What Is Phone Home?

"Phone home" refers to digital identity systems that send usage data back to the credential issuer every time a credential is presented. When your mobile driver's license "phones home," the issuer may learn that a credential was checked and when, depending on the system's architecture and logging practices.

Why civil liberties groups are concerned

Organizations including the ACLU, EFF, and EPIC have launched campaigns urging federal agencies to avoid technical designs that phone home. Their concern is straightforward: even if governments promise not to abuse such logs, the data becomes an irresistible target for hackers, advertisers, or future administrations with different priorities.

The coalition's message is clear: "It's not enough to promise not to track, we need systems that make tracking impossible."

Technical solutions

Privacy-preserving systems avoid phone-home behavior through offline verification. The verifier checks the credential's cryptographic signature against preloaded public keys and status lists, without contacting the issuer.

For revocation checking (confirming a credential hasn't been suspended), privacy-preserving approaches use compressed, anonymized status lists. These let verifiers check validity without revealing which specific credential is being verified or the context of use.
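The local status lookup described above, as an added example (not code from the original page or from any issuer's system). The list layout (one bit per credential index, LSB-first, zlib plus base64url), the one-day cache limit and all names are assumptions, and the list's own signature is assumed to have been checked already against a preloaded issuer key.

```python
import base64
import zlib
from dataclasses import dataclass

MAX_LIST_AGE_S = 24 * 3600   # assumed policy: refuse a cache older than one day
MAX_LIST_BYTES = 1 << 20     # cap on decompressed size (guards against zip bombs)


def encode_status_list(revoked, size):
    """Issuer side: one bit per credential index, compressed, base64url."""
    bits = bytearray(size // 8)
    for idx in revoked:
        bits[idx // 8] |= 1 << (idx % 8)   # LSB-first bit order (assumed)
    return base64.urlsafe_b64encode(zlib.compress(bytes(bits), 9)).decode()


@dataclass
class CachedStatusList:
    encoded: str        # fetched in bulk on a schedule, never per presentation
    fetched_at: float   # verifier clock, epoch seconds


def check_status(cache, index, now):
    """Verifier side: local lookup only; returns 'valid', 'revoked' or 'stale'."""
    if now - cache.fetched_at > MAX_LIST_AGE_S:
        return "stale"   # caller must refresh; never treat a stale list as valid
    packed = base64.urlsafe_b64decode(cache.encoded)
    bits = zlib.decompressobj().decompress(packed, MAX_LIST_BYTES)
    if not 0 <= index < len(bits) * 8:
        raise ValueError("status index outside list")
    return "revoked" if (bits[index // 8] >> (index % 8)) & 1 else "valid"


def demo():
    """Constructed sample: 131072 credentials share one list, three revoked."""
    t0 = 1_700_000_000
    cache = CachedStatusList(encode_status_list([7, 4242, 100000], 131072), t0)
    return (
        check_status(cache, 4242, t0 + 3600),        # revoked credential
        check_status(cache, 4243, t0 + 3600),        # neighbour, still valid
        check_status(cache, 4242, t0 + 2 * 86400),   # cache too old
    )


if __name__ == "__main__":
    print(demo())
```

The scheduled fetch of the shared list is the only network contact, so the issuer sees neither which index was looked up nor when a credential was presented.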

Online verification tradeoffs

Some scenarios benefit from real-time status checks, such as verifying that a professional license hasn't been revoked since yesterday. Online verification can provide higher assurance by confirming status at the exact moment of use.

However, this creates privacy risks if every verification event is logged. Well-designed systems mitigate this with privacy-preserving transports and short-lived tokens, which reduce metadata exposure so that even online checks don't create detailed activity logs.

Policy and technical requirements

Because privacy protections aren’t guaranteed by technology alone, strong programs combine legal guardrails with architecture choices that minimize data collection and tracking. For example, Utah Code § 63A-16-1202 requires that use of a state-endorsed digital identity be free from “surveillance, visibility, tracking, or monitoring,” limits how records of use can be used or shared, and prohibits forced device surrender.
