MDL Considered Harmful

From MgmtWiki

Full Title

The Current Mobile Driver's License Design is Considered to be Harmful to the population at large.

Author: Tom Jones

Date: 2023-03-23 (latest update)

Context

This is a paper about ethics, a topic in which computer practitioners have recently become interested as they try to make the case that they should be considered professionals, even though they are unwilling to accept the responsibility for their actions that any professional must assume. On 2023-03-01 President Biden promised to change that and make app developers responsible for cybersecurity.[1]

In February 2023 there were 5,823,500 driver's licenses issued in Washington State[2] out of a population of 7.79 million, which means that almost 2 million residents, over 1/4 of the population, had no driver's license. An official ID card is available to these people at a cost of $54, not a good investment for most of that population. Unlike many states, the Washington State Department of Licensing (DOL) will offer a state ID card at no cost to those who are homeless. For people who may not be homeless but are receiving public assistance, the DOL offers cards at a reduced price of $5 if they have a letter from the Department of Social and Health Services. A letter is not required for those under 25.

The State DL or ID is now the de facto ID card required for nearly all restricted access sites and resources in most of the United States.

Problem

Problem one

The Pareto Principle, devised by Vilfredo Pareto, specifies that 80% of consequences come from 20% of the causes, asserting an unequal relationship between inputs and outputs. This principle serves as a general reminder that the relationship between inputs and outputs is not balanced.[3]

Nearly all computer applications for public consumption would be very happy to reach 80% of the population, and few would consider an identification method that excluded the 20% of the population without a state-issued ID to be any impediment to the success of their application in the marketplace. Since 80% penetration of the marketplace can be achieved at 20% of the cost of universal availability, the result should not be a surprise: most identification systems are not inclusive. Notably this includes the identification systems defined by NIST SP 800-63-3. When NIST went to issue a new version of the standard, this discrepancy was brought to their attention and the rush to release version 4 of the standard was held back until it was addressed.

The Mobile Driver's License standard ISO 18013-5 took the Pareto approach. It is strictly limited to driver's licenses in direct contact with the verifier and so specifically targets only 75% of the North American population. This is ethically unacceptable. But it is completely in line with other current efforts to monetize digital wallets and their accompanying distributed IDs; they can only be used by rich Technorati with the most current technology.

Problem 2

By far the biggest challenge is getting secure wallet code into the user's hands. The top contenders in 2023 are the smartphone titans, Apple and Google, at least in the Western world. But that doesn't sit well with regulators who want to see competition. Somehow governments, which have failed their citizens for years now, think that they can create a marketplace and let "survival of the fittest" give us a product that is better for their citizens.[4] Our experience with existing privacy regulation should show that to be unlikely. See the wiki page describing how GDPR is a scam designed to penalize the winners of the competition rather than encourage competition.

Problem 3

The current ISO specification defines the issuer of the MDL to be the single guarantor of the holder's privacy considerations. The way the standard is written, the holder is only given the choice of allowing or rejecting a request, and it is not clear whether the holder needs to be informed of the verifier's intent in any case. Sovereign governments have had very poor records in protecting the holder's private data in the past. It is unclear how they will do so in the future, given that there is no standard for the digital wallets or for the way that the wallets communicate with the verifier. The Kantara Initiative published a report[5] on a way to do that so that health information designated as HIPAA-protected information in a covered health provider could continue to be protected when it was passed to the holder at their request. The HHS/ONC determined that HIPAA coverage was not applicable once the holder received the data, and so missed a good opportunity to help patients keep their private health information confidential; it also made it so that data collected by the patient in their own home was not covered either.
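As an added illustration (not code from this page, the ISO standard, or any wallet vendor), here is a wallet-side consent step that does what the paragraph says the standard leaves open: it shows the holder every requested element together with the verifier's per-element intentToRetain flag and applies the holder's own disclosure policy before anything is released. The request shape follows the ISO 18013-5 ItemsRequest (namespace, data element, intentToRetain); the HolderPolicy fields, the sample request and the sample policy are constructed assumptions.

```python
# Added example: a wallet-side consent step for an ISO 18013-5 style request.
# The request mirrors the standard's ItemsRequest (namespace -> element -> intentToRetain);
# HolderPolicy, SAMPLE_REQUEST and SAMPLE_POLICY are constructed for this example.
from dataclasses import dataclass, field

MDL_NS = "org.iso.18013.5.1"  # mDL data namespace defined by ISO 18013-5


@dataclass
class HolderPolicy:
    never: set = field(default_factory=set)          # never released to anyone
    no_retention: set = field(default_factory=set)   # released only if not retained
    substitutes: dict = field(default_factory=dict)  # coarser element offered instead


def review_request(items_request, policy):
    """Return (consent prompt lines for the holder, elements the holder agrees to release)."""
    prompt, release = [], {}
    for ns, elements in items_request.get("nameSpaces", {}).items():
        for elem, intent_to_retain in elements.items():
            if elem in policy.never:
                prompt.append(f"REFUSE     {ns}/{elem}: blocked by holder policy")
                continue
            if intent_to_retain and elem in policy.no_retention:
                prompt.append(f"REFUSE     {ns}/{elem}: verifier intends to retain it")
                continue
            chosen = policy.substitutes.get(elem, elem)  # e.g. age_over_21 instead of birth_date
            verb = "SUBSTITUTE" if chosen != elem else "RELEASE   "
            prompt.append(f"{verb} {ns}/{elem} -> {chosen}, retain={intent_to_retain}")
            release.setdefault(ns, {})[chosen] = intent_to_retain
    return prompt, release


# Constructed request: a venue age check that also asks for identifying data.
SAMPLE_REQUEST = {
    "docType": "org.iso.18013.5.1.mDL",
    "nameSpaces": {MDL_NS: {
        "family_name": True,       # True = verifier intends to retain the value
        "birth_date": False,
        "portrait": False,
        "document_number": True,
    }},
}
# Constructed holder policy: minimum disclosure, no retention of identifying data.
SAMPLE_POLICY = HolderPolicy(
    never={"document_number"},
    no_retention={"family_name", "portrait"},
    substitutes={"birth_date": "age_over_21"},
)
```

Calling review_request(SAMPLE_REQUEST, SAMPLE_POLICY) yields a four-line prompt the wallet can show before consent, and only age_over_21 and portrait are released, neither for retention.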

NIST is clearly conflicted. This is the goal from the MDL project description they just published[6]: "The NCCoE plans to develop an open-source reader reference implementation of ISO/IEC 18013-5 and ISO/IEC 18013-7 which can be used as a stand-alone reader or can be integrated into an existing Verifier's web application / service". And here is a statement from the current draft of SP 800-63-4 that is inconsistent with that goal:
"2.3.3. Equity. As defined in Executive Order 13985, Advancing Racial Equity and Support for Under-served Communities Through the Federal Government [EO13985], equity refers to the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to under-served communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders, and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality."

Problem 4

Adoption of the MDL will be largely dependent on ease of use and cost. The current ISO 18013 card is very convenient, and the cost is borne by the drivers as they have no alternative. This is a significant source of revenue, along with the car license plates. To become more useful, programs like the one described above for WA state need to be more generally promoted so that all residents will share in the benefits of an identifier card. One method described above is to use the same technology on other state-issued cards, like Medicare. Without such incentives the uptake is likely to stay low and the underserved will continue to be marginalized.

Privacy

Solution

Assert Non-negotiable Criteria

Interestingly this is what NIST SP 800-63-4 is trying to do. The best outcome might simply be to adhere to that evolving standard. Here are some thoughts about what is needed:

  1. Any resident who wants or needs a state-issued identifier can get one. No conditions, such as citizenship, are imposed. (Principle: Inclusion.)
  2. The identifier document does not need to include any particular license or attribute in order to exist. All such attributes or license grants are (conceptually) added after the identifier document exists. (The digital identifier needs to be the initial criterion.)
  3. Revocation of an identifier document is subject to judicial review in the presence of the human (or court-designated guardian). (UN right to recognition as a person.)
  4. High-assurance features, like Real ID or a passport, may be bound to the identifier as the need arises.

Incremental Solutions

  • NIST is leading an NCCoE effort to expand inclusion for the NIST identification standard SP 800-63-4 and held a session on 2023-03-02 that addressed the problems there.
    • Panel Discussion Members:
      • Kimberly Adams (Senior Advisor, Digital Cash & Voucher Technology, Technology for Development of Mercy Corps)
      • Safi Mojidi (Head of Information Security at FOLX Health; #STMIC Fellow at New America)
      • Maria Vachino (CEO of Cyntegra; VP of Assurance at the Kantara Initiative)
    • What are challenges to access for various communities?
      • There are vulnerable populations who do not have all the typical identifiers, such as a permanent address or a non-shared phone number, which are needed for identification.
      • There are some low-tech communities, and these cannot afford to be victims of fraud. It would be helpful to have a standardized identifier that is accepted widely regardless of the system used (since not all have cell phones, laptop/PC, or even internet access). Industry needs to
      • There are some situations where persons have gone through gender affirming care and do not look like the person in their identification photo. It would be helpful to take these communities into account when developing systems.
      • Drivers’ licenses are typically the default identification but there is variation among states for how verification happens. Also, there is not a good way to use passports.
    • What are some risks that need to be considered?
      • There are risks for fraudulent representation. Industry should try to balance how to provide services to both businesses and citizens that accounts for this issue.
      • Industry should be intentional about the tactics used to prevent improper health data sharing and be thoughtful about the mechanisms used on the back-end to verify identity.
    • How can we better balance equity and privacy?
      • More data is needed to help balance challenges between equity access and security/privacy. This will help to tailor controls to strike a better balance and measure impact.
      • There is a need for qualified technical individuals in this space.
      • There is a need to track additional information (the point was made that you cannot improve what you don’t measure, and you cannot measure things that are not tracked.) Decisions must be made on exactly which aspects of equity to track, what kind of questions to ask, what the opt in process is, and how to collect and process this information in a way that is policy preserving.
      • Efforts to educate the public that these decisions have been made “with you” rather than “for you” will help the public buy into and use the technology and help build trust within marginalized populations that may distrust the technology.
    • NIST is currently considering what to put in this revision of the special publication on digital identity regarding an approach/proposed common language that addresses security, privacy, equity, and usability. What should this language include/address?
      • The language should recognize industry specific needs.
      • It may make sense to combine equity and privacy as a singular category, but to also consider equity more explicitly when identifying the key issues that will have equity impacts for certain applications.
      • Risk assessments should not be done at the end of product completion – these should be integrated into the designs of the products. Security should be integrated into all aspects of the application, while considering how this impacts accessibility.
      • We may need profiles of the different identity assurance levels to give agencies the ability to tailor and move toward using the federated credentials (but still providing the flexibility that is needed).
  • Jorge Flores from Entidad described a solution to the Open Wallet Foundation Architecture team in support of migrant farm workers that needs to be understood to be believed. They have been able to get digital wallets into the hands of migrant farm workers affiliated with the United Farm Workers Union in spite of issues like:
    1. multiple workers sharing the same phone
    2. very old phones with very old versions of the operating systems
    3. loss of network connectivity because of expired telco plans or remote location (the phone may still hold a functioning wallet)
    4. deliberate theft of the phone by others who want to claim the benefits of an insurance plan or other social benefits
    5. limited ability to read or speak English
    6. many nationalities and many languages
    7. many different political subdivisions with different rules on eligibility.

Complete Solutions

  • Create use cases that explicitly address several underserved population groups.
  • Eliminate the concept of a Driver's License as a document and consider it to be one grant that might be included in a larger framework of licenses granted by a state. See the wiki page on State Mandated Identification for more details on this.
  • The state would create one (or more) Digital Twin of a person within that state and assign it grants. Every resident gets a card with an Identifier that can reference all of the grants that state has of that person, either natural or legal.
  • While this solves one problem, it creates a very attractive target for malware of many different types, both nation-state and criminal.
  • The question of what level of trust citizens should grant the state is, and will continue to be, a difficult one. If that is not addressed, the uptake of MDL will be adversely affected.

References

  1. Dustin Volz, "Biden National Cyber Strategy Seeks to Hold Software Firms Liable for Insecurity", Wall Street Journal (2023-03-02) https://www.wsj.com/articles/biden-national-cyber-strategy-seeks-to-hold-software-firms-liable-for-insecurity-67c592d6
  2. Statista, "Total number of licensed drivers in the U.S. in 2020, by state" (2023-02-28) https://www.statista.com/statistics/198029/total-number-of-us-licensed-drivers-by-state/
  3. Evan Osnos, "Ruling-class Rules", The New Yorker (2024-01-29) p. 18ff.
  4. Susan Morrow, Cybernews https://cybernews.com/tech/who-will-win-the-war-of-wallets/
  5. Kantara Initiative, "Kantara Mobile Assurance Statement" (PDF) https://kantarainitiative.org/download/kantara-mobile-assurance-statement/
  6. NIST NCCoE, "Accelerate Adoption of Digital Identities on Mobile Devices" (project description, draft) https://www.nccoe.nist.gov/sites/default/files/2023-03/mdl-project-description-draft.pdf