[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]



         IDENTITY MANAGEMENT INNOVATION: LOOKING BEYOND REAL ID

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                  TRANSPORTATION AND MARITIME SECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION

                               __________


                            DECEMBER 5, 2023

                               __________


                           Serial No. 118-42

                               __________

       Printed for the use of the Committee on Homeland Security
                                     






                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________


                 U.S. GOVERNMENT PUBLISHING OFFICE

56-715 PDF                WASHINGTON : 2024










                     COMMITTEE ON HOMELAND SECURITY

                 Mark E. Green, MD, Tennessee, Chairman

Michael T. McCaul, Texas             Bennie G. Thompson, Mississippi, 
Clay Higgins, Louisiana                  Ranking Member
Michael Guest, Mississippi           Sheila Jackson Lee, Texas
Dan Bishop, North Carolina           Donald M. Payne, Jr., New Jersey
Carlos A. Gimenez, Florida           Eric Swalwell, California
August Pfluger, Texas                J. Luis Correa, California
Andrew R. Garbarino, New York        Troy A. Carter, Louisiana
Marjorie Taylor Greene, Georgia      Shri Thanedar, Michigan
Tony Gonzales, Texas                 Seth Magaziner, Rhode Island
Nick LaLota, New York                Glenn Ivey, Maryland
Mike Ezell, Mississippi              Daniel S. Goldman, New York
Anthony D'Esposito, New York         Robert Garcia, California
Laurel M. Lee, Florida               Delia C. Ramirez, Illinois
Morgan Luttrell, Texas               Robert Menendez, New Jersey
Dale W. Strong, Alabama              Yvette D. Clarke, New York
Josh Brecheen, Oklahoma              Dina Titus, Nevada
Elijah Crane, Arizona

                      Stephen Siao, Staff Director
                  Hope Goins, Minority Staff Director
                       Sean Corcoran, Chief Clerk

                                 ------                                

          SUBCOMMITTEE ON TRANSPORTATION AND MARITIME SECURITY

                  Carlos A. Gimenez, Florida, Chairman

Clay Higgins, Louisiana              Shri Thanedar, Michigan, Ranking 
Nick LaLota, New York                    Member
Laurel M. Lee, Florida               Donald M. Payne, Jr., New Jersey
Mark E. Green, MD, Tennessee (ex     Robert Garcia, California
    officio)                         Bennie G. Thompson, Mississippi 
                                         (ex officio)

                  Vacancy, Subcommittee Staff Director
           Alex Marston, Minority Subcommittee Staff Director










                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable Carlos A. Gimenez, a Representative in Congress 
  From the State of Florida, and Chairman, Subcommittee on 
  Transportation and Maritime Security:
  Oral Statement
  Prepared Statement
The Honorable Shri Thanedar, a Representative in Congress From 
  the State of Michigan, and Ranking Member, Subcommittee on 
  Transportation and Maritime Security:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement

                               Witnesses

Mr. Ian Grossman, President and CEO, The American Association of 
  Motor Vehicle Administrators:
  Oral Statement
  Prepared Statement
Mr. Jeremy Grant, Coordinator, Better Identity Coalition:
  Oral Statement
  Prepared Statement
Mr. Hal Wiediger, Senior Vice President, Client Success, Identity 
  & Security North America, Idemia:
  Oral Statement
  Prepared Statement
Mr. Jay Stanley, Senior Policy Analyst, Speech, Privacy, and 
  Technology Project, American Civil Liberties Union:
  Oral Statement
  Prepared Statement










 
         IDENTITY MANAGEMENT INNOVATION: LOOKING BEYOND REAL ID

                              ----------                              


                       Tuesday, December 5, 2023

             U.S. House of Representatives,
                    Committee on Homeland Security,
                        Subcommittee on Transportation and 
                                         Maritime Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 3:08 p.m., in 
room 310, Cannon House Office Building, Hon. Carlos A. Gimenez 
[Chairman of the subcommittee] presiding.
    Present: Representatives Gimenez, Higgins, LaLota, Lee, and 
Thanedar.
    Also present: Representative Foster.
    Mr. Gimenez. The Committee on Homeland Committee, 
Subcommittee on Transportation and Maritime Security will come 
to order.
    Without objection, the Chair may declare the subcommittee 
in recess at any point. Today's hearing will examine the status 
and challenges of identity management in the United States with 
a focus on the implementation of REAL ID.
    I now recognize the Ranking Member, the gentleman from 
Michigan, Mr. Thanedar, for the purposes of seeking unanimous 
consent.
    Mr. Thanedar. Thank you, Mr. Chair.
    I ask unanimous consent that Mr. Foster be permitted to sit 
with the subcommittee and question today's witnesses, please.
    Mr. Gimenez. So ordered.
    I now recognize myself for an opening statement.
    American identity management is fundamentally fractured. 
The REAL ID Act of 2005 was passed in response to September 11. 
The goal of the Act was to address the fact that hijackers were 
able to fraudulently obtain State drivers' licenses, and 
thereby enable their heinous acts of terrorism.
    Congress decided that there needed to be security standards 
for States when it came to identity documents.
    Eighteen years later, approximately 52 percent of the 
American population possess a driver's license that is REAL ID-
compliant. That means 48 percent do not. Only 4 States require 
REAL ID, which leaves 46 States and 5 American territories that 
provide non-REAL IDs as an option.
    The problem comes to a head on May 7, 2025. On this date, 
if you do not have a REAL ID, you will not be able to fly in 
the United States unless you happen to have a passport, a 
Global Entry card, or some other sort of Government-issued ID 
that is approved for air travel. Suffice it to say that May 7, 
2025, we're going to encounter utter mayhem at our airports.
    Since 2005, the Department of Homeland Security has awarded 
over $263 million in grant funding to assist in enhancements to 
driver's licenses. While this money has enabled individual 
States to update their processes, the REAL ID efforts have come 
in behind schedule and over budget.
    While all States are now offering REAL ID-compliant 
licenses, there's more work to be done to raise awareness and 
REAL ID adoption.
    Yesterday, I had the chance to meet with our Transportation 
Security Administration, which is now overseeing REAL ID 
efforts, given DHS headquarters' mismanagement of this 
important initiative since the beginning.
    In 2020, TSA took over REAL ID management and Congress 
passed the REAL ID Modernization Act, providing streamlined and 
innovative enhancements to REAL ID requirements. Since then, 
the work has expanded and become somewhat more efficient.
    Furthermore, the TSA's identity management team has sought 
to look beyond physical identity documents and engage the 
digital realm, bringing together experts from the National 
Institute of Standards and Technology, technology companies, 
and banks, to conceptualize the future of digital identity in 
the United States.
    I applaud these efforts, but I'm concerned that this is a 
bigger effort than just one agency and one department. It 
requires a whole-of-Government approach and leadership from the 
highest levels.
    Sadly, every American knows somebody or has themselves been 
a victim of identity theft. This year alone, the Identity Theft 
Resource Center recorded more than 2,800 data-breach notices, 
which included over 273 million individuals. The total 
financial losses for Americans is over $10 billion.
    The average cost for U.S. driver's licenses on the black 
market is between $150 and $200. The average cost of a Social 
Security number is worth only a few pennies. In other words, 
Social Security numbers are easy to forge and not a very secure 
way to identify yourself.
    There's also a darker side to identity theft. The Identity 
Theft Resource Center reports that 16 percent of identity crime 
victims contemplated suicide this past year due to the impact 
of their stolen identity.
    Simply put, this issue is about more--more than simply 
getting a driver's license. I firmly believe our current 
identity management challenges are solvable and provide us with 
an opportunity. However, it will require hard work.
    We need to fix the current problems by devaluing the stolen 
identity data of Americans that is already out in the open so 
that criminals cannot so easily leverage American identities 
for nefarious purposes. We must take a hard look at how we can 
protect future American identity by providing new ways to prove 
that you are, in fact, who you say you are--such as new mobile 
driver's licenses that are a digital counterpart to plastic ID 
cards and that can be used not only in person but also on-line.
    When it comes to the future of identity, Americans are 
rightly skeptical and concerned about privacy and civil 
liberties, especially the collection of biometric data. This is 
why in today's hearings we will draw the important distinction 
between biometric verification processes versus biometric 
recognition.
    As usual, the private sector has had solutions to identity 
management for decades, though, because the Government is the 
only authoritative issuer of identity, there are limitations on 
what the industry alone can deliver.
    We have with us today a panel of experts in the industry 
that have been involved in this discussion since the beginning 
of these discussions.
    The American people deserve a robust discussion about the 
time line of events, and how it is that we landed here 18 years 
after the passage of the REAL ID Act with even greater 
challenges than we had before.
    I look forward to the discussion and the solutions that are 
offered.
    [The statement of Chairman Gimenez follows:]
                Statement of Chairman Carlos A. Gimenez
    American identity management is fundamentally fractured.
    The REAL ID Act of 2005 was passed in response to September 11.
    The goal of the Act was to address the fact that the hijackers were 
able to fraudulently obtain State drivers' licenses and thereby enable 
their heinous act of terrorism.
    Congress decided that there needed to be security standards for 
States when it came to identity documents.
    Eighteen years later, approximately 52 percent of the American 
population possesses a driver's license that is REAL ID-compliant.
    Only 4 States require REAL ID, which leaves 46 States and 5 
American territories that provide non-REAL IDs as an option.
    The problem comes to a head on May 7, 2025. On this date, if you do 
not have a REAL ID, you will not be able to fly in the United States, 
unless you happen to have a Passport, Global Entry card, or some sort 
of other Government-issued ID that is approved for air travel.
    Suffice to say, on May 7, 2025, we are going to encounter utter 
mayhem at our airports.
    Since 2005, the Department of Homeland Security has awarded over 
263 million dollars in grant funding to assist in enhancements to 
driver's licenses.\1\
---------------------------------------------------------------------------
    \1\ Minimum Standards for Driver's Licenses and Identification 
Cards Acceptable by Federal Agencies for Official Purposes; Extending 
Enforcement Date, FEDERAL REGISTER (2023), 
https://www.federalregister.gov/documents/2023/03/09/2023-04496/minimum-standards-for-drivers-licenses-and-identification-cards-acceptable-by-federal-agencies-for 
(last visited Dec 1, 2023).
---------------------------------------------------------------------------
    While this money has enabled individual States to update their 
processes, the REAL ID efforts have come in behind schedule and over 
budget. While all States are now offering REAL ID-compliant licenses, 
there is more work to be done to raise awareness and REAL ID adoption.
    Yesterday, I had the chance to meet with our Transportation 
Security Administration, which is now overseeing REAL ID efforts given 
DHS headquarters' mismanagement of this important initiative since the 
beginning.
    In 2020, TSA took over REAL ID management and Congress passed the 
REAL ID Modernization Act, providing streamlined and innovative 
enhancements to REAL ID requirements. Since then, the work has expanded 
and become more efficient.
    Furthermore, the TSA's identity management team has sought to look 
beyond physical identity documents and engage the digital realm--
bringing together experts from the National Institute of Standards and 
Technology, technology companies, and banks to conceptualize the future 
of digital identity in the United States.
    I applaud these efforts but am concerned that this is a bigger 
effort than just one agency in one department--it requires a whole-of-
Government approach and leadership from the highest levels.
    Sadly, every American knows somebody or has themselves been a 
victim of identity theft.
    This year alone, the Identity Theft Resource Center recorded more 
than 2,800 data breach notices which included over 273 million 
individuals.
    Total financial losses for Americans were over $10 billion.
    The average cost for a U.S. driver's license on the black market is 
between $150 and $200.
    The average cost of a social security number is worth only a few 
pennies.
    In other words, social security numbers are easy to forge and not a 
very secure way to identify yourself.
    There's also a darker side to identity theft.
    The Identity Theft Resource Center reports that 16 percent of 
identity crime victims contemplated suicide the past year due to the 
impact of their stolen identity.
    Simply put: this issue is about more than simply getting a driver's 
license.
    I firmly believe our current identity management challenges are 
solvable and provide us with an opportunity.
    However, it will require hard work.
    We will need to fix the current problem by devaluing the stolen 
identity data of Americans that is already out in the open so that 
criminals cannot so easily leverage American identities for nefarious 
purposes.
    And we must take a hard look at how we can protect future American 
identities by providing new ways to prove that you are--in fact--who 
you say you are, such as new mobile driver's licenses that are a digital 
counterpart to plastic ID cards and that can be used not only in person 
but also on-line.
    When it comes to the future of identity, Americans are rightly 
skeptical and concerned about privacy and civil liberties--especially 
the collection of biometric data.
    This is why in today's hearing we will draw the important 
distinction between biometric verification versus biometric 
recognition.
    As usual, the private sector has had solutions to identity 
management for decades. Though, because Government is the only 
authoritative issuer of identity, there are limitations on what 
industry alone can deliver.
    We have with us today a panel of experts in the industry that have 
been involved in this discussion since the beginning of these 
discussions.
    The American people deserve a robust discussion about the time line 
of events and how it is that we landed here--18 years after the passage 
of the REAL ID Act--with even greater challenges than we had before.
    I look forward to the discussion and the solutions that are 
offered.

    Mr. Gimenez. I now recognize the Ranking Member, the 
gentleman from Michigan, Mr. Thanedar, for his opening 
statement.
    Mr. Thanedar. Good afternoon.
    Thank you, Chairman Gimenez, for calling today's hearing 
and thank you to our witnesses for sharing your expertise.
    A record number of passengers are traveling through 
Transportation Security Administration security checkpoints 
with TSA, recently screening a record 2.9 million people in a 
single day. TSA is charged with verifying the identities of 
each and every passenger entering a checkpoint and ensuring 
each passenger receives the appropriate level of screening 
based on the risk that they pose.
    As TSA approaches the deadline for requiring passengers to 
show REAL ID-compliant identification in May 2025, the agency 
must enhance public awareness efforts to ensure all passengers 
have compliant IDs.
    Our crowded aviation system cannot afford the challenge and 
the chaos of thousands of thousands of passengers arriving to 
TSA checkpoints without acceptable identification. Recently, 
TSA has begun piloting next-generation technologies for 
managing and verifying identities.
    In 8 States, passengers can now use mobile driver's 
licenses to access screening checkpoints, and in 25 locations, 
TSA's using facial recognition technology to match passengers 
to their IDs. Digital IDs and facial recognition technology 
both offer the potential for security enhancements and 
convenience, but the potential downsides are grave.
    TSA must prioritize protections for privacy, civil rights, 
civil liberties, and even to an extent, extreme degree. TSA's 
efforts to advance these technologies may set the standard for 
other sectors. So TSA must go out of its way and take the time 
to do the things the right way.
    TSA seems to be in a hurry to fast-forward into the future 
with these technologies, even as it allows vulnerabilities 
within existing identity verification process to persist.
    Last year, TSA notified Congress of security incidents that 
have occurred within the Registered Traveler Program operated 
by Clear. The program has allowed some travelers to enter 
security checkpoints using fraudulent identity. In one 
instance, an individual picked up a boarding pass out of a 
trash can and was able to use it to go through screening 
because a Clear employee falsely told TSA they had verified the 
individual's identity.
    Addressing these vulnerabilities does not require any 
futuristic technology or creative solutions. It simply requires 
TSA to stop outsourcing identity verification functions to a 
corporation seeking to make profit.
    Vetting and verifying passenger identities are inherently 
Governmental functions. For nearly a year, Ranking Member 
Thompson has been calling for TSA to require all passengers to 
go through TSA's own identity verification processes. TSA could 
mandate such a requirement today.
    I urge TSA to spend a little less time fast-forwarding into 
the future, and instead, focus on addressing security 
vulnerabilities that threaten the aviation system today.
    I look forward to hearing from our witnesses on these 
critical topics.
    Chairman Gimenez, I thank you for our witnesses again.
    I yield back.
    [The statement of Ranking Member Thanedar follows:]
               Statement of Ranking Member Shri Thanedar
                            December 5, 2023
    Record numbers of passengers are traveling through Transportation 
Security Administration security checkpoints, with TSA recently 
screening a record 2.9 million people in a single day. TSA is charged 
with verifying the identity of each and every passenger entering a 
checkpoint and ensuring each passenger receives the appropriate level 
of screening based on the risk they pose.
    As TSA approaches the deadline for requiring passengers to show 
REAL ID-compliant identification in May 2025, the agency must enhance 
public awareness efforts to ensure all passengers have compliant IDs. 
Our crowded aviation system cannot afford the chaos of thousands of 
passengers arriving to TSA checkpoints without acceptable 
identification.
    Recently, TSA has begun piloting next-generation technologies for 
managing and verifying identities. In 8 States, passengers can now use 
mobile driver's licenses to access screening checkpoints. And in 25 
locations, TSA is using facial recognition technology to match 
passengers to their IDs. Digital IDs and facial recognition technology 
both offer the potential for security enhancements and convenience--but 
the potential downsides are grave.
    TSA must prioritize protections for privacy, civil rights, and 
civil liberties, even to an extreme degree. TSA's efforts to advance 
these technologies may set the standard for other sectors--so TSA must 
go out of its way and take the time to do things the right way. TSA 
seems to be in a hurry to fast forward into the future with these 
technologies, even as it allows vulnerabilities within existing 
identity verification processes to persist.
    Late last year, TSA notified Congress of security incidents that 
have occurred within the Registered Traveler program operated by CLEAR. 
This program has allowed some travelers to enter security checkpoints 
using fraudulent identities. In one instance, an individual picked a 
boarding pass out of a trash can and was able to use it to go through 
screening because a CLEAR employee falsely told TSA they had verified 
the individual's identity.
    Addressing these vulnerabilities does not require any futuristic 
technology or creative solution; it simply requires TSA to stop 
outsourcing identity verification functions to a corporation seeking to 
make a profit. Vetting and verifying passenger identities are 
inherently Governmental functions. For nearly a year, Ranking Member 
Thompson has been calling for TSA to require all passengers to go 
through TSA's own identity verification processes. TSA could mandate 
such a requirement today.
    I urge TSA to spend a little less time fast-forwarding into the 
future and instead focus on addressing security vulnerabilities that 
threaten the aviation system today.

