After decades of cautiously watching from the sidelines, governments around the world have started investing in, rolling out, and regulating digital identity systems on aggressive timelines. These foundational changes to government infrastructure and the economy are happening largely outside public awareness, despite their generational consequences for privacy.
Digital identity systems implemented by governments today will shape privacy for decades. Whatever ecosystems and technical architectures are established in the coming years could ossify quickly, and it would take enormous political will to make changes at such a foundational level if society develops buyer's remorse once the ripple effects become clear.
That's why nearly 100 experts across technology, policy, and civil liberties have united around one principle: digital identity systems must be built without latent tracking capabilities that could enable ubiquitous surveillance. Thus, the nophonehome.com petition.
Who's Behind This
Civil society groups working on legal advocacy and industry oversight (ACLU, EFF), cybersecurity experts (including Bruce Schneier), privacy-by-design software companies of various sizes (Brave, many DIF members), and experts from university faculties (Brown, Columbia, Imperial College London) all signed on. The list includes authors of collaborative open standards, chief executives, state privacy officers, and other public servants. This is not a coalition of "activists" so much as a broad coalition of experts and policy-watchers sounding an alarm about consequential decisions passing largely unnoticed by the average citizen and end-user.
The breadth of this coalition reflects widespread concern about the technical and policy implications of embedded tracking capabilities.
What "Phone Home" Means
As a general rule, "phone-home" is a shorthand for architectural principles of tracking enablement (just as "no phone-home" refers to tracking mitigation, broadly speaking). When a verifier of credentials interacts directly with the credential's issuer—even if just to check validity or revocation status—they are "phoning" the credential's "home." This opens the subject and/or the holder of that credential to privacy risks, no matter how well the request is anonymized or handled. These API connections create data that can be combined, correlated, and abused, especially when verifiers share information or when issuers abuse their role.
The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning. Over time, little mismatches and slippages in how these protocols work get exploited and stretched, amplifying glitches.
In the worst-case scenario, some systems enable real-time revocation decisions, giving issuers—potentially governments—immediate control over citizens' ability to access services, travel, or participate in society. A natural tendency to "over-request" foundational documents in situations where such strong identification is unjustified is amplified by familiarity, lack of friction, and other UX catnip; all the SHOULDs in the world won't stop verifiers from doing it. And verifiers over-asking without also providing a fallback or "slow lane" can make a sudden or temporary unavailability of foundational credentials painful or even exclusionary. The side-effects and externalities pile up dangerously in this industry!
Technologists see these kinds of capabilities (phone-home of any kind, remote revocation, low-friction foundational identity requests) like loaded guns in Act 1 of a Chekhov play: "If this capability exists within a digital identity system, even inactively, it will eventually be misused."
The Scale and Timing Problem
Most foundational identity systems being implemented for national-scale deployment include system-wide phone home tracking capabilities, either actively or latently. Many policymakers involved in these rollouts are not even aware of the tracking potential built into the standards they are adopting.
Four factors make this moment critical:
- Scale of deployment: These systems will serve billions of users across developed nations, effectively replacing physical credentials.
- Precedent-setting effects: When one jurisdiction adopts tracking-enabled systems, it influences global practices and standards.
- Infrastructure persistence: Technical decisions made today will persist for decades, becoming prohibitively expensive to change once embedded.
- Mission creep inevitability: Capabilities developed for legitimate purposes like fraud prevention accrue new private-sector and/or public-sector use-cases over time under ordinary market pressures. Today's private-sector usage is tomorrow's public-sector secondary data market.
The Fallacy of "Privacy by Policy"
The fundamental problem with latent tracking capabilities is that policies change, but technical architecture persists. If a system has surveillance capability—even if unused—it will eventually be activated. Emergencies, changing administrations, or shifting political priorities can quickly justify "pressing the button" to enable widespread tracking.
The solution is simple: they cannot press a button they do not have.
Consider AAMVA's recent decision to prohibit the "server retrieval" capability throughout the U.S., a positive step that we welcome. However, most low-level implementations (e.g. core libraries) will likely implement the entire specification and leave it to the last-mile implementers to honor (or not) this policy. As an incubator of new specifications and prototypes, DIF feels strongly that jurisdiction-by-jurisdiction policies are just "turning off" what the specification still instructs software to implement, leaving it for later policies to turn back on at the flick of a switch. We believe the underlying ISO specification needs to remove "server retrieval" completely, lest every authority in the U.S. remain one emergency away from activating broad, identity-based surveillance of all citizens.
Privacy-Preserving Alternatives Exist
The choice between security and privacy is false. Offline-first verification operates without server communication—the credential contains cryptographic proofs that can be validated independently. The ISO 18013-5 standard itself includes "device retrieval" mode, a privacy-preserving alternative that functions entirely offline.
Even credential revocation can be implemented without phone home capabilities. Privacy-preserving revocation systems are in production today, proving that security and privacy can coexist.
The technology exists. The standards exist. What has been missing is commitment to prioritize privacy over the operational convenience of centralized tracking.
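An added illustration of the contrast drawn above (not code from DIF or from any standard): it models what an issuer can log when verifiers query status per presentation, versus when they check a cached, bulk-published revocation bitstring locally. The bitstring list is an assumed mechanism chosen for illustration, all names and sample visits are constructed, and signature verification of the credential and the list is assumed to happen elsewhere.

```python
from collections import defaultdict

class Issuer:
    """Constructed issuer that records everything it can observe."""
    def __init__(self, revoked_indexes, size=16):
        self.revoked = set(revoked_indexes)
        self.size = size
        self.log = []  # (verifier, credential_index) pairs seen by the issuer

    def check_status(self, verifier, index):
        # Phone-home: the verifier asks about one specific credential.
        self.log.append((verifier, index))
        return index not in self.revoked

    def publish_status_list(self):
        # Bulk list: one bit per issued credential, same bytes for everyone.
        bits = bytearray((self.size + 7) // 8)
        for i in self.revoked:
            bits[i // 8] |= 1 << (i % 8)
        return bytes(bits)

def is_valid_offline(status_list, index):
    # Local lookup against a cached copy; no request leaves the verifier.
    return not (status_list[index // 8] >> (index % 8)) & 1

def issuer_view(log):
    # What the issuer can reconstruct: which verifiers each credential visited.
    trail = defaultdict(list)
    for verifier, index in log:
        trail[index].append(verifier)
    return dict(trail)

def run_scenario():
    # Constructed presentations: (verifier, credential index)
    visits = [("pharmacy", 3), ("bar", 3), ("airport", 3), ("bar", 7)]

    phone_home = Issuer(revoked_indexes={7})
    online = [phone_home.check_status(v, i) for v, i in visits]

    offline_issuer = Issuer(revoked_indexes={7})
    cached = offline_issuer.publish_status_list()  # obtained once, e.g. via a mirror
    offline = [is_valid_offline(cached, i) for _, i in visits]

    return online, offline, issuer_view(phone_home.log), issuer_view(offline_issuer.log)
```

Both modes reach the same accept/reject decisions, but only the phone-home issuer ends up holding a per-credential trail of where it was presented.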
Moving Forward
Awareness is growing. We welcome developments like AAMVA's prohibition of server retrieval, but more work is needed across the broader digital identity ecosystem to eliminate latent surveillance capabilities entirely.
The Decentralized Identity Foundation develops standards that prioritize privacy, supports implementations that respect user autonomy, and advocates for technical architectures that prevent tracking and add friction to data misuse. Our membership includes many technologists and vendors designing tracking-free alternatives for these and other use cases.
We encourage you to read the full No Phone Home statement at https://nophonehome.com. Whether you are building, deploying, or using these systems, your voice matters at this critical juncture.
The question is not whether we can build privacy-preserving digital identity—it is whether we will choose to do so. Let's build it right.
The Decentralized Identity Foundation (DIF) is an engineering-driven organization focused on developing the foundational elements necessary to establish an open ecosystem for decentralized identity and ensure interoperability between all participants. Learn more at identity.foundation.