What Apple's Secret DMV Contracts Tell Us
States Become De Facto Unpaid Service Providers to a $2.46 Trillion Company
Hey all, Jason here.
Would you pay for this newsletter?
Don’t worry, it’s not going behind a paywall. I’ve been writing this newsletter for just over a year now, and I’ve been pleased with the response it has gotten. But creating original, value-add reporting and analysis is a time-consuming endeavor. I’ve been reluctant to pursue a “freemium” strategy of free and paid content tiers, as I’d rather focus my limited time on publishing less but better content.
This is a long-winded way of saying, while all content will remain available to all subscribers, if you’re getting value from this newsletter, you can now support it by signing up for a voluntary paid subscription (think of it as a fintech-inspired “tip”).
I’ll also be donating 15% of net subscription revenue each month to a non-profit focusing on supporting financial health, access, inclusion, and small businesses beginning with: Mission Asset Fund, Financial Health Network, Accion Opportunity Fund, and the East LA Community Corporation.
Subscribe for free now or upgrade to a Paid Subscription — one month is less than the price of an 🥑 avocado toast!
First Principles KYC Webinar
Sponsored content: KYC, it’s something every financial institution has to do. But, what’s smart vs. what’s required by the CIP rules? At SentiLink, we’ve been obsessed with the KYC rules, researching their history and launching our KYC Insights product.
We’ve taken a first principles approach to understanding what the regulations require and are excited to begin a conversation to rethink what they mean for our industry.
It’s our pleasure to be hosting a webinar on 11/17 at 1pm ET on KYC to deep dive into KYC regulations and their future. We’re bringing together three experts on financial regulation from different perspectives with SentiLink Co-Founder and CEO, Naftali Harris, to discuss:
George Seeberger, General Counsel at 1st Financial Bank USA
Robert Rowe, VP and Counsel for Regulatory Compliance and Policy at the American Bankers Association
Parag Patel, Attorney at Orrick Herrington & Sutcliffe
What Apple's Secret DMV Contracts Tell Us About Its Digital ID Plans
When news broke that Apple was adding support for state-issued drivers’ licenses and IDs to Apple Wallet, I was immediately curious to know more about how this would work in practice.
The identity credential landscape in the US is immensely complicated. While Social Security Number is treated as a unique identifier, it was never intended to be used as such, is insecure, and (for the most part) the functionality doesn’t exist to confirm an SSN with the entity that issued it; rather, it is most commonly confirmed by checking against commercial databases, generally the credit bureaus — which leaves users of that data (banks, lenders, etc.) vulnerable to a variety of fraud, including synthetic identity fraud.
The shortcomings of SSN as a trusted identifier make government-issued identity documents all the more important in the US. Drivers’ licenses and state IDs are the most commonly used. With 50 states (+ territories) issuing uniquely designed credentials, validating an ID is authentic (real) and belongs to the bearer (proves their identity) is no simple task in the real-world — doing so remotely (digitally) presents an order of magnitude greater challenge.
Multiple ID verification (“IDV”) companies have sprung up to do exactly this. And the identity verification market is big business — according to a company in the space, Mitek Systems, it was worth an estimated $7.6 billion in 2020 and will grow to nearly $16 billion by 2025.
Socure, a company offering IDV services, just raised $450m at a $4.5 billion valuation — an increase in value of ~2.5x from earlier this year.
But companies currently offering these services, vendors like Jumio, Trulioo, and Onfido, lack a key element — integration and confirmation by the entities issuing the ID credentials — in the US, typically state DMVs.
With Apple increasingly relying on high-margin services revenue to drive its growth, the appeal of building an identity verification service — with the help of state DMVs — is clear.
It would provide a differentiating feature to attract new iPhone users, it would make existing users more sticky, and, potentially, serve as a lucrative new source of revenue, should Apple monetize the identity credential by charging businesses to access it.
