[Senate Report 117-238]
[From the U.S. Government Publishing Office]
Calendar No. 616
117th Congress } { Report
SENATE
2d Session } { 117-238
_______________________________________________________________________
IMPROVING DIGITAL IDENTITY ACT OF 2022
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 4528
TO ESTABLISH A GOVERNMENT-WIDE APPROACH
TO IMPROVING DIGITAL IDENTITY, AND FOR
OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
December 12, 2022.--Ordered to be printed
_________
U.S. GOVERNMENT PUBLISHING OFFICE
39-010 WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona RAND PAUL, Kentucky
JACKY ROSEN, Nevada JAMES LANKFORD, Oklahoma
ALEX PADILLA, California MITT ROMNEY, Utah
JON OSSOFF, Georgia RICK SCOTT, Florida
JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Lena C. Chang, Director of Governmental Affairs
Matthew T. Cornelius, Senior Professional Staff Member
Pamela Thiessen, Minority Staff Director
Sam J. Mulopulos, Minority Deputy Staff Director
Cara G. Mumford, Minority Director of Governmental Affairs
Laura W. Kilbride, Chief Clerk
Calendar No. 616
117th Congress } { Report
SENATE
2d Session } { 117-238
======================================================================
IMPROVING DIGITAL IDENTITY ACT OF 2022
_______
December 12, 2022.--Ordered to be printed
_______
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 4528]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 4528) to establish
a Government-wide approach to improving digital identity, and
for other purposes, having considered the same, reports
favorably thereon with an amendment, in the nature of a
substitute, and recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary.............................................. 1
II. Background and Need for the Legislation.......................... 1
III. Legislative History.............................................. 3
IV. Section-by-Section Analysis of the Bill, as Reported............. 3
V. Evaluation of Regulatory Impact.................................. 6
VI. Congressional Budget Office Cost Estimate........................ 6
VII. Changes in Existing Law Made by the Bill, as Reported............ 7
I. PURPOSE AND SUMMARY
S. 4528, the Improving Digital Identity Act, would
establish an interagency and public-private Improving Digital
Identity Task Force to coordinate and issue recommendations
relating to federal, state, and private-sector efforts to
develop and adopt digital identity tools, and ensure federal
agencies implement relevant recommendations.
II. BACKGROUND AND NEED FOR THE LEGISLATION
There is an urgent need to enhance digital identity efforts
across federal, state, and local governments, in coordination
with the private sector, to avert fraud, prevent identity
theft, and enable individuals to more easily and reliably
verify their identities online. Given the scale and frequency
of recent data breaches, including successful attacks against
consumer credit reporting agencies, financial institutions,
telecommunication providers, and even government entities,
cybercriminals have access to countless Americans' Social
Security numbers, driver's license numbers, and other personal
identifiers traditionally used to verify identity. This has not
only resulted in severe financial losses and privacy harms for
individual consumers, but also facilitated unprecedented levels
of fraud against governments and private entities alike. In
fact, more than 293,000,000 victims were impacted by data
breaches in 2021,\1\ and losses from identity fraud totaled
$56,000,000,000 in 2020.\2\ As highlighted by recent reports,
federal and state benefits programs similarly experienced a
surge of fraudulent claims during the COVID-19 pandemic,\3\ in
large part due to governments' inability to differentiate
between authorized and unauthorized uses of individuals'
identifying information on online application portals.
---------------------------------------------------------------------------
\1\Identity Theft Resource Center, 2021 Data Breach Report (Jan.
24, 2022) (www.wsav.com/wp-content/uploads/sites/75/2022/01/
20220124_ITRC-2021-Data-Breach-Report.pdf).
\2\Javelin Strategy and Research, 2021 Identity Fraud Study:
Shifting Angles (2021) (https://javelinstrategy.com/content/2021-
identity-fraud-report-shifting-angles-identity-fraud).
\3\See, e.g., `A magnet for rip-off artists': Fraud siphoned
billions from pandemic unemployment benefits, Washington Post (May 15,
2022) (www.washingtonpost.com/us-policy/2022/05/15/
unemployment-pandemic-fraud-identity-theft/).
