Hacker News new | comments | show | ask | jobs | submitlogin
NSW Digital Driver Licence (www.service.nsw.gov.au)
135 points by stockkid 6 months ago | hide | past | web | 193 comments | favorite

Can I use this without having a Google or Apple account? I guess the answer is no. It's crazy that we are allowing these duopolies to be the arbiters of so many critical functions.

Arguments like this are the strongest for forced regulation and split up IMHO.

And - just to underline this point - drivers license is the de-facto Australian ID card.

I can't think of an actual complaint against embedding US companies into what is in practice an important part of NSWs local governance; we might already do that credit and finance to some degree. But it just looks like another little step at creating a delicate system with single points of failure and unreasonably influential power-brokers.

All personal opinions:

It comes down to alignment of incentives. Google (for the sake of argument) has got into so many facets of peoples' lives that it's hard to tell what's what. If you're percieved to have contravened one of the TOCs, or your credit card fails or something, you could have your account suspended with no recourse. And Google have shown time and again that they have zero interest in universal due process, fairness or customer service. That's fine - it's their business model and their call to make.

But it is fundamentally out of step with the provision of essential services which should be afforded to all.

And then add to that the fact that when it goes wrong it disproportionally affects those more vulnerable. It starts to look a lot like disenfranchisement of minorities. What if you suddenly have no phone or email, and that's your only way of communicating with your support network? What if Google decides to pull the plug on your phone and you don't have money to buy a new one?

On the flip side, the government has a monopoly on welfare, violence, justice, etc. That's a good thing, and it's negotiated by democracy. However, using that monoploy to coerce people into using commercial duopolies is fundamentally anti-democratic.

Isn’t the TurboTax / Windows monopoly with the IRS a similar case? Defacto standard gone monopoly for digital tax returns. I agree that the government cannot lock consumers into duopolies but you still have a choice to go and get a piece of plastic. They also really don’t have a choice if the objective is digital convenience —- outside of Apple and Google, there really isn’t any competition. If there were a proper, open mobile platform with no vendor lock in, I am sure NSW would support that as well.

You can still use other tax return software, don't have to use windows with turbo tax and on top of it, use software that generates paper returns.

Yep, I've been filing my taxes digitally for seven years (used paper forms before that) and I've never used TurboTax.

I file using Turbotax using a web browser on linux. Why do you mention Windows?

Part of the plan under the Five Eyes intelligence sharing agreement perhaps?

As of the moment, the digital version can't be used as ID

"The NSW Digital Driver Licence is accepted by most pubs and clubs, and NSW Police."

Literally paragraph 3 of the article.

These are pretty informal usages, I'd be more curious if you could renew your passport using the digital driver's license.

Nope. You need id? Drivers licence or passport. Try getting by without a licence in aus? You need a "proof of age card" which is a driver's licence in every way except does not allow you to drive.

Anyone who thinks you don't need a driver's licence or equivalent proof of age card is 100% having themselves on, there is no meaningful opt out.

Or open a bank account.

I spoke to a JP a couple of days ago and she said they haven't been issued with a directive to accept it as ID when notarising forms so she wouldn't until she had received official word.

NSW liquor store employee, we were briefed on these last week and we accept them now.

I’m not sure there’s a single idea of what is an ‘official ID’ like you think there is. If I ask who you are and you show me your digital ID then you’ve just used it as an ID so clearly it can be used as ID. Just some organisations and people may choose not to accept it.

From the article:

"It’s optional and doesn’t replace the plastic card"


You can say that about absolutely anything, therefore by itself it's meaningless.

You are right, but at some point there will be a new generation of politicians and the promises will be lost to the old generation.

It's going to be many decades before plastic cards go away, or the government is going to get really annoyed with old people screwing it up.

I have until October 2020 to replace my State ID with one that the US will recognize for flights. Luckily I can still use my passport for 8 more years instead of ponying up $35 to replace it right now.

My point is the government can and will make your life a pain.

Real ID is completely different from this, it's totally unfair to compare the two.

You're right. And I'm sure Service NSW had the best intentions, but were ignorant to the wider implication.

Not Service NSW's remit to fix the world of tech. Most use Apple or Android, so that's what they did. It's logical and makes perfect sense. Want change? Demand it elsewhere. I love this app and initiative and am a user myself.

I have no doubt about good intentions of individuals. It's more about where the buck stops.

They're not exactly arbiters of critical functions, the government issuing the drivers licence is. This is just an additional convenience feature.

