With SB 260, Utah looks to change the rules around who defines identity

A new bill in Utah provides a good illustration of how “identity” is still an evolving concept. State Bill 260: Updating IDs in the Digital Age, challenges the idea that identity is established by the state, instead framing it as something you have inherently, which the government “endorses.”

In other words drawn from the bill, “the state does not define an individual’s identity,” but “states may recognize and acknowledge an individual’s identity in certain circumstances.”

State lawmakers say the law is a necessary step in moving Utah’s digital identity program forward. As it develops mobile driver’s licenses (mDLs) and digital identity cards, it aims to build a system that gives users sovereignty over their own data.

In another move that strays from convention, it is also looking to “decouple” the notion of a primary identity credential from driver’s licenses. Quoted in StateScoop, Utah’s Chief Information Officer Alan Fuller says “it’s really an accident of history that the driver’s license in every state has become the primary form of identity credential, and we’d really like to separate that so you have an identity credential, regardless of whether you’re a driver or not.” Utah has offered a mobile driver’s license since 2021.

All of the changes in the new law are intended to establish a suite of guaranteed freedoms and protections, increase user choice, prevent surveillance and preserve privacy. Commentary from Spruce ID says the bill “offers an opportunity for major advances in autonomy, privacy, and security of individuals in the digital world, creating a bulwark for the next era of U.S. cybersecurity and cyberfreedoms.”

“It recognizes that human beings already exist in their own right and that the state’s role is to provide assistance to humans, so they can be recognized and have the ability to manage the state endorsement in the ways prescribed by the code.”

Privacy-preserving age assurance to get another look if SB 20 passes

However, the bill also touches on age assurance – a hot-button issue for Constitutional rights advocates, and a frequent point of collision for varying definitions of freedom.

A post from Utah-based Libertarian think tank the Libertas Institute notes that SB 20 would direct the Department of Government Operations to “figure out” how to implement age assurance that preserves privacy and doesn’t step on First Amendment rights. It says this would “require a systemic redesign of the way people may identify themselves and prove that identity is theirs.”

Libertas says a key element in their ultimate decision to support the bill is the inclusion of a clause on anonymity that points to the tokenized or “double-blind” solutions required by French law. It highlights the following lines:

“The state may not endorse an individual’s digital identity unless: (e) the state-endorsed digital identity enables an individual to: (ii) verify that the individual’s age satisfies an age requirement without revealing the individual’s age or date of birth.”

Utah has an age assurance law on the books, but many sites still opt to use the “Yes I’m 19” button system. The state legislature recently passed S.B. 142, the App Store Accountability Act, which requires app stores to impose age assurance measures on app downloads. But Fuller is pushing for a digital identity credential for minors – both to further establish digital boundaries for adult content, and to make certain processes easier.

“For example, when someone goes to kindergarten, usually now the parents have to go get a birth certificate to say ‘I am the guardian of this child.’ Wouldn’t it be great if they already had a digital credential issued by the state that says this is who the child is and this is who the guardian is?”

Protections restrict data sharing, demands for device handover

The law’s commitment to privacy extends to prohibitions on digital surveillance. Anyone asking for data can only ask for data pertinent to that specific transaction (i.e., selective disclosure or data minimization) and is prohibited from sharing it with private companies. “Surveillance, visibility, tracking, or monitoring” by any government agency or other person who accepts a digital ID is not allowed – including “phone-home” surveillance that results when a validator relies on a “call-back” to a central server for ID validation.

The bill would make it illegal for police or government to force someone to hand over their device during identity checks.

All of this is optional. As Spruce ID points out, “no government entity can require a digital ID to provide benefits or provide any ‘material benefit’ as an incentive for the use of a digital ID.”

The trust required for mass adoption of digital ID has to come naturally. “Nothing is more likely to make Americans suspicious of a digital tool than being forced to use it by the government,” says the post. “By keeping digital ID optional, while enforcing the core benefits that make it appealing to users, SB260 creates the best possible conditions for trust and adoption of a tool that will benefit users most of all.”

International standards for mDL, digital ID can help law work

Back on StateScoop, Nick Doty, a senior technologist at the Center for Democracy and Technology, says the spirit of the law is good – but it will require a lot of buy-in across private industry, and need the support of international standards such as those from the W3C Consortium and the ISO.

As to where the regime in Washington stands on the matter, Doty concedes he is “not optimistic about good federal policy on this at the moment.”

Article Topics

data privacy  |  digital ID  |  identity management  |  mDL (mobile driver's license)  |  United States  |  Utah