Transportation Cellphones Government Privacy Security Software

Iowa Wants To Let You Carry Your Driver's License On Your Phone

An anonymous reader writes: The Iowa Department of Motor Vehicles is busily developing software that will allow users to store the information from their driver's license on their smartphone. It would also add features like a simple barcode to scan for information transfer, and two-factor authentication to access it. "At first thought, the idea seems rife with potential security and privacy issues. It is well known at this point that nothing is unhackable; and if a project is made on a government contracting schedule, the likelihood of a breach is only greater. ... Questions of security, however, must take into account context – and there, it can be argued that our current regimes of physical documents have been an enormous failure. Having every state choose their own approach for issuing IDs has led to patchwork regulations and glaring weak points in the system that criminals have repeatedly taken advantage of. Driver's licenses today are regularly forged, stolen, and compromised – it’s far from a secure situation."
This discussion has been archived. No new comments can be posted.

  • by nucrash ( 549705 ) on Friday February 13, 2015 @10:19AM (#49047085)

    I don't see this as any different than Apple pay at some point. If this would help officers obtain validity of the license faster, this might be a benefit.

    I don't think this should be a requirement for Iowa drivers, but a perk of driving in Iowa.

    The downside that I can think of is that in many areas of Iowa I don't care to carry a smartphone because the lack of coverage there kills batteries.

    • by AmiMoJo ( 196126 ) * on Friday February 13, 2015 @10:24AM (#49047129) Homepage Journal

      It's a trap. If your driving licence is on your phone and you get pulled over, you have to hand over your phone. The cop takes it back to the car, data rapes it and hands it back. Later at the station they can analyse the contents offline, adding your contacts to the database of known associations and your selfies to their facial recognition database.

      • you beat me to it. this was the very first thing i thought of as well. while convenient, as it would make carrying a wallet unnecessary, it's a huge trap. you can't complain the cops have your phone, if you hand it to them. not to mention the camera you're probably using to document the stop is under their control.

        • you beat me to it. this was the very first thing i thought of as well. while convenient, as it would make carrying a wallet unnecessary, it's a huge trap. you can't complain the cops have your phone, if you hand it to them. not to mention the camera you're probably using to document the stop is under their control.

          However, if you hand your wallet over to a cop in the USA and there's cash in it he'll declare it 'obviously drug money' and confiscate it...

      • SCOTUS already ruled on this. Welcome to 2014.

        http://www.cnn.com/2014/06/25/... [cnn.com]

        • SCOTUS already ruled on this. Welcome to 2014.

          Yes, SCOTUS also ruled that you have a first amendment right to record the police, yet people are still being arrested (and occasionally beaten) for it, and often having their equipment damaged in the process. Your naivete might be cute if you were twelve.

          • That's fine and all, but when it goes to court, even a shitty lawyer could get any evidence obtained thrown out.

            As far as involuntary repudiation (e.g. the cops destroying evidence) I think it would be prudent for everybody to have their data securely backed up to a cloud service as it's acquired, preferably to some kind of zero knowledge storage provider.

            • You are forgetting about parallel construction. They can also just share your private photos with the rest of the department.

      • It wouldn't need to be so dramatic, just bump the phone with another device (or another phone.) NFC simply doesn't have the bandwidth required to do what you're suggesting, and it could easily be configured to be doable without unlocking the device.

        It could also be done in such a way that it authenticates without giving out any sensitive information (i.e. the reader sends a random number, and your device responds with an ID number (that isn't the same as your DL number) and a signed copy of the random numbe

        • It wouldn't need to be so dramatic, just bump the phone with another device (or another phone.) NFC simply doesn't have the bandwidth required to do what you're suggesting, and it could easily be configured to be doable without unlocking the device.

          +1

          If this becomes a thing -- and I strongly suspect it will -- I know the Android security team will be looking for a way to enable it such that police cannot get anything other than your DL data. Perhaps even a "police stop mode" which enables a lock screen even for users who don't normally lock their phones and turns on the NFC. How to make the UI on that easy to invoke in a hurry when you're flustered, but still out of the way, since it's only needed on rare occasions, is an interesting question challe

          • Users must be able to provide officers with DL information, but officers must not be able to get any additional data.

            Obligatory xkcd [xkcd.com].

          • by Nkwe ( 604125 )

            (Disclaimer: I'm a member of Google's Android security team, but the above represents only my own opinions not an official statement. You can certainly believe that they're opinions I will be sharing/pushing internally, though.)

            Sweet. Please consider taking this concept back to the team. On the unlock screen have three unlock codes: 1) The normal unlock code, 2) A "limited" unlock code that would allow access to a limited set of applications (and perhaps make the device look like it was mostly empty), 3) a "wipe" unlock code that wipes the device (or nukes the encryption key.) An additional "distress mode" unlock code could be useful as well - this mode would start audio and video streaming to some off-phone storage. The key featu

      • This is the biggest issue I see from having it on a phone. No thank you.
      • I already have my license on my phone, it's called scotch tape, bitchezz. and I can show the officer without even needing to unlock the screen!

      • It's a trap. If your driving licence is on your phone and you get pulled over, you have to hand over your phone. The cop takes it back to the car, data rapes it and hands it back. Later at the station they can analyse the contents offline, adding your contacts to the database of known associations and your selfies to their facial recognition database.

        That makes the assumption that for example Apple is run by total idiots. Paying with Apple Pay doesn't unlock your phone. This could work in a very similar way, instead of a payment terminal the cop has a license card reader, you put your phone on the button, your phone sends the license card data over, and _doesn't_ unlock the phone.

      • And how are you going to go about recording your stop when the police just took away your camera? What if they don't bring it back when they come back to your car, something serious comes up, and you have no evidence regarding what happened?

    • I think the secure element in Android's NFC payment (I'm not familiar enough with Apple) does a very good job at preventing fraud as far as that is concerned. If the driver's license identity system carried a similar security, then creating a fake ID would become enormously more difficult.

      Of course, similar results could be achieved with smart NFC/ISO7816 computer inside of a driver's license. (i.e. a system where the scanner sends a randomized number, and the on-card computer replies with a signed copy of th
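The challenge-response check described in this comment and in the NFC comment further up (the reader sends a random number; the device returns an ID that is not the DL number plus a signature over that number), as an added example that is not code from either post or from any DMV or vendor. Ed25519, the issuer-signed credential that binds the ID to a device key, and every name below are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical domain-separation label so these signatures cannot be reused elsewhere.
const label = "example-license-check-v1|"

// Credential is provisioned to the phone once: an opaque ID (not the DL
// number) bound to the device's public key by the issuer's signature.
type Credential struct {
	ID        string
	DevicePub ed25519.PublicKey
	IssuerSig []byte
}

// NewKey makes an Ed25519 key pair (used for both issuer and device).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge is the reader's fresh random number.
func NewChallenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

func credMsg(id string, pub ed25519.PublicKey) []byte {
	return append([]byte(label+"cred|"+id+"|"), pub...)
}

// Issue runs at the issuer (the DMV) when the phone is enrolled.
func Issue(issuer ed25519.PrivateKey, id string, pub ed25519.PublicKey) Credential {
	return Credential{ID: id, DevicePub: pub, IssuerSig: ed25519.Sign(issuer, credMsg(id, pub))}
}

// Respond runs on the phone: sign the reader's nonce with the device key.
func Respond(device ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(device, append([]byte(label+"nonce|"), nonce...))
}

// Verify runs on the reader, which trusts only the issuer's public key.
func Verify(issuerPub ed25519.PublicKey, nonce []byte, c Credential, sig []byte) (string, error) {
	if len(c.DevicePub) != ed25519.PublicKeySize { // ed25519.Verify panics otherwise
		return "", errors.New("malformed device key")
	}
	if !ed25519.Verify(issuerPub, credMsg(c.ID, c.DevicePub), c.IssuerSig) {
		return "", errors.New("credential not signed by issuer")
	}
	if !ed25519.Verify(c.DevicePub, append([]byte(label+"nonce|"), nonce...), sig) {
		return "", errors.New("nonce signature invalid: replayed or copied response")
	}
	return c.ID, nil
}

func main() { // key-generation errors ignored for brevity in this demo
	issuerPub, issuerKey, _ := NewKey()
	devPub, devKey, _ := NewKey()
	cred := Issue(issuerKey, "constructed-id-7f3a", devPub)
	nonce, _ := NewChallenge()
	fmt.Println(Verify(issuerPub, nonce, cred, Respond(devKey, nonce)))
}
```

Because the nonce is fresh per stop, a recorded response or a copied credential without the device's private key fails the second check.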

    • If this would help officers obtain validity of the license faster, this might be a benefit.

      The officer has a computer and data uplink in his vehicle - and a radio. Do you think he's going to trust *your* phone to verify *your* license? No he's still going to run it through his system, and to check for outstanding warrants on you, etc... Having your license on your phone does nothing to speed up the process, just allows the officer access to your, freely unlocked, phone.

    • by PPH ( 736903 )

      I don't see this as any different than Apple pay at some point.

      Nice if you could load up $20 on Apple pay and pass it to the cop along with your DL.

  • I like this idea. Yes it's prone to hacking. So are paper documents. Who hasn't forged an ID setting their age appropriately to get alcohol? :) And what happens when you lose your ID, in which most wallets or purses have absolutely no form of security?
    • Who hasn't forged an ID setting their age appropriately to get alcohol? :)

      I never did. If I wanted alcohol, I just grabbed a beer from the refrigerator. My dad always kept a six pack chilled, and didn't mind if I had one occasionally.

    • I like this idea. Yes it's prone to hacking. So are paper documents. Who hasn't forged an ID setting their age appropriately to get alcohol? :)

      I never needed to. Apparently the country where I grew up was a bit more free than the world's "freest" country.

    • Re: (Score:2, Interesting)

      by sjbe ( 173966 )

      Who hasn't forged an ID setting their age appropriately to get alcohol?

      I haven't. In fact I've never consumed any alcohol because the smell makes me nauseous. I've tasted enough beer, wine and spirits (I cook with it) to know that I find the taste repulsive as well. I have no moral issue with responsible alcohol consumption but I never saw the point in trying to get drunk, especially when under-age.

      And what happens when you lose your ID, in which most wallets or purses have absolutely no form of security?

      I get a new one. It happens. That's not really a big worry to be honest. I'm more worried about losing the credit cards, medical cards and cash contained in my wallet.

    • by dave420 ( 699308 )
      I've never had to show ID when buying alcohol (outside the US, that is). Where I grew up we didn't need to carry our driver's licenses when driving - if the cops needed to see it, they'd give you a notice to show up at your local police station with the ID within a few days. Land of the free my ass :)
  • by Bugler412 ( 2610815 ) on Friday February 13, 2015 @10:23AM (#49047127)
    Handing your phone to a cop grants them implicit rights to search the phone. Therefore, having your license on the phone is a backdoor way to grant them access to search your device.
    • by s.petry ( 762400 )

      Good call! This would immediately be abused because a device would have to be unlocked to show your ID. Someone (not you Burgler412) will probably say "well if you have nothing to hide" completely oblivious or forgetting that a cop in California was busted stealing people's selfies and sharing them with all his buddies and online. You may not have anything illegal on your phone, but that does not imply you have nothing you wish kept private either.

      I have to wonder... Did the greasy politicians wring

      • because a device would have to be unlocked to show your ID.

        Incorrect, and what you replied to:

        Handing your phone to a cop grants them implicit rights to search the phone.

        Is also incorrect. As I mentioned here:

        http://tech.slashdot.org/comme... [slashdot.org]

        • "Could" sure, but nothing you state relates to what is being developed and proposed. "Could of", "should of", "would of" and all that...

          • by JigJag ( 2046772 )

            and just to make sure it got said, it's neither "could of", nor "should of", nor "would of", but "could have", "should have", and "would have".

    • by duranaki ( 776224 ) on Friday February 13, 2015 @10:31AM (#49047201)
      Right? So don't hand them the phone. Hold it up so they can scan the QR code on the display. I don't hand my phone to the TSA Security guard validating my boarding pass, I just hold my phone over the scanner.
      • Right? So don't hand them the phone. Hold it up so they can scan the QR code on the display.

        Where I live, and based upon my experience :), the policeman asks you for your license and insurance card, then walks back to his/her vehicle to do the checks. There is no way for the policeman to scan the QR code while the phone is in your possession in your car. You would have to give up possession of your phone to the policeman while the checks are being performed.

        • What do you mean "there is no way for the policeman to scan the QR code while the phone is in your possession in your car."

          This system hasn't been implemented yet, that means that the cops don't have the necessary hardware... yet. The necessary hardware is a hand held NFC terminal or QR code scanner. He walks up to your window, taps on it, says license and registration. You hold up your phone, he holds up the scanner, you put your thumb on your phone's fingerprint scanner, the information transfers.

        • by duranaki ( 776224 ) on Friday February 13, 2015 @11:22AM (#49047685)
          Yeah, that's pretty much the routine because your license and registration have no inherent value. Your phone on the other hand, is a VERY personal and rather expensive device. It would be pretty insane to devise a policy where you *wanted* all your police officers to take temporary possession and responsibility for expensive fragile devices to accidentally drop on the asphalt and what not. If such a policy was created, no one would use it because no one would hand their phone to the cops. How would they occupy their time while waiting for the cop to write the ticket? I appreciate paranoia for paranoia's sake, but no implementation that has you surrendering possession of your phone just to show ID will ever fly.
        • by c ( 8461 )

          There is no way for the policeman to scan the QR code while the phone is in your possession in your car.

          Hold your QR code up to the always-on camera on his chest?

      • by quantaman ( 517394 ) on Friday February 13, 2015 @12:17PM (#49048187)

        Right? So don't hand them the phone. Hold it up so they can scan the QR code on the display. I don't hand my phone to the TSA Security guard validating my boarding pass, I just hold my phone over the scanner.

        Fine in theory until the officer opens with "can you please hand me your phone so I can check your license information".

        People have trouble saying no to completely unreasonable and unnecessary requests from cops, how many people do you think will start a police interaction by rejecting what sounds like a reasonable request for a standard procedure?

      • I thought you were holding it out for me to take...whoops...I'll bring it back to you in a few minutes.

      • You haven't had much experience with cops, right? Besides, even if you're only getting a traffic ticket, they'll want to take it back to their car.

    • Allowing a police officer to set foot in your house doesn't give them implicit permission to tear it apart. Why would this be any different? Especially after the Supreme Court ruled that warrants are required to search phones?

      (Those are rhetorical questions. It would be no different.)

      • Allowing a police officer to set foot in your house doesn't give them implicit permission to tear it apart. Why would this be any different?

        Opening the trunk of your car to get something for the policeman then allows the policeman to search the trunk. Once you hand the phone over to the policeman, he can search it.

    • it would also block the most common method of recording the interaction with the cop
  • by Kadagan AU ( 638260 ) <kadaganNO@SPAMgmail.com> on Friday February 13, 2015 @10:24AM (#49047133) Journal
    .. I can't show you my license because my battery died..
  • by queazocotal ( 915608 ) on Friday February 13, 2015 @10:26AM (#49047139)

    Licence has a qrcode or similar onto the DMV website.
    (proper verification apps ensure that the URL is actually the DMV website and ignore any other URL)
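One way a verification app could apply the rule in this comment, accepting only a URL on the issuer's own site and ignoring everything else a QR code might carry; this is an added example, not code from the post or from any DMV app. The host name `dmv.example.gov` and the function name are hypothetical, and the sample payloads are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical issuer host; the page does not name the real DMV endpoint.
const trustedHost = "dmv.example.gov"

// CheckLicenseURL accepts a scanned QR payload only if it is an https URL on
// exactly the pinned host, with no embedded credentials and no odd port.
// Any other payload is ignored rather than opened.
func CheckLicenseURL(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("unparseable payload: %w", err)
	}
	switch {
	case u.Scheme != "https":
		return nil, errors.New("scheme is not https")
	case u.User != nil:
		return nil, errors.New("userinfo present; the real host follows the @")
	case u.Port() != "" && u.Port() != "443":
		return nil, errors.New("unexpected port")
	case u.Hostname() != trustedHost:
		// Exact, case-sensitive match only: suffix or substring matching would
		// accept dmv.example.gov.evil.test or evil.test/?next=dmv.example.gov.
		return nil, errors.New("host is not the issuer")
	}
	return u, nil
}

func main() {
	// Constructed sample payloads, as a scanner might decode them.
	samples := []string{
		"https://dmv.example.gov/verify/abc123",
		"http://dmv.example.gov/verify/abc123",
		"https://dmv.example.gov.evil.test/verify/abc123",
		"https://dmv.example.gov@evil.test/verify/abc123",
		"https://evil.test/?next=https://dmv.example.gov/verify/abc123",
	}
	for _, s := range samples {
		_, err := CheckLicenseURL(s)
		fmt.Printf("%-62s -> %v\n", s, err)
	}
}
```

Only the first sample passes; the check runs on the parsed host, never on the raw string, which is what defeats the look-alike and `@` forms.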

    • by ihtoit ( 3393327 )

      all well and good but what's to stop the cop from rifling through the texts on the device you just voluntarily handed to him in an unlocked condition?

      That's right, NOTHING. At that point, no form of estoppel would be legal, in fact telling a cop he can look at your digital licence but not your text messages would give him cause for suspicion. Welcome to an overnight pending charges of possession of kiddie porn.

      • If enough states had drivers license apps, maybe we could pressure device manufacturers to make a "license mode." So you get pulled over and need to show your driver's license. You unlock your phone just enough that the drivers license can be displayed but not so much that other applications can launch (or photos/texts/etc can be rifled through).

  • Anything that involves me handing my unlocked phone to a police officer is a complete no-go... it would open any of the contents of that phone to their search.

    Sorry, this idea should be shot dead.

  • by jeffy210 ( 214759 ) on Friday February 13, 2015 @10:28AM (#49047169)

    The biggest problem I have with this and carrying your insurance on your phone is in order to produce it to authorities you have to unlock your phone. Coupled with some of the rulings we've seen about law enforcement being able to rifle through your phone without a warrant, this gives them instant access to everything beyond your license.

    I'd rather just stick to handing them a single card that is solely for that purpose.

    • The biggest problem I have with this and carrying your insurance on your phone is in order to produce it to authorities you have to unlock your phone.

      You have to unlock the phone? Says who?

  • and the overwhelming response was "NO". Why would it be any different now?

    • by Qzukk ( 229616 )

      Because this time they're absolutely certain that millions of 18-20 year old college students won't work to forge this ID and get drunk.

  • Enormous failure? (Score:5, Insightful)

    by fahrbot-bot ( 874524 ) on Friday February 13, 2015 @10:40AM (#49047263)

    ... it can be argued that our current regimes of physical documents have been an enormous failure.

    Unless, by enormous failure, you mean, has been working for hundreds of years, then citation please. No one's stolen my driver's license or any other physical documents - ever - and they're pretty simple to use - no batteries or cell signal required. In addition, I don't have a smartphone.

  • by omnichad ( 1198475 ) on Friday February 13, 2015 @10:47AM (#49047327) Homepage

    This is just a ploy to get you to hand over an unlocked phone without a warrant.

  • by goodmanj ( 234846 ) on Friday February 13, 2015 @10:48AM (#49047335)

    This is as good a place as any for me to jump on my favorite hobby horse: the US government should be issuing a standardized national ID; there should be a federal administration that handles identity of US persons.

    Specifically, the government should issue 2-factor authenticators to all citizens which do absolutely nothing but verify identity to businesses, people, and other government agencies. The service should return no name, address, or other identifying data: just a hash ID code which is unique for every person, and unique for every agency or business which requests your ID. Thus, a bank can verify that you're the same person who set up your bank account, the state police can verify that you're the same person who applied for a driver's license, but that's all they can learn about you. This would make it very difficult for anyone but the federal government to steal your identity, and tough for anyone but the feds to correlate your credit card data with your medical data with your Facebook profile.

    Obviously, this means the federal government would be able to use your identity records to track you. But they can do that anyway, with a quick call to a credit card company and your internet service provider. This at least keeps everyone *else* from being able to do so.

    • by gsslay ( 807818 )

      The service should return no name, address, or other identifying data

      Can you spot the flaw in the plan?

      The service should return no name, address, or other identifying data

      See it now?

    • Right now I can opt out of any identification requirements by simply not engaging in activities that require it. Don't want a drivers license? Don't drive. This will not be the case if any form of ID is created solely for the purpose of identifying individuals. Then you won't be able to 'opt out'. It will be a short step to requiring identification be carried at all times.

  • by dohzer ( 867770 ) on Friday February 13, 2015 @10:53AM (#49047383)

    On the plus side, if your battery goes flat, all you have to do is commit a crime and wait for the police to recharge your phone so they can access your ID card.

  • by grimmjeeper ( 2301232 ) on Friday February 13, 2015 @11:10AM (#49047525) Homepage
    So the government wants you to accept an application built by them, including giving it permissions to operate on your phone. You don't even need to hand your unlocked phone to a cop to have them looking around in your personal business. The app can do that all by itself any time it wants. Thanks but no thanks.
  • This wasn't a good idea the first time someone proposed this. Or the second time. Or the 5th, 10th, whatever.
    Having ID that I may need to hand to a city/state/federal official, that lives on my phone...is a complete non-starter.

    You get the little plastic thing in my wallet. You do NOT get all of my contacts and other information as well.
  • They want you to install an app. Yet pretty much a picture of the barcode is all that is needed. Considering the poor state of security on phones the rights are far too coarse-grained. The app needs to connect to the DMV for authentication means it has access to data at all times. You quickly have a heavily encrypted app that can expand its scope of permissions with clueless users.

    They will I assume want you to hand your phone to the cop unlocked. Maybe you're smart and set up a secondary login with o

  • See the USA in your Chevrolet... But bring a physical driver license.