What do you need an account for? Does the APK not work if you sideload it?

Completely guessing here. But these kinds of things often defer to Google Play services for part of their trust model.

In that case, the government should publish an official version of the APK for people to use.

Just happened to randomly stumble across a reverse engineering talk about this very app a couple of hours ago:


The crux of the issue is that the verification only tells you if the barcode is valid. However, there are no strong relationships between the barcode and the rest of the visual content (photo, numbers, dates, etc). Therefore, one can overlay malicious data around the barcode.

The fix would be to allow the verifier to independently retrieve the license details after scanning the barcode, instead of just seeing a valid/invalid message.

In Queensland, our Police carry iPad. They can basically look you up and get your details on that iPad. I would imagine NSW Police would have something similar: scan the barcode, it verifies it's correct, and then they compare the face on the phone to the one they get on their iPad.

What is the point of each person holding a driver license at all (digital or otherwise) if the only thing that is trusted is the device of a police officer looking up an individual in a database and confirming a face match and/or passcode match?

Could a police officer just ask "I need to look up your license in the database. What is your name, date of birth and passcode so I can find your face in the database and confirm you gave me the correct passcode?"

Yeah, feels like we're getting there. But then again, you need ID for more than just interactions with government officials and law enforcement.

I take it you're one of those lucky people who don't need to have the NATO phonetic alphabet rendering of their first, middle and last names memorized, because otherwise nobody will get them right.

To be fair though, how do you even pronounce the name, "9nGQluzmnq3M"? ;-)

The police would surely have that, but the app allows verifying anyone else's digital ID as well. Imagine the post office checking your address before handing over a parcel, etc.

Realistically it would be way better if the app didn't even show the face and other details, just the barcode which has to be looked up with a trustworthy device. Everything else is just noise

This is precisely what the South Australian Digital ID does.

Great talk, just finished it!

Thanks for sharing that was indeed a very good talk!

I have had one of these for years in South Australia (app store release data may 2017). Our car rego is all digital as well which used to cause confusion interstate as we don't have rego stickers. I don't adopt a lot of digital technology like social media because I think it is of dubious value with potential risks but nfc payments and a digital licence lets me travel with just my phone which suits me really well. I hate carrying a wallet.

One potential issue with having this on your phone is that you are unlocking your phone and handing it to the police which could be a problem for some people. Though people can still carry a card.

> One potential issue with having this on your phone is that you are unlocking your phone and handing it to the police

FWIW Android has a (somewhat hidden) "pin app" function that prevents users from switching to a different app without entering the lock code.

Same with iphone. Accessibility settings -> Guided access. Can turn on a setting so that when you triple click the home button it locks use to that app until you unlock.

Thank you for teaching me something today. Had no clue about this feature and it looks pretty interesting.

That being said... while testing it I was able to escape to the Messages app by clicking a share btn in an app, or long pressing a link in a webkit ui object to share the link.

From the Messages i was able to get to contacts and see contact info. If you create a 'new message' with an existing contact it will actually load all the previous messages for that contact. I assume it would also load group messages for a group as this behavior is present in normal messages mode.

At first i didn't think images where loading, but if I scrolled up till it had to load in older messages it shows images

Same for other apps that register in the share functionality. I was also able to go to the 'more' and enable other apps like Slack and One Note and was able to gather a lot of details from the dialogs they provide.

Messages seams to have the most 'out of bounds' gonna play with this some more.

I wanna also say I have a kinda older iPhone, running 12.1.4 in case some of this has been improved.

Still happens on 13.2.2. Looks like they should disable the share sheet in it.

Or require your PIN to access the share sheet in this scenario.

Thanks. Just turned it on and learned how to use it. A few too many steps to the UI. I think I would prefer if an app like this was pinned from the moment it was opened.

> One potential issue with having this on your phone is that you are unlocking your phone and handing it to the police which could be a problem for some people. Though people can still carry a card.

NSW resident. If I was driving I'd carry my physical license which I'd hand to police. If I was heading out by foot to a pub, bar, bottle shop or tobacconist I'd use my phone because that's how I pay for things. I'm not young looking but if I were, at least the phone would save me carrying a wallet.

Opal, NSW's public transport payment system, works directly with contactless payment i.e. credit cards, debit cards, phones (all phones - hi Myki!), smart watches and, unsurprisingly, dedicated Opal cards. Making licenses app-based opens up the option to leave home without anything but your phone.

In NSW you are not required to hand it over to police.

