September 10, 2024 | The National Interest

How to Give Americans Back Control of Their Digital Identities

Putting data privacy first amounts to more than a technical upgrade; it will be nothing short of a strategic shift toward a more secure and resilient society.
September 10, 2024 | The National Interest

How to Give Americans Back Control of Their Digital Identities

Putting data privacy first amounts to more than a technical upgrade; it will be nothing short of a strategic shift toward a more secure and resilient society.

Our digital infrastructure is becoming more vulnerable. A single cyberattack on Ticketmaster exposed data from over 500 million customers. Chinese state-affiliated hackers secretly accessed email accounts at approximately twenty-five organizations, including the U.S. Commerce and State Departments. These incidents are not merely breaches of personal data; they are attacks on our national security.

Hostile nations and organized cybercrime groups exploit our vulnerabilities to steal sensitive information, undermine our critical infrastructure, and ultimately destabilize our society. The increased adoption of financial technology services such as digital wallets, peer-to-peer payments, and on-demand credit—many of which operate outside the strict regulatory frameworks of traditional financial institutions—means that every stolen identity and every data breach can potentially be weaponized against the United States.

Digital identity technologies such as Decentralized Identifiers (DIDs) offer a promising approach to addressing this threat. By leveraging decentralized blockchains, DIDs allow individuals to limit access to their personal identifying information (PII) instead of handing it over to third parties every time they make an online transaction. This means personal information is no longer held on third-party servers susceptible to hacking. Similarly, Compliance-backed Verifiable Credentials (CVCs) act as secure digital badges capable of validating whether the information someone presents—i.e., an individual’s age, address, nationality, or licensed professional qualification—has been verified through rigorous due diligence processes.

By integrating these technologies across the public and private sectors, we can make it significantly more difficult for adversaries to exploit stolen data. A January report published by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) found that “[e]merging technologies such as digital identity…may help mitigate customer identity process exploitations and combat a wide variety of illicit finance typologies.” This is particularly critical for sectors such as financehealthcare, and essential public services that are high-value targets for cyberattacks.

The European Union has already launched four large-scale pilot projects involving the development and implementation of such digital identity solutions, specifically the EU Digital Identity Wallet. According to the European Commission, “[t]hese pilots involve approximately 360 entities, including private companies and public authorities from 26 Member States, Norway, Iceland, and Ukraine.” Likewise, the UKCanada, and Australia have all created programs aimed at enhancing the adoption of privacy-preserving digital identity tools.

The United States, however, is lagging behind. The Biden-Harris administration’s latest National Cybersecurity Strategy Implementation Plan underscores the urgent need for a robust digital identity ecosystem. Similarly, the Consumer Financial Protection Bureau released a notice of proposed rulemaking late last year, which was partially finalized in June, highlighting the importance of consumer data rights and identity verification within financial services.

Implementing digital identity solutions will require collaboration across the public and private sectors. Already, at least five million Americans have signed up for mobile driver’s licenses, which are available in eleven states and being tested in a dozen others. You can even use a mobile driver’s license to get through airport security. But this is just a small step forward.

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) launched an initiative last year called “Accelerate Adoption of Digital Identities on Mobile Devices.” It seeks to establish “a reference architecture(s) for digital identities that protects privacy, is implemented in a secure way, enables equity, is widely adoptable, interoperable, and easy to use.” If successful, this initiative will establish the groundwork for a digital identity future. Fortunately, following a nearly yearlong delay, the program now appears set to begin with a cohort of fifteen collaborators from the public and private sectors.

Other consortia are also forming to set standards, develop technologies, and implement digital identity solutions across sectors. These efforts would strengthen personal privacy and consumer control while enabling essential controls, transparency, and regulatory compliance. Their efforts would benefit from more institutions across the public and private sectors embracing a proactive mindset toward securing personal information. However, the traditional response to data breaches has often been reactive, offering temporary protections like free identity theft monitoring.

While these measures provide some relief, they do not address the root causes of digital vulnerabilities related to the sharing or verification of PII. A proactive stance that incorporates digital identity solutions can shift the focus from damage control to prevention, enhancing security and allowing individuals (including those in high-risk jurisdictions) to not only control their personal data but also be evaluated based on their unique, verified identities rather than on broad, generalized categories. This ensures that legitimate customers retain access to essential services and are not unfairly excluded due to broad risk assessments that fail to capture their true risk level.

Putting data privacy first amounts to more than a technical upgrade; it will be nothing short of a strategic shift toward a more secure and resilient society. Yet, digital identity solutions are not a panacea for all cybersecurity issues, nor can they prevent every type of attack. They are, however, emblematic of the kind of innovative, proactive measures needed to address these pressing vulnerabilities and deserve the focused attention of policymakers and industry leaders alike.

Amit Sharma is the founder and CEO of FinClusive, a provider of modernized financial crimes compliance (FCC) and identity solutions for a new era of financial services, and a board advisor to the Center on Economic and Financial Power at the Foundation for Defense of Democracies. Max Meizlish is a Senior Research Analyst for the Center on Economic and Financial Power at the Foundation for Defense of Democracies.

Issues:

Issues:

China Cyber Sanctions and Illicit Finance

Topics:

Topics:

Americans Australia Canada China Consumer Financial Protection Bureau Decentralized identifier European Commission European Union Federal Communications Commission Financial Crimes Enforcement Network Iceland National Cybersecurity Center of Excellence National Institute of Standards and Technology Norway Personal data Ticketmaster Ukraine United Kingdom United States Department of the Treasury