    Mr. Gimenez. Thank you, Ranking Member.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                            December 5, 2023
    The title of this hearing references ``Looking Beyond REAL ID''--
but in my opinion, we should not be focusing on the future of identity 
management until we address the glaring vulnerabilities present at 
security checkpoints today.
    Last December, TSA informed the committee of security incidents 
that have occurred within the Registered Traveler program. As carried 
out by the private sector, the Registered Traveler program has allowed 
some passengers to enter security checkpoints using fraudulent 
identities. In at least one known instance, the Registered Traveler 
program allowed a passenger to enroll in its program using a fake ID.
    In another case, a passenger found a boarding pass in an airport 
trash can, and a private-sector employee escorted the passenger into 
the security checkpoint without verifying their identity. Enough is 
enough. TSA must act to close these critical security gaps and regain 
control of identity verification. Vetting and verifying passenger 
identities is a core layer of TSA's approach to security. It should be 
carried out by Federal employees who are trained to a rigorous 
standard--not outsourced to a private company seeking to profit off the 
inconvenience of security screening.
    For the past year, I have called on TSA to require all passengers 
to go through TSA's identity verification processes. But instead of 
acting to address existing vulnerabilities that place travelers at risk 
every day, TSA has focused on developing next-generation technologies 
like digital IDs and facial recognition. These technologies are trendy, 
and they may offer some security and convenience benefits, but they 
also pose significant risks to privacy, civil rights, and civil 
liberties. Racial biases of some facial recognition algorithms have 
been well-documented.
    Though TSA has put its technologies through testing to prevent 
against bias, mass deployment of facial recognition threatens to 
normalize technology that could be easily abused in sectors not subject 
to such testing standards. Similarly, because of the breadth of TSA's 
operations, which screen millions of passengers each day, the agency's 
adoption of digital ID standards may drive the future of the identity 
industry. TSA must act responsibly to prioritize privacy protections 
above small improvements to passenger convenience.
    I also remain concerned that TSA is ill-prepared to enforce 
requirements for passengers to present REAL ID-compliant identification 
at TSA checkpoints. Though the current deadline for enforcement is not 
until May 2025, TSA must act now to push for increased REAL ID adoption 
rates to avoid major disruptions at checkpoints.

    Mr. Gimenez. Again, I am pleased to have a distinguished 
panel of witnesses before us today on this critical topic. I 
ask that our witnesses please rise and raise their right hands.
    Do you solemnly swear the testimony you will give before 
the Committee on Homeland Security of the U.S. House of 
Representatives will be the truth, the whole truth, and nothing 
but the truth, so help you God?
    Let the record reflect that the witnesses have answered in 
the affirmative.
    Thank you, and please be seated.
    I would now like to formally introduce our witnesses. Ian 
Grossman serves as president and CEO of the American 
Association of Motor Vehicle Administrators.
    Jeremy Grant serves as the coordinator for the Better 
Identity Coalition.
    Hal Wiediger serves as the senior vice president of Client 
Success at IDEMIA.
    Jay Stanley serves as senior policy analyst at the American 
Civil Liberties Union.
    I thank each of our witnesses for being here today.
    I now recognize Ian Grossman for 5 minutes to summarize his 
opening statement.

  STATEMENT OF IAN GROSSMAN, PRESIDENT AND CEO, THE AMERICAN 
          ASSOCIATION OF MOTOR VEHICLE ADMINISTRATORS

    Mr. Grossman. Thank you, Mr. Chairman, Mr. Ranking Member, 
Members of the committee. Thank you for the opportunity to 
appear before you today and discuss this important issue of the 
future of identity management.
    The American Association of Motor Vehicle Administrators, 
or AAMVA, is a nonprofit organization representing motor 
vehicle agencies and jurisdictional highway safety law 
enforcement.
    In plain speak, our association's primary members are the 
State DMVs and the State police throughout the United States 
and Canada. We enable collaboration to ensure safe drivers, 
safe vehicles, secure identities, all together to save lives.
    When first contemplated, driver's licenses were issued 
solely to indicate a person as having been granted the legal 
authority to operate a motor vehicle. Now the driver's license 
has become the de facto primary identity document in the United 
States. It serves as a document of choice for public services, 
financial institutions, and other entities seeking identity 
assurance.
    Americans use their State driver's license or 
identification card in countless everyday activities including 
making age-limited purchases, entering schools, visiting 
doctor's offices, and, of course, boarding an airplane.
    This is why driver licensing agencies have become the 
foremost trusted authority in identifying whether people are 
who they claim to be.
    As we live through the age of digital transformation, 
rapidly evolving in a post-COVID world of touchless 
transactions, it comes as no surprise that your driver's 
license is being transitioned to an electronic format. This 
improvement is the mobile driver's license, or MDL.
    The MDL is the future of licensing and proof of identity. 
An MDL is a driver's license hosted on a mobile device with the 
capability of being updated in real time. It contains the same 
data used to produce a physical license. However, MDL data is 
securely transmitted to a relying party's reader.
    The MDL is a significant advancement over physical 
credentials, which can easily be lost or stolen, become 
damaged, become outdated as information changes, or offer too 
much information. Unlike a physical credential which can easily 
be replicated by counterfeiters, the MDL offers a completely 
touchless transaction with selective information release, data 
protection, and so much more.
    The physical credential is limited by being a snapshot in 
time. The information it represents may change. But, once 
produced, it cannot be updated until it is reissued. Reissuance 
typically occurred infrequently, sometimes only after many 
years.
    Additionally, with a physical credential, the person 
inspecting the credential may be forced to draw conclusions 
about the validity of the document based on a visual 
examination. By comparison, a relying party authenticating an 
MDL, using a reader, will immediately know that the MDL was 
issued by a bona fide issuing authority, it was issued to the 
person presenting it, and the data is no more than 90 days old.
    Currently, to have adequate inspection of a physical 
credential, a relying party has to have extensive knowledge of 
security features or have tools to confirm that the security 
features are included in the correct places on the credential.
    In the case of an MDL, the authentication process can 
happen seamlessly behind the scenes so the relying party does 
not need to know what security features are part of the MDL. 
They only need to possess the public key, the encrypted public 
key which is used to authenticate the MDL, and if 
authenticated, the data is transmitted and displayed to the 
relying party. Without the authentication, no data is sent, 
protecting the credential holder's data and protecting the 
relying party from fraud.
    In the future, State driver licensing agencies will each 
publish their own public key. To support this, AAMVA has 
developed a Digital Trust Service to provide relying parties a 
trusted, central site to obtain all issuing authorities' 
public-issuing certificates.
    AAMVA's primary focus has been developing international 
standards and supporting early adopters of the process of 
issuing MDLs. However, regular interaction with relying parties 
will be critical in the future of identity management MDL 
proliferation. Educating and onboarding those who seek to 
access the data in the MDL must be prioritized.
    We urge Congress to consider investments critical to 
establishing these trust networks. This can include grant 
awards to States who invest in the foundational systems that 
support mobile driver's licenses or the expansion of identity 
transaction architecture.
    I appreciate your time and the opportunity to testify. In 
the realm of digital identity administration, the primary goal 
of State licensing agencies remains the preservation of 
identity as integrity as a public good by continuing for the 
DMVs to be the most secure, trusted, privacy-preserving, and 
convenient source of that identity.
    Thank you again for the time today, the commitment to this 
conversation, and I look forward to your questions. Thank you.
    [The prepared statement of Mr. Grossman follows:]
                   Prepared Statement of Ian Grossman
                            December 5, 2023
    Chairman Gimenez, Ranking Member Thanedar, thank you for the 
opportunity to submit testimony on the important issue of identity 
management innovation and the future of identity credentialing.
    The American Association of Motor Vehicle Administrators (AAMVA) is 
a tax-exempt, nonprofit organization that develops model programs in 
motor vehicle administration, law enforcement, and highway safety. The 
association also serves as an information clearinghouse in these areas. 
Founded in 1933, AAMVA represents the State and provincial officials in 
the United States and Canada who administer and enforce motor vehicle 
laws. AAMVA's programs encourage uniformity and reciprocity among the 
States and provinces.
    Since the advent of the driving credential, State driver licensing 
agencies have worked diligently to find effective ways to connect an 
individual's driving record to a specific individual. Because roadway 
safety is critical to the Nation's overall public safety, State driver 
licensing agencies have consistently sought to solve a complex issue--
ensuring that the person is who they say they are. This seemingly 
simple, yet critical and highly technical question, is the foundation 
of States' efforts in identity management.
    AAMVA members serve at the critical nexus of public safety and law 
enforcement by working to reach the goal of ``one driver, one license, 
one record'' for every individual operating a motor vehicle in the 
United States. What began simply as a credential displaying a legal 
authorization to operate a motor vehicle has evolved over time to 
becoming the de facto identity document. It is the State-issued 
driver's license and identity card that serves as the access document 
of choice for State services, financial institutions, and other 
entities seeking identity assurance.
    To support our members' evolving role in identity management, AAMVA 
provides guidance, standards, and best practices for the vetting of 
identities and issuance of a secure and interoperable identity 
credential. AAMVA is expanding member support with the fundamental 
understanding that identity management is not a commodity but the 
conveyance of a public benefit.
    The development of future credentialing cannot be performed in a 
vacuum. AAMVA is part of both national and international bodies that 
develop standards defining the identity ecosystem. AAMVA has provided 
leadership in the work within the bodies of the International 
Organization for Standardization (ISO), which is responsible for the 
development and maintenance of the Personal Identification--ISO 
Compliant Driving Licenses international standard (18013) establishing 
guidelines in the format and content of motor vehicle driver licenses 
(DLs). AAMVA published and maintains the DL/ID Card Design Standard 
which localizes the international standard for use by North American 
jurisdictions. These documents create a common basis for international 
use and recognition of driver's licenses and identity cards across 
State and international borders.
    The most recent addition to the ISO 18013 standard is the Mobile 
Driving License (mDL) Application. This part provides the interface and 
data model requirements for safe, secure, trusted, and interoperable 
mobile driving licenses and IDs. AAMVA drafted the functional 
requirements that were used as a basis for the published standard and 
has served as convenor of the ISO working group for many years.
    The development of new standards in the identity space has been 
spurred by drastic technology change. As the world continues to become 
more technologically enabled and interactions shift toward digital 
channels, there is an obvious need for advancement of Government-grade 
identity management to address these new domains. It is becoming 
increasingly clear that the future of identity management lies in the 
credential's ability to be integrated onto a mobile device. It is for 
this reason that AAMVA and its membership have been thought leaders in 
transitioning the credential to a mobile driver's license, or mDL, 
platform. Within the realm of digital identity administration, the 
primary goal of issuing authorities remains the preservation of 
identity integrity as a public good by continuing to be its most 
secure, trusted, privacy-preserving, and convenient source.
    The mDL is the future of licensing and proof of identity. An mDL is 
a driver's license that is provisioned to a mobile device with the 
capability to be updated in real time. It is comprised of the same data 
elements that are used to produce a physical driver's license, however, 
the data is transmitted electronically to a relying party's reader 
device and authenticated.
    The mDL is a significant improvement over physical credentials 
which can easily be lost or stolen, become damaged, become outdated as 
information changes, offer too much information (including personally 
identifiable information not related to specific transactions), and 
more easily be replicated by counterfeiters. The mDL offers safe, 
secure, and trustable technologies that allow for completely touchless 
transactions, selective information release, data protection, and so 
much more. The mDL operates on the premise that the identity's owner is 
always in full control of what data is shared with the option of only 
providing those data elements (such as age) that are necessary for that 
particular use case.
    A physical credential represents a snapshot in time. It is a 
credential subject to change with no faculty for updating the 
credential once it has been issued until it is reissued, revoked, or 
modified (sometimes over the course of many years). Additionally, with 
a physical credential, the person inspecting the credential may be in a 
situation where they are making assumptions on the validity of the 
physical document by the very nature of visual examination. When the 
relying party authenticates an mDL using a reader, they immediately 
know that the mDL was issued by a bona fide issuing authority, was 
issued to the person with whom they are transacting, was issued to that 
specific holder's device, that the data is less than 30-90 days old, 
and that the data hasn't changed since it was provisioned to their 
device.
    Currently, for a relying party (or end-user) to adequately inspect 
a physical document's validity, they must meet complex conditions. They 
need intricate knowledge of security features the State uses on the 
credential, and they need the tools to confirm that the exact same 
security features are included in the document in the places they need 
to be. In the case of an mDL that authentication happens seamlessly 
behind the scenes, so the relying party does not have to know what 
security features are part of the mDL--all they need is the public key. 
The public key is used to authenticate the mDL data on the device, and 
if authenticated, the data is displayed on the relying party's device. 
If the data doesn't authenticate, no data renders for the relying 
party, protecting the credential holder's data.
    The process of authenticating a digital identity credential 
includes the technical trust point of a relying party possessing an 
issuing authority's public key certificate. In a future environment 
where many issuing authorities (State driver licensing agencies) are 
each publishing their own public key certificate, it will be 
challenging for relying parties to obtain and trust all the issuing 
authorities' public key certificates. AAMVA's work in the mDL 
environment includes the development of a ``Digital Trust Service'' 
(DTS). The established AAMVA DTS collects public key certificates from 
vetted issuing authorities and ensures each key and the corresponding 
mDL product meets minimum international standards. The DTS aggregates 
the public keys so relying parties can easily access them in a singular 
and trusted location. The DTS provides validation that the State is a 
vetted issuing authority, validation that they are creating and 
maintaining their public and private keys per industry standards and 
comply with the ISO 18013-5 interoperability standard. Without the 
assurance of 18013-5 standard compliance, the credential may not be 
interoperable, the customer is not ensured control of their data, and 
there is no certainty that the mDL adheres to appropriate privacy 
protections.
    While AAMVA anticipates the mDL will eventually be used as a 
singular identity credential, we recognize for the immediate future 
both the physical card and the mDL must coexist for redundancy and 
operationally significant reasons. This includes the lack of available 
readers in all situations, including potential law enforcement 
interactions (or other unanticipated scenarios where a reader is 
absent). For these reasons, the mDL is currently viewed as an extension 
of the physical card rather than an immediate replacement.
    Additionally, AAMVA emphasizes that mDL interaction with relying 
parties will be a critical component in the future of identity 
management. Relying parties represent the other half of the identity 
equation, and in the sensible progression of identity management, the 
education and onboarding of those who seek access to the data 
provisioned on a device must be prioritized. While AAMVA and its 
members continue to work toward common goals in terms of public 
benefits, relying parties must also work collaboratively to fulfill the 
tenets and best practices of identity protection.
    As Congress continues its consideration of the future of identity 
management and its impact on constituent-Government interactions, AAMVA 
emphasizes trust as the determining factor for success. As we seek 
shared solutions on how to best build that trust, AAMVA urges Congress 
to continue studying what the future looks like and consider 
investments that will be critical to establishing trust networks. This 
includes availability of grant awards to States who invest in the 
foundational systems that support mobile driver's license platforms or 
expansion of identity transaction architecture. These investments will 
help ensure that as citizens make the transition to new identity models 
in the very near future, they are reassured that the Government is 
supporting that transition in the best way possible. Just as we have 
seen with traditional driving credentials, the purpose and opportunity 
of identity management extends well beyond the driving credential 
itself.
    AAMVA thanks the subcommittee for the opportunity to testify and 
stands ready to continue the important conversation of how we can help 
further the shared interests of security and identity management.


    Mr. Gimenez. Thank you, Mr. Grossman.
    I now recognize Jeremy Grant for 5 minutes to summarize his 
opening statement.

