The tone of this article is bizarre, ignoring the fact that Apple is implementing an ISO standard. It's interesting that states interpreted this conversation as a procurement conversation, since it's not clear the government is being asked to buy anything but instead to see where they are on the mDL standard and whether they'd be interested in participating in Apple's early phase release of support for that standard.
The information is useful, but the whole framing is very strange and conspiratorial that's not supported by the emails or the facts.
One formula for low hanging clickbait is <large organization> + <conspiratorial topic> = plausible deniability for exploring option of malicious intent regardless of lack of evidence. And due to their success, tech companies make for great candidates for <large organization>.
Who invented "clickbait". What is the purpose of "clickbait".
Non-profits supporting investigative journalism like MuckRock are to blame. MuckRock is not selling advertising, but don't be fooled. Investigative journalism will just create more clickbait.
Whereas Big Tech companies have nothing to do with clickbait nor advertising. They are not spreading clickbait like non-profits that submit FOIA requests. Tech companies do not make money from clickbait nor eyeballs. Tech companies have sources of non-advertising revenue and legitimate business purposes that benefit society.
In 2012, EFF filed over 200 FOIA requests through MuckRock, for information about drone usage. EFF should stop participating in these clickbait campaigns. EFF should be protecting Apple from low hanging clickbait.
We should be thanking Big Tech companies not scrutinising them. They mind their own business, they do not try to learn what their users/customers are doing. They respect user/customer privacy. OTOH, these non-profits submitting FOIA requests do not respect the privacy of Apple and governments, who deserve to be left alone, to do their work in private. This is a basic human right.
Why don't people trust Big Tech. Tech companies have done nothing wrong.
Did you read the emails, though? They certainly don't sound like simply asking about "where they are on the mDL standard". They are asking for NDAs to be signed - why is that necessary if this is just about the progress of implementing an ISO standard?
And there's this from CA:
> The agreement I've been provided goes beyond a POC and appears to create more of a long term relationship.
> They are asking for NDAs to be signed - why is that necessary if this is just about the progress of implementing an ISO standard?
I'd assume there's something in there about Apple sharing their product roadmap and planning, so they can get all the ducks in a row for a unified launch rather than support coming in piecemeal.
I agree that it's interesting and useful, but the article also tries to spread some FUD about this being "Apple's standard" when it's not (with some fearmongering rhetoric around "what about Android?", "what about other competing systems we haven't heard of yet?"); it's an ISO standard for mobile driver's licenses. I'm actually surprised and pleased that Apple has decided to go with a standard instead of doing their own thing, as usual.
But the author of the article either a) can't be bothered to do some basic research about the topic she's writing about, or b) is deliberately stirring up (fake) controversy to increase engagement. Either thing is pretty bad.
Apple is super secretive about upcoming releases. They are are obviously going to ask for an NDA, otherwise they wouldn't be able to even mention things like upcoming release dates.
What do you see the ISO standard as modifying here?
There are zillions of standards after all, most not implemented by Apple and of the implemented ones, many are results of corporate lobbying or interests. Being a published standard doesn't mean it's somehow in the public interest or there is pressure to implement it.
Having a look at your link, I see section A.3.10 is proposing the use case "Vote or register to vote".
Given how politically controversial the issue of voter ID is in some places (especially the US), I'm wondering if this this ISO standard is going to get mixed up in that political controversy.
Perhaps it's because it's only controversial to some, and only in the United States. And the fact that this "issue" is magnified by mass media.
It honestly isn't that controversial of an idea: a document stating that you're already registered to vote. That's it.
This is how it works in Canada: the address that Elections Canada has on hand for you (if any) is sent a flat piece of paper –not in an envelope either– that simply indicates that you're pre-registered to vote, and includes your home address, your polling location, and your poll number (which poll worker station you go to). The poll worker verifies your information with a second piece of information with your name + address: driver's license, passport, or piece of mail from a utility company, etc.
Personally, it'd be nice if I could opt to not receive and to not have to carry a piece of paper in the mail, and it sounds like this ISO standard + implementation can achieve that. (I'm guessing – I can't actually access the document)
> Perhaps it's because it's only controversial to some, and only in the United States.
