The fourth revision of the Digital Identity Guidelines advances the inclusion of equity, access, and privacy in identity management policies. The Center for Democracy & Technology said the draft, which is open to public consultation by the industry, looked to standardise ID access, equity and data privacy within regulation, in particular to have a positive effect on vulnerable people who claim public benefits.
Those citizens in particular need to be considered, because they have to navigate multi-modal identity verification to access life-saving benefits; that verification is also paramount to knowing who is using, and potentially abusing, government services. The development of digital management guidance benefits groups of society currently excluded as everyday public services are digitised. The CDT’s comments stated it was “critical” that NIST maintains these advances and “centers” core values explicitly within digital ID guidelines. Clear communication with agencies will make them consider the “diverse and complex needs of populations they serve”. NIST emphasised the importance of optionality in different modalities and formats to ensure citizens are not excluded from accessing critical services due to poor digital connectivity or limited technology access.
The structure of the Digital Identity Risk Management (DIRM) process places a duty on relying parties (RPs) to deploy robust identity systems that also address the specific needs of their user population. Flexibility must be a hallmark of identity systems tendered for public benefits administration and other department services whose “users are disproportionately likely to face barriers in proving their identity due to a range of factors”. CDT’s comments acknowledge that the DIRM is an interactive process with contractors. The suggested change to this part of the draft is to mention “documentation” that evidences knowledge about the adjustments, implementation and deployment of a system throughout its lifecycle.
The CDT’s other feedback on the draft guidelines included seeking availability of identity evidence for specific sub-populations of their user group as well as for populations as a whole. The public benefits administration should also provide in-person proofing options if the user population requires it.
The CDT also commented, “the distinction between users and impacted entities is helpful, and we appreciate the explicit inclusion of broader societal impacts of identity systems and the systems they aim to protect”.
NIST is commended for establishing a risk management approach that allows organisations to account for the specific needs of their population, but the phrase “mission delivery” should be added to “specific context, users, and threat environment” to underscore the need to maintain “core objectives when assessing their identity systems”. Another key objective for organisations should be to document any new risks, whether to the system being protected by the identity system or to any other parties, particularly users.
