From the site: "You don’t need to hand over your device to the licence checker. If a licence checker is struggling to view your digital driver licence, adjust the tilt of your device or turn up your brightness settings. "

Isn't this the same state where they have been strip searching 12 year old girls without a parent or guardian? Most police I have encountered are great but good to know how to protect your phone incase you encounter one of the rare idiots.


Although as others have posted, apparently the police are not allowed to touch the phone, but people are used to handing over the current plastic license so would likely hand over their phone unless instructed otherwise.

It was news to me that you can lock android and iOS to a certain app so that would be a good thing to do if your license is requested.

The worst thing about this system is that if your battery dies, well you can’t prove your identity.

I guess cops carry chargers now ?

Do you have to show your license in NSW?

In the UK we have to give our name and address, then turn up to a police station within 7 days with our license.

In europe we have phone app for public transport, in my city, if your phone is out of charge they will help you charge it so you can show ticket to them.

"here, plug your phone into this USB cable that I happen to have in my car. Honest, it's just a charger..."

Although I was a first day adopter of the new NSW digital license, I'm only going to use it as a backup for my physical license. I really don't trust the NSW government, and I've come across enough dodgy cops in this state to know better.

Most cops are fine, but the ones that aren't can destroy you for the rest of your life.

Most phones do nothing (except charge) when plugged, until you actively choose the option (file sharing, usb debugging,...).

Usb ports are the attack surface for standard gvt issue phone snarfers. Thought this was common knowledge.

Your car can provide energy.

The police may not touch the phone.

And when you tell them no what's the chance they listen and don't suddenly volunteer you for a search.

Can you reference the legal documents regarding this?

Photo Card Act 2005, Section 13B Use of digital Photo Card

"Despite any other provision of this section, a person who displays or purports to display a digital driver licence is not required to give or hand over, to the person who is requiring the driver licence to be produced or handed over, the mobile phone or other electronic device on which the digital driver licence is displayed or purported to be displayed."


There was talk the permissions used were a bit worrying: https://www.lifehacker.com.au/2019/10/nsws-digital-driver-li...

On Google Play it included access to Calendar, Camera, Photos, Location, Storage...

And for some strange reason, the ability to pair with Bluetooth devices. Which I have no idea why it exists, I can't find a single service that the app has access to which would require that feature.

This probably has something to do with the ISO 18013-5 standard.


To communicate with Bluetooth readers instead of using QR code scanning.

Probably to use Bluetooth beacons.

Google Play includes permissions that have been taken out in the latest version of an app https://twitter.com/ServiceNSW/status/1189390044273856513

IIRC a former developer explained (on reddit?) they explored other functionality like bluetooth LE verification rather than QR code

The photo permission is to verify someone else's digital ID by capturing their QR code.

Sounds like a creative way for law enforcement to get people to hand them their unlocked devices during a search.

The app itself recommends only showing the officer your screen, and not handing your phone over. As for Android, you can also pin the app before handing it over, if you so wish to. Pinning is a feature whereby the foreground app is the only app that can be interacted with until the next time you unlock the phone. All notifications are also hidden.

From the article "Avoid handling a customer’s phone. If you have difficulty viewing or scanning, ask the customer to adjust the phone to make checking easier. "

I don’t think that suggestion is going to prevent anyone from doing otherwise if they find it advantageous.

So I unlock the phone and hold it in front of an officer? At which point the office relieves me of my phone and takes it as evidence.

There's an opportunity for mobile OSs to support this usecase with a "guest" account: lock the phone to a single app so you can hand it to a less trusted person. Also useful for toddlers gaming.

The last Android version had a weak guest mode; the current one does not seem to.

iOS has had "Guided Access" since almost forever.

Not quite a guest account, but you can use the Accessibility shortcut (from the Control Center or triple-clicking the sleep button) to quickly prevent app switching before handing a device to someone.

You can even use it to disable interaction with parts of the screen by drawing regions, or disable the hardware buttons, and set an autosleep timer.

What operating systems really need though, is a "fake OS" mode. It should display an alternative launchpad with some random apps with random photos, notes, messages etc. When someone tries to do something it should stall with poor network connectivity dialogs or other fake issues.

Maybe someone can make an app like that? :)

Yeah, a "duress" mode. Maybe activated if you unlock with a different finger or PIN.

There's various tweaks that enable this if you're jailbroken.

Wouldn't that just shift the burden of trust upon the jailbroken apps?

