Louisiana’s Digital Driver’s License and Act 440 — One step forward and two steps back
Louisiana Act 440 of 2023 has generated a bit of snickering in the press and protest by civil liberty organizations about the state requiring adult entertainment websites to validate that their customers are 18 years or older. No more pinky swears. If you’re 18, you’re going to have to prove it. If you live in the pelican state that is.
Groups like the Electronic Frontier Foundation have pointed out the negative ramifications of Act 440 on public privacy. As someone who’s had to learn a great deal over the last five years about identity management and safeguarding data, I see the downsides of potential data breaches and misuse. It’s also a missed opportunity to better bolster the adoption of Louisiana’s digital driver’s license to perform an age verification without exposing all of the personally identifiable information (PII) available on the license.
Louisiana was the first state in the nation to issue a digital driver’s license (dDL). A benefit of the dDL is that it enables age verification without a resident having to share the actual date of birth value. This is likely the first interaction citizens have had with a tool to perform an age attestation without having to supply their actual year of birth or DOB. The state envisions a whole ecosystem around the dDL to validate citizen identity, issue permits and licenses, and state benefits qualifications by state agencies, retailers, and institutions.
The dDL is available from the LA Wallet app for iOS or Android on mobile devices. A Louisiana resident must possess an existing, physical driver’s license to create the digital one. The LA Wallet’s account is set up via an email and password to sync the dDL to the printed plastic card DL. Password and email alone are a weak threshold to establish a digital identity though. Since there’s not a solid proofing process to validate that the person creating the dDL on a mobile device is the owner of said driver’s license, we’ve got a spoofing problem here. This is a critical flaw in the trustworthiness of a state-issued digital ID. I’ll explore potential solutions in another post, but let me stick to the relevance of Act 440.
The problem with Act 440 is how it references the dDL and other forms of identification for use in identity validation. There is no specifying any safeguards for privacy or restrictions on data retention and use by 3rd parties. As a consequence, numerous age-validation brokers can ask for and accept a range of qualifying documents to establish age, and each will have different retention and data privacy schemes. Not all of these brokers are going to ensure privacy by design. Privacy by design is a concept that requires organizations to consider privacy and security risks when designing their products and services. It involves protecting sensitive data management, preventing cyber security risks, and avoiding privacy breaches. Once personally identifiable information (PII) gets collected, there’s the risk of hacking said data, and in this case, publicly exposing a person’s adult website preferences.
Because Act 440 specifically references the state’s dDL, this would appear to be a solution to the aforementioned privacy problems because the LA Wallet enables proof for age validation. I’m oversimplifying, but the technical process and compliance with Act 440 only need affirmative responses to the following questions:
- Is this information coming from a valid LA Wallet — Y or N?
- Is the age credential in the LA Wallet equal to or above 21 years — Y or N?
With the correct architecture, there’s no PII to exchange or store. However, there is that spoofing problem with the LA Wallet. When it comes to adult websites I’m just going to name the prime suspect for spoofing a digital driver’s license — any teenage boy in the state of Louisiana. The teen only has to get a hold of a parent’s physical driver’s license to create an LA Wallet on his mobile phone and then use it to register for adult sites. The free ones anyway.