    STATEMENT OF JEREMY GRANT, COORDINATOR, BETTER IDENTITY 
                           COALITION

    Mr. Grant. Chairman Gimenez, Ranking Member Thanedar, 
Members of the committee, I appreciate the opportunity to 
testify today. I'm here on behalf of the Better Identity 
Coalition, an organization that's focused on working with 
policy makers to improve the way that Americans can protect and 
verify their identities when they're on-line. Our members 
include leaders in sectors like financial services, health, 
technology, fintech, payments, and security.
    Our 26 members are united by a common recognition that the 
way we handle digital identity today in the United States is 
broken and by a common desire to see both the public and 
private sectors each take steps to make identity systems work 
better.
    Five years ago, we released a blueprint for policy makers 
on how to improve digital identity infrastructure in America. 
The blueprint highlighted the ways the Government can play a 
role in delivering more secure, inclusive, privacy-preserving 
digital solutions by closing the gap between the nationally-
recognized authoritative credentials that we have here in the 
United States that work in the physical world, driver's 
licenses, passports, and birth certificates--and the lack of 
any digital counterpart to those credentials that can be used 
when Americans need to prove who they are on-line.
    Digital driver's licenses, also known as mobile driver's 
licenses, or MDLs, play a big role in the blueprint by virtue 
of the fact that driver's licenses and State ID cards are, by 
far, the photo ID that's most commonly obtained by people in 
the United States, and are thus the documents that are most 
commonly used to prove one's identity today in the physical 
world.
    We're thrilled to see this subcommittee focusing on the 
issue of digital identity and what is needed beyond the REAL ID 
Act.
    There's five key points we'd like to emphasize today:
    First, when it comes to mobile driver's licenses the 
Government's prioritizing the wrong use cases. There's 
essentially two core use cases for digital versions of States' 
driver's licenses and digital ID cards. The first are in-person 
cases such as clearing the TSA security checkpoints or proving 
age at a bar to buy alcohol. This is where you're presenting a 
digital version of a plastic card in your wallet that's instead 
stored on your phone.
    The second is remote or on-line use cases where you need to 
prove who you are on-line, say, to open a bank account or apply 
for Government services. Of these two, the first is a ``nice to 
have,'' while the second addresses a critical cybersecurity 
priority, a wave of identity-related cyber crime that's 
impacting millions of Americans and costing us hundreds of 
billions of dollars each year. This has been documented by 
agencies like FinCEN and the GAO.
    Now, this is not to say there aren't some tangible benefits 
to the in-person use cases. But given what's happening in the 
on-line world, it's time we get our priorities straight.
    Second, our understanding is that the reason DHS and the 
States have been focused on the in-person use cases is because 
work is still on-going in the International Standards 
Organization, known as ISO, to craft a standard for the on-line 
use cases of MDLs. This is a terrible reason for the Government 
to avoid focusing on solving a problem that leads to hundreds 
of billions of dollars in identity-related cyber crime, most of 
it perpetrated by organized crime or hostile nation-states.
    If ISO's moving too slowly, the United States should take 
the lead on creating its own standard and work to advance it in 
ISO, rather than sit back and hope that ISO eventually figures 
it out.
    Now, while DHS does not create standards typically, DHS or, 
even better, the White House or Congress, should request that 
NIST lead an effort to create the standards and guidance needed 
to accelerate the deployment of secure, privacy-protecting MDL 
apps that Americans can use to better protect and assert their 
identity on-line. There's actually a precedent for this here. 
There's a lot of ISO cybersecurity standards that are more or 
less based on work that NIST led first.
    Third, TSA alone should not be in the lead here in that 
there's things that TSA's responsible for with regard to 
identity. But there are a relatively smaller subset of issues 
with regard to the broader set of issues that's at play. It's 
not TSA's mission to ensure a safe and privacy-preserving 
foundation for, say, digital transactions in banking or health 
or Government services.
    While I admire a lot of the work TSA's doing here, 
particularly how their team is taking some very forward-looking 
steps in their proposed draft regulations on MDLs to look ahead 
to maybe solving these other issues, there's just a bigger 
structural issues where TSA's going to be limited in what they 
can accomplish.
    This brings up my fourth point which is that digital 
identity is critical infrastructure and needs to be treated as 
such. DHS said as much in 2019 when it declared identity as one 
of 55 national critical functions defined as those services so 
vital to the United States that disruption, corruption, or 
dysfunction would have a debilitating impact on security.
    But compared to the other critical functions in that list, 
identity has gotten scant investment and attention. It's a 
little puzzling that DHS, after calling out digital identity as 
critical function, has then opted to focus so narrowly here as 
it implements the REAL ID Modernization Act of 2020.
    Finally, on that note, the White House could and should 
play a bigger role here by launching a whole-of-Government 
effort to address critical vulnerabilities in our digital 
identity fabric. President Biden actually had language on this 
in the March 2023 National Cybersecurity Strategy. But when the 
implementation plan for that strategy was published in July, it 
inexplicably skipped over the identity section entirely.
    In the wake of that White House inaction, Congress can 
force the issue. There's a bipartisan bill--I know Congressman 
Foster will be here in a bit, who was a lead sponsor--called 
the Improving Digital Identity Act that cleared key House and 
Senate committees last year, but fell just short of package--
short of passage.
    As currently drafted, it falls under jurisdiction of the 
House Oversight Committee and not this committee, but we'd 
welcome the bill to explore ways this committee might be able 
to drive action forward. It was also actually sponsored by 
Democrats and Republicans on this committee.
    I appreciate the opportunity to testify today. Note that I 
have submitted some lengthier testimony for the record, as well 
as a copy of our policy blueprint. I'll look forward to 
answering your questions. Thank you.
    [The prepared statement of Mr. Grant follows:]
                   Prepared Statement of Jeremy Grant
                            December 5, 2023
    Chairman Gimenez, Ranking Member Thanedar, and Members of the 
committee, thank you for the opportunity to testify today.
    I am here on behalf of the Better Identity Coalition--an 
organization focused on working with policy makers to improve the way 
Americans establish, protect, and verify their identities when they're 
on-line.
    Our members include leaders in sectors like financial services, 
health, technology, FinTech, payments, and security. Our 26 members are 
united by a common recognition that the way we handle digital identity 
today in the United States is broken--and by a common desire to see 
both the public and private sectors each take steps to make identity 
systems work better.
    Identity does not always get much attention, but is an important 
topic, in that the way we handle identity in America impacts our 
security, our privacy, and our liberty. From an economic standpoint, 
particularly as we move high-value transactions into the digital world, 
identity can be the ``great enabler''--providing a foundation for 
digital transactions and on-line experiences that are more secure, more 
enjoyable for the user, and ideally, more respectful of their privacy.
    But outdated identity systems enable a set of great attack points 
for criminals and other adversaries, such as hostile nation-states that 
are seeking to steal data and money and compromise American systems. As 
these threats grow--and new systems are put in place to try to guard 
against them--they often create new burdens for consumers, businesses, 
and Government agencies who need to accurately verify identity to 
enable high-value transactions to be delivered on-line.
    Five years ago, the Better Identity Coalition released a 
``Blueprint'' for policy makers on how to improve digital identity 
infrastructure in America. The Blueprint highlighted the ways that 
Government can help deliver more secure, inclusive, privacy-preserving 
digital solutions--by closing the gap between the nationally-
recognized, authoritative credentials that work in the physical world--
like driver's licenses, passports, and birth certificates--and the lack 
of any digital counterpart to those physical credentials that can be 
used when Americans need to prove who they are on-line.
    Why is Government action needed here? Well, at the end of the day, 
Government is the only authoritative issuer of identity in the United 
States. But the identity systems Government administers are largely 
stuck in the paper world, whereas commerce has increasingly moved on-
line. This ``identity gap''--a complete absence of Government-issued 
credentials built to support digital transactions--is being actively 
exploited by adversaries to steal identities, money, and sensitive 
data, and defraud consumers, governments, and businesses alike.
    And while industry has come up with some decent tools to try to get 
around this identity gap, adversaries have caught up with many of them.
    Moreover, with the rise of artificial intelligence (AI) now 
enabling new types of attacks on digital identity (such as cheap and 
highly convincing deepfakes that can fool remote identity verification 
tools), the security and economic risks are more acute than ever. It is 
imperative that the United States develop a strategy to ensure we have 
digital identity infrastructure that can mitigate and stay ahead of 
these threats.
    Indeed most of our peer countries have either created robust 
digital identity infrastructure or have launched a national initiative 
to do so. Each year that passes without a comprehensive initiative to 
prioritize more robust, privacy-preserving digital identity 
infrastructure puts Americans at greater risk than the rest of the 
world and threatens our international competitiveness.
    Going forward, Government will need to take a more active role in 
working with industry to deliver next-generation remote identity 
proofing solutions. This is not about a national ID--and we do not 
recommend that one be created. We already have a number of nationally-
recognized, authoritative Government identity systems--the driver's 
license, the passport, the SSN. But because of the ``identity gap'' 
these systems are stuck in the paper world, while commerce is 
increasingly moving on-line.
    To fix this, America's paper-based systems should be modernized 
around a privacy-protecting, consumer-centric model that allows 
consumers to ask an agency that issued a credential to stand behind it 
in the on-line world--by validating the information from the 
credential.
    Digital driver's licenses--also known as ``mobile'' driver's 
licenses or mDLs--featured prominently in our Blueprint. This is by 
virtue of the fact that driver's licenses and State ID cards are by far 
the photo ID that is most commonly obtained by people in the United 
States, and are thus the documents that are most commonly used to prove 
one's identity today in the physical world.
    The single best way to prevent identity theft and identity-related 
cyber crime is to give Americans tools that they can use to protect 
themselves from identity thieves. mDLs have much to offer here, as they 
can enable Americans to reuse a high assurance credential they already 
have--their driver's license or State ID card--when they need to prove 
who they are on-line for high assurance transactions. And because the 
REAL ID Act of 2005 established a Federal standard for a robust, in-
person identity-proofing process for States to follow, consumers can 
derive significant benefit if REAL ID-compliant driver's licenses are 
enhanced to support digital transactions.
    By binding proof of identity to a digitally-signed mDL app housed 
securely in a smartphone, a mDL can help Americans be better protected 
against identity thieves. And if designed properly, a mDL can offer not 
just better security, but also better privacy and increased convenience 
when Americans need to prove who they are on-line.
    We're thrilled to see this subcommittee focusing in on the issue of 
digital identity and what is needed beyond the REAL ID Act.
    I expect a good deal of this hearing will focus in on the role that 
TSA is playing with regard to mobile driver's licenses and REAL ID. And 
I think it is important to say that I admire the work TSA is doing 
here, at least in regard to the subset of issues around identity that 
are a part of TSA's mission.
    The more important question for this hearing to explore, in my 
view, is whether TSA alone should be in the lead? In that the things 
that TSA cares about with regard to digital identity are a relatively 
small set of issues relative to the broader set of issues at hand.
    There are five key points we would like to emphasize today:
First, when it comes to mobile driver's licenses, the Government is 
        prioritizing the wrong use cases.
    There are essentially two core use cases for digital versions of 
State driver's licenses and ID cards:
   The first is in-person use cases, such as clearing a TSA 
        security checkpoint, or proving age at a bar to buy alcohol. 
        This is where you are presenting a digital version of the 
        plastic card in your wallet that is instead stored on your 
        phone.
   The second is remote or on-line use cases, where you need to 
        prove who you are on-line, say, to open a bank account or apply 
        for Government services.
    Of these two use cases, there are certainly some tangible benefits 
to the in-person applications--I discuss those later in my testimony--
but viewed against the backdrop of a wave of identity-related cyber 
crime that is costing Americans hundreds of billions of dollars each 
year, the in-person applications look like a ``nice to have.''
    This is because the numbers on the cybersecurity side are 
staggering, and they are impacting many different sectors:
   FinCEN recently revealed that $212 billion in transactions 
        flagged in 2021 Suspicious Activity Reports (SARs) filed by 
        banks were tied to some form of breakdown in the identity 
        verification process.\1\
---------------------------------------------------------------------------
    \1\ https://www.nextgov.com/digital-government/2023/09/212b-
suspicious-activity-reports-fin- cenin-2021-concerned-identity-
officials-report/390279/.
---------------------------------------------------------------------------
   The Government Accountability Office (GAO) reported that 
        between $100-$135 billion in pandemic Unemployment Insurance 
        (UI) benefits was lost to fraud during the pandemic. Funds were 
        stolen both by organized criminals and State-sponsored actors, 
        with compromised identities being used to enable the bulk of 
        the theft.\2\
---------------------------------------------------------------------------
    \2\ https://www.gao.gov/assets/gao-23-106696.pdf.
---------------------------------------------------------------------------
   The Identity Theft Resource Center (ITRC)--a non-profit 
        which helps victims of identity theft--has stated that 2023 is 
        shaping up to be the worst year ever for identity theft and 
        data breaches.
    Why are there so many problems here? As I stated earlier, attackers 
have caught up with many of the ``first-generation tools'' we have used 
to protect, verify, and authenticate identity on-line, to the point 
that it is an anomaly when a major breach happens and some sort of 
identity compromise is not the attack vector. There are many reasons 
for this--but the most important question is: What should Government do 
about it now?
    With nearly $350 billion in identity-related cyber crime documented 
in just two sectors--banking and Government benefits--the deficiencies 
in digital identity infrastructure that enable most of this crime 
should be getting a ton of attention.
    Instead--inexplicably, in my opinion--the U.S. Government has been 
prioritizing the in-person use cases for mDLs while giving little 
attention to the on-line use cases that could address this massive wave 
of identity-related cyber crime.
    This is not to say that the in-person use cases have no value; on 
the contrary, there are notable improvements to security, privacy, and 
convenience that can be delivered by a properly-designed mDL that is 
used for in-person use cases. The ability, for example, to let someone 
share elements of their ID such as age or State of residence on a 
granular basis--without revealing all of the information printed on 
their ID--can improve privacy. Likewise, having digitally-signed data 
in a mDL app can offer security and anti-counterfeiting benefits above 
and beyond the security features that are built into plastic cards. 
However, when weighed against our most pressing problems in digital 
identity, these in-person use cases should not be the lead priority.
    There is some background here worth sharing:
   The initial pilots of mDLs were funded by the National 
        Institute of Standards and Technology (NIST) between 2012-2015, 
        as part of the National Strategy for Trusted Identities in 
        Cyberspace initiative. It's worth sharing here that I ran that 
        program, and served as NIST's Senior Executive Advisor for 
        Identity Management. The pilots were focused on the ways that a 
        mDL could be used to help people when they had to prove who 
        they were on-line for a high-value service like banking or 
        Government benefits.
   However when Congress passed the REAL ID Modernization Act 
        in 2020 to reflect the emergence in the market of mDLs, 
        Congress did not specify which use cases were a priority. The 
        law just more generally directed DHS to update regulations for 
        REAL ID driver's licenses to support digital mDLs. Rather than 
        focus on the applications of mDLs that can prevent identity 
        theft and identity-related cyber crime, DHS instead delegated 
        implementation of the law to TSA, who has largely focused on 
        in-person use cases such as using a mDL to clear a TSA 
        checkpoint.
    One question to consider is if TSA alone should be in charge--
especially when DHS originally led the REAL ID regulations out of its 
policy office back in 2005? We assume DHS made this decision because 
the ``core use case'' for REAL ID that impacts most Americans is 
whether they can use their driver's license to clear a TSA checkpoint.
    However, that's a small subset of the use cases where digital 
identity matters, and many of these use cases are well outside of TSA's 
jurisdiction--among those, the on-line identity use cases that are not 
getting much attention.
Second, our understanding is that the reason DHS and the States have 
        both been focused on in-person use cases is because work is 
        still on-going in the International Standards Organization 
        (known as ISO) to craft a standard for the online use cases of 
        mDLs.
    This is a terrible reason for the Government to avoid focusing on 
solving a problem that leads to hundreds of billions of dollars in 
identity-related cyber crime and millions of victims of identity theft. 
Indeed, it is hard to think of another security crisis where the 
Government's response has been to say ``let's hold off on solving it 
until the International Standards Organization gets things figured 
out.''
    If ISO is moving too slowly, the United States should take the lead 
on creating its own standard, and work to advance it in ISO rather than 
sit back and hope that ISO eventually figures it out.
    While DHS does not create standards, DHS--or even better, the White 
House or Congress--should request that NIST lead a timeboxed, 1-year 
effort to create the standards and guidance needed to accelerate the 
deployment of secure, privacy-protecting mDL apps that Americans can 
use to protect and assert their identity on-line.
    There is precedent for this here--indeed a number of ISO security 
standards are more or less based on work that NIST led first. For 
example, in 2013, when the Obama administration determined that 
cybersecurity risks had reached a point that Government action was 
urgently needed, President Obama signed an Executive Order that gave 
NIST 1 year to create a Cyber Security Framework (CSF). NIST released 
the CSF in 2014, and it has since become recognized across the globe as 
the preeminent framework for organizations to use to manage cyber risk. 
So much so that ISO then used it as the basis of a ``formal 
international standard,'' leveraging the CSF content as the basis of 
both ISO 27103 and 27110. None of this would have happened without a 
recognition from the U.S. Government that Government action was needed 
here to jumpstart progress.
    Note that NIST has launched a small project here out of its 
National Cybersecurity Center of Excellence (NCCoE) focused on 
developing a reference implementation of the digital identity standard 
in partnership with industry. Some of the Better Identity Coalition's 
members are participating with NIST in this project; NIST has noted 
that outcomes of this project may result in contributions to the ISO 
standard currently being crafted. It's a good project that will help to 
move the ball forward--but bluntly, it's too small and too slow an 
effort relative to what is really needed here to accelerate the rollout 
of robust digital identity infrastructure.
Third, TSA alone should not be in the lead here.
    I do want to compliment the TSA team working on this, in that they 
get that there is a bigger set of issues at play beyond the use cases 
directly relevant to TSA's mission, and they have been working with 
NIST and other Government stakeholders. TSA's proposed draft 
regulations here also include some elements dealing with the security 
of how a mDL is provisioned for in-person use cases that can be 
leveraged to also ensure a secure provisioning process for on-line use 
cases--they seem to be looking beyond the use cases that are in their 
scope.
    That said, TSA's mission does not involve ensuring a safe and 
privacy-preserving foundation for digital transactions in banking or 
health or Government services, or other places where Americans might 
have a need for digital ID.
    Nor does it include issues around identity inclusion, such as how 
to help people who might not have a driver's license or other 
Government credential today--and who may not be able to easily get one. 
This is an important point to flag: Roughly 10 percent of adults do not 
have a driver's license or State ID, and in many cases, people lack 
critical identity documents like birth certificates and Social Security 
cards needed to get one. This disproportionately impacts the most 
marginalized communities, including people of color, the elderly, the 
poor, as well as survivors of domestic violence and those reentering 
society after time in prison. As we talk about investing in new digital 
identity tools, it is important to make sure our most vulnerable 
neighbors are not left behind.
    And so while I admire much of the work TSA is doing here--
particularly how their team has taken some very forward-looking steps 
in their proposed draft regulations on mDLs to look ahead to solving 
some of these other issues--there is a bigger structural issue where 
TSA is limited in how much they can accomplish.
    We desperately need to elevate protecting people from ID theft and 
identity-related cyber crime so that it is a national priority, not a 
transportation security priority.
This brings up my fourth key point, which is that digital identity is a 
        critical infrastructure issue and needs to be treated as such.
    DHS said as much in 2019 when it declared identity as one of 55 
``National Critical Functions''--defined as those services ``so vital 
to the U.S. that their disruption, corruption, or dysfunction would 
have a debilitating effect on security.''
    But compared to other critical functions, identity has gotten scant 
investment and attention. And it's a bit puzzling that DHS, after 
calling out digital identity as a critical function, has opted to focus 
so narrowly here as it implements the REAL ID Modernization Act of 
2020.
Finally, on that note, the White House could and should play a bigger 
        role here, by launching a ``whole-of-Government'' effort to 
        address critical vulnerabilities in our ``digital identity 
        fabric.''
    The administration actually had great language on digital identity 
in its March 2023 National Cybersecurity Strategy; Strategic Objective 
4.5 of the Strategy called for the Government to ``Support Development 
of a Digital Identity Ecosystem'' and stated:

``Today, the lack of secure, privacy-preserving, consent-based digital 
identity solutions allows fraud to flourish, perpetuates exclusion and 
inequity, and adds inefficiency to our financial activities and daily 
life. Identity theft is on the rise, with data breaches impacting 
nearly 300 million victims in 2021 and malicious actors fraudulently 
obtaining billions of dollars in COVID-19 pandemic relief funds 
intended for small businesses and individuals in need. This malicious 
activity affects us all, creating significant losses for businesses and 
producing harmful impacts on public benefit programs and those 
Americans who use them. Operating independently, neither the private 
nor public sectors have been able to solve this problem.''

