One of the core functions of an mDL is to support holder consent and selective information release; these are among the core privacy principles for establishing trust between the parties in an mDL ecosystem.
Privacy must be achieved end to end and upheld by every party in the ecosystem. The common parties are issuing authorities, mDL solution providers, mDL holders, and the verifying entities that operate readers.
An mDL transaction involves the exchange of Personally Identifiable Information (PII). The privacy and security of that PII, which carries identity attributes and driving privileges, is of the utmost importance if the mDL is to become a credential that citizens trust.
Selective information release or selective disclosure establishes trust and achieves the following principles for privacy protection defined in ISO/IEC 29100:2011.
- “Data minimization”
- “Collection limitation”
According to ISO 18013-5, “Data scopes will need to be defined and implemented by verifiers and Issuing authority to facilitate easy request of data subsets to support standardized interactions between holder and reader across core use cases”, and “Data minimization must be an important privacy feature in implementing mDL for verifiers since processing of data requested by a verifying entity should be minimized to the specific purpose of the use case”. For example, a gas station selling alcohol or tobacco should request only the data element that confirms the holder is over 21 (the age_over_21 attestation rather than the birth date) and the portrait used to match the holder, not the full set of personal information.
ISO/IEC 29100:2011 states that “organizations should not collect PII indiscriminately. The amount and the type of PII data collected should be limited to that which is necessary to fulfil the legitimate purpose of the use case”. An mDL should release identity attributes only to authenticated readers operated by a verifying entity. Readers must use the issuer certificates from the master trust list to verify the integrity and provenance (issuer authenticity) of the mDL data received from the holder; note that the certificate check proves the data came unaltered from the issuer, not that its contents are accurate. “No additional data should be requested by the mDL reader other than what’s needed to authenticate the mDL holder for that use case and should avoid logging mDL PII and if required log only the data required by law”.
mDL holder consent achieves the following principles for privacy protection defined in ISO/IEC 29100:2011.
- “Consent and Choice”
- “Openness and Transparency”
Consent and choice
An mDL reader operated by a verifying entity should give the mDL holder the choice of whether to allow the processing of their PII during the interaction.
The mDL reader must inform the holder which data elements are being requested, how they will be processed, and for what purpose.
The basic principle is that no identity data should be shared with another party without the holder's informed consent. The mDL holder should be able to actively confirm or deny consent to sharing data with the verifier or relying parties, in both the offline (device retrieval) and online (server retrieval) data exchange models, whether the data flows through the reader or through the issuing authority. In a typical mDL transaction, consent can occur in the following phases as per ISO 18013-5:
- “Device Engagement: Tapping, or allowing a QR code to be scanned, to connect the mDL to the reader (Disconnected) or for the reader to connect to the Issuing authority (Connected).”
- “Data Transfer: User consent is requested by the mDL reader from the mDL holder to release the requested data elements and to validate the issuing authority signature on those data elements.”
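The following Python is an added example (not code from the page, from ISO 18013-5, or from any mDL product) that models the mechanism behind the data-minimization point above and the consent step in the data-transfer phase. The issuer wraps every data element in a salted item and signs a Mobile Security Object (MSO) that carries only the digests; the holder releases only the elements that were both requested and consented to; the reader verifies each released element against the signed MSO and rejects anything tampered or not committed to by the issuer. Stand-ins and assumptions: canonical JSON in place of CBOR, an HMAC with a constructed key in place of the issuer's COSE_Sign1 signature and the trust-list certificate chain, and a constructed sample credential.

```python
"""Toy model of ISO 18013-5 selective disclosure and holder consent.

Added example; not code from the page, from ISO, or from any mDL vendor.
Real mDLs use CBOR and a COSE_Sign1 over the MSO verified against the
issuer's certificate from the trust list; here those are stand-ins.
"""
import hashlib
import hmac
import json
import os

NS = "org.iso.18013.5.1"            # mDL data element namespace (ISO 18013-5)
DOC_TYPE = "org.iso.18013.5.1.mDL"

# Constructed sample credential (not real data).
SAMPLE_MDL = {
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": "1990-05-17",
    "document_number": "D1234567",
    "driving_privileges": [{"vehicle_category_code": "B"}],
    "portrait": "<jpeg bytes, elided>",
    "age_over_21": True,
}
ISSUER_KEY = b"constructed-issuer-key"   # stand-in for the issuer's signing key


def encode(obj) -> bytes:
    """Deterministic encoding (stand-in for CBOR; assumption: canonical JSON)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue(elements: dict, issuer_key: bytes):
    """Issuer: wrap each element in a salted IssuerSignedItem and sign an MSO
    that carries only the digests, so the holder can later reveal a subset."""
    items, digests = {}, {}
    for digest_id, name in enumerate(sorted(elements)):
        item = {
            "digestID": digest_id,
            "random": os.urandom(16).hex(),  # per-element salt hides unreleased values
            "elementIdentifier": name,
            "elementValue": elements[name],
        }
        items[name] = item
        digests[str(digest_id)] = hashlib.sha256(encode(item)).hexdigest()
    mso = {"digestAlgorithm": "SHA-256", "docType": DOC_TYPE,
           "valueDigests": {NS: digests}}
    sig = hmac.new(issuer_key, encode(mso), "sha256").hexdigest()
    return items, {"mso": mso, "signature": sig}


def build_response(items, issuer_auth, requested, consented):
    """Holder: release an element only if the reader requested it AND the
    holder consented; everything else stays on the device."""
    released = [items[n] for n in requested if n in consented and n in items]
    return {"docType": DOC_TYPE, "nameSpaces": {NS: released},
            "issuerAuth": issuer_auth}


def verify_response(response, issuer_key):
    """Reader: check the MSO signature, then prove each disclosed item is one
    the issuer committed to. Returns the verified elements."""
    auth = response["issuerAuth"]
    expected = hmac.new(issuer_key, encode(auth["mso"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, auth["signature"]):
        raise ValueError("issuer signature on MSO does not verify")
    digests = auth["mso"]["valueDigests"][NS]
    verified = {}
    for item in response["nameSpaces"][NS]:
        ref = digests.get(str(item["digestID"]))
        actual = hashlib.sha256(encode(item)).hexdigest()
        if ref is None or not hmac.compare_digest(ref, actual):
            raise ValueError(f"digest mismatch for {item['elementIdentifier']}")
        verified[item["elementIdentifier"]] = item["elementValue"]
    return verified


def age_check_transaction(consented=("age_over_21", "portrait")):
    """The gas-station use case: the reader asks for age_over_21 and portrait
    only; the holder may still withhold either one."""
    items, auth = issue(SAMPLE_MDL, ISSUER_KEY)
    response = build_response(items, auth, ["age_over_21", "portrait"], set(consented))
    return verify_response(response, ISSUER_KEY)


def tampered_response_is_rejected():
    """A response whose age_over_21 was flipped on the device must fail."""
    items, auth = issue(dict(SAMPLE_MDL, age_over_21=False), ISSUER_KEY)
    response = build_response(items, auth, ["age_over_21"], {"age_over_21"})
    response["nameSpaces"][NS][0]["elementValue"] = True
    try:
        verify_response(response, ISSUER_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(age_check_transaction())            # only age_over_21 and portrait
    print(tampered_response_is_rejected())    # True
```

The per-element random salt is what makes the withheld attributes safe: the reader sees a digest for birth_date in the MSO but, without the salt, cannot confirm a guessed date against it, so requesting age_over_21 instead of birth_date genuinely limits what the verifier learns.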
Openness and transparency
All interactions between the mDL reader and holder should be open and transparent to both parties. The verifying entity operating the reader should state clearly which data elements are being asked for and the purpose of the request. The session between the parties should expire after a specific time, and the reader should not accept follow-up requests once the connection is broken. “The mDL holder should have an audit trail of their interactions with reader devices and log information about each transaction. The verifier should avoid logging mDL holder PII and register each reader device individually with the issuing authority” to promote openness and transparency among the parties in an mDL ecosystem.
- ISO 18013-5, Personal identification - ISO-compliant driving licence - Part 5: Mobile driving licence (mDL) application.
- ISO/IEC 29100:2011, Information technology - Security techniques - Privacy framework.