In my (European) country now we can have a digital copy of the driving license on the phone. It specifically says that it’s valid to be presented to law enforcement officers during a check.
I was amazed in the beginning. They went from limited beta testing to full scale nationwide launch in just two months. Unbelievable. And I even thought “wow this is so convenient I won’t need to take the wallet with me anymore”. I installed the government app and signed up with my government ID and I got my digital driving license.
Then yesterday I got stopped by a random roadblock check and police asked me for my ID card. I was eager to immediately try the new app and show them the digital version, but then because music was playing via Bluetooth and I didn’t want to pause it, I just gave the real one.
They took it and went back to their patrol for a full five minutes while they were doing background checks on me.
That means if I used the digital version, they would have had unlimited access to all my digital life. Photos, emails, chats, from decades ago.
What are you going to do? You expect that they just scan the QR code on the window, but they take the phone from your hand. Are you going to complain, raising doubts? Or even say “wait I pin the app with a lock so you can’t see the content?”
“I have nothing to hide” but surely when searching for some keywords something is going to pop up. Maybe you made some ironic statement and now they want to know more about that.
And this is a godsend for the secret services. They no longer need to buy zero day exploits for infecting their targets, they can just cosplay as a patrol and have the victim hand the unlocked phone, for easy malware installation.
Immediately uninstalled the government app, went back to traditional documents.
Convenience always has a cost
NSA has all your info already anyway
I’ve always just shown a scan of my ID on my phone. It’s just a picture?
and they accept that as a valid id? I mean in a store ok, but a public official? It’s incredibly easy to make a fake screenshot
The digital versions of ID cards are glorified QR codes: they scan it and their device downloads the official version from the government servers. Or, for offline usage: the QR code contains all the data, signed with their key, and they check if the signature is valid.
If you use an Android phone, just create a separate account on your phone just with the apps you want the police to see. No email, photos, social media, or anything. This way you can switch to the restricted user before giving the cop your phone.
Containerized apps on Android when?
I have the digital ID in case I forget my physical one (despite not legally being required to carry ID) but it’s in an empty GrapheneOS profile.
If you are on Android you can use screen pinning. That way the phone won’t get locked and bother the police but they can’t switch to any other app without your password.
But I don’t know how much I’ll trust an app by government. Maybe in Europe that app is open source.
Wouldn’t trust a gov app in Europe either. But then again I don’t trust any app and have them firewalled at least.
The EU covid app was released on fdroid. I would trust it if it was open source, audited by a third party, and finally made available on fdroid.
Ok this has some right for existence… Yet, just being OSS isn’t always the point alone. Without checking the code myself I still just have to trust.
Fortunately fdroid does some checks. And the third party audit does some checks. That’s already a lot of others checking it.
For some reason that’s only a thing when navigation is set to buttons, when using gestures it’s not available. So yeah it’s a bit hard to go to settings, change the navigation mode, turn on pinning, pin the app and only then hand over the phone…
I also have my phone set up to gesture navigation. If I swipe up and click on the app icon I see the option to pin it.
Must be some OnePlus limitation or something.
Yup, if you hand them your unlocked phone they can look through it.
But they have one advantage: They are way easier to counterfeit. Meaning that with a few months of programming at most, if you ever find yourself on a run, you’ll be able to ID yourself on trains or buses or check in to hotels with fake personal info.
you realize they’re more than just your picture on a screen, right? there’s a whole public key private key verification process that happens, which covers your photo and personal info, at least from what I understand of ISO 18013-5.
if anything it should be almost impossible to make a fake mobile id, barring exploits in reader software or the govt leaking their private key.
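Added example, not part of any comment in this thread and not code from any real ID app: the offline check described above (QR payload carries the data plus an issuer signature) and the public-key verification the ISO 18013-5 comment refers to. The "body.signature" payload format, the field names and the use of Ed25519 are assumptions for illustration, not the ISO 18013-5 encoding.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// License is a constructed record (assumed fields); Expires is YYYY-MM-DD so it compares as a string.
type License struct{ Name, Number, Expires string }
var b64 = base64.RawURLEncoding

// Issue (issuer side) signs the JSON body and returns "body.signature" for the QR code.
func Issue(priv ed25519.PrivateKey, l License) string {
	body, _ := json.Marshal(l)
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// Verify (reader side) needs only the issuer's public key, so it works offline.
// The signature is checked before the body is parsed or trusted.
func Verify(pub ed25519.PublicKey, qr, today string) (l License, err error) {
	b, s, ok := strings.Cut(qr, ".")
	body, err1 := b64.DecodeString(b)
	sig, err2 := b64.DecodeString(s)
	if !ok || err1 != nil || err2 != nil {
		return l, fmt.Errorf("malformed payload")
	}
	if !ed25519.Verify(pub, body, sig) {
		return l, fmt.Errorf("signature invalid: altered or not from this issuer")
	}
	if err = json.Unmarshal(body, &l); err == nil && l.Expires < today {
		err = fmt.Errorf("license expired on %s", l.Expires)
	}
	return l, err
}

// Demo checks a genuine payload, an edited body with the old signature, and an expired one.
func Demo() (genuine, edited, expired error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway issuer key for the example
	qr := Issue(priv, License{"Jane Example", "X-0000", "2030-01-01"})
	fake, _ := json.Marshal(License{"Someone Else", "X-0000", "2030-01-01"})
	_, genuine = Verify(pub, qr, "2025-06-01")
	_, edited = Verify(pub, b64.EncodeToString(fake)+qr[strings.Index(qr, "."):], "2025-06-01")
	_, expired = Verify(pub, qr, "2031-01-01")
	return
}

func main() { fmt.Println(Demo()) }
```

The check only means something when a reader actually runs it; a screen that is merely looked at gets none of this protection.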
Yes I do. Therefore I would never use it in front of state authorities, but I doubt a hotel receptionist would make use of pubkey cryptography.
you don’t think they’ll just use some app to verify it? my state’s mdl doesn’t even show any personal info other than name, if they want birthday they have to scan it
Don’t get me wrong, it’s great that you figured this out. But why did you not consider this sooner? Wouldn’t it have been obvious that you would have to have the phone unlocked and that having a police person have any access to an unlocked device would be a real problem?
What’s obvious to you may not be obvious to other people?
Likewise, what’s obvious to you at one moment may not be obvious to you at another, simply because you’re thinking about the situation from a different angle.
They don’t need to take your phone with them. They literally can just scan the code, because it sends all the info to their screen, that they were gonna look up anyway.
No way the government implemented an app for this use case. That’s extremely inefficient.
I thought you actually tried, that they took your phone?
Couldn’t these apps also use the Android/iOS’ wallet manager which allows handing it over unlocked while the phone is “closed” (not necessarily locked, though…)?
I don’t know if they could, because they will probably compromise all information into the wallet.
But it’s a good idea. I hope that it can be implemented like you said in a secure way.
Illinois at least passed a law to limit the consent given when using a digital ID with a police officer such that they’re ONLY allowed to use it for ID and not snooping, but that’s the only state to do so.
https://www.eff.org/deeplinks/2024/10/should-i-use-my-states-digital-drivers-license
But do you trust them to follow the law? I certainly don’t.
That means if I used the digital version, they would have had unlimited access to all my digital life. Photos, emails, chats, from decades ago.
Do they actually take your phone when you present it to them for digital ID? They don’t scan it and bring up the same information on their scanner?
No they don’t, they just scan it and don’t take the phone. But of course, they could.
I just double checked on my phone, on Android you can pin the current app, that limits access for the user to only that app. Unpinning requires you to essentially unlock the phone again. I wouldn’t hand my phone to a pig either, but if I pinned the app, it would be secure enough for a traffic stop.
For people with iPhone you can do this too.
Go to settings and pull down with your finger to get the search box to appear, then search for “Guided” and click “Guided access”.
Enable this setting as well as toggling “Accessibility shortcut”. Now you can open an app and triple click the lock button and select guided access.
Then on this screen you can press start in the top right or options in the bottom left to refine the controls, for instance:
- Side button
- Volume controls
- Motion
- Software keyboards
- Touch
- Time limits
Now the phone is locked in that app and to come out of it requires the passcode.
Thanks man. This is really useful whenever I need to show someone anything on my iPhone.
No problem.
Yeah it’s great for giving your friends your phone if you don’t trust them not to try and fuck with you for jokes. Or if using it for playing music in a group gathering.
Even for children using the device. Particularly as you can set the volume and not give them the permission to change it.
As others already stated there are solutions already to pin apps and to be honest, I feel I would not give the phone to a policeman like that.
On the other hand, what I’m more concerned about is giving the access to my phone’s data through different permissions to my government.
For example this is the list of permissions for the Hungarian government app: https://reports.exodus-privacy.eu.org/en/reports/hu.gov.dap.app/latest/#trackers
You’re absolutely right about the danger of giving up your phone, if the police wanted to take it from you. By sticking with traditional documents you remove any pretense they might have to try. It is not a stupid call, it’s just less convenient - but then, security is always a compromise with accessibility.