Driver's license app on a smartphone raises privacy issues

Iowa is poised to become the first state to offer a mobile app as an official driver's license that can be displayed to police officers and security personnel, but smartphones hold a lot more data than a plastic card.

A smartphone app that drivers in Iowa will be able to use as an official driver's license could lead to privacy abuses by law enforcement.

In 2015, the Iowa Department of Transportation (DOT) plans to become the first to offer the apps to drivers for free, according to published reports.

"The way things are going, we may be the first in the nation," Iowa DOT Director Paul Trombino was quoted as saying in a report published in The Des Moines Register.

The driver's license app will be accepted by Iowa police during traffic stops and by airport security officers screening travelers, Trombino said.

Thirty states already allow drivers to show proof of insurance via a smartphone app, so allowing them to also identify themselves as licensed drivers on a smartphone is a natural extension.

However, handing police officers or security screeners your smartphone gives them access to a lot more than your license, according to Forrester analyst Heidi Shey.

"The privacy concerns that have been brought up already about this are all worth considering. Putting a driver's license on a smartphone app leaves the door open to privacy violations simply due to device access," Shey said.

For example, if a police officer pulls over a driver for a traffic violation, the officer typically takes the license and registration back to the patrol vehicle to process the information.

While the U.S. Supreme Court ruled in Riley v. California that a warrant must first be obtained prior to searching the contents of a cell phone, that ruling could be thwarted by officers citing "probable cause" or "exigent circumstances."

"One well-recognized exception [to a warranted search] applies when 'the exigencies of the situation' make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment," the Supreme Court wrote in its decision.

The Electronic Privacy Information Center, a research group in Washington, filed a brief as part of the Riley case before the Supreme Court.

Alan Butler, EPIC's senior counsel in Washington, said while there's "no direct application of Riley" because the Iowa mobile app is being built to act only as an ID, it still raises a host of privacy concerns - not the least of which is all the searchable private information on a smartphone.

Additionally, what if the driver were to get a phone call or text message while the smartphone was in a police officer's possession?

"And, what is the app doing? Is it collecting additional information about me, whether intentionally or unintentionally?" Butler said. "What is my device doing when it's using the app? Is it leaking private information about me without my knowledge?"

There are also practical reasons a smartphone could fail as a means of legal ID, including a dead battery.

Until drivers leave their homes carrying nothing but a smartphone that acts as a wallet, electronic key, debit card, among other things, and that has the appropriate security for that information, "there's no good reason not to keep carrying a plastic driver's license in our wallet," Shey said.

"By that point in the future, maybe there will be a version of the app that can be pulled up on the touch screen on the car's dashboard and securely transmitted to a device that the police officer has, eliminating the need to hand your smartphone over," Shey said.


Stories by Lucas Mearian
