Abstract: The United States currently relies on a decentralized approach to individual identification (ID). A government-backed digital identity system posits many advantages, including enhanced security, reduced identity theft, increased convenience and efficiency, and economic benefits. However, critics of a national ID card system raise concerns about privacy, civil liberties, and government overreach. Yet the digital age compels reevaluating identity management, and each of these concerns can be adequately addressed.
The international landscape shows acceptance of government-backed digital identities. The European Union has embraced efforts to promulgate digital identities with its European digital wallet initiative. Similarly, Estonia’s e-Residency program is a successful, longstanding government-backed digital identity system. These systems prioritize security, privacy, and interoperability, setting examples for the United States to consider.
To implement a government-backed digital identity in the United States, a comprehensive regulatory and legal framework is crucial. This framework would need to address concerns at the heart of the national ID debate and public aversion to technology. Federal legislation, compliance with existing data privacy laws, and regulatory oversight are key components. Further, assistance and cooperation with federal agencies will be helpful in establishing a trusted and secure digital identity framework.
A user-friendly, secure, and transparent system can foster trust and acceptance among the public, ultimately modernizing and securing digital interactions in the United States. In an increasingly digital and connected world, the United States should implement the legal framework necessary for a privacy-aware and user-controlled government-backed digital ID.
Citation: Brooke Norton, Comment, Navigating the Legal Framework: Implementing A Government-Backed Digital Identity in the United States, 64 Jurimetrics J. 169–99 (2024).
Digital identity is the online persona or virtual representation of an individual. Verification of digital identity applies identity proofing and authentication mechanisms. Identity proofing confirms whether the online persona corresponds to a specific real-world identity.
Government-backed digital identity, or electronic identification (eID), offers a mechanism for individuals to prove their true, legal identities online. The principal aim of an eID is to furnish citizens with a convenient and dependable means of accessing government services, executing secure online transactions, and engaging with various entities and enterprises within the digital landscape.
Individuals must undergo robust verification processes to create secure and trusted eIDs. This may involve submitting physical identity documents, undergoing biometric scans, or providing other evidence of identity. Once issued, an eID can authenticate an individual online. eIDs allow users to securely log into websites and access services without the encumbrance of managing multiple usernames and passwords.
Systems for eIDs include strong security measures to safeguard personal information, such as cryptographic data security. As multiple countries deploy eIDs, the systems should be made interoperable across state borders, government agencies, and private sector services to enable seamless access. Ensuring the technology is compatible internationally will also benefit travel and international business.
Most countries have a national ID card, including the majority of European, African, and South American countries. Many of these countries also have digital national ID cards. National ID cards provide a government-issued, standardized means of identifying individuals. Standardized identification streamlines administrative processes and improves access to online government services. Further, national ID cards allow individuals to move freely within a designated territory and participate efficiently in transactions.
The United States does not have a national ID card system. Instead the United States relies on ID documents issued by federal, state, and local authorities. The American Civil Liberties Union (ACLU) has been an opponent of national ID cards for decades, expressing both skepticism and resistance. This opposition is grounded in the ACLU’s work to safeguard individual privacy and apprehensions surrounding government overreach. The ACLU has also expressed fear that a national ID system increases government surveillance of U.S. citizens. In this way, national ID cards have been associated with more general apprehensions about government overreach and the potential for misuse of personal information.
The United States’ federal system also presents an obstacle to a national ID system. The Tenth Amendment provides that powers not delegated to the federal government are reserved to the states. The federal system allows for states to primarily oversee ID management. Any national ID system must comply with the Tenth Amendment and would require coordination between state and federal government.
Paradoxically, the absence of a national ID system has led to social security numbers (SSNs) being used as part of a de facto national ID system. SSNs were created to keep track of earnings, not to be a universal identifier. Because SSNs were not created to be national ID documents, they do not have the robust security backing of a national ID system. This Comment reviews the current landscape of digital identity in the United States at the state and federal levels. It then reviews the legal landscape, including privacy and identity rights, as well as related Constitutional arguments. As a point of comparison, this Comment then reviews the international landscape for eID implementation, focusing on the European Union and Estonia. Finally, this Comment analyzes potential advantages of an eID system for the United States, aspects of implementation, and potential issues with that implementation.
The absence of a federal government-backed digital identity system should not be misconstrued as a lack of government involvement. Many states have implemented mobile driver’s licenses (mDLs). Further, the Improving Digital Identity Act of 2023 coordinates federal, state, and private sector efforts to adopt and develop digital identity tools.
Several states, including Arizona, Florida, and Louisiana, have already introduced digital versions of state ID cards and driver’s licenses. Over twenty states, including California and New York, have either considered or launched digital versions of driver’s license such as mDLs. mDLs are digital versions of physical driver’s licenses using modern cryptography to produce tamper-resistance identity files. Stored virtually, mDLs serve as a form of government-issued ID. Authorities such as the Transportation Security Administration (TSA) accept the use of mDLs for identity verification. However, police acceptance of mDLs varies by state.
Major cell phone companies such as Google and Apple have incorporated support for storage of mDLs on their mobile devices. For instance, Apple enables users to securely store mDLs by mandating biometric verification for access. This ensures the person accessing the document on the phone is the owner.
