One of the leading voices in Congress for the adoption of digital identifications said a federal agency is needed to verify the security of the software and hardware underpinning mobile phones and other authentication technologies.
Speaking on Wednesday at Identity Week America, Rep. Bill Foster, D-Ill., voiced his continued support for the U.S. government to take more of a role in the development and use of secure digital IDs, including mobile driver’s licenses, that can be used to help prevent bad actors from committing identity theft or fraud.
Digital identifications allow individuals to store their personal data on phones or in apps to prove their identities. These often include the use of biometrics and passwords to protect the saved information. More than a dozen states now offer their residents the opportunity to receive digital IDs or mobile driver’s licenses.
Foster introduced legislation — the Improving Digital Identity Act — last year that would call for the government to look into the use of “consent-based digital identity solutions” to enable Americans “to prove who they are online.” He has introduced versions of the bill in each Congress since 2020, and voiced his desire to reintroduce it during the current 119th Congress.
In an interview with Nextgov/FCW last year, the congressman noted that the growing use of deepfakes and other artificial intelligence-generated content to manipulate or conceal users’ true identities means that “the next best thing you can do is provide people with at least the ability to prove they are who they say they are and not a deepfake.”
While his previous proposals have garnered bipartisan support — Foster mentioned that he is currently working with Rep. Mike Kelly, R-Pa., on the digital ID push — he said additional security steps will be needed on the federal level to ensure the security of the technologies used to verify peoples’ identities.
“There’s a danger there if you deploy, say, mobile driver’s licenses to millions of people, and then someone publishes a software kit to hack into the phone and get and extract the [security] keys that will allow you to impersonate that person online, and that will be a disaster for the whole effort,” Foster said. “So we have to — and it’s a missing piece of our effort federally — we need, somewhere, an agency that calls balls and strikes on trusted electronics. So electronics and software both.”
Although the National Institute of Standards and Technology has released guidance, frameworks and best practices to help organizations enhance their cybersecurity and overall security postures, the agency’s recommendations remain voluntary.
“They have defined the standards, but they do not enforce that,” Foster said about NIST, adding “that’s maybe a good division of effort, but we need someone to enforce it.”
Foster laid out a hypothetical scenario where a flaw is detected in a future Apple iPhone and said this type of body would be able to tell the tech giant “you cannot sell that as something that you can use to present digital driver’s licenses.”
Foster acknowledged that the effort would become “very political, very fast,” but said it’s “really important, because you cannot deploy digital driver’s licenses on cell phones that turn out not to be trustworthy.”
One current barrier to establishing a new agency, for instance, is the cost-cutting Department of Government Efficiency, which has carried out President Donald Trump’s edict to slash federal spending and trim back the government workforce through layoffs and deferred resignations.
Foster said, however, that he envisions this new federal entity also having the ability to verify the accuracy of the privacy claims made by the Transportation Security Administration about the facial recognition technology it uses in the airport screening process.
“When you go the kiosk at [Ronald Reagan Washington National Airport] and it says, ‘I promise I will throw away that picture we’ve just taken of you within 24 hours’ — whatever the promise is — that you’re going to have to have someone you trust, saying, ‘I’ve audited that, and it’s actually true. The hardware and the software that is running on that will, in fact, toss your image after some period of time.’”
TSA has been increasingly rolling out facial recognition technology, with plans to deploy the biometric scanners at more than 430 U.S. airports in the coming years. The agency said it also accepts digital IDs from states that issue them “at more than 250 airports to verify your identity at TSA checkpoints through platforms such as Apple Wallet, Google Wallet, and Samsung Wallet or a state-issued app.”
An official with the Department of Homeland Security, which oversees TSA, previously told Nextgov/FCW that photos of travelers are automatically deleted after their identities are confirmed, although they said the agency has “the ability in the field to change the system so that it actually can log data” when it wants to conduct a limited evaluation of the technology’s effectiveness.
Some Republican and Democrat privacy hawks in Congress, however, have pushed back against TSA’s use of the technology over concerns about its handling of Americans’ biometric data, as well as the tool’s accuracy.
DHS’ top watchdog announced in January that officials would look into the use of the technology. The investigation was launched after a bipartisan group of senators wrote a letter last year to DHS Inspector General Joseph Cuffari that asked him to investigate TSA’s use of the biometric scanners “from both an authorities and privacy perspective.”
