
Mobile drivers’ licenses: A humbler take on self-sovereign identity and personal data protection


I’ve been interested in self-sovereign identity for a number of years now, ever since I interviewed Phil Windley, a founder of the Internet Identity Workshop (IIW) and then chair of the Sovrin Foundation, in 2018. 

In a self-sovereign identity (SSI) scenario, the users themselves control the sensitive information previously stored by a third party. Take biometrics, for example. Smartphones like the iPhone encrypt biometric identifiers on-device and keep them there, so the matching that unlocks the phone can happen on the device itself.

Contrast that on-device matching process with on-network matching, in which users must trust a third party to store the sensitive personal information and do the identity management in a matching process over a network. 

SSI initiatives such as Sovrin promise better protection of personal data by eliminating the need to duplicate that data. In 2018, these initiatives were ambitious and broad ranging, with national governments such as Honduras and Sweden and provincial/state governments from British Columbia to Illinois announcing plans to protect and grant controlled access to digitized official documents, from property deeds to birth certificates. 

At the time, Sovrin used (and may still use) a combination of pseudonymous pairwise identifiers, private peer-to-peer agents and zero-knowledge proof cryptography to secure the documents. In a zero-knowledge proof, the party providing the proof need only confirm a fact, rather than provide information to prove a fact. So the sensitive information itself is not copied, and it’s not moved.

SSI, backed by standards such as the W3C’s Decentralized Identifiers specification, looked promising, and inspired a lot of passion in its backers. Windley as Sovrin’s chair logged a million miles a year on planes to get the word out about the Foundation. The Foundation had enlisted IBM and Cisco, among others, to act as data stewards (rather than owners) of the Sovrin platform, and who were piloting the credential and official document schemes.

Windley left Sovrin in 2020. He’s currently a Senior Software Engineering Manager for Amazon Web Services and chairs the Personal Privacy Oversight Commission for the state of Utah. He published an O’Reilly book called Learning Digital Identity in 2023. He’s still doing the annual Internet Identity Workshops more than 37 years after he started.

In retrospect, Sovrin’s efforts were certainly well thought out and well intentioned. But were they overly ambitious? Or was the timing just wrong?

Fast forward to 2023 and 2024

Unnecessary data duplication is a huge issue for enterprises just trying to get their arms around the massive data growth they’ve experienced given today’s complex information environment. 

Consultants like Dave McComb of Semantic Arts have found evidence of hundreds of copies of individual social security numbers while conducting a data audit at client sites.

The alternative to duplication is to grant access, a technique that some call “zero-copy integration”. Earlier this year, I wrote an article (https://www.techtarget.com/searchenterpriseai/tip/The-role-of-trusted-data-in-building-reliable-effective-AI) for TechTarget Enterprise IT that described zero-copy integration this way:

In February 2023, Canada’s Data Collaboration Alliance, led by [Cinchy CEO and Co-founder Dan] DeMers, announced Zero-Copy Integration, a national standard ratified by the Standards Council of Canada. The standard advocates access-based data collaboration, rather than copy-based integration, to eliminate data duplication.

Those who adhere to the principles of zero-copy integration agree to share access to, rather than duplicate, data resources. By design, reusable data resources must be shareable and secure. It’s a data-centric and application-agnostic approach that demands scalable and secure access control.

The Mobile Driver’s License

I did some desk research recently to check out zero-copy credential trends, and the initiative that definitely seems to be gathering more steam in 2023 and 2024 in the US is the mobile driver’s license (mDL), the data equivalent of a physical license card that’s stored and encrypted on your smartphone. IDScan.net reports that 12 US states already have operating mDL programs in place.

The attraction of an mDL from a license holder’s perspective is that you limit the duplication of the kind of personally identifiable information (PII) that’s printed on your physical license card. 

US banks and other financial institutions (FIs) have been prohibited by Federal statute since 2018 from storing copies of driver’s licenses. But interestingly, the statute allows the FIs to make temporary copies, as long as they destroy them after the verification/authentication process.

In the case of California, which currently has an mDL pilot program, the DMV only stores your phone number and an encrypted image of your physical license card. 

This is not an ideal situation, but at least it’s an indication of a move in the right direction. State agencies in general (Illinois being another example) are using public key infrastructure (PKI) cryptography for their nascent digital ID programs.