When Digital Devices Meet Analog Laws: The Digital License Paradox
When California allowed car owners to opt for “digital license plates” which could be customized to add personal messages, few who opted into the new technology suspected that they were permitting the government to track their location anywhere they were. But a recent penetration test of the California Reviver license plate indicated that, with superuser privileges, hackers were able to track the GPS locations of every single registered user, manipulate data on users’ plates and to engage in a specific form of cyberswatting—activating a feature of the license plate to change the characters to the term “STOLEN”—alerting police that the vehicle was stolen. The Reviver website markets advantages of the digital plate, including helping drivers if their cars are disabled or stolen, and indicated that the data is stored digitally on the cloud. Less obvious is the fact that not only can this location data be hacked, it can be subpoenaed or obtained by a court order. This means that your license plate may dime you out if you are driving to a girlfriend’s house, are in the neighborhood of a bank robbery or happen to drive near a clinic providing prenatal care.
But more significantly, when we move to new technologies, we often fail to update the laws and regulations that applied to the previous iteration of said technology. In the case of Reviver, since they are not a telephone company, the location data they collected is not consumer proprietary network information (CPNI). Since the data tracks only a license plate and not a person, a court might find (and, in my opinion, would be wrong to find) that the location data is not personally identifiable information (PII). Indeed, the Commonwealth of Virginia used this rationale to justify the use of automated license plate readers to collect and permanently store data about drivers’ whereabouts on public roads. This was true even though the U.S. Supreme Court held that a police officer had probable cause to stop a driver of a car because a license check of the owner (not the driver) of the car indicated that the owner’s license had been suspended. It was reasonable to presume that the driver was the owner. So, it’s Schrödinger’s car—where the owner is simultaneously presumed to be (and not to be) the driver.
Another example relates to Maryland’s new digital driver’s license. The Maryland legislature authorized the issuance of new “electronic credentials” to be used by licensed drivers “in addition to, and not instead of, a license or an identification card …” As implemented, users provide a copy of their regular Maryland driver’s license through an app. The app, after validating the user (including biometric validation), issues a digital certificate or credential which the user then downloads to their mobile device. On the iPhone, this takes the form of a digital wallet certificate, which can communicate with the police, airport personnel, etc., through Near Field Communication. As a result, the driver no longer needs to hand over their driver’s license, and particularly need not hand over the phone. The data elements necessary for verification are (presumably) beamed securely from the driver’s phone to the receiver. In fact, the legislature noted specifically that the motor vehicle administration “shall design the electronic credential in a manner that allows the credential holder to maintain physical possession of the device on which the electronic credential is accessed during verification.”
Yeah, sure.
The problem is, under Maryland law, like other jurisdictions, “[e]ach individual driving a motor vehicle on any highway in this State shall display the license to any uniformed police officer who demands it.” Unlike some states, however, Maryland law defines “display” as “the manual surrender of the licensee’s license into the hands of the demanding officer for inspection …”
So, users in Maryland who attempt to “present” their digital driver’s license to police will be required to physically give their phones to the police for inspection. This likely means they must unlock the phone so it can be inspected. This is true despite the fact that the U.S. Supreme Court held that police are not entitled to conduct a search of a cell phone at a crime scene without probable cause and a warrant, under most circumstances. Moreover, a court might find that, by handing the phone to the police, the driver had abandoned their expectation of privacy in the device. Therefore, the police could engage in a full-fledged examination (or forensic reproduction) of the device’s contents.
This was not the legislature’s intention when it created digital credentials. In fact, under the “full faith and credit clause” of the U.S. Constitution, each state must recognize the public acts (including the issuance of driver’s licenses) of the other states. But if I drive into the District of Columbia or Virginia with my Maryland digital driver’s license, there is not yet a technology that allows the Virginia State Trooper to “read” my Maryland digital license. As such, I either have to continue to carry—and “present”—my plastic ID card, eliminating any advantage of having a digital ID, or face the risk of being arrested for violating Virginia law which makes it an infraction for anyone who “fails to carry his license or permit, and the registration card for the vehicle which he operates …” Even if you showed that you had the license with you, you still have to pay the court costs associated with the offense.
Now, back to the digital license plate. The company that issues it requires payment of a monthly fee. If you fail to pay the fee (or, more accurately, if the company thinks you have failed to pay the fee) then you are driving without a valid license plate. Moreover, while the California digital plate is reportedly accepted in other jurisdictions, police in those jurisdictions who are unfamiliar with the technology may use this as a justification for pulling over California drivers. For example, states like Alabama, Arizona, Arkansas, Delaware, Florida, Georgia, Indiana, Kansas, Kentucky, Louisiana, Michigan, Mississippi, New Mexico. North Carolina, Oklahoma, Pennsylvania, South Carolina, Tennessee and West Virginia do not automatically issue front license plates, and it is perfectly legal to drive in those states without a front plate. If you drive without a front plate in other jurisdictions, you may get stopped, arrested, searched and have your vehicle impounded.
Technology transitions are hard, and technology often changes faster than the law. Courts grapple with this all the time. Are emails “writing” under the law? Are text messages? Emojis? Where is the “original” of an email or digital document? When new technologies meet old laws, it may mean that you end up pulled over on the side of the road in handcuffs. The price of progress?