    Of note, the National Cybersecurity Strategy noted the role that 
mDLs could play, encouraging ``a focus on privacy, security, civil 
liberties, equity, accessibility, and interoperability.''
    We agree that all of these are important, and, indeed, essential. 
It is critical as mDLs are emerging that Government defines what 
``good'' looks like with regard to these credentials, and puts a plan 
in place to make sure that we get there--and that we avoid bad outcomes 
that might arise if the architecture for mDLs is not properly designed 
to maximize benefits and minimize any potential harms.
    Unfortunately, when the implementation plan for National 
Cybersecurity Strategy was published in July, it inexplicably skipped 
over the identity section entirely--jumping from Strategic Objective 
4.4 to 4.6, as if the identity objective was never in the Strategy. 
The administration has said that identity might be addressed in future 
versions of the implementation plan, but for now this work has been 
sidelined. That means there is no vision of what ``good'' looks like to 
guide different agencies working on these issues, nor is there any plan 
to address some of the difficult inclusion issues I discussed earlier 
to make sure that we are not leaving anybody behind as we invest in 
better digital identity.
    In the wake of White House inaction, Congress can help to drive 
progress. Last year a bipartisan bill that is based on our Policy 
Blueprint--the Improving Digital Identity Act--cleared the House 
Oversight Committee and the Senate Homeland Security and Governmental 
Affairs Committee (HSGAC), but came up just short of passage. That bill 
has been reintroduced in the Senate and passed the HSGAC in March, and 
is currently awaiting further action. As currently drafted, it falls 
under the jurisdiction of the House Oversight Committee and not the 
Homeland Security Committee, but the bill was sponsored by Democrats 
and Republicans on this committee--former Ranking Member John Katko and 
former Congressman Jim Langevin were original authors of the bill--and 
we'd love to explore ways this committee might be able to drive action 
forward.
    Thank you for the opportunity to testify today. Note that I have 
submitted a copy of the Coalition's Policy Blueprint \3\ for the record 
to augment this testimony; I look forward to answering your questions.
---------------------------------------------------------------------------
    \3\ The Blueprint can be found at https://www.betteridentity.org/s/
Better_Identity_- CoalitionBlueprint-July2018.pdf.

    Mr. Gimenez. Thank you, Mr. Grant.
    I now recognize Hal Wiediger for 5 minutes to summarize his 
opening statement.

   STATEMENT OF HAL WIEDIGER, SENIOR VICE PRESIDENT, CLIENT 
       SUCCESS, IDENTITY & SECURITY NORTH AMERICA, IDEMIA

    Mr. Wiediger. Thank you, Chairman Gimenez and Ranking 
Member Thanedar, for inviting me to this important topic for--
to testify today.
    IDEMIA is on a mission to unlock the world and make it 
safer. IDEMIA provides unique technologies, underpinned by 
long-standing expertise in biometrics, cryptography, data 
analytics, systems, and smart devices that secure billions of 
transactions.
    With 15,000 employees, IDEMIA is trusted by over 600 
governmental organizations, and more than 2,300 enterprises 
spread over 180 countries with an impactful, ethical, and 
socially responsible approach.
    For more than 60 years, IDEMIA has been a trusted partner 
of Government agencies, offering unmatched expertise in 
identity management. We have produced over 1 billion driver's 
licenses in the United States and currently produce driver's 
licenses for 34 States and mobile driver's licenses for 5 
States.
    Additionally, the Transportation Security Administration 
relies on our Credential Authentication Technology, CAT, to 
authenticate and verify and identify millions of travelers 
every day.
    Identity verification is a critical part of the security 
mission of TSA. Our CAT machine helps TSA validate a 
passenger's identity, and provide real-time security data on a 
passenger's vetting status. The newest iteration of this 
technology will enable the use of digital IDs and facial match 
to further increase the security effectiveness of identity 
validation processes.
    As TSA implements the REAL ID mandate, the CAT machine will 
let the officer know if a REAL ID is counterfeit. Digital 
identity solutions provide consumers with unlimited benefits. 
Digital IDs are here today and will be increasingly relied upon 
in the future. Driver's licenses, passports, and other 
credentials can be accessible on our mobile devices, much like 
your credit cards today. This innovation fundamentally changes 
the identity security market, enhancing security and improving 
the customer experience, providing consumers with ultimate 
control over their identity.
    Digital IDs are derived from physical ID and the fidelity 
of the information is tied to how robust the initial proving 
process for the physical ID was. For example, a customer with a 
REAL ID-compliant physical credential has proven both their 
identity and their legal presence in the United States. A 
digital ID derived from a REAL ID-compliant physical credential 
provides the consumer with a digital document that enables them 
to verify both their identity and their legal presence in the 
United States.
    Unlike a physical ID, which can be lost, used by an 
imposter, or presented even if it has been revoked, a digital 
ID can only be unlocked and used by the individual to whom it 
was issued if the issuer allows it to be accessed, 
significantly reducing opportunities for fraud and ensuring 
only you can authorize the use and validation of your identity 
information.
    The use cases for this innovative technology provide 
significant consumer benefits, making it easier for disaster 
victims to file claims, preventing fraudulent transactions, 
enabling customers with accessibility challenges to enroll for 
important services wherever they are, faster provisioning of 
public aid to services to citizens, or creating a frictionless 
experience for travelers. Consumer demand and convenience will 
force ID verification to be digital. Digital identity solutions 
are secure, enhance privacy, and meet robust global standards.
    Like many tools and technology innovations, our technology 
is safe because we and our customers adhere to the highest 
ethical privacy and accuracy standards. We demonstrate our 
leadership and commitment by regularly taking part in tests by 
the National Institute for Standards and Technology, NIST, to 
check how our technology platforms and assess its accuracy to 
ensure it is safe, secure, and accurate.
    The test results confirm IDEMIA's long-standing expertise 
and demonstrate how advanced our technology is, giving us and 
our customers confidence that they are using proven technology 
that has been tested to ensure both accuracy and fairness.
    However, we also have a role to play in determining who we 
sell our technology to and how our technology is used. Any tool 
in the wrong hands can cause harm. We ensure that our customers 
respect using our technology in a way that aligns with our 
values and makes it safe and easier for people to prove their 
identity in a secure manner that also enhances privacy 
protection.
    For society to unlock this potential, we need a legal and 
regulatory framework that ensures responsible use while also 
enabling and supporting continuous innovations and society 
benefits.
    In closing, we're grateful to work with the fantastic 
partners like the Department of Homeland Security, the 
Transportation Security Administration, the American 
Association of Motor Vehicle Administrators, and advocacy 
groups like The Better Identity Coalition and the American 
Civil Liberties Union.
    Thank you for inviting IDEMIA to engage in this important 
discussion today. We look forward to your questions and 
appreciate an open dialog to discuss digital identity solutions 
and the important benefits they provide society.
    [The prepared statement of Mr. Wiediger follows:]
                       Statement of Hal Wiediger
                            December 5, 2023
                              Introduction
    Thank you, Chairman Gimenez and Ranking Member Thanedar, for 
inviting me to testify today on this important topic. IDEMIA is on a 
mission to unlock the world and make it safer. Backed by innovative 
R&D, IDEMIA provides unique technologies, underpinned by long-standing 
expertise in biometrics, cryptography, data analytics, systems, and 
smart devices that secure billions of interactions around the world. 
With 15,000 employees, IDEMIA is trusted by over 600 governmental 
organizations and more than 2,300 enterprises spread over 180 
countries, with an impactful, ethical, and socially responsible 
approach.
    For more than 60 years, IDEMIA has been a trusted partner of 
Government agencies--offering unmatched expertise in identity 
management. We have produced over 1 billion driver's licenses in the 
United States, and currently produce driver's licenses for 34 States, 
and mobile driver's licenses for 5 States. Additionally, the 
Transportation Security Administration relies on our Credential 
Authentication Technology (CAT) to authenticate and verify the identity 
of millions of travelers every day.
Digital Identity Solutions Provide Consumers with Unlimited Benefits
    Digital IDs are already here, and their issuance and adoption will 
only increase in the future. Driver's licenses, passports, and other 
credentials are now accessible on our mobile devices, much like credit 
cards are today. This innovation fundamentally changes the identity 
security market, simultaneously enhancing security and improving the 
customer experience--providing consumers with ultimate control over 
their identity. Digital IDs are derived from a physical credential, and 
the fidelity of information is tied to how robust the initial proofing 
process for the physical credential was.
    For example, a customer with a REAL ID-compliant physical 
credential has proven both their identity and their legal presence in 
the United States. A Digital ID derived from a REAL ID-compliant 
physical credential provides the consumer with a digital document that 
enables them to verify both their identity and their legal presence in 
the United States. Unlike a physical ID which can be lost, used by an 
imposter, or presented even if it has been revoked, a digital ID can 
only be unlocked and used by the individual to whom it was issued, and 
if the issuer allows it to be accessed, significantly reducing 
opportunities for fraud, and ensuring only you can authorize the use 
and validation of your identity information.
    The use cases for this innovative technology are endless and 
provide significant consumer benefits--making it easier for disaster 
victims to file claims, preventing fraudulent transactions, enabling 
customers with accessibility challenges to enroll for important 
services from wherever they are, faster provisioning of public aid and 
services to citizens, or creating a frictionless experience for 
travelers. Consumer demand will force ID verification to be digital 
where it is physical and in-person today.
Digital Identity Solutions Are Secure, Enhance Privacy, and Meet Robust 
        National and International Standards
    Like many tools and technological innovations, our technology is 
safe because we and our customers adhere to the highest ethical, 
privacy, and accuracy standards. We demonstrate our leadership and 
commitment by regularly taking part in tests by the National Institute 
for Standards & Technology (NIST) to check how our technology performs 
and assess its accuracy to ensure it is safe, secure, and effective. 
The test results confirm IDEMIA's long-standing expertise and 
demonstrate how advanced our technology is. This third-party validation 
gives us and our customers confidence that they are using proven 
technology that has been tested to ensure both accuracy and fairness.
    However, we as a company also have a role to play in determining 
who we sell our technology to and how our technology is used. Any tool 
in the wrong hands can cause harm, and we are very selective to ensure 
that our customers are using our technology in a way that aligns with 
our values and mission to unlock the world and make it safer and easier 
for people to navigate the physical and digital worlds in total 
security. For society to unlock all this potential, we need to ensure 
that we create a legal and regulatory framework that ensures 
responsible use, while also enabling and supporting continuous 
innovation and societal benefits. We are grateful to have fantastic 
partners like the American Association of Motor Vehicle Administrators 
(AAMVA), and advocacy groups like the Better Identity Coalition and the 
American Civil Liberties Union.
                                Closing
    Thank you for inviting IDEMIA to engage in this important 
discussion today. We look forward to your questions and appreciate an 
open dialog to discuss digital identity solutions and the important 
benefits they provide to society.

    Mr. Gimenez. Thanks, Mr. Wiediger.
    I now recognize Mr. Stanley for 5 minutes to summarize his 
opening statement.

   STATEMENT OF JAY STANLEY, SENIOR POLICY ANALYST, SPEECH, 
PRIVACY, AND TECHNOLOGY PROJECT, AMERICAN CIVIL LIBERTIES UNION