Not only in the United States. See this article about proposals to introduce voter ID laws in Australia – https://thenewdaily.com.au/news/politics/australian-politics... – much like the US situation, the reforms are being proposed by the centre-right federal government, while the centre-left parties are opposed to it, as are progressive-leaning activist groups (such as the Human Rights Law Centre quoted in the article)
I can only speak for Australia, but this isn't an issue here. The article represents little more than a thought bubble that hasn't gone anywhere because it really is pointless. Proposals like that are never popular, have a near-zero chance of passing our parliament, and even if they did it wouldn't have the same election-swinging disproportionate effects as in the USA.
In Australia we have compulsory voting. We have an extremely well run elections operated by a highly competent non-partisan commission. And there are exceedingly few citizens which don't have some form of ID, whether that's a driver license, a photo card (voluntary card for people who don't have a driver license) a public healthcare card, or an ID issued by the welfare system.
>It honestly isn't that controversial of an idea: a document stating that you're already registered to vote. That's it.
Personally my problem is that voting laws are handled at the Federal level down, but IDs are run by the States. I guess RealID is supposed to be sort of the solution to that issue, but the requirments for those are annoying to fulfill if you're not a utility-paying tenant.
> I guess RealID is supposed to be sort of the solution to that issue, but the requirments for those are annoying to fulfill if you're not a utility-paying tenant.
If you have a car, you're good, since the vehicle registration and insurance count as the two documents you need. If you have a job, you're good, since a W-2 and a pay stub count as the two documents you need. If you don't pay any bills, and you don't have a car or a job, then you're almost certainly living with someone else (probably your parents), so you're good since they can fill out a Residency Affidavit.
I did say annoying, not impossible. For me it was no car, not the master tenant, no Residency Affidavit in my state, and I don't own a printer. So, an annoying afternoon to pull up my W2 and a paystub and send them to a Kinkos, as opposed to just one afternoon wasted at the DMV.
Coming from a country (Australia) where federal elections are 100% run by and under control of an (independent) federal agency – I wonder how much of the recent US controversies over voting are due to the fact that the implementation of federal elections is something under state (and often even local) control?
Would a "federal takeover" improve things? Have the FEC (or maybe even a new successor agency) actually run presidential and congressional elections?
Of course, I realise it is very unlikely that legislation for such a "federal takeover" would make it through Congress, and if they did, there is a high likelihood that SCOTUS (especially with their current majority) would strike it down as an unconstitutional encroachment on state's rights.
Problem with that argument: in New Zealand, they have non-compulsory voting, but New Zealand doesn't have those kinds of controversies either. That's why I don't think compulsory voting really works as an explanation, despite the fact that it is the first thing to pop into many Australians' heads.
In fact, most Western countries are like New Zealand – lack of compulsory voting (unlike Australia), lack of any major controversies over the integrity of the voting system (unlike the US)
I am no fan of digital ID's but did he really need a FOIA request to break open the idea that Apple were thinking of adding drivers license to their native app and talking to the DVLA in various states about it?
>“How did it happen? Why had I or no one ever heard of it, given I know a lot of folks in the government tech space?”
Apparently this guy doesnt know much ... but enough to waste some peoples time with useless FOIA requests.
UK shows off prototype of digital iPhone driving license using Apple’s Wallet app - May. 13th 2016 11:06 am PT [1]
Louisiana, where I live, was the first state to roll out a digital driver's license on July 3, 2018, and a few other states are working on similar initiatives. The app that you use in Louisiana is called LA Wallet. [2]
> Apparently this guy doesnt know much ... but enough to waste some peoples time with useless FOIA requests.
I think this is really useful.
Apple and Microsoft have some of the most sophisticated BD/partnership teams in the world.
Many companies who partner with Apple use an internal codeword and don't let others within the company know the client, terms of the deal, or the scope of the work.
Being able to see how Apple is approaching these deals is really interesting and valuable. They are going into 50 states and dealing with the DMV. The DMV has a reputation of being disorganized and not very technical. Apple has the opposite reputation. We are getting a front-row seat into how "disruption" happens.
Even if partnership deals don't get you excited, having transparency into how private companies do business with the government is almost always a good thing.
And what did we learn? Not a whole lot. Just a pretty regular plain process asking for meeting and setting up some articles of understanding to implement an ISO standard, with the expected twist that it was under NDA until the public announcement.
