America needs trustworthy digital identity
It’s well past time for the public sector to build a digital identity ecosystem that works for everyone.
Digital identity is critical infrastructure that at its core relies on trustworthy approaches for verifying that the right person is accessing the right service for the right reason at the right time.
When this goes wrong, Americans are left to suffer — unable to receive the services they need or worse, someone else benefits at the expense of taxpayers. For too long, government agencies have relied on outdated approaches to digital identity verification and fraud risk management. We all witnessed how during the pandemic billions were lost to bad actors, nation-states, and fraud rings while many Americans who were eligible to receive benefits, often from vulnerable demographics, were forced to jump through unnecessary hoops just to prove who they were online.
Sadly enough, we knew this could happen years ago. When I served in government, many of us saw the problem on the horizon and raised the alarm in the 2018/2019 president’s budget. We called for the creation of a dedicated project to identify a diverse set of modern approaches to digital identity, including public-private partnerships, new technologies, new acquisition approaches, and new processes.
The goal was to foster a diverse marketplace of identity-proofing solutions that protect the American people’s privacy, as well as prevent the misuse of their taxpayer dollars in improper payments due to fraud. Although this project was funded, unfortunately, a lack of accountability and focus resulted in little to no changes in the years that followed – a recipe for disaster as the country headed into an unprecedented health emergency. If we are to avoid repeating history, the status quo must change.
Earlier this month, the White House recognized the need for a trustworthy, scalable, and accessible digital identity verification in its National Cybersecurity Strategy. It says: “Today, the lack of secure, privacy-preserving, consent-based digital identity solutions allows fraud to flourish, perpetuates exclusion and inequity, and adds inefficiency to our financial services and daily life…Operating independently, neither the private or public sectors have been able to solve this problem.”
This is a strong message, but it’s the execution that counts. To provide good service, any public-private partnership on digital identity needs to measure success, share information, and learn how to improve. Creating these foundations is vital for building trust and security for the nation’s digital identity ecosystem.
So how do we build this foundation? To start, the government should require digital identity providers (both commercial and government) to publish their auto-approval rates – meaning the ability of a provider to successfully confirm someone’s identity online without subjecting them to forms of manual review or human intervention that might cause someone to abandon the process as a result of undue friction such as online video chats, in-person processes, or other
types of manual reviews.
Careful focus should also be paid to meeting standards for accuracy, precision, security, and equity. These are essential metrics that indicate what percentage of people can be verified with a high degree of confidence. Without these metrics, it’s impossible to determine if identity verification is working as intended. This scale of transparency is not a novel idea – the IRS publishes its auditing performance and impact and the GSA provides an interactive dashboard that shows government contract acquisitions.
Right now, a lack of transparency is hurting trust among the public and within the government itself. In December, a House Oversight Committee investigation found an identity provider misled the IRS by giving inaccurate wait times for manual verification. This month, GSA’s Inspector General found the agency misrepresented privacy protections around Login.gov.
When it comes to a heavily used and vital service like digital identity, these issues are unavoidable unless agencies and private vendors provide clear metrics and reporting mechanisms. Increasing transparency will increase public confidence in digital identity and guide government officials on best practices.
The White House has already committed $1.6 billion from the American Rescue Plan to start fulfilling its digital identity objectives. These once-in-a-lifetime investments will be wasted if steps aren’t taken to ground decision-making in the analytics needed to optimize approaches to confirming that good people aren’t blocked from getting the support that they need while simultaneously taking proactive measures to stop fraudsters in their tracks.
The Biden administration has signaled the time has come for a serious rethink of digital identity — I for one agree it is long overdue. Only through a greater push to increase accuracy, measurement, and transparency can we instill the accountability mechanisms to create the changes needed for delivering trustworthy digital identity.
Jordan Burris is vice president of public sector strategy for Socure. He was formerly the chief of staff in the White House’s Office of the Federal CIO, where he was responsible for orchestrating the execution of technology and cybersecurity efforts across two presidential administrations to include the oversight of the federal government’s $90 billion+ technology budget.