Mobile Driver's License: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
 
(22 intermediate revisions by the same user not shown)
Line 8: Line 8:
* Google announced (2020-11-04) [https://mail.google.com/mail/u/0/#inbox/FMfcgxwKjTXmMRsgNsdGtNvFkrBGgbrM privacy-preserving features in Android's Mobile Driving License framework] including the credential API in Android 11.
* Google announced (2020-11-04) [https://mail.google.com/mail/u/0/#inbox/FMfcgxwKjTXmMRsgNsdGtNvFkrBGgbrM privacy-preserving features in Android's Mobile Driving License framework] including the credential API in Android 11.
* The [https://kantarainitiative.org/groups/PImDL-work-group/ Kantara's discussion group on Privacy and Identity in the mobile driver' license] aka PImDL focus is now on North America where individual provinces and states are responsible for issuing Identity Cards based on their experience with the driver's license.
* The [https://kantarainitiative.org/groups/PImDL-work-group/ Kantara's discussion group on Privacy and Identity in the mobile driver' license] aka PImDL focus is now on North America where individual provinces and states are responsible for issuing Identity Cards based on their experience with the driver's license.
===Actors===
# Holder - the subject of the [[Mobile Driver's License]]
# Reader - a device that can read and verify the mDL, which is presumably hosted in a native smart phone app
# Issuing Authority - typically a state motor vehicle agency.
# Trust Authority - some sort of wide ranging list of valid participators - not well defined at this point.
* Caution on terms.  mDL and mDL app get conflated in the specs. The full mDL is seldom/never released by the app to the reader/verifier.
* Compare there terms Verifiable Credential and Presentation Exchange from the DIF folk. The VC (like the mDL or mdoc) may  be in the smartphone, but only a part is "presented" to the reader.


==Use Cases==
==Use Cases==
* [[Mobile_Driver's License in Healthcare]]
* [[Mobile_Driver's License in Healthcare]]
* [[State Issued ID for Healthcare]] on this wiki lists other uses states might have for the mDL standard format.
* The [[March 10, 2017 VPWG Meeting Page]] describes the ways that the Commonwealth of Virgina is expanding the use of the Identity cards. <blockquote>Catherine Schulten from LifeMed reported on the meeting she had with Dave Burhop. Both Dave and Catherine live in Richmond, Virginia. They met at the Department of Motors Vehicles where Dave is the CIO for the Commonwealth of Virginia DMV. The DMV have established a proof of concept for a mobile driver’s license that can be used as an ID card for vulnerable populations. In Heath care that is an interesting proposal because we could understand who the person is, help to understand programs available to them, and a lot of other information. These vulnerable people have a tendency to need a lot of health care. Catherine had proposed to Dave that they put together a study in a teaching hospital in Richmond that sees a lot of vulnerable individuals. Catherine would like to see how the combination of a mobile driver’s license and health care intersect for these people. LifeMed has a solution for identity in health care and she would like to see how the two programs could work together. Catherine will be putting together a proposal that Dave would bring to the DMV. There is no funding or grant money available, but right now they are charting the course without that in mind.</blockquote>
* The [[March 10, 2017 VPWG Meeting Page]] describes the ways that the Commonwealth of Virgina is expanding the use of the Identity cards. <blockquote>Catherine Schulten from LifeMed reported on the meeting she had with Dave Burhop. Both Dave and Catherine live in Richmond, Virginia. They met at the Department of Motors Vehicles where Dave is the CIO for the Commonwealth of Virginia DMV. The DMV have established a proof of concept for a mobile driver’s license that can be used as an ID card for vulnerable populations. In Heath care that is an interesting proposal because we could understand who the person is, help to understand programs available to them, and a lot of other information. These vulnerable people have a tendency to need a lot of health care. Catherine had proposed to Dave that they put together a study in a teaching hospital in Richmond that sees a lot of vulnerable individuals. Catherine would like to see how the combination of a mobile driver’s license and health care intersect for these people. LifeMed has a solution for identity in health care and she would like to see how the two programs could work together. Catherine will be putting together a proposal that Dave would bring to the DMV. There is no funding or grant money available, but right now they are charting the course without that in mind.</blockquote>
* The [[April 21, 2017 VPWG Meeting Page]] has a long discussion from Dave Burhop of Virginia on the use of the Driver's license with the Vulnerable population of the state. The last message was that Virginia charges $10 for the ID.
* The [[April 21, 2017 VPWG Meeting Page]] has a long discussion from Dave Burhop of Virginia on the use of the Driver's license with the Vulnerable population of the state. The last message was that Virginia charges $10 for the ID.
* Currently [http://www.card-reader.com/kiosk.htm kiosks have been deployed] that accept ISO 18013 compatible Driver's License cards. The same capability is likely to be required for ISO 18013-5 [[Mobile Driver's License]]s.


