Politics & Government

Despite ban, site for Kansas drivers says their personal info may be stored overseas

File photo of Revenue Secretary Sam Williams standing next to examples of new, Real ID-compliant Kansas driver licenses.
File photo of Revenue Secretary Sam Williams standing next to examples of new, Real ID-compliant Kansas driver licenses. The Wichita Eagle

Kansas drivers who renew their licenses, registration or K-TAGs online are giving permission for their personal information to be stored outside the United States, even though Kansas forbids the practice.

The state contractor that powers the online renewals says all data is stored in the United States, despite a page on its website that says the company can store personal information in foreign countries.

Where data is stored is important because it helps determine who can access it. Digital law and privacy experts say storing data outside the United States increases the chances that other countries will access the data, either through their intelligence channels or by coercing companies into handing it over.

The Kansas City-based company PayIt powers the online apps that allow Kansas drivers to update their state-issued documents online. The company’s terms and conditions are clear that by using their services, drivers give the company permission to store their personal data in other countries.

“By using and providing information to us through the Site or Service, you agree and consent to the transfer, storage, and processing of your information to any such country in order to provide the Site and Service,” the company’s website says.

The terms and conditions are accessible by clicking a link at the bottom of PayIt’s sites for renewing licenses, registrations and K-TAGs. They say that PayIt can store and access personal information in multiple countries, and that PayIt can use users’ personal information to perform market research or offer other products.

Kansas awarded PayIt a contract in March 2017 to develop apps that appear under the brand iKan. The company makes money by charging fees on transactions performed in the app.

PayIt’s contract says that “no data should be tested or stored outside the United States, nor will any access be granted from outside the United States.”

PayIt says it is following its contract.

When McClatchy approached the state about PayIt’s terms and conditions, a spokeswoman for the Kansas Office of Information Technology Services supplied a written statement from PayIt managing director Grant Gordon saying that data for all Kansas apps is stored in the United States.

In an interview, Gordon said the company currently does not have any business outside the United States.

“Everything we do is in the states. Our servers are in the states,” Gordon said.

Gordon said the terms and conditions used by PayIt are standard across the industry. And PayIt has no plans to send data outside the country, he indicated.

“If we ever change course, I’m sure everybody would be alerted, but absolutely that’s not our intention at all. It’s to be stateside only,” Gordon said.

Digital privacy and law experts said it is standard practice for governments to seek storage that keeps data within national borders.

“One negotiates in-country hosting because if the data cross a national border, another nation can collect it at the crossing through intelligence channels or obtain it under coercion through judicial or political channels,” Chris Hoofnagle, faculty director at the Berkeley Center for Law & Technology, wrote in an email.

It also generally makes sense to physically store data near its users because the data can be accessed more quickly, Hoofnagle wrote.

Keeping data in the United States makes it more likely that U.S. law will govern disclosure of the data, said Greg Nojeim, senior counsel and director of the Freedom, Security and Technology Project at the Center for Democracy & Technology in Washington, D.C.

It also makes it less likely that foreign law enforcement will obtain access to the data.

“If you’re a foreign government and you want access to data and the company holding the data has operations in your territory, you can use coercive measures — the same kind of coercive measures the U.S. would use — to compel a company to do something,” Nojeim said. “You can threaten fines, you can jail people. That kind of thing.”

Gov. Jeff Colyer hailed the launch of PayIt’s iKan platform in March. He said the platform provides more options for Kansans “to make transactions quickly and conveniently.”

But the site faced scrutiny over security issues almost immediately. For a time, the personal vehicle registration information of Kansans was easily accessible to others on the site, raising privacy concerns.

The drivers license renewal portion of PayIt’s platform launched in October. Colyer’s office said then that Kansas is the first and only state to offer drivers license renewals through a mobile app.

Related stories from Wichita Eagle

Jonathan Shorman covers Kansas politics and the Legislature for The Wichita Eagle and The Kansas City Star. He’s been covering politics for six years, first in Missouri and now in Kansas. He holds a journalism degree from the University of Kansas.