Digital IDs Must Be Safe, Secure and Accessible

The digital replacements for the ID cards in our pockets and purses have already arrived. 

Fourteen U.S. states have created some form of digital IDs, with more piloting and exploring mobile driver’s licenses, and the European Union will require member states to offer them as an option. Digital IDs are typically stored in a digital “wallet” on a user’s mobile phone, and they promise the ability to quickly verify users’ government-issued identities both in person and online.

While digital IDs offer convenience if implemented correctly, they may bring unwanted consequences, such as the potential to track people for reasons innocuous or nefarious. If it’s easy for us to present a digital ID, it’s also easy for a retailer to ask for it when someone wants to enter a store or access a website. And unlike traditional physical ID cards, by default digital credentials leave electronic trails. Companies could match IDs to consumer databases and gain a granular view of consumers’ behavior, which they could then resell for digital ad and direct mail targeting along with other commercial uses. If that data is vulnerable to being hacked or stolen, digital IDs could offer potent avenues for theft and fraud.

Digital ID verification systems could also be configured to “phone home” to a government agency or contractor, potentially creating a central record every time users present an ID. The keepers of the information would gain a powerful way to surveil ID-holders, which would only grow as more and more social and business interactions require people to show their digital papers. 

Conversely, systems based on ubiquitous digital IDs tied to smart phones may exclude some people entirely. Not everyone will have a sufficiently-advanced phone or be able to operate one, perhaps because of age or disability. Cell phones also have a habit of running out of power, and someone with a dead phone might not gain entry to an event or access to important information online if we become over- reliant on digital credentials. Technology for instant ID verification makes it much easier for companies to exclude people they don’t want to serve or block content from certain groups of people, based on age, citizenship or immigration status, financial records, etc.

As of now, states in the U.S. are implementing digital ID systems individually, with little or no federal coordination on the horizon. They’re also facing pressure to create these systems from industries that see clear benefits from the ability to seamlessly verify customers – for instance, car dealerships vetting buyers or age-restricted businesses like bars verifying their patrons’ ages. If digital ID mechanisms are set up too hastily, however, the public has no guarantee that they’ll protect privacy effectively and ensure the broadest access possible.

Digital IDs potentially have good use cases, as long as these systems are built in safe and secure ways. What’s needed is coordination, led by an engaged, inclusive program of stakeholders including technology companies that produce digital IDs, corporations that use them, governments that oversee the process, and civil society organizations and consumer representatives who can advocate for the public interest throughout. 

CDT was recently invited to participate in a meeting hosted by the Better Identity Coalition, an initiative of Venable’s Center for Cybersecurity Policy and Law. The coalition includes major banks and tech companies and is focused on working with states to design digital ID systems. At the event, CDT made clear that ensuring users will be protected by systems that put privacy and security at the center of their design is the best path forward for digital IDs that work for everyone. Concrete improvements – including both legislative safeguards and technical protections – are necessary to prevent inappropriate overasking, coercion, exclusion, and breaching of users’ digital IDs, and to enable meaningful consent and proper accountability.

CDT is actively collaborating with colleagues at Georgetown’s Beeck Center for Social Impact and Innovation to develop clear, actionable guidance for managing identity in digital contexts to enable access to government benefits, including by maintaining analog approaches for those beneficiaries for whom digital approaches simply aren’t viable. 

The widespread use of digital IDs may seem almost inevitable at this point, but avoiding annoying, harmful, and discriminatory outcomes is far from assured. We’re eager to participate in multi-stakeholder collaboration — including corporate, government, and civil society actors — to make it more likely that digital IDs benefit users rather than expose them to harm.