Apple Announces Details of Storing State IDs in Wallet
An intriguing feature of Apple’s iOS 15 announcement at WWDC was the option to store a driver’s license or a US state ID in the Wallet app on the iPhone and Apple Watch. At the time, Apple offered no details, and the feature hasn’t appeared in the iOS 15 betas. Now Apple has provided some specifics: the feature will roll out first to residents of Arizona and Georgia, with Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah to follow. We’re voting for California, New York, Tennessee, and Washington State next.
Apple’s announcement is nicely detailed, but after a briefing with Apple, John Gruber of Daring Fireball shared some additional quick insights. Most importantly, you won’t have to unlock, show, or hand over your iPhone—identification information will be transmitted to a reader using NFC after biometric authentication, much like Apple Pay. Even better, the system will offer the option to share only necessary information. For instance, if you need to prove your age, you could verify that without also sharing your birthdate. (It’s also worth reading the footnotes for Gruber’s profanity-laced tirade about the ugliness of many state IDs.)
If you’re an international traveler and a US citizen returning to the US from overseas, refusing to present your phone (or computer) to a customs official upon demand can get you in very hot water very quickly. Bad advice from Gruber, and I’m surprised he would say such a thing.
For the last couple of years I’ve been using Yoti which is supported by my local council and the Scottish Government for authentication to my account with them. In theory you can use it to prove your age at the off-licence without sharing any other details (eg a simple, “yes, this person is 18 or older”). I say in theory because I clearly don’t look anywhere close to young enough to ever be challenged
It looks like Apple’s state ID in wallet is taking a similar approach for a subset of what Yoti addresses (in person local ID proof, but no online login or detail sharing, and no support for passports). I think this is a good thing: if someone needs to know I’m over 18, they don’t need any other details. And I was pleased to see that Apple is using some sort of standard for digital driving licences. Even if you think everyone should use an iPhone, no identity system will be adopted (nor should it be) if it can only be used by people who use a specific vendor’s products.
It will be interesting to see how this space develops. I believe there are countries much further ahead (eg Estonia), and I’d like to see Apple provide access to NFC for other identity service providers. I think it is naive to assume Apple can, or should, be the only provider of digital identity services on the iPhone globally – there should be a way for other providers to tie into the system.
I’m not sure I have any specific point here, but I’m interested in the topic. Digital ID could be extremely intrusive and abused if not designed right. So I want to see providers like Apple and Yoti who have a privacy-first design, with secure local storage of personal info, gain traction. This should be the standard to which any digital ID provider is held. If instead we end up with governments and citizens accepting these details being held ‘securely’ on private cloud services, it will be a disaster waiting to happen (and I will not be participating!).
I assume Gruber was referring to the routine case when law enforcement asks to see your ID. In the case of Customs, this would be your passport, not a drivers license - where Apple’s new system won’t even be applicable.
If they actually ask to inspect your phone (not just to see your ID), then you’re in a completely different situation where none of this applies. Comply or refuse based on your understanding of the law and how much aggravation you are willing to put up with.
And, of course, you’re still going to need to carry your physical ID anyway. There will be many situations (especially initially, but probably forever) where the person requesting it won’t have the ability to read the electronic version.
Yes, if you’re at a border, it’s an entirely different situation. @geoffduncan wrote about this for us a few years ago.
No. In the Daring Fireball article linked to by Josh, Gruber says:
“… never ever hand your phone to a cop or anyone vaguely cop-like, like the rent-a-cops working for TSA. If they tell you that you must, refuse. If you really need to hand it over, they’ll take it from you.”
A review of Geoff’s article (fortuitously provided by Adam above) should provide sufficient explanation of why Gruber’s advice is egregious. If not, there are hundreds if not thousands of articles across the web, many of them posted by reputable educational institutions, that provide some of the same reasoning. And here is Homeland Security’s own justification on how they may treat your devices as “luggage” when crossing the border, thus obviating the need for a warrant:
Many corporations requiring employee travel to foreign countries now issue “burner” or “loaner” devices specifically for travel. The machines are typically provided wiped completely clean of data, with only applications installed.
The TSA is not a part of Customs. TSOs are not law enforcement officers of any kind. They have no right to search anything beyond their narrow mandate to look for hazards to flight (like weapons or explosives).
If they happen to see other illegal materials, they can hold your bags and call an actual law enforcement officer (who can, of course take further action), but that’s the extent of their authority.
I used to be a frequent reader of the TSA Blog and this subject often came up, with the TSA people moderating the blog giving the above answer.
A TSO absolutely does not have the right to go rummaging through the contents of your electronics, because nothing they could possibly find could be a hazard to flight safety.
Customs’ mandate is to inspect what you bring into the country (international arrivals). TSA’s mandate is to ensure that nothing hazardous gets on a plane (all departures). Their jurisdictions do not overlap, they have different authorities and they answer to different Federal agencies.
I never asserted that TSA was part of CBP/ICE or DHS. So, again, no. I took exception to Gruber’s statement “never ever hand your phone to a cop or anyone vaguely cop-like” as being unnecessarily confrontational and risky in an area where Customs agents have the warrant-free ability to search or request a search of your devices. Geoff covers a broad range of possible responses (or prior-to-travel-preps) that acknowledges DHS authority.
My statement about Gruber’s (probably overly broad) comments stands.
Join the discussion in the TidBITS Discourse forum