The evolution of mDLs is intrinsically linked to the broader concept of establishing a government-endorsed digital identity framework. mDLs provide the groundwork for eIDs and allow for an interoperable approach. The authentication mechanisms used for mDLs can potentially be integrated into a broader government-backed digital identity framework, offering a standardized way to verify identity online. The active involvement of state governments in issuing mDLs further lays the foundation for the development of a digital identity ecosystem.
Utah was the first state to incorporate blockchain technology in digital identity management. Governor Cox signed H.B. 470 into law in February 2023. The bill requires the Utah Division of Technology Services to provide recommendations for certain digitally verifiable records. Blockchain allows digital identities in Utah to be mathematically verified, enhancing security and making identity documents tamper resistant. Overall, Utahns have embraced the recent technology bills, with concerns centered on ensuring community involvement.
Utah’s use of blockchain represents a remarkable advancement in the realm of digital identity management. Using blockchain in digital identity management is promising because of its decentralized nature, which allows users greater control over their personal information and increases security and privacy.
In March 2023, the Biden Administration unveiled its National Cybersecurity Strategy, which included Strategic Objective 4.5 entitled “Support Development of a Digital Identity Ecosystem.” The strategy objective touted the superiority of digital identity standards and stated that the federal government would encourage investments in broad digital identity solutions, including updating standards and governance. The strategy objective also emphasized the need for privacy and interoperability, setting a foundation for the evolution of U.S. digital identity practices.
Subsequently, in July 2023, the White House released the National Cybersecurity Strategy Implementation Plan. But a plan to implement Strategic Objective 4.5 is not provided. However, it is important to note the absence of such provisions does not preclude Strategic Objective 4.5 from being addressed in a later iteration. At a press briefing, Acting National Cyber Director Kemba Walden said the implementation plan is a living document, which will evolve in response to completion of initiatives and the current landscape.
The Improving Digital Identity Act is a bipartisan bill introduced by Arizona Senator Kyrsten Sinema in 2023. The Act calls for a public-private partnership to promulgate a digital identity system and promotes the development of digital versions of physical identity credentials. This Act also champions privacy by requiring individual consent in digital identity verification services. The Act has more traction than the 2020 version of the same name. If the new bill is adopted, the Act will establish an Improving Digital Identity task force that will provide recommendations in the digital identity sphere to federal and local governments.
Ultimately, the Improving Digital Identity Act lays the groundwork necessary to build an eID system. By encouraging states to establish digital identity platforms, the United States will be investing in the technology necessary to make the leap to a national digital identity.
Implementing any digital identity system in the United States necessitates compliance with existing privacy laws. Notably, the United States lacks a comprehensive federal privacy law. Consequently, an eID system must navigate a complex web of federal laws protecting various privacy concerns. Similarly, navigating state privacy laws is complex because state laws vary in scope and requirements. However, this Comment assumes that an eID system would be established through regulatory legislation and would potentially preempt state law.
One pertinent federal law is the Health Insurance Portability and Accountability Act (HIPAA), which covers health information and establishes rules for the use and disclosure of protected health information. HIPAA applies to covered entities and businesses that create, receive, maintain, or transmit protected health information (PHI) in relation to certain healthcare transactions. HIPAA also has a designation for hybrid entities that perform both healthcare and non-healthcare functions.
Because covered entities cannot disclose PHI under HIPAA, they cannot divulge this information to a potential eID regulatory agency. eIDs should not use PHI as part of identifying individuals. Compliance with HIPAA may help mitigate governmental overreach that critics fear.
Another vital federal regulation to consider is the Children’s Online Privacy Protection Act (COPPA). COPPA establishes a strict set of guidelines for online businesses to protect the personal information of children under the age of thirteen who use online services. COPPA also requires operators to obtain parental consent, provide notice and choice to parents, and implement reasonable safeguards to protect the child’s data. A regulatory agency overseeing eIDs would likely fall under COPPA’s purview if eIDs became accessible to children. Therefore, if children are eligible for eIDs, an agency must consider compliance with COPPA.
HIPAA and COPPA represent two important federal regulations that must be considered in implementing a digital identity system. An eID system must follow federal laws and create a safe and secure platform for users.
There is no definitive right to identity in the United States. Rather, federal and state laws form a patchwork of identity protection. State laws providing identity protection vary in their scope and the degree to which they allow individual control of identity. For example, the right of publicity is a state-level protection that gives individuals the exclusive right to license the use of their identities or likenesses for commercial purposes. State privacy laws can also protect against misuse of personal information and data.
At the federal level, identity laws primarily aim to protect individuals from identity theft and fraud. Federal privacy laws also provide individual protection over various aspects of private information.
eIDs have the potential to provide stronger individual control over identity. Moreover, eIDs can help mitigate the gaps left from the absence of an explicit right to identity.
National ID cards have been a longstanding subject of debate. Particularly, after the September 11, 2001, terrorist attacks in the United States, renewed debate surrounding national ID cards arose. The ACLU is a longstanding critic, arguing that national ID cards raise privacy and civil liberty issues. Critics fear national ID cards would enable abuses of power if linked to other government databases. However, eIDs can pass Constitutional muster. Respect for privacy rights and safeguards to prevent governmental overreach can be put in place when establishing an eID system.
