[HN Gopher] FOIA requests show Apple's emails pitching state age... ___________________________________________________________________ FOIA requests show Apple's emails pitching state agencies on IDs and Wallet app Author : danso Score : 177 points Date : 2021-09-28 15:34 UTC (7 hours ago) (HTM) web link (www.muckrock.com) (TXT) w3m dump (www.muckrock.com) | [deleted] | nojito wrote: | Isn't the implementation the same between Android and iOS? | marcellus23 wrote: | Yeah, my understanding is that Apple is using a standard: | | > Apple's mobile ID implementation supports the ISO 18013-5 mDL | (mobile driver's license) standard which Apple has played an | active role in the development of, and which sets clear | guidelines for the industry around protecting consumers' | privacy when presenting an ID or driver's license through a | mobile device. | | https://www.apple.com/newsroom/2021/09/apple-announces-first... | [deleted] | literallyaduck wrote: | "Just unlock your phone so we can ID you." | | Edit: | | How the technical implementation works is irrelevant to how the | "boots on the ground" will use it. "We can't accept this until | the device is unlocked." will be a common refrain. Or "I need the | device to verify" while they eliminate your video record of the | encounter. | | We just recently saw how Apple bends over for government demands. | t3rabytes wrote: | Except that isn't how it works. | | > Only after authorizing with Face ID or Touch ID is the | requested identity information released from their device, | which ensures that just the required information is shared and | only the person who added the driver's license or state ID to | the device can present it. Users do not need to unlock, show, | or hand over their device to present their ID. | | https://www.apple.com/newsroom/2021/09/apple-announces-first... | _jal wrote: | Cops routinely use possession of a target's ID as a detention | method during traffic stops. | | I rather suspect we'll see begin to see stories of | substituting phone possession if this becomes widespread. | | Related... do "I've been pulled over" recorder apps continue | to run while this is active? | eli wrote: | The intent is that you tap the phone on a reader and that | it doesn't leave your possession. | [deleted] | fay59 wrote: | People need to accept that the moment you're face to face | with a cop, software isn't going to restore accountability | on the spot or give you an edge against an adversary that | has the monopoly of violence. If your threat model is that | you should be prepared for a cop to seize either your | physical driver's license or your phone, you should make | sure you carry the one you care the least about with you. | dwaite wrote: | In many locales they will not be able to retain a phone | legally without court order because of laws/rights around | search-and-seizure. | | Unlike a state-issued ID, the understanding is solidly that | the phone is the citizen's property. | crooked-v wrote: | > legally | | There's the problem. Cops do plenty of illegal things all | the time. | | That's before even getting into how civil forfeiture | exists as a massively profitable and federally-approved | end-run around the Constitution. | blitzar wrote: | Sure makes collecting up ID's quicker if it is just tap and | go. They should also log the transfer/recipient for the user. | | Wonder what kids are going to do for fake ID when you have to | tap to get into the club... | rurp wrote: | Oh I'm sure motivated kids will find hacks and workarounds. | If anything it might end up being even easier to fake your | age; especially when dealing with businesses that are | totally apathetic or unknowledgeable about technology. | borski wrote: | I can't tell if you're implying fake IDs are something we | should try to keep around; I have no problem improving | security for underage kids. | | Signed, someone who definitely did but shouldn't have been | clubbing at 14. | blitzar wrote: | I am implying that kids will find a way, for those of us | that live in the free world and are adults at 18 it is | less of a burden. For the poor souls in the US who _come | of age_ at 21, fake phones for id might be the new | accessory. | borski wrote: | Yes, some kids will find a way. I would have. But I have | no problem making the barrier to entry higher, at least | until parents start responsibly introducing their kids to | alcohol or drugs instead of just _pretending they don 't | exist_ or worse, arguing they are awful from a religious | or otherwise zealous perspective. | | In a perfect world, parents would teach their kids about | how to party responsibly, but we don't live in a perfect | world. At the very least, when kids get older they can | arguably make slightly better decisions (e.g. think more | clearly) _sometimes_. | justahuman1 wrote: | Hold someone else's phone? | DigitallyFidget wrote: | That's