The book Little Brother by Cory Doctorow mentions an innocuous home screen or desktop that is accessed via alternate password and I've always wanted to see it actually implemented.

There's an opportunity for Apple to integrate it with Wallet, as they did for the Japanese public transport tickets. You can bring up cards from wallet without unlocking your iPhone.

Just put it in the emergency medical information section that can already be accessed when the phone is locked.

(On an iPhone, anyway. I haven't tried To set this up on my Android.)

Let's not turn this phone robbery into a stolen identity thing.

If you can, enable Screen Pinning in Android. I use it all the time for airlines that give me the option to use an app to present my boarding pass... to the TSA.

You can just hold your phone up to the QR code scanner yourself. You don't need to hand them your phone.

This is true. Do you want to argue otherwise with the TSA?

I mean you should argue, but I'd also consider if I want to miss my flight because of additional screening.

I wonder if it works with Apple Wallet or similar? Those cards can be accessed without unlocking the phone fully.

A good way to make people run proprietary software they control.

I wouldn't give NSW police that much credit.

They may not have planned it, but I'd give them enough credit that this kind of abuse is almost a certainty.

Some say that New Orleans is so far behind, that it's ahead. Definitely true. The information systems in SF all feel like they were built in 2010. I've had a digital ID (https://apps.apple.com/us/app/la-wallet/id1386930269) for over a year now and it's so much more convenient when I lose my actual ID -- about 4x/year. The LA wallet has a verification system that anyone can use to verify anyone else's ID. I was in SF for blockchain week last week and I misplaced by physical ID on the way to the airport. I wanted to see a friend of mine perform at a bar in Berkeley and they wanted a physical ID. I ended up eating tasty Nepalese food next door and met up with my friends after the show because there's no digital ID in California. Once I got back to New Orleans, no-one ever batted an eye when I showed them my digital ID. I'm hoping the next step is issuing a public/private key along with the ID. It would come in handy for so many blockchainy/dapp possibilities.

I might be less ecstatic if I had a car and got pulled over and asked to show my ID. I wouldn't be comfortable handing my unlocked phone over to the state. I trust the internal walls of the mobile walled gardens more than I trust a cop.

You lose your ID 4x per year?! I lost my (British) passport once and later that same year it was in a bag that was stolen - I was warned that I wouldn't be issued with another one if it happened again. I am now super paranoid when I have to carry it, in fact now that I type this I realise I'm extra edgy because I'm about to leave for a trip in a few minutes with my passport :-O

Most countries will forgive two lost passports within a 10 year period. After that they may refuse or give you limited duration documents. This is of course at the discretion of the country issuing the documents - but if they are overly generous it will cause problems with other countries expected to accept the documents.

The main concern is they don't want a bunch of unaccounted for passports lying around. It dramatically increases the risk of fraud.

I was visiting my parents in New Orleans a few weeks ago when my mom showed me the LA Wallet app and said "we have this cool new ID app now. I'm sure other states must have had it for ages, but we finally got it". Nope, not at all.

It's cool to see my hometown progressing on at least one front.

"I'm hoping the next step is issuing a public/private key along with the ID."

If I need a key pair, I'd prefer to generate it myself. Otherwise, the private key isn't really private.

> It’s illegal to access your Digital Driver Licence when driving, including when stationary, unless you’re asked to do so by a police officer. Penalties apply.

"We made this thing you only need while driving, especially when stationary and stopped by the police, but it's illegal to do so unless specifically requested."

I wonder how this will be applied in reality. Will individuals stopped have to wait for the police to ask before readying their documentation without being cited in addition to whatever they were stopped for?

>We made this thing you only need while driving

Drivers licences in Australia are the de-facto ID. Including proof of age to purchase cigarettes/alcohol, many bars scan IDs as you enter in case you cause damage or start a fight. To proving identity for a variety of things including (but not limited to) new phone plans, bank accounts, etc.

Most Aussies carry their drivers licence with them everywhere.

Regarding the stationary part. Though it varies state by state, my state (Victoria) considers it an offence to use your phone while stationary. If the vehicle is legally parked and engine off you're fine. This is to cover those using their phone while stuck in traffic.

I am curious to know how the Uber/Lyft drivers operate with such laws. Often they need to access maps, how does the law apply to such drivers?

Concessions exist for operating a mounted GPS device or phone.


That's Victoria, similar laws in NSW. Technically though, using NFC to buy Mcdonalds in the drive through is illegal.

