Biden’s cyber EO says states might get funding for digital driver’s licenses

The Biden administration’s Thursday executive order on cybersecurity, which pushes for additional governance on a swath of federal tech policies, ranging from establishing new standards for secure software to addressing AI-fueled risks, also contains some notes on digital driver’s licenses that could soon become relevant for state governments.

In a section calling for action to combat cybercrime and fraud, the order notes that it is the federal government’s policy to “strongly encourage” the acceptance of digital identity documents for vetting access to public benefits programs. It also gives 90 days for federal agencies and the National Security Council to consider whether states should receive funding to develop digital driver’s license programs.

If new funding becomes available for state digital identity programs, it could support the roughly half of states to have already launched digital driver’s license programs or to have announced plans to start one. New Jersey Gov. Phil Murphy on Tuesday urged lawmakers during his State of the State address to pass a pair of bills that would create such a program in his state.

“This is just common sense,” Murphy said this week. “Mobile driver’s licenses allow people to update personal information in real-time, like changing their address.”

Biden’s latest order also directs the Secretary of Commerce to issue guidance designed to help identity issuers and verifiers adhere to best practices. On whether agencies administering benefits programs should accept digital credentials, the order only says they should “consider” it, but only if they can do so while meeting the latest federal security standards, which include data minimization, the practice of collecting only the bare information needed for a given task.

The American Civil Liberties Union issued a statement Thursday with mixed support for Biden’s push for digital identity, noting the technology’s potentially “disastrous consequences for privacy” absent strong federal policy.

“We applaud the administration for directing that the federal government only support digital driver’s licenses that incorporate privacy-protecting technologies and minimize the data that ID-holders must share,” Jay Stanley, an ACLU senior policy analyst, said in a statement. “There are numerous privacy-protecting technologies that must be included in any acceptable digital driver’s license scheme; without them, digital IDs could become an existential threat to Americans’ privacy. Though we do not agree with everything in the Executive Order, we are grateful that the administration acknowledged that digital IDs will produce harmful effects if civil rights are not incorporated by design.”

State government IT leaders have been especially wary of digital fraud within the last few years. The Government Accountability Office reported in 2023 that fraud against the federal Unemployment Insurance program alone during the COVID-19 pandemic totaled between $100 billion and $135 billion, but other estimates place the overall total much higher. Utah Chief Information Officer Alan Fuller said at a technology conference in 2023 that by his rough estimate, state governments distributed as much as $560 billion in fraudulent payments, a fact that he said made his “blood boil.”

Digital driver’s licenses and ID cards, which are not yet widely accepted, but are accepted by some airports, stores and government offices, include features designed to cut down on identity fraud, such as encryption and biometric checks. But as with any system, security analysts have shown that some digital driver’s license systems contain security flaws, such as weak encryption or lack of validation against a trusted database.

Security frameworks required by Biden’s Thursday order, like those established by the National Institute of Standards and Technology, could allay some security concerns, though any cyber efforts must also be weighed against the strong privacy language in the president’s order. It notes that digital IDs deemed acceptable for public benefits programs should be interoperable with federal standards and trust frameworks, so that wide adoption is possible across many platforms, and that it should not be possible for identity issuers, verifiers or any third party to track or surveil users.

The order notes that it should never, for example, be possible to later see “user device location at the time of presentation.”