    Mr. Stanley. Chairman Gimenez, Ranking Member Thanedar, and 
Members of the subcommittee, thank you for inviting me to 
testify today. Thank you for your attention to the emerging 
issues around digital IDs.
    Let me start by saying that our immediate concern is that 
the TSA is pushing ahead with a set of digital ID standards 
that aren't ready for prime time. If we are to have a digital 
ID system, it's vital that we take the time to do it right.
    The TSA proposes to incorporate into U.S. regulations an 
MDL standard set by the international standards body, the ISO. 
That standard, which allows for centralized tracking of how we 
use our IDs, was created behind closed doors by a secretive, 
international committee made up of Government agencies, tech 
giants, and for all we know, the Chinese and Russian 
Governments.
    We don't know because, when we ask the ISO for the list of 
who was in the group that wrote this standard, they refuse to 
disclose it. The standard is not even available to the public 
without paying thousands of dollars. That is no way to make 
policy in a democracy on something that will affect us all, as 
Mr. Grant said, will be a piece of our critical infrastructure.
    We're concerned that the TSA appears to be working 
extremely closely with one company, Apple, even for mysterious 
reasons signing over to Apple the agency's patents governing 
the operation of its airport digital ID checkpoints.
    It's also unclear that the TSA has the authority for its 
proposed digital ID plan, and there are larger questions about 
why the TSA with its relatively narrow mission has been 
positioned to determine the shape of the Nation's identity 
system.
    The TSA is pursuing an initiative not important to its 
mission, but that will have wide-spread spillover effects on 
American society. Let me flesh this out by making three overall 
points:
    First, a digital identity system would have far-reaching 
consequences. The idea might sound simple, but the creation of 
a digital ID, especially one that could be used over the 
internet, would be a turning point that could have enormously 
harmful effects. Once it starts to become easy to share your ID 
with the press of a button, the danger is that we start getting 
identity demands from all quarters.
    Want to enter a 7-Eleven? Scan your ID. Want to browse a 
clothing store? Scan your ID. Buy a cup of coffee, park your 
car, scan your ID.
    If we get a digital ID that can be used on-line, we may 
wake one day and find, if you want to watch a video or log on 
to social media or look at a news site, we get a demand to, 
quote, press a button and send us your driver's license.
    There's already far too much tracking that takes place of 
us on-line and polls show that Americans are very uncomfortable 
with it, but that tracking is far from perfect. A digital ID 
could make it inescapable.
    A digital ID system, if not built carefully, could send a 
report back to the Government every time you show your ID, a 
record of every bar, club, casino, bank, and doctor's office 
visits and, once it goes on-line, every website and on-line 
service you use, too. The ISO standard permits this.
    The second point I would like to make is that any digital 
ID system must come with safeguards. If we are to have a 
digital ID, on a technical level, the system should have 
privacy built in. We need legal safeguards. For example, we 
need to make sure that police officers do not and cannot access 
our phones during ID checks. We need protections to make sure 
we aren't swamped by identification demands at every turn. We 
need to ensure that a digital ID remains optional.
    My third point is that we need to take the time to do this 
right. If we must have a digital ID system, we can design one 
that makes use of the newest innovations in technology to 
protect our privacy, while at the same time, making legitimate 
ID requests easier and more secure. There's an enormous amount 
of innovation, invention, and discussion still under way around 
identity and encryption technologies, but there are still many 
missing pieces that need to be worked out.
    We are at a formative moment. It would be a pity to find 
ourselves locked into a suboptimal standard, an ID system, the 
way we're stuck with our QWERTY keyboards where the keys are 
intentionally placed to slow down typists because early 
typewriters jammed easily.
    There's no hurry here. Digital IDs are not going to speed 
people through airline security. ID checking is not the 
bottleneck, and it won't free people from having to carry their 
physical ID cards. The TSA warns on its website, quote, ``You 
must still carry your physical ID.''
    Nor is there any popular clamor for digital IDs from 
residents of the State. Those that have rolled out digital ID 
have not had substantial public sign-on except where people 
have been forced to use them. Digital IDs are being driven by 
vendors and other corporations, not by any public excitement 
about the technology.
    So again, to summarize, my three points are that a digital 
identity system could have profound consequences, could become 
a major piece of our public, critical infrastructure, and it 
needs technological and legal safeguards, and we need to take 
the time to do this right. It's too big to leave to the 
Nation's Departments of Motor Vehicles. It's too big to leave 
to the TSA. It will become a significant thing.
    Thank you very much. I look forward to your questions.
    [The prepared statement of Mr. Stanley follows:]
                   Prepared Statement of Jay Stanley
    Chairman Gimenez, Ranking Member Thanedar, and Members of the 
subcommittee: thank you for your attention to the emerging issues 
around next-generation identity proofing and thank you for inviting me 
to testify today. I would like to focus on one component of this still-
developing ecosystem: digital IDs and the Transportation Security 
Administration's role in setting applicable Government-wide standards. 
I will touch on three dimensions of digital IDs and TSA's related work: 
the risks to security, privacy, and equal opportunity; necessary 
safeguards; and the importance of the TSA slowing down adoption of 
digital driver's license standards to address those risks and 
corresponding safeguards.
    We believe that a digital identity system could have far-reaching 
consequences for people's privacy and other civil liberties, 
potentially leading to an explosion in identification demands. A 
digital identity system could allow for new ways of tracking us, and 
further disadvantage those who don't use the technology. Any such 
system, therefore, must be accompanied by careful technological and 
legal protections.
    If we are to have a digital ID system, it's vital that we take the 
time to do it right. There is a lot of innovation under way in the 
digital identity space, including when it comes to privacy protection. 
The TSA proposes to adopt a ``mobile driver's license'' standard set by 
the International Organization for Standardization (ISO)--a standard 
that was created behind closed doors by a secretive committee at the 
ISO that, so far as we can tell, was made up of representatives of U.S. 
security agencies like DHS, tech giants, and authoritarian governments. 
This ISO standard is inadequate and incomplete when it comes to the 
protection of our privacy.\1\
---------------------------------------------------------------------------
    \1\ See Jay Stanley, ``Identity Crisis: What Digital Driver's 
Licenses Could Mean for Privacy, Equity, and Freedom,'' American Civil 
Liberties Union (May 2021), https://www.aclu.org/sites/default/files/field_document/20210913-digitallicense.pdf.
---------------------------------------------------------------------------
    In particular, it is vital that any digital ID system this Nation 
adopts be based on open, non-proprietary standards. We are concerned 
that the TSA also appears to be working extremely closely with one 
company, Apple, Inc., even signing over to Apple the agency's patents 
governing the operation of its airport mobile drivers' license 
checkpoints.\2\
---------------------------------------------------------------------------
    \2\ See Jason Mikula, ``Apple's Homeland Security Deal Yields 
Checkpoint, KYC, Voter ID Patents, Documents Suggest,'' Fintech 
Business Weekly (Sept. 11, 2022), https://fintechbusinessweekly.substack.com/p/apples-homeland-security-deal-yields.
---------------------------------------------------------------------------
    It's also unclear that the TSA has the authority to issue interim 
compliance waivers for digital IDs, as the agency proposes to do in its 
August Notice of Proposed Rulemaking.\3\ There are also larger 
questions about why the TSA, with its relatively narrow mission, has 
been positioned to determine the shape of an identity system that will 
affect all of the Federal Government, and indeed all of U.S. society.
---------------------------------------------------------------------------
    \3\ Minimum Standards for Driver's Licenses and Identification 
Cards Acceptable by Federal Agencies for Official Purposes; Waiver for 
Mobile Driver's Licenses, 88 Fed. Reg. 60056, 60072 (proposed Aug. 30, 
2023).
---------------------------------------------------------------------------
    I. A Digital Version of Our ID Might Sound Simple but Would Have
                       Far-Reaching Consequences
    A movement is under way to create a digital identity system that 
would allow people to carry their ID on their phones or on digital 
smart cards and, eventually, use them over the internet. That might 
sound handy at first blush, but it would not be as simple as it might 
sound. The creation of a digital ID--especially one that could be used 
over the internet--would be a turning point that could have enormously 
harmful effects on our privacy, on the right to anonymous speech, on 
financial access, and more. The adoption of any such system must be 
approached with great care and deliberation, and accompanied by both 
technological and legal protections against the negative side effects 
the creation of a digital ID is likely to have.
    The current discussion centers largely around digital versions of 
people's plastic driver's licenses that can be used for in-person 
presentations such as at TSA checkpoints, known as ``mobile drivers' 
licenses.'' But the real game for big tech companies and Government 
agencies is a digital ID that can be used on-line, and while the former 
is not without potentially significant ramifications, it is the on-line 
digital ID that will be a real game-changer. Since the dawn of the 
internet, on-line speech and activity has been relatively anonymous, 
and much policy discussion in the past three decades has centered on 
questions of whether, when, and how to verify identities on-line. Those 
questions--and their answers--would be fundamentally altered by the 
development of an easily presentable and ubiquitous digital ID. The 
possibility that our digital IDs would be required to access not just 
on-line governmental services but also social media platforms, news 
sites, and digital services is reason for great caution in this space. 
As I will touch on soon, the future of digital IDs and the future of 
these questions can very much be shaped by Congress and the TSA.
    Some say a digital ID is inevitable. We don't know whether that's 
true. There do seem to be a lot of forces gathering to make it happen, 
including big banks, tech companies, and other on-line advertisers. 
Digital driver's licenses currently being adopted in a number of States 
are based on a standard created by the International Standards 
Organization (ISO)--and that organization is currently working to 
expand the standard to cover on-line, at-a-distance ID presentations. 
Even if another standard is adopted instead, it is likely that we will 
see a continued push for an ID that can be used on-line. Some of these 
institutions just want to make existing verification systems easier, 
while others likely would love to use a digital identity system to 
track people. If a digital ID system does come about, we do know that 
this new infrastructure will have a lot of unanticipated consequences, 
as is always the case with a major new technological and identity 
infrastructure, going back to the Social Security card created in the 
1930's.
    Some of those consequences, however, we can anticipate. Negative 
side effects that a digital ID would predictably create include:
a. An explosion in demands that we prove our identity
    A digital ID would make it much easier to present one's full, 
cryptographically-signed, DMV-vetted proof of identity. That also means 
it will become much easier for all manner of stores and on-line sites 
to request or demand proof of identity, since it wouldn't be a big ask. 
A digital ID could create a world where we get asked for ID at every 
turn. Want to enter a 7/11? Scan your ID. Want to enter a national 
park? Scan your ID. Want to browse a clothing store, buy a cup of 
coffee, or park your car? Scan your ID.
    And that dynamic becomes even more intense once it's extended to 
the internet, where every web site and service demands not just an 
email address, but your full, DMV-vetted ID. We already live in a 
digital ecosystem that goes to great lengths to connect our on-line and 
off-line activity to key identifiers. If not properly guarded, digital 
IDs may simply facilitate that effort. We may wake up one day and find 
that overnight, if we want to watch a YouTube video, or log on to 
social media, or look at a news site, we are asked to ``press a button 
and send us your driver's license.''
    A powerful Big Tech motivation for that is likely to be marketing. 
As some other techniques for tracking people on-line, such as cookies, 
lose their utility, companies are hungry for alternate ways of 
identifying people so they can collect reliable personal data for 
advertising, have a reliable unique identifier so they can track us 
across different sites, and increase the value of the data they 
collect.\4\ Other motivations are likely to be cybersecurity (``We need 
to know who is on our site in case they turn out to be a bad actor''), 
enforcement (``We need to make sure you aren't someone we've previously 
banned due to violations of our terms of service''), and age 
verification (``For our legal due diligence, we need to know you're 
over 13 or we can't market to you'').\5\
---------------------------------------------------------------------------
    \4\ The loss of utility comes from several sources, including the 
``death of tracking cookies,'' the influence of E.U. privacy law, and 
changes to the operating system on Apple's phones, which limit 
advertisers from accessing an iPhone user identifier. Google has also 
moved toward limiting the tracking technology in its Chrome browser and 
in the Android phone operating system. See Owen Ray, ``Tracking Cookies 
are Dead: What Marketers Can Do About It,'' Invoca Blog (Oct. 2, 2023), 
https://www.invoca.com/blog/tracking-cookies-are-dead-what-marketers-
can-do-about-it; Brian Chen, ``To Be Tracked or Not? Apple Is Now 
Giving Us the Choice,'' The New York Times (April 16, 2021), https://
www.nytimes.com/2021/04/26/technology/personaltech/apple-app-tracking-
transparency.html; Brian Chen and Daisuke Wakabayashi, ``You're Still 
Being Tracked on the Internet, Just in a Different Way,'' The New York 
Times (April 6, 2022), https://www.nytimes.com/2022/04/06/technology/
online-tracking-privacy.html.
    \5\ The Children's Online Privacy Protection Act bars the on-line 
collection of personal information from children under 13 without 
parental permission. 15 U.S.C. § 6502.
---------------------------------------------------------------------------
    Without protections in place, any digital ID that emerges that can 
be used on-line is likely to lead to an explosion in on-line identity 
demands. The ease and convenience of using a pre-built, Government-
sanctioned identity proofing as a single sign-on method is likely to 
prove game-changing. Currently people have the flexibility to offer 
different log-in information for different accounts. Depending on how 
much we trust a web site, we can use different email addresses, 
different login handles, and real or fake names and other data. This 
flexibility empowers individuals. It allows us to choose when we wish 
to reveal our identity, and when we want to remain anonymous or 
pseudonymous. To provide your real identity is to enter a lifetime 
relationship with a company or web site--they will always be able to 
find you. People don't always want that.
    These kinds of dynamics could lead us toward a ``checkpoint 
society'' where an increasingly dense net of identity checkpoints and 
access controls is woven throughout American life, on-line and off-. It 
could also become impossible to do anything without proving your 
identity. That would mean a significant loss not only of privacy, but 
also an erosion of Americans' ability to engage in anonymous speech. 
Anonymous speech has been an important American tradition since the 
Nation's founding--the Federalist Papers and many pro-revolutionary 
pamphlets were written anonymously, for example--and it brings many 
benefits, including the ability to speak truth to power, to freely 
associate and exchange ideas, and to seek support on-line for 
conditions and experiences that many find shameful to disclose.\6\
---------------------------------------------------------------------------
    \6\ McIntyre v. Ohio Elections Commission (1995) (anonymous 
election- and issue-related leaflets); Talley v. California, 362 U.S. 
60 (1960) (anonymous handbills).
---------------------------------------------------------------------------
    Verification of a person's real identity is currently difficult, 
cumbersome, and expensive, and as a result is not usually asked of 
customers unless absolutely necessary. Once we create a way of proving 
our identity that is quick and easy, demands will proliferate.
b. Centralized tracking of presentations
    Another danger posed by a digital ID is that, depending on how an 
ID system is architected, it could allow people's presentations of 
their ID to be tracked. When I present my plastic driver's license at a 
wine store to prove I'm over 21, generally, no record of that 
interaction is created, and it remains between me and the clerk.\7\ 
Digital technology, however, magnifies the potential for those 
presentations to be recorded, reported, and tracked.
---------------------------------------------------------------------------
    \7\ See Heather Brown, ``What Do Driver's License Scanners Do With 
Our Information?'', WCCO (Mar. 3, 2022), https://www.cbsnews.com/
minnesota/news/drivers-license-scanners; Dana Fowle, ``Retailers 
Scanning Drivers Licenses Raises Privacy Issues,'' Fox 5 Atlanta (Jan. 
21, 2022), https://www.fox5atlanta.com/news/retailers-scanning-drivers-
licenses-raises-privacy-issues.
---------------------------------------------------------------------------
    In digital identity systems that permit such tracking, information 
could be gathered by the issuer (in the case of digital driver's 
licenses, that would be motor vehicle departments or the contractors 
that they hire) about every bar, club, casino, office lobby, bank, 
pharmacy, doctor's office, sporting arena, concert venue, and airport 
that an ID holder visits; every convenience store beer purchase, 
equipment rental, or hotel check-in; any applications for social 
services; and any other circumstance in which they may be asked to show 
an ID. And again, if a digital identity system starts being used on-
line, that list could grow exponentially to cover the websites and on-
line services a person uses. Digital IDs would also make it trivial for 
those stores, bars, banks, and other establishments to tie every 
transaction to your real identity and monetize that data, unless 
Congress provides meaningful safeguards.
    The ISO standard that the TSA proposes to embrace allows for 
systems in which the verifier (such as a liquor store or web site) 
electronically pings the ID issuer to confirm that the ID is valid. 
That ``server retrieval'' method gives the ID issuer a variety of data 
that can give them a bird's-eye view of when, where, and to whom a 
person is presenting their ID. The ISO standard also permits off-line 
verifications, which unlike remote over-the-internet verifications 
don't require the verifier to connect to the issuer or any other third 
party when doing an ID verification.\8\ This is how any digital 
identity system should work, but we are concerned that some States may 
use the server retrieval method, thereby creating an infrastructure 
that allows for the tracking of ID holders.
---------------------------------------------------------------------------
    \8\ The verifier will need to periodically download verifiers' 
public encryption key, which is used to cryptographically verify that 
the digital ID has been digitally signed by the DMV or other issuing 
party and has not been altered.
---------------------------------------------------------------------------
    Some digital ID systems, such as the ISO standard, may also provide 
for IDs that ``phone home'' to their issuers at regular intervals. This 
also threatens to invade identity holders' privacy by providing the 
issuer with information about the holder such as their IP address, 
which can reveal location and other information.
c. Further disadvantaging those without technology
    If digital IDs become mandatory, either legally or practically, it 
could also have significant implications for equity and the ``digital 
divide'' by disadvantaging those who don't have a smartphone or other 
necessary devices. That is a surprisingly large group of people, 
including many from our most vulnerable communities. Studies have found 
that more than 40 percent of people over 65 and 25 percent of people 
