Apple digital driver’s license in Arizona raises privacy concerns

By: Jerod MacDonald-Evoy - March 25, 2022 9:28 am

Image courtesy of Apple

Arizona is the first state to allow driver’s licenses to be placed in Apple’s digital wallet, but digital rights activists are concerned about what it could mean for the future of privacy. 

People in Arizona can now upload their driver’s license or state ID to their iPhone, add it to their wallet app and use it to present at Transportation Security Administration checkpoints at Phoenix’s Sky Harbor International Airport. 

Apple’s website states that the images and video users take to authenticate themselves for the program are “deleted from Apple servers right after sending your request to the state” and that the state does not get any other data from Arizonans’ phones.

Arizona Department of Transportation spokesman Bill Lamoreaux said that the program has already seen more than 11,500 residents add their state ID card to Apple Wallet in the first day. 

ADOT, which oversees the Motor Vehicles Division that issues driver’s licenses, responded to the Mirror’s inquiries about the program ten minutes after Apple representatives replied to the Mirror, and cc’d the same Apple representatives on its response.

The new program is raising concerns among digital privacy advocates. 

“I’m hoping that the scope creep of this data is being well thought out with whatever potential future partners they may have,” the Electronic Frontier Foundation’s Director of Engineering, Alexis Hancock, told the Arizona Mirror. “I’m hoping that states are looking at this and thinking about the future technology.”

In a contract obtained by CNBC, Apple gets “sole discretion” over the rollout of the program in Arizona, including how the program will be marketed, how its performance is reported to Apple, and what types of devices can be used in the program.

Apple is notorious for its secrecy, often making workers sign non-disclosure agreements. 

“[O]nce added to Apple Wallet, your ID information is encrypted on your device, so others including Apple can’t access it unless you choose to present it,” Heather Norton, a spokeswoman with Apple, said when asked if data is being shared with third parties.

Apple played a large role in developing mobile driver’s licenses, or mDL for short, and their technology. The company has said that the technology is largely secure and the industry standard. Apple devices encrypt the ID data and store it directly on the user’s iPhone, and users are not required to unlock their device to present their ID, which the company describes as another layer of protection.

However, a report by the Icelandic security firm Syndis found significant flaws during a rollout of a digital ID program using Apple’s technology. Android users were able to alter their IDs and, since there were not enough scanners in the country, people had to physically look at the IDs, leading to further exploits of the system.

The program also raises privacy-related concerns alongside concerns about its implementation, according to Hancock.

mDL also ties into another program called Real ID, which is part of a federal law passed in 2005 that aims to create a unified driver’s license system. Opponents of Real ID like the EFF argue that it aims to create a national ID system.

“It assumes that all the parties involved that would request or ask for your ID would act in good faith or ask for your ID in good faith,” Hancock said. 

Hancock and her colleagues at the EFF, as well as organizations like the ACLU and EPIC, have expressed concerns about the growing trend of digitizing driver’s licenses and the impact it could have on already marginalized communities.

The elderly and those in poverty generally do not have access to smartphones, and the prospect of a digital ID becoming required concerns groups like the EFF, which also raised concerns over the rollout of digital vaccine passports during the height of COVID-19 in places like New York and California.

Lamoreaux feels differently about the program and the privacy concerns. 

“Apple Wallet data is encrypted and protected against tampering and theft,” Lamoreaux said in an emailed statement. “Facial recognition allows the MVD to securely verify and confirm the identities of those wishing to load their license into the Apple Wallet. 

“The MVD and Apple do not know when or where residents present their IDs. Biometric authentication using Face ID and Touch ID ensures that only the person who added the ID to the device can view or present their ID or license in Apple Wallet.”

Colorado, Hawaii, Mississippi and Georgia are set to be the next states to get the program, according to Apple. 

“I’ll be holding onto my physical card and may look like a dinosaur for it in the future,” Hancock said. “I hope to not see my worst fears come true, I don’t like being right.”

Jerod MacDonald-Evoy

Reporter Jerod MacDonald-Evoy joined the Arizona Mirror from the Arizona Republic, where he spent 4 years covering everything from dark money in politics to Catholic priest sexual abuse scandals. He brings strong watchdog sensibilities and creative storytelling skills to the Arizona Mirror.