Guardrails must come before digital ID, says state privacy leader
Jajah-sireenut via Getty Images
By
Chris Teale
Utah Chief Privacy Officer Christopher Bramwell said some governments have not yet done enough work to build trust and policy before launching themselves into tech solutions.
Earlier this year, Utah Gov. Spencer Cox signed a law outlining a framework for how the state will implement its own digital identity program.
The law, which received unanimous support in both chambers of the state legislature, introduced principles for a state-endorsed digital ID, including defining terms, outlining state policy, creating various requirements and mandating that the Department of Government Operations study the issue further. Since then, the state’s Division of Purchasing issued a request for information to garner insights from vendors in the identity space.
This law came around three years after Utah passed a comprehensive state-level consumer data privacy law, which governs how residents’ data is protected and places certain requirements on companies in the state that collect that data. Other states have stepped up with their own privacy laws in the absence of Congressional action, but few are as comprehensive as Utah’s.
Christopher Bramwell, Utah’s chief privacy officer, said in a speech last week that without that comprehensive privacy law and the guardrails it has put in place, the state could not pursue digital identity. Too often, he said, states have tried to skip the policymaking and rushed straight to technology, which will hamstring them in the future. And that creates distrust, he added.
“If you don't have comprehensive public policy that dictates how data should be processed, how you need to implement it, how do you protect the rights of your citizens?” Bramwell said during Identity Week in Washington, D.C. “If you don't do it the right way, you're going to end up in a really bad situation. And that's why many of you feel very uncomfortable about the state of privacy. You feel uncomfortable in your homes because the hard work hasn’t been done. Government keeps adopting technology without doing the actual public policy work.”
Bramwell said Utah focused on several key principles when crafting its digital identity roadmap: protecting individual rights; treating it as critical infrastructure; having open standards and protocols; ensuring individual control; having zero surveillance or tracking; ensuring backward compatibility and continuous improvement; and making laws and policies that support adoption.
Lawmakers and executive leaders have been reluctant to touch a state-backed digital identity program, which could include all manner of personal information, including biometrics, physical characteristics, images, signatures and other identifiers. That lack of trust plays into elected leaders’ reluctance, Bramwell said.
“There's so much distrust across America right now that elected officials don't want to be talking about this,” he said. “There's a reason almost no governors, none of your legislative leadership, your senate leadership, we're not talking about digital identity, because it's a losing issue for them. Nobody trusts it right now. You have a lot of identity being pushed through back channels coming up through government, through departments, through divisions, that they're using it to supplement technology.”
Treating digital identity as critical infrastructure means that state governments should invest the same time and resources into its safety, reliability and cybersecurity as they do water, power and other sectors deemed critical. That is especially important given the number of data breaches and cyberattacks that state and local governments have suffered in recent years, which have shut systems down.
“You cannot have privacy if you do not have security,” Bramwell said. “And there's going to be some arguments about that, but you are seeing breach after breach after breach after breach, and we can do everything we can to protect privacy, but at the end of the day, there will still be breaches, and if all that data is compromised, what good did the privacy end up doing?”
Digital ID must have individual control and not be tied in with one vendor or company with no interoperability, Bramwell said. If it is limited in this way, an ID’s use cases could also be limited, he added, explaining that ensuring openness will thus ensure that residents keep control.
“The whole reason that everybody kept moving west was they just wanted self-determination,” Bramwell said. “They wanted to choose how they were going to live, and that's the promise of digital identity. It doesn't mean we're actually going to achieve that promise, but we're going to keep moving toward it and ensure we keep building the systems, building public policy to say, ‘This is the direction the market needs to go.’ This is the one of the few chances we have to shift control to the people, give them as much control as possible of their documentation.”
The benefits of state government-backed digital identity could be tremendous, Bramwell said, although states must first wrestle with the complex policy issues they face on data privacy. By doing so, they can deal with issues around trust and individual liberties, he added, although he acknowledged a long road ahead. He said he is “very bullish” on digital ID, and that it is something everyone will have inside 20 years.
“When we get into our communities, and you get into your homes and you still feel uneasy about privacy, that's actually where privacy comes from: your local communities, from your cities, your counties, your states, where they have the obligation to be protecting your privacy rights,” Bramwell said.