By Liam Roche, LLM 2025
Introduction
On the 29th of August 2024, residents of California gained the ability to add their Driver’s licenses to Google’s Wallet platform for use on mobile devices as an alternative to presenting a physical document. A few weeks later, Apple followed suit, and enabled the capability on its wallet application platform. With this, California joins 13 other states and territories in allowing people to digitize their drivers licenses, passports and other forms of documentation. The technological development in this space is hardly surprising given the rapid development of digital wallet technologies and their rise to prominence particularly following the Covid-19 pandemic-driven boom towards contactless payments. The most recent emergence of digital IDs into this space has presented a number of novel opportunities to increase personal privacy protections along with a number of significant issues.
The Promises of Digital IDs
Convenience
At its most obvious point, digital IDs have a distinct advantage for users: convenience. In the 2020s, smartphones have become an integral part of modern life and at this stage more than 90% of US adults own a smartphone. In such an environment, the emergence of digital payment methods and now digital IDs have increased the usefulness of mobile devices and the ease of use of payment methods. Additionally, the autofill and syncing capabilities enabled by these platforms will make them more ubiquitous year after year.
Security
The emergence of digital IDs presents a significant opportunity to increase user privacy in situations in which a person is required to prove their identity for age, residency, or citizenship. Unlike physical IDs, digital counterparts allow users to select what data to share prior to showing the screen to the person requesting the identity document. For instance, one may choose to show only the name, year of birth and photograph to buy an age restricted item at a store but may choose to show more information if applying for a bank account. With such an implementation, a user is able to better control access to their personal identifiable information and show only what is needed in a given situation.
Remaining Privacy and Security Concerns
Platform Control and Access
Despite privacy and personal security benefits, integrating identity documents into digital wallets presents significant challenges from legal and privacy perspectives because wallet platforms are themselves controlled by large private companies. Currently, the leading digital wallet platforms are offered by Google, Apple, and Samsung (of note, Samsung has not announced plans to integrate digital IDs into their offering). This creates an interdependence between state governments issuing the IDs and the companies offering these platforms raising a number of concerns amongst privacy and legal professionals over the lack of statutory regulation of companies and the data they can collect on users in relation to digital IDs.
Because of the near-ubiquitous nature of digital wallet platforms and the range of solutions they offer including banking, money transfer, financial information storage, and now digital ID storage, consumers grant the companies behind the platforms to an immense amount of sensitive personal data. On the side of financial data, the industry has responded to this privacy and security concern with notable steps to protect personal data and create barriers for direct access. One example of this is the PLAID standard, which acts as a security and compatibility layer between Wallet platforms and an individual’s bank records. The system only allows certain data to be viewed by the digital wallet provider including for example the amount in a given account but not the account number itself.
Security
A key consideration on digital wallet platforms is of course security as any system storing sensitive personal data such as financial data and now identity information must have robust protections in place. One of the most used security measures taken with wallet platforms in relation to stored financial these services is virtualization. In simple terms, after a user adds a card to a wallet platform, the Wallet service authenticates with a payment provider or bank. Rather than copying the card number directly, payment provider (bank or other) creates a virtual card number which is then used to make payments. This reduces the number of instances a consumer’s card is relayed to vendors and additionally reduces the danger if a virtual card number is compromised.
Digital IDs however present a new paradigm and introduce a new set of issues from a security perspective. As things stand, there are a number of additional considerations with digital IDs. To begin, unlike payment cards, digital IDs cannot be virtualized because of the need for verification with existing databases such as the National Driver Registry System (NDR). Because of this requirement, digitized IDs must have all of the same data as their physical counterparts and thus the true and exact data must be directly stored with a digital wallet provider. This is a vulnerability which is being addressed in a number of ways by the platforms including Apple who requires biometric authentication to access stored ID data which cannot be bypassed and data is not immediately accessible without this authentication.
Increasing Platform Storage and Processing Requirements
Imposing concrete legal protections for storing and processing ID data remains a critical question in this space from both a privacy and security perspective. This lack of concrete regulation ensuring robust security and privacy protection, presents significant concerns for the use of digital IDs. Presently, platforms employ security measures like biometrics and other methods which are helpful in terms of ensuring user control over access to ID data. However, concerningly here such security measures are in large part decided by the platforms themselves rather than legislative regulation. This means that approaches to and robustness of storage security and processing can vary depending on what platform one uses. As the offerings presently stand, there is a great deal that needs to be ironed out as it were in terms of digital IDs particularly in relation to the requirements placed on platforms for storage and processing of data from digital IDs.
Access to Devices by Authorities
A final consideration which courts and legislators must consider is the fundamental question of access and control by authorities of digital IDs. At this stage, according to the California Department of Motor Vehicles, drivers are still required to carry their physical license, and the digital manifestation is only applicable for age verification at “select locations” with “additional uses forthcoming.” Any such forthcoming use of digital IDs though must to be navigated with extreme caution due to the complexities surrounding IDs.
Though this feature is not an approved use case yet, in a hypothetical situation, if an individual using a digital ID is pulled over while driving by a law enforcement officer, they would provide their digital identification document by displaying their mobile device to the officer. Critically, from the perspective of constitutional protections, lawmakers must consider whether and when such an access would constitute an unauthorized access of the individual’s device by law enforcement. If a notification came through while an officer was looking at the device would that constitute an unauthorized access? These are particularly pressing concerns when one considers the amount of data present on a phone.
Conclusion
With all of this in mind, it is clear that despite the prima facie convenience and additional privacy controls that digital identification documents stored on various platforms could afford, a number of large legal issues must be ironed out before these new forms of ID can be used safely and securely from the perspective of fundamental privacy and security considerations.