51 comments

[ 3.1 ms ] story [ 99.9 ms ] thread
So now at traffic stops, "license and registration" can become "unlocked cellphone and registration"? No thanks!
It specifically says you can choose to keep a plastic ID, so, yes, but only if you opt into it. Certainly interested if this is a way to entice people to unlock their phones, though.
This would be shocking to me. I can't imagine that this is so sneakily being used to entice people to unlock their phones to get around laws. As much as that possibility is something that could happen, I think HN tends to be waaaay too far to one side of the debate where this thinking dominates the main purpose of these kind of changes.
The difference is that the law, even thought might not be intended to unlock phones for cops, it will be used that way regardless.
Who is making the software for this? Is that software open source? Did you know that US Presidential Elections use 10M+ voting machines that are closed-source, and made by a company friendly to the Republican Party?

So here, the government steps in and says "here's some closed-source software that you now will trust your life, security, property and government with. You're not allowed to know how it works, if you try to find out we'll throw you in prison."

Yes, HN tends to be wayyyy on the side of disbelief in the official words of the government on topics of software & trust. But isn't that healthy? Isn't that the way it should be? When the governments come at us with secret software and threatens us against learning about it, we should absolutely assume that it is intended for evil. Otherwise, how will we know when it "actually" is?

> Did you know that US Presidential Elections use 10M+ voting machines that are closed-source, and made by a company friendly to the Republican Party

Yet republicans have lost 5 of the last 6 presidential votes.

That's just a red herring to make you think they aren't rigging elections!

</tinfoilhat>

Diebold didn't get involved in elections until 2002. The only Republican president to serve since then won reelection in 2004 and then left the White House with low approval ratings unprecedented since Nixon (< 30%). There could have been massive fraud in favor of the Republicans in 2008 (not claiming this happened) and the Democrats still would have wiped the floor with them.

Anyway, partisan politics is a distraction here: the integrity of our elections is increasingly in the hands of a few voting machine manufacturers who sell hackable, un-auditable black box systems. Here are some starting points in case you're interested in this beyond the typical R/D sniping:

* https://www.eff.org/issues/e-voting

* http://blackboxvoting.org/

"Did you know that US Presidential Elections use 10M+ voting machines"

Not that the number of voting machines has any influence on the ease with which electronic voting can be manipulated, but less than 130M votes (http://en.m.wikipedia.org/wiki/Voter_turnout_in_the_United_S...), distributed over 10M+ machines? That's less than 13 votes per machine, on average. if that is true, someone has been overspending seriously on hardware.

Hm. Perhaps I remember incorrectly, and it was not 10M machines, but 10M votes "counted" through those machines.
You do not need to unlock a smartphone to exchange the information with an external device.

I would imagine that verification of said license should happen wirelessly.

so authorities / anyone can now pull someone's license wirelessly and know who's behind the wheel without actually pulling them over?
Well, they could always do this by running plates.
Which will tell you who the vehicle is registered to. That could be your company, an Uber driver, Hertz, your spouse, etc etc.
Sure, but my point is that in many situations this is already a reality, and people wanting to avoid this will be able to by using their existing, plastic ID.
The article makes no mention of this being used outside of law enforcement, but wouldn't this be incredibly easy to fake at a bar, for example? A nearly identical app except it's one where you can change the information. I don't imagine plastic cards going away, in this case.
Possible solution would be for the verifying party to have a smartphone app that could scan a QR code. But it's an added cost to them for very little gain. That said, the state could certainly mandate that bars, etc. use the scanner app.
So now the state knows when and where I am ID'd? Thanks but no thanks.
Couldn't they use the same technology they already use on the back of plastic ID's to verify an ID?
IIRC that typically just dumps the barcode/magstripe and compares the birthdate to whatever you're looking for (typically 18 or 21+). It doesn't go ask the state if the license is valid.
When I go to my local bar, they scan the code on the back of my ID to ensure it's not a fake. At a bar down the road, they swipe it through a computer. Sure, they look at it to see the age and compare the picture, but the computer does the verification of it's legitimacy. We're already there.

Let me tell you about the state tracking you, since you're worried about your ID being tracked. You know those signs on the freeway that say "15 minutes to Taylor Street" or "25 minutes to I-94"? Nice and handy, you know if it says 20 minutes when it normally says 5, there's a traffic jam. You know how they get that info? I learned this recently while working for a client that was involved in those signs being installed in that area. They scan the Bluetooth on drivers phones, and time how long it takes for a unique phone to get from one sign to the next. The average of that is the time that gets displayed on the sign.

So don't worry about your ID being scanned. They already know where you are. But obviously they're not sharing the information real widely, since the police took three days to find the person who hit my car and drove off even though I told them the description of the car, the driver, and the license plate number. So there's a little comfort I guess.

I've done some research in this area. Most systems are based on small radar devices mounted to light poles along the freeway which measure vehicle speeds traffic volumes at critical points (some traffic lights use these too now to detect waiting vehicles). A less popular now (because of higher install/maintenance cost) but still in use solution is magnetic induction loops embedded in the freeway lanes, in pairs to allow for speed calculation. The times are then extrapolated from the speeds at critical points (major on/off ramps, junctions, etc). A newer and still somewhat cutting-edge technology is the use of longer-ranch omnidirectional radars that can observe traffic on a road for quite some distance.

One of the really neat things about the modern radar units is that they feed into some software processing that can automatically detect accidents and other types of unusual events and alert authorities.

I'm not saying that there aren't people using bluetooth, but I suspect it's a small minority. I would think that if a municipality wanted to track individual vehicles through an entire section they would be more likely to use LPR, because it's a well established technology and there's a lot of inertia in government purchasing (read: unwillingness to try new tech/manufacturers).

