Cybersecurity experts are warning about potential security and privacy risks associated with California’s new digital driver’s license.
Since Aug. 15, around 100,000 Californians have signed up for the new digital license on their smartphones, a Department of Motor Vehicles spokesperson told The Standard on Tuesday. The program is currently capped at 1.5 million participants.
Adam Marré, chief security officer for cybersecurity firm Arctic Wolf, said anyone downloading the new licenses should know their data is not completely protected from theft.
“The threat level of unauthorized individuals gaining access to or stealing user data [on mobile licenses] is not zero,” said Marré, a former FBI agent. “Putting 100% faith in user data being thoroughly protected is overly optimistic.”
Marré said it’s important for the DMV to educate license holders on the best ways to protect their digital identities. He recommended using strong passwords, enabling two-factor authentication and regularly updating security software and apps.
The California pilot program does not currently have a two-factor authentication option to access the digital license. Accessing the mobile license requires unlocking your phone and then the digital driver's license app, which a DMV spokesperson said constitutes two layers of security.
“The mobile license is secured through the use of biometrics, encryption and meets the highest federal and international security standards,” the DMV spokesperson added.
Alexis Hancock, of the San Francisco-based digital rights group the Electronic Frontier Foundation, highlighted the potential for mobile licenses to aggravate social inequities.
Hancock said reliance on digital licenses would marginalize people with limited internet access, or those who can’t afford to constantly upgrade their smartphones.
Hancock also warned about the potential misuse of digital identification.
“Digital identification can invade our privacy,” Hancock said. “Designed wrong, it might be a big step toward national identification, in which every time we walk through a door or buy coffee, a record of the event is collected and aggregated.”
Similar digital license programs in other countries ran into problems with their mobile IDs. In Iceland, bouncers reported that underage teenagers were forging their digital licenses to get into nightclubs.
Currently, Californians can’t use their digital licenses to buy alcohol or other age-restricted products. The mobile license is only accepted as valid identification at TSA PreCheck lines at about two dozen airports across the country—including San Francisco International Airport.
License forgery was also a problem in Australia’s New South Wales, where a researcher found it was possible to crack the encryption of their digital licenses in minutes.
The California DMV said it doesn’t permanently store personal data from the digital license other than a user’s phone number and an encrypted photo of their license card. However, the only real barrier between a bad actor and your personal information is your phone’s passcode.
While California is just beginning to experiment with digital identification, other states across the U.S. have had digital driver’s licenses for years. Arizona began piloting its mobile ID program in 2021, and was the first state to allow Apple users to store a digital version of their licenses in their phones’ Apple Wallets.