what concerns me. It wouldn't be unreasonable or | impossible for this to happen. The physical IDs have a | ton of security features to them. And that's actually not | even required. It's NFC based tap, someone will find a | way to exploit and spoof a valid ID. | dwaite wrote: | Typically if presenting in person (such as airport | security) you would need to also release your picture, | which would show up on the TSA agent's terminal next to a | big green checkmark for the valid cryptographic | signature. | | Without the picture? My understanding is that release | does require authentication, and the message could | disclose whether that was done with say the fingerprint | used when the license was added to the phone. | | The use of cryptographic signatures means the weakest | link would likely be the identity verification process of | the issuing DMV (or their app). | judge2020 wrote: | If it's in any way reliant on a central database, or even | PGP, I fail to see how you could fake an ID besides | finding someone that looks like you and sending that in | your place. | dylan604 wrote: | It would be interesting if the tap just sent over an ID | number and then the receiver downloads the data including | photo on file. | Bud wrote: | Good! Apple _should_ be pitching beneficial technologies like | this. | Lamad123 wrote: | This company wants to shipify the rest of society at all cost!! | PerkinWarwick wrote: | Hey, at least they're not requiring a chip implant. | | Of course the phone OS people are going to do this. Judging from | a few years of Live PD, every single person getting pulled over | never ever has a valid ID, but always always has a cell phone | that they clutch like their life depended on it. | | Anything in the article is just a detail that is being hashed | out. | rastafang wrote: | > Hey, at least they're not requiring a chip implant. | | Baby steps... | jasonpbecker wrote: | The tone of this article is bizarre, ignoring the fact that Apple | is implementing an ISO standard. It's interesting that states | interpreted this conversation as a procurement conversation, | since it's not clear the government is being asked to buy | anything but instead to see where they are on the mDL standard | and whether they'd be interested in participating in Apple's | early phase release of support for that standard. | | The information is useful, but the whole framing is very strange | and conspiratorial that's not supported by the emails or the | facts. | lotsofpulp wrote: | One formula for low hanging clickbait is <large organization> + | <conspiratorial topic> = plausible deniability for exploring | option of malicious intent regardless of lack of evidence. And | due to their success, tech companies make for great candidates | for <large organization>. | jonas21 wrote: | This is also important to keep in mind when reading articles | about less well-liked companies, e.g. Facebook, Amazon, etc. | fsflover wrote: | So Apple joined them now it seems. | 1vuio0pswjnm7 wrote: | Who invented "clickbait". What is the purpose of "clickbait". | | Non-profits like MuckRock are to blame. They are not selling | advertising, but clickbait has nothing to do with | advertising. | | Moreover, tech companies have nothing to do with clickbait | nor advertising. They are not spreading clickbait like non- | profits that submit FOIA requests. Tech companies do not | profit from clickbait. Tech companies have sources of non- | advertising revenue and legitimate business purposes that | benefit society. Unlike non-profits making FOIA requests that | spread clickbait. | | In 2012, EFF filed over 200 FOIA requests through MuckRock, | for information about drone usage. EFF should stop | participating in these clickbait campaigns. | | We should be thanking tech companies not scrutinising them. | Tech companies mind their own business, they do not try to | learn what their users/customers are doing. Tech companies | respect our privacy. These non-profits submitting FOIA | requests are a nuisance. They do not respect the privacy of | Apple and governments. Both deserve to be left alone, to do | their work in private. | | Why don't people trust tech companies. They have done nothing | wrong. | | A conspiracy requires two or more actors. Thus, if the topic | must be "conspiratorial", then the formula should be | | <large organisation> + <co-conspirator> [+ <conspirator> ..] | + <conspiratorial topic> = plausible deniability for | exploring option of malicious intent regardless of lack of | evidence | | Apple is the large organisation. The states are the co- | conspirators. A non-profit submitting FOIA requests. | Definitely clickbait. | joekrill wrote: | Did you read the emails, though? They certainly don't sound | like simply asking about "where they are on the mDL standard". | They are asking for NDAs to be signed - why is that necessary | if this is just