> I am no fan of digital ID's but did he really need a FOIA request to break open the idea that Apple were thinking of adding drivers license to their native app and talking to the DVLA in various states about it?
He would need an FOIA request to each state DMV for documentation on the agencys' responses to Apple and any internal deliberation on the matter.
What an odd idea that FOIA requests are a waste of some employee's time, considering the vast amount of waste in the system already. Anything that can be released with an FOIA request should never have been locked behind closed doors in the first place. Locking public information up is shady and is the true reason that is wasting everyone's time.
It varies depending on the agency, the scope of the request and the purpose of the request. For just one example, here's the State of Illinois FOIA FAQ:
Taxpayers already do with their contribution to the country budgets, in EU you can submit FOIA for free to governments entity and to any private company who received government funding, it's a matter of public interest and if you receive my money (as taxpayer) then you put into account the fact that as a citizen I might request some answers
Hit the nail on the head: "if it can be implemented...?"
We're talking 50 individual state governments here. We all know that federal, state, and local govt IT practices are basically troubled at best, disastrously shoddy at worst, the only way I would accept this idea is if it was a completely optional, user-chosen, option for an ID.
I would want at least ten years of first adopters getting their lives shafted and/or stolen and/or stalked and/or breached before I'd ever think of even using the optional service.
As the experience of Estonia shows, a digital ID can be very useful and effective, but does take some work (they had a big revocation effort to manage, which they were able to do so because their country is so small).
Bigger countries such a Germany have basically punted on this issue.
I'm a big fan and disappointed that California isn't in the vanguard.
The US still doesn't have wide-spread use of chip & pin on credit cards. Innovation & adoption of digital identity in this country is unlikely to be rapid.
> The US still doesn't have wide-spread use of chip & pin on credit cards
That's not really the case anymore. The new struggle is contactless. I can count on my hands how many times I've had my current debit card swiped (which is good since its stripe is looking like shit by now).
Gas stations are finally implementing chip transactions (the deadline is Oct 2021 iirc), which fortunately generally includes a contactless reader.
But alas, we'll likely see the same problems with digital ID that we have with REAL ID.
It's so funny to me that HN is so skeptical of technology sometimes. Why build the internet when you get all the information you need at the local library? Why have cars when my horse provides companionship and transportation at the same time?
To answer the question though, since Apple Pay now works almost everywhere, my ID is one of the only cards I still need to carry. If I had a digital ID, I don't think I'd need to carry a wallet anymore.
I don't think of HN as a "technology fan site" but people who have to deal with this stuff every day. Some caution, especially based on experience, is warranted.
> To answer the question though, since Apple Pay now works almost everywhere, my ID is one of the only cards I still need to carry. If I had a digital ID, I don't think I'd need to carry a wallet anymore.
Where do you live? I currently live in California so only carry ID when driving or (more recently) when planning to enter certain buildings, like federal buildings or airports. Otherwise I don't bother and it hasn't been a problem for me.
Sometimes people do ask for ID (or an SSN) but when I politely say "I'm sorry I don't have one" they typically want to do business with me so magically don't need any info.
I'm clearly over drinking age and don't need controlled prescriptions.
As someone who has been building software for 20+ years now, I know how it fails and how it can make people's lives miserable. I know how developers cut corners and how quality always takes a back seat to other business concerns. I know how technology can erode privacy, or be used as a tool for governments to exact more control on their citizens.
I'm probably more skeptical of technology in everyday life than your average non-technical person.
> Apple Pay now works almost everywhere
I live in a city, and Apple/Google Pay definitely does not work anywhere near everywhere (even after more businesses went contactless due to COVID). I wouldn't think of leaving home without physical credit cards.
(I was at a bar this weekend. Ironically I could not pay my tab with my phone, but their photobooth took Apple & Google Pay.)
> I live in a city, and Apple/Google Pay definitely does not work anywhere near everywhere (even after more businesses went contactless due to COVID). I wouldn't think of leaving home without physical credit cards.
This isn't the case in some parts of the world.
In Australia, even before COVID, I could make 2-3 day interstate business trips with flight tickets, credit cards, public transport all my phone.
I rarely carry cash or even my physical credit cards, and haven't needed to for years now.
Yes, and also enabling not-physical validation (e.g. you could open a bank account or w/e similarly strict thing online, with your identity being verified automatically). It's convenient and saves time.
> if it can be implemented in a reasonably foolproof way?
With my wallet, I run the risk of losing my ID or having it get stolen.
With an ID on my phone, I still have those risks, but now I also have the risk of dropping the phone and breaking it, as well as the battery dying. Not to mention just some random software glitch breaking things.
> Isn't being able to ditch the wallet a huge win?
For all but the most trivial of trips outside my home (where I expect to need ID), I doubt I would leave my physical ID at home, ever. And if I have to carry it as a backup, why have the digital ID at all?
These all seem like pretty unlikely issues in day to day life. I've owned a smartphone for over ten years, never so much as broken a screen, and it's extremely rare for my battery to die. Software has been extremely reliable. I already have a wallet case I use with my phone (so if I lose my wallet, hey, built-in tracking device on my wallet!).
This seems like a great physical ID replacement. If it were available in California I would 100% use it immediately and leave my physical ID in a filing cabinet at home forever.
I replace my phone every two years and trade/sell my old one while the resale value is still good. It comes out to about a dollar a day in cost, which is a bargain considering the utility I get out of it. Battery health has been around 90% at the two year mark.
Because the problem is that we need id so often not that its inconvenient. You should need it for a passport, to show a policeman if pulled over, and if applying for welfare benefits or accessing govt services (voting, tax stuff, etc.) Basically nowhere else. Make id more convenient and more ppl will demand it.
>“How did it happen? Why had I or no one ever heard of it, given I know a lot of folks in the government tech space?”
I had a good LOL at that too. I remember people in uni were even talking about this in a business course like 10 years ago. This is not like a groundbreaking idea to digitize an ID.
This makes sense to me. Apple wants to have their wallet app hold some state IDs so they reach out to states to talk about how it might work or not work with them.
The quotes from the technologist in the article just seem kinda random. I feel like those would be the basis for an article ... once you know them, but nothing in that article answers any of them or tell me that any of them are a problem.
state/federal agencies should never use any third-party software that exfiltrates any personal data of residents (especially google, which already infests governments & schools). it should be self-evident that this creates an irresistable incentive for the state and corporations to consolidate power, capital and influence against the populace.
>especially google, which already infests governments & schools
Working in schools, I can assure you, google classroom and all the accompanying apps are not some cabal from the schools. They're free. That's the incentive.
Also, I would ask, what is the other option? That the government builds and maintains specific programs for every function? How okay are you with taxes going up quite a bit? Because they will need to in order for the public sector to compete for talent with the private sector.
My opinion is that these sorts of things don't need to be electronic, as paper is more secure anyway. But maybe I'm a Luddite. At the very least, I am privileged enough to have a career that allows me the flexibility to interact with government agencies if I need to. If I was still working retail, I could see how online services would definitely be a plus in time saved.
yes, the government should generally build the software they need to support essential functions for the populace, which certainly can include open-source/collaboratively-developed software, even the paid kind. we shouldn't allow government to decide to pay for software by gutting individual privacy and liberty. that goes counter to the spirit of our inalienable rights.
also, "taxes will go up" arguments are at best naive. taxes (amounts/rates) have little correlation with supporting the essential needs of government. they're primarily employed to generate leverage, (unfair) economic gain, and power. public sector pay is uncompetitive because politicians and bureaucrats don't find competitive pay to serve those purposes.
but yes, paper is perfectly fine technology for most educational purposes, relatively secure and private intrinsically.
Due to how education authority is distributed and entrenched in the US, it is exceptionally unlikely they have the competency to build the software tooling they need for essential functions. Khan Academy tried to provide this service, but it appears there's been very little uptake. It's even worse if you’re a startup, with horrendously long and tortured sales cycles and your contract at the whim of career admins and politicians.
