When Verification Calls Home: Three Views on Privacy, Risk, and Digital Credentials
“There’s been renewed attention lately on mobile driver’s licenses (mDLs) and the ISO/IEC specification that defines them. One of the more surprising aspects of the specification, even to long-time standards contributors, is that it allows the entity verifying a credential to contact the issuer directly in real time, a capability known as ‘phone home.’”
That real-time lookup can serve legitimate needs, like revocation checks. But it also opens the door to targeted location tracking and behavioral profiling, especially if it’s implemented without transparency or user controls.
I’m less concerned here with how we got to this point—though it’s worth reflecting on the impact of paywalled standards and quiet design compromises—and more concerned with how we talk about it now. Too often, we respond to surveillance risks or fraud threats with hardline positions that don’t allow room for healthy disagreement or practical tradeoffs.
Imaginary Perspectives
To unpack the complexity, I’ve imagined three personas who reflect common but well-reasoned positions in the debate over real-time credential verification. Each has a valid point. As a friend wisely said, “A world without any surveillance and uncontrolled fraud is bad, no matter what some think. A world without any fraud because there is complete overhead control is also bad. We need to focus on finding an acceptable compromise.” These personas were not modeled on any particular individuals, so if you do see yourself here, think of yourself as an archetype, not a target.
Dr. Rhea Jamison, Privacy Researcher
“Surveillance should never be the default. If it must happen, make it visible, optional, and rare.”
Rhea has spent two decades advising civil liberties groups and participating in privacy-focused standards work. She sees invisible surveillance capabilities not as a theoretical risk, but as a historical pattern. When surveillance infrastructure is built into technical architecture, it tends to get used, often without meaningful consent or transparency.
Her concern with “phone home” verification models is twofold:
- They enable real-time, fine-grained tracking of when and where a credential is used, turning the verifier-issuer relationship into a persistent surveillance channel.
- The user may never know this is happening. As demonstrated in recent analysis of ISO/IEC 18013-5, an issuer can silently switch a credential from device-only to server-retrieval mode during a routine update.
She draws a sharp distinction between linkability, where transactions can be correlated later, and active surveillance, where every verification pings the issuer and generates a time-stamped log.
Rhea does not consider herself an absolutist. She acknowledges that in rare cases, real-time checks may be warranted. But only if:
- The user is clearly informed that network contact will occur;
- There is a viable offline alternative;
- All server retrieval events are auditable by the user.
“Surveillance infrastructure rarely stays dormant. If we build systems that can track people invisibly, we have to assume someone, somewhere, eventually will.”
Marcus Lee, VP of Fraud Risk
“You can’t prevent fraud with stale data. Some level of real-time validation is necessary.”
Marcus runs enterprise fraud strategy at a multinational financial services firm. His team handles fraud mitigation across banking, healthcare, and payment systems. For Marcus, the risk isn’t theoretical: fraudsters already exploit credentialing gaps to create synthetic identities, steal controlled substances, and bypass onboarding checks.
He makes three key arguments for phone-home capability:
- Regulatory compliance: Banks must meet Know Your Customer (KYC) and Anti-Money Laundering (AML) standards that often require verifying the current status of a credential at the time of use.
- High-risk scenarios: From dispensing opioids at a pharmacy to controlling access to critical infrastructure, static credential models can’t flag suspended, stolen, or recently revoked identities in time to prevent harm.
- Operational integrity: Real-time revocation and risk signals are critical for dynamic threat environments, such as when a compromised credential is detected and must be disabled immediately.
Marcus doesn’t ignore the privacy conversation. He believes enterprises must:
- Minimize data retention
- Disclose verification policies
- Use contractually bounded systems
But banning real-time issuer contact outright? That, to him, is a risk too far.
“Fraud isn’t solved with good intentions. If we strip out risk signals in the name of privacy, we’ll end up rebuilding surveillance tools elsewhere with less transparency and with fewer guardrails.”
Priya Banerjee, Identity Standards Architect
“Both concerns are valid. Let’s design systems that make phone-home capabilities visible, limited, and accountable.”
Priya has helped draft standards at several of the more open standards organizations. She sees herself as a translator between idealism and operational need. She agrees with Rhea that invisible surveillance is unacceptable, but also agrees with Marcus that some environments can’t function responsibly without up-to-date credential data. (Priya is kind of my hero.)
Her view is that technical architecture should support both offline-first and risk-aware models, with strict boundaries. She proposes:
- Device-based verification as the default
- Explicit and visible consent if server retrieval is needed
- Mandatory signaling by the verifier so users know which mode is active
- Logged retrieval history that users can inspect (or challenge)
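One way to express these four rules, together with Rhea's requirement that retrieval events be auditable, as a wallet-side gate. This is an added example, not code from ISO/IEC 18013-5 or from any wallet; the request fields, function names and log format are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first log entry

def entry_hash(prev_hash, record):
    """Hash of one log record bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def decide(request, user_consents, log, now):
    """Return 'allow-device', 'allow-server' or 'deny' for one request.

    request uses hypothetical fields: 'verifier', 'mode', 'mode_signaled'.
    now is the wallet's own clock, not a verifier-supplied time.
    """
    mode = request.get("mode", "device")   # device-based verification is the default
    if mode == "device":
        return "allow-device"              # no issuer contact, nothing to log
    if mode != "server":
        return "deny"                      # unknown mode: fail closed
    if not request.get("mode_signaled"):
        return "deny"                      # verifier did not announce server retrieval
    if not user_consents:
        return "deny"                      # consent must be explicit for this request
    record = {"verifier": request["verifier"], "time": now}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return "allow-server"

def verify_log(log):
    """Detect altered, reordered or mid-chain-deleted entries (not tail truncation)."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True

# Constructed sample requests, not captured traffic.
SAMPLE = [
    {"verifier": "bar.example", "mode": "device"},
    {"verifier": "pharmacy.example", "mode": "server", "mode_signaled": True},
    {"verifier": "kiosk.example", "mode": "server", "mode_signaled": False},
]

if __name__ == "__main__":
    log = []
    for req in SAMPLE:
        print(req["verifier"], decide(req, True, log, "2025-01-02T09:30:00Z"))
    print("log intact:", verify_log(log))
```

Only an allowed server retrieval writes to the log, so the history the user inspects lists exactly the events in which the issuer could have learned where the credential was used.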
She also raises a quiet but critical point: when standards prohibit real-world use cases outright, implementers will often fork the spec or build their own tooling, often without the privacy protections the standard might have enforced.
“Designing for flexibility doesn’t mean compromising values. It means making systems that work in the real world, while ensuring the user stays informed, in control, and protected.”
Comparison Table
| Concern | Rhea (Privacy Advocate) | Marcus (Fraud Prevention) | Priya (Balanced Architect) |
| --- | --- | --- | --- |
| Default verification mode | Device-only | Context-dependent | Device-first, fallback allowed |
| Real-time server retrieval | Strongly opposed; privacy risk | Required in high-risk sectors | Permitted with consent and logging |
| Consent model | Must be explicit and revocable | Not always practical | Required and user-visible |
| Revocation handling | Local proofs, time-limited creds | Real-time checks essential | Hybrid: periodic updates + fallback |
| Transparency mechanisms | Mandatory user logs | Controlled via policy | Technically enforced signaling |
| Acceptable tradeoffs | Very few; privacy is paramount | Some surveillance justified | Boundaries + adaptability |
Conclusion
There’s no one-size-fits-all answer here, and that’s the point. These aren’t just technical choices; they’re governance and risk management decisions that shape what our systems can and can’t do. The phone-home debate should be about recognizing that the needs of privacy, security, and accountability are not mutually exclusive, but they are in tension.
We build better infrastructure when we acknowledge those tensions rather than ignore them. That means creating room for high-risk use cases to function responsibly without turning every ID scan into a tracking event. It means embedding consent and transparency into the architecture, not just assuming policy will save us later.
These debates are worth having and revisiting as technology, regulation, and use cases evolve. Let’s keep listening, keep adjusting, and keep building systems that are worthy of the trust we expect users to place in them.
Transcript
Introduction
00:00:00 Welcome to the Digital Identity Digest, the audio companion to the blog at Spherical Cow Consulting. I’m Heather Flanagan, and every week I break down interesting topics in the field of digital identity—from credentials and standards to browser weirdness and policy twists. If you work with digital identity but don’t have time to follow every specification or hype cycle, you’re in the right place.
00:00:26 Let’s get into it.
Episode Overview
00:00:29 Hi there and welcome back to A Digital Identity Digest. In today’s episode, we’re diving into a topic that’s been grabbing attention, especially among those of us who spend our time thinking about infrastructure standards and users’ rights.
00:00:44 Initially, this episode almost began as a rage blog—a cathartic response sparked by a lively Signal chat. Although I wasn’t the one raging, that conversation inspired the post you’re about to experience.
Understanding Phone Home and mDLs
00:01:00 The discussion centers on the Phone Home feature built into the specification for mobile driver’s licenses (mDLs). On the surface, mDLs are more than just a digital version of your government-issued ID—they’re designed to be stored on your phone, offering convenience, enhanced security, and reduced risks of forgery.
00:01:09 Yet, as with every innovation, the devil is in the details. The ISO specification includes a Phone Home functionality that allows systems verifying your ID—whether by a bartender, a TSA agent, or a pharmacist—to contact the issuer in real time to check its status.
Key Points:
- Real-Time Verification: Ensures immediate feedback on license status.
- Privacy Concerns: Opens the door to tracking when, where, and how often your ID is presented.
- Implementation Flexibility: Depending on the issuer, this capability can be toggled silently.
Privacy vs. Practicality: The Debate
00:02:05 At first glance, real-time verification may seem entirely reasonable. After all, if an ID is revoked, expired, or flagged, shouldn’t the system know instantly?
00:02:16 However, there are notable catches:
- Surveillance Risks: The same capability enables individual tracking.
- Silent Activation: This feature can be turned on without the user’s knowledge.
These trade-offs highlight that implementation matters—a theme that will continue throughout our discussion.
Persona Spotlight: Dr. Rhea Jamison
00:03:19 Let’s introduce our first fictitious persona, inspired by real-world conversations. Meet Dr. Rhea Jamison, a dedicated privacy researcher with decades of experience collaborating with civil liberties groups and contributing to privacy-focused standards.
00:03:33 Dr. Jamison’s core concerns include:
- Default Avoidance of Surveillance: She argues that surveillance should never be the standard.
- Visibility and Consent: Any real-time verification must be visible, optional, and auditable.
- Risk of Inadvertent Activation: Once surveillance is technologically enabled, the pressure to use it grows.
00:04:12 In her view, cryptographic proofs and time-limited credentials should be leveraged to build systems that inherently avoid default surveillance—even if there are rare situations (such as border crossings) that might justify such features.
Persona Spotlight: Marcus Lee
00:05:11 Shifting to a different perspective, meet Marcus Lee, the imaginary Vice President of Fraud Strategy for a global financial institution. His world revolves around combating synthetic identity fraud, money laundering, and managing relentless regulatory audits.
00:05:37 Marcus believes:
- Stale Data Is Risky: Static credentials, which can’t be updated or revoked in real time, are a liability.
- Necessity of Real-Time Risk Signals: Fraud prevention demands immediate validation.
- Controlled Usage: While he doesn’t advocate for Phone Home as the default, he insists on its availability where risks and liabilities are pronounced.
00:06:02 To him, privacy policies, audits, and enterprise-wide safeguards can accommodate real-time verification without sacrificing necessary safeguards.
Persona Spotlight: Priya – Bridging Both Worlds
00:06:43 Finally, let’s meet Priya, an imaginary standards architect who encapsulates the balancing act between privacy and practicality. With extensive experience across multiple standards development processes, Priya strives to bridge philosophy with real-world deployment.
00:06:50 Her approach is all about designing systems that are:
- Visible: Phone Home capabilities should be transparent and clearly communicated.
- Limited: Device-based verification should be the default, with strict limits on server retrieval.
- Accountable: Every network retrieval must be logged for user review.
00:07:23 Priya’s vision emphasizes that designing for informed use with visible, enforceable boundaries allows for a dual benefit—supporting both privacy-first applications and high-risk scenarios.
Key Takeaways
00:08:06 The episode delivers a crucial message: designing flexible digital identity systems does not have to mean compromising core values. Consider these essential points:
- Surveillance vs. Fraud Prevention: One perspective argues to design out surveillance, while another insists on embedding risk signals to prevent fraud.
- Balanced Implementation: A middle ground is not only possible but necessary—standards can support both privacy and security with transparency and accountability.
- Informed Consent: Ultimately, users should be kept informed, in control, and protected at every step.
Final Thoughts & Call to Action
00:09:03 In conclusion, these perspectives are not mutually exclusive. As we build, standardize, and deploy digital credentials, let’s:
- Stay Engaged: Keep the conversation open rather than viewing it as a zero-sum game.
- Listen to Diverse Viewpoints: Every perspective—privacy, fraud prevention, and balanced standards—adds value.
00:09:22 Let’s build systems that truly reflect the trust we’re asking people to bestow upon us.
00:09:26 Thank you for listening to this episode of A Digital Identity Digest. If it helped clarify or spark your interest, please share it with a friend or colleague. Connect with me on LinkedIn at alflanagan and subscribe to the podcast on Apple Podcasts or your preferred platform.
00:09:38 Stay curious, stay engaged, and let’s keep these essential conversations going.