about the progress of implementing an ISO | standard? | | And there's this from CA: | | > The agreement I've been provided goes beyond a POC and | appears to create more of a long term relationship. | kelnos wrote: | I agree that it's interesting and useful, but the article | also tries to spread some FUD about this being "Apple's | standard" when it's not (with some fearmongering rhetoric | around "what about Android?", "what about other competing | systems we haven't heard of yet?"); it's an ISO standard for | mobile driver's licenses. I'm actually surprised and pleased | that Apple has decided to go with a standard instead of doing | their own thing, as usual. | | But the author of the article either a) can't be bothered to | do some basic research about the topic she's writing about, | or b) is deliberately stirring up (fake) controversy to | increase engagement. Either thing is pretty bad. | crooked-v wrote: | > They are asking for NDAs to be signed - why is that | necessary if this is just about the progress of implementing | an ISO standard? | | I'd assume there's something in there about Apple sharing | their product roadmap and planning, so they can get all the | ducks in a row for a unified launch rather than support | coming in piecemeal. | tester89 wrote: | Sorry, which ISO standard? | CalChris wrote: | ISO 18013-5 mDL mobile driver's license standard | | https://www.apple.com/newsroom/2021/09/apple-announces- | first... | judge2020 wrote: | Would be nice if these standards were open. Can't audit it | until it's introduced in iOS 15.x, I guess. | | Edit for reference: | https://www.iso.org/obp/ui/#iso:std:iso- | iec:18013:-5:dis:ed-... | skissane wrote: | Having a look at your link, I see section A.3.10 is | proposing the use case "Vote or register to vote". | | Given how politically controversial the issue of voter ID | is in some places (especially the US), I'm wondering if | this this ISO standard is going to get mixed up in that | political controversy. | lscotte wrote: | As predicted. say anything that casts Apple in a negative light | here on HN and get instantly modded down. It's OK, I expected | it. | user-the-name wrote: | You talk about a "reality distortion field", but you are the | one here who is just making things up. | Lamad123 wrote: | These sheeple become wolves with sharp teeth when defending | their. "Bottle of mine, it's you I've always wanted! Bottle | of mine, why was I ever decanted?" | blitzar wrote: | I am no fan of digital ID's but did he really need a FOIA request | to break open the idea that Apple were thinking of adding drivers | license to their native app and talking to the DVLA in various | states about it? | | _> "How did it happen? Why had I or no one ever heard of it, | given I know a lot of folks in the government tech space?"_ | | Apparently this guy doesnt know much ... but enough to waste some | peoples time with useless FOIA requests. | | _UK shows off prototype of digital iPhone driving license using | Apple's Wallet app - May. 13th 2016 11:06 am PT [1]_ | | _Louisiana, where I live, was the first state to roll out a | digital driver 's license on July 3, 2018, and a few other states | are working on similar initiatives. The app that you use in | Louisiana is called LA Wallet. [2]_ | | [1] https://www.macrumors.com/2016/05/13/uk-digital-driving- | lice... [2] https://www.iphonejd.com/iphone_jd/2018/07/review-la- | wallet.... | johnm212 wrote: | > Apparently this guy doesnt know much ... but enough to waste | some peoples time with useless FOIA requests. | | I think this is really useful. | | Apple and Microsoft have some of the most sophisticated | BD/partnership teams in the world. | | Many companies who partner with Apple use an internal codeword | and don't let others within the company know the client, terms | of the deal, or the scope of the work. | | Being able to see how Apple is approaching these deals is | really interesting and valuable. They are going into 50 states | and dealing with the DMV. The DMV has a reputation of being | disorganized and not very technical. Apple has the opposite | reputation. We are getting a front-row seat into how | "disruption" happens. | | Even if partnership deals don't get you excited, having | transparency into how private companies do business with the | government is almost always a good thing. | azinman2 wrote: | And what did we learn? Not a whole lot. Just a pretty regular | plain process asking for meeting and setting up some articles | of understanding to implement an ISO standard, with the | expected twist that it was under NDA until the public | announcement. | tw600040 wrote: | //I am no fan of digital ID's | | Why not? What's not to like about it? if it can be implemented | in a reasonably foolproof way? Isn't being able to ditch the | wallet a huge win? | zentiggr wrote: | Hit the nail on the head: "if it can be