who make less than $30,000 a year do not own a smartphone.\9\ People 
with disabilities are 16 percent less likely to own a smartphone, and 
many who are homeless also lack access.\10\ Some may lack the resources 
to afford a smartphone and mobile data access, while others spurn 
smartphones to protect their privacy or because they just don't see the 
need. In other cases, a single phone may be shared among family 
members.
---------------------------------------------------------------------------
    \9\ See ``Mobile Fact Sheet,'' Pew Research Center (April 7, 2021), 
https://www.pewresearch.org/internet/fact-sheet/mobile/.
    \10\ See Andrew Perrin and Sara Atske, ``Americans with 
disabilities less likely than those without to own some digital 
devices,'' Pew Research Center (Sept. 10, 2021), https://
www.pewresearch.org/short-reads/2021/09/10/americans-with-disabilities-
less-likely-than-those-without-to-own-some-digital-devices/.
---------------------------------------------------------------------------
    To worsen inequality, digital IDs need not become legally mandated, 
just practically required. There's no law that says anybody has to get 
a credit card or driver's license, but it's hard to participate fully 
in society without one, and those who lack them suffer significant 
disadvantages in today's world. If digital credentials become similarly 
practically required, the effects would be even worse. This is why we 
have called for a ``right to paper'' (see below).
            II. Any Digital ID System Must Offer Safeguards
    If we are to have a digital ID, we need to make sure we build it in 
a way so that it does not become an infrastructure that allows us to be 
tracked and regimented in new ways. That means building both technical 
and legal safeguards that protect our privacy and guard against 
overuse.
a. Technological safeguards
    The technological protections that should be incorporated into a 
digital ID include (but are not limited to):
   No tracking.--A system must not allow ID issuers visibility 
        into where and when an ID is presented to a verifier, as 
        discussed above.
   Holder control.--An ID holder--the individual to whom the ID 
        belongs--should have technological control over what data they 
        reveal to a verifier, allowing them to reveal some fields of 
        data and not others, and to reveal characteristics such as 
        ``over age 21'' without revealing details of the holder's date of 
        birth, or ``resident of county'' without revealing their 
        address. This is one area where a digital ID can have 
        advantages for privacy over a physical ID, and that advantage 
        should be made use of.
   Unlinkable presentations.--When the holder presents their 
        digital credentials, the verifier should be unable to link that 
        presentation with others from the same holder. For example, the 
        verifier should not be able to tell that the ``over 21'' person 
        buying a case of beer today is the same person who bought a 
        bottle of wine last week. This limits the ability of any 
        verifier (or their vendors) to assemble a map of data about who 
        does what where.
   Verifier transparency.--An ID holder should have 
        transparency into who is requesting identifying or 
        authenticating information, their authority for making that 
        request, what the specific circumstances and purpose of the 
        request are, what information is and has been transmitted, and 
        if that transmission involves third parties.
   Open not proprietary.--If the United States is to adopt a 
        digital ID, it's also vital that that ID be open and free of 
        proprietary corporate strings. There must be no one 
        corporation, or small handful of corporations, that Americans 
        are de facto required to deal with in order to participate in a 
        digital identity system. The system must be clearly documented 
        and open enough that it is possible for any party with the 
        relevant skills to build an interoperable digital wallet that 
        any legitimate ID holder can use or an interoperable verifier 
        tool that any legitimate verifier can use. No system that our 
        society depends upon should be built on proprietary 
        specifications, proprietary hardware, or patent-encumbered 
        technology.
b. Legal safeguards
    In addition to technical protections built into digital IDs, 
Congress should consider establishing legal safeguards to protect 
individuals from surveillance and Governmental incursions:
   No police access to phones.--By placing people's mobile 
        phones at the center of law enforcement driver's license 
        checks, a digital identity system raises the risk that police 
        officers will gain warrantless access to people's phones, a 
        potentially severe violation of privacy. No one seems to be 
        contemplating a system that as a technological matter requires 
        people to hand over their phones, but that is not enough. Many 
        people, especially vulnerable people such as the elderly, 
        immigrants, and members of marginalized communities, may not 
        feel able to decline a police request to hand over or unlock 
        their phone. Despite a crystal-clear Constitutional requirement 
        that police must obtain a warrant for smartphone searches, 
        questionable ``consent-based'' police searches of people's cell 
        phones happen thousands of times a day.\11\ A police officer's 
        request--``mind if I look at your phone?''--may make a search 
        ``voluntary'' in the eyes of the law, but few searches based on 
        such police requests are truly voluntary. That is especially 
        true for members of poor and marginalized communities. Police 
        officers should be legally prohibited from making requests for 
        ``voluntary'' taking or search of people's phones.
---------------------------------------------------------------------------
    \11\ Riley v. California, 573 U.S. 373 (2014); Logan Koepke et al., 
``Mass Extraction: The Widespread Power of U.S. Law Enforcement to 
Search Mobile Phones,'' Upturn (2020), https://www.upturn.org/work/
mass-extraction/.
---------------------------------------------------------------------------
   Protections against excessive identity demands.--As 
        discussed above, a digital identity system, by making it very 
        easy to share our ID, is likely to lead to a significant 
        expansion in the times and places where our IDs are demanded. 
        As a result, no digital identity system should be rolled out 
        without legal limits on when those engaged in commerce or other 
        regulated activities may demand that people identify 
        themselves.
   ``A right to paper''.--We believe that people should have a 
        right to obtain and use paper, plastic, or other physical 
        identity documents instead of or in addition to a digital ID. 
        The use of digital IDs should never become mandatory as a legal 
        or practical matter. Digital IDs should be accompanied by 
        policies that bar those engaged in commerce or other regulated 
        activities from refusing to accept physical IDs on a reasonably 
        equal basis.
   Protections against data collection by verifiers.--Verifiers 
        in any system of digital IDs should come with concrete legal 
        obligations to minimize collection and retention of data, with 
        appropriate consequences for violations. One tempting business 
        model for verifiers will be to offer free verification 
        terminals (for in-person use) or software (for network use) in 
        order to collect data about where and when a person is using 
        their ID. This could be for marketing, surveillance, or other 
        purposes. Even where vendors are well-intentioned, these data 
        collections are attractive targets for hackers, criminals, and 
        espionage agencies.
             III. We Need to Take the Time to Do This Right
    Because the emergence of a digital identity standard is likely to 
have significant consequences and to require development of mitigating 
policies such as those we outline above, it is important that the 
United States take care to minimize the negative impacts a digital ID 
would have. That will take some time.
a. A lot of work is still under way on ID standards and technology
    The standards and technologies we need to build an identity system 
that protects the interests of ordinary people including privacy are 
not yet ripe. There is an enormous amount of innovation, invention, and 
discussion still under way with regards to this technology and to 
encryption technologies that can allow us to protect privacy even while 
retaining many useful functions of an ID card.
    As the TSA itself has pointed out, the privacy protections 
governing mobile driver's licenses are ``evolving and unsettled.''\12\ 
The ISO standards for mobile driver's licenses (currently ISO/IEC 
18013-5:2021) are currently incomplete and address only some aspects of 
a digital identity system.
---------------------------------------------------------------------------
    \12\ Minimum Standards for Driver's Licenses and Identification 
Cards Acceptable by Federal Agencies for Official Purposes; Waiver for 
Mobile Driver's Licenses, 88 Fed. Reg. 60056 (proposed Aug. 30, 2023), 
at 60072.
---------------------------------------------------------------------------
    One example is the provision in the ISO standard under which IDs 
``phone home'' to their issuers. Under a privacy-protective 
architecture, an ID holder who needs to perform a specific task such as 
an update or renewal should be in control of when and how they connect 
to the DMV (or another issuer) rather than having that built into their 
phone. These sorts of check-ins should be minimized and infrequent, 
should be doable over anonymized networks such as Tor and Apple Private 
Relay, and should be subject to strict data destruction requirements on 
any metadata gathered by the issuer or their vendor during these check-
ins. None of these considerations have been addressed, and if they were 
debated at all within the ISO the public had no role in or visibility 
into it. These are the kinds of considerations that need more mature 
development.
    Another example of the system's current immaturity is the 
implementation of unlinkable presentations, in which a verifier has no 
way of knowing that the person who is proving they're over 21 is the 
same person who proved that last week. One way to do this is with a 
stack of unique, single-use ``tickets'' (cryptographic tokens signed by 
the issuer). But there has been little if any discussion of that kind 
of functionality as part of the ISO standards process, so far as we 
know.
    Other missing components include standards governing the design of 
digital wallets and their privacy protections, protections for data 
stored on the phone, mechanisms for the ID holder to receive 
information about the legitimacy of the requester, and provisioning 
(the process States use to install a mobile drivers' license in 
people's wallets).
    Even the incomplete ISO standard that the TSA proposes to embrace 
is only one of a number of approaches to digital identity that are 
being developed around the world. Interest in digital identity systems 
has fueled the emergence of an entire community that has been working 
on the problems of on-line identity and authorization for many years, 
including privacy. That movement has created a variety of proposed 
systems, including a promising open standard created by the World Wide 
Web Consortium (W3C) called Verifiable Credentials (VCs). VCs are 
regarded as superior by many in the digital identity community, and 
should be given time to further evolve and ripen before TSA pushes a 
standard that is likely to become locked in. Simply put, people are 
still figuring things out.
    That is also true when it comes to the field of privacy-enhancing 
cryptography, which is advancing quickly with a great deal of creative 
research that promises to allow us to ``have our cake and eat it too'' 
when it comes to privacy and security across a wide variety of 
applications. For example, a privacy-enhancing technology called ``zero 
knowledge proofs'' allows people to prove they know certain things 
without revealing what those are--a technique that is still in the 
process of being applied in new areas.\13\ As a Federal Reserve Board 
report put it, privacy-enhancing technologies remain ``an emerging 
category of tools.''\14\
---------------------------------------------------------------------------
    \13\ See Jay Stanley, ``Paths Toward an Acceptable Public Digital 
Currency,'' American Civil Liberties Union (March 3, 2023), https://
www.aclu.org/sites/default/files/field_document/
cbdc_white_paper_0882_0.pdf (on encryption tools in digital payments); 
Jay Stanley and Daniel Kahn Gillmor, ``New Mobile Phone Service Shows 
We Can Have Both Privacy and Nice Things,'' American Civil Liberties 
Union (February 15, 2023), https://www.aclu.org/news/privacy-
technology/new-mobile-phone-service-shows-we-can-have-both-privacy-and-
nice-things (on the use of privacy-enhancing technologies in a 
telephone network).
    \14\ See Kaitlin Asrow and Spiro Samonas, ``Privacy Enhancing 
Technologies: Categories, Use Cases, and Considerations,'' Federal 
Reserve Bank of San Francisco (June 1, 2021), https://www.frbsf.org/
banking/wp-content/uploads/sites/5/Privacy-Enhancing-
Technologies_FINAL_V2_TOC-Update.pdf.
---------------------------------------------------------------------------
b. Any standard that emerges is likely to become ``locked in''
    We need to be extremely careful about the details of any digital 
identity system we adopt, because it's going to need to be 
interoperable across all the States, and potentially across the world. 
It will likely be adopted by Federal agencies, companies, and small 
businesses across the Nation. Therefore, once put in place, it is going 
to be very difficult to change.
    It would be a pity to find ourselves locked into a sub-standard ID 
system that doesn't make use of the newest innovations in technology, 
the way we're locked into our QWERTY keyboard standard, where the keys 
are intentionally placed to slow down typists because early typewriters 
jammed easily. Yet that is what is in danger of happening.
   IV. There Is No Need for the TSA to Rush a Digital ID System Into 
                               Operation
    The TSA's rapid movement toward setting standards (even supposedly 
interim ones) for State digital driver's licenses is premature and 
unnecessary, and threatens to create just the kind of lock-in of a 
substandard system that we should seek to avoid.
a. The Federal Government has the power to rapidly standardize a 
        digital ID system
    Whatever rules the TSA comes up with for Federally-compliant 
digital IDs will force the States to comply and are likely to govern 
what the Nation ends up with. Requirements and standards that the TSA 
sets for Federal acceptance of digital identification are going to 
force States' departments of motor vehicles to meet those requirements. 
The Nation's DMVs, in turn, put credentials in the pockets and purses 
of most Americans, an enormous power that could stifle efforts to 
create other, superior ID systems. While it's possible that 
alternative, parallel, competing identity systems emerge and find broad 
acceptance--which would be a good thing--it's likely that the driver's 
license will continue to remain the primary ID that Americans use when 
asked to prove their identity, age, or residency.
b. TSA is adopting standards that are not optimal
    The TSA proposes to adopt an ISO ``mobile driver's license'' 
standard that was created behind closed doors by a secretive committee 
at the ISO that, so far as we can tell, was made up of representatives 
of U.S. security agencies like DHS, tech giants, and authoritarian 
governments. This ISO standard would allow for IDs that ``phone home'' 
to the DMV (or its corporate contractor), and allow tracking of where, 
when, and to whom an ID holder is showing their ID. As discussed above, 
it is also incomplete.\15\
---------------------------------------------------------------------------
    \15\ See Jay Stanley, ``Identity Crisis: What Digital Driver's 
Licenses Could Mean for Privacy, Equity, and Freedom,'' American Civil 
Liberties Union (May 2021), https://www.aclu.org/sites/default/files/
field_document/20210913-digitallicense.pdf.
---------------------------------------------------------------------------
    The TSA also appears to be working extremely closely with Apple, 
Inc. Documents obtained by journalist Jason Mikula reveal that the TSA 
has entered into contracts that appear to give Apple significant power 
over the implementation of mobile drivers' license checkpoints. For 
puzzling and unclear reasons, the TSA even signed over to Apple the 
agency's patents governing the operation of its airport mobile drivers' 
license checkpoints.\16\
---------------------------------------------------------------------------
    \16\ See Jason Mikula, ``Apple's Homeland Security Deal Yields 
Checkpoint, KYC, Voter ID Patents, Documents Suggest,'' Fintech 
Business Weekly (Sept. 11, 2022), https://
fintechbusinessweekly.substack.com/p/apples-homeland-security-deal-
yields.
---------------------------------------------------------------------------
c. There's no hurry for the TSA
    Any increased use of digital driver's licenses won't speed people 
through airline security--ID checking is not the bottleneck--and it 
won't free people from having to carry their physical ID cards, since, 
as the TSA warns, ``You must still carry your physical ID.''\17\
---------------------------------------------------------------------------
    \17\ See ``Biometric and Digital Identity Solutions For TSA 
PreCheck Members,'' Transportation Security Administration, https://
www.tsa.gov/digital-id.
---------------------------------------------------------------------------
    Nor is there a popular clamor for digital IDs from residents of the 
States. Those that have rolled out digital driver's licenses have not 
had substantial public sign-on. Alabama, for example, has had a digital 
driver's license available to residents since 2015, but it was rarely used 
even as mobile payments skyrocketed. Digital IDs are being driven by 
vendors and other corporations, eager to define digital driver's 
licenses as ``the future'' and conjure a non-existent public excitement 
about the technology.\18\
---------------------------------------------------------------------------
    \18\ See Lauren Walsh, ``Alabama's digital driver's license: What 
you need to know,'' ABC 33/40 (Oct. 8, 2018), https://abc3340.com/news/
local/alabamas-digital-drivers-license-what-you-need-to-know.
---------------------------------------------------------------------------
d. There are serious questions about the TSA's authority to dictate ID 
        standards for the whole U.S. Government
    The authority of the Department of Homeland Security to regulate 
the forms of identity that are accepted by the Federal Government stems 
from the Real ID Act of 2005 and the Real ID Modernization Act of 
2021.\19\ Those acts direct the Secretary of DHS to promulgate 
regulations specifying compliance requirements, and to certify State 
compliance therewith. Those acts do not contemplate the issuance of 
interim compliance waivers that permit the Federal acceptance of 
identity documents that are not subject to requirements created through 
the regular regulatory process, which is what the agency proposes in 
its August Notice of Proposed Rulemaking.\20\
---------------------------------------------------------------------------
    \19\ REAL ID Act of 2005, Pub. L. 109-13, div. B, title II, 
§ 202(a)(1), (c)(3), 119 Stat. 311 (2005) (codified as amended at 49 
U.S.C. § 30301 note); REAL ID Modernization Act, Pub. L. 116-260, div. 
U, title X, § 1001(b)(2)(D), 134 Stat. 2304 (2020) (codified at 49 
U.S.C. § 30301 note) (amending the REAL ID Act § 202).
    \20\ Minimum Standards for Driver's Licenses and Identification 
Cards Acceptable by Federal Agencies for Official Purposes; Waiver for 
Mobile Driver's Licenses, 88 Fed. Reg. 60056, 60072 (proposed Aug. 30, 
2023).
---------------------------------------------------------------------------
    Also questionable is DHS's decision to delegate its authority under 
these acts to its sub-agency TSA. This creates a situation, not 
contemplated by Congress, in which an agency with a narrow mandate of 
protecting the safety of aviation, and which has an interest only in 
one narrow use of identity documents (matching against airline 
tickets), is positioned to determine the shape of an identity system 
that will affect all of the Federal Government, and indeed all of U.S. 
society.
v. conclusion: this is a big decision with far-reaching ramifications, 
              and we should take the time to get it right
    The major questions about any digital identity system are whether 
it will be designed to protect privacy to the maximum extent possible, 
and whether people will be forced to participate in it. Will it be 
built to give control to people, or built to spy on people and increase 
the control of Government agencies and companies over people? Making 
somebody show ID is sometimes necessary, but it's also an act of power. 
Who should be able to require someone else to identify themselves? What 
can the requestor do with that information once they have it? What 
recourse does the identified person have if the requestor misuses the 
information? These questions should be answered before we rush into 
locking in a sub-optimal digital identity system.