Charter schools as the developers or consumers of such software, as well as homeschoolers, would see better outcomes imho. Retooling public schooling apparatus is a lost cause (although there is likely some small impact to be realized if you're a technologist in a position where you can deliver disproportionate impact to your local institution).
yes, no doubt the challenges are significant, given the centrality of public education in local, state, and even national politics, but policy (slowly, piecemeal) got us into this problem, and perhaps only policy (after a long cycle of learning & debate) can get us out.
the main point is that a key (hopefully self-evident) principle is that our liberties shouldn't be for sale at any price. if that means states/localities need to develop software (and software development as a competency), so be it. political winds can change.
but as has been pointed out, it's not even clear that we really need much new technology, when existing tech seems to be perfectly satisfactory, if unexciting. the mass distance-learning experiment we just experienced seems largely a failure. turns out learning, while central, is only one of many educational concerns, and computer-based learning is at best augmentative, not primary (unlike, say, school administration systems).
They're not free. They're certainly not "free" as in they respect my freedoms, nor the freedoms of any child or parent that has to dirty themselves with it. It might not be a cabal with the schools, but surveillance capitalists are certainly a cabal unto themselves; a nasty and greedy cabal which has no place near public institutions.
As schools attach themselves to these incredibly abusive products, I sincerely hope the publics' opinion of schools drops with exponential relation.
They shouldn't be widespread. I will continue to hope that schools which mandate their use fall ever further out of favor. May the management be ever engaged in fights for public funding, and their allotments continue to shrivel.
I'd love to see a wholesale turnover in all establishments that cozy up to the likes of Google and Microsoft.
That hasn't happened because they're cheap, effective, and relatively easy to manage. Unless Google fucks things up big time, they're probably going to be around for a long time.
Unless Google fucks things up, or citizens start making bureaucrats' lives much harder.
I'm 100% in favor of people going directly to teachers, principals, counselors, on and on up until enough additional busywork is piled on top of these civil servants that their choice is a perpetual drowning in outrage or a removal of abusive technology.
It shouldn't be that hard to accomplish; possibly even just ten to fifteen people per school, applying pressure wisely, ought to make for effective burnout.
Hey, at least they're not requiring a chip implant.
Of course the phone OS people are going to do this. Judging from a few years of Live PD, every single person getting pulled over never ever has a valid ID, but always always has a cell phone that they clutch like their life depended on it.
Anything in the article is just a detail that is being hashed out.
Yeah, my understanding is that Apple is using a standard:
> Apple’s mobile ID implementation supports the ISO 18013-5 mDL (mobile driver’s license) standard which Apple has played an active role in the development of, and which sets clear guidelines for the industry around protecting consumers’ privacy when presenting an ID or driver’s license through a mobile device.
Slightly aside -- I have never worked out why everyone calls it a "driver's licence" (or license), as every one I've ever seen, on all sides of the pond, is clearly labelled a "Driver Licence" in big bold letters.
It doesn't appear to be an attempt at plural (obviously that'd be wrong in any case), and possessive doesn't make any sense in either this, or the common use, context.
17 states say "Driver's License". Arkansas, Georgia, Idaho, Illinois, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, New Mexico, Pennsylvania, South Carolina, Vermont, Virginia, West Virginia.
Indiana and South Dakota actually call it an "Operator License", rather than "Driver" or "Driver's".
It’s “Driver’s License” in my state (Idaho), while it’s a “Driver License” in California.
I always assumed that the possessive form was to indicate that it was a license possessed by a driver. In fact “Driver License” makes less sense in my head, as I can’t make heads or tails of what role each word is supposed to make in that clause.
I disagree with the article. I will choose to put my government documents as a backup in my Apple Wallet. I don’t care if other people choose not to, that is their decision.
Good to see the IL was direct in rejecting the idea of an NDA. Meetings like this should not be hidden from public view since it involves decisions that affect the constituents.
Also, Apple seems to have this backwards: The states don't operate on their product schedule. Nor should they.
You could ask the same about Apple Pay: "Is the end Goal to make Apple Pay the only payment method supported on the internet and kill credit card numbers"
Not only is there nothing to support your claim, there's no reason to believe this would be the next step if your claim was accurate. Instead, they'd just...require ID on the internet, it's not like that's not currently possible.
Verifying pictures of people's physical ID cards is much more involved than using a digital standard.
It may be a big leap to say that implementing a Digital ID standard means that an ID-locked internet is the end goal, but it is a necessary step to reach that goal.
A much bigger flaw in their reasoning is that it's unclear who "they" is. Apple? Why would they care beyond maybe locking their own services behind ID? Government? Because they don't seem to be even making a uniform push to get things implemented.