implemented...?" | | We're talking 50 individual state governments here. We all | know that federal, state, and local govt IT practices are | basically troubled at best, disastrously shoddy at worst, the | only way I would accept this idea is if it was a completely | optional, user-chosen, option for an ID. | | I would want at least ten years of first adopters getting | their lives shafted and/or stolen and/or stalked and/or | breached before I'd ever think of even using the optional | service. | | Yes, little trust. | gumby wrote: | It's an ISO standard. | | As the experience of Estonia shows, a digital ID can be | very useful and effective, but does take some work (they | had a big revocation effort to manage, which they were able | to do so because their country is so small). | | Bigger countries such a Germany have basically punted on | this issue. | | I'm a big fan and disappointed that California isn't in the | vanguard. | Karunamon wrote: | And as we all know, standards are implemented faithfully | and to-the-letter in real life. /s | | What's the problem this actually solves for the average | person? Obviating a physical card? | notJim wrote: | It's so funny to me that HN is so skeptical of technology | sometimes. Why build the internet when you get all the | information you need at the local library? Why have cars | when my horse provides companionship and transportation | at the same time? | | To answer the question though, since Apple Pay now works | almost everywhere, my ID is one of the only cards I still | need to carry. If I had a digital ID, I don't think I'd | need to carry a wallet anymore. | gumby wrote: | I don't think of HN as a "technology fan site" but people | who have to deal with this stuff every day. Some caution, | especially based on experience, is warranted. | | > To answer the question though, since Apple Pay now | works almost everywhere, my ID is one of the only cards I | still need to carry. If I had a digital ID, I don't think | I'd need to carry a wallet anymore. | | Where do you live? I currently live in California so only | carry ID when driving or (more recently) when planning to | enter certain buildings, like federal buildings or | airports. Otherwise I don't bother and it hasn't been a | problem for me. | | Sometimes people do ask for ID (or an SSN) but when I | politely say "I'm sorry I don't have one" they typically | want to do business with me so magically don't need any | info. | | I'm clearly over drinking age and don't need controlled | prescriptions. | kelnos wrote: | As someone who has been building software for 20+ years | now, I know how it fails and how it can make people's | lives miserable. I know how developers cut corners and | how quality always takes a back seat to other business | concerns. I know how technology can erode privacy, or be | used as a tool for governments to exact more control on | their citizens. | | I'm probably more skeptical of technology in everyday | life than your average non-technical person. | | > _Apple Pay now works almost everywhere_ | | I live in a city, and Apple/Google Pay definitely does | not work anywhere near everywhere (even after more | businesses went contactless due to COVID). I wouldn't | think of leaving home without physical credit cards. | | (I was at a bar this weekend. Ironically I could not pay | my tab with my phone, but their photobooth took Apple & | Google Pay.) | gumby wrote: | Yes, I leave my DL my gf's car (which annoys her no end) | as that's the only place I would need it. I don't carry a | wallet any more. | sofixa wrote: | Yes, and also enabling not-physical validation (e.g. you | could open a bank account or w/e similarly strict thing | online, with your identity being verified automatically). | It's convenient and saves time. | beambot wrote: | The US still doesn't have wide-spread use of chip & pin | on credit cards. Innovation & adoption of digital | identity in this country is unlikely to be rapid. | jackson1442 wrote: | > The US still doesn't have wide-spread use of chip & pin | on credit cards | | That's not really the case anymore. The new struggle is | contactless. I can count on my hands how many times I've | had my current debit card swiped (which is good since its | stripe is looking like shit by now). | | Gas stations are finally implementing chip transactions | (the deadline is Oct 2021 iirc), which fortunately | generally includes a contactless reader. | | But alas, we'll likely see the same problems with digital | ID that we have with REAL ID. | kelnos wrote: | > _if it can be implemented in a reasonably foolproof way?_ | | With my wallet, I run the risk of losing my ID or having it | get stolen. | | With an ID on my phone, I still have those risks, but now I | also have the risk of dropping the phone and breaking it, as | well as the battery dying. Not to mention just some random | software glitch breaking things. | | > _Isn 't being able to ditch the wallet a huge win?