Actually, you are in control of the vehicle if you're in the driver's seat with the key in the ignition, engine on or not.

That may be true, but is not the language used in the phone legislation:

> (1) The driver of a vehicle must not use a mobile phone while the vehicle is moving, or is stationary but not parked [...]


> Drivers licences in Australia are the de-facto ID. […] Most Aussies carry their drivers licence with them everywhere.

Same as in the USA.

Most days, I only carry my driver's license because, despite a head of rapidly graying hair, I might need it to buy tobacco. Otherwise, what the hell do I need a license for when I ride the scooter/bicycle to work?

I can already leave all of my cards at home when I go to work, save that license, because the gas station that cards me when they sell me tobacco also takes NFC payments. Digitize that license, and I can just carry my phone even when I drive to work.

In NSW it is illegal to ride a bicycle on public roads without government issued photo id (normally a drivers licence).

Sometimes if I go for a walk or to the park without my wallet I feel like a criminal. I have the misfortune of living in one of the states where going out in public without ID is illegal.

At least it was the last time I looked at the ACLU web site.

Are you speaking of the AZ "show me your papers" law? As a white guy, I would so not carry ID. I can afford lawyers and a few nights in jail to make a stink about it, and others might not be so fortunate. But, of course, I'm not the target so it's easy to be Anonymous Internet Justice Guy.

Not that it would be a massive change in my behavior. With NFC payments and wearable communications devices, a lot of times I leave the house with nothing but an Apple Watch on my wrist (and at a minimum, running shorts; you're welcome). Dog walk? What am I going to buy in our suburban neighborhood? Go for a run? Same difference, though if I run by a 7-11 I can buy a Gatorade with my watch. I ass-u-me the EMTs know how to get my medical ID on an Apple device. Soooo, I kinda don't need a wallet a lot of times. Is it legal in the state of WA? I have no reason to believe that it isn't, but OTOH I don't really care. You want to know who I am? We have a legal process for that, at which time I will have my ID fetched.

I think "when driving, including when stationary" means in stationary traffic, or at a red light. Not when your car is parked and handbrake on

It does include when parked actually. Allows you to be arrested for drunk driving when you are stopped.

For the over-confident skeptic, a nuanced legal answer: https://www.turnbullhill.com.au/articles/when-are-you-actual...

I’m not sure that was much more nuanced. The examples provided boiled down “this is probably legal, but the police will still try to prosecute you”.

I don't read that. It's undefined, in the sense that there is imprecise legislative guidance, and case law will determine the law asymptotically. But it's best not to be the case law yourself.

> I wonder how this will be applied in reality. Will individuals stopped have to wait for the police to ask before readying their documentation without being cited in addition to whatever they were stopped for?

That's what they've been telling people, yes. Honestly, it seems rather over the top legalism.

I understand the point about the danger of using mobile devices while driving a moving vehicle. But, what exactly is the danger of using one when you are stationary, especially if you have been pulled over by a police officer? It is a law without a rational justification, and laws lacking rational justification are harmful.

"Honestly, it seems rather over the top legalism." In Australia? I can hardly believe it /sarc

I would guess it's to eliminate a loophole of 'No Officer I wasn't checking Snapchat, I was just getting my digital licence out for you.'

> I understand the point about the danger of using mobile devices while driving a moving vehicle. But, what exact is the danger of using one when you are stationary, especially if you have been pulled over by a police officer? It is a law without a rational justification, and laws lacking rational justification are harmful.

This is the core of the issue, in my opinion.

The danger is loss of police revenue. In Australia it’s illegal to use your phone to pay at a McDonald’s drive through if your the one sitting in the drivers seat. Even if the car is in park.

Got a reference for that? Road rules typically apply to... roads, not private property.

This is basically the same thing as getting a seat-belt ticket because you unbuckled to get your ID before the officer arrived at your window to see you do it. I expect citations would be handed out in a similar manner.

Is this a step towards more surveillance? I get that it doesn’t have to be, but surely it brings it closer, and easier to get there.

It might be a step towards the goals of the Face Verification Service project [0] of the Home Affairs office, which is a wide-reaching facial recognition service which seems to want to do things that aren't really possible with current technology.

Eventually these services can be integrated, or they might already be trialing integration silently.

> The Document Verification Service checks whether the personal information on an identity document matches the original record. Importantly this includes verification of the date of birth on Australian passports, driver licences and birth certificates.

> The Face Verification Service complements the Document Verification Service by preventing the use of stolen as well as fake identity information.