Integrating with 50+ ID issuing agencies is the mammoth task Apple has taken on in incorporating state-issued IDs into its wallet. And while that may be convenient for consumers and presents opportunities — to state and federal agencies, commercial entities, and, of course, Apple itself — it also poses a host of risks.
In order to better understand how this program would work in practice, I requested documents and communications with Apple regarding the project from a number of states that Apple announced would participate in the program.
The below analysis is based on Memorandum of Agreement and non-disclosure agreement documents I received from Georgia and Arizona pursuant to state open records requests. Some of the materials requested were refused as being “proprietary,” that releasing certain documents “would cause public harm,” or that requests were “overly broad.”
Connecticut and Iowa both acknowledged receiving my information requests sent September 6th, 2021, but have yet to produce any documents in response.
These are the most interesting revelations from those documents and their potential implications.
Apple Is in Control — Not State Government Agencies
The most striking aspect of Apple’s Memorandum of Agreements (MOA) with state ID-issuing agencies is the degree to which Apple controls the program.
Based on a review of nearly identical MOAs Apple reached with Arizona and Georgia:
Apple determines and provides the “technical and functional specifications, the required Program-related features and functionality, including those capabilities associated with proofing, presentment, and lifecycle management” — which state Agencies are required to support
Apple has sole responsibility for designating what devices are “Eligible Devices” for use with a Digital Identity Credential (presumably only Apple devices)
Apple has “sole discretion” for determining launch date of Program
Apple sets requirements for “form and format” of reports state Agency is to provide for “monitoring and improving the performance of the Program”
Agreement requires state Agency to “prominently feature the Program in all public-facing communications relating to Digital Identity Credentials,” but such communications are “subject in all cases to Apple’s prior review and approval.”
This is all to say, state Agencies that have agreed to some version of this MOA, which, beyond Arizona and Georgia, appears to include Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah, have ceded a shocking degree of control to Apple.
Under the MOAs reviewed, Apple has the right to determine what devices will support a Digital Identity Credential, the technical and functional specifications, the launch date, the form and format of reporting, and has the right to review and approve how the program is marketed and communicated to the public.
Apple has said its Digital Identity Credential Program will conform with standards set by ISO 18013-5 mDL (a standard Apple helped create). While, in theory, this should allow states to reuse technology created to support Apple’s implementation with other potential partners, in practice, confidentiality clauses in the agreements may complicate or discourage states from doing so.
Beyond giving Apple near total control over the Program, states also agree to terms that make it nearly impossible to terminate the Program in the future. Per the two MOAs reviewed, the state Agencies that have entered into them can only terminate them with Apple’s consent or for cause — if Apple breaches the terms of the agreement and doesn’t remedy within 30 days.
How the Digital Identity Credential Can (or Can’t) Be Used Isn’t Defined
Equally shocking is the lack of any clear requirements, at least in the documents reviewed, of how a Digital Identity Credential provisioned on to an Apple device can or can’t be used. The description of how a Digital Identity Credential can be used once it is created is pretty much limited to this:
“Subject to the terms and conditions of this Agreement, the Parties shall support the development of a Digital Identity Credential to be (a) provisioned onto Eligible Devices (as defined below), and (b) used as a means of verifying an individual's identity in a variety of in-person and remote use cases (together, the "Program").”
There are no parameters in the reviewed MOAs governing where a Digital Identity Credential can be used or if or how Apple can restrict the use of a credential.
For instance, does Apple get to control what applications or websites can access a stored identity credential? Can Apple use its OS-level control of identity credentials in a way that preferences other parts of its business, like the Apple Card or its yet-to-launch buy now, pay later offering?
What about legal but dis-favored industries, like gambling or pornography, which face restrictions or bans in Apple’s App Store? Can Apple charge applications that receive identity credential data (as it does with issuers of payment cards used via Apple Pay)?
The reviewed agreements between Apple and state Agencies are silent on these questions.