_ | | For all but the most trivial of trips outside my home (where | I expect to need ID), I doubt I would leave my physical ID at | home, ever. And if I have to carry it as a backup, why have | the digital ID at all? | colordrops wrote: | What an odd idea that FOIA requests are a waste of some | employee's time, considering the vast amount of waste in the | system already. Anything that can be released with an FOIA | request should never have been locked behind closed doors in | the first place. Locking public information up is shady and is | the true reason that is wasting everyone's time. | throaway46546 wrote: | Doesn't the FOIA requester have to pay for those employee's | time anyways? | dhosek wrote: | It varies depending on the agency, the scope of the request | and the purpose of the request. For just one example, | here's the State of Illinois FOIA FAQ: | | https://www2.illinois.gov/dnr/FOIA/Documents/FOIA_Frequentl | y... | lnxg33k1 wrote: | Taxpayers already do with their contribution to the country | budgets, in EU you can submit FOIA for free to governments | entity and to any private company who received government | funding, it's a matter of public interest and if you | receive my money (as taxpayer) then you put into account | the fact that as a citizen I might request some answers | siruncledrew wrote: | >"How did it happen? Why had I or no one ever heard of it, | given I know a lot of folks in the government tech space?" | | I had a good LOL at that too. I remember people in uni were | even talking about this in a business course like 10 years ago. | This is not like a groundbreaking idea to digitize an ID. | sumthinprofound wrote: | > I am no fan of digital ID's but did he really need a FOIA | request to break open the idea that Apple were thinking of | adding drivers license to their native app and talking to the | DVLA in various states about it? | | He would need an FOIA request to each state DMV for | documentation on the agencys' responses to Apple and any | internal deliberation on the matter. | clairity wrote: | state/federal agencies should never use any third-party software | that exfiltrates any personal data of residents (especially | google, which already infests governments & schools). it should | be self-evident that this creates an irresistable incentive for | the state and corporations to consolidate power, capital and | influence against the populace. | Loughla wrote: | >especially google, which already infests governments & schools | | Working in schools, I can assure you, google classroom and all | the accompanying apps are not some cabal from the schools. | They're free. That's the incentive. | | Also, I would ask, what is the other option? That the | government builds and maintains specific programs for every | function? How okay are you with taxes going up quite a bit? | Because they will need to in order for the public sector to | compete for talent with the private sector. | | My opinion is that these sorts of things don't need to be | electronic, as paper is more secure anyway. But maybe I'm a | Luddite. At the very least, I am privileged enough to have a | career that allows me the flexibility to interact with | government agencies if I need to. If I was still working | retail, I could see how online services would definitely be a | plus in time saved. | clairity wrote: | yes, the government should generally build the software they | need to support essential functions for the populace, which | certainly can include open-source/collaboratively-developed | software, even the paid kind. we shouldn't allow government | to decide to pay for software by gutting individual privacy | and liberty. that goes counter to the spirit of our | inalienable rights. | | also, "taxes will go up" arguments are at best naive. taxes | (amounts/rates) have little correlation with supporting the | essential needs of government. they're primarily employed to | generate leverage, (unfair) economic gain, and power. public | sector pay is uncompetitive because politicians and | bureaucrats don't find competitive pay to serve those | purposes. | | but yes, paper is perfectly fine technology for most | educational purposes, relatively secure and private | intrinsically. | toomuchtodo wrote: | Due to how education authority is distributed and | entrenched in the US, it is exceptionally unlikely they | have the competency to build the software tooling they need | for essential functions. Khan Academy tried to provide this | service, but it appears there's been very little uptake. | It's even worse if you're a startup, with horrendously long | and tortured sales cycles and your contract at the whim of | career admins and politicians. | | Charter schools as the developers or consumers of such | software, as well as homeschoolers, would see better | outcomes