[0] [PDF] https://www.aph.gov.au/DocumentStore.ashx?id=903112ab-f5e9-4...

I feel like I am pretty security conscious and thought the same thing at first. but realistically isn't all this just data the government already has on us?.

Sort of, it depends if they ask for extra permissions at some point in the future and there is not alternative option. I saw an Android screenshot showing requests for an insane amount of access - it may have been faked though.

For a moment a read NSFW Driver Licence, it would be beautiful <3

NSW stands for the New South Wales, an autonomous state in Australia.

Non-rhetorical question: What's the point of this?

For many years it has been possible in many countries for a police officer to enter a vehicle's number plate and get details of the registered owner, including a photo, on the screen of their own device, one which they trust. If I'm driving a friend's car I could tell the police officer my name, the number plate of a vehicle that I am linked to or some other identifier and the officer could then look me up. Why should a driver need anything beyond a good enough memory to recite some kind of identifier?

Someone who can't remember their own name arguably shouldn't be driving.

I'm looking forward to the day when we won't need passports either. (I'm sure my great-grandchildren will find it much more convenient.)

Perhaps the point of this is that it lets you give someone else, not a police officer, temporary read-access to a subset of the data on the server. Is that it perhaps? That could be useful. For example, to a club bouncer I might choose to reveal my photo and the fact that I'm over 18 without giving away my date of birth and my address, which would be shown on my physical driving licence.

Potentially some interesting technical questions about how to stop people from using someone else's licence with the other person's collaboration: an older sibling's licence, for example.

One benefit is ultimately there would be a few million less plastic cards produced. If it successful, perhaps others states / countries rollout something similar. That could be hundreds of millions fewer plastic cards produced.

Admittedly this is unlikely a significant factor in the state governments decision making. Yet it’s a benefit all the same.

That sounds nice but is it really meaningful to cut such a small amount of waste?

Consider all the other various cards which also might be digitized. Gov ID doesn't seem like the place to start, seems like maybe the one that should always have a physical form even if everything else has become digital.

One problem may be that not all roads have cell phone coverage, at least where I live, so a cop pulling you up may have no way to access an online database. It's also possible for the communications or back-end database to fail at any time.

I've tried this out so I can report the experience. First, I can confirm the only permission requested is camera, and that's only when I first try to use the "scan a license" function. It seems like a Google Play bug that the play store allegedly shows legacy information if you click "permissions"[0] on the website, as these aren't reflected in the actual store.

Secondly, being able to press a button and get shown my current demerits is extremely useful. Last time I wanted to check this I spent a good two hours on hold on the phone.

My license expires in two weeks and this is the first I found out about it. Undoubtedly due to some bungle in the traditional system.

I can see why people are concerned, and it's not going to be accepted in clubs for a while as the scanners physically won't fit a phone.

(Having deployed those scanners a few years back, I'm frankly more concerned about their privacy situation than this app).

[0] https://play.google.com/store/apps/details?id=au.gov.nsw.ser...

Yes, I like being able to see my licence expiry, demerit and rego expiry all on one place.

Our rego is all digital in SA and we don't have rego stickers. I have been getting text reminders for years but sometimes you just want to check when things expire without logging into a website and navigating through lots of layers.

I expect NSW is the same but our app also takes boat licences, heavy vehicle licences, occupational licences as well as vehicle reg. I get that it isn't for everyone but it is a convenience.

For comparison: https://play.google.com/store/apps/details?id=au.gov.sa.my

Here in the States, Delaware and other states have also been trying mobile driver's licenses. Alarmingly to me, it seems police officers might eventually be able to remotely access the driver's license information of a person with a mobile license when the officer is physically nearby the phone, though perhaps that is less bad than having to hand over and unlock the phone outright.

You can learn more about the Delaware experiment from the same places I did:

- https://www.youtube.com/watch?v=4FYUU4wP9s8

- https://www.usatoday.com/story/news/nation-now/2018/03/14/mo...

Why on earth would you install an app provided by a nation/state?!

Because it's obviously more secure than letting someone access a webpage with the same functionality. /s

I can see digital imitations coming in 3,2,1... Starting by reversing and modifying the official app. The QR might not verify (assuming network connectivity), or it might be someone else, but will it be checked? Doubtful, because it only returns a name, not a photo.

It is disappointing this is an online-only system. There is a continuation of a number of privacy violating practices, such as giving your DOB and driver's licence number to bars/clubs/venue security (often run by criminals, esp OLMCs). It should only show 18+ and a photo.

