The Better Identity Coalition laid out a roadmap for states to tackle digital identity issues Monday, including how to deploy and oversee technologies like facial recognition.
States should not ban facial recognition and other identity technology outright, a trade group focused on digital identity says in a new policy blueprint focused on state-level policy recommendations.
The recommendations come from the Better Identity Coalition, part of the nonprofit Center for Cybersecurity Policy and Law and led by Jeremy Grant, former senior executive advisor for identity management at the National Institute for Standards and Technology.
The group launched in 2018 and has 27 member companies, including Equifax, IDEMIA, ID.me, Mastercard and CVS.
The group’s thesis is that the government’s patchwork approach to establishing identity through a variety of credentials and issued by a myriad of sources, from Departments of Motor Vehicles to the Social Security Administration, hasn’t yet translated to the digital world, but needs to.
Part of that process would require the government to step up as the issuer of authoritative identity documents and back those paper credentials digitally, the group contends, especially as the tactics used to verify identity remotely, like knowledge-based verification, become less effective.
Some recommendations from its 2018 policy report – such as an interagency task force on digital identity and opt-in identity validation services from government agencies – ended up in a bill the group backs, first introduced by Rep. Bill Foster (D-Ill.).
While calling for states to not ban facial recognition or other identity technologies outright in its new blueprint, the Better Identity Coalition also proposes that they instead follow National Institute of Standards and Technology guidance on digital identity that are already required for federal agencies.
Grant told FCW that although states aren't required to follow NIST guidance, many do, as do some foreign governments. NIST is working on its first update to the guidance in years, although it appears to be delayed: a draft NIST had slated for fiscal year 2022 still hasn't been released. Grant said that it is "safe to say that cybersecurity experts across the globe are very eager to see NIST release the draft ... since the last version was published in 2017, there’s been a big shift in threats against identity systems, as well as the technologies used to guard against those threats."
Some state-level security and privacy legislation has “inadvertently precluded” certain identity tech or created more risks, the blueprint says, pointing to California’s Consumer Privacy Act. The law gives residents the right to access, correct and delete their data, but if organizations holding that data don’t have strong identity controls, they could give it to bad actors, the blueprint points out.
As for facial recognition, the group’s policy proposal acknowledges that proposed bans to the technology stem from real misuses of it in criminal justice or demographic differentials in systems, as NIST found out itself in 2019 research.
But the Better Identity Coalition stresses that there’s a range of different use cases, some not appropriate for the tech, and varying levels of accuracy and equity implications among facial recognition algorithms, with some performing better than others.
Charles Romine, director of NIST's Information Technology Laboratory, told lawmakers in 2020 that “users, policy makers and the public should not think of facial recognition as either always accurate or always error prone.”
Policies aimed at biometrics should be targeted to specific uses, harms or risks and the government should give alternatives to facial recognition, the paper states.
The new recommendations come as government and industry are dealing with a spike in identity theft and fraud. There was at least a 70% increase in the amount that consumers reported losing to fraud in 2021 compared to the prior year, bringing the total to $5.8 billion, according to the Federal Trade Commission.
At the same time, the growing use of identity credentialing and fraud detection systems, and facial recognition technology in particular, has also elicited complaints and concerns about equity, demographic bias in systems and privacy.
The report also recommended that state governors and legislatures push motor vehicle departments to issue mobile driver’s licenses and offer identity validation services alongside vital records bureaus that issue birth certificates and other government documents.
For DMVs, that could include verifying that a driver’s license picture on file matches selfies submitted by someone trying to verify their identity – something third party companies currently offer as a service by matching selfies with photos taken of identity cards like driver’s licenses.
Other recommendations called for pushing virtual notarization services. The policy agenda also includes ensuring that states have accessible options and services for those without state identification like driver’s licenses and promote phishing-resistant multi-factor authentication and risk-based authentication.