Better Identity Coalition wants to provide US with rules for verifiable credentials

The U.S. is seeing a rise in digital identity initiatives: 16 states have so far rolled out Mobile driver’s licenses (mDLs), while government agencies are considering introducing digital verifiable credentials (VCs) for passports, Social Security cards and birth certificates.

All of this, however, is happening without any government strategy to define how verifiable credentials should be used.

The Better Identity Coalition has stepped in to fill this gap. The organization has been working on a voluntary code of conduct that would restrict inappropriate or overly invasive requests for identity information from verifiable digital credentials.

The initiative argues that wallet providers – be they tech platforms, government agencies, or third parties – would embrace this code to clarify who can access digital credentials and under what circumstances, explains Jeremy Grant, coordinator of the Better Identity Coalition.

“This would basically be a self-regulatory effort,” Grant said at the Identity, Authentication, and the Road Ahead conference, held last Thursday in Washington, D.C.

The organization, which sprang from the Center for Cybersecurity Policy and Law, published an initial strawman of the voluntary code of conduct on GitHub in October and opened it for feedback. The project invites digital wallet providers, identity issuers, privacy and civil liberties advocates and major online service providers to discuss the proposal.

“Hopefully, sometime in Q2 this year, it will be signed by a number of players in the identity ecosystem,” says Grant.

The code wants to set “rules of the road” for government-issued digital identity credentials. In the best-case scenario, mDLs and other VCs could be secure, cryptographically signed and leverage information from authoritative sources.

But VCs can also go wrong: Users could be asked to present their IDs for the most pointless reasons, such as parking meters. Supercookies could be used to track people across sites, while the technology could also erode the ability to be anonymous or pseudonymous online.

One of the guiding principles of the upcoming code is that VCs should not have this impact. Digital wallet providers and other stakeholders should design VCs that enable individuals to share limited identity information in a way that doesn’t allow tracking.

The code will concentrate on three specific types of use cases: situations where organizations are legally obligated to gather identity information, like in financial services, healthcare, and employment; circumstances where legal mandates don’t exist but legitimate justifications do, such as hotel check-ins, building access control, and remote student enrollment; and lastly, scenarios where neither legal obligations nor valid reasons exist for collecting personal data, such as monitoring online activity for advertising purposes.

The document is not intended to solve other issues related to VCs, such as issuance, holder binding, wallet security requirements, portability between wallets, Grant highlights.

The effort draws inspiration from other industry-led initiatives, including the CARIN Alliance, which designed a Code of Conduct for Consumer-Facing Applications in healthcare, and the Financial Data Exchange (FDX), which created standards for consumer-permissioned sharing of financial data.

The Better Identity Coalition is hoping that the government will be able to lean on the results of the project in the future. Ideally, the use of government digital IDs would be ruled by government policy. But with the U.S.’ current focus on shrinking the government, that is not likely to happen soon, notes Grant.​

“As we have seen over the last few years, it’s been really hard to get the federal government or most states to focus enough on this issue to take concrete action, and we’re not expecting this to change,” he says.

Article Topics

Better Identity Coalition  |  digital ID  |  FIDO Alliance  |  mDL (mobile driver's license)  |  verifiable credentials