The Des Moines Register reports that the Iowa Department of Transportation is developing a smart phone app that will act as an officially issued driver’s license. Department Director Paul Trombino says that the app will be provided to drivers at no additional cost and will be available sometime in 2015. Drivers will still be able to carry an old-fashioned plastic license if they so choose.
I’m conflicted about this news. From the perspective of a technophile, this is monumental. With the rise of digital payment systems, maybe we’ve gotten to a point in society where wallets go the way of the pay phone…whatever a pay phone is. From a data privacy professional’s standpoint, this story gets filed under the sarcastically named “what could possible go wrong?” category.
The success or failure of an electronic driver’s license program rests in a field known as identity management. Simply put, these are the technologies and practices that verify you are who you say you are. One of the oldest and most well-known identity management techniques is the username and password. We’ve been looking for an alternative for over 20 years now due to the fact that easy-to-remember passwords also happen to be easy-to-guess and hard-to-remember passwords get written down on post-it notes.
As Iowa moves forward on its driver’s license app, it will be interesting to see the steps required of a user to download an identity credential on a device, the steps taken to secure the credential while it resides on the device, and the extent of the information that resides in the credential. Ensuring that identity credentials are issued to the correct individuals and that once issued, the credentials cannot be modified or transferred will be crucial to the success of the program. If hackers are able to modify issued credentials or extract them from devices, we could see a new era in identity theft.
With a traditional plastic driver’s license, an identity thief has to physically steal a wallet or the license itself. For a driver’s license app, an identity thief could steal the device itself or steal the credentials remotely via the device’s networking capabilities. Thus, the overall security of a citizen’s device will have an impact on the security of an electronic driver’s license program.
An electronic credential has the potential to be modified and reproduced with much less effort and cost than would be required to modify or reproduce a traditional plastic license. Counterfeit plastic driver’s licenses require complex printing techniques and equipment. With an electronic credential, there’s a real possibility that once a single hacker has compromised the system, the capability will be shared with others who would only need a computer and enough expertise to follow the steps of the original hacker.
Of course, the threat of modification and counterfeiting will vary based upon the amount of information that is actually stored in the credential and steps that are taken to verify the credential. The credential on the actual device could contain a reference to information stored on state servers. This would allow law enforcement and anyone with access to the system to spot fake credentials.
While the stakes are high, the technological issues are not insurmountable. There are even potential applications where an electronic driver’s license could be more secure than a traditional one. In the coming months, Iowa will serve as a fascinating case study for the issuance of electronic identity credentials to citizens. The outcome could be a modern and streamlined program that is convenient for citizens or it could be a tale of stolen identities and computer savvy teenagers being able to buy beer.