Low Visibility Ahead: Mobile State IDs May Prevent Fraud in Digital Identity Verification, but Pose Threats to Privacy
The surge in applications for government benefits during the COVID-19 pandemic demonstrated that federal, state, and local agencies face real challenges in verifying identity over digital, online interactions. When agencies did not take enough care to verify applicants’ identities, fraud ran rampant, undermining public confidence in the administration of these programs. On the other hand, too many restrictions on identity verification have left many waiting too long for their benefits. Understandably, government agencies would like to have new, quick, and reliable options for identity verification, beyond what’s currently available.
Enter mobile state IDs (also commonly known as mobile driver’s licenses). Mobile state IDs do exactly what’s written on the tin – they let users store a digital copy of their driver’s licenses or state-issued IDs on their smartphones. At the time of writing, 12 U.S. states have mobile state ID solutions available or in progress. These mobile state ID solutions vary in how and when they can be used. Some only enable in-person use cases, such as airport screening. This type of digital ID, which is essentially a digital copy of a physical identity card that can only be used for physical interactions, wouldn’t have been much use during the pandemic when individuals sought to access public benefits by verifying their identity remotely.
Some mobile IDs go beyond in-person uses and are accessible over the internet, enabling “unsupervised remote” verification. Since last June, Apple has allowed developers of apps like car rentals and liquor delivery to access mobile ID information (a majority of U.S. states with mobile state IDs use Apple Wallet). Since the beginning of 2023, Louisiana has required use of the mobile state ID to access age-gated adult websites.
Unfortunately, we are likely to see much more of the state-by-state approach to digital identity verification with mobile state IDs. Unlike for the in-person use case, there is no unified standard for mobile state IDs for digital identity verification. A fragmented, state-by-state approach is likely to be more expensive and riskier. Each state will have to do duplicate work in sourcing, vetting, and working with providers of mobile state ID technology. But the ultimate requirements for functionality, security, and privacy should be similar, no matter the state. With each state going it alone, it becomes much more likely that an individual state creates a mobile state ID solution that is deficient in terms of functionality, security, or privacy.
From a fraud prevention perspective, mobile state IDs carry real promise for government agencies. The main advantage of mobile state IDs is that they tie user identity to a physical and fairly secure consumer electronic device, namely, a smartphone. A government agency knows that a user is who they say they are because the user can prove they have ownership of and access to a smartphone bearing their state-issued credentials. A lost device isn’t a problem – without knowledge of the phone’s PIN or a way to bypass the phone’s built-in biometrics, a thief can’t use a stolen device for identity fraud. Of course, while tying mobile IDs to smartphones provides significant security benefits, it also limits access to those with the economic means to purchase and maintain an expensive device. This is particularly worrisome when one of the benefits of a mobile ID is easier access to benefits, which is most likely to be needed by those with the least economic privilege. Consequently, it is critical that agencies continue to make benefits accessible in a wide variety of ways, rather than relying on mobile ID systems.
If there is a weakness in mobile state IDs for fraud prevention, it would be in the initial creation of a mobile state ID. The fraud resistance of mobile state IDs is only as strong as the identity verification process used during the mobile state ID setup process. Unfortunately, in this case, the state ID authority now faces a chicken-or-the-egg problem – it cannot use an existing mobile state ID to provision a new mobile state ID. So the state ID authority must rely on the existing methods, with all of their potential shortcomings for privacy or equity. With that said – Apple, Google, and Idemia (the largest third-party provider of mobile state IDs) all verify identity in the same way: they compare an image of a physical ID card to a live selfie video of the applicant to ensure the user setting up the mobile ID is the owner of the physical ID, and they check the information on the physical ID card against the issuing agency’s records to ensure that it is a legitimate ID (which requires the agency to be compatible with the mobile ID provider). From the perspective of fraud prevention, this approach is still difficult to beat, though deepfake-generated selfies may change that in the future.
Aside from their potential for fraud resistance, mobile state IDs pose risks to privacy, and these risks will take time to iron out through regulation and technology. The key risk is that mobile state IDs allow either governments or businesses to tie a user’s online activities to a real name and government-issued ID. This might mean that websites that require ID to access (like an age-restricted dating website) can store a list of their visitors, verified by a government ID. Or an alcohol website can keep track of every individual who purchases from them. (In the latter example, it is worth noting that while this is technically possible at a brick-and-mortar liquor store, the barrier to maintaining a unified list is lower in a context where the ID information is collected automatically, rather than being examined by a human salesclerk.) Being able to track users in an identifiable way raises a number of privacy concerns by opening them up to ad targeting, data discrimination (imagine your health insurance company learning how often you purchase wine), or chilling effects where users limit their own behaviors for fear of surveillance. Other means of tracking a user’s internet activity are at least easily changed – a user can use a different email address, or change their IP address. However, it would be hard to envision a world in which users can request new versions of their government-issued identity to protect their privacy online.
Instead, the parties involved in mobile state IDs – state governments issuing mobile state IDs; providers of digital wallets like Apple, Google, and Idemia; and the businesses and agencies who want to accept mobile state IDs – need to work together to develop privacy-first approaches. At a minimum, a privacy-first approach to mobile state IDs for digital verification would:
- Keep users in control of what they share. Users can always choose which attributes from their mobile state IDs to share with third parties.
- Enable targeted verification of information. Mobile state IDs can take privacy one step further by verifying only a user’s answer to a question like, “Are you over the age of 18?” instead of sharing the user’s complete birthday.
- Audit the technology used for mobile state IDs. Independent third parties should help to verify that each state’s implementation of mobile state IDs meets necessary privacy and security standards.
- Provide guidance for agencies that want to accept mobile IDs. Many of the privacy concerns surrounding mobile IDs relate to how the receiving party (the ID checker) handles the process. What data do they store, and for how long? In what contexts do they require an ID? Do they share ID information with other agencies? Establishing clear best practices around the answers to these questions can help to protect people who need to share their IDs in order to receive government services.
Though it is possible to envision a world in which every U.S. citizen can securely and privately share their identity over the internet, much work remains ahead. For now, state policymakers and users are warned – low visibility ahead.