Utah passes amendments to State-Endorsed Digital Identity law

Utah’s state legislature has voted unanimously to pass SB 275, the State-Endorsed Digital Identity Program Amendments bill. The law makes Utah unique among states, in that it defines identity as something that is inherent to a person and endorsed by the state rather than bestowed by the state.

The distinction has implications for discussions about data sovereignty – who gets to control a person’s personal information – as well as for other states pursuing digital identity programs.

In comments made during the recent FIDO Identity Policy Forum, Utah Chief Privacy Officer Christopher Bramwell sums up the SEDI concept: “You need to engage in the free market, but do it according to your choice without being tracked, without being surveilled, without undue influence on how you’re operating. So you can live your life in the digital realm according to the dictates of your heart and how you and your family see fit.”

As in theory, so in practice. SEDI enables selective disclosure of identity attributes, with privacy preserving age assurance held up as a use case, allowing holders to “demonstrate that the individual meets a specified minimum age without disclosing the individual’s age or birth date.”

“A state-endorsed digital identity,” reads the bill, “shall incorporate state-of-the-art safeguards for protecting an individual’s identity, including compromise detection, recovery mechanisms, and cross-context correlation protections; include methods to establish authenticity and integrity; be compatible with a wide variety of technological systems while maintaining strong privacy or security; allow a holder to choose a digital wallet that conforms with the requirements established by the department; and be easy for a holder to adopt and use.”

The State-Endorsed Digital Identity is optional. Anyone over 18 can apply; minors may apply with parental consent.

Requirements for verifiers dictate strong privacy protections

The section on identity proofing goes into more detail on the application process. Identity proofing requirements must “follow a generally accepted identity proofing standard.” The process must be able to establish that the holder is a real individual and confirm their identity with identity verification. The resulting credential must provide “a level of confidence in the individual’s identity that is “sufficiently robust to support reliance by governmental entities and private-sector relying parties where required by law or policy for online age assurance; and appropriate for use in both online and offline presentations.”

The state’s endorsement of an identity through proofing processes “reflects verification at a point in time” and cannot require continuous monitoring or tracking.

For verifiers, requirements dictate that their digital identity systems hew to similar privacy guidelines. They must “incorporate state-of-the-art safeguards for protecting an individual’s identity in the verification process; and process an individual’s identity attributes in a secure manner, accessing only “the minimum identity attributes reasonably necessary to achieve a specified purpose defined by the relying party requesting the presentation.”

Should anyone have a complaint, the amendments mandate the governor to appoint a data privacy ombudsperson to hear it.

All in all, the law shoots to enshrine the module Bramwell describes with the phrase, “whoever controls the key controls the identity.”

SEDI finds common ground between digital ID advocates, civil rights groups

Utah’s leaders have held up SEDI as a catalyst for fast-tracked implementation of digital ID, in coordination with W3C verifiable credentials, MDOC, mDL, SEDI, biometrics, wallets and other key nodes in the digital identity ecosystem. The scheme strums the right American chords: liberty, privacy, market freedom and individualism. And it has even won the endorsement of the American Civil Liberties Union (ACLU), which is generally not a fan of digital identity schemes, but says of SEDI, in a piece titled “There’s Only One State That is Asking the Right Questions About Digital Identity,” that its documentation “outlines strong privacy protections for digital ID of the kind that we have been advocating for.”

Could Utah’s digital identity law be the one that everyone can agree on? That’s a tall order in a divided nation, but Utah’s pioneering framework takes it a few steps closer.

Article Topics

digital ID  |  digital identity  |  identity proofing  |  legislation  |  Utah  |  Utah State-Endorsed Digital Identity (SEDI)