Hello, everybody, I'm gonna talk about digital ID today. So there's a lot of talk about creating a new digital driver's license or digital ID, and I'm gonna like a beginning of a movie, I'm gonna start with a really tight shot, I'm gonna zoom out here, but tight shot is a digital ID is your driver's license, but you're gonna put it on your phone. Sounds great, sounds great, it's modern, it's smooth, everything's inevitable in that direction anyway. And this is what state legislators are thinking about when they pass digital ID, walls and so forth. But of course, in a lot of the discourse treats it that way, but a wider focus is needed, it's actually not the same to have a digital version of your driver's I've seen your phone. And my one slide today is this, which is the sort of classic identity triangle, you have the issuer, if a driver's license the DMV, and you have you the holder, and then the relying party or the verifier. And basically, what happens is the DMV digitally signs a file, that's your driver's license. But so on your phone, you share that digital file through various mechanisms with a verifier, who checks the public key of the issuer to make sure that it matches the digital signature of your driver's license. Pretty simple, if you understand like no PKI. But this could mean the digitization of it can lead to significant changes, it is not a small shift. For one thing. Now your phone is involved when you get pulled over by a police officer, is a police officer going to gain control of your phone or looking at your phone or anything like that. The systems that have been designed would say no, but a lot of people are going to understand they don't have to hand their phone to a police officer, they might feel pressured by a police officer, etc, etc. And we have seen a big problem with police, taking people's phones, mirroring them, etc. Without under supposedly voluntary circumstances, tracking by the issuer. Does the DMV get a bird's eye view of every time you show your driver's license to somebody they know every liquor store, you've been to office building, doctor's office, etc, etc. That's a bad privacy thing. tracking my verifiers. This is something that's already a bit of a problem with a plastic license. But if you show your digital ID in many different places to those people have a bird's eye view as well. Maybe they're all different outlets have the same megacorporation or what have you. We worry about there being more demands for ID if it is easier to show your ID just pick it take out your phone, press a button, it's easier to ask people to show their IDs and there could be a situation in fact, a robot can ask you for your ID wirelessly, you now you're walking into Target you're walking into a store Oh, to come in, please were to come in this section of the store, whatever, please press here to send us your your driver's license. So now we're getting more and more demands. We're worried about clothes or proprietary wallets. So specific companies say Apple have a key role they putting themselves in the middle of these transactions and potentially getting data from it. Remote revocation, we're worried that like, you know, they give you a private plastic license that has a 10 year expiration date, they can yank your driver's license out of your digital wallet anytime they want to 1000 functionality that they want to build in. And of course, very significantly, this further disadvantages those who don't have a cell phone, don't have tech savvy don't have good Internet access or what have you. And so it has serious equity implications. It's possible that a digital ID instead of being currently being sold as an optional accessory to your plastic license becomes mandatory and that all these problems here get much bigger. There's also the question What happens if your phone dies? My daughter's phone died the other day? No reason Iran for it. No water damage, nothing just died? Is that on you? You're gonna go to jail because your phone died? That's an unanswered question. So let me broaden out the focus here a little bit more. The real game here is not just replacing your your plastic license. It's a usable ID that you can use on the Internet. That will have a lot of advantages for us, we can access our IRS more easily data more easily, etc, etc. But all those problems I just listed, the stakes get raised a lot becomes a much bigger deal. For example, a burden of the DMV or whoever issues your thing they have a bird's eye view of everywhere you go. Now that includes every website that asks you for your ID. And so it's not just what stores you're going to but what websites proprietary can corporate control over the wallet infrastructure. Now Apple is between you and your web surfing and away they head for mo revocation. Now, the people who control your digital driver's license can yank away your ability potentially to access a lot of the Internet. greater demands for ID This is one of the things that we're going to see and I'm really worried we're going to wake up one day and you're going to need your ID to check watch a video to join any social network or view anything socially to use your credit card to visit you know, even go shopping potentially, and the modus Fidessa can be age verification, which obviously, as we've heard in the previous panel is a huge political issue right now. Security, they want to make sure your audit the there occurred there Cybersecurity