NSW Govt will now know exactly who goes to which venue, in real time. Insane surveillance of the citizenry.

Can't wait to see what data is in the real QR codes. Almost sounds like a TOTP code and a user/device serial number. Malware that rips these TOTP codes will be made and available to criminals in short order.

I'm not sure it is online-only? They do say to carry your card as a backup but also say it works offline after initial setup:

"The NSW Digital Driver Licence is available offline as long as you are logged into the Service NSW app"


I took that to mean that your licence app will work offline, but not that it will validate offline.

I've set it up now just to check.

The initial setup is online. All you need to do is make an account (verified via an emailed code), log in, and enter your surname and 2 numbers on the physical license and it will download the information.

You can then go offline and still view it. There's a QR code which doesn't directly contain a URL or anything, so I'm not sure if the police need to be online to validate using it, I didn't look into it much.

It also says the last refresh time and pulling down will refresh the information however this fails when offline (the app doesn't seem to check network availability, it just tries to load forever). So I'm not sure if this is a problem.

It also seems to be really poorly optimised on Android, the UI is basically unresponsive on my phone and slows the whole system down.

Regardless needing to carry the real license as a backup is a problem, since it sounds like they'll make no concessions if you left it at home for a short drive and your phone dies.

Depressingly poor engineering.

> Starting by reversing and modifying the official app. The QR might not verify (assuming network connectivity), or it might be someone else, but will it be checked?

Done, in August. [0] And the QR Code validates.

> Can't wait to see what data is in the real QR codes.

According to the talk, it's a timestamp, and id and what seems like a session-cookie-ish encrypted blob.

[0] https://www.youtube.com/watch?v=oux3tI2V0sY

Does the app encrypt the blob? Presumably, because otherwise why have a serial.

Wonder if they can fall victim to validate after decrypt attacks.

From the rules linked here:


> Restricted licences holders including learner, P1 and P2 drivers and riders are not permitted to use their phone at all while driving or riding. This includes use of hands-free and Bluetooth functions.

Am I misunderstanding this? Are they saying that teenagers with a learner's permit are prohibited from using their phones while riding in the passenger seat?

I think that refers to bicycle (and/or motorcycle?) riding - not being a passenger.

It's referring to motorbike riders.

I imagine it's really trivial to download the Android APK, decompile it into it's source code, modify the code, and then push the modified app back on to the phone. You can be anyone you want to be. This idea does fall apart after the officer looks up the license number on his device. Do you think this would work at taverns?

In the US I’ve been to plenty of bars and grocery stores with ID scanners. I’d imagine this would be no different.

Wonder if this can be used as ID to get into clubs, etc? The page doesn't seem to mention it, but I doubt it would be.

YES it can be. It’s there in the 3rd paragraph.

“The NSW Digital Driver Licence is accepted by most pubs and clubs, and NSW Police.”

Missed that completely, thank you! Now for a certain backwards northern state to implement this so I don't have to take my wallet into gigs and nights out at all...

Colorado launched one recently as well, apparently the first US state to do it: https://mycolorado.state.co.us/

As a CO resident I haven't really found a use for it yet. There's even a disclaimer to take your physical ID with you wherever you go.

My state has digital insurance and registration cards. I guess this is the next logical step.

But I do worry about when people get used to using these digital identification and then get pulled over after their phone battery dies or when their phone breaks on vacation or something.

A simple traffic stop with a warning suddenly becomes a day in jail while the police "verify"a person's identity.

There was a case in the UK recently where some one got a £500 fine on the train because their phone died and they could not show their electronic ticket.

I was only after the press got involved that it was over turned.

One problem I have personally encountered is I am unable to obtain a digital form of identification while my license is suspended for a speeding offence. This is more annoying than not being able to drive as I still have to carry a wallet for the 1 remaining card I can't get on my iPhone.

I have no problem with someone suspended for speeding having an extra piece of annoyance.

Really? I mean they already are suspended for driving, that is the punishment. This feels petty to me.

I originally read this as "NSFW Drivers License" and thought it was going to be a funny link.

> The NSW Digital Driver Licence is accepted by most pubs and clubs

How to get user acceptance 101

Drivers License as ID is used at a number of places in Australia including as age proof for venues serving alcohol, for phone connections and widely as a key KYC document. Carrying one less card is certainly welcome to remove the need for a wallet.

