Phone Home is Bad. Really Bad.
What phone home enables is worse than just surveillance and privacy invasion. Much worse.
The ACLU, EFF, EPIC, CDT, Bruce Schneier and nearly 100 others have signed a public statement opposing phone home capabilities in digital identity systems: NoPhoneHome.com.
The statement is simple, clear, and helpful, but it severely soft-pedals the problem.
When Phone Home Is Far Worse Than Just Surveillance
The harm of surveillance is bounded by what the watcher can do with what it sees. Phone home removes that bound: when the verification request goes to government, government gets to decide whether the identity-enabled activity proceeds at all. It literally gives government the ability to say “yes, I will allow you to do that thing,” and, just as easily, to say no.
Phone home is ultimately about control over digital activities. It may not start with that objective, but that is the inescapable conclusion when it is in the hands of government. That is far worse than just watching me — which is bad enough — it’s controlling me.
What is Phone Home?
Phone home is when you present a digital credential, whether in person or online, and the system you’ve presented it to “phones home” to the original issuer (or a proxy acting for it) to check that your credential is valid. That single request tells the issuer which credential was used, where it was used, and when, so it identifies both the verifier and the user. Phone home can also happen after the fact, as batched or delayed reporting, or be triggered by an application on your own device; each variant has the same ultimate effect of surveillance and control by the issuer.
You might think such a phone home check is necessary to verify a credential, but it is not. Verifying a credential is a signature check against the issuer’s published public key, and revocation status can be checked against a status list the verifier fetches in bulk on a schedule rather than by asking the issuer about each presentation. Credential verification, including current revocation status, can now be done without phoning home. The SSI (self-sovereign identity) industry emerged over the last ten years to solve this very problem, and it did solve it. It was first solved using blockchain tech, and now there are other, non-blockchain methods that also provide robust verification without phoning home, including revocation.
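The contrast between the two verification paths, shown as an added example that is not from the original post and not from any mDL or SSI implementation. It assumes an Ed25519-signed credential and a bitstring status list (one bit per issued credential, signed as a whole and fetched in bulk), which is one of the non-blockchain revocation designs; the ISO 18013-5 wire format and the names Issuer, VerifyOffline and PhoneHomeCheck are this example’s own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the signed payload a wallet presents. StatusIndex points at one
// bit in the issuer's published revocation bitstring (an assumed status-list
// design for this example, not the ISO 18013-5 mDL format).
type Credential struct {
	Subject     string    `json:"sub"`
	Over18      bool      `json:"over18"`
	Expires     time.Time `json:"exp"`
	StatusIndex int       `json:"status_index"`
}

// SignedCredential is the payload plus the issuer's Ed25519 signature over it.
type SignedCredential struct {
	Payload   []byte
	Signature []byte
}

// StatusList is the issuer's revocation bitstring, signed as a whole. Verifiers
// download it in bulk on a schedule, so the issuer never learns which credential
// is being checked, by whom, or when.
type StatusList struct {
	Bits      []byte
	Signature []byte
}

// Issuer stands in for a DMV. AccessLog records what a phone-home design lets it
// learn about every presentation.
type Issuer struct {
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	bits      []byte
	next      int
	AccessLog []string
}

func NewIssuer() *Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Issuer{pub: pub, priv: priv, bits: make([]byte, 1024)} // room for 8192 credentials
}

func (i *Issuer) PublicKey() ed25519.PublicKey { return i.pub }

// Issue signs a credential and assigns it the next free status-list bit.
func (i *Issuer) Issue(subject string, over18 bool, ttl time.Duration) SignedCredential {
	c := Credential{Subject: subject, Over18: over18, Expires: time.Now().Add(ttl), StatusIndex: i.next}
	i.next++
	payload, _ := json.Marshal(c)
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}
}

// Revoke flips the credential's bit; verifiers see it once they refresh the list.
func (i *Issuer) Revoke(idx int) { i.bits[idx/8] |= 1 << (idx % 8) }

// PublishStatusList is what verifiers fetch periodically: the whole bitstring,
// never a query about one credential.
func (i *Issuer) PublishStatusList() StatusList {
	bits := append([]byte(nil), i.bits...)
	return StatusList{Bits: bits, Signature: ed25519.Sign(i.priv, bits)}
}

// PhoneHomeCheck models server-retrieval-style verification: the verifier asks
// the issuer about every presentation, handing over the credential and its own
// identity. The issuer both learns about the use and decides whether it proceeds.
func (i *Issuer) PhoneHomeCheck(verifierID string, sc SignedCredential) bool {
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return false
	}
	i.AccessLog = append(i.AccessLog, fmt.Sprintf("%s presented at %s on %s",
		c.Subject, verifierID, time.Now().UTC().Format(time.RFC3339)))
	return ed25519.Verify(i.pub, sc.Payload, sc.Signature) && !revokedIn(i.bits, c.StatusIndex)
}

func revokedIn(bits []byte, idx int) bool {
	if idx < 0 || idx/8 >= len(bits) {
		return true // index outside the published list: fail closed
	}
	return bits[idx/8]&(1<<(idx%8)) != 0
}

// VerifyOffline is the no-phone-home path: the issuer's public key and a cached,
// signed status list are all the verifier needs. Nothing leaves the verifier.
func VerifyOffline(issuerKey ed25519.PublicKey, cached StatusList, sc SignedCredential, now time.Time) (Credential, error) {
	var c Credential
	if !ed25519.Verify(issuerKey, sc.Payload, sc.Signature) {
		return c, errors.New("credential signature invalid")
	}
	if !ed25519.Verify(issuerKey, cached.Bits, cached.Signature) {
		return c, errors.New("status list signature invalid")
	}
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return c, err
	}
	if now.After(c.Expires) {
		return c, errors.New("credential expired")
	}
	if revokedIn(cached.Bits, c.StatusIndex) {
		return c, errors.New("credential revoked")
	}
	return c, nil
}

func main() {
	dmv := NewIssuer()
	key := dmv.PublicKey()
	alice := dmv.Issue("alice", true, 24*time.Hour) // constructed sample credential
	list := dmv.PublishStatusList()                 // the store caches this, say, once a day
	if c, err := VerifyOffline(key, list, alice, time.Now()); err == nil {
		fmt.Printf("offline: over18=%v, issuer log entries=%d\n", c.Over18, len(dmv.AccessLog))
	}
	dmv.PhoneHomeCheck("liquor-store-42", alice)
	fmt.Println("phone home: issuer now knows", dmv.AccessLog)
}
```

The point a practitioner should take from this: VerifyOffline never touches the issuer, so the issuer’s log stays empty, while one PhoneHomeCheck records who presented what, where and when, and also returns the issuer’s yes/no. The price of the offline design is revocation latency equal to the status-list refresh interval, which is a tunable privacy/freshness trade-off; fetching the list per presentation would reintroduce a timing signal, so fetch it on a fixed schedule.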
So Why Phone Home?
So why does any digital identity system phone home, if it doesn’t have to?
The federated protocols that phone home are widely adopted within the IAM (Identity & Access Management) industry because they power the single sign-on that corporate workers use every day. Many workers have dozens of systems they need to access, and some orgs run thousands of different software applications; single sign-on gives workers one login instead of many, a benefit that has become a necessity in our software-dominated world. Within an organization’s own trust domain, phoning home is harmless: the employer already owns the accounts and the systems being accessed.
The $15 billion IAM industry — powered primarily by single sign-on solutions — phones home to itself to verify every login, every day. This ubiquity of intra-domain phone home makes the underlying protocols well-worn, so developers, designers, architects and other tech professionals are intimately familiar with them. OpenID Connect, OAuth, SAML and similar federation protocols all phone home by design: the identity provider takes part in every login, so it sees every login. So when government gets into the digital ID game and policy makers approach existing ID industry experts for products and advice, those experts simply tweak their existing, phone-home-capable products and — voilà — government inherits phone home capability.
When Phone Home Goes from Helpful to Harmful
The problem comes when phone home is used to verify identities across organizational boundaries rather than just within those boundaries. That’s when phone home goes from useful single sign-on to Orwellian surveillance and control.
Phone home from me to my employer to allow me into a system that I’m entitled to access? Great, that’s “intra-domain” (within the same organization). Phone home from the liquor store to the government to verify that I’m over 18 so I can buy alcohol? No way, that’s “inter-domain” (across organizational boundaries), and none of the state’s business. Both phone home, but one is harmless and the other Orwellian.
I live in Utah, where we have a law requiring websites to verify that a user is over 18 before granting access to pornographic content. While I’m no fan of pornography, I oppose any digital identity system that phones home for permission on behalf of those who do visit such sites and are trying to comply with the age verification law.
Ultimately, a digital credential from government should function like the physical one: it should have the power and trust of government when I use it, but no built-in way for the government to know if, when, or where I use it.
But… “The Phone Home Function Isn’t Activated”
As the phone home privacy debate intensifies, you’ll hear this argument a lot: “The system may technically have the capability, but we’ve not implemented it that way.”
This is the situation we find ourselves in with AAMVA and the mDL (mobile driver’s license). AAMVA is the association of the government agencies that issue driver’s licenses in the United States, and it publishes recommended guidelines for how states should implement the mDL. To AAMVA’s credit, in their Dec. 2024 Implementation Guidelines (version 1.4) they did warn about the tracking potential of “Server Retrieval Mode” (phone home mode), and just recently released updated guidance (version 1.5) that finally prohibits the practice.
Better late than never. I still wonder why they tolerated it as long as they did.
But while AAMVA is a national nonprofit, it is a private organization not subject to public comment, FOIA, political mandates or other regulations; all it can do is publish guidance, and it is up to each state to choose to follow it. Even if all 50 states choose to follow this new policy there is still one enormous problem: the underlying ISO 18013 standard (specifically ISO/IEC 18013-5, which defines the mDL) still specifies Server Retrieval (phone home) as a supported mode, so the capability remains available to every implementation built on it.
When government is tempted with such power, it’s akin to giving an ice cream cone to a four year-old and telling him not to lick it, and then walking away. If the four year-old isn’t hungry at the moment maybe he can resist for a while, but if he’s hungry and the adults walk away… all of a sudden it’s an emergency.
And emergencies are precisely the problem with having latent phone home capabilities available, like those baked into ISO 18013.
Privacy By Policy
Using a phone-home-capable standard like ISO 18013 to implement a digital identity system while promising not to activate that capability is — with credit to Steve McCown for this insightful phrase — “privacy by policy.” It’s like telling the four year-old not to lick the cone — that’s the policy — and then walking away, creating the conditions in which the policy will likely be violated.
All any government needs is an emergency, and often they don’t need even that. Sometimes they argue a need to monitor (and control) all uses of everyone’s identities so they can catch the bad guys just in case they show up. And that may be true: when all uses of government-issued digital credentials are constantly monitored, they may catch more bad guys, assuming bad guys are stupid enough to use systems with known surveillance. But American society decided at its founding that personal liberty was more important than catching every bad guy, that we should be protected from “unreasonable searches and seizures,” and that we should be presumed innocent instead of guilty.
As we’ve seen repeatedly, all government needs is an emergency like 9/11 or COVID and we quickly give in to demands for intrusive and sometimes surreptitious surveillance. This is the inherent weakness of privacy by policy: policies and policy makers change — in emergencies, very quickly — and never do they change in the direction of greater personal liberty.
Bottom line: if the capability exists to surveil digital identity and to control it, to selectively deny its use, that power will be activated sooner or later; we’re always just one emergency away. Government may find other ways to still surveil and control, but having latent phone home capability embedded within a broadly used digital identity is like installing a big, shiny, easy ‘press here to surveil’ button… the only protection we have is current policy makers’ promise not to press it.
Ubiquitous Use = Ubiquitous Control
Another weak argument we’ve heard and will continue to hear: “the government-issued ID will only be used for a few things, like accessing government services, travel, etc.”
If it really stayed that way I’d have no problem with phone home, but it won’t stay that way, not by a long shot. Mark my words: government-issued credentials will begin to replace usernames and passwords internet-wide.
Just recently in my home state of Utah, the mDL program was funded to expand its utility for things like “e-banking, online shopping for age-restricted items, online car rental.” That is just the proverbial tip of the iceberg, and here’s why:
A government-issued verifiable credential is the strongest, most secure, highest-trust credential most of us will ever have. It is far more secure and trustworthy than any username-password combination, and the user experience will be better. Imagine the reduction of friction as websites say the equivalent of “just use your mDL with us, no need for a username or password or even to set up a new account.” It’s a huge win/win for both consumers and websites: websites reduce friction, gain strongly vetted humans instead of bots, and get a windfall in liability reduction as they no longer have to maintain valuable, breachable honeypots of usernames and passwords. Users win by shedding usernames and passwords, getting a slicker experience, and increasing their security and resistance to ID theft.
Combine ubiquitous use with a latent phone home capability and you’ve got a tinder box, like a hungry four year-old holding an ice cream cone… as soon as the adult leaves the room that cone will get a lick. And with this kind of surveillance comes the huge bonus of control, literally the ability for government to say “no” to identity verifications for any reason under the sun.
Privacy Advocates in Free Societies Must Vigorously Oppose Phone Home Right Now, BEFORE It’s Too Late
The current, very dangerous problem with phone home is when it’s implemented unknowingly into a society that would oppose it if they knew what they were getting. Once phone home is embedded and government gets a taste of its power, I don’t see how that power is ever relinquished.
If phone home is on the table in your state — and it is in almost every state — it’s now or never.
To the current generation of privacy advocates: if we succumb to privacy by policy, and we allow phone home capabilities to be implemented while we are still above room temperature and standing on the top side of the grass, it’s on us. We must discover phone home capability wherever it might lurk, and activate any and all fellow privacy lovers to oppose it like we would a foreign invader…
Because if we lose this fight, we likely lose it forever.