Subscribe to the Free Future Newsletter
Free Future home
Digital driver’s licenses — now being built in many states — have a big problem that almost nobody is addressing: the likelihood that once they make it very frictionless to share our ID, we are likely to be bombarded by requests from all quarters to prove who we are. That’s a huge threat to our privacy. There is, however, a set of existing laws in the states that point to a solution for this problem: regulations governing who may scan the bar codes on physical IDs.
Digital driver’s licenses threaten to become unique identifiers that force us to reveal our identity to all manner of parties whether we want to or not, allowing us to be inescapably tracked. Companies today don’t usually demand that customers prove their identity unless they really need to, because it’s too much of a hassle and too big of an ask that will scare away too many customers. But when you can just serve website visitors a popup that says “Click here to share your ID,” everything changes. It would give government and companies more power over ordinary people — and often in unpredictable ways. For example, I recently explained how digital IDs will facilitate “surveillance pricing,” in which companies charge us different prices than other people based on what they know about us through tracking and surveillance of our activities and characteristics.
Any state or government that creates a digital ID needs to address this problem by making sure that people can say “no” to requests for digital IDs that are not absolutely necessary. But with the exception of New Jersey and Utah, none of the approximately 17 states that have created digital driver’s licenses have begun to address the significant dangers to privacy, access, and user control that these systems threaten to create.
What would a protection against such demands look like?
The existing regulations in many states that create protections around the bar codes printed on physical licenses are a good place to start. Machine-readable barcodes have been a sort of proto-digital ID: they allow quick and automated digital collection of all the data on your ID, albeit mostly in person. Abuse of barcode scanning has long been a problem in many states across the nation, for example at bars that scan IDs for the ostensible purpose of verifying age, but then collect far more data than the binary “over 21 yes/no” data bit they need.
Bar codes were mandated on driver’s license by the misbegotten post-911 Real ID Act, and many of the protections against scanning were enacted in the years after Real ID came into effect and, I suspect, in response to the act, which was unpopular across the political spectrum and sparked an outright rebellion in numerous state legislatures.
Based on information from online sources and some initial research of our own, it appears that 17 states regulate either when businesses may scan the bar code on a physical ID, how data from such scans may be retained or otherwise handled, or both. For example:
- Texas law says that it is an offense if a person “accesses or uses” digital information “derived from a driver's license,” or “compiles or maintains a database of electronically readable information derived from driver's licenses” or similar IDs.
- New Hampshire law says that “no person shall scan, record, retain, or store, in any electronic form or format, personal information obtained from any license” unless authorized by the state’s Department of Safety, which contains the state’s DMV.
- New Jersey’s law limits scanning and data dissemination to an enumerated list of permitted uses, and regulates data sharing. And the state’s new law authorizing digital driver’s license explicitly extends the old scanning law to digital driver’s licenses.
Many of the state laws include exceptions of varying breadth, and are quite weak. Nevertheless, they point toward possibilities for strong protections against omnipresent digital ID demands, which is going to be a much bigger problem with IDs that can be shared online with a single tap or click.
Meanwhile, however, state legislatures are steadily enacting laws enacting digital driver’s licenses that lack any protections against omnipresent ID demands — generally out of naiveté that a digital driver’s license is a simple matter and “the future” — while big tech companies like Google and Apple, along with the DMV bureaucracies, and the TSA build out the infrastructure for a national digital identity system.
State legislatures need to wake up to this entirely foreseeable consequence of a digital driver’s licence and protect their constituents.