Edit: there's also the confusing issue of vehicles that are tracked by radio transponders - these are going to be voluntary participants though, the obvious groups being people with EZPass type toll transponders and semi trucks with weigh station prepass devices (which are rather similar to the toll system). I wouldn't be surprised if municipalities use this data for traffic observation because it's already being collected for other purposes.

Bluetooth is not a small minority. It's a huge business, and Trafficcast is one of the leaders in this. Their product is called BlueTOAD. They're signing contracts with governments left and right.

http://trafficcast.com/news/

MADISON, WI October 18, 2010 - TrafficCast announced it has now finalized agreements with nine leading distributors of traffic signal and control equipment, enabling localized sales services and product support in forty-one states plus the District of Columbia for its innovative BlueTOADTM technologies.

MADISON, WI March 1, 2011 - TrafficCast International, Inc. today announced that Econolite Canada, Inc. will distribute its BlueTOADTM line of products, enabling localized sales services and technical support in the ten provinces and three territories of Canada.

Given that it takes ~four seconds to pair my stationary iPad with my stationary JamBox, I'm skeptical of this claim. I once worked on a project that involved using tick data collected from the thousands of induction loops embedded in California freeways. Despite the data being somewhat noisy and error-prone, it was not difficult to more or less accurately infer traffic flow from these counts. I had always assumed that this is how they produced those estimates, but this was about 6 years ago.
I've heard they use the signals from EZ-pass tags (regardless of whether or not it's a toll road, since the tag ID can be read anywhere).
Imagine a bizzaro world where everybody uses smartphone IDs and iowa was introducing a first of its kind plastic ID card.

I bet we'd see a comment just like this at #1.

Because plastic cards are unfakeable now.
Of course you can fake a plastic card today, however it's far easier to mimic and manipulate pixels than it is a plastic cards look, feel, holographic logos, etc.
it's far easier to mimic and manipulate pixels

For techies. For other people making the computer work is magic.

So how do you prevent people from spoofing an ID?
Cryptography, I guess.

Verification method must include authentication and authorization by means other than human eye reading some text off a card (digital or physical).

The problem seems closer to DRM than code signing though.

Since I'm handing you the device I am in complete control of the output and can clone the output of another card or any signing cert/key embedded in the app. The incentive to do this is to: a) Get into a bar or b) Avoid being arrested on an open warrant. Either of which I can see someone paying and risk breaking the law to accomplish.

I don't see any details, but it would be straightforward to have a token (available as a bar code or a qr code) that represents a digital signature of the photo/identity information, with the signer being the state of Iowa. Or a TOTP to make it harder to use a screenshot for this purpose.

Or for police specifically, it could look up the token in the state's database to access a photo and have a human verify that the photos match (and match the person presenting the id).

The structured information is easy to sign; the photo is more difficult. I'd be curious if they had anything intended for this.

(comment deleted)
The problem with this is simple: IDs are meant as visual verification. By making an app to do this, you are now by definition allowing my machine to create my identity. Therefore, it stands to reason that you will need a visual way to verify that the machine created the right identity which in my opinion is a bad problem to have. Therefore, people suggest using a machine to verify the id, but that defeats the purpose of having visual identification.

A simple hack utilizing this vulnerability that would be hard to fix is getting someones phone and then replacing their image with yours (e.g. by running the real program in the background and an overlay to cover their image and replace it with yours, you could get fancier and find the distortions in the image below and apply them to yours as well). In any case, the key here is that a human looks at the image, not a machine.

In my state (Illinois), a police officer can retrieve the digital photo that was taken at the time the license was issued. A simple radio check can also verify the other information on the license.

In reality, if you know your license number you don't even really NEED to carry the card. The app just just an easier way to carry that number around. I've known people that have been stopped without a license on-hand but able to recite their number, resulting in no trouble at all.

Furthermore, it's not like physical licenses are particularly robust against identity fraud. Go to the nearest college campus and you'll find a dozen kids with fake IDs in 10 minutes.
The app would have to display an ephemeral UUID that a bouncer/cashier could scan and independently query to the central server on their device.
> Rather than digging through clutter in your glove compartment for an insurance card, you can simply hand the law enforcement officer your mobile phone.

Well that's one way to facilitate a warrantless search. Even without the obvious privacy element, "Sorry officer, my ID ran out of batteries" seems like a pretty common problem.

This - I can imagine how quickly a judge will find that handing your phone voluntarily to a police officer equals consent for the entirety of its contents to be searched, even if you just open the ID app.

And oh, the convenience. It's already unlocked for me.

Assuming this acts only as a glorified replacement for a memorized license number, it seems like a nice convenience.

But the nice thing (from a law-enforcement perspective) about plastic IDs is that they can be made expensive to forge/alter, and (forgeries aside) it's fairly easy to restrict the number of copies.

I find myself unable to comprehend how anyone could possibly think that this is a good idea. If your ID is tied to your phone, then you're one phone-drop away from not having an ID. Phones are fragile.
If you keep your ID in your wallet, you're one sewer grate away from not having an ID.
I find I pull out my phone far more often than my wallet, and most places I pull out my wallet are not right next to a sewer grate. On the other hand, I also find that most times I drop my phone it works afterward.
Phones can also be dropped through sewer grates. Guess which of the two happens more often?

Drop your driver's license onto concrete. It's fine, isn't it? Care to drop your phone from the same height?

I've been in contact with the said governor and Land Border Integration (WHTI) to see if they'll accept ETC (Enhanced Tribal Cards) along side the application. My hopes are that I can start creating digital cards for tribes, a long side hard cards.

This will save so much time imo, and more secure than you're standard hard card which is way to easy to replicate.

Does anyone know the project cost for developing this app? I've done a fair amount of google'ing to little avail.
(comment deleted)