No Phone Home Overview: How the industry has responded to ISO/IEC18013-5:2021 (Mobile Driver’s License)

In the past few weeks, there has been significant attention from both the media and the digital ID industry regarding ISO/IEC18013-5:2021, and in particular, the potential surveillance capabilities of this standard. This article showcases why privacy experts have been arguing for secure and non-Owellian government services: 

‍

Digital Public Infrastructure is taking the world by storm, with Digital Identity as the leading edge for its adoption. For the most part, this has been a welcome change that has been mutually beneficial to both the user (citizen) and issuer (government) due to streamlined efficiency and improved data recording/verifiability. The latest service to undergo this shift has been mobile driver's licenses (mDLs). 

‍

In theory, mDLs are a good move because: 

‍

• The issuer (usually the DMV or local equivalent) issues the digital license. 
• The holder (the citizen) has sole digital ownership, with an ability to provide it in many different situations.
• The verifier (usually a police officer, TSA agent, or alcohol/tobacco clerk) can retrieve the needed data at the time of verification through its public key (such as age, driving permit validity, etc.).

‍

‍

‍

However, in practice, some of these systems have been built with back-end channels that can alarmingly enable surveillance and control from both the government and corporations. To verify a credential, a "phone home" function involves the app automatically contacting the developer, issuer, or its vendors (aka, a proxy) without the user's knowledge or consent. This can occur live or delayed, but with the same ultimate effect of surveillance and control by the issuer. 

‍

The public purpose for phoning home is to complete tasks, update information, or transmit details regarding the smartphone's location or status. In fact, this federated protocol was widely accepted and adopted within the $15bn Identity & Access Management industry as it is what enabled single sign-on (SSO) capabilities - something that corporate workers and individuals use every day. In this context, an SSO is phoning home to itself to verify every login. This is considered an “intra-domain” interaction within a single organization, and thus, an acceptable use case. The problem with the ISOs deployment in mDLs is that it enables “inter-domain” phoning home, which signifies it can “call” across organizational boundaries.

‍

To provide a (not-so) hypothetical example of how this would operate in the real-world should the standard remain; when you use your mDL to verify your age when purchasing a pack of cigarettes, data would be sent to the issuer (in this case, the government), so that the store clerk can confirm that you are indeed of age to purchase the item. However, the government has no need to know what you are purchasing and at what time. To take the example further, you would no longer have control of what the verifier is doing with your data, and it would be perfectly viable that they are selling it on to an insurance company, which could raise your monthly premium in light of this purchase.

‍

It is immediately clear in this instance that this practice of phoning home carries significant risks to the user. Firstly, it can jeopardize privacy by sharing the mDL Holder's data with entities like the DMV or private vendors. Secondly, this allows for long-term correlation and tracking, severely increasing the risk of abuse by malicious actors in the future. It’s also important to highlight that mDLs are spreading to more use cases (banking, shopping, car rentals), meaning more control opportunities.

‍

International Organization for Standardization (ISO) is the body responsible for the ISO/IEC 18013-5:2021, which is the main technical standard mDLs employ. It is this standard that permits server retrieval for mDLs and enables authenticated data checks with issuers. It mandates that mDLs have a system capable of “retrieving data.” Initial discussions regarding the standard’s safety were discussed in a webinar at the end of 2024. Critics argued it was developed in closed processes by corporations and lacks public interest representation.

‍

American Association of Motor Vehicle Administrators (AAMVA; mDL standards body) warned of the risk in Dec 2024 (v1.4) and advised against server retrieval in May 2025 (v1.5), but the ISO 18013 standard still includes the controversial server retrieval capability. Christopher Goh, the Austroads National Harmonisation Lead on Digital Identity, argues the feature was added for security, not surveillance, and is optional, not mandatory.

‍

The response to Goh’s perspective has been fairly unanimous from the Digital ID industry. Experts have banded together to sign a statement found on “nophonehome.com”. It reads, “Identity systems that phone home facilitate centralized tracking and control, privacy invasions, and other potential abuses. If this capability exists within a digital identity system, even inactively, it will eventually be used.” 

‍

Nophonehome.com is a signed statement from the majority of VIPs within the Digital Identity ecosystem. The very people working on creating ethical ID systems have come together to highlight how phone home capabilities within ID systems could be detrimental to a citizen’s basic privacy rights. The campaign demands mDLs use privacy-preserving standards and disable or eliminate tracking functions. It argues that technical capabilities for surveillance should not exist at all, even if inactive, because they can be misused or accidentally activated.

Some signatories, such as Alexis Hancock of the Electronic Frontier Foundation, acknowledge the statement isn’t perfect, but see it as a necessary start to push mDLs in the right direction. Ultimately, credential revocation and verification can be achieved without phoning home, using decentralized approaches such as SSI (Self-Sovereign Identity) or ZKPs.

‍

Other notable digital rights groups that signed are the American Civil Liberties Union (ACLU), Electronic Privacy Information Center (EPIC), and Center for Democracy and Technology (CDT). In total, over 30 organizations signed the statement. 

‍

Our take on the subject is that we, as Key State Capital, endorse the no phone home statement. As an angel syndicate that invests in ethically created decentralized and verifiable ID systems, it is a paramount step within our due diligence process to understand and review any backdoor capacities of the technologies we invest in. While not the sole prerequisite for an efficient privacy-focused identity system, the absence of phone home features is an essential aspect.