Idemia digital drivers licenses expose citizens to hackers, government abuse, critics say
The world’s largest biometrics surveillance company wants to add your driver’s license photo to its digital library, which already has collected and processed some 3 billion faces.
Idemia, based in Paris, is at the center of a push to create digital driver’s licenses, also known as mobile driver’s licenses, that could allow motorists to flash an app on their smartphones instead of showing traditional plastic ID cards to prove they can drive, vote or drink beer.
Idemia systems are responsible for issuing traditional licenses in 42 states that account for 80 percent of all U.S. drivers.
Idemia is a multinational company that has partnered with U.S. security and law enforcement agencies for decades to provide multilevel data-gathering, including fingerprinting, airport security and facial recognition technologies.
But massive data breaches such as those at Facebook and Equifax have put Idemia under scrutiny, especially among privacy and digital rights groups. Critics say the company is vulnerable to hackers and government abuse as it fosters an “Orwellian vision” of a monitored society in which privacy and civil liberties yield to intrusion in the name of public safety and security.
“Despite its reach into the private and commercial affairs of most Americans, Idemia is not a household name,” said Twila Brase, a digital privacy advocate based in St. Paul, Minnesota, who penned a sharp critique of the firm last year. “However, this global company is acquainted with most American citizens, whose private information flows through its equipment, databases and software products.”
Idemia did not respond to requests for comment. The company’s website says it stands for “augmented identity.”
“In designing our market-leading solutions, we rely on the most physical, natural and authentic verification: the body’s own biometric data,” the company website says. “Your identity can be verified with a simple glance or the tap of a finger which means that your identity cannot be stolen, imitated, jeopardized or corrupted. You are in direct control of your personal information.”
The Departments of Defense and Homeland Security and the FBI did not respond to requests for comment about their contracts with Idemia.
Idemia emerged from the 2017 merger of the French digital security firm Oberthur Technologies and Morpho S.A.S., a French multinational corporation that specialized in security and identity technologies.
The company’s website boasts revenue of more than $3 billion, 14,000 employees of more than 80 nationalities and clients in 180 countries.
Idemia’s U.S. headquarters is in Reston, Virginia. Information that the company collects every day flows into databases at the Departments of Defense and Homeland Security and the FBI, where millions of personal, biographic and biometric files are kept on Americans and foreigners.
Critics of the company say it’s unclear how long Idemia stores data because so many details are categorized as “classified” or too sensitive to national security to be made public.
“They have an Orwellian vision of control,” said Ms. Brase, a public health nurse who wrote the 2018 book “Big Brother in the Exam Room: The Dangerous Truth about Electronic Health Records.”
Jennifer Lynch, director of surveillance litigation for the Electronic Frontier Foundation, a San Francisco-based digital rights group, has testified before Congress that lawmakers need to increase oversight of the government’s “broad expansion of data collection.”
According to the Center on Privacy and Technology at the Georgetown Law Center, most adult Americans are already in a facial recognition database because of how governments format driver’s licenses and passport photos for such use. The center notes that 31 states currently allow law enforcement to search driver’s license image databases with facial recognition software.
Idemia boasts on its website that “criminal justice systems throughout the United States use [Idemia] facial recognition technology to identify persons of interest and enhance their investigation capabilities.” In addition to Idemia, Amazon, Apple and Facebook are considered to be leaders in developing the technology.
Ms. Lynch warned that too few federal and state regulations sufficiently govern police use of facial recognition technology and that poor data management and “a high rate of misidentifications” have plagued agencies such as Homeland Security. She noted that the department’s inspector general recently criticized the office of biometric identity management for failing to train personnel properly and for relying too heavily on third-party data collectors.
In an interview, Ms. Lynch said Idemia poses a threat because of its position at the center of so many government databases.
“One algorithm hashes all of [Idemia’s] biometric data,” she said. “If a hacker gained access to that proprietary algorithm, they potentially could have access to the biometric data of every person in the database.”
Government agencies also could easily check across all of the databases even if they are not cleared to do so, she said.
‘Can of legal worms’
In India, Idemia is involved in Aadhaar, the government’s biometric identification program, which collects, processes and stores the iris patterns, personal details and fingerprints of 1.2 billion Indian nationals.
Aadhaar has been subject to serious security breaches. Access to identities it verifies has been sold for less than $10 online.
Idemia now is pushing for mobile driver’s licenses as a form of universal digital ID.
Jenny Openshaw, chief of North American sales for Idemia, discussed the company’s efforts to develop mobile driver’s licenses in October at the Money 20/20 financial conference in Las Vegas.
According to industry reports, Ms. Openshaw said Idemia was working with 38 state driver’s license programs and that much of the work focused on mobile versions using facial recognition technology to unlock access to the app.
Police say mobile driver’s licenses connected to a central database could make their work safer and easier because updates could provide information about a motorist’s license suspension, change of address or outstanding tickets and warrants.
Civil liberties advocates worry that multiple state mobile driver’s license programs could morph into a de facto national ID system without any significant public debate.
Alan Butler, senior counsel at the Washington-based Electronic Privacy Information Center, warned that a host of thorny civil liberty, privacy and data security issues must be addressed before mobile driver’s licenses are widely adopted, especially the question of whether police could remotely access a person’s smartphone hosting the app. Such searches, he said, would be illegal without a warrant.
“Device-to-device communications is its own can of legal worms,” Mr. Butler said.
At the Money 20/20 conference, Ms. Openshaw engaged in a panel discussion titled “Can Secure Private Digital ID Still Allow Us to Enjoy Life?” She said several government agencies were working to establish standards for mobile driver’s licenses, according to industry reports.