SecureMac, Inc.

Checklist 236: ID in Apple Wallet with Nick Leon

June 24, 2021

On this Checklist, we’ll talk about ID in Apple Wallet. We’ll cover what it is, why some people are worried about security, and more.

Checklist 236: ID in Apple Wallet with Nick Leon

On this week’s Checklist, we’ll talk all about ID in Apple Wallet. We’ll cover:

An end to physical wallets?

At this year’s WWDC, Apple introduced an upcoming feature called ID in Apple Wallet.

The concept is very simple. Apple Wallet will be able to store your official identification — things like driver’s licenses and state-issued ID cards — on your iPhone.

In a way, this is just an extension of how people already use Apple Wallet. At the moment, the app can store credit cards, loyalty cards, airline tickets, and more. But ID in Apple Wallet is an important development, because up until now, you still had to carry around your physical ID for official purposes. As Apple puts it, the new feature aims to make iPhone users “fully free of their physical wallets”.

To begin with, ID in Apple Wallet will only work with a few participating US states. But in time, it should be more widely available. Apple says that its first major partner organization will be the Transportation Security Administration (TSA), which will soon begin accepting ID in Apple Wallet at airport security checkpoints.

The functionality appears to be straightforward as well. You use the Apple Wallet app to scan your ID card and store the data on your iPhone. Then, when you come to a participating ID checkpoint, you just tap your device to identify yourself. ID in Apple Wallet works the same way that Apple Pay does — transmitting data via NFC — so there shouldn’t be any need to hand over your actual device to anyone else.

But … is it safe?

ID in Apple Wallet sounds interesting, to be sure. But there are security and privacy concerns about the technology.

The first major worry is data breaches. What happens if Apple loses all of your ID information, letting it fall into the hands of the bad guys?

It’s an understandable concern, but probably not something to be overly worried about. We don’t know all of the technical details of how Apple will implement the new Wallet feature, but we do have a general outline. Apple has said that ID data will be encrypted and stored in the Secure Element. The Secure Element is a special chip in your iPhone designed to store Apple Pay data safely. It protects data with strong encryption, and walls the data off from the other apps on your device. The Secure Element chip also sends stored payment data directly to the merchant via NFC. In other words, during a point-of-sale transaction, no data is actually routed through Apple’s servers.

In terms of ID in Apple Wallet, all of this tells us several things:

  • Any ID data you put into Wallet is going to be protected by strong encryption, because it’s stored in the Secure Element.
  • Your data isn’t going to be accessible to other apps on your iPhone. This rules out the possibility of a rogue app sneaking a peek at your ID info.
  • Your information will be transmitted directly to whoever is asking for it by NFC. It’s not going to have to go through Apple’s servers each and every time you use ID in Apple Wallet.

However, this doesn’t mean that Apple will never have your ID data on its servers. In fact, that’s one of the big unanswered questions about ID in Apple Wallet: To what extent will Apple itself process and store ID data?

Again, Apple Pay provides a clue. When you set up new cards, data is routed to Apple during the card verification process. Something similar might be needed in order for states or government agencies to verify your ID. If so, there’s every reason to believe that Apple would use strong encryption to protect your data during the process, and that it wouldn’t hang onto your ID data any longer than it had to.

In general, it’s a pretty safe bet that Apple won’t store ID data if it doesn’t have to. The company already makes a point of not hanging onto credit card data. They also exclude certain types of financial data from iCloud backups. It’s still not clear if your ID in Apple Wallet info will be part of your iCloud backups, but if it is, it will be protected by strong encryption.

Social concerns and long-term effects

Some experts have voiced concerns about the long-term effects of ID in Apple Wallet. 

They point out that if digital ID becomes commonplace, this could produce unintended social consequences, as well as a thorny legal situation for people in the United States.

For example, they say that ID in Apple Wallet may lead companies and authorities to assume that everyone has ID on them at all times. They worry that this could lead them to ask for ID in situations where they never did before. As one expert puts it, this could create a society in which “we always have to identify ourselves”. 

One legal expert points out that the US doesn’t have a strong national data privacy law like the EU’s GDPR. If Apple did mishandle user ID data, it could be very hard to hold them accountable.

These are valid concerns, but there’s reason to think that ID in Apple Wallet won’t create massive social change overnight.

For one thing, it’s only going to roll out in a few US states at first. That is to say, not everywhere in the United States, and certainly not worldwide. In addition, the technology can only be used by people with compatible iOS devices. And in terms of the general US population, that’s not even close to a majority. It’s therefore unlikely that there will be a sense that “everyone” has ID in Apple Wallet. Realistically, only a limited number of people will be able to use the feature for the foreseeable future.

In terms of data breaches, again, legal experts are right to be concerned about the lack of a national data privacy law in the US (especially when it comes to holding big companies to account). But in terms of ID in Apple Wallet, Apple is using the exact same tech that they already use to secure highly sensitive data such as payment information. As a company, they’ve demonstrated time and again that they prioritize user privacy and security, and tend not to collect or retain data if they don’t have to. In short, Apple probably isn’t going to store much ID data that could be leaked — and anything they do store is going to be very well protected.

That said, we still need to learn more about how Apple will implement ID in Apple Wallet. We also need to keep watch over which organizations want to partner with Apple to accept digital ID. As with all things life and tech and social change, we’re going to need to keep an eye on the consequences of all of this — both good and bad.

That brings us to the end of this Checklist, but if you’d like to go on learning about digital security and privacy all week long, check out our show archives. You’ll find audio for every single episode of The Checklist along with complete show notes and links to the articles and resources discussed. If you want to ask an Apple security question, or just a general cybersecurity question, please write to us! We’ll always try to help you with an answer, and we may feature your question on an upcoming segment of the podcast.

Join our mailing list for the latest security news and deals