The ACLU has issued legislative recommendations on protecting privacy and accessibility when creating digital IDs.
Around the country, state legislatures are embracing the creation of a nightmarish new electronic national identification system that has the potential to track everybody — online and off. This system is being created in the form of digital driver’s licenses. At first blush, these can seem harmless. Digital driver’s licenses are just what they sound like: a digital version of your state-issued driver’s license, permit, or non-driver ID, carried in an app on your smartphone.
Many people — including state legislators — seem to think that since a lot of people are already putting their credit cards in their digital wallets, why can’t we let them put their driver’s licenses in too?
But, as the ACLU has been pointing out for several years, it’s not so simple. Identity documents are entirely different from credit cards and other private authentication devices. IDs are government-created documents that are required for many official purposes. If you don’t like your driver’s license, you can’t get rid of it and go to a competitor. And a digital driver’s license that lacks sufficient privacy protections has the potential to worsen inequality by further blocking low-income and other marginalized groups from full participation in society. It could also lead to an explosion of demands to identify ourselves and allow everyone to be tracked through their ID, not only in the stores and offices they visit, but in their online activities.
At the ACLU, we are tempted to say hell no, no digital ID ever. But several things give us pause. First, there is clearly a strong societal demand for digital and remote transactions, and a corresponding need to identify people electronically, sometimes for legitimate purposes. If you want to do business with the IRS online, for example, you want to be really sure that nobody else can pose as you. That strong demand may mean that the arrival of digital IDs in some form is inevitable.
Second, in response to this demand, companies and government agencies are resorting to harmful, makeshift services that use face recognition and are run by opaque, and sometimes deceitful, private companies that have a profit motive to abuse information. To confirm identity, companies and agencies are also turning to data broker companies that compile information about individuals without their knowledge or consent — and in so doing, funnel money to that unethical industry.
Third, it is entirely possible, using well-established and easily available cryptographic technologies, to prove our identities — or attributes such as our age, residency, or other characteristics — when reasonably necessary, without resorting to digital IDs that run the risk of allowing us to be tracked. A national standard for digital driver’s licenses or other digital IDs that made use of available privacy-protecting technologies would go a long way toward making an American digital ID system palatable from a civil liberties and civil rights perspective.
Right now, we’re concerned that a number of state legislatures and government agencies are rushing toward adopting digital driver’s licenses that do not require a minimum standard of privacy-protecting design. They are being pushed to adopt these licenses by powerful national entities, such as the Transportation Security Administration (TSA) and the DC-based American Association of Motor Vehicle Administrators (AAMVA). This creates the very real prospect that we’ll get locked into a digital identity system, potentially for decades, that is a huge threat just because nobody bothered to include privacy protections in the system.
What would those privacy-protecting technologies look like? In a legislative guidance document published this month, the ACLU outlines the minimum necessary features that any state digital driver’s license or other digital ID should include to ensure that going digital does not mean forgoing needed privacy measures.
These privacy-protecting design features are not enough, however. Even with such measures in place we are likely to see the availability of a digital ID system spark an avalanche of new identity demands, especially online, where tech companies love to know who you are and what you’re doing at all times for advertising and other purposes. Legislative steps are also necessary to minimize the exclusionary effect that digitizing identity is likely to have for those without the ability to fully enter the digital world. Right now, one in ten Americans doesn’t own a smartphone, including 16 percent of Black people and a quarter of people 65 or older. Affordable internet connectivity can also be a problem; 24 million Americans lack access to fast internet service.
In our legislative guidance, we explain 12 features that we believe are an absolute minimum requirement to ensure that any digital ID system is privacy-protective and as equitable as possible. They include, for example:
- Don’t let the ID issuers track their usage. When you show your plastic license to a clerk, nobody besides you and the clerk has a record of that transaction. But one standard for digital driver’s licenses — developed by a secret international committee and being pushed by the TSA and AAMVA — allows for Departments of Motor Vehicles (DMV) or other issuers of digital IDs to get data every time we use our digital license. State legislatures should prohibit such capabilities.
- User control over the release of data. If you have to prove that you’re over 21, you shouldn’t have to share your age, date of birth, name, or any other data. That privacy-preserving capability is possible with digital IDs, and state legislatures should require that IDs allow holders to share the minimum data necessary for a transaction.
- Don’t let ID verifiers track ID holders. Digital IDs must not be allowed to serve as “super cookies” — unique identifiers that allow us to be tracked across the stores, offices, and web sites that we visit. Available options to protect privacy against such tracking include single-use credentials, in which the DMV or other issuer provides a digital “stack” of unique IDs, each of which is used with a different verifier, or cryptographic techniques such as anonymous credentials. State legislatures should require that IDs be designed to make tracking impossible.
- Preserving the right not to use a digital ID. People may have legitimate reasons for not wanting to use a digital ID. Many people do not possess smartphones, do not have reliable internet access, or do not have the technological savvy to participate in a digital identity system. Legislatures should bar those engaged in commerce or other regulated activities from refusing to accept physical IDs on an equal basis.
- Restrictions on ID demands. Once it becomes easy to share your ID with the press of a button, the danger is that we start getting identity demands from all quarters. Want to enter a 7-Eleven? Scan your ID. Want to browse a clothing store, buy a cup of coffee, park your car? Scan your ID. Want to watch a video, or log on to social media, or look at a news site? “Click here to send us your digital ID.” Legislatures should limit ID demands to only those that are reasonable and necessary for the transaction, such as in the purchase of age-restricted items.
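As an added illustration of the second and third points above (this is example code written for this page, not from the ACLU guidance or from any digital driver’s license standard): the issuer commits to each attribute with a salted hash and signs the set; the holder opens only the “over 21” attribute, so the verifier never sees name or date of birth; and each copy in the issued “stack” carries fresh salts and a fresh id, so two verifiers have nothing in common to correlate. The HMAC is an assumed stand-in for the issuer’s digital signature; a real issuer would use a public-key signature so that verifiers hold only the public key.

```python
import hashlib, hmac, json, secrets

# Constructed issuer secret, standing in for a signing key (assumption: a real
# issuer uses a public-key signature so verifiers never hold this value).
ISSUER_KEY = secrets.token_bytes(32)

def _digest(name, value, salt):
    # Salted per-attribute commitment; the salt hides low-entropy values like "true".
    return hashlib.sha256(salt + name.encode() + b"=" + value.encode()).hexdigest()

def _sign(digests, cred_id):
    payload = json.dumps({"id": cred_id, "d": digests}, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, "sha256").hexdigest()

def issue_batch(attrs, count):
    """Issuer builds `count` single-use credentials over the same attributes.
    Each copy gets fresh salts and a fresh id, so presentations of different
    copies share no bytes a verifier could use to link them."""
    batch = []
    for _ in range(count):
        salts = {k: secrets.token_bytes(16) for k in attrs}
        digests = {k: _digest(k, v, salts[k]) for k, v in attrs.items()}
        cred_id = secrets.token_hex(16)
        batch.append({"id": cred_id, "digests": digests, "sig": _sign(digests, cred_id),
                      "secret": {k: (attrs[k], salts[k]) for k in attrs}})  # holder-only
    return batch

def present(cred, disclose):
    """Holder reveals only the requested attributes (value + salt); all others stay hidden."""
    return {"id": cred["id"], "digests": cred["digests"], "sig": cred["sig"],
            "opened": {k: cred["secret"][k] for k in disclose}}

def verify(pres, required):
    """Verifier checks the issuer signature, then that every required attribute is
    opened to the expected value and matches its signed commitment."""
    if not hmac.compare_digest(pres["sig"], _sign(pres["digests"], pres["id"])):
        return False
    for name, expected in required.items():
        if name not in pres["opened"]:
            return False  # attribute was not disclosed; nothing to check
        value, salt = pres["opened"][name]
        if value != expected or _digest(name, value, salt) != pres["digests"][name]:
            return False
    return True

def linkable(p1, p2):
    """True if two presentations expose any common identifier a verifier could correlate on."""
    return p1["id"] == p2["id"] or bool(set(p1["digests"].values()) & set(p2["digests"].values()))
```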
These and the rest of the recommended provisions are explained in our guidance document, along with our recommended legislative language for implementing each one.
Asking someone for identity is sometimes necessary, but it’s also an act of power. The design of a digital identity system is not just a technical matter, but also a structure of power. Americans and their elected representatives and government officials at the state and federal level should pay close attention to that structure. In states moving forward with digital driver’s licenses, the measures we call for are the absolute minimum of what should be included in a privacy — and equity — protective digital identity system.
Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy, and Technology Project