1. 17

  2. 3

    The article seems to have a great deal of faith that a “scanner” will address the problem. This might be true, but the article really doesn’t give us the information to tell. PDF417 barcodes are commonly placed on driver’s licenses in a number of countries but usually just contain a duplicate of the information on the face, which can be forged just as readily as the human-readable version. Part of this is because of technical difficulty in fitting a meaningful digital signature into a barcode of low enough density and size to still read easily. Unfortunately a lot of people don’t understand this, and companies market “scanner” apps to users like bouncers while implying that they provide strong protection against forgery. In the US, for example, they very much do not.

    This raises the question of what is in the PDF417 barcode. It’s hard to be confident from the article because we only see examples and licenses from generators, and we can imagine that both might have invalid data for whatever reason. The first example of a generated license, for example, has a barcode with visibly lower bit density than the others. It seems to contain a random number and nothing else, so presumably the author of this generator has just completely skipped trying to create a valid barcode.

    The other examples, both the one from the government and the second (animated GIF) fake example, contain a short JSON payload. JSON is not optimal for this use due to the high overhead but I’ll allow that it made development easy and future modifications very flexible. It’s hard to say too much about the JSON payload as the keys are either obfuscated or Icelandic abbreviations, but we can see that on the official example “TGLJZW” is the document ID number. The faked example is missing this field entirely. The field “ELUM4L9” is blank in both. More interestingly, the official example barcode contains the key:value “CmFuZG”:“iI5DMxm9”, which purely by eye seems like it could be a very compact digital signature of some sort. The faked example is missing it.

    So it’s possible that the licenses could be verified offline by use of the signature, although such a short signature presents a meaningful risk of brute-force attack. This is still the most that a “non-official” scanner implementation could do, and that’s assuming that I’m correct that it’s a compact signature and that the public key material is released.

    I find it more likely that the “scanner” here is assumed to be online, checking against the central database. This is a complex and risky proposition, so I can understand why its release has been much delayed. There are huge privacy implications to creating any kind of public or semi-public endpoint that allows for validation of driver’s license information, even if limited in scope, and you can virtually guarantee that it will be systematically abused for ID theft purposes.

    1. 3

      Norway has e-licenses as well, as mentioned in the article. In Norway’s case, the e-license is explicitly not regarded as an ID. Its only use is when you’re stopped during a traffic control. The police have access to the central database themselves, and may thus double check that the e-license is valid before letting you drive further.

      1. 2

        What’s the purpose of such an e-license if it doesn’t prove anything?

        1. 3

          I guess the government identified the shortcomings listed out in the article and decided they couldn’t make it safe and reliable enough for general use.

          The motivation behind the e-license was that there is legislation mandating that you always have your driver’s license with you when driving. A lot of people find that cumbersome, so they made it digital. Some people don’t have wallets any more as they can pay with their phone/watch and the license was the only physical card left.

          In my opinion, they could have changed the legislation instead, so that it isn’t mandatory to present a license in the first place. It isn’t even a fine/criminal offence for not having it present either. You have to pay a ~$60 administrative fee for the trouble of locating your info on their laptop/tablet. The fee doesn’t show on your criminal record.
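
The scanner-side triage that the top comment reasons about, as an added example that is not part of the thread or of any official scanner: it rejects payloads missing the ID or signature-like field and flags a tag too short to rely on offline. The key meanings follow the commenter's reading; the unpadded-base64 decoding, the 128-bit floor, the verdict names and the sample payloads are assumptions made for illustration.

```python
import base64
import json

# Key names as quoted in the comment; their meaning is the commenter's reading.
ID_KEY = "TGLJZW"    # document ID number
TAG_KEY = "CmFuZG"   # possible compact signature (a guess, per the comment)
MIN_TAG_BITS = 128   # assumed policy floor, not taken from the page

# Constructed samples shaped like the payloads described in the thread.
OFFICIAL_LIKE = '{"TGLJZW": "EXAMPLE-ID-0001", "ELUM4L9": "", "CmFuZG": "iI5DMxm9"}'
GENERATOR_LIKE = '{"ELUM4L9": ""}'
RANDOM_NUMBER = "4815162342"


def tag_bits(tag):
    """Size of the tag in bits, assuming it is unpadded base64 (0 if not)."""
    try:
        raw = base64.b64decode(tag + "=" * (-len(tag) % 4), validate=True)
    except ValueError:
        return 0
    return len(raw) * 8


def triage(payload_text):
    """Return (verdict, reasons) for one decoded PDF417 payload string."""
    try:
        doc = json.loads(payload_text)
    except ValueError:
        return "reject", ["payload is not JSON"]
    if not isinstance(doc, dict):
        return "reject", ["payload is not a JSON object"]
    reasons = []
    if not doc.get(ID_KEY):
        reasons.append("document ID field missing or empty")
    tag = doc.get(TAG_KEY)
    if not isinstance(tag, str) or not tag:
        reasons.append("signature-like field missing")
    if reasons:
        return "reject", reasons
    bits = tag_bits(tag)
    if bits < MIN_TAG_BITS:
        # Well-formed, but too short to stand in for a full signature check.
        return "needs-online-check", [f"tag is only {bits} bits"]
    return "verify-signature", []


if __name__ == "__main__":
    for sample in (OFFICIAL_LIKE, GENERATOR_LIKE, RANDOM_NUMBER):
        print(triage(sample))
```

The `verify-signature` verdict only means the payload is worth passing to a real signature check, which would need the issuer's public key; the thread does not establish that one is published.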