The DHS Science and Technology Directorate (S&T) and the U.S. Citizenship and Immigration Service (USCIS) have joined forces to issue digital credentials using openly developed, free to implement internet standards. Here’s what this means and why it matters.
One of the critical challenges of our technology-driven, interconnected world is identity.
Without even speaking a word, we identify ourselves every day and in many different ways. Perhaps you enter a PIN to sign-in to a bank account or use a password to login to your health benefits. You scan your own face to unlock your phone to access some of the apps running on it. You swipe an ID card with a magnetic stripe to enter your office building. And of course, when you travel or work abroad, you must identify yourself with a passport. But what are you sharing when you identify yourself? Where does that identifying number or document come from, and who controls access to it?
S&T is working to help make your identity more secure, and to put control over your privacy and personal information into your own hands. Jared Goodwin, Chief of the Document Management Division within the Office of Intake and Document Production (OIDP) at USCIS, was also working on these issues. OIDP is tasked with the production of all immigration documents—they design the documents and acquire the vendors to produce them. USCIS wants to be able to issue digital credentials, like a green card, to a smartphone, which would be easier to carry and use, more secure, and it could be supported online. Actions like renewing and modifying immigration status would not require standing in line at an office somewhere.
Jared discovered S&T’s Silicon Valley Innovation Program was exploring similar solutions. “They’re going out to industry to look for ways to partner with agencies to prevent forgery and the counterfeiting of certificates and licenses,” he said. Jared contacted SVIP and the solution that they settled on together is to use two openly developed, global standards called Verifiable Credentials Data Model (VCDM) and Decentralized Identifiers (DID).
Created by the World Wide Web Consortium (W3C), a global standards development organization, with the support of S&T, USCIS, and many other like-minded partners, these standards describe how a secure, privacy respecting digital credentialing process can be implemented.
DIDs are unique identifiers that can be assigned to organizations, devices, or people. A DID, unlike a social security number, functions solely as an identifier and cannot be used for verification, as that role is deliberately separated and implemented using public key cryptography.
VCDM is a way to express credentials in a way that is cryptographically secure, privacy respecting, and machine verifiable. In addition, this standard enables a person to minimize the disclosure of personal data by implementing selective disclosure capabilities.
Selective disclosure allows digital credentials to contain many pieces of information but gives the user discretion to share only the specific information required for a particular transaction with the government or non-government entities, rather than disclosing the entire contents of the credential. So, the ability to selectively share, with consent, only pieces of information needed for a particular encounter is a highly desired capability.
Consider this example: a customer attempts to purchase a six-pack of beer at a convenience store. The way it works now, the cashier asks for an ID to verify the customer is old enough to buy liquor, but when they hand over their driver’s license…what else are they handing over?
Think about that very common transaction for a moment: a state-issued document from a department of motor vehicles, which is intended to demonstrate the qualification to drive a car, is presented to verify that you are older than 21. This document shares your date of birth, address, ID number, organ donation status, if you need to wear glasses, even your height and weight.
Part of the promise of the W3C standards is the ability to share only the data required for a transaction. In the scenario above, when the cashier asks for proof that you are older than 21, the customer could use the digital Permanent Resident Card on their phone to prove their verified age without sharing any other information (not even a specific date of birth). This is an important step towards putting privacy back in the hands of the people.
The DHS Privacy Office, charged with “embedding and enforcing privacy protections and transparency in all DHS activities,” has been brought into the process to review the W3C VCDM/DID framework and advise on any potential issues.
“Beyond ensuring global interoperability, standards developed by the W3C undergo wide reviews that ensure that they incorporate security, privacy, accessibility, and internationalization,” said SVIP Managing Director Melissa Oh, “by helping implement these standards in our digital credentialing efforts, S&T, through SVIP, is helping to ensure that the technologies we use make a difference for people in how they secure their digital transactions and protect their privacy.”
“Going forward, the government wants to ensure individuals have agency and control over their digital interactions,” said Goodwin. “The user should be able to own their identity and decide when to share it, and we don’t want a system that has to reach back to an agency for verification.”
Thanks to the work of SVIP, USCIS and many others, digital credentials using W3C VCDM and W3C DID standards are going to become more and more common in the near future. The work will make a big difference preventing identity theft and forgery, allowing individuals to control their own personal information and privacy, especially online.