that list, and only the approved elements are released. The portrait is itself one of those elements, so a reader can ask for your photo just as it can ask for your license number, address or date of birth, or for a simple yes/no answer such as “over 21.” Which elements a trooper, a TSA agent or a bouncer is entitled to request, and what each of them does with the answer, is not something the standard decides. Devil. Details.
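To make concrete both the offline-validation point raised at the top of the article and the “what data is transmitted?” question just above, here is an added example written for this editorial pass; it is not code from Apple, the State of Maryland or the ISO standard. It models the ISO/IEC 18013-5 data flow in Python: the issuer signs a set of salted digests of the license’s data elements together with the holder device’s public key (the mobile security object, or MSO); the holder, after authorizing on the phone, releases only the elements the reader asked for (here, `age_over_21` and `portrait`) and signs them together with the reader’s session transcript using the device key; the reader verifies both signatures offline with nothing but the issuer’s public key. Two pieces are stand-ins and are labelled as such in the code: textbook RSA replaces the standard’s ECDSA/COSE signatures and canonical JSON replaces CBOR. The sample record and the `reader-nonce` transcript are constructed for the example; the element names follow the standard’s naming.

```python
"""Toy model of mDL selective disclosure in the ISO/IEC 18013-5 shape (added illustration).
Stand-ins, NOT the standard: textbook RSA replaces the ECDSA/COSE_Sign1 signatures and
canonical JSON replaces CBOR. The structure is faithful: the issuer signs salted digests plus
the device public key (the MSO), the holder reveals only requested elements, the reader
checks everything offline against the issuer's public key."""
import copy, hashlib, json, math, os, random

DOC_TYPE = "org.iso.18013.5.1.mDL"

def canon(obj) -> bytes:
    """Deterministic serialization (CBOR stand-in) so digests and signatures reproduce."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, fine for a toy key and nothing else."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # fixed length, odd
        if _is_probable_prime(cand):
            return cand

def keygen(bits: int = 512):
    """Toy RSA keypair -> (public, private); insecure stand-in for the standard's EC keys."""
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, msg: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), priv[1], priv[0])

def verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def issue_mdl(issuer_priv, device_pub, claims: dict) -> dict:
    """Issuer (the DMV): salt and hash each data element, sign digests + device key (the MSO)."""
    disclosures = {k: {"salt": os.urandom(16).hex(), "value": v} for k, v in claims.items()}
    digests = {k: hashlib.sha256(canon(d)).hexdigest() for k, d in disclosures.items()}
    mso = {"docType": DOC_TYPE, "deviceKey": list(device_pub), "digests": digests}
    return {"mso": mso, "issuerSig": sign(issuer_priv, canon(mso)), "disclosures": disclosures}

def present(cred: dict, device_priv, requested: list, transcript: bytes) -> dict:
    """Holder (the phone, after Face ID approval): release only the requested elements and
    bind them to this reader's session transcript with the device private key."""
    released = {k: cred["disclosures"][k] for k in requested if k in cred["disclosures"]}
    return {"mso": cred["mso"], "issuerSig": cred["issuerSig"], "released": released,
            "deviceSig": sign(device_priv, transcript + canon(released))}

def verify_presentation(pres: dict, issuer_pub, transcript: bytes):
    """Reader (trooper, TSA, bouncer): works offline given only the issuer's public key."""
    mso = pres["mso"]
    if mso.get("docType") != DOC_TYPE or not verify(issuer_pub, canon(mso), pres["issuerSig"]):
        return False, "issuer signature invalid"
    for name, disclosure in pres["released"].items():
        if mso["digests"].get(name) != hashlib.sha256(canon(disclosure)).hexdigest():
            return False, f"digest mismatch: {name}"
    if not verify(tuple(mso["deviceKey"]), transcript + canon(pres["released"]), pres["deviceSig"]):
        return False, "device authentication failed (copied or replayed presentation)"
    return True, {k: d["value"] for k, d in pres["released"].items()}

def demo() -> dict:
    """Honest age check, then a replayed copy (what a screenshot amounts to) and a tampered value."""
    issuer_pub, issuer_priv = keygen()
    device_pub, device_priv = keygen()
    cred = issue_mdl(issuer_priv, device_pub, {  # constructed sample record, not real data
        "family_name": "Doe", "given_name": "Jane", "birth_date": "2005-06-07",
        "resident_address": "1 Main St, Baltimore MD", "age_over_21": False,
        "portrait": "<jpeg bytes omitted>"})
    transcript = b"reader-nonce:" + os.urandom(8)  # fresh per session, supplied by the reader
    pres = present(cred, device_priv, ["age_over_21", "portrait"], transcript)
    honest, released = verify_presentation(pres, issuer_pub, transcript)
    replay, _ = verify_presentation(pres, issuer_pub, b"reader-nonce:some-other-reader")
    tampered = copy.deepcopy(pres)
    tampered["released"]["age_over_21"]["value"] = True  # holder edits the answer after issuance
    tamper, _ = verify_presentation(tampered, issuer_pub, transcript)
    return {"honest": honest, "released": released, "replay": replay, "tamper": tamper}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the honest presentation verifying with only the two requested values released (the address, name and birth date never leave the phone), the same presentation replayed to a second reader failing because the device signature no longer covers that reader’s session, and the presentation with `age_over_21` flipped failing on the digest check. That is the difference between a reader and a glance: a screenshot shows a picture of the data but can produce neither the issuer’s signed digests nor a fresh device signature, and none of this requires the reader to be online.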

Moreover, this assumes that every patrol car, every police officer, every bouncer, every security guard, etc., has an “identity reader” with them all the time. If not, they will ask you to hand over your license—which means handing over your phone.

So you’re driving on the Baltimore Washington Parkway and are pulled over by a Maryland State Trooper. She demands your driver’s license, vehicle registration and proof of insurance. In the “real” world, you (with permission) reach into your glove compartment for the registration—which you know you shouldn’t keep in the glove compartment, but, hell, where else are you going to keep it? You also (again with permission) reach for your wallet (v e r y  s l o w l y) and remove your driver’s license and then …

Then you hand these documents to the trooper. Right? Under Maryland law, “Each individual driving a motor vehicle on any highway in this State shall display the license to any uniformed police officer who demands it.” Here’s the kicker. The same statute provides that “display” means the manual surrender of the licensee’s license into the hands of the demanding officer for inspection. Virginia law requires a person stopped by a police officer to “exhibit his registration card, driver’s license, learner’s permit, or temporary driver’s permit”. In many U.S. states and some localities, the police can stop and question individuals and demand that they produce ID (so-called “stop and identify” jurisdictions).

The Problem With Digital ID

So here’s the problem with a digital ID. If the only ID you have is on your phone and your battery dies, you can be cited, or even arrested, for driving without a license. The same applies to getting on an airplane, into a bar or anyplace else that requires an ID. So, as a practical matter, you would want to carry both the digital and the analog ID. Which means replacing both if one is lost, which means that all of the economies associated with digital delivery and presentation are lost.

But more importantly, if you are required to “present” or “exhibit” your digital driver’s license, you are now compelled to hand over your unlocked phone to the cops. In 2014, in Riley v. California, the U.S. Supreme Court recognized the unique character of devices like cell phones and the tremendous amount of information they contain, and held that police could not seize and examine a cell phone’s contents as a “search incident to arrest” without a warrant.

Now, in this hypothetical situation, you simply hand the cops your unlocked cell phone. Without a warrant, without probable cause. So now the cop takes your “license”—that is, your unlocked cell phone—to the squad car. They check to see if you have been texting while driving. They check your GPS to see where you are going (and where you have been). They read your emails, text messages and scan your social media and online platforms. They may even image the contents of the phone and online materials.

After all, you have “consented” to the search by handing the police your unlocked phone, right?

The truth is that (1) you haven’t really voluntarily “consented” to any search; you did what the law required and “exhibited” or “displayed” your driver’s license to police on demand, and if you don’t do that (assuming you are operating a motor vehicle, which in many states includes just sitting in the car with the engine off) you can be arrested; and (2) merely providing the “license” for examination is not consent to any and all searches.

But a court could disagree. A court could find that the police may examine the phone because you have consented. It could rule that the police may at least look at whatever is on the home screen under what is called the “plain view” doctrine: if a text message pops up on the screen while they are examining your phone, well, that’s plain view. A court could mandate that a driver unlock the phone (and, if it times out, unlock it repeatedly) or face incarceration for driving without a license. In states that have “stop and identify” laws, the cops could walk up to virtually anyone they suspect of committing, having committed or intending to commit any crime and demand that they produce their ID, that is, their unlocked phone.

In the same vein, a bartender could demand a woman’s driver’s license (her unlocked cell phone) and then scroll through it for anything he wanted. Of course, this would be inconsistent with the collection-limitation and use-limitation principles of privacy law, but most states don’t have a general privacy law, and where they do, it’s not clear that it applies to someone looking at chats or pictures on a cell phone. Although it should.

At the end of the day, the Fourth Amendment prohibits police (and those working as agents for the police or the government) from engaging in a “search” or “seizure” that is “unreasonable.” Whether a full-on examination of a “voluntarily” surrendered cell phone is “reasonable” will depend on what the courts have to say.

If the courts interpret the transaction as consent to examination, you can bet that people will stop using digital IDs. Or, more likely, jurisdictions will move to digital IDs only and, once there is no choice but a digital ID, then the courts will rule that a person handing their phones to the cops, to a bartender or to a TSA agent constitutes consent to an examination. And that’s how rights are lost—slowly, over time. What is needed are clear rules on what police and others can and cannot do with devices that contain digital IDs. And right now we don’t have such rules.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
