
Iowa to launch smartphone driver's license - cryptoz
http://www.desmoinesregister.com/story/news/politics/2014/12/08/iowa-digital-smartphone-drivers-license/20114979
======
chacham15
The problem with this is simple: IDs are meant as visual verification. By
making an app to do this, you are now by definition allowing my machine to
create my identity. Therefore, it stands to reason that you will need a visual
way to verify that the machine created the right identity which in my opinion
is a bad problem to have. Therefore, people suggest using a machine to verify
the id, but that defeats the purpose of having _visual_ identification.

A simple hack utilizing this vulnerability that would be hard to fix is
getting someones phone and then replacing their image with yours (e.g. by
running the real program in the background and an overlay to cover their image
and replace it with yours, you could get fancier and find the distortions in
the image below and apply them to yours as well). In any case, the key here is
that a human looks at the image, not a machine.

~~~
joezydeco
In my state (Illinois), a police officer can retrieve the digital photo that
was taken at the time the license was issued. A simple radio check can also
verify the other information on the license.

In reality, if you know your license number you don't even really NEED to
carry the card. The app just just an easier way to carry that number around.
I've known people that have been stopped without a license on-hand but able to
recite their number, resulting in no trouble at all.

~~~
bicknergseng
Furthermore, it's not like physical licenses are particularly robust against
identity fraud. Go to the nearest college campus and you'll find a dozen kids
with fake IDs in 10 minutes.

------
jonknee
> Rather than digging through clutter in your glove compartment for an
> insurance card, you can simply hand the law enforcement officer your mobile
> phone.

Well that's one way to facilitate a warrantless search. Even without the
obvious privacy element, "Sorry officer, my ID ran out of batteries" seems
like a pretty common problem.

~~~
themartorana
This - I can imagine how quickly a judge will find that handing your phone
voluntarily to a police officer equals consent for the entirety of its
contents to be searched, even if you just open the ID app.

And oh, the convenience. It's already unlocked for me.

------
cgs1019
So now at traffic stops, "license and registration" can become "unlocked
cellphone and registration"? No thanks!

~~~
NolF
Android Lollipop has the option to pin the user to the app [1]

[1] [http://www.cnet.com/au/how-to/ho-to-pin-apps-in-
android-5-lo...](http://www.cnet.com/au/how-to/ho-to-pin-apps-in-
android-5-lollipop/)

~~~
seanp2k2
Moot points: [http://arstechnica.com/tech-policy/2011/04/michigan-state-
po...](http://arstechnica.com/tech-policy/2011/04/michigan-state-police-we-
only-grab-your-cellphone-data-with-a-warrant/) and this was in 2011...

------
kkamperschroer
The article makes no mention of this being used outside of law enforcement,
but wouldn't this be incredibly easy to fake at a bar, for example? A nearly
identical app except it's one where you can change the information. I don't
imagine plastic cards going away, in this case.

~~~
andrewfong
Possible solution would be for the verifying party to have a smartphone app
that could scan a QR code. But it's an added cost to them for very little
gain. That said, the state could certainly mandate that bars, etc. use the
scanner app.

~~~
hyperbovine
So now the state knows when and where I am ID'd? Thanks but no thanks.

~~~
freehunter
When I go to my local bar, they scan the code on the back of my ID to ensure
it's not a fake. At a bar down the road, they swipe it through a computer.
Sure, they look at it to see the age and compare the picture, but the computer
does the verification of it's legitimacy. We're already there.

Let me tell you about the state tracking you, since you're worried about your
ID being tracked. You know those signs on the freeway that say "15 minutes to
Taylor Street" or "25 minutes to I-94"? Nice and handy, you know if it says 20
minutes when it normally says 5, there's a traffic jam. You know how they get
that info? I learned this recently while working for a client that was
involved in those signs being installed in that area. They scan the Bluetooth
on drivers phones, and time how long it takes for a unique phone to get from
one sign to the next. The average of that is the time that gets displayed on
the sign.