    Mr. Gimenez. Thank you, Mr. Stanley.
    Members will be recognized by order of seniority for their 
5 minutes of questioning. An additional round of questioning 
may be called after all Members have been recognized.
    I now recognize myself for 5 minutes of questioning.
    I want to make it very clear that I'm not here to advocate 
for digital anything. My issue is really the fact that we have 
a standard, which is REAL ID, in order to pass a TSA checkpoint 
and that maybe 50 percent of the American public will not have 
REAL ID come March--May 7th of 2025. A digital ID doesn't solve 
the problem.
    So, Mr. Grossman, a digital motor driver's license is based 
on a driver's license issued by a State. Yet, only 5 States out 
of the 56 issuing jurisdictions that we have actually will only 
give you a REAL ID with the requirements of a REAL ID.
    So the other jurisdictions, you may get a REAL ID or think 
they may ask you to pay more to get a REAL ID and that's up to 
the individual whether they want a REAL ID or not. At the end 
of the day, whether--if it's not a REAL ID, even if it's a 
digital driver's license, it won't get you past TSA. That's 
what this committee's about. OK. So we can talk about some 
other issues.
    By the way, some of the issues you brought up, Mr. Stanley, 
are provocative. Actually, you know, some caught me, starts me 
to think. Those are outside the purview of this committee. If 
TSA is, in fact, involved in that, then, you know, I think we 
need some further hearings on what is TSA doing to set 
standards for digital ID, and why is TSA the only Government 
agency doing that. That's for another day.
    Today what I'm really thinking about: What are we going to 
do on that day when you're trying to get into the airport and 
you have 2.9 million people going through airports and 50 
percent of them can't get in, get on their plane because they 
don't have a REAL ID?
    So the push for digital IDs, is there any--Mr. Grossman, 
maybe you can answer this question. Is there a push to convert 
all of that digital ID to REAL ID, or are we going to still 
have some people have ID REAL ID, some people don't have REAL 
ID?
    Mr. Grossman. So certainly in the current State, most 
States offer that option of you can either access a REAL ID or 
have a non-REAL-ID-compliant credential. The focus of States 
right now is to continue to provide that option when they're 
providing it. Then working with TSA for the ones that are REAL 
ID-compliant, is there a way to reflect that in the mobile 
device, as well? That's the rule making that was referred to by 
other testimony.
    So the States' focus as relates to REAL ID has always been 
following the Federal guidelines. It said if you want to use 
your State-issued driver's license or identity card for Federal 
purposes, meet these standards. That's why all States have 
provided the option for their constituents to receive that 
Federally-accepted credential.
    Mr. Gimenez. Correct. But isn't it true that also some of 
these States or some of these jurisdictions will charge you 
more for that REAL ID?
    Mr. Grossman. The fees certainly do vary across the States. 
That's correct.
    Mr. Gimenez. OK. I don't know if any of you can answer this 
but I know that--you know, what percentage of the American 
public actually has a passport? That's another way to get 
through, have a REAL ID. Does anybody know the answer to how 
many--what percentage of the American public actually has a 
passport?
    Mr. Grant. I think it's a little less than half. The 
numbers surged a little after 9/11 when some of the land-border 
points required some sort of ID, but it's not something that's 
a viable alternative for at least half the country.
    Mr. Gimenez. All right. So there we go back to my original 
premise is that come that day on 2025, we will have utter chaos 
at our airports because a great number of people will not have 
the identification that is required by TSA in order to board a 
plane.
    So, what is it that we're going to do about it? 
Unfortunately, I don't think any of you really have the answer 
to that question.
    That's a question--yes, Mr. Stanley.
    Mr. Stanley. I will say that the TSA has been threatening 
chaos in airports for the last 18 years. It has been its main 
hammer to try to get recalcitrant States into line.
    You may recall, after REAL ID was passed, it was enormously 
unpopular. Over half the States passed either resolutions 
against it or laws that banned their DMVs from complying with 
it. We opposed it. We've worked with a lot of conservative 
allies and State legislators to get these. The TSA has 
consistently threatened that it's going to cause chaos in 
airports and forced State legislators to pull back on those--in 
that opposition to REAL ID.
    The TSA is engaged in a game of chicken that I don't--I 
think it's highly unlikely that TSA would actually make half 
the population of any State have to go through secondary 
screening at an airport because of the chaos that would ensue 
and I would not--and each time they set a new deadline, we say 
to people, They will probably push this back, and they always 
have so far.
    So I would be unsurprised if they don't push it back again.
    Mr. Gimenez. But that would also take Congressional action, 
right, to do that?
    Mr. Stanley. My understanding is, no, because they never 
got Congressional action the last 4 or 5 times they kept 
pushing the deadline back.
    Mr. Gimenez. Fair enough. But if it's something that was 
mandated by Congress, I think that maybe it takes--it should 
take Congressional action to push it back. So, maybe that's the 
reason why we're having this hearing so that I can educate our 
colleagues that, Hey, we have a problem looming in that we 
are--are we going to hope that TSA pushes it back or are we 
going to do something about it?
    Then if we are going to do something about it, how can we 
fix this problem? Because this problem has been going on for a 
number of years. Do we continually kick the, you know, can down 
the road?
    The testimony that I've seen opens up a whole can of other 
worms, OK, that--that maybe we, maybe not this subcommittee 
will take up. But if TSA's actually involved in those 
activities, maybe this subcommittee will take them up. So the--
my time is up for right now.
    So I recognize the Ranking Member, the gentleman from 
Michigan, Mr. Thanedar.
    Mr. Thanedar. Again, thank you, Chairman Gimenez, for 
scheduling this hearing.
    This is important. You know, I'm a scientist by training. 
I'm an innovator. I love technology, and can't wait for my 
Christmas presents hopefully with some good technology in the 
market.
    As a scientist, I recognize we need to continue to 
innovate, improve our processes, make people's lives better. 
But the question here that I raise and the concerns I have 
about using technology before it is completely baked.
    You know, I represent Michigan's 13th Congressional 
district. I represent the city of Detroit with 78 percent 
African-American population. We have seen use of facial 
technology, facial IDs. The police department has used some of 
that and seen some horror situations, people incorrectly 
identified, wrongly accused, using a technology that I'm not 
quite sure, you know, is appropriate or has been fully tested, 
that it does not have biases and discrimination against people 
of color, for example.
    So my concern here is, you know, are we rushing this so 
much that we are affecting people's privacy and rights and the 
potential, although the potential to enhance security and 
convenience of those benefits may be outweighed by the risk 
they pose to privacy.
    Mr. Stanley, what risk does it pose to privacy and people's 
civil liberties?
    Mr. Stanley. Thank you, Mr. Ranking Member.
    The face recognition is a very, very powerful biometric. In 
many ways, it's the most powerful biometric. If somebody wants 
to take your fingerprint, they can't do it unless you know that 
you're doing it, whereas if you're walking down the street, you 
can be subject to face recognition.
    We have, given the enormous number of cameras in our 
society, if we were to plug face recognition into all of them, 
it would be basically--it could come close to the same as 
putting a GPS tracker on everybody. That can reveal a lot of 
information about people.
    So, people in the privacy and civil liberties community 
have been, rightly, very wary of face recognition technology 
and it's especially--it's used before it's ready for prime 
time, which I thought you said very well, before the biases are 
worked out, or procedures are worked out and, you know, in 
police departments and the like. We have called for a 
moratorium on its use by law enforcement until we can get all 
that straight.
    Face recognition also plays a role in the identity context, 
and that's a very complicated issue, again. For example, every 
time you show a digital ID, does it transmit a digital photo of 
yourself to the person that is verifying you? Now they can--now 
they have your digital photo. Or do you self-verify to your 
phone?
    There are a lot of complex issues that need to be worked 
out around there, and I think that that is part of what makes 
the current digital identity technology immature.
    Mr. Thanedar. Thank you.
    Mr. Stanley and Mr. Grant, what recommendations do you have 
for TSA and the Federal Government for developing digital ID 
standards in a responsible manner?
    Mr. Grant. Well, from my perspective, as I mentioned in my 
opening statement, I would get this--I think TSA deserves a 
seat at the table but this is something that's much bigger than 
TSA in that the issues we're trying to deal with, particularly 
with this wave of ID-related cyber crime that we've seen and 
sort-of these new threats that are emerging there, you know, 
both to the technical side, the security side, and also the 
privacy side that you're talking about. We have other parts of 
government that are quite good at this.
    In fact, you know, this is a place where it would be great 
to see NIST, the National Institute for Standards and 
Technology, be directed to play a bigger role.
    You know, I think one thing Jay and I agree on is that we 
need to get this right. I'm saying go fast. He's saying go 
slow. But at least from our perspective, let's get this to the 
experts, you know, within the digital identity team at NIST, at 
the privacy engineering team at NIST, you know. Give them a 
time box deadline, say, a year, to try and actually bring the 
right stakeholders together and get this figured out.
    We actually know how to do this. In fact, I say a lot of 
the technologies that, perhaps, we would have dreamed of a few 
years ago are now starting to become mature and we know how to 
build robust and privacy-preserving digital identity systems.
    But tying this into REAL ID compliance, I think we're 
conflating two different objectives right here and not 
necessarily focusing on the right ones.
    Mr. Thanedar. Thank you.
    Mr. Stanley, if you have time.
    Mr. Stanley. Yes, I would agree that TSA is not the right 
agency to lead. As I said in my comments, I would urge that TSA 
not exert pressure on the States to move to build digital 
identities around the ISO standard which is basically what 
they're doing.
    I would urge them to be very careful about working with 
particular vendors. At the end of the day we need a system that 
is open and where an American who wants to participate in our 
identity system doesn't have to deal with one company or a 
small number of companies but can deal with a whole variety of 
competitive companies.
    So those are two of the recommendations I would make.
    Mr. Thanedar. Thank you. Thank you.
    Sorry, Mr. Chairman. Thanks for letting me go over a little 
bit more of my time.
    Mr. Gimenez. It's fine. It's fine, Mr. Ranking Member. I'm 
pretty lax here. We don't have a big crowd.
    So I now recognize the gentlewoman from Florida, Ms. Lee.
    Ms. Lee. Thank you, Mr. Chairman.
    Mr. Grant, I'd like to pick up just where Ranking Member 
Thanedar left off with you there.
    You mentioned in your written testimony that Congress 
passed the REAL ID Modernization in 2020, but did not give TSA 
direction on what use cases should be a priority.
    So I'd like to hear a bit more about whether you believe 
Congress should give TSA a directive to prioritize the on-line 
identity use cases, or, rather, give a separate entity the 
authority to be prioritizing, like NIST, the authority to be 
prioritizing and the direction to prioritize these types of 
cases.
    Mr. Grant. Thanks for the question.
    So I'd like to see NIST more involved. I also think one of 
the things that was interesting is when the original REAL ID 
Act was passed in 2005, DHS, in general, was given directions 
to figure out the standards and the regulations. It was led out 
of their policy office at the time.
    When the Modernization Act was passed in 2020, which 
essentially said a REAL ID could either be a plastic card or it 
could be digital, the assumption was that the same team in DHS 
might lead it again, but then TSA was basically given the 
authority.
    Jurisdictionally, this becomes a bit of a tricky issue. But 
there is certainly, as I talk about the cybersecurity 
implications of digital identity writ large, and the way that 
mobile driver's license could play a role in solving those 
problems, one of the thoughts has been that CISA could play a role, 
but CISA does not seem to be engaged on this particular issue.
    I don't know that CISA would be ideal necessarily. I would 
personally prefer to see this at NIST. But even within the 
scope of DHS and the current legislation that we have, DHS has 
the ability to bring in a cybersecurity set of experts as 
opposed to just TSA with its more limited focus.
    Ms. Lee. Mr. Grossman, I would like to go back to your 
testimony about MDLs. I believe you described that they could 
offer better security and better privacy for consumers if 
they're designed properly. I'd like to hear more from you 
about: What are the elements of that proper design that could 
ensure the security and the privacy?
    Mr. Grossman. So there's a number of elements that are laid 
out both in the standard, as well as the AAMVA implementation 
guidelines, and a couple of that I'll highlight for an example.
    One is to not track where it is being used. So when someone 
uses it and it's read, that is not what we call calling home, 
phoning home back to the State agency. The State agency doesn't 
know where and how you're using it. Making sure the protocols 
and policies are in place is a key protection.
    Another key protection of the mobile driver's license is 
you as the holder can decide what elements of my information am 
I going to share with this individual. By contrast right now, 
if you think about every time you use your driver's license or 
identity card, you're physically handing that over to that 
person who may only need to know you're older than 21. Yet, 
you're giving them your name, your address, information about 
you, whether or not you're an organ donor. The list goes on and 
on and, whereas you only need to know I am old enough to make 
this purchase.
    So the ability for, as an individual, to say I'm only going 
to give you what you need, nothing more and nothing less, is 
the opportunity to protect that information.
    Ms. Lee. Thank you, sir.
    Mr. Grant, back to you, one of the things that you 
mentioned was attributing the lack of progress to DHS to their 
desire to wait on the International Standards Organization to 
develop standards. We've touched on CISA, NIST.
    Can you elaborate on the advantages of DHS not waiting for 
the International Standards Organization to finish their work, 
both in terms of immediately protecting millions of victims 
from identity theft, in addition to wanting to remain the world 
leader in the digital identification space?
    Mr. Grant. Yes, thanks for the question. So I'll preface 
this by saying that I mentioned in my written testimony, I used 
to work at NIST. I used to lead digital identity efforts there 
from 2011 to 2015.
    Generally speaking, the voluntary consensus-based standards 
process that we embrace, along with a lot of our peers across the 
globe, is the best way to go. Every now and then, we have a bit 
of a crisis where we need to move a little quicker, and that's 
where I can think of at least two situations over the last 20 
years, where the White House or Congress have turned to NIST 
and said you've only got 9 months, 12 months and you've got to 
act.
    The first was in 2004 when President Bush issued Homeland 
Security Presidential Directive 12 in response to the need to 
have stronger IDs for Government workers and contractors. That 
was a Presidential directive. NIST provided FIPS, Federal 
Information Processing Standards, FIPS 201 within 9 months.
    The second was in the Obama administration when Congress 
deadlocked on cybersecurity legislation. So, they said, well, 
let's at least come up with a cybersecurity framework that can 
be voluntary that not only Government agencies but also 
industry can start to use to manage cybersecurity risks.
    It was an Executive Order in February 2013. A year later, 
because NIST only had a year, they rolled out the CSF. In fact, 
that's become the basis of an ISO standard today.
    I think we're at a moment right now with FinCEN's 
documented $212 billion in suspicious activity reports in 2021 
tied to compromised identity. The GAO said between $130- and 
$135 billion in pandemic unemployment benefits lost to 
fraudsters, again, mostly organized criminals in hostile 
nation-States.
    You add those numbers up, that's between $300- and $350 
billion just in two sectors, just in 1 year. We can't afford to 
wait, and I think this is why we're at a point where we should 
stop deferring to ISO in hoping the voluntary process works. 
Instead, we basically put NIST and really I think we really 
need a broader whole-of-Government effort to address what I 
really think is a crisis right now when it comes to identity-
related cyber crime.
    Ms. Lee. Thank you.
    Mr. Chairman, I yield back.
    Mr. Gimenez. Thank you.
    I now recognize the gentleman from Illinois, Mr. Foster.
    Mr. Foster. Thank you, Mr. Chair, for waiving me onto this. 
You know, we have been wrestling with this and, you know, for 
some years now. It's, you know, we're forced to sort-of spread 
our effort into multiple committees and multiple agencies, and 
that's slowed things down.
    I had a Zoom earlier this morning with a gentleman, Norbert 
Sagstetter, who is leading the European Union effort on this, 
and they're making impressive progress.
    You know, their goals are that I think by February, they 
will have passed the enabling legislation, and that by some 
time around 2026 or 2027, every E.U. citizen will have the--who 
wants one, will be able to get a secure digital ID they can 
present on-line to prove they are who they say they are.
    They are wrestling with the same things that we have, where the 
States are going to be holding the biometrics and a lot of the 
key databases which people are comfortable with, and yet you 
need something which interoperates and prevents, you know, 
synthetic identity fraud and things like that.
    So, they are really doing the same, going through the same 
things we are and it seems to me like maybe a year ahead, which 
is sort-of ironic because their biggest collaborator is NIST, 
because all the standards that they're rolling out were 
actually developed at NIST years ago and they still consult 
with NIST.
    They're very eager also to collaborate with the United 
States, which I thought was very interesting, that they 
repeatedly approached me with the idea that we should be--the 
free democracies of the world should be working together on 
this because we are the--that's where you want to draw the 
fence on these efforts.
    So actually, Mr. Grant, could you say a little bit about 
your perception of what the rest of the world is doing compared 
to the United States?
    Mr. Grant. Thank you, Congressman Foster, and thanks for 
your leadership on this issue.
    We're at an interesting inflection point. I'm going to 
digress for about 15 seconds to say back in 2011, when I first 
joined NIST, I learned that when it came to payment cards, the 
United States had 25 percent of the transactions, but 50 
percent of the fraud, in other words, an eight-times-higher 
fraud rate because we were the only country that had not 
migrated away from insecure magnetic to more secure chip-based 
smart cards.
    It was only after the Target breach happened in 2013 where 
we had so much damage that finally the banks and retailers and 
other stakeholders said we need to start to move toward the 
rest of the world so we can erase all of this massive crime 
that we're seeing tied to our reliance on insecure technology.
    I think we're at an inflection point right now when it 
comes to identity where we are seeing all our peers across the 
globe--be it European Union, Canada, Australia, Singapore--you 
know, other countries that we tend to think of as our, you 
know, both often competitors, but also peers, every one of them 
has a strategy right now to try and address this issue of 
digital identity on-line. The United States is the only country 
that has no strategy whatsoever.
    So I worry that in a few years from both an economic 
competitiveness standpoint, along with the security losses that 
we're suffering because of identity-related cyber crime, 
compared to the rest of the world, we're going to be in 
somewhat of a dark place.
    Mr. Foster. You didn't mention India which is making 
really--you know, they came up with a basic identity, mandatory 
identity program for every Indian.
    There are lots of things that Americans would not be 
comfortable about their system. But after having established 
that, there's an incredible ecosystem of financial innovation 
that's come into being based on the ability to prove you are 
who you say you are on-line.
    When you get past that hurdle, then the start-up costs for 
fintechs are much smaller. There's a lot of enthusiasm, 
particularly among smaller banks, where one of their biggest 
costs is the cost of on-boarding customers. You remember during 
COVID when we had to bring a lot of unbanked individuals into 
the system? It was costing $400 to bring an un-banked person 
in.
    You know, in India it's essentially free. You just get out 
your cell phone, prove you are who you say you are, consult the 
list of bad actors. If you're not on it, boom, you've opened 
your bank account. That is, you know, that's an impressive step 
forward.
    Other countries are noticing it, and it's in the process of 
being adopted. The Indian system and their payment rails are 
being adopted by, you know, Singapore and Indonesia and the 
Philippines and so on, and as well as some of the Gulf states.
    So, you know, there's a danger that usually we spend a lot 
of time worrying that the Chinese currency is going to take 
