How the US could sleepwalk into a dystopian digital ID system
Tech born in the crypto community could ward off a privacy nightmare—but only if people actually use it.
Hello again! Today we continue our quest into the wilderness of digital identification. And once again: all the news that’s fit to Glitch, from Tornado Cash to World Liberty Financial.
How digital driver’s licenses could supercharge surveillance—and what can be done about it
Jay Stanley isn’t a crypto guy. But the longtime American Civil Liberties Union policy watcher and privacy advocate is aware of the novel capabilities crypto folks have invented to get privacy on blockchains.
And he thinks we should use them to escape a “nightmare” he sees unfolding.
The future of digital identity is a massively complicated issue that is as political as it is technological. But most Americans, regardless of political stripe, would oppose a national identity system that could be used to track their activities. According to Stanley, what may seem like a mundane trend taking hold across the US—the shift to digital driver’s license credentials—is leading Americans to “sleepwalk” into that exact sort of system.
Stanley says the problem begins with a widely adopted “mobile driver’s license” or mDL standard that does not adequately protect the holder’s privacy (more on that in a minute). A number of state legislatures are moving forward with mobile driver’s license programs that use the standard, he says. He is concerned that making it easy to digitally share your driver’s license information will lead to more businesses—not just those selling age-restricted stuff—asking you for your ID.
“The real game here is to create one that could be used online,” Stanley said on stage late last month during a panel I moderated as part of Paul Brigner’s PGP* for Crypto monthly breakfast event series in Washington, DC. “The concern is that there is going to be a lot of incentive for every website to track you and say: ‘Hey, do you want to watch a YouTube video? Do you want to log into your social media? Do you want to browse here at catbeds.com? Click here to send us your digital driver’s license.’”
“This really has the potential to become a supercookie” that would work online and in the physical world, Stanley said. Think of all the places—bars, restaurants, convenience stores, airports, and hotels, to name a handful—where you already have to show your ID.
It would be one thing if it weren’t possible to keep your personally identifying information private while still transmitting the necessary information to anyone who checks your ID. But it is technically possible. “We have all these cryptographic techniques to preserve privacy, as in the cryptocurrency space,” Stanley said. “We should use them.”
Some folks are using them—here and there, anyway. But what lies ahead is a political, technical—maybe even cosmic—struggle to determine how best to identify ourselves as human in the digital world.
Standards: boring but important
Hardly anyone thinks technical standards are exciting. But they are powerful. That’s in part because standards-making bodies, like the World Wide Web Consortium (W3C), were created with the support of national governments. The W3C was formed in 1994 with support from the European Commission and the US government’s Defense Advanced Research Projects Agency (DARPA). It creates standards for the web—and has even created standards for untrackable, private digital identity systems.
In the eyes of privacy advocates, the problem is that the US Transportation Security Agency (TSA) and many state legislatures have chosen to adhere to a different standard.
Created by the International Organization for Standardization (ISO) in 2021, the mobile driver’s license or “mDL” standard is silent in important areas where user privacy is at stake, Stanley says. “For example, it allows the ID to have a phone home mechanism, where you present your ID to a liquor store clerk, and the liquor store clerk pings the server of the DMV,” he says. “Now the DMV has a bird’s-eye view of everybody that you show your ID to.” Last October, the ACLU published a list of 12 recommendations for state legislatures, including that new laws should prohibit digital driver’s license issuers from tracking users via such a “phone home” mechanism.
Stanley and both of his fellow panelists—Manu Sporny, founder and CEO of Digital Bazaar, and Kim Hamilton Duffy, executive director of the Decentralized Identity Foundation—say there is a better way.
The “verifiable credentials” standard, created by the W3C with Sporny’s help, sets technical parameters for a digital stand-in for a physical credential, like a driver’s license, designed with privacy in mind. The holder of a verifiable credential can use cryptographic proofs to selectively reveal only the necessary data to a given third party, while keeping everything else private.
Unlike the ISO process, W3C’s process has been open to the public. Work on the verifiable credential has been going on for years. “It is important to understand that when a standard is put together, that civil liberties organizations, security professionals, privacy professionals, did actually look at the standard and make sure that it had been vetted,” Sporny said.
Advanced cryptography, like the zero-knowledge proof systems emerging in the cryptocurrency world, is a natural fit for this standard. These systems give users the power to prove statements about themselves—they are above the legal age to buy a beer, for example—without revealing any other information.
We are all used to pulling out our plastic identity cards for various reasons. But they contain far more information about ourselves than any store clerk needs to see. “You are showing 35 pieces of deeply identifying information just to buy a beer,” Sporny said. “You shouldn’t be doing that.”
Sporny pointed to the California Department of Motor Vehicles as one agency that has given consumers both options in its app—mDLs that follow the ISO standard as well as verifiable credentials. Users in California can opt into a system called TruAge, which Sporny’s company helped develop for the National Association of Convenience Stores. The system lets users who opt in digitally share an “unlinkable,” single-use cryptographic token that verifies their age without revealing anything else. “You don’t need to show your entire ID, you just need to show a proof that the DMV believes that you are over the age of 21,” Sporny said. “And that meets regulatory burden in many of the states.”
Avoiding a ‘show me your papers’ web
The speed at which new privacy and identity-related capabilities are emerging in the cryptocurrency space is at odds with the drawn-out process of making technical standards. Duffy, who heads the Decentralized Identity Foundation, aims to bridge that gap.
Her team is focused on another W3C standard called decentralized identifiers, or DIDs. Verifiable credentials and DIDs complement each other: the DID provides the verifiable identity information, while the credential makes verifiable statements about it. Blockchain systems can potentially play a valuable role as hosts of “verifiable data registries,” which record and provide necessary DID data when a user presents their ID.
