By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. More info
DenyAccept

mDLs, Privacy, and User Tracking: What You Need to Know [Video and Takeaways]

Published
August 25, 2025
Table of content
This is also a heading
This is a heading

Join 14,000+ identity enthusiasts who subscribe to our newsletter for expert insights.

By subscribing you agree to with our Privacy Policy.
Success! You’re now subscribed to the newsletter.
Oops! Something went wrong while submitting the form.

Mobile driver’s licenses (mDLs) and mobile identity documents (mDocs) are rapidly moving from pilot projects to mainstream adoption. With more than five million mDLs already in circulation and half of U.S. states announcing plans to issue them, the identity community is asking an important question: what do these standards really mean for privacy, interoperability, and real-world implementation?

To explore these issues, we hosted a live podcast featuring two leading experts. Andrew Hughes, VP of Global Standards at FaceTec, has spent more than a decade shaping international ISO standards for digital identity, credentials, and biometrics. Ryan Williams, Program Manager of Digital Credentialing at the American Association of Motor Vehicle Administrators (AAMVA), leads the subcommittee responsible for translating ISO standards into North American implementation guidelines.

Moderated by Richard Esplin, Head of Product at Dock Labs, the conversation offered a rare opportunity to connect the dots between how the ISO standards are written, how they are being interpreted in practice, and what identity practitioners need to know as mDLs roll out worldwide.

ISO 18013 Standards Overview

  • ISO 18013 defines interoperable digital identity documents (mDLs, mDocs).
    • Part 5: Proximity (device-to-device) interactions.
    • Part 7: Remote (server retrieval) interactions.
  • Initial scope: replicate plastic driver’s license functionality digitally.
  • Future scope: expand to passports and other government IDs.

Adoption and Current State

  • ~5 million mDLs already in circulation.
  • About half of U.S. states have announced mDL plans.
  • Drivers’ licenses in North America function as de facto identity documents beyond driving.

Privacy Concerns and “No Phone Home”

  • Two modes of data retrieval:
    • Device Retrieval: verifier requests attributes directly from the user's device.
    • Server Retrieval: verifier retrieves data from the issuer's server using an access token.
  • Concerns:
    • Server retrieval may enable issuers to log or track usage patterns (IP, time, data shared).
    • “No phone home” manifesto highlights risks to civil liberties.
  • AAMVA perspective:
    • North America prohibits server retrieval in guidelines.
    • Device retrieval is mandatory fallback, ensuring interoperability.

Standards Development Process (Andrew’s View)

  • Standards creation = multi-year negotiation with 100+ countries.
  • Compromises often necessary → hence existence of two retrieval modes.
  • Version 1 (2015–2016 tech landscape): proximity first, server retrieval added to avoid insecure ad-hoc online models.
  • Edition 2 (due ~2026):
    • Server retrieval removed from the core document and moved to a separate specification.
    • Adding revocation mechanisms and support for ZKPs.
    • Enhancements for multi-wallet, multi-credential queries.

North American Implementation Guidelines (Ryan’s View)

  • AAMVA translates ISO standards into North American best practices.
    • Make optional ISO fields mandatory (e.g., demographic info like height, weight, sex) to align with physical license.
    • Prohibit server retrieval outright.
  • Implementation guidelines act as policy & procurement guides for state DMVs.
  • AAMVA’s 4 pillars: safe drivers, safe vehicles, secure identity, and saving lives.

Certification and Conformance

  • Standards specify mandatory and optional features, but real-world implementations vary.
  • Certification:
    • Purchasers (DMVs, states) decide which clauses to require.
    • Certification bodies provide assurance that solutions meet those requirements.
  • A reader can be compliant without implementing every optional feature (disclaimers clarify scope).

User Consent and UI Challenges

  • Standards specify signals and protocols, not UI design.
  • Annexes provide privacy & security considerations (e.g., unconscious user, emergency scenarios, dead battery fallback).
  • AAMVA requires issuing authorities to ensure:
    • User controls when/where to share data.
    • Selective disclosure is supported.
    • Consent is explicit at the point of transaction.

Server Retrieval Controversy

  • Andrew:
    • Server retrieval itself isn’t inherently controversial; misuse and surveillance are the problem.
    • Any internet service retrieves server data; key issue = personal data handling.
  • Adjustments:
    • ISO moving server retrieval into separate technical spec in Edition 2.
    • Ensures jurisdictions that need it have a standardized method without imposing it universally.
  • Ryan:
    • Even without server retrieval, privacy requires policy and regulation about data handling after release.
    • U.S. needs stronger privacy laws to complement technical measures.

Trust Infrastructure (Keys and Verification)

  • Digital Trust Service (DTS): AAMVA’s key repository for North American issuers.
    • Central source for issuer public keys.
    • Prevents spoofing/phishing by ensuring authenticity.
    • Free access; no registration required (only terms & conditions).
  • Issuer key approval process:
    • Jurisdictions must certify conformance to ISO and proper key management.
    • Ensures issuers have capacity to secure infrastructure.

Derived Credentials

  • Concept: create purpose-specific credentials from mDL data (e.g., student ID, employer ID).
  • Benefits:
    • Limit PII exposure (share only what’s needed).
    • Better alignment with use cases (a bookstore doesn’t need your height/weight).
  • Risks:
    • Requires strong trust and signature chains.
  • Consensus:
    • Derived credentials are the likely future of digital ID ecosystems.

Standard Future Enhancements

  • Revocation support: moving from periodic refresh toward status lists and ZK-based revocation.
  • Zero-Knowledge Proofs (ZKPs):
    • Google’s Longfellow ZKP design is seen as promising.
    • Enables selective disclosure efficiently on consumer devices.
  • Multi-credential support:
    • Queries across multiple credentials/wallets.
    • Clarified handling of combined credentials.

Browser and Standards Ecosystem

  • Collaboration across ISO, W3C, OpenID Foundation, IETF.
  • Browser support:
    • Chrome and Safari integrating Digital Credentials API.
    • Apple and Google documentation improving.
  • ISO cannot formally reference draft standards but tracks alignment closely.

Key Takeaways and Closing Advice

  • Andrew’s advice: “Don’t wait. Do it now. You’re already too late.”
  • Ryan’s advice: Education is essential for implementers, policymakers, and issuers.
  • Both: engagement in ecosystem discussions and standards work is critical to shaping outcomes.

Create your first digital ID credential today

The Truvera platform helps you integrate reusable ID credentials into your existing identity workflows to support a variety of goals: reduce onboarding friction, connect siloed data, verify trusted organizations and customers, and monetize credential verification.

Sign up for free
Request Free Consultation

Ready to get started?

Sign up to TruveraRequest Free Consultation

Company

Truvera Platform

Developers

Industries

Resources

Copyright © 2024 Dock Labs AG