Tom,
To clarify, I said that issuing authorities that want their keys to be added to the AAMVA Digital Trust Service (the VICAL, or trust list for North America) will be prohibited from using server retrieval. AAMVA does not prescribe to our members. The members collectively decided that they want to prohibit server retrieval for issuers wanting to join the AAMVA DTS.
As additional information, I also want to point out / share the following:
Thanks,
From: Tom Jones <thomasclinganjones@gmail.com>
Sent: Friday, May 9, 2025 14:42
To: pemc kantara <Wg-pemc@kantarainitiative.org>
Subject: [WG-PEMC] privacy enhancing position from AAMVA
Big news from yesterday: AAMVA (American Association of Motor Vehicle Administrators) said on stage that they will forbid their members from enabling “server retrieval”, the hidden surveillance feature inside the new mobile driving license (MDL).
This is big news. While no in production currently uses this “phone home” feature, its very existence in the ISO specification means that, in theory, the DMV could choose to be notified every time you use your MDL to prove your identity, age, or address. Given the wide range of scenarios where an instantly-verifiable digital identity credential like an MDL would be useful, this could be tantamount to a citizen-scale surveillance dragnet for the government: a massive invasion of privacy and curtailment of liberty. Thankfully, advocates have been tirelessly shining a light on this risk, and with this clarification of policy we know that at least in the US the risk is somewhat reduced. How the rule will be enforced and what transparency measures will be in place are not yet clear, but this is a very positive step nonetheless.
Peace ..tom jones