In our recent live podcast, Richard Esplin (Dock Labs) sat down with Andrew Hughes (VP of Global Standards, FaceTec) and Ryan Williams (Program Manager of Digital Credentialing, AAMVA) to unpack the new ISO standards for mobile driver’s licenses (mDLs).
One topic dominated the discussion: server retrieval.
The ISO 18013 standard allows two ways to share mDL data:

- Device retrieval: data is shared directly from the user’s phone.
- Server retrieval: the verifier pulls data from the issuer’s server after the user presents a token.

The second option has sparked privacy concerns.
With server retrieval, issuing authorities could theoretically log every credential use: IP address, time, and attributes shared.
Critics warn this creates the very “phone home” tracking that digital ID systems must avoid.
Andrew explained why it was added in the first place: when the standards were written years ago, there was no clear way to use an mDL online. Server retrieval was introduced so that if jurisdictions wanted an online model, there would be a standardized approach, not a “wild west” of proprietary, insecure, or privacy-invasive solutions.
That said, AAMVA has drawn a hard line: server retrieval won’t be allowed in North America. All exchanges must happen device-to-device.
The ISO committee is responding too.
In Edition 2 of ISO 18013 (expected 2026), server retrieval will be removed from the core standard and spun out into a separate technical specification. This ensures it won’t be the default anywhere, while still leaving a standardized path for jurisdictions that want it.
Bottom line: mDLs are advancing fast, but how data is retrieved, and how privacy is protected, will shape trust and adoption in every region.