People poke fun that I prefer paper docs (notably boarding passes/tickets). However, last night I tried something new that involved starting a rental time and stopping it on my phone. That was the only way (despite it being a physical object that knew when I was very likely done with it). Sure enough I'm not getting data and can't access the button to stop it. The company refunded my few minutes of troubleshooting after I asked, but it makes me very wary for if my phone dies or freezes or glitches. Paper doesn't do that.
What happens when...
0. The police ask for ID, you provide it, and they search your now unlocked phone without your consent?
1. Your phone battery dies and you need to provide ID.
2. A perfect digital static copy of it is created, say from an inadvertent screenshot. Now there's a risk of having that get in the hands of someone else.
3. What if you need to give your ID to someone? Now you potentially have to give your phone to them.
4. How are counterfeit DDLs going to be policed? It seems like it makes making fake IDs trivial.
While going DDL only seems like A Good Idea(tm) in theory, it's probably best used as a backup to a physical card rather than the other way around.
The problems that a digital license solve always seemed so pointless.
They seem to come in two flavours:
* I want to compress every aspect of my essence onto my phone. These are the people who will kvetch if you don't accept Apple Pay because they haven't touched a physical Mastercard in years. They can't bear to possibly have TWO things in their pants pockets at once. Good for you, kid. Your aesthetic choices are not my government mandate.
* I want some means to supply filtered data-- switch the license into a mode that only says I'm 21, no home address or card number. In practice, no non-toy use case will permit it. Law enforcement will demand to see every field either because they don't know how to use the filtering, or see opportunities for fishing expeditions. Age-verification software at the bar that scans the license will inevitably be extended to plumb the data into a CRM, and thus will demand every field on the license.
In exchange I get something that runs out of battery, won't survive wading through a flood, and leads to frustrating exchanges with law enforcement who already can't identify most of the 82,000 different types of valid identity document in circulation.
Apple’s implementation doesn’t require unlocking the device, and the ID is validated as a ‘true’ ID rather than just an image through cryptographic exchange over NFC with a compatible ‘ID reader’ device: https://support.apple.com/en-us/118260
Within the next couple of CCC there will be a talk: copying and cloning everyone's nearby DDL with a long range NFC attack.
On the balance, even Apple's implementation seems like a privacy invasion nightmare for the minor benefit of convenience of not having a wallet+phone case.
I haven’t read deeply into Apple’s standard for digital ID, but I would assume that it’s implemented the way contactless payment via Apple Pay/Google Wallet/other mobile wallets is — rolling tokens that are valid for a single transaction. Skimming attacks are also improbable given that you need to authenticate with FaceID or a passcode for every transaction. It’s not like the phone is constantly blasting out ID/payment card details.