people who don't want to track you in case you later turned out to be a hacker, they're gonna want to enforce bans. If you're somebody who's been kicked off the site a year ago that you're not coming back under a different ID, this will solve that problem for them. And of course, marketing, as cookies go away and other ad tech elements, they're going to want a rock solid DMV vetted, identification, so they know who you are, can market to you. So this is like potentially a very major infrastructure in American life. That's, that is, you know, coming about, and it's being built now. And there's all that much conversation about it outside of some very pretty geeky areas. It's been, you know, there's a whole community of people working on interesting, sort of crypto or graphical solutions for this. But meanwhile, and and there's there's things called VCS being created by the W three C, very interesting standards. But meanwhile, there's this other standard created by the International Standards Organization, the ISO, which does not have a lot of the protections in place. It was created in secret by people by parties, we don't know because they won't tell us who was in it. And this is being embraced by the TSA, which is pushing the states to embrace it, because the TSA has the power into the REAL ID Act, to set the definition of what identity forms will be recognized by the federal government, if your driver's license is recognized by the federal government is kind of an OnStar. And the TSA is embracing this ISO standard, a number of states are adopting it. And the question is, because the ISO standard is very vague, and does not include all of these privacy protections, is sort of what will, what will it look like? So we have this, you know, identity triangle. And one of the questions is, who are the adversaries that it's built, it's designed to to defend against, and for the ISO, it's YOU the holder, they want to make sure that you don't have a fake, Id can't get a fake, Id aren't able to share your ID, etc, etc. But that doesn't protect you against verifiers or the issuer, the issuer, getting all your data and so forth. Is there So the questions are as these things are built, will it include include a lot of critical ethical protections that are now completely available and possible? Or will they just sort of not bother and give us this digital identity that we get locked into as a standard like the QWERTY keyboard, and we end up with a system that is sub optimal, doesn't protect privacy, and yet becomes omnipresent. So you can have a system that has selective disclosure. So you can, you can authorize your age without sharing any other information about yourself, including your date of birth, I've over 21 You can have unlink ability between different verifications so that if I show an ID to separate parties, they can't collude to get together and see that the same person. And even with a new age verification, you could do that, that the issue or the DMV could give you like a stack of like one time uses as pads, each of which is separate, so that your tokens don't match as you can as you sow them over time? Are they going to bother to build that in? It's easily done and cryptographically? But are they going to do it? That's the question. And a lot of these states, it's just politicians saying we want people to be able to put the driver's license on the wall, it's like I said, that very shallow view of what this is, is there are the are the identities going to phone home every time. Under the eyes of Saturday, there's two ways of doing it, you show your verification to the liquor store, they call up the DMV to verify that it's the right ID. And that's just it doesn't have to be done that way. But that's one of the things that can be done. And we're worried that some of the states are going to do it that way. And so really, this is a significant change potentially to Internet, we could see the Internet walk down the hallways, age verification everywhere, creating identity, gays all over the place, geography gate, you can only come to this website, if you live in this state, before an interior driver's license, and other things that we can't even, you know, sort of anticipate. And this is a significant threat to anonymous speech, which is one of our nation's oldest traditions. The Federalist papers were written anonymously, it's where many pamphlets during the Revolutionary War
and yet it's being portrayed as some sort of obscure standards battle here that almost nobody is paying attention to. We're advocating in the States, we're pushing individual states to try to make sure they build these things in we are advocating with the TSA at the to slow down and do this right. And I advocated in general that like, there's a lot of great cryptographic stuff that's being built. Some of it's a little immature, it's if but but these things are coming out very quickly. We have the crypto magic, let's use it here. So if we're going to have a digital identity system, we can have our cake and eat it too. We can get the conveniences and yet not have it turned into a privacy nightmare. Last point, there also needs to be policy protection each here. If it becomes very, very easy to share your ID Everybody's gonna be asking for it. Go to website press here to send us your your ID. So we need legal protections as well so that people aren't forced to share their idea the way they go. And with that, I'm done.
