NoPhoneHome is Working, But Don’t Stop Now…

Jun 6, 2025

On Monday, June 2, 2025, we* launched NoPhoneHome.com with about 75 signers opposed to “phone home” (surveillance) capabilities within digital identity systems, including the ACLU, EFF, EPIC, CDT, Bruce Schneier, Dr. Jan Camenisch, Dr. Anna Lysyanskaya, and more. Now there are 150+.

More importantly, it is beginning to have the desired effect:

Prior to June 2, Utah got the ball rolling with SB260, which prohibits surveillance within a state-endorsed digital identity system. Utah then turned off “Server Retrieval” (phone home) mode for the 100,000+ mDL (mobile driver’s license) holders in the state and just held its inaugural Data Governance Summit, strengthening data privacy practices statewide, attended by 700+. The governor spoke, singing the praises of data privacy and decentralized identity, followed by the Senate and House majority leaders, who did the same. (Utah is rapidly becoming a hotbed for decentralized tech and bold new policy.)

Now, because of the #NoPhoneHome campaign, we’re learning that other states are discovering that phone home capability is latently present within digital identity systems they’ve implemented or are considering, and they’re justifiably alarmed.

Key facts to remember:

1. To their enormous credit, AAMVA has recently banned Server Retrieval mode nationally in the U.S.;

2. Server Retrieval is “Recommended” within the ISO 18013-5 mDL standard, but not required (we originally thought it was required, so this is a positive correction);

3. Do not trust “privacy by policy”: if phone home capability is activate-able within an identity system, it’s only one ‘emergency’ away from activation… phone home capability should be removed entirely, and no standard where phone home is conformant (such as ISO 18013-5 or OpenID Connect) should be implemented, with the exception of #5 below;

4. The mDL has dominated the discussion since June 2 but it is not the only phone home offender, by a long shot: anything that uses OpenID Connect (OIDC) or almost any other federated identity protocol (OAuth, SAML, etc.) phones home for *every verification, every time*… watch for that discussion to increase in attention and fervor;

5. Phone home is harmless when used *within* an organization’s trust domain, but when it crosses domain boundaries — like when a citizen uses their state-issued ID to log in to a non-state website — it enables Orwellian surveillance;

6. Phone home enables not only surveillance, it enables control — with phone home an authority can deny permission to proceed, effectively controlling identity-enabled online activities;

7. Some countries (i.e., Estonia, India, Singapore) have digital identity systems that phone home, and they seem OK with that… our concern is with societies that generally oppose tracking and surveillance and do not realize they may be getting surveillance in latent form.

Exposing phone home capabilities is already having a significant and growing impact, so if you live in a society that generally opposes surveillance, now is the time to raise the alarm with privacy advocates and policy makers however you can, while there is momentum… Because once phone home is implemented, and authorities get a taste of its immense power over citizens, it will be difficult to ever remove.

Now is the time. Please keep spreading the #NoPhoneHome message to all who might need to hear it. We may not get a second chance.

*We includes me, Kim Hamilton Duffy, Jay Stanley, Steve McCown, and Joe Andrieu.

Timothy Ruff