Re: Hello world, meet American driver’s licenses

On Tue, Jun 24, 2025 at 11:25 PM Kim Hamilton <kimdhamilton@gmail.com> wrote:
> I realized we’ve been talking past each other in the mDL discussion, and a large factor is likely different assumptions and use based on where we live. So I wrote a US driver’s license explainer:
> http://kimdhamilton.com/american_privacy/

Hey Kim, part 3 of your series is excellent as well.

I wanted to expand on some of the concerns you raise in your series,
focusing on the concerns from the retail sector's use of driver's
licenses (quite possibly the most prolific use of DLs in the US). This
is from the perspective of our experiences deploying TruAge to a
market with 150,000+ retail locations that do close to 50M
age-gated product sales /per day/ almost every single day of the year.
200M people in the US buy age-gated products at least once a year,
with many of them using driver's licenses to prove their age.

One of the goals of TruAge is to remove the over identification and
over collection of personally identifiable information in the retail
sector. This was largely pursued due to the liability of holding on to
all that information -- what happens if the point of sale is stolen?
We had to ensure that the entire driver's license wasn't being stored
in point of sale systems, and what we really wanted to do was
eliminate the need to store ANY driver's license information in point
of sale systems (and to replace them with single use tokens that
contain no PII such that theft did not provide any benefit to the
thief). The technical design of the TruAge system has largely achieved
those goals.

There is concern, however, with mDL server retrieval in that ecosystem
because customers really, really, don't like the idea that showing
their driver's license is going to end up "phoning home" to the
government. The dangers are obvious; the state knowing when you're
buying alcohol and possibly keeping track of that information
long-term... and a number of state governments know this and avoid
it... but as you mentioned, some don't either because they don't
understand the consequences of rolling out server retrieval (the
privacy training just isn't there in many cases), or due to a specific
policy position that a party in power holds.

What the retail industry definitely does not want to see is server
retrieval in mDL, because it opens all of the data/privacy leakage
concerns back up that we've worked so hard to close and it creates
brand new liabilities for retailers that are specific to mDL.

Remember that retail stores exist on both sides of the US and Canadian
border. If a Canadian shows an mDL with server retrieval on the US
side, retrieving that mDL from Canada, or vice-versa, puts the store
in a position that it has never been in before... new sorts of
telecommunications and privacy regulations kick in. Retailers don't
want to be pulled into complex situations such as that.

Even within the US, as you say in your article, privacy laws do change
from state to state. For example an mDL retrieval in a store in one
state from a resident in another state is something that deeply
concerns lawyers that deal with retailer liability. An mDL is a legal
form of ID, the store has to take it (or will be forced to eventually,
just like they must accept plastic driver's licenses today). However,
if server retrieval is the only way, it might be against state policy
to reach across state lines to do so -- states often do not allow
other states to have access to resident data in their state... and
this has nothing to do with DMV policy as it's often state policy and
therefore AAMVA's policy suggestions can be overridden on a
state-by-state basis.

This is not unique to the US... an international driver's license is a
valid form of identification for age-gated purchases, so we could have
US stores retrieving EU driver's license data from EU systems and then
storing them on US systems.

I'm saying all of this to provide a real-world use case, with a
deployed-in-production system, to highlight your point about how
intractable, from a legal perspective, server retrieval is at scale in
the US, and to point out that even though your article focuses on the
US challenges, I don't think people have really thought about how it
applies to the global context for the most common use case (age
verification) for driver's licenses.

This is a place where "privacy by policy" begs to know "exactly whose
policy?". It doesn't just have to do with the jurisdiction you're
from, or the jurisdiction you're operating within. Often, it includes
both, and you're in trouble if those two jurisdictions don't agree on
the server retrieval policy... which is 50 states x 50 states -> 2,500
combinations that lawyers will need to consider wrt. server retrieval.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Thursday, 26 June 2025 17:59:56 UTC