==Problems==
==Problems==
* [https://www-dallasnews-com.cdn.ampproject.org/c/s/www.dallasnews.com/news/watchdog/2020/11/26/after-27-million-drivers-license-records-are-stolen-texans-get-angry-with-the-seller-government/?outputType=amp Privacy of Driver's License not protected by some sovereign issuers like Texas].
* [https://www-dallasnews-com.cdn.ampproject.org/c/s/www.dallasnews.com/news/watchdog/2020/11/26/after-27-million-drivers-license-records-are-stolen-texans-get-angry-with-the-seller-government/?outputType=amp Privacy of Driver's License not protected by some sovereign issuers like Texas].
* The legal environment is also positively impacted by the [https://en.wikipedia.org/wiki/Riley_v._California Riley v. California case] of September 2014. The United States Supreme Court ruled that Police may not, without a warrant, search digital information on a mobile phone seized from an individual during an arrest.
* The legal environment is also positively impacted by the [https://en.wikipedia.org/wiki/Riley_v._California Riley v. California case] of September 2014. The United States Supreme Court ruled that Police may not, without a warrant, search digital information on a mobile phone seized from an individual during an arrest. So the issue about whether the NFC tap to release feature will work, or if the police will just take the phone and not return it.


==Solutions==
==Solutions==
* [https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/driving-licence/digital-driver-license NIST pilot run by Thales] This page hast a list (20201-10) of states that have mDL tests in progress.
* [https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/driving-licence/digital-driver-license NIST pilot run by Thales] This page has a list (20201-10) of states that have mDL tests in progress.
* [https://www.aamva.org/Mobile-Drivers-License/  AAMVA page dedicated to Mobile Driver's License (mDL)]
* [https://www.aamva.org/Mobile-Drivers-License/  AAMVA page dedicated to Mobile Driver's License (mDL)]
===Privacy Considerations===
* [https://security.googleblog.com/2020/10/privacy-preserving-features-in-mobile.html Google Privacy-preserving features in the Mobile Driving License] (2020-10-28) Which depends on the following Android 11 API3 0 Identity Credential features, However a keystore backed version will run on API 24 and later.
** [https://developer.android.com/reference/android/security/identity/IdentityCredentialStore IdentityCredentialStore] first available in [https://developer.android.com/reference/kotlin/androidx/security/identity/IdentityCredential API 30].
** [https://developer.android.com/jetpack/androidx/releases/security#security-identity-credential_version_100_2 Android Jet-pack] (2020-08-19) Security-Identity-Credential Version 1.0.0-alpha01 (and later), compatible with the data structures in the  ISO 18013-5 Personal identification — ISO-compliant driving license — Part 5: Mobile driving licence (mDL) application
===Consent and Notice===
The spec is unclear how exactly how the mDL in a smartphone would provide notice or consent. The following are an expectation of a user.
# Who wants to know - hopefully this would be a trustworthy statement of the reader's owner.
# What will they do with the information?
# What data is requested.  Most interesting is the picture and ID #.
Notice in a case like this is difficult as the standard does not even require the mDL reader from reporting the name of the entity requesting the id. Assuming that it did the question is whether that would constitute notice or if some sort of consent receipt would be required.