imho. Retooling public schooling apparatus is a | lost cause (although there is likely some small impact to | be realized if you're a technologist in a position where | you can deliver disproportionate impact to your local | institution). | clairity wrote: | yes, no doubt the challenges are significant, given the | centrality of public education in local, state, and even | national politics, but policy (slowly, piecemeal) got us | into this problem, and perhaps only policy (after a long | cycle of learning & debate) can get us out. | | the main point is that a key (hopefully self-evident) | principle is that our liberties shouldn't be for sale at | any price. if that means states/localities need to | develop software (and software development as a | competency), so be it. political winds can change. | | but as has been pointed out, it's not even clear that we | really need much new technology, when existing tech seems | to be perfectly satisfactory, if unexciting. the mass | distance-learning experiment we just experienced seems | largely a failure. turns out learning, while central, is | only one of many educational concerns, and computer-based | learning is at best augmentative, not primary (unlike, | say, school administration systems). | monksy wrote: | Good to see the IL was direct in rejecting the idea of an NDA. | Meetings like this should not be hidden from public view since it | involves decisions that affect the constituents. | | Also, Apple seems to have this backwards: The states don't | operate on their product schedule. Nor should they. | [deleted] | perf1 wrote: | Is the end Goal to make the internet only accessible via Digital | ID and kill of the anonymity? | tw600040 wrote: | I don't think that is the end goal. But obviously we need | protections to make sure this doesn't lead to that case. | ezfe wrote: | You could ask the same about Apple Pay: "Is the end Goal to | make Apple Pay the only payment method supported on the | internet and kill credit card numbers" | | Not only is there nothing to support your claim, there's no | reason to believe this would be the next step if your claim was | accurate. Instead, they'd just...require ID on the internet, | it's not like that's not currently possible. | leecb wrote: | Is the end Goal to make conversation only accessible via the | telephone and kill off in-person conversation? | sneak wrote: | There's lots to support his claim. You can't use Homepods | without an iCloud account, you can't get an iCloud account | without an Apple ID, and you can't get an Apple ID without | providing a phone number and email address. | [deleted] | dwaite wrote: | The (eventual) goal is not to kill off anonymity, but to better | support user control of data and thereby give more anonymity. | | You should be able to prove your age to buy liquor, without | disclosing any other information (including your name or birth | date). That should work without the government or any other | party knowing you. But we are still on the road to get there. | | There are numerous other efforts for decentralized identity | systems where the user 'holds' digitally signed credentials and | presents them under consent. While most parties realize that | reducing data release and supporting anonymity are important | objectives, the different efforts (and participants) have | different priorities. | | Some efforts, like Smart Health Cards, do not support selective | disclosure of information, instead just supporting digital | medical documents as signed data. This was a scope reduction to | get a system out more quickly for COVID vaccination | credentials. | | Mobile drivers licenses support selective disclosure, but many | privacy controls are really being implemented via | certification, where compatible reader devices are being | limited to those who certify that they discard data after use. | | There are stronger primitives like Anonymous Credentials [1] , | which also make the cryptography itself unlinkable, and | predicate proofs which let you present answers to questions | without presenting the underlying information. However, | standardizing and deploying such crypto at scale takes years. | | [1] http://cs.brown.edu/people/alysyans/papers/cl01a.pdf | [deleted] | duxup wrote: | This makes sense to me. Apple wants to have their wallet app hold | some state IDs so they reach out to states to talk about how it | might work or not work with them. | | The quotes from the technologist in the article just seem kinda | random. I feel like those would be the basis for an article ... | once you know them, but nothing in that article answers any of | them or tell me that any of them are a problem. | bingohbangoh wrote: | Well yeah, you can put your driver's license in your apple wallet | in some states now. ___________________________________________________________________ (page generated 2021-09-28 23:00 UTC)