As mobile IDs proliferate, concerns about cybersecurity and data privacy mount

New York is rolling out mobile driver’s licenses, giving residents in the Empire State the option to ditch plastic for digital IDs—at least some of the time.

With the launch, New York joins a dozen other states in offering mobile IDs. The New York Mobile ID app was announced at a press conference last week at LaGuardia Airport, where it can be used—in addition to 27 other airports—for identity verification. According to the Transportation Security Administration, New York is now the ninth state to offer digital IDs that are interoperable with the TSA’s credential authentication technology.

In a statement, New York Gov. Kathy Hochul said the “cutting-edge technology” provides “convenience and added security” for users and those who accept mobile IDs. Port Authority Executive Director Rick Cotton echoed Hochul’s comments, adding that they will be especially helpful in expediting “the screening process” amid an $8 billion revamp at LaGuardia.

States have long been excited at the prospect of mobile IDs, which provide residents with greater convenience and give them the ability to limit the amount of information shared when verifying identities or ages in certain situations. In addition to those offering them, another dozen states are in the process of implementing digital IDs. The remainder of states have either considered legislation or have passed bills to study or mandate them.

And as more states move towards requiring age verification to access social media and adult websites, mobile IDs will play a key role.

“Digital credentials are the future of identity verification, and New York is proud to be among the states leading this innovation in partnership with the TSA,” New York Department of Motor Vehicles Commissioner Mark Schroeder said in a statement.

But there are still issues with mobile IDs, especially around cybersecurity and privacy.

Tim LeMaster, vice president of global systems engineering for the data security company Lookout, noted that mobile IDs are “just another application for our mobile devices,” which are already vulnerable to hacks. He pointed to recent research from his company that found that 60% of mobile devices run on outdated operating systems, meaning they can be compromised by anything from a phishing email or text message to an unsecure connection. 

Generally, LeMaster said, laptops and computers will have endpoint protection, but many mobile devices may not be so well protected.

“This is not a space where you just want to cross your fingers and hope for the best,” he said. “Organizations and individual users shouldn't do that, and they don't do it on traditional endpoints, so they shouldn't be doing it on mobile.”

Those behind New York’s mobile ID emphasized its cybersecurity protections. IDEMIA Public Security North America, which partnered with the New York DMV, said the app is designed to conform with mobile driver’s license standards from the International Organization for Standardization. On-demand credential updates are pushed to the app, as well as real-time notifications if an ID has been revoked or canceled.

Donnie Scott, CEO of IDEMIA Public Security North America, said in a statement the partnership with New York’s DMV is “an example of iron sharpening iron” given the strong protections embedded in the mobile ID.

Still, the risk that users’ personal information could be exposed remains, potentially creating headaches for states as they wrestle with the ongoing threat of hacks and attempt to implement their own data privacy laws.

In January, the New York Civil Liberties Union’s Surveillance Resistance Lab sent New York Commissioner Schroeder a letter warning that a mobile ID program “drastically changes what it means for New Yorkers to have a state-issued ID and exposes them to numerous risks.” The group said the program uses “largely untested technology” and has an “unprecedented data collection program.”

NYCLU raised concerns about the program’s use by law enforcement to track residents or access their mobile devices through a seizure. That is especially troubling for the state’s immigrant community, which spent years fighting to expand access to driver’s licenses in New York and now may be vulnerable to their mobile license being used by immigration authorities to find them.

“People who have acquired driver’s licenses in this time, including those vulnerable to government surveillance and immigration enforcement, did not sign up for a mobile tracking program,” NYCLU wrote.

The group also warned of the “deep implications for social inequity,” as it argued that mobile IDs could become the “norm” and so marginalize those people who do not own smartphones, including low-income, older and rural residents. Since that letter, NYCLU said little has changed in the program.

“This mobile driver’s license program may as well just hand over the public’s personal data to state and corporate entities—there’s been no public input and no oversight,” Daniel Schwarz, NYCLU’s senior privacy & technology strategist, said in an email. “A program that would completely overhaul how identity records are stored, presented and accessed requires the highest level of public scrutiny and should be implemented with utmost care, legal attention and technical safeguards.”

Despite any potential issues, Lookout’s LeMaster predicted that mobile IDs will continue to spread across the country.

“I think the advantages outweigh the risks at the end of the day, from a state perspective,” he said, “just in terms of convenience for the government, let alone convenience for the end user or the mobile driver's license holder.”