==References==
==References==
* [[State Issued ID for Healthcare]] on this wiki lists other uses states might have for the mDL standard format.
* Also see the companion document on [[Mobile Driver's License Criteria]] for a high level of assurance.
* [https://docs.kantarainitiative.org/PImDL-V1-Final.html The report on Privacy and Identity in mobile Driver's Licenses] by the Kantara discussion group.
* [https://medium.com/@dkelts.id/mobile-driver-licenses-mdl-how-to-use-iso-18013-5-5a1bbc1a37a3 nice description on Medium]
* [https://www.pewresearch.org/internet/fact-sheet/mobile/ Pew Research mobile fact sheet]
* [https://www.pewresearch.org/internet/fact-sheet/mobile/ Pew Research mobile fact sheet]
* [https://www.mdlconnection.com/ review the mDL resources available from the Secure Technology Alliance on the mDLConnection website]
* [https://www.mdlconnection.com/ review the mDL resources available from the Secure Technology Alliance on the mDLConnection website]
Line 35: Line 58:
[[Category: Profile]]
[[Category: Profile]]
[[Category: Identity]]
[[Category: Identity]]
[[Category: User Experience]]

Latest revision as of 20:52, 2 July 2021

Full Title or Meme

The Mobile Driver's License is being developed to expand the Identity functions of the driver's license to the online space.

Context

Actors

  1. Holder - the subject of the Mobile Driver's License
  2. Reader - a device that can read and verify the mDL, which is presumably hosted in a native smart phone app
  3. Issuing Authority - typically a state motor vehicle agency.
  4. Trust Authority - some sort of wide ranging list of valid participators - not well defined at this point.
  • Caution on terms. mDL and mDL app get conflated in the specs. The full mDL is seldom/never released by the app to the reader/verifier.
  • Compare there terms Verifiable Credential and Presentation Exchange from the DIF folk. The VC (like the mDL or mdoc) may be in the smartphone, but only a part is "presented" to the reader.

Use Cases

  • Mobile_Driver's License in Healthcare
  • State Issued ID for Healthcare on this wiki lists other uses states might have for the mDL standard format.
  • The March 10, 2017 VPWG Meeting Page describes the ways that the Commonwealth of Virgina is expanding the use of the Identity cards.

    Catherine Schulten from LifeMed reported on the meeting she had with Dave Burhop. Both Dave and Catherine live in Richmond, Virginia. They met at the Department of Motors Vehicles where Dave is the CIO for the Commonwealth of Virginia DMV. The DMV have established a proof of concept for a mobile driver’s license that can be used as an ID card for vulnerable populations. In Heath care that is an interesting proposal because we could understand who the person is, help to understand programs available to them, and a lot of other information. These vulnerable people have a tendency to need a lot of health care. Catherine had proposed to Dave that they put together a study in a teaching hospital in Richmond that sees a lot of vulnerable individuals. Catherine would like to see how the combination of a mobile driver’s license and health care intersect for these people. LifeMed has a solution for identity in health care and she would like to see how the two programs could work together. Catherine will be putting together a proposal that Dave would bring to the DMV. There is no funding or grant money available, but right now they are charting the course without that in mind.

  • The April 21, 2017 VPWG Meeting Page has a long discussion from Dave Burhop of Virginia on the use of the Driver's license with the Vulnerable population of the state. The last message was that Virginia charges $10 for the ID.
  • Currently kiosks have been deployed that accept ISO 18013 compatible Driver's License cards. The same capability is likely to be required for ISO 18013-5 Mobile Driver's Licenses.

Problems

Solutions

Privacy Considerations

Consent and Notice

The spec is unclear how exactly how the mDL in a smartphone would provide notice or consent. The following are an expectation of a user.

  1. Who wants to know - hopefully this would be a trustworthy statement of the reader's owner.
  2. What will they do with the information?
  3. What data is requested. Most interesting is the picture and ID #.

Notice in a case like this is difficult as the standard does not even require the mDL reader from reporting the name of the entity requesting the id. Assuming that it did the question is whether that would constitute notice or if some sort of consent receipt would be required.

References