Critics have long viewed any federal identity regulation as a Tenth Amendment violation. Pushback on the Real ID Act of 2005 provides an example of these concerns. The Real ID Act establishes “minimum security standards” for driver’s licenses. Opposition has delayed Real ID from a complete rollout, with a current deadline of May 2025. Critics see Real ID as an intrusion into state authority to regulate identification. Nevertheless, the Real ID Act has survived these obstacles and so too can a national digital identity system approach.
Implementation of eIDs in the United States could include features that demonstrate respect for state autonomy and individual rights. This could be achieved by allowing states to issue their own eID cards that meet federal standards for security and verification, while allowing for any state-level needs. This would mirror the E.U. approach, which allows member states to use national ID cards as identity and travel documents recognized by all member states.
eIDs can respect individual autonomy by allowing voluntary participation, limiting the scope of personal data they include, and limiting the purposes for which personal data can be used. This can potentially assuage some Tenth Amendment concerns. Similarly, the system should protect individual rights by restraining eIDs to contain only essential information and ensuring privacy safeguards.
In general, an individual must prove an invasion of a reasonable expectation of privacy to have standing under the Fourth Amendment. Information provided voluntarily to obtain ID documents is not considered a Fourth Amendment violation. Similarly, proper oversight should ensure eID information is safeguarded to prevent any Fourth Amendment issues.
Similarly, the device on which an eID is stored would remain protected from unconstitutional searches and seizures. This would follow the overall trend of providing protections to devices subject to a warrant and compelled biometrics. Individuals presenting their eIDs for identification purposes should not be compelled to hand over their entire phones. A warrant should be necessary to access an individual’s device with an eID, even if the eID on the device was being used for identification purposes with the police.
The Fifth Amendment requires due process of law before a person is deprived of life, liberty, or property. An eID system must provide accurate information with a fair and transparent process to correct errors and ensure that due process is not violated.
The Fourteenth Amendment prohibits government discrimination based on race, gender, religion, or nationality. An eID system must not discriminate or violate the Fourteenth Amendment. Constitutional principles of equal protection should be upheld within the framework of a national digital identity system.
Over 150 countries are either exploring or have implemented government-backed national digital identity management systems. The global stage showcases different ways to balance the benefits and challenges of digital identity management on a national level.
Article Eight of the Convention on the Rights of the Child establishes the right for children to have legal identities. Over 194 countries have ratified the treaty, making it one of the most widely ratified treaties in history. Notably, the United States is one of three countries that have not ratified the treaty.
The United Nations Agenda for Sustainable Development aims to provide legal identity for all by 2030. The United Nations has made substantial efforts to achieve Goal 16.9, including the launch of the Legal Identity Agenda (LIA). The LIA is a coordinated effort to reach Goal 16.9 and related targets.
In 2021, the European Commission introduced the European Digital Identity Wallet (EUDI) initiative. The EUDI initiative aims to provide individuals in the European Union with a secure and interoperable digital identity solution. EUDI is an integral component of the proposed European Digital Identity Framework Regulation, which aims to enable European citizens to securely prove their identities online. The European Parliament and the E.U. Council are currently discussing the regulation.
EUDI wallets are engineered to empower E.U. citizens with greater control over their personal data and facilitate seamless access to online services across E.U. member states. The European Commission provides a framework for linking and recognizing these identities across borders. Notably, EUDIs will not be compulsory; everyone in the European Union possesses the right to obtain an EUDI, but no obligation mandates their use. Europeans largely support the EUDI initiative with over eighty percent of Europeans supporting promotion of common digital rights and principles.
On June 3, 2021, the European Commission adopted a recommendation for member states to work toward EUDI development. On February 10, 2023, the European Commission published the first version of the common E.U. toolbox to implement the EUDI program. The E.U. toolbox serves as the technology backbone for EUDIs, ensuring safety, interoperability, and user-friendliness. Four large-scale pilot projects involving over 250 companies and authorities across twenty-five member states were launched on April 1, 2023. The pilot projects tested the wallets in real-life scenarios. The Commission provides a prototype of the wallet used in the pilot projects as an open-source reference for member states and other contributors.
Crucially, an EUDI is intended to be interoperable across E.U. member states. EUDI holders can seamlessly use EUDIs to access public services, such as filing taxes or checking social security information, regardless of their geographical location within the European Union. EUDI wallets give users control over personal data, so users can decide what information is divulged, and to whom. EUDIs place a strong emphasis on security and privacy. Robust authentication mechanisms and data protection measures are essential to ensure the trustworthiness of the digital identity ecosystem.
Before EUDIs were introduced, many Europeans expressed concern about cyberattacks and crime related to digital IDs. Like opponents of national IDs in the United States, some Europeans fear EUDIs will lead to government surveillance. Some digital rights activists worry EUDIs could allow the private sector to better access people’s government-certified information. Others fear EUDI will create a scheme where members of the private and public sectors consort to roll out digital identities for nefarious purposes. However, about half of E.U. citizens trust the European Union to protect their rights online, and there has not been a large-scale concerted effort to oppose the rollout observed thus far.
Overall, EUDIs contribute to a broader digital market. People and businesses can participate in online transactions and activities across E.U. member states. The European digital wallet, in this context, builds on the foundation laid by government-sponsored digital identity systems within E.U. nations while concurrently harmonizing standards and interoperability.