Apple has a history of leveraging its dominant position in phone hardware and software to preference its own offerings and exact a toll from 3rd parties using its hardware and software platforms. Absent legal or contractual requirements to the contrary, there’s little reason to think Apple would behave differently with its control of a government-sanctioned identity credential.
Also worthy of concern is that state Agencies agree, without exception or the right to revisit, that an Apple device’s security, including a simple numeric passcode, is considered reasonable and appropriate security:
“The Parties agree that properly secured Eligible Devices, protected by a passcode, FaceID, or TouchID, shall be considered to be protected with reasonable and appropriate security measures pursuant to this Agreement.”
Such a blanket agreement gives state Agencies little recourse should Apple devices’ security prove insufficient, thus compromising the integrity of stored Digital Identity Credentials — something that isn’t without precedent.
State Agencies Required to Promote Digital Identity Credentials
In multiple sections of the MOA, state Agencies agree to measures designed to promote and support the adoption of Digital Identity Credentials.
While Google is also working on building functionality to support digital identity documents, including drivers’ licenses, a real-world launch seems a ways off. As such, any agreement to “promote Digital Identity Credentials” would seem, for the moment, to de facto mean promoting Apple’s Digital Identity Credentials.
One of the core Program objectives state Agencies agree to is “to accelerate the adoption and acceptance of Digital Identity Credentials under the Program as a means of verifying an individual's identity in a variety of in-person and remote use cases.”
One strategy evident in the agreement to drive adoption of Apple’s ID offering is to require state Agencies to offer it to pretty much everyone who already has or is getting or renewing a driver’s license:
“After the launch of the Program, Agency will ensure that a Digital Identity Credential is offered to all users who:
(i) presently hold a physical Identification Document issued by Agency;
(ii) offered at the time of issuance of a physical Identification Document newly issued by Agency, and
(iii) offered proactively as an option at the time a user receives a new or replacement physical Identification Document.”
Other measures to encourage adoption include a prohibition on state Agencies charging users a fee (beyond what they would already charge for a standalone physical credential) for the Digital Identity Credential.
State Agencies also agree to cooperate with Apple to develop “a robust plan for education and marketing” — it’s unclear exactly what this would entail and who would pay for it.
There are a number of other interesting aspects of the MOA designed to drive public Agencies to promote Digital Identity Credentials and, by extension, Apple:
A requirement that state Agencies and their service providers treat Digital Identity Credentials on parity to physical credentials
Agency’s agreement that it will work with Apple to identify other stakeholders in government (taxation, Secretary of State), law enforcement, and industry (age-restricted businesses) “that are critical to the Program achieving a sufficient level of acceptance of Digital Identity Credentials”
A blanket and unconditional ban on Agencies supporting policy or legislation that could be expected to discriminate against Digital Identity Credentials — even if a legitimate reason to do so arose: “To the extent Agency exercises any influence or control, Agency shall not support any policy, legislation or regulation that would reasonably be expected to discriminate in any manner against Digital Identity Credentials”
State Governments Bear Costs of Supporting Program
State Agencies entering this MOA with Apple take on substantial obligations and potential liabilities, which inevitably will require time, resources, and money to fulfill:
“Agency shall, at its own expense, either itself or through its service providers be responsible for: (i) maintaining adequate computer and communications systems, and other equipment and facilities necessary or appropriate for issuing and servicing Digital Identity Credentials in connection with the Program; (ii) monitoring and notifying Apple of changes in applicable law that will affect the Program, and ensuring that all aspects of the Program comply with applicable law;”
State Agencies also agree to complete readiness, quality, and certification testing, per Apple’s specifications, on each type of Eligible Device (eg, any iPhone, iPad, Apple computer that will offer Digital Identity Credential functionality.)
Despite the presumably significant public time and financial resources required to support the program, the two reviewed agreements with Apple entail no compensation from Apple to state Agencies for fulfilling these vendor-like obligations.
An Arizona Department of Transportation (ADOT) spokesperson further confirmed that “No payment or economic considerations exist” between ADOT and Apple.