So don't worry about your ID being scanned. They already know where you are.
But obviously they're not sharing the information real widely, since the
police took three days to find the person who hit my car and drove off even
though I told them the description of the car, the driver, and the license
plate number. So there's a little comfort I guess.

~~~
jcrawfordor
I've done some research in this area. Most systems are based on small radar
devices mounted to light poles along the freeway which measure vehicle speeds
traffic volumes at critical points (some traffic lights use these too now to
detect waiting vehicles). A less popular now (because of higher
install/maintenance cost) but still in use solution is magnetic induction
loops embedded in the freeway lanes, in pairs to allow for speed calculation.
The times are then extrapolated from the speeds at critical points (major
on/off ramps, junctions, etc). A newer and still somewhat cutting-edge
technology is the use of longer-ranch omnidirectional radars that can observe
traffic on a road for quite some distance.

One of the really neat things about the modern radar units is that they feed
into some software processing that can automatically detect accidents and
other types of unusual events and alert authorities.

I'm not saying that there aren't people using bluetooth, but I suspect it's a
small minority. I would think that if a municipality wanted to track
individual vehicles through an entire section they would be more likely to use
LPR, because it's a well established technology and there's a lot of inertia
in government purchasing (read: unwillingness to try new tech/manufacturers).

Edit: there's also the confusing issue of vehicles that are tracked by radio
transponders - these are going to be voluntary participants though, the
obvious groups being people with EZPass type toll transponders and semi trucks
with weigh station prepass devices (which are rather similar to the toll
system). I wouldn't be surprised if municipalities use this data for traffic
observation because it's already being collected for other purposes.

~~~
feld
Bluetooth is not a small minority. It's a huge business, and Trafficcast is
one of the leaders in this. Their product is called BlueTOAD. They're signing
contracts with governments left and right.

[http://trafficcast.com/news/](http://trafficcast.com/news/)

MADISON, WI October 18, 2010 - TrafficCast announced it has now finalized
agreements with nine leading distributors of traffic signal and control
equipment, enabling localized sales services and product support in forty-one
states plus the District of Columbia for its innovative BlueTOADTM
technologies.

MADISON, WI March 1, 2011 - TrafficCast International, Inc. today announced
that Econolite Canada, Inc. will distribute its BlueTOADTM line of products,
enabling localized sales services and technical support in the ten provinces
and three territories of Canada.

------
razster
I've been in contact with the said governor and Land Border Integration (WHTI)
to see if they'll accept ETC (Enhanced Tribal Cards) along side the
application. My hopes are that I can start creating digital cards for tribes,
a long side hard cards.

This will save so much time imo, and more secure than you're standard hard
card which is way to easy to replicate.

------
frankus
Assuming this acts only as a glorified replacement for a memorized license
number, it seems like a nice convenience.

But the nice thing (from a law-enforcement perspective) about plastic IDs is
that they can be made expensive to forge/alter, and (forgeries aside) it's
fairly easy to restrict the number of copies.

------
jackmaney
I find myself unable to comprehend how anyone could possibly think that this
is a good idea. If your ID is tied to your phone, then you're one phone-drop
away from not having an ID. Phones are fragile.

~~~
pavel_lishin
If you keep your ID in your wallet, you're one sewer grate away from not
having an ID.

~~~
dllthomas
I find I pull out my phone far more often than my wallet, and most places I
pull out my wallet are not right next to a sewer grate. On the other hand, I
also find that most times I drop my phone it works afterward.

------
liquidise
Does anyone know the project cost for developing this app? I've done a fair
amount of google'ing to little avail.

------
dyeje
So how do you prevent people from spoofing an ID?

~~~
uniformlyrandom
Cryptography, I guess.

Verification method must include authentication and authorization by means
other than human eye reading some text off a card (digital or physical).

~~~
yaur
The problem seems closer to DRM than code signing though.

Since I'm handing you the device I am in complete control of the output and
can clone the output of another card or any signing cert/key embedded in the
app. The incentive to do this is to: a) Get into a bar or b) Avoid being
arrested on an open warrant. Either of which I can see someone paying and risk
breaking the law to accomplish.

~~~
andrewla
I don't see any details, but it would be straightforward to have a token
(available as a bar code or a qr code) that represents a digital signature of
the photo/identity information, with the signer being the state of Iowa. Or a
TOTP to make it harder to use a screenshot for this purpose.

Or for police specifically, it could look up the token in the state's database
to access a photo and have a human verify that the photos match (and match the
person presenting the id).

The structured information is easy to sign; the photo is more difficult. I'd
be curious if they had anything intended for this.