over for the U.S. dollar. But I think there's a more real worry 
that the payment rails that were developed in India based on a 
secure digital ID will take over. So we have to--we have 
competitive worries to look at on that.
    So the other thing that I guess has been mentioned and 
talked about is the business of AI, AI and deepfakes which are 
really frightening.
    All the banks--I serve on Financial Services. The banks are 
all terrified by this because they use voice recognition. When 
people say what can Congress do about deepfake and AI 
generally, the No. 1 thing that we could do today is to have 
Federal recognition of mobile ID on-line to prevent people from 
being impersonated from this. That's--that should be a 
bipartisan thing that we can really move the ball forward on 
this.
    So thank you again for letting me participate in this.
    Thank you to our witnesses.
    Mr. Gimenez. You're quite welcome.
    I now recognize the gentleman from Louisiana, Mr. Higgins.
    Mr. Higgins. Thank you, Mr. Chairman.
    I thank our panelists for being here today.
    Mr. Stanley, having been on the other side during the course of 
my life, many interactions with the ACLU, I look forward to us 
agreeing to something today. It would be a first in history.
    So I say that lightheartedly, because we are a free nation. 
Generally speaking, the purpose of this committee is to 
maintain the security of our homeland. But that's the security 
of our homeland is to maintain without sacrificing individual 
rights and freedoms of our citizenry. Or else what's the 
purpose of the security of the homeland?
    So this hearing touches on subject matter that is 
reflective of that need for balance. In my State of Louisiana, 
we were one of the first to push through, through our State 
legislature, digital identification. It was official through 
the State, recognized by the State.
    So as a cop, if I interact with you and I ask for your ID, 
for your driver's license, you can show me your phone. There's 
an official app on the phone that State--that's recognized by 
the State, that I can look at your documentation. So retail 
stores and State government offices and police officers, you 
know, recognize this digital ID, but TSA does not.
    So a common question that, you know, a conservative 
Republican like me, we hear back home is: Why we have 9, 10 
million illegals coming across the border, and I can't use my 
digital ID to get on an airplane but these guys get tickets 
from the Department of Homeland Security? You know, we pay to 
send them wherever they want to go anywhere in the country. 
That's sort-of a generalization of what's happening, but it's 
very accurate. It's pretty much true.
    So, Mr. Grossman and Mr. Grant, could you speak to what are 
the benefits of the expansion of official digital IDs as it 
relates to both enhanced security and protected individual 
rights and freedoms, which is, for Mr. Stanley, I'm going to 
hope we can agree on.
    Mr. Grossman and Mr. Grant.
    Mr. Grant. Sure. Well, it's a great question. I'll say with 
regard, first, to Louisiana's mobile driver's license, 
Louisiana's definitely been an innovator here. It was one of 
the first States out of the gate.
    I will say with the draft regulations that TSA's put 
forward on MDLs, if the Louisiana ID or any other State ID 
that's gone forward on the mobile driver's license side meets 
those rules, they would be able to use that to board a plane. 
That's my understanding. I'll let TSA tell you that 
authoritatively.
    I think the balance between security and privacy is an 
important one, and where, as somebody who's generally--I've 
generally been a privacy advocate.
    Mr. Higgins. Between security and freedoms.
    Mr. Grant. Freedoms, yes.
    Mr. Higgins. Yes, sir.
    Mr. Grant. I think we can give people more privacy than 
they have today by architecting these solutions the right way 
in that, for example, if I hand my ID over at a bar, you can 
read everything about me, when what you only need to know is 
that I'm over 21. I don't get that question a lot these days, 
but there was a time when it mattered.
    Digitally, I can just share one attribute about me. The 
same with trying to do something on-line, everything that's on 
my driver's license might not be needed to be shared with the 
bank or with the fintech app that I'm trying to apply for an 
account with. But they can get those validated details about me 
that they need directly from the authoritative source rather 
than relying on some other solutions that are looking at other 
sources to try and guess if it's you or not.
    So I do think that, again, with the proper design, and this 
is why we're really calling for, sort-of a whole----
    Mr. Higgins. So if the digital designs, in the interest of 
time, would comply with, say, REAL ID, then you would see a 
path forward for not just for Louisiana but every sovereign 
State to be able to allow the citizenry the option of using a 
hard ID versus a digital ID?
    Mr. Grossman. That's under way already.
    Mr. Higgins. Yes, sir.
    Mr. Grossman, you concur?
    So, Mr. Grossman, do you concur?
    Mr. Grossman. Yes, I concur, and I would add, the reason 
why States are going down the road of mobile driver's licenses, 
as fascinating and as exciting as new technology is, the core 
driving purpose is, where does this technology allow us to 
improve on safety, security, freedom from the physical world?
    Mr. Higgins. Right.
    Mr. Grossman. So through all these testimonies, through the 
privacy, through the security, through getting it right, it all 
has to do with that driving purpose of making it better than 
the status quo of the physical world.
    Mr. Higgins. So, Mr. Chairman, my time has expired, but I 
would ask the indulgence of the Chair to allow Mr. Stanley to 
agree or disagree. It would be a historical moment.
    Mr. Gimenez. Yes, go right ahead, Mr. Stanley. Let's make 
some history here.
    Mr. Stanley. I thoroughly agree with you that----
    Mr. Higgins. That's it, I'm out.
    Mr. Stanley [continuing]. That it is vital to keep an eye 
on freedom even as we look at what a digital ID----
    Mr. Higgins. Thank you, Mr. Stanley.
    I appreciate the indulgence, Mr. Chair.
    Mr. Gimenez. All right. We have some time for a second 
round, and so I'll start with myself.
    Mr. Grossman, you know, we're talking a lot about the 
digital, the digital world and all, and digital IDs, but 
digital IDs are going to be based on a standard just like a 
hard copy ID right now is.
    So, while States may be offering digital IDs, there's no 
guarantee that they will be REAL ID. They may not be REAL ID. 
So that is not going to be as secure as REAL ID, or do you 
think that a State-issued non-REAL ID, you know, driver's 
license is as secure as a REAL ID, that that individual, in 
fact, is who they say they are?
    Mr. Grossman. Fundamentally, yes. This is because States, 
even before 9/11, even before the REAL ID Act, States were 
already recognizing the challenges of the vetting, identity, 
and credentialing process, and making significant changes and 
investments to producing a more secure credential, and a more 
secure vetting process to make sure someone is who they say 
they are.
    All credentials that U.S. DMVs issue, there is an 
enormously high level of confidence that that person is who 
they say they are. It is fundamental to their mission, and is 
something that they provide a high level of insurance 
regardless of the type of credential they're carrying.
    Mr. Gimenez. So what's the difference between a non-REAL ID 
and a REAL ID issued by a State?
    Mr. Grossman. So there are certain steps and documentation 
that Department of Homeland Security has identified as, we 
would like States to follow these steps to meet the REAL ID 
requirements in order to use the State driver's licenses for 
Federal purposes.
    The non-REAL ID credentials in the States that offer it, we 
would have to provide you a list by State. Some are very close 
to the REAL ID process, and some have different gaps in between 
the REAL ID process and the non-REAL ID process.
    Mr. Gimenez. Would it be easier for somebody to go into a 
State and say, I'm Mr. Grossman, and you may be Mr. Grossman, 
but then Mr. Stanley may go and say, I'm Mr. Grossman, and get 
a driver's license that says that actually that he's Mr. 
Grossman if it weren't a REAL ID? Which is easier to do?
    If it's not a REAL ID, would it be easier for Mr. Stanley 
to become Mr. Grossman or vice versa? Which is the more secure?
    Mr. Grossman. That would be--I can't answer that question 
of which one is more secure because our States are dedicated to 
making sure they're both secure.
    The fundamental challenge of someone coming in and claiming 
to be someone else is something DMVs are battling every single 
day, and that's why they're using every tool in the toolbox to 
fight that fraud, to stop that fraud, regardless of which type 
of credential someone is trying to get.
    Mr. Gimenez. OK. Now, my question, Mr. Stanley, why are 
States fighting the standards for REAL ID?
    Mr. Stanley. Largely the States have given up that battle. 
I think that a lot of REAL ID was about strengthening the 
security protections--you know, physical security protections 
on physical IDs, and that ship has basically sailed.
    Today's digital IDs are much more physically secure, as Mr. 
Grossman said, than they were before 9/11. That was going to 
happen anyway probably.
    Mr. Gimenez. I'm not talking digital ID. I'm talking REAL 
ID----
    Mr. Stanley. No, no, no.
    Mr. Gimenez [continuing]. Versus non-REAL ID, because the 
majority of the jurisdictions, they do not issue just solely 
REAL ID. They issue--they issue REAL IDs, but they also give 
you an option not to get a REAL ID, the majority of the 
jurisdictions.
    So why are States not just saying everybody's going to get 
a REAL ID in order to get a driver's license?
    Mr. Stanley. The REAL--I don't know exactly what a lot of 
the thinking is, but generally the objections to REAL ID is 
that it's a huge unfunded mandate from the Federal Government 
that imposed a lot of very particular regulations on exactly 
how the DMVs did their business.
    REAL ID was rammed through without hearings, without 
consulting with the DMVs, and the experts in the DMVs, exactly 
how they should proceed, and that led to a lot of the 
objections. In addition to objections, people saw it as a 
national identity system.
    I think that--you know, the answer of--the answer of, like, 
what is a REAL ID, it's whatever Homeland Security says it is. 
Under the regulation, under the law, they get to make up the 
regulations for what it is.
    The same thing will apply to digital ID, which is what the 
concern about digital ID is, is that we're leaving it up to 
Homeland Security, and specifically they've delegated it to 
TSA, to decide for the whole Nation what is and is not a REAL 
ID-compliant----
    Mr. Gimenez. What the standards are to get that digital ID, 
that's being left up to TSA and Homeland Security?
    Mr. Stanley. Correct.
    Mr. Gimenez. OK. I understand the issue now. All right. 
Thank you. My time is up.
    I now recognize the Ranking Member.
    Mr. Thanedar. Chairman, I'm good. Thank you.
    Mr. Gimenez. OK. Back to the gentleman from Louisiana, Mr. 
Higgins.
    Mr. Higgins. Mr. Wiediger, am I pronouncing your name 
correctly?
    Mr. Wiediger. You're close.
    Mr. Higgins. Wiediger? Mr. Wiediger, IDEMIA is rolling out 
the CAT 2 technology, correct?
    Mr. Wiediger. That's correct.
    Mr. Higgins. So one of the airports where that's being 
deployed is New Orleans. I anticipate, of course, it will be 
well-received, reflective of the training that our TSA agents 
and the CLEAR personnel and the airline personnel, the staff on 
the ground there, interact with the general public. Have you 
had pushback in any of your deployments that this committee 
should be aware of----
    Mr. Wiediger. We've had no----
    Mr. Higgins [continuing]. That's notable?
    Mr. Wiediger. We've had no pushback. TSA plans the activity 
closely with all the jurisdictions, all the airports that are 
gaining CAT 2s. Our teams go out and deploy them. There have 
not been issues that have arisen in the deployment of the 
assets. They've generally been very well-received.
    Mr. Higgins. If there's an update on the boarding pass, 
like in the absence of a boarding pass, which is one of the 
ways that this new technology can function, am I correct, is to 
coordinate the ID as presented and scanned with the records for 
the airline regard so a person would not have to have their 
boarding pass? Is that correct?
    Mr. Wiediger. That's correct.
    Mr. Higgins. OK. So that means that the technology would 
have some record of a boarding pass. Is that correct?
    Mr. Wiediger. So the----
    Mr. Higgins. In the absence of the traveler presenting a 
boarding pass, if you're saying that the technology will locate 
and confirm the boarding pass that's associated with the ID 
that's been presented and scanned and compared with the image 
of the person that's standing before it, then you're saying 
that the technology has possession of the boarding pass data 
for that individual, correct?
    Mr. Wiediger. In essence, that's correct. The platform is 
updated by TSA through their software back-end processes.
    Mr. Higgins. OK. So--and if--what if there's a variance of 
what the traveler believes is their accurate boarding data? 
They've upgraded or something like that, or if they've arranged 
to have seats adjoining with their traveling companion or 
something like that, like how fast is the technology updated 
from the airlines?
    Mr. Wiediger. I apologize. I don't have an answer for that. 
TSA controls that part. We don't do that piece as it relates to 
the boarding data. As it relates to their seats and the 
assignments, I don't believe that's a conversation at the TSA 
checkpoint, but I'd have to defer to TSA on that.
    Mr. Higgins. So that's just something we have to watch?
    Mr. Wiediger. I'm sorry?
    Mr. Higgins. It's just something we'll have to watch?
    Mr. Wiediger. Generally my understanding, based on the 
airline processing, is that's handled by the airline. So what 
TSA gets is the flight manifest to know that you're----
    Mr. Higgins. Right. But that's the boarding pass?
    Mr. Wiediger. Correct. Correct.
    Mr. Higgins. So you see what I'm saying, there's an 
intersection there between the new technology and the traveler 
and the airline as it relates to the details of the boarding 
pass. Don't want to get in the weeds there.
    So the gentleman, my colleague, brought up AI. Do any of 
you have concerns, in my remaining minute here? I mean, TSA is 
not deploying, is not using AI, but it certainly--at least not 
on the front line where there's intersections.
    I'm not saying there's no research being done, but at the 
point of intersection with American citizens, TSA is not using 
AI. Do you see it as an issue and a challenge, and if so, how 
and why? Because we certainly see it as an issue.
    Mr. Grant. I think the threat from AI when it comes to 
identity will probably be less acute in person and more 
on-line, where we're seeing cheap deepfakes. You know, I can get 
15 seconds of your voice or a photo of you and suddenly you're 
on-line saying something you've never said before, never 
recorded before. I think this is going to be the new frontier 
in attacks in the cyber world where particularly, you know, I 
mentioned before, it's a bit of an anomaly when we see a big 
breach in identity, does it not provide the attack vector?
    I think that might be about to explode if we don't have the 
right defenses in place to be able to block some of those. But 
I think that's going to--this is actually an area where I think 
mobile driver's licenses, because they're rooted in public 
e-cryptography, they can't be spoofed by AI----
    Mr. Higgins. OK.
    Mr. Grant [continuing]. Really important in the cyber 
world. The in-person world, my personal view is that's less of 
a threat.
    Mr. Higgins. Well, we certainly have to build guardrails 
into everything we do as we look at the emerging technologies 
of AI. Apologize, my time is expired, gentlemen, Mr. Chairman.
    Mr. Gimenez. Thank you. So that video I saw of you praising 
the former President, that wasn't you? OK.
    I recognize the Member from Illinois, Mr. Foster.
    Mr. Foster. Thank you. I appreciate it, again.
    Could you return a little bit to the phone-home problem? 
Because I, this morning, had a long discussion with the E.U. 
representative, because the worry that I understand is that if 
every time you present your mobile ID, there's a query made to 
the database to say, is this--the database maintainer, is this 
really valid or not then, which is a sort-of innocuous thing, 
until you realize that means they have a record of every time 
you presented it and potentially even where you were when you 
presented it.
    They believe, the European Union, believes that they have 
technological solutions that will make that not a worry. You 
know, Mr. Stanley, you're on the leading edge of this. Do you 
believe that that is something, if you pay attention to the 
rules under which you can demand a mobile ID, you know, maybe 
even license, making the collection of data from the mobile ID 
a licensable activity, which I think is the E.U. approach, 
whether this can actually be made into something that isn't 
really a privacy concern?
    Mr. Stanley. Yes. I mean, we have definitely called for 
off-line only, you know, verifications so that the verifier is 
not phoning home because, as you said, it creates a record--it 
gives a record to the DMV, whatever, you know, their vendor or 
whoever, of everywhere that you've showed your ID.
    Instead, they can just pre-download the public key of the 
DMV, and use the public key to verify that your digital token 
is: (A), was signed by the DMV, and (B), has not been altered 
by even one bit, and that solves that side of the tracking 
problem.
    There are other tracking problems where----
    Mr. Foster. There is also a revocation problem that if you 
say, there's the proof that I live in Naperville, Illinois, 
whereas I've, in fact, moved 2 months ago, at some point you 
have to consult the database. I have been told that there are 
ways to publish the revocation list in a way that's encrypted, 
so that the questioner can just sit there and ask a question of 
the encrypted database, and whoever's maintaining it won't even 
know which individual is being asked about.
    So, I was just wondering if that is ready for prime-time 
technology that could actually pretty much make this a 
nonissue?
    Mr. Stanley. So, No. 1, that's a question for a 
cryptographer, but my general understanding is that, yes, with 
new technologies such as zero-knowledge proofs, you can prove 
that you know something without revealing what it is that you 
know.
    There's currently a lot of exciting research and 
applications of these new cryptographic techniques that's being 
explored by cryptographers and others, and this is part of the 
reason we're saying let's take our time and do this right. 
Let's make use of those technologies.
    If they exist, it would be a pity if TSA and, you know, 
DMVs barrel ahead with this somewhat privacy-protective--on 
privacy-protective terms, primitive ISO standard rather than 
taking the time and working in these kinds of technologies that 
the European Union is looking at and so forth, so that we can, 
to some degree, have our cake and eat it too here, have the 
advantages that come from, you know, high technology but 
protect our privacy at the same time.
    Mr. Foster. Yes. It really highlights the difference 
between the end-use case. If you're getting on an airplane, the 
Government knows you're getting on the airplane. You know, 
there isn't an issue of phoning home there.
    But if you're buying something on-line, maybe the 
Government shouldn't know that you presented your mobile ID for 
that purpose.
    So, you know, it's really encouraging. I've been told by 
some cryptography types that this is actually a semi-solved 
problem at this point, and the European Union is trying to get 
that--we'll find out in February, I guess, when they roll out 
their official technical specifications and so on.
    Do you have any other comments on the whole concept of 
having collection of information a licensed activity, so that, 
you know, if you decide, OK, I'm holding a rock concert, I'm 
worried about terrorists sneaking in, and so for 24 hours 
afterwards, I want to maintain a record of who walked through 
the turnstile, maybe that's OK, as long as you get a license 
for collecting that information from everyone who walked in.
    If there's no terrorist event in 24 hours, you have--the 
terms of your license makes you destroy that kind of 
information. Is that the sort of thing that is contemplated in 
the United States?
    Mr. Stanley. I know that the European Union is looking at 
that approach. In many ways it seems like a characteristically 
European approach to things, and we don't have an opinion on 
whether that's the best way to, you know, impose limits.
    But we do think that one way or another, we need to make 
sure--because, you know, the fact that a digital ID makes it 
much easier and cheaper for a bank to know who you are--they 
don't have to go through these kludgy, face-recognition things 
and exploring databases to see if you can answer questions.
    It makes it much easier and cheaper for banks to know you 
are who you say you are, but that means it makes it cheaper an 
effort for everybody as well. So everybody is going to start 
asking you for your ID, and we have to pay attention to that 
flip side.
    So whether it's by putting in place laws that restrict who 
can ask for an ID and when, or a licensing scheme like that, we 
haven't thought deeply enough about that. We don't have a 
position on that, but one way or another it's the right goal.
    Mr. Foster. OK. Well, thank you. Again, I appreciate it, 
the witnesses.
    Mr. Gimenez. Thank you. From what I understand, one of the 
things that is actually at risk with AI is encryption and 
cryptology, and so, we put too many eggs in that basket. That's 
a subject to--that's a subject for another hearing, which by 
the way I think we're going to have a couple more hearings.
    This hearing actually is going to lead to more hearings, 
one with TSA about what's going to happen on May 7, 2025, 
specifically, and then, what are they doing as far as digital--
digital IDs themselves and their role in it.
    So with that, I want to thank the witnesses for their 
valuable testimony and the Members for their questions.
    The Members of the subcommittee may have some additional 
questions for the witnesses, and we will ask the witnesses to 
respond to these in writing. Pursuant to committee rule VII(D), 
the hearing record will be held open for 10 days being.
    Without objection, the subcommittee stands adjourned.
    [Whereupon, at 4:28 p.m., the subcommittee was adjourned.]

                              [all]