On July 15, 2022, Senators Kyrsten Sinema (D-AZ) and Senator Cynthia Lummis (R- WY) introduced the long-awaited Senate version of The Improving Digital Identity Act. The House version was introduced in June 2021 by Representative Bill Foster (D-IL) and Representative John Katko (R-NY). Bipartisan sister bills in both chambers of Congress is newsworthy itself in 2022, but what it can do for everyday Americans is very promising.
Per the legislation, “The public and private sectors should collaborate to deliver solutions that promote confidence, privacy, choice, equity, accessibility, and innovation. The private sector drives much of the innovation around digital identity in the United States and has an important role to play in delivering digital identity solutions.” It also notes that NIST’s Digital Identity Guidelines (Special Publication 800-63-3) does not include requirements for providing identity attribute validation services that could be used to support identity proofing. Of note, Kuma is the global market leader in assessing vendors for compliance with NIST 800-63-3.
Today, vendors to an arguably good job of identity proofing and verification. Using our smartphones, we are empowered to open a bank account by taking a photo of our driver license and snapping a selfie. The behind-the-scenes technology verifies that the license presented is a real license and using facial matching algorithms the person on the selfie is the same person pictured on the license. But wouldn’t it be more beneficial to augment this approach with the state DMV verifying the data is accurate and matches what is in their system or the USPS verifying the mailing address is current and accurate in real time, all with consent of the individual? The Social Security Administration is progressing in this area with its electronic Consent Based Social Security Number Verification (eCBSV) service introduced in 2021. However, the SSA’s service is limited by law to banking. I’m sure healthcare organizations and retailers would love to utilize eCBSV as well which currently will take an active of Congress to change.
If passed, all levels of government; federal, state and local would take a more active role in verifying individual’s identities. It makes perfect sense since government, and not the private sector are the issuers of identity including birth certificates, social security numbers, driver licenses, passports and government agencies are the authoritative sources to verify them. I realize the likes of Meta, Apple, Google and Amazon create digital IDs, but their acceptance is limited outside of their platforms.
A key provision of the bill is the creation of an Improving Digital Identity Task Force within the Executive Office of the President. Its mission is to establish a government-wide effort to develop secure methods for federal, state and local government agencies to validate identity attributes and support interoperable digital identity verification in both the public and private sectors. The task force would be comprised of cabinet secretaries, heads of other federal agencies, state and local government officials, congressional committee designated members, and a position appointed by the president.
Some of the duties of the Task Force are to:
“recommend a standards-based architecture to enable agencies to provide services relating to digital identity verification in a way that—
(A) is secure, protects privacy, and protects individuals against unfair and misleading practices;
(B) prioritizes equity and accessibility;
(C) requires individual consent for the provision of digital identify verification services by a Federal, State, local, Tribal, or territorial agency;”
In addition, the Task Force would recommend principles to promote policies for shared identity proofing across public sector agencies, which may include single sign-on or broadly accepted attestations. On a small scale Login.gov does that today, but currently few federal agencies utilize it, and state and local governments do not.
We often think of the United States as a leader in most things, but when it comes to digital identity, the US is a laggard and lacks a comprehensive digital ID strategy. Canada, Australia, Sweden, the United Kingdom and New Zealand are in various stages of trust framework development. Notably, the Digital Identity and Authentication Council of Canada’s (DIACC) Pan-Canadian Trust Framework (PCTF) launched in 2021 and its Voilà Verified Program was officially launched in July. As the DIACC notes, “the PCTF supports the establishment of an innovative, secure, and privacy respecting Canadian digital identity ecosystem.” Kuma is a member of the DIACC, a true public-private partnership, and the first DIACC Certified Assessor and Readiness Advisor in the DIACC Voilà Verified Trustmark program.
The United Kingdom Government’s Digital Identity and Attributes Trust Framework (UK DIATF) is currently in a beta version and is being used in nationwide pilots to verify identities for renting an apartment, applying for jobs, and conducting criminal background checks. The UK DIATF will have significant teeth to it, as the government has announced that it will introduce legislation “to make digital identities as trusted and secure as official documents such as passports and driving licences.” Organizations will need to gain a new trustmark to show they can handle people’s identity data in a safe and consistent way.
Kuma was recently accredited by Kantara Initiative – UK as an assessor for the UK DIATF making Kuma the world’s first and only assessor to offer identity certifications for the U.S., U.K., and Canada.
The global pandemic revealed holes pertaining to digital identity, data protection and cybersecurity that exposed individuals, businesses and government agencies to online fraud. The legislation includes some staggering statistics:
- “Incidents of identity theft and identity fraud continue to rise in the United States, where more than 293 million people were impacted by data breaches in 2021.” With a population of 329.5 million, that represents 89% of Americans. I question that number, but I think most would agree that the number is too high.
- “Since 2017, losses resulting from identity fraud have increased by 333 percent, and, in 2020, those losses totaled $56 billion.”
If now is not the right time to improve the U.S.’ approach to digital identity, when will it be? Get started on improving your organization’s approach with a free consultation today.