This article was authored by Mark DiFraia, Partner & EVP Digital Identity at Kuma LLC. DiFraia is an industry expert in digital credentials and has a decade of experience overseeing DMV-related operations.
The topics of Digital Identities and Digital Credentials, most notably Mobile Driver Licenses (mDLs), have reached a crescendo within North American DMVs. Whether your firm is charging forward, or looking to hold off the move… the topic has been gathering momentum since the AAMVA eID working group began prepping their inputs for the ISO 18013 effort and the White House published the National Strategy for Digital Identities in Cyberspace. We have seen self-funded pilots, NIST-funded efforts and a competitive procurement already. Many new Driver License RFPs are including provisions to enable digital identities. As we find ourselves here, in the middle of the 2019 AAMVA Conference season, it is hard not to feel the momentum building toward the first large wave of these technologies about to find their way into the hands of residents. While excitement and momentum are impossible to ignore, I have come to wonder if DMVs are truly ready for all that the digital domain brings to the forefront. There have been lots of discussions to date about ISO 18013 device-to-device interoperability, but there are at least 3 “not-so-obvious” areas that require states to be extremely well prepared in order to navigate these new waters with success. They include:
- Who is managing all this interoperability?
What entity is responsible for ensuring that the world of ISO 18013 reader technologies are able to interoperate, at scale, with these new mobile credentials? Will there be Certificate Authority that has the job of certifying each device, vendor or organization? Should they be allowed to charge money for that? Where is that money going to come from? Should any org be able to self-certify themselves? Do users determine they trust a reader or does the reader need to be enrolled in a service?
As I look at the problem, I can make arguments for and against several different positions specific to these kinds of questions. As much as I like my own personal opinions, it is going to be the DMV commissioners across the nation that ultimately need to choose how their state will set its own policies on some of these issues. For example, if the ISO 18013 standard is designed to ensure all mDLs are interoperable, who could possibly attempt to manage certificates for every pharmacy, law enforcement laptop, point-of-sale card reader and other technologies across a state – or the nation for that matter? Does the vendor providing the mDL technology to users get the right to manage and/or monetize these actions? Should it all just be open source with users deciding that they trust a service provider enough to tap or otherwise transmit their private information? If your state hasn’t debated and arrived at a posture on these kinds of physical/in-person interoperability issues, you might want to circle the wagons. It is critical that leaders understand the landscape and determine to what, exactly, the technology community should be adhering.
- Will the credentials state DMVs offer also serve users and service providers in the online world? If so how will that be managed, monetized and sustained?
There are many forces in the digital market showing respect and excitement for the value of DMV proofed identities. NIST has funded pilots for mDL that included online use cases, the Better Identity Coalition published guidance for federal lawmakers, encouraging them to consider funding to states to enable DMVs to transact in the online identity verification world. The opportunity and promise for protecting and enabling people are immense, to say the least. However, it can’t just happen by itself. There are policies to establish and decisions to be made that will put jurisdictions in a position to participate in a manner that is as comfortable, safe and sustainable.
Importantly, this subject will require DMVs to think about how they intend their digital credentials to be presented to the online world. Will the state manage a network of its own that welcomes and certifies digital service providers? Will the vendor that wins the technology procurement have the right, obligation or another mandate to do this? Should the vendors be allowed to broker the identities between users and their service providers? Is there exclusivity? Should the states be expecting a revenue share with their digital enablement vendors? What does a good deal look like? How much are these proofed identities worth? Should we require complete vendor interoperability? Will this be an OpenID Connect type industry structure or should we be planning to embrace the blockchain efforts of the self-sovereign identity movement?
Again, if your teams have not had the opportunity to debate and establish positions on these kinds of challenges, it might be time to take a step back and ensure your plan accounts for these topics.
- Aside from the interoperability and data definitions being offered through ISO 18013, what expectations are you placing upon the vendors that are offering digital credentials and services to your state?
There has never been a more stressful time in the management of personally identifiable information (PII) than we are experiencing today. Europe put the GDPR in place within the last 12 months, California made a bold step with its own state-level policies regarding personal data, and NIST has just published the NIST Privacy Framework. Additionally, the International Association of Privacy Professionals (IAPP) continues growing, both in participating organizations and with individuals becoming certified.
Does your state have a stance that the digital credentialing technology providers need to follow specific to PII that you can point to? How do you require PII in transit to be encrypted? How is PII to be managed through centralized services or orchestration tools that may be involved? Is PII stored on the users’ mobile devices? If so, do you have expectations for how that security should be constructed? How does the credential get to the users’ phones? What prevents someone from spoofing the enrollment/sign-up to receive a digital credential other than their own? How much of the data moving through the systems should any single vendor be able to store, learn from and leverage for their proprietary additional services? States should consider where their key technologists believe information should live, when/if/how it can be shared, how it is protected, who can possess it, etc. Remember, a highly-secure and interoperable digital credential can become a high-speed tool for accelerating fraud if it isn’t properly secured and bound to the living-breathing human who owns the identity.
You will notice that this article does not articulate what I think the answers are to the questions posed above. Nor do I attempt to pick technologies. That is because it isn’t my place. However, it is my mission to ensure all parties in this developing digital identity world are informed, conscious of the economics and ultimately fully address the elements that make any group ready to participate with full confidence.
As an individual with immense personal capital invested in the digital future of our nation, I am extremely excited for all that is to come. That said, my excitement is tempered with the growing concern that jurisdictions haven’t yet had the time, resources or support to determine their positions on these key areas and more. It is my sincere hope that this piece offers all DMV leaders a glimpse into the kind of confident preparedness that is required in order to move forward knowing your constituents have been well cared for. This is the nations’ chance to put the identity horses back in the barn. With the proper due diligence, a safer and more secure digital world it is completely within our reach.
Reach out to me directly to learn more about digital credentials and how Kuma can help you set a readiness plan. Also look for me at the upcoming AAMVA meetings this summer. Kuma advice is always one click away.