---------------------------------------------------------------------------
Upgrading identity verification technologies and providing
individuals with the choice to adopt innovative digital
identity tools is critical to tackling these and related
challenges. Government entities, as authoritative issuers of
identity in the United States, are uniquely positioned to work
with the private sector to facilitate this transition. For
instance, some states, including Arizona, Colorado, Delaware,
Florida, Iowa, Louisiana, Maryland, Oklahoma, Utah, and
Virginia, have already started to issue mobile driver's
licenses to citizens who wish to have them. These licenses not
only are more secure than physical driver's licenses, but also
create opportunities to improve convenience for citizens, as
illustrated by the Transportation Security Administration's
acceptance of mobile driver's licenses at select airport
checkpoints, as well as next-generation approaches to know-
your-customer compliance being considered in the financial
industry. There are a variety of other promising digital
identity verification techniques also being developed in both
the private and public sectors.
More broadly, as high-value private transactions and
critical government-citizen interactions move online,
establishing digital identity standards is essential to
ensuring these transactions and interactions are secure,
private, and efficient. There must be a common set of
guidelines to ensure mobile forms of identification, as well as
digital identity verification processes, are interoperable from
a technical perspective, safe from a cybersecurity perspective,
and private and equitable from a civil liberties perspective.
By establishing an interagency and public-private Improving
Digital Identity Task Force to develop recommendations on such
matters, the bill will facilitate the increased and improved
usage of digital identity verification technologies, while also
ensuring the deployment of these tools is accompanied by
necessary oversight. By requiring federal agencies to implement
appropriate recommendations of the Task Force, the legislation
will also save taxpayer money through fraud prevention and
ensure that citizens' privacy and data are better protected
when the government engages in identity verification.
III. LEGISLATIVE HISTORY
Senator Kyrsten Sinema (D-AZ) introduced S. 4528, the
Improving Digital Identity Act, on July 13, 2022, with Senator
Cynthia Lummis (R-WY). The bill was referred to the Committee
on Homeland Security and Governmental Affairs. Companion
legislation was previously introduced in the House of
Representatives by Representatives Bill Foster (D-IL-11), John
Katko (R-NY-24), James Langevin (D-RI-2), and Barry Loudermilk
(R-GA-11).
The Committee considered S. 4528 at a business meeting on
September 28, 2022. During the business meeting, an amendment
in the nature of a substitute was offered by Senator Sinema.
This substitute amendment eliminated language establishing a
digital identity innovation grant program and authorizing
corresponding appropriations. Instead, the Task Force is
required to produce the design for such a grant program. The
substitute amendment also created a new mandatory interim
reporting requirement for the Task Force and made various
technical corrections. The substitute amendment was adopted by
voice vote en bloc. The bill, as amended, was ordered reported
favorably by voice vote en bloc. Senators present for the vote
were Peters, Carper, Hassan, Sinema, Rosen, Padilla, Ossoff,
Portman, Johnson, Lankford, Romney, Scott, and Hawley.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section designates the name of the bill as the
``Improving Digital Identity Act of 2022.''
Section 2. Findings
This section discusses the need for the legislation. It
highlights the prevalence of identity theft and fraud, and how
the inadequacy of current digital identity solutions degrades
security and privacy. The section further notes that next-
generation solutions are needed that improve security, privacy,
equity, and accessibility and that governmental entities, as
authoritative issuers of identity in the United States, are
uniquely positioned to work with the private sector and other
nongovernmental stakeholders to deliver critical components
that address deficiencies in our nation's digital identity
infrastructure. Finally, this section establishes that it
should be the policy of the Federal government to use its
authorities and capabilities, in coordination with State,
local, Tribal, and Territorial partners and the private sector,
to support consent-based digital identity solutions that enable
Americans to better prove who they are online and facilitate
trusted transactions.