Estonia is renowned for its government-backed digital identity system. It has been a pioneer in digital innovation and e-governance for over twenty years. In 2014, Estonia established its e-Residency program, marking itself as the first country to launch an entirely digital government-backed identity. The program provides e-residents with a transnational digital identity that can be accessed anywhere. In 2018, Estonia launched an identification mobile application, Smart-ID, which allows users to prove their identities.
A key element to Estonia’s success in digital governance is its strong national ID card system. Estonia issues every citizen a smart ID card containing a microchip embedded with encryption keys. The ID card is linked to a unique personal identification code. A code-based infrastructure called KSI Blockchain powers Estonia’s digital record, which allows users to verify the authenticity of any record. The eIDs can be used across sectors and to provide digital signatures.
Estonia’s government-backed digital identity system has been successful in fostering digital innovation, promoting entrepreneurship, and improving government efficiency. However, the Council of Europe criticizes Estonia’s openness in allowing people not located geographically within the country to become “e-residents.” Because e-residents can access the Estonian business environment, the Council sees this as a potential money laundering issue. Nevertheless, many e-residents conduct business legally and provide larger tax contributions based on the profitability of their businesses.
An eID system could offer several advantages for U.S. residents. eIDs provide elevated security measures compared to their physical counterparts. eIDs also promote efficiency in government services and transactions, and they facilitate both international and domestic travel. A digital identity system can bolster innovation, streamline administrative processes, and increase efficiency in both the private and public sectors.
In 2022, approximately 15.4 million U.S. adults fell victim to identity fraud, resulting in roughly US$20 billion in losses. Among the top ten stolen data attributes were individuals’ names, SSNs, and driver’s licenses. An increase in identity scams has also been seen in applications for government benefits. For example, in North Carolina, scammers stole US$1.3 million from the Supplemental Nutritional Assistance Program (SNAP) in the first half of 2023, compared to approximately US$338,000 in 2022. These types of scams result in a waste of resources for the entire system. Similarly, scam applications for benefits can have a huge impact on individuals who may not be able to apply for benefits because of a scam.
An eID system would reduce dependency on unsecure physical documents that exacerbate identity theft and fraud. Similarly, using smart chip technology can help reduce the risk of skimming information from magnetic card swipes. eIDs would also need robust authentication methods and a securely designed system, which could mitigate identity theft and fraud. Reducing these risks may help ease public anxieties and save money invested in preventing these crimes.
eIDs also facilitate secure online transactions, which can mitigate identity theft and prevent harm from fraud. Instead of using a social security number as proof of identity, a unique identifier or token representing an individual’s identity should be used. This, in turn, will ensure the parties to a transaction are verified and will decrease the ability of identity thieves to use stolen identifiers.
In the same way, digital identity systems can help lessen security risk factors linked to cyber security threats. If eIDs are securely designed with an emphasis on user privacy and consent, they should allow for individual control over a user’s data.
An eID system could enable users to access a wide range of online services and websites with a single set of credentials, eliminating the need to remember multiple usernames and passwords. By facilitating secure online transactions, an eID system could also reduce personal or work time spent on activities such as signing contracts, completing financial transactions, and accessing government services.
Further, remote access to government services is not only efficient but also invaluable during emergencies. eIDs provide a faster verification process for governmental aid during emergencies, even if their physical counterparts are lost. For example, during Hurricane Laura, Louisiana residents were encouraged to use their digital identities via the Louisiana digital wallet to apply for disaster aid. The Department of Children and Family Services said this would speed up the process and make it easier for applicants to receive approval for benefits.
Digital identity verification can significantly speed up processes and reduce paperwork, including accessing healthcare records, applying for government benefits, and completing financial transactions. Being able to access government services quickly and easily will reduce the administrative burden on agencies and provide an efficient and accessible experience for the individual. eIDs also allow for efficient delivery of government services and reduce human error in identification.
Additionally, eIDs can streamline border control and international travel, making it easier for individuals to cross borders and for goods to move among countries. As eIDs become more ubiquitous on the international sphere, they will also facilitate smoother international travel by providing a secure and recognized digital form of ID.
Efficiency can also drive participation in and accessibility of government services. Providing secure remote access to services will lessen the burden of participating in government programs. People are often required to go to government buildings during work hours to seek services. With eIDs, people do not have to take valuable time off work to receive benefits such as welfare or nutrition assistance.
Further, eIDs have the potential to revolutionize voting in the United States. As a secure authentication mechanism, eIDs can assuage concerns surrounding electronic voting by allowing secure electronic access. Using eIDs will improve the integrity, accuracy, and security of voting.
Some U.S. citizens already vote electronically, but online voting is largely seen as a security concern. Online voting has the potential to increase voter turnout, especially for individuals who face barriers to voting such as those living abroad. Online voting also saves time and resources. Because they are a secure authentication mechanism, eIDs can provide a step toward being able to safely and securely vote online.
eIDs have the potential to streamline and optimize government agency operations. A study by the McKinsey Global Institute estimated the United States could realize up to a four percent increase in gross domestic product, or US$995 billion, by 2030 with the adoption of digital IDs. This economic value is established from digitizing services, formalizing economic flow with regulations, and promoting inclusion in such services.