There’s lots to support his claim. You can’t use Homepods without an iCloud account, you can’t get an iCloud account without an Apple ID, and you can’t get an Apple ID without providing a phone number and email address.
The (eventual) goal is not to kill off anonymity, but to better support user control of data and thereby give more anonymity.
You should be able to prove your age to buy liquor, without disclosing any other information (including your name or birth date). That should work without the government or any other party knowing you. But we are still on the road to get there.
There are numerous other efforts for decentralized identity systems where the user 'holds' digitally signed credentials and presents them under consent. While most parties realize that reducing data release and supporting anonymity are important objectives, the different efforts (and participants) have different priorities.
Some efforts, like Smart Health Cards, do not support selective disclosure of information, instead just supporting digital medical documents as signed data. This was a scope reduction to get a system out more quickly for COVID vaccination credentials.
Mobile drivers licenses support selective disclosure, but many privacy controls are really being implemented via certification, where compatible reader devices are being limited to those who certify that they discard data after use.
There are stronger primitives like Anonymous Credentials [1] , which also make the cryptography itself unlinkable, and predicate proofs which let you present answers to questions without presenting the underlying information. However, standardizing and deploying such crypto at scale takes years.
How the technical implementation works is irrelevant to how the "boots on the ground" will use it. "We can't accept this until the device is unlocked." will be a common refrain. Or "I need the device to verify" while they eliminate your video record of the encounter.
We just recently saw how Apple bends over for government demands.
> Only after authorizing with Face ID or Touch ID is the requested identity information released from their device, which ensures that just the required information is shared and only the person who added the driver’s license or state ID to the device can present it. Users do not need to unlock, show, or hand over their device to present their ID.
People need to accept that the moment you’re face to face with a cop, software isn’t going to restore accountability on the spot or give you an edge against an adversary that has the monopoly of violence. If your threat model is that you should be prepared for a cop to seize either your physical driver’s license or your phone, you should make sure you carry the one you care the least about with you.
I am implying that kids will find a way, for those of us that live in the free world and are adults at 18 it is less of a burden. For the poor souls in the US who come of age at 21, fake phones for id might be the new accessory.
Yes, some kids will find a way. I would have. But I have no problem making the barrier to entry higher, at least until parents start responsibly introducing their kids to alcohol or drugs instead of just pretending they don't exist or worse, arguing they are awful from a religious or otherwise zealous perspective.
In a perfect world, parents would teach their kids about how to party responsibly, but we don't live in a perfect world. At the very least, when kids get older they can arguably make slightly better decisions (e.g. think more clearly) sometimes.
Oh I'm sure motivated kids will find hacks and workarounds. If anything it might end up being even easier to fake your age; especially when dealing with businesses that are totally apathetic or unknowledgeable about technology.
That's what concerns me. It wouldn't be unreasonable or impossible for this to happen. The physical IDs have a ton of security features to them. And that's actually not even required. It's NFC based tap, someone will find a way to exploit and spoof a valid ID.
Typically if presenting in person (such as airport security) you would need to also release your picture, which would show up on the TSA agent's terminal next to a big green checkmark for the valid cryptographic signature.
Without the picture? My understanding is that release does require authentication, and the message could disclose whether that was done with say the fingerprint used when the license was added to the phone.
The use of cryptographic signatures means the weakest link would likely be the identity verification process of the issuing DMV (or their app).
If it's in any way reliant on a central database, or even PGP, I fail to see how you could fake an ID besides finding someone that looks like you and sending that in your place.
That would kinda be the idea, using someone who has a similar looking photo to you. I'm thinking in terms of kids getting into clubs. Physical fake ID's are easy for a knowledgeable bouncer to spot, but if it's all digital data, then it's significantly harder for the bouncer to spot fakes when the data is validated by a system. They'd need entirely new training.
And it's not like there isn't already a black market of stolen IDs already. Get a photo of your client, run it against a database of stolen info, get a match. I understand I'm simplifying this immensely, but if the system can be broken, then it will be exploited. And really it's not if, but when.
I can see this being a useful technology in the case of law enforcement, pharmacies, doctors offices, or anywhere you would need to check in with your driver's license.
The information is useful, but the whole framing is very strange and conspiratorial that's not supported by the emails or the facts.