
One State Has Started Putting Drivers’ Licenses on Smartphones - Fjolsvith
http://blog.caranddriver.com/one-state-has-started-putting-drivers-licenses-on-smartphones/
======
SCAQTony
At least this is an opt in function.

Those with flip phones or those worried that their full identity and address
is on a smartphone that could be hacked via malware or otherwise do have a
choice.

------
brerlapn
Having worked in identity management, I suspect that some of the benefits are
oversold. The chain of identity proofing for a traditional driver's license
involves both "who is the person who holds this document?", "how do I know the
document is trustworthy?" (i.e., not a forgery), and to a lesser extent "is
the information on this document accurate?".

It's hard to imagine how a bar or venue would be able to rely on an electronic
record of a license displayed on a device that is not under the venue's
control. Physical driver's licenses have anti-counterfeiting measures such as
holograms or secondary shadow photos of the bearer that require more than just
a good laser printer to fake. It would be trivial to write an app that faked
all the functionality of a license that I show the bouncer on my phone, so
they would be unable to rely on it to answer "is the information being
displayed [age, name] accurate?" without some sort of additional transaction
with the central license database to verify the license. Such an additional
transaction would add a lot of friction to the simple act of flashing a
license at a bouncer or bartender, with all sorts of potential for outages
(see, e.g., Virginia's IT outages since they outsourced the state IT en toto
to Northrop--DMV's unavailable for days at a time). If you owned a business,
would you allow your ability to even be open on any given day dependent on
whether your state was managing their data access well enough to be available
(and with low enough latency to the transaction not to interfere with running
your business)? That's just one slice of business, and I haven't even gone
into potential issues of the data trail such transactions would create, or the
heightened damage identity theft would pose, or the immaturity and blindspots
in government identity management policy development.

I think governments should absolutely be exploring ways to make data like
identity-proofing via driver's licenses widely accessible via services for use
by citizens and businesses, but even there I'm a bit skeptical as most
organizations are horrible at controlling access to sensitive information even
at the internal level, much less making it available via an API. TSA PreCheck
(the vendor's relevant experience) is such a different beast in it's use case
from a broad credential like a driver's license that it's hard not to expect
gaping security and policy issues to emerge as they start to roll these out.

I geek out about identity tech, use 2FA wherever I can, do this
professionally, and am currently wrestling with a couple of Yubikeys for even
more 2FA fun, but I can't imagine opting in to an electronic driver's license,
and if anyone asked me I'd vehemently advise against it.

------
informatimago
That sounds like a very dangerous proposition. Cops have a tendency to take
phones for guns, and shoot to kill.

~~~
brerlapn
From the article, you don't hand the police your phone--you would authorize
the officer via the app to view your license on their own device or laptop.