Likewise, the private sector stands to benefit from the adoption of an eID system. Digital identity systems can reduce administrative expenditures in the private realm as well as stimulate innovation and transactions. Simplified identification processes can attract businesses to invest and operate in a jurisdiction, driving economic development.
The establishment of a U.S. eID system would require legislation to lay the legal foundation. This legislation would need to define the scope, purpose, and governance of the system, as well as address key privacy and security principles. The legislation would coordinate with current law and address which agencies would assist with overseeing the digital identity system.
The priority for implementing an eID system should be ensuring the framework is consistent with current laws. This would require a coordinated effort between federal and state authorities, which would help ensure interoperability and accessibility of eIDs. The framework would also need to balance the goals of enhancing security, privacy, and convenience for individuals with the goals of fostering innovation and economic growth.
When a robust framework is in place, the government should then focus on establishing a secure enrollment process. This step will require physical documents that are used in identity verification such as passports, social security cards, and drivers’ licenses. Likely, this will have to be done at a government office to ensure security in verification. Thereinafter, the issued eID should be able to operate the same as a physical document would.
As with any platform, a national digital identity system carries some privacy and cybersecurity risks. Addressing privacy issues will encourage adoption and ensure no harm is done because of the system. Because the United States lacks a comprehensive federal privacy law, a digital identity system must proactively address privacy concerns in the absence of an explicit legal obligation.
The foundational step to protecting privacy in a digital identity system is implementing privacy and security by design. Privacy and security by design will help manage risks related to privacy in a digital identity system. This can be achieved by inputting a data privacy centered framework into the digital identity system. Regardless of the technology architecture used in the system, ensuring a data privacy centered implementation will mitigate personal privacy issues.
Regulatory oversight of an eID system is indispensable in assuring compliance with privacy, security, and interoperability standards. Regulatory agencies must possess the authority to investigate and enforce these standards. Given the paramount importance of privacy and safety standards in an identification system, a new regulatory agency might be warranted.
The Department of Homeland Security (DHS) is responsible for ensuring the security and resilience of the nation’s critical infrastructure. One initiative DHS oversees is the implementation of the REAL ID Act, which was enacted as a national security measure in the wake of the September 11, 2001, terrorist attacks. Real ID standards ensure the security and integrity of ID documents. Real IDs also ensure interoperability, which is crucial for national security and law enforcement agencies because they need to verify identification.
Given the alignment of scope and purpose of eIDs and Real IDs, DHS is well suited to oversee implementation. Like Real IDs, eIDs should be interoperable and provide consistent identity management. DHS could provide valuable assistance in implementing digital identities.
The National Institute of Standards and Technology (NIST) is a nonregulatory agency within the Department of Commerce. NIST promotes innovation by publishing guidelines for best practices in science and technology. For example, the Special Publication 800-63 series provides technical requirements for identity proofing, authentication, and federation that would be incredibly helpful in establishing eIDs. Although these guidelines are voluntary, they provide a framework to adhere to when developing a more robust regulation for digital identities.
NIST would be extremely helpful in establishing guidelines and assurances for eIDs. NIST could provide recommendations for both public and private actors after the rollout of eIDs. NIST would likely also encourage collaboration among federal government, local government, private industry, and international actors to ensure interoperability.
The General Services Administration (GSA) is an independent agency with the primary goal of providing the best customer experience for U.S. citizens and residents. The GSA works to streamline digital services. One of the GSA’s strategic goals is enhancing a trusted, accessible, and user-centric digital government.
The GSA operates the Federal Identity, Credential, and Access Management (FICAM) program. FICAM coordinates the development and implementation of identity, credential, and access management across the federal government. This ensures only trusted individuals are accessing government systems. FICAM provides a set of policies and tools for federal agencies to provide exemplary services.
The GSA would likely provide services, standards, and infrastructure to help support the implementation of eIDs. Moreover, the GSA could assist in technology procurement or advancement for eIDs. The GSA would also likely be called upon to assist if a new regulatory agency were created to manage digital identities.
The Office of Management and Budget (OMB) serves the President in overseeing implementation of the President’s vision across the Executive Branch by meeting objectives. In 2019, the OMB issued Memorandum M-19-17, which provides a policy framework for enhancing the federal government’s identity services. As the agency responsible for developing the federal budget, the OMB would be essential in allocating funding to implement an eID schema. The OMB would ensure the implementation of an eID system is well planned, funded, and aligned with the government’s policies.
Several federal agencies would be involved with the implementation and maintenance of an eID system. However, the broad oversight needed would likely call for a new federal agency. While the Improving Digital Identity Act proposes a task force, the Act has a sunset provision after three years. Further, the task force has the primary objective of overseeing the implementation of digital identity systems. A regulatory agency overseeing eIDs would have a broader scope in overseeing the regulatory framework of eIDs from conception to maintenance.
A new federal agency would also provide a centralized authority for coordinating and developing digital identity standards and solutions. This would offer consistency and ensure interoperability, security, and privacy. Although many agencies oversee parts of this, having a dedicated agency for eID oversight would be preferable. With something as important as identity, ensuring standards are met is imperative.
A regulatory agency could also provide mechanisms for adjudication of any issues or grievances associated with the digital identity system. With digital identity, individuals should be able to bring to light issues faced or challenge decisions related to their digital identities. As with any regulatory agency, a digital identity agency would require careful planning to ensure specialized expertise.
Interoperability is essential in a digital ID system to ensure an individual’s eID carries the same weight as a physical ID document. This allows travel and trade in different regions. Interoperability also facilitates access to services regardless of physical location. Ensuring interoperability for eIDs is important on both a national and international level.
In the United States, interoperability is particularly important because of our state system. To achieve interoperability, a digital identification system would need appropriate systems and governance frameworks. Compliance with existing standards such as those issued by NIST would be essential.
Coordinating implementation among federal, state, and local governments is something a regulatory agency created for eID implementation would be helpful for. The agency in charge could also facilitate interoperability by providing a common platform or service, which would allow users to access government services at all levels.
Interoperability is also important in the international sphere. However, more challenges exist on the international level. Nine countries have worked to implement an interoperable framework for digital identities, creating the Digital Exchange Digital Identity Working Group (DIWG). The DIWG collaborates to ensure mutual recognition and interoperability of digital identities and posits that consistent standards for digital identity show that cross-border interoperability is possible. International interoperability of eIDs could be achieved in the same way passport interoperability has been achieved.
By implementing common technology and standards, eIDs can be interoperable. The regulatory framework in the United States should align with international standards to garner cross-border recognition and acceptance. By emphasizing security standards such as those established by the DIWG, the U.S. eID system would likely be interoperable on the international stage.
To unlock the potential of eIDs, the government should have and use adequate technology. This includes using current technology and investing in secure methods for the future. Further, there should be anticipation of exclusion risk or grievances, and internal support mechanisms such as consumer support should be added.
The eID ideally would start with an eID credential or token representing a user’s identity. This token could be stored on a device such as a smart chip or a smartphone. The user would then have a biometric or multifactor authentication mechanism for security.
eIDs should have multiple secure access points. First, a government-issued smart chipped ID card would be issued that is similar to the Personal Identity Verification (PIV) cards used for federal government employees. Second, individuals should be able to access their eIDs through smartphones or other smart devices. Third, there should be a mechanism to access eIDs through a web browser.
The government-issued ID card should have the individual’s identification token stored on it. PIV cards operate in this manner with an integrated circuit chip. Similarly, all passports since 2007 have radio frequency identification (RFID) chips. RFID passports use radio waves to communicate between a token in the passport and Customs and Border Protection systems. Enhanced Drivers Licenses (EDL), issued in five states, are beginning to integrate RFID chips. EDLs primarily facilitate travel over the U.S.-Canadian border by providing enhanced identity proofing at the border. Physical ID cards with eIDs could easily integrate RFID chips that are already commonly used in the U.S. ID system.
In early 2021, eighty-five percent of U.S. adults owned a smartphone. Making an eID accessible through mobile applications would therefore be convenient and efficient for a large portion of the population. Major cell phone companies such as Apple and Google have already started initiatives to store digital identity in their products. Further, biometric authentication such as fingerprint or facial recognition are commonplace in mobile devices and could be used to secure the eID login process.
Next, it is important to enable web accessibility to access eIDs. If an individual loses a smartphone or smart chip, the ability to access an eID from a web browser would be a helpful backup. Similarly, eIDs could support the ability to place a “hold” on an identity document’s use while securing a replacement or finding the lost item. Alternatively, anyone who does not have access to a smartphone would be able to access an eID in this way. With website accessibility, it will be important for users to have their identification tokens and to implement a backup multifactor authentication. Because there is not a biometric component to website use, multifactor authentication could be done through passwords, pins, or other more traditional authentication mechanisms.
The government should continue to prioritize the development of next-generation remote identity proofing and verification systems. The GSA is working on an equitable identity verification system. Equitable verification mechanisms are essential for an identity verification system for everyone. Identity proofing and verification should continue to evolve. A higher level of assurance and accuracy will increase participation and ease anxiety about current technology.
Another route for eID management is blockchain technology. Blockchain allows for the creation and verification of distributed and immutable records of data. Estonia and Singapore both use blockchain in their digital identity systems. Blockchain provides a secure and decentralized method of digital identity management. Estonia has been using its KSI blockchain system for years to great avail. Utah is similarly using blockchain strategies in its identity management system. This use case will be valuable in seeing how blockchain-based eIDs operate in the United States.
One major advantage of using blockchain for an eID is the level of control it gives users over their data. By using cryptography and consensus mechanisms, only authorized parties can access data, which keeps fraud at bay. Similarly, users could verify the authenticity of their data by checking the blockchain ledger. This would enhance the security and privacy of an individual’s eID because only authorized parties can access and modify the data. The immutability and tamper-proof nature of the blockchain also creates a management system extremely immune to fraud or identity theft.
Nevertheless, using blockchain in an eID presents challenges. First, blockchain involves a type of technology many people are not comfortable with. Because blockchain is still becoming commonplace, using it for something as ubiquitous and important as identity management may discourage people from using eIDs.
Blockchain’s immutable nature may make changes to identification challenging. If information is incorrect on the blockchain, then updating it may be difficult. Similarly, making a change such as updating a last name after marriage may present challenges.
Blockchain technology is also slow and requires computing power from a peer-to-peer network, which can make it resource heavy for identity management. Blockchain relies on consensus protocols to verify and validate transactions. Therefore, using blockchain in identity management may present challenges because most transactions using IDs are fast, and we want them to be efficient. Similarly, computing power does not present the most environmentally friendly system of identity management. This could deter some countries from adopting an interoperable eID system because of a lack of resources. Similarly, countries that do have abundant resources may not want to divert mass amounts to an identification system that could be achieved by cheaper means.
Further, although the blockchain can keep third parties from seeing data, blockchain networks are transparent. This enhances the trust and accountability of the blockchain network; however, additional measures to protect privacy would need to be implemented if blockchain were to be used as the technology for eIDs.
Adopting a digital ID system will not likely pose additional accessibility issues in the United States. As with the current system of identification, underserved communities or marginalized groups may face barriers to identity services. This can be because of a lack of awareness, a lack of technology, or a lack of documentation. However, a digital identity system can address some of these barriers.
In 2023, eighty-nine percent of U.S. adults held driver’s licenses and forty-eight percent of citizens held passports. Although an eID would require an appointment and a fee to receive a smart card, most people in the United States are going through a similar process for identification cards or driver’s licenses. Similarly, in 2021, eighty-five percent of U.S. adults owned a smartphone. In the same year, seventy-seven percent owned a laptop or desktop computer and fifty-three percent owned tablet computers. Since eIDs would be accessible via a website browser, individuals could access their eIDs via any computer, not just through smart phones and tablets.
Adopting a digital identity system is unlikely to increase any technological divide that exists in the United States. Even without personal devices such as a smartphone or a laptop, users could still access their eIDs through a website portal. Any desktop computer could be used to access the eID portal. Similarly, eID smart cards could be issued in a similar way to current driver’s licenses or ID cards.
An eID framework would empower individuals with enhanced control over their personal information, allowing users to selectively share specific data elements. This approach minimizes unnecessary data exposure and bolsters privacy safeguards. Further, it mitigates many fears expressed by adversaries to a national digital identity system.
eID use in the United States entails the development of a secure and standardized infrastructure for the unique identification and authentication of individuals within the digital domain. Under this framework, each citizen would receive a distinct digital identifier, potentially comprising biometric data, a secure token, or a cryptographic key. Initially, this identifier would complement and augment existing identification methods. The secure storage and management of digital identity information would be entrusted to either a centralized database or a distributed ledger.
The system would require robust authentication methods to ensure individuals are who they claim to be. Such factors might encompass multifactor authentication, biometric scans, or cryptographic keys. Strong privacy measures would be implemented to protect individuals’ personal information. Users would have control over what information is shared and with whom.
To encourage adoption, the system would have a user-friendly interface. Most likely, this interface would manifest as a mobile application or web portal, facilitating effortless management and use of eIDs. The system would need to work seamlessly across various government agencies, private businesses, and online services. Standards and protocols would be established to ensure interoperability. Crucially, mechanisms would be put in place to prevent any unauthorized connections or information sharing with the issuing department, unless explicit consent is granted. This too, would address concerns by digital identity adversaries.
The ACLU fears national ID cards could lead to government overreach. Consequently, a digital identity system must implement safeguards against overreach.
One measure to counter government overreach is keeping participation in the eID system voluntary. Obtaining consent to collect and store participants’ data is imperative to keep the system voluntary. Further, the government should not make eIDs required to receive government services or exercise fundamental rights. There should be an option to use physical documents as a verification process.
Data obtained by the government for an eID should be limited in purpose. This will help mitigate critics’ fear of government surveillance based on linking a national ID to other government databases. Collection of data should be used for identity authentication purposes and traditional uses of identity documents. There need to be safeguards to prevent linking the data for other uses within the government.
The eID system should be based on principles of transparency. This includes transparency in operation, governance structure, and practice. The system should be open by having the operation of data collection, use, and storage publicly available. This would keep eIDs as a transparent mechanism and encourage participation.
The eID system should also emphasize accountability and oversight. For instance, regulatory agencies in charge of implementing and administering the system should have publicly known governance structures. This allows public insight into who is responsible for decisions related to eIDs and how to submit comments or complaints. Public records could also help the public identify the appropriate mechanisms to appeal decisions or actions. Further, by subjecting agencies to public procedural processes, it allows the public to be involved in certain decisions such as submitting comments in rulemaking decisions at the agency level.
An important consideration is that presenting an eID as identification to police does not constitute consent for the officer to search the entire device. Some states with mDLs have enacted statutes declaring presenting mDLs to police does not constitute consent to access the entire phone. Similarly, mDLs are increasingly being designed so the identification document can be shown without handing over the physical device. A national eID stored on a mobile application should also be accessible without transfer of personal property. This can be done through a QR code or another form of wireless verification. This increases security and mitigates problems with police perception of consent for a smartphone search.
Public perception would play a critical role in the acceptance and success of an eID system in the United States. Demonstrating tangible benefits such as improved convenience, reduced bureaucracy, and enhanced security could positively influence public perception.
Worries about surveillance, data misuse, or unauthorized access to personal information may hinder public acceptance. Clear and transparent privacy policies as well as procedures detailing data collection, use, and sharing are imperative to mitigate these concerns. The establishment of robust security measures is equally indispensable in fostering public confidence.
Public perception can be positively influenced by effective and transparent communication. Allowing citizens to understand the benefits and functionality of the digital identity system will encourage adoption. Similarly, ensuring accessibility will assuage some criticisms. Effective education and awareness campaigns can help communicate the advantages and address misconceptions. A user-friendly and intuitive interface combined with individual control over digital identities will likely help public perception.
To secure the success of eIDs in the United States, government agencies and stakeholders must proactively address these factors. Active engagement with the public, coupled with a steadfast commitment to transparency, security, privacy, and inclusivity, is imperative. Recognizing that public perception may evolve over time, proactive endeavors to address concerns and cultivate trust stand as essential prerequisites for the system's acceptance and long-term sustainability.
Because participation in the digital identity system should be optional, there is a risk of low participation and slow adoption. For example, the United Kingdom experienced slow adoption of its eID system with only about ten percent of the population adopting eIDs by 2018. Similarly, digital IDs seem to be used habitually or not at all. In the United Kingdom, those with eIDs used them approximately ten times per year, while in Estonia, digital IDs were used one hundred times or more per year.
To combat the risk of low adoption, the United States should set up an effective operating model with all the privacy verifications and interoperability assurances discussed in this Comment. By easing fears around privacy and government overreach, more people will be willing to partake in a digital identity system.
Similarly, offering high-value use cases such as accessibility to government services will encourage adoption. One of the primary benefits of a digital identity system is the efficiency and convenience it offers. Allowing eID use for government services and processes saves the user time and money by not having to be present in the office.
Finally, establishing trust and providing a convenient experience will encourage adoption. Implementing a high-functioning government system using eIDs, will encourage people to participate. Anything that can save time and increase efficiency in daily life is desirable and will encourage use.
Concerns about increasing technological use in society are prevalent. This is often seen along generational lines; however, that gap is lessening. Users over sixty-five are more likely to adopt technology now than ten years ago. Lacking access to technology or having limited digital literacy can exacerbate apprehension about technology. This longstanding aversion to technology can affect the use of a digital ID system. To mitigate this, a push for accessible digital literacy and access would be helpful.
The fear of dependency on technology is common. People worry relying on digital identities could leave them vulnerable if technology fails, leading to a loss of identity verification capabilities. However, physical documents will likely keep a place in identity management. eIDs will provide a convenient and more secure method of identity management, but backup documents such as birth certificates and social security cards can assist if an eID fails.
Concerns about government overreach and surveillance can also affect public perception. However, with proper safeguards as discussed in this Comment, these concerns should be mitigated. Similarly, identification and authentication functions will be separated to minimize government overreach.
COVID-19 vaccination cards are an example of a government-backed digital identification management system. Concerns were raised about the amount of personal health information on the vaccination cards, including full names and dates of birth. Individuals worried about the potential for identity theft or privacy breaches if the cards were lost or mishandled.
One major issue with the vaccination cards was the slow transition to a digital system. Users were given physical cards with the idea that later their records could be accessed online. However, only some vaccination providers and health departments provided online access. With an eID system, this process would be streamlined, consistent, and more secure. Similarly, the physical smart card would not have sensitive information on its face; rather, this information would be stored on a smart chip in the card.
Vaccine passports provide an example of people pushing back on a digital identification mechanism. Critics discussed fear of data being collected from use. eIDs will have defense mechanisms to keep data from being tracked. Reports also emerged of counterfeit vaccination cards being sold online during the pandemic. eIDs, on the other hand, will not be easily counterfeited. The smart chips employed will not be able to be counterfeited as easily. Similarly, authentication will be assured by a robust federal framework. This will represent an inherent advantage to the patchwork of regulations the COVID vaccination cards had.
Although vaccine passports were met with public distrust in the United States, eIDs may not have the same fate. While vaccine passports presented barriers and increased effort on the individual’s part, eIDs present increased convenience. eIDs offer convenience by streamlining access to services and reducing the need for physical documents or multiple passwords.
In conclusion, implementing eIDs in the United States offers numerous advantages over the current ID system. An eID system would enhance security, increase efficiency, reduce identity theft, and significantly benefit individuals.
The absence of a national ID system and the patchwork approach to ID documents have stymied significant progress toward digital ID. However, with state-level initiatives and the advancement of digital governance at the federal level, there is a growing recognition of the need for improved digital identity infrastructure. Overall, the development and implementation of government-backed digital identity systems are integral to the future of digital governance. This rings true based on the development of digital identity systems across the globe.
To successfully implement an eID system, a well-defined regulatory framework must be established. Clear legal guidelines, strong privacy protections, and robust security measures will be essential components of this framework. Similarly, compliance with the complex legal and regulatory framework in the United States is essential. This will likely require the involvement of various federal agencies or possibly the creation of a new agency. The technology to implement eIDs in the United States exists and can be integrated in an accessible way. The public should receive clear communication about what a digital identity system would look like, and which government agencies would be overseeing implementation. By being transparent, emphasizing privacy, and addressing public concerns, stakeholders implementing an eID system can encourage people to participate. The digital identity system should empower individuals to control their personal information and restrict data exposure. Public perception and acceptance can be influenced by transparent privacy policies and robust security measures. It is essential to address concerns related to technology access, digital literacy, and fears of overreliance on technology. Ensuring accessibility and optional identity management methods can mitigate these concerns.