The Decentralized Identity Foundation has a grant from the Ethereum Foundation’s Privacy and Scaling Explorations program to work on figuring out how to “harmonize decentralized identity standards with these much more novel advances in (zero-knowledge proofs),” as Duffy put it. One application her team finds especially compelling is the ability to “wrap” a traditional identity credential, like a passport, with a zero-knowledge proof. “You can then use it in ways that support selective disclosure,” she said. An example is the Anon Aadhaar project, which takes advantage of an NFC chip in Indian passports to let users prove their citizenship privately, using a zero-knowledge proof.
But if this sort of “crypto magic,” as the ACLU’s Stanley puts it, already exists, why aren’t we using it?
Part of it is that the subversive, “you can just do things” culture that pervades the cryptocurrency community tends to clash with the traditional process of methodically developing technical standards. Another reason is that these tools are still difficult for normal folks to use. Recent advances, particularly in systems that let users generate proofs using their phones, are helping on both fronts, said Duffy.
A crucial remaining barrier is simply a lack of awareness of many privacy-related problems and their potential solutions, Stanley said. The ACLU has heard from state legislators who are acting “out of naiveté,” he said. “You put your credit card in your wallet? Well, put your driver’s license in your wallet. And everybody will think of me, your state representative, as very pro-technology and I’ve made your life easier.” Decision-making driven by that kind of political incentive, rather than by the larger ramifications, is why Stanley worries that the nation could easily “sleepwalk” into codifying systems that could compromise people’s privacy for decades to come.
The rise of artificial intelligence makes the situation potentially even more urgent. Duffy and Sporny contributed to an influential research paper last year focused on the idea of “personhood credentials,” which people could use to prove they are human, not a bot. Duffy is concerned that some folks may be tempted to try to solve this problem using mobile driver’s licenses. That would be bad, she said. “We don’t want to go from ‘Captchas are broken,’ to log in with your government ID,” Duffy said. “We want to make sure that we’re not building a ‘Show me your papers,’ web.” —Mike Orcutt
Headline Watcher
The US government removes Tornado Cash sanctions. This comes after a federal appeals court ruled in November that smart contracts cannot be considered “property” since they can’t be owned, and therefore the Department of Treasury did not have the authority to impose the economic sanctions in 2022. Meanwhile, Tornado Cash developer Roman Storm still awaits a criminal trial, scheduled for July, on charges that he violated sanctions, facilitated money laundering, and operated an unlicensed money transmitter. As CoinDesk points out, Storm’s lawyers have already asked the court to consider the November sanctions ruling, but that request was “smacked down” by Judge Katherine Polk Failla of the Southern District of New York, who argued that whether or not Tornado Cash is sanctioned “does not affect the sanctions the Defendant allegedly conspired to violate”—those imposed on North Korea’s state-sponsored Lazarus hacking group.
Trump Treasury expands financial surveillance. The decades-old Bank Secrecy Act requires that financial institutions file a report to the US Department of Treasury for every transaction that exceeds $10,000. Financial privacy advocates argue the statute is in need of an upward adjustment to account for inflation. Now the Trump administration has temporarily lowered the threshold to $200 for people living in 30 zip codes in California and Texas, as part of a stated effort to root out money laundering by Mexican drug cartels. “More than one million Americans are about to face a new level of financial surveillance,” writes the Cato Institute.
Five ideas pitched at the White House crypto summit behind closed doors. Buy more bitcoin was a popular pitch. But one of the five in this list is not like the others. According to Unchained, citing a person who was briefed after the meeting, Paradigm co-founder and managing partner Matt Huang used his time to ask the administration to focus on the Department of Justice’s prosecution of Tornado Cash developer Roman Storm.
US housing agency considers launching a crypto experiment and The Trump Administration wants USAID on the blockchain. ProPublica reports that the Department of Housing and Development (HUD) has had initial discussions around using a blockchain to “monitor HUD grants,” and that these talks have touched on “the potential use of a stablecoin.” The second headline is from Wired, which highlights a passage from a memo Trump aides have been circulating about overhauling foreign aid programs. The memo states: “All distributions would also be secured and traced via blockchain technology to radically increase security, transparency, and traceability.”
The company testing Wall Street’s appetite for AI computing power. A company that started off focused on crypto mining before stockpiling GPUs when the crypto markets crashed will now be “the first prominent AI initial public offering,” according to The New York Times.
Razer aims to eliminate AI bots from games via World’s identity tech. The world’s “leading lifestyle brand” for gamers is launching a new sign-in feature aimed at verifying real humans in online games, using the biometric-based “proof of humanity” technology from World (formerly known as Worldcoin). The new feature “comes at a time when AI-infused bots are wreaking havoc on the gaming landscape,” reports Decrypt.
Trump-backed World Liberty Financial completes $550 million public token sale. The DeFi and stablecoin-focused project, launched last September, will be governed by holders of a token called $WLFI, and it has now sold 25% of the supply, according to The Block. One of the most famous buyers of the token, which is nontransferable, was TRON blockchain founder and notorious Chinese crypto entrepreneur Justin Sun, who has sprung for $75 million worth. Coincidentally(?), the Securities and Exchange Commission is now working with Sun to find a resolution to its case against him for selling unregistered securities and market manipulation. Sure, the SEC is dropping all kinds of crypto cases right now. But the conflict of interest here is impossible to miss. “The President took a $75 million bribe and we all saw it,” writes independent journalist Jacob Silverman.