We, the undersigned, believe that identity systems must be built without the technological ability for authorities to track when or where identity is used. Such tracking can occur when either the identity verifier or user’s application interacts with or “phones home” to the identity issuer or another third party. Identity systems that phone home facilitate centralized tracking and control, privacy invasions, and other potential abuses. If this capability exists within a digital identity system, even inactively, it will eventually be used.
The first paragraph of the ‘No Phone Home’ statement makes its case eloquently. If digital identities like a mobile driver’s license are designed to communicate information to a central hub then they will be used to monitor our movements and actions. Power corrupts; creating the power to track a person through their ID will be too tempting a proposition for governments and big businesses to resist, no matter how many times they promise not to abuse this power. The ubiquity of smartphones means digital IDs are now easily realized as apps but that also means they run on devices that can report our location without our knowledge.
It is perfectly possible to create secure digital IDs without any tracking capability. That makes it worrying that governments are already developing new IDs with tracking capabilities without explaining their reasoning to the public. Or to put it another way, I can understand why authoritarians like the Chinese Communist Party and Vladimir Putin would want to promote the benefits of digital IDs without commenting on whether they provide a convenient mechanism to monitor and harass citizens, but it is harder to excuse the latent tracking capabilities that can be secretly and remotely enabled in mobile driving licenses because they comply with the relevant ISO standard.
The use of technology to infringe privacy has been commonplace for so long that our societies have spawned a guardian class of experts and non-governmental organizations (NGOs) that raise the alarm when new technologies put us in danger again. This time the resistance is being led by Timothy Ruff, co-founder of Digital Trust Venture Partners and a former guest on Commsrisk TV. His No Phone Home campaign was only launched on June 2 but has already secured the endorsements of many heavy hitters from the world of tech, privacy and civil liberties. They include:
- the American Civil Liberties Union (ACLU);
- the Electronic Frontier Foundation (EFF);
- the Electronic Privacy Information Center (EPIC);
- Professor Bill Buchanan, expert in applied cryptography and the first Brit to receive an OBE for his contribution to cybersecurity;
- Brendan Eich, former CTO and CEO of Mozilla who is now CEO of secure browser developer Brave;
- Christopher Bramwell, Chief Privacy Officer for the US state of Utah; and
- Bruce Schneier, author and lecturer on computer security who has also served as CTO of several security businesses.
This sample is arbitrary. There were many other well-known signatories to the No Phone Home manifesto at its launch, so I was flattered that Timothy wanted my name alongside them. The list of signatories has grown exponentially since then, indicating the strength of feeling about this matter, especially among American experts.
I suspect the only reason Timothy wanted my signature was to test his theory that Americans are more energetic defenders of their liberties than other nationalities. In particular, Timothy intimated that he expected less enthusiasm for the No Phone Home campaign from Europeans. I will be very glad if readers of Commsrisk living around the world show Timothy that he is wrong. The complete No Phone Home statement and list of signatories is here, the form to sign as an individual is here and the form to sign on behalf of an organization is here. Anyone wanting a lengthier examination of the dangers of Phone Home tech should read Timothy’s analysis here.