That's great until your phone gets broken or runs out of battery. Personally, I like to keep my phone, wallet, and keys as three separate things.

India has something similar for driving licenses and many other documents: https://digilocker.gov.in/

Looking at the conditions, this one is a bit odd:

> It’s illegal to access your digital driver licence when driving, including when stationary, unless you’re asked to do so by a police officer. Penalties apply.

So, does that mean that an officer can ask to see the license _while driving_? That's such a weird scenario!

And the part "including when stationary", does that mean that you're allow to check your digital license if you're in your care, alone, parked somewhere, without any police officer around?

Source: https://www.service.nsw.gov.au/campaign/nsw-digital-driver-l...

You can only touch your phone if its secured and its for navigation so they are avoiding the problem when people are pulled over for using their mobile phone and saying they were getting their license ready etc. They have created a problem where people know not to touch their phone, but if you get pulled over and get your license ready you are breaking the no touch rule.

It's illegal to use your phone while in command of a motor vehicle in NSW, regardless of whether you're moving or stationary. If you're parked you're fine, but if you're stopped at the lights, for instance, it's illegal.

"While driving" could mean you've stopped the car, but you haven't put it in park, applied the handbreak, and switched off the engine. The police are a bit vague at what constitutes "driving" because they want to fine people who check Facebook at traffic lights.

An officer can ask for your license if they flag you over and you haven't totally stopped the car (thus you are legally "driving"), as long as you're being safe they just want to check for drunk drivers as quickly as possible. "License, how many drinks have you had tonight, count to 5, have a good night". Unlike America they don't need suspicion, they just flag over everyone they can on a Friday night. On the other hand an officer can fine you if you start playing on Facebook while the car is stopped but you're still legally "driving".

Are you confused by phone use when driving?

What part of my comment are you answering to? I didn’t express confusion.

Seems pretty easy to fake. Make an app that shows a photo and QA code.

One word: signatures.

All QR codes or whatever the phone is displaying or transmitting should be signed by a trusted authority. The checking device can verify whether it’s been signed. You can’t generate a valid signature unless you have access to the private key that’s supposed to be signing them.

The code changes continually. Also the background moves when you tilt the phone.

In this [0] PyCon talk the app is reverse-engineered, and a version that produces a fake QR code that gets verified successfully is created.

It would seem the current approach is fundamentally broken.

[0] https://www.youtube.com/watch?v=oux3tI2V0sY

It's trivial to hack Android apps. Please see the reverse engineering talk link I posted a few comments up that demonstrates this very app being hacked.

EDIT: Probably shouldn't single out Android. iOS apps can also be modified and resigned with a developer certificate.

Accepting digital licences as identification in nightclubs in QLD is entirely optional. Seems counterproductive to have a half valid form of ID.

Isn’t accepting any ID in a nightclub already optional and at the discretion of the licensee? They can always turn people away as long as it’s not based on a protected category can’t they? How’s it any different to before?

I get that, I was sober on a Wednesday at 4pm and the casino wouldn’t let me in.

I should add that clubs here scan your ID which contains your full name and DOB, and can be used as half the proof required to open a bank account online.

Am I the only one who read the title in HN and saw "NSFW Digital Driver Licence"?

The QR code updates - is that online or using a "secret" stored on the phone?

Sounds fun for the <18 kids.

May I ask what this would make easier for <kids?

I can think of clubs scannings IDs, but scanners only store identification details for some period of time, until they're deleted, and not compared against a database. [0] A spoofable/transferable QR code could contain all the information normally scanned on a license plus information unique to each code refresh.

I'd love to hear what the other implications of this could be if I'm missing something.

[0] https://www.liquorandgaming.nsw.gov.au/operating-a-business/...

I was thinking if they're used offline at a bottle shop, it's a lot easier to seamlessly alter a date of birth or photo on a phone app than a physical license.

Also makes it easier to share an older sibling's ID.

Not really. If the offline license is in a digital format (QR code, etc) it can still be checked whether it’s been signed by a trusted authority (the state’s digital certificate, etc).

So you can very well have an offline system where the documents are signed during enrolment but then stored offline.

Only if the trusted authority sends back a copy of all the details too, and person at the counter looks at those instead.

Otherwise the altered app can show a different photo to that which was enrolled, etc. The signature is on bytes, not the offline visual representation.

Unfortunately that does not seem to be what they have done, i.e. no signatures involved.

In this case it’s a problem with the current implementation, but does not prevent a proper implementation from existing in the future.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact