On April 13, 2022, the group Better Identity Coalition published a letter calling on President Joe Biden to draft and sign an executive order regarding digital identity. It urged the administration to address four key priorities:
The letter was signed by the Cybersecurity Coalition, the Electronic Transactions Association, the Identity Theft Resource Center, the National Cyber Security Alliance and the U.S. Chamber of Commerce Technology Engagement Center. Six months later, NIST released updated guidelines for digital identification to “help fight online crime, preserve privacy and promote equity and usability.” After a public review period, a second draft of those guidelines is now available.
This is a critical moment for the U.S. Digital identity is coming, and it must be implemented correctly on the first try. Unfortunately, there are still significant hurdles in the way, and an obvious blind spot is being overlooked.
Recent reporting from NOTUS suggests that the Biden administration will soon throw its weight behind digital identification, with an upcoming executive order stating: “It is the policy of the executive branch to strongly encourage the use of digital identity documents.”
An order like this, on its face, is a response to the billions of dollars the U.S. government has lost to fraudulent social program claims. But once government-issued identification goes online, it will have much broader implications. We’ve seen it already in other countries around the world. Spain recently implemented a “porn passport” that is meant to restrict minors from accessing adult content online. Australia’s digital ID system was introduced in May, but critics are already raising concerns about its security capabilities.
There is a fundamental issue with these initiatives. No matter the level of encryption, security protocols or penetration testing, they are essentially a big basket of IDs. Richard Buckland, professor of cybersecurity at the University of New South Wales, said he’s “never seen a system that’s not hackable.” Centralized repositories of information will always be vulnerable. Earlier this year, 404 Media reported on a security breach involving AU10TIX, an identity verification company serving platforms like Fiverr, X and Coinbase. Administrator credentials were stolen from AU10TIX and exposed online for more than a year, granting hackers access to names, dates of birth and identity documents. Even the companies that are hired to protect us have critical flaws, and centralizing all data only makes it easier to exploit.
Blockchain technology offers a potential solution to this problem. While no technology is completely failsafe, decentralized ID verification and authentication get us as close as possible. In simpler terms, imagine a king’s treasure room filled with gold, jewels and artifacts from across the land. It’s heavily guarded, surrounded by thick stone walls, iron bars and a deep moat. Nearly impregnable. Nearly. Decentralized technology is like taking each gold piece and stashing it in its own vault, in its own castle, behind its own guards. Each individual piece is worthless without the rest. The thief (and even the king himself) can never see the treasure in its entirety.
As governments continue developing digital identity tools, the public must demand accountability, transparency and privacy. Incorporating blockchain technology into these programs will not only make them more secure from identity theft but also keep citizen information out of the government’s hands.
Trust is earned, and more than 70 percent of Americans are already concerned about how the government uses their data, according to the Pew Research Center. All of us deserve protection against identity theft, and the administration deserves some praise for trying to solve the issue. But collecting more information and stuffing it into centralized government databases isn’t the answer. Doing that is begging for a bad actor—foreign or domestic—to breach the castle walls and take the gold.
Instead, the administration should work with experts to create a decentralized, verifiable ID system built on irrefutable trust. Concordium has already built a regulation-ready blockchain with an identity layer to authenticate users and documents. Embracing this new technology, rather than running from it, is the way forward. Otherwise, we risk losing control of our unique identities.
The NIST guidelines are in public review and welcome comments. It’s a great opportunity for people to demand a different approach before it’s too late. As we’ve all seen so many times, undoing a completed government action is incredibly difficult. It will be too late to turn things around once digital ID wallets are introduced in the U.S., Europe and the U.K.
That’s not to say there will be a breach with the currently proposed systems. But if we’re going to build something new, why not do it right?