The Better Identity Coalition report on improving digital identity in the US
On July 19, 2018, The Better Identity Coalition, an organisation focused on developing better solutions for identity verification and authentication, published the “Better Identity in America: A Blueprint for Policymakers” (the “Report”). The Report outlines a comprehensive policy agenda for improving the privacy and security of digital identity solutions.
According to the Report, $16.8 billion was lost in the United States due to identity fraud in 2017 and the same year saw a 44.7% increase in the number of data breaches. Nearly 179 million records containing personal information were exposed, illustrating the inadequacy of current identity systems. The Report puts forth a set of consensus, cross-sector, technology-agnostic policy recommendations (“Policy Blueprint”) to address existing inadequacies and to improve digital identity in America. Specifically, the Policy Blueprint outlines the following five key initiatives and a corresponding action plan to achieve better security and privacy in identity systems and a more convenient and confident consumer market.
1. Prioritise the development of next-generation remote identity proofing and verification systems
Governments should prioritise the development of next-generation remote identity proofing and verification systems. As the U.S. does not have a formal national identity system, the private sector has responded by creating solutions, such as Knowledge-Based Verification, which relies on a subject’s ability to answer security questions to verify their identity. However, increased data breaches and identity fraud in recent years have exposed the weaknesses in privately developed systems.
The Report argues that governments are in a unique position to spearhead the modernisation of identity systems. The Social Security Administration and state governments, the latter of which already issue driver’s licenses and identity cards, should offer new digital services to validate attributes. To finance the initiative, the Report proposes that the federal government institute a five-year, $200 million-per-year Federal grant to support states’ development of forward-looking investment strategies for continuous R&D and eventual migration to digital identity systems. In addition, governments should encourage active partnership between the public and private sectors by addressing barriers that inhibit private sector entities from innovating around identity and creating incentives that promote innovation.
2. Change the way Americans use the Social Security Number (“SSN”)
The Report argues that both public and private sectors should stop using the SSN as an authenticator and reduce its use as an identifier wherever feasible. After years of massive data breaches and millions of SSN thefts, its value as an authenticator or identifier is largely diminished. Many members of the Better Identity Coalition also believe that using the SSN beyond government-mandated applications has become a risk for companies. In response to this recommendation, the Report argues that Congress and/or the Administration should launch a task force to review and amend existing laws and regulations that require companies to collect and retain SSNs. Government and industry alike need to move away from the existing common practice of using the SSN as an authentication factor and migrate to alternative solutions that can more securely authenticate consumers. To ensure the government can lead the way in the movement away from the SSN, the Report urges that the President should issue an Executive Order, first banning agencies from using the SSN as an authenticator. In Canada, individuals are usually under no obligation to provide the Social Insurance Number (SIN) to any private-sector organisations other than some that collect the SIN for income reporting purposes.
3. Promote and prioritise the use of strong authentication
The Federal government should continue the work already underway in promoting strong authentication in sectors such as financial services, health care, government and consumer applications. Strong authentication is an identity authentication method whose security system is stringent enough to withstand any attacks it is likely to encounter. To complement existing initiatives, governments should modernise regulations to govern digital authentication platforms and reduce barriers to adopting innovative security systems. Specifically, the Report suggests that new legislation on privacy and security should not be written so broadly that it might preclude use of promising technologies for risk-based authentication.
4. Pursue international coordination and harmonisation of identity standards
The Report provides that the U.S. should coordinate with international partners to align global efforts in developing better identity solutions. This multilateral effort is especially important in the financial services industry, which hosts a substantial number of cross-border activities and requires reliable identity authentication to address special requirements for managing risks associated with Customer Identification Program requirements of the Bank Secrecy Act, as well as related Know Your Customer and Anti-Money Laundering rules currently in place in the U.S. market. For example, the U.S. government should develop a plan to engage the EU’s eIDAS office and the Financial Action Task Force (FATF) to harmonise international account openings.
5. Educate consumers and businesses about better digital identity solutions
The Report encourages governments to partner with industry to educate both consumers and businesses on modern approaches and best practices in identity protection and verification. Specifically, the Report cites the National Cyber Security Alliance (NCSA) as an example of a potential partner, as NCSA already has a strong record of driving public-private partnerships to educate the public on cyber security.