Privacy-preserving features in the Mobile Driving License

47 points| headalgorithm | 5 years ago |security.googleblog.com

75 comments

[+] rootsudo|5 years ago|reply
This is horrible, it should remain a card. Why should a cell phone, or any technological device now be required for participation in society or to validate yourself to any government official?

At that point, where do you draw the line of privacy? You're carrying with you an object that you can't trust 100% and can work against you anytime.

This is truly chilling dystopian type stuff. Soon a cell phone will be required for every "person."

[+] diebeforei485|5 years ago|reply
But why? Why do people have to carry a wallet everywhere, unless they want to?

I have my payment cards on my watch. Pre-pandemic, my gym membership card was on my watch. If I had my ID on my watch as well, I don't ever have to worry about a wallet being stolen because I wouldn't carry one.

Sure, people can steal your watch at gunpoint, but it can be remotely disabled (even if you were forced to give your passcode under duress), and you'd still have a physical ID card at home you can use.

[+] wtfrmyinitials|5 years ago|reply
If I recall correctly, Moxie Marlinspike did a great talk about this idea years ago. How things like having a cell phone are theoretically “optional” yet to be normally integrated into today’s society entirely requires it. This is especially true in these covid-times.
[+] dgrin91|5 years ago|reply
I don't think this standard makes a phone a requirement. It just provides a new option.

Is having a computer a requirement to be part of modern society? It certainly helps, and the vast majority of people use them for the convenience, but it's not required.

[+] swiley|5 years ago|reply
> can work against you anytime.

Often does work against you really.

[+] aeternum|5 years ago|reply
It can be encrypted by a key held within the phone's TPM so it is up to you whether or not to unlock the phone and launch the app that allows the car to be scanned.
[+] hansjorg|5 years ago|reply
The techno-fetishists are taking over. The kind of people whose reaction to dystopian sci-fi is, "I want those cool gadgets".
[+] as_keyof_typeof|5 years ago|reply
Yes, I think so too. I am professionally a SWE but more and more I feel like a Luddite, and more and more distant from the predominant HN demographic.
[+] kelnos|5 years ago|reply
> Crucially, the mDL application can ask the user to approve which data to release and may require the user to authenticate with fingerprint or face — none of which a passive plastic card could ever do.

I kinda feel like most people, when threatened by an authority figure with a gun, will approve whatever data that person asks for.

The place where I do think this is valuable is when showing ID to get into a bar, or at a store when purchasing alcohol. The only bit of info the bouncer/cashier needs is whether or not you are of legal drinking age; they don't need to know your actual age/birthday or your name or address.

[+] mawise|5 years ago|reply
Until the bouncer (or the bar's contracted developer) thinks it's easier or more secure to use the "Request all data" feature, and logs everything to an unprotected MySQL database. When a bouncer looks at your ID he doesn't write down or save any of that information. This really seems like a solution looking for a problem.
[+] gruez|5 years ago|reply
>I kinda feel like most people, when threatened by an authority figure with a gun, will approve whatever data that person asks for.

It's not supposed to be a foolproof solution. The point is to prevent the officer from casually looking through your photos/texts after you gave him the phone.

[+] ianferrel|5 years ago|reply
A pretty common way to get a fake id is to borrow a real id from someone else. Bouncers ask you how old you are or what your house number is as a check on that.

That seems like a plausibly useful feature, or are there other ways to tell that the virtual id matches the real person holding the phone?

[+] diebeforei485|5 years ago|reply
The barcode at the back of a physical license card has all sorts of information that may not be printed at the front. For example, for noncitizens in the US it can have some information about visa status.

If there is a standard (name, DOB, photo, address, height, weight) that's probably more than enough.

[+] Zanni|5 years ago|reply
As ID to get into a bar, I think minimally they'd need access to your photo too, to ensure you haven't just borrowed (or bought) a phone.
[+] lurchpop|5 years ago|reply
But it will be bar policy to have your name/address/email info or their reader won’t authenticate you.
[+] cs702|5 years ago|reply
Are we seriously looking at the possibility of handing over control of government-issued driver licenses to a private for-profit entity whose main way of making money is by monetizing citizen data? For real? Like many others here, my immediate thought upon reading this was, "W.T.F.?"
[+] neolog|5 years ago|reply
> In both cases, the verifier manually compares the appearance of the individual against a portrait photo, either printed on the plastic or transmitted electronically

So now I have to put my image in the store's database too? Way more invasive than a plastic card, which doesn't electronically transmit my image.

[+] Edmond|5 years ago|reply
This reads a lot like simply another way to tie users up into a smartphone specific Eco-system, not to mention the privacy implications.

There is a much better approach that doesn't have the privacy problems that the proposed solution has: https://certisfy.com

Use good old PKI with the verification process for generating certificates delegated to suitable third-parties.

[+] comfyinnernet|5 years ago|reply
"In some cases, this means you may get advertising in the mail"

It's nice to know Google is concerned about this dystopian possibility.

[+] vlovich123|5 years ago|reply
Neat. Glad to see this heading to release. I represented Google at a few of the ISO meetings years back before another team took over.
[+] _trampeltier|5 years ago|reply
What a stupid idea. After a weekend in nature, you now have to worry whether your phone still has power to drive a car. And more stupid, hand over my phone unlocked to the police or to everybody who wanna see the license. Even worse, until now, they just checked and it was ok. From now on, everybody is always saved after that in a DB. And why is that more secure? If you cheated until now and showed a false ID, you now just show a false phone.
[+] kelnos|5 years ago|reply
> After a weekend in nature, you now have to worry whether your phone still has power to drive a car

Who doesn't have a charging cable in their car for their phone?? Also if you're going to be in nature for a weekend, you can opt to carry your physical ID as a backup (or leave it in the car if you're comfortable with that).

> hand over my phone unlocked to the police or to everybody who wanna see the license.

The article covers this. You never hand over your phone; you send a grant to the other party's device to read only certain bits of information from the ID app. And the article mentions that the right way to implement it on the ID-holder's side is to require PIN/biometric unlock in order to approve the transfer, but then immediately go into a lockdown mode so if the LEO then takes your phone, it'll be locked.

> Even worse, until now, they just checked and it was ok. From now on, everybody is always saved after that in a DB.

That already happens now; if you get pulled over, the cop isn't going to manually read your ID and copy it into their squad car's computer. They scan the barcode on the back and all of it gets sucked in. (Even many bars and convenience stores that sell alcohol will scan the barcode and get way more information than they need.)

> And why is that more secure? If you cheated until now and showed a false ID, you now just show a false phone.

Sure, you can borrow someone else's phone, but presumably your photo won't match theirs. And if it's close enough, then yeah, you can probably get away with it. But just because something doesn't close all the loopholes, it doesn't mean it's not worthwhile. A discouragement for this particular thing is that the person you've borrowed the phone from will probably not want to give up their phone for an entire night!

Personally, I'm torn on this. If it really would allow me to selectively give only the bits of information from my ID that various parties actually need, that would be nice. But I worry more about how the ID data will be secured on whatever non-government third-party's backend this will inevitably be outsourced to.

[+] lights0123|5 years ago|reply
> you now just show a false phone

You'd be sending a message cryptographically signed by the government to someone else's device, so it doesn't matter what's on your screen—if you can't produce that signed message, you can't do anything.
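
The selective-disclosure flow these comments describe (an issuer-signed credential from which the holder releases only the fields a verifier asks for, such as the over-21 flag kelnos mentions above), as an added example that is not code from the original thread or from the mDL project. The per-element salted digests follow the ISO 18013-5 approach; the issuer's signature is replaced here by an HMAC under a constructed key so it runs with the standard library alone, and the element names and values are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Constructed issuer key: a stdlib-only HMAC stands in for the issuing
# authority's real signature (an assumption of this example, not the ISO format).
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"

# Constructed sample credential as provisioned onto the holder's phone.
SAMPLE_ELEMENTS = {"family_name": "Doe", "given_name": "Jane",
                   "birth_date": "1990-01-01", "resident_address": "1 Example St",
                   "age_over_21": True}

def element_digest(name, salt, value):
    """Salted digest of one data element; the salt stops a verifier from guessing
    undisclosed values (e.g. brute-forcing a birth date) from the digest list."""
    return hashlib.sha256(salt + name.encode() + json.dumps(value).encode()).hexdigest()

def issue_credential(elements, issuer_key=ISSUER_KEY):
    """Issuer side: one random salt per element; sign only the digest list."""
    salts = {n: os.urandom(16) for n in elements}
    digests = {n: element_digest(n, salts[n], v) for n, v in elements.items()}
    signed = json.dumps({"digests": digests}, sort_keys=True).encode()
    sig = hmac.new(issuer_key, signed, hashlib.sha256).hexdigest()
    return {"elements": elements, "salts": salts, "signed": signed, "sig": sig}

def present(cred, requested):
    """Holder side: release only the requested elements (value + salt) together
    with the issuer-signed digest list; everything else stays on the phone."""
    disclosed = {n: (cred["elements"][n], cred["salts"][n])
                 for n in requested if n in cred["elements"]}
    return {"signed": cred["signed"], "sig": cred["sig"], "disclosed": disclosed}

def verify(presentation, issuer_key=ISSUER_KEY):
    """Verifier side: check the issuer signature, then check that every disclosed
    value matches its signed digest. Returns the trusted values, or None."""
    expected = hmac.new(issuer_key, presentation["signed"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None  # not issued by this authority, or the digest list was altered
    digests = json.loads(presentation["signed"])["digests"]
    verified = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if digests.get(name) != element_digest(name, salt, value):
            return None  # holder changed a value after issuance
        verified[name] = value
    return verified

def bar_check(cred):
    """A bouncer's reader asks only for the age flag; it never sees name or address."""
    return verify(present(cred, ["age_over_21"]))
```

The last function is the bar scenario from the thread: the verifier learns the over-21 flag and nothing else, and a holder who flips that flag on screen fails the digest check because the signed digest list no longer matches.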

[+] olyjohn|5 years ago|reply
The thing that kills me is the fact that if you are driving your own car, the police already know who you are and if you have a license when you get pulled over. The whole requirement to have a card on you is bogus bullshit, and only serves to make you a criminal if you happen to forget it.

If you drive the car of a person who has a suspended license, you will get pulled over. Their ALPR system will automatically flag you, and the officer will tell you that he ran your plates and pulled you over because the owner has a suspended license. That might be a good time to have a physical ID on you to prove you're not the owner. BUT at the same time, if you know your DL number, or even your name and address, there's no reason the cops can't look you up to verify who you are.

[+] sydneycatalyst|5 years ago|reply
I would like this better if it included ID that blind and low vision people use to substitute for licenses. I don’t like that this plan seems to lock out proof of identity services for people with disability by design.

I know this is a real problem because I can hardly see. I don’t have a license. It causes continuous problems in real life.

I live in Oz. You are supposed to be able to use a “Photo Card” to prove identity the same as a drivers license. It takes the same amount of proof to get a “Photo Card” from the government as a drivers license. They look the same as a drivers license, even the same holograms, but a different colour.

But I have continuous trouble dealing with banks, insurers, government (crazy!), post office, telephone companies, internet companies. I bought a passport mostly because it's easier to carry that around.

If we get an app that only accepts drivers license and not the official photo card equivalent it means we’ll get told by contact centres to drive (!) to our nearest branch of whatever and bring a folder full of ID and hope the drone will accept it.

[+] ivan_gammel|5 years ago|reply
This is a very US-centric approach to set a standard for having your ID on your phone. Why not simply call it Mobile ID and have the driver license as one of the data records or features? That would be a more natural design.
[+] kelnos|5 years ago|reply
Yeah, I did think it was kinda weird (even as an American) that this is presented as a digital driver's license and not just a digital ID.

It's possible that they are afraid the latter will raise more "big brother" type concerns with people in the US, so they're focusing on the DL part of it.

I know people who don't have a DL, and instead have a (nearly identical looking, also obtained from the same government agency that handles DLs) state ID, and it would be silly if this new "mDL" didn't also support their IDs.

[+] lmz|5 years ago|reply
It's an ISO standard for a driver's license and the US isn't the only party involved in it (although it may be unique in that it plays the role of a national ID there).
[+] ryukafalz|5 years ago|reply
I like this idea in theory, but... I wonder if the mDL apps can be generic enough that you can implement one and load a credential from any issuer into it, or if it's going to be a single (probably proprietary) app per issuer.

This is something I'd like to be able to use on non-Android and iOS platforms, but that's unlikely if it's not possible for anyone but the issuer to write an mDL app.

[+] crossroadsguy|5 years ago|reply
In India this has been a thing for a while now. Just that it is provided by the central Govt itself - https://digilocker.gov.in.

You can keep many Govt issued IDs in there and those are all good to be accepted and treated as valid across the country - for example DL and vehicle ownership docs when checked by cops. You can keep some non Govt IDs as well e.g. insurance docs.

I do have some privacy/safety concerns but I'd trust my Govt (that issued most of these docs in the first place) more than a corporation who are known as a business with privacy invasion as their primary function - in fact almost anything they do revolves around this core idea.

[+] causality0|5 years ago|reply
Ha ha, no. No way in hell am I ever letting an image, facsimile, or digital token version of my driver's license on a Google-controlled platform. I'd sooner xerox it and stick it on a sign in my front yard.
[+] dessant|5 years ago|reply
Perhaps governments should require phone manufacturers to provide security updates for at least 5 years, otherwise you can throw your smartphone out of a moving car every two years to keep your driver license secure.
[+] fredoralive|5 years ago|reply
“Sorry sir, I accidentally knocked your phone out of your hands and stepped onto it. Now, can you show me your driver’s licence please sir?”

(Yes I know other forms of licences are fallible, I’m just being cynical).

[+] neom|5 years ago|reply
"For additional protection, mDL apps will have the option of both requiring user authentication before releasing data and then immediately placing the phone in lockdown mode, to ensure that if the verifier takes the device they cannot easily get information from it."

That's an interesting feature. I wonder if it's going to result in pressure from law enforcement to unlock the device.

[+] imgabe|5 years ago|reply
It will be interesting to see how teenagers hack this to fake the "are you over 21?" signal in order to get alcohol while underage.
[+] diebeforei485|5 years ago|reply
They can use someone else's phone/smartwatch.
[+] deadbunny|5 years ago|reply
Does this involve unlocking your phone and handing it to the police? That seems like a terrible idea.
[+] 1123581321|5 years ago|reply
Would there be any way for similar protections to come to digital auto insurance cards?
[+] olyjohn|5 years ago|reply
Why would you need that? Insurance cards have zero security on them anyways. There's no standard format for paper cards as it is. All I have ever had is a piece of paper that I ran off on my printer, and it says "EVIDENCE OF INSURANCE" in Times New Roman and lists off a bunch of crap that the police can't verify. In some states, having a card is pointless, because if you lose your policy, the state finds out and already has record of it.
[+] hayyyyydos|5 years ago|reply
It's such an unusual concept to me that you guys still need to show insurance/registration documents when being pulled over.

Ditch the concept entirely, no need for proof of insurance - either in physical card or digital form.