Introducing Kantara’s Working Group for Privacy Enhancing Mobile Credentials

When a group of 31 Pennsylvania state residents were asked where they use their state driver’s license, the responses included:

• Visiting a notary who does not know me personally for a paper-based transaction.
• Cashing a check at a grocery store.
• Checking in at the airport with luggage
• Checking in for the COVID and flu vaccines
• Picking up a package at FedEx or Post Office
• Buying tobacco or alcohol products
• Purchasing prescriptions including some cold/allergy medicines
• Applying for a fishing or hunting license
• Obtaining or renewing a library card (to prove that I still live in the township)

Clearly the use of a driver’s license goes well beyond proving eligibility to drive a vehicle. It has become the de-facto standard for proving that you are who you say you are – and are entitled to the product or service requested. An increasing number of states are adopting mobile ID systems to recognise and verify mobile credentials including driver’s licenses (mDL).
One of the latest is Mississippi which has just announced it will roll-out a new digital identification program later this month. The mobile ID system will allow users to store virtual credentials such as a driver’s license and coronavirus vaccination card in their Apple or Android phone wallet.

So how do we ensure that the use of this vital credential is underpinned by a sense of trust? How do we assure users they can trust the entity that is requesting their ID?
And how secure will their personal data be once it is shared by the law enforcement officer or nightclub doorman and stored within the organization’s ID verification infrastructure?
Existing standards such as ISO/IEC 18013-5:2021 (Personal identification: ISO-compliant driving licences) focus on security at a transactional level.
They provide for robust confidentiality and data protection in transactions that take place between the issuing authority (AMVA, DVLA etc.) a verifying organization (bank, government agency, health authority) and the individual customer or citizen.
But in any sphere of life, trust is built on relationships over time, not just through a single transaction. While technical security of data and systems is vital, individuals want to know that their identity and personal information will be respected long AFTER the transaction is complete.
We therefore need standards for privacy and security that give greater assurance that the data we share as we transact with our suppliers and government institutions won’t be misused – whether intentionally or otherwise.
This is what Kantara’s new working group on Privacy Enhancing Mobile Credentials (PEMC) is intended to address. For most US citizens, their first “digital” ID is likely to be a state-issued one, typically a driver’s license.
But what happens once that citizen has multiple credentials – even multiple licenses issued by different jurisdictions? What provisions does the wallet provider need to make to accommodate a smooth and frictionless user experience?
How do we ensure that, in the ecosystem of issuing authority, identity system provider and verifier, all are committed equally to consistent standards of privacy and data protection that go far beyond simply securing the transaction?
The new Kantara PEMC Working Group aims to bring together a wide group of stakeholders, representing all elements of the identity ecosystem.
Chairman John Wunderlich says: “We need a robust level of debate in this area. We need to understand what makes for a good, trustworthy experience from the perspective of wallet provider, credential issuer and verifier AND the user.
As an industry, we need to create an environment that rebuilds consumer confidence at a time when data security and privacy are really under the spotlight.
To do that we need to use standards as the building block – and assessors that can independently monitor compliance to those standards. That is where Kantara excels.”
Hear John speak about the latest developments in the area of mobile driver’s licenses, identity and standards assurance at the Festival of Identity in London and online on 15th November at 12:00 GMT.
Additionally, why not consider joining the Working Group and help us craft a strong basis of trust for the use of mobile credentials?