Section 3. Definitions
This section defines the terms ``appropriate notification
entities,'' ``digital identity verification,'' ``Director,''
``Federal agency,'' ``identity attribute,'' ``identity
credential,'' ``Secretary,'' and ``Task Force.''
Section 4. Improving Digital Identity Task Force
Subsection (a) establishes the Improving Digital Identity
Task Force within the Executive Office of the President.
Subsection (b) provides that the purpose of the Task Force
shall be to establish and coordinate a government-wide effort
to develop secure methods for Federal, State, local, Tribal,
and Territorial agencies to improve access and enhance security
between physical and digital identity credentials, particularly
by promoting the development of digital versions of existing
physical identity credentials, including driver's licenses, e-
Passports, social security credentials, and birth certificates.
Through such activities, the Task Force shall enhance privacy
and security, reduce identity theft and fraud, enable trusted
transactions, and ensure equitable access to digital identity
verification.
Subsection (c) specifies that the Director of the Task
Force shall be appointed by the President and serve at his
pleasure. It further notes that the Director shall be
compensated at the rate of basic pay prescribed for level II of
the Executive Schedule and have relevant technical expertise
and managerial acumen gained from work in the fields of digital
identity management, information security, or benefits
administration in academia, advocacy organizations, or the
private sector. The Director may not hold his or her role
concurrent with another Federal appointment and his or her term
shall terminate upon conclusion of the Task Force's work.
Subsection (d) describes the membership of the Task Force.
Federal members shall include representatives of the Department
of Homeland Security, the Department of the Treasury, the
National Institute of Standards and Technology, the Financial
Crimes Enforcement Network, the Social Security Administration,
the Department of State, the General Services Administration,
the Office of Management and Budget, the United States Postal
Service, the Office of the National Cyber Director, and such
other Federal agencies or offices as the President determines
appropriate. Six State, local, Tribal, or Territorial members
shall also be appointed, representing agencies that issue
identity credentials. Finally, there shall be five
nongovernmental members, including a privacy and civil
liberties expert, technical experts in both identity
verification and cybersecurity, and representatives of both an
identity verification service provider and a party that relies
on effective identity management services.
Subsections (e) and (f) relate to various administrative
matters. The Task Force shall be organized into appropriate
working groups and shall convene at the call of the Director.
The Task Force shall further provide an opportunity for public
comment.
Subsection (g) describes the duties of the Task Force. The
Task shall identify Federal, State, local, Tribal, and
Territorial agencies that issue identity credentials or hold
information relating to identifying an individual; assess
restrictions with respect to the abilities of these agencies to
verify identity information for other agencies and
nongovernmental organizations; and assess any necessary changes
in statutes, regulations, or policy to address such
restrictions. It shall also create a standards-based
architecture to enable agencies to provide services relating to
digital identity verification in a way that complies with
safeguards to protect private and civil liberties, promotes
interoperability, and enhances shared identity proofing across
public sector agencies. Other responsibilities include
identifying funding or other resources needed to enhance
digital identity verification, including by designing a Federal
grant program to implement the recommendations of the Task
Force and facilitate the development and upgrade of State,
local, Tribal, and Territorial highly-secure interoperable
systems that enable digital identity verification, and
recommending funding models to provide digital identity
verification to private sector entities. Finally, the Task
Force shall determine what other additional steps are necessary
to improve digital identity verification and assess related
matters, including the potential exploitation of digital
identity tools by malign actors, privacy concerns, and ways to
improve Americans' access to foundational identity documents.
Subsection (h) ensures that the Task Force respects privacy
and civil liberties by specifying that the Task Force may not
recommend the creation of a single identity credential provided
or mandated by the Federal government for the purposes of
verifying identity or associated attributes, a unilateral
central national identification registry relating to digital
identity verification, or a requirement that any individual be
forced to use digital identity verification for a given public
purpose.
Subsection (i) requires the Task Force to consult with the
Department of Education, other appropriate Federal entities,
State, local, Tribal, and Territorial governments (including
departments of motor vehicles and vital records bureaus),
digital privacy and civil liberties experts, technology and
cybersecurity experts, users of verification services, experts
from academia and advocacy organizations, industry
representatives, and fraud prevention experts.
