Digital identity encompasses various aspects of an individual's identity that are presented and verified through the internet.

There's a substantial push for digital identification, with proponents highlighting potential benefits such as streamlined identity verification, faster access to government services, and increased inclusiveness. However, digital identity systems raise concerns about privacy and equity. While specifications for digital identification often recommend data minimization and privacy protections, these recommendations are not mandatory. We cannot base our civil liberties and freedoms on platitudes and promises. We question if digital ID schemes even need to be built in many cases that they are presented as a solution, such as increased accessibility to government services. We implore governments who are expediting digital IDs to do the same instead of creating a strong tide for digital IDs where it may not be needed.

Considerations for Planning Digital IDs

Governments should first lay out protections for citizens against any new digital ID system. Especially in situations with law enforcement and data sharing from private businesses. The collection and potential misuse of personal data by issuers and verifiers (issuer-verifer collusion) during digital identity transactions is a key concern.

Any digital ID system must have:
  • Data minimization
  • Transparency of creation, use, data retention
  • User control over data sharing and scope of digital credentials
  • Optional use of digital credentials
  • A right to paper/physical documents over digital ones
  • Adequate and accessible backup for when digital ID fails

Any digital identity system must not introduce new harms at minimum and strive to promote equity. The potential for digital identification to exacerbate existing social inequalities, particularly for marginalized communities, is also significant concern.

Addressing Harms. Any digital identity system must not introduce new harms at minimum and strive to promote equity. The potential for digital identification to exacerbate existing social inequalities, particularly for marginalized communities, is a significant challenge that should be addressed in assessment and with public consensus.

Mandatory National Databases and Biometrics. While tied to mandatory national databases and biometrics, not every implementation of digital credentials is storing biometrics for citizens to access these digital credentials in a monolithic and centralized database. However, no matter how much data minimization is involved we still strongly oppose any national ID scheme. No matter how decentralized it may purport to be or cryptographically strong. Any identification issued by the government with a centralized database is a power imbalance that can only be enhanced with digital ID.

Dangers of Long-Term Credentials. The more frequent long-term credentials such as mobile driver's licenses or other sensitive identification the greater the risk of that information leaking either though transit or being exploited by the verifier themselves. There have been efforts to utilize schemes and features such as selective disclosure, abstract claims, and unlinkability to combat the long term and specific information from being leaked over time. The standards that credentials like mobile driver's licenses are being built on are still young and implementations still need to include these privacy preserving features in the future by default.Which would guard against the harm posed by major leaks or the risk of correlation with other data sets over time. The privacy suggestions that are listed in these standards are just that: suggestions. Only mandatory guidelines will fortify privacy for citizens.

Age Verification. There are ill-advised bills requiring age verification that ultimately stifle civil liberties and further endanger our ability to have an open and free web. Digital ID vendors have been presenting themselves as the solution to the age verification problem. The concept of online age verification itself is the problem. As well as the scope of age gated content expanding to mean content the government deems inappropriate. We oppose any mandatory age verification that blocks people from accessing free web content just because they do not want to transit information about their government issued identity online.

Open vs. Closed Standards. There two major standards that are currently at the forefront of adoption for government issued credentials: International Organization for Standardization’s ISO/IEC18013-5  and W3C’s Verified Credentials (VC). While ISO/IEC18013-5  focuses strictly on mobile driver's licenses (mDL), VCs can be provisioned for any kind of credential. ISO's standard is notably a closed standard not built with wide public consensus and the W3C is much more open in its feedback process. While we promote open standards that can be easily audited and amended, just because open standards are being considered, it doesn't make the digital ID system or scheme inherently more safe or even a good idea to push forward on. All standards involved are still very young and need time to solidify privacy preserving solutions like selective disclosure. We urge governments to consider slowing their plans to think of protections for when these systems fail and establish checks on authorities that would abuse these systems.

Support Our Work!  We are currently hard at work providing feedback on digital identity standards, analyzing implementations, monitoring legislative efforts around digital ID, and opposing key elements that would create a system of surveillance from digital identity schemes.

Protect digital privacy and free expression. EFF's public interest legal work, activism, and software development preserve fundamental rights.
Protect digital privacy and free expression. EFF's public interest legal work, activism, and software development preserve fundamental rights. DONATE TO EFF