Who Wins & Who Loses When We Privatize Identity?
Proving your identity is a key requirement in all sorts of interactions: a traffic stop, renting a car, entering a nightclub, opening a bank account, applying for a loan. The offline process, while perhaps simpler, isn’t infallible: identity documents can be forged; human judgment is required (does the photo match the person in front of me?) and can be flawed or otherwise influenced.
The story of proving identity online is an order of magnitude more complex. The tools and systems for doing this presently generally try to answer the question, have I seen these data points associated before (name, address, DOB, SSN) and, where a stronger identity check is required, perform the digital equivalent of a human looking at a driver’s license: taking a photo of the credential, attempting to verify the credential is authentic and hasn’t been tampered with, and matching the photo to the bearer of the document.
While these tools are good, they’re not fool proof, and can result in both false positive and false negatives — fraud getting through, and real users blocked.
Moving to a deterministic identity regime, where the credential issuer (in this case, state DMVs) is part of the process should be a step-change improvement. It has the potential to reduce identity theft and the resulting fraud (something I have first-hand experience with.)
Still, relying on a private company to execute on the deployment and distribution of such Digital Identity Credentials comes with a multitude of risks. The privacy risks are real. Apple may have a business model that is less averse to privacy than Google or Facebook, but it’s not immune to competitive or economic pressures that may conflict with user privacy or with the interests of state agency partners.
The more obvious risk is handing more data and control to what is already one of the most valuable, powerful companies on the planet — one that has a history of leveraging its market power in anti-competitive ways that enrich itself while disadvantaging other businesses and, by extension, consumers.
While the reviewed agreements with state DMVs go to great lengths to ensure states treat digital and physical credentials with parity, it’s unclear what requirements (if any) would apply to companies that may leverage Digital Identity Credentials stored on Apple devices.
Given the presumed speed, cost, and accuracy advantages of Digital Identity Credentials, one can imagine service providers, for instance those offering spending accounts or loans, that only accept digital IDs — exacerbating already stark “digital divides” between haves and have-nots.
Finally, from a public policy perspective, it’s concerning an initiative that potentially has far reaching impacts seems to have been entered into in secret between state Agencies and Apple, without a chance for input from the public or other impacted stakeholders.
Based on the reviewed agreements, state DMVs are becoming de facto unpaid service providers to Apple — a company worth $2.43 trillion as of writing.
All of this raises serious questions about the ability of state Agencies to negotiate effectively to protect the interests of their citizens and taxpayers vs. those of one of the world’s richest and most powerful corporations.
Is Privacy Really a Tech Problem? And Who Owns it?
Sponsored content: The explosion of cloud apps and infrastructure has brought flexibility and innovation, but also increased risks to data privacy. According to Okta, large enterprises deploy an average of 175 apps. At the same time, privacy regulations and consumer expectations of transparency are evolving rapidly.
Who’s best positioned to manage a robust privacy program, given the shifting regulatory landscape and the vast amounts of sensitive personal data flowing through enterprise apps and infrastructure? Two privacy leaders share how they — and their customers — are approaching privacy, and who owns it.
Join Anshu Sharma, Co-Founder and CEO of Skyflow, and Daniel Barber, Co-Founder and CEO of DataGrail, for the upcoming webinar, ‘‘Is Privacy Really a Tech Problem? And Who Owns It?”, this Thursday, November 18th at 10:00am PT.
Other Good Reads This Week
Prime Time in Crypto (Net Interest)
The Appeal and Proliferation of Buy Now, Pay Later: Consumer and Merchant Perspectives (Federal Reserve Bank of Kansas City)
Wall Street regulator rejects VanEck’s bitcoin-backed ETF (FT)
Contact Fintech Business Weekly
Looking to work with me in any of the following areas?
Sponsoring this newsletter
Content collaboration or guest posting
News tip or story suggestion
Early stage startup looking to raise equity or debt capital
Feel free to reach out to me: firstname.lastname@example.org