Subsection (j) establishes various reporting and
publication requirements for the Task Force. Not later than 180
days after the date of enactment, the Task Force shall submit
an initial report describing recommendations, including with
respect to the required standards-based architecture and
methods to leverage digital driver's licenses, distributed
ledger technology, and other technologies, and initial
consultations. 18 months after enactment, the Task Force shall
submit a mandatory interim report, which must address a number
of statutorily prescribed matters, including the standards-
based architecture, the proposed design of the grant program
for the development and upgrade of State, local, Tribal, and
Territorial digital identity verification systems, and existing
restrictions inhibiting related agency action. 180 days before
the Task Force's sunset date, the Task Force shall submit a
final report. The Task Force may also issue additional reports
to educate the public, and all reports shall be made publicly
available on a centralized website.
Subsection (k) specifies that the Task Force shall conclude
business 3 years after the date of enactment.
Section 5. Security enhancements to Federal systems
Subsection (a) requires the Director of the Office of
Management and Budget to issue guidance to Federal agencies for
the purpose of implementing appropriate recommendations
contained in the Task Force's initial report.
Subsection (b) instructs each Federal agency to produce an
annual report on its implementation of the guidance required
under subsection (a). It further provides that the Office of
Management and Budget shall annually make publicly available a
report describing the digital identity verification services
offered by Federal agencies, the volume of digital identity
verifications performed by each Federal agency, the
effectiveness of Federal digital identity efforts, and related
recommendations. Such reports shall initially be developed in
consultation with the Task Force. Furthermore, not later than
180 days after enactment, the Office of Management and Budget,
in consultation with the Cybersecurity and Infrastructure
Security Agency, shall submit a report to Congress describing
Federal agencies' implementation of the guidelines published by
the National Institute of Standards and Technology in the
document entitled ``Special Publication 800-63'' (commonly
referred to as the ``Digital Identity Guidelines''') and the
Office of Management and Budget memorandum ``M-19-17,'' as well
as other measures that have been taken or will be taken to
enhance digital identity verification services offered by
Federal agencies.
Subsection (c) ensures that updates regarding the matters
covered by the Office of Management and Budget's initial report
to Congress are subsequently incorporated into other reports
annually required to be submitted to Congress.
Section 6. GAO report
This section instructs the Government Accountability Office
to submit a report to Congress describing the estimated
potential savings that would result from the increased adoption
and widespread usage of digital identification tools. This
report would specifically outline the potential cost savings to
the Federal government from averted fraud, including the theft
of government benefits, and the economy of the United States as
a whole, including from averted consumer identity theft.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, October 21, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 4528, the Improving
Digital Identity Act of 2022.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
S. 4528 would establish a task force to coordinate federal,
state, and private-sector efforts to develop digital identity
credentials, such as driver's licenses, passports, and birth
certificates. The task force would identify best practices and
publish guidelines for federal and state agencies to consider
when implementing digital identity programs. Under the bill,
the task force would submit periodic reports to the Congress on
its findings and would terminate three years after enactment.
The task force would consist of representatives from
federal agencies, state governments, and private entities.
Using information about the cost of similar efforts, CBO
estimates that implementing S. 4528 would cost $4 million over
the 2023-2027 period for staff salaries, travel, and other
administrative expenses to operate the task force. Such
spending would be subject to the availability of appropriated
funds.
Enacting the bill could affect direct spending by some
federal agencies that are allowed to use fees, receipts from
the sale of goods, and other collections to cover operating
costs. CBO estimates that any net changes in direct spending by
those agencies would be negligible because most of them can
adjust amounts collected to reflect changes in operating costs.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Director of
Budget.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation would make no change in existing law,
within the meaning of clauses (a) and (b) of subparagraph 12 of
rule XXVI of the Standing Rules of the Senate, because this
legislation would not repeal or amend any provision of current
law.
[all]