How a National Digital ID System Could Improve the Internet
Late last month, Florida Gov. Ron DeSantis signed into law H.B. 3, a bill that will forbid children under 14 from signing up for social media accounts and require children ages 14 or 15 to obtain parental consent to access social media. The bill, along with others being considered at the state and federal levels, comes in response to growing concerns about the possibly detrimental effects of social media on children’s mental health.
The science on these questions is far from settled, and laws like Florida’s will inevitably face constitutional challenges on First Amendment grounds. These debates will continue to play out, and they’re worth having. But Florida’s regulation has been signed into law, and another, more pressing question will crop up if it goes into effect on January 1, 2025, as written: How will the government enforce it?
Doing so will inevitably require validating users’ online identities, a process that, given current technological realities, will either be ineffective or raise a host of privacy concerns. Similar issues exist with regulators’ efforts to crack down on deepfakes, bot-driven misinformation networks, and other forms of online identity fraud.
Each of these policy efforts has its political valence. Each is worthy of debate on the merits. Yet underlying them all are more essential questions: How do we make the internet governable? Can we?
The internet age has fundamentally shaken our confidence in tackling these uncertainties. Though American policymakers are certainly accustomed to debates about whether or how they should regulate a new technology, most agree that it’s generally possible for the government to do so (even if it’s not always prudent). The internet is different. It upends the concept of borders, as anything put on the internet is simultaneously “exported” to every country on Earth. Unlike physical goods, software can be easily and cheaply replicated. And perhaps most notably, anyone can broadcast to anyone else, under whatever identity he or she wishes to assume. It’s not clear that the state’s command applies as neatly in the world of bits as it does in the world of atoms.
The internet and technologies built upon it put policymakers in an unfamiliar posture, yes, but this does not mean that there is nothing the government can do. Success, however, will require a new frame of mind. Rather than simply commanding via the law, governments can build tools and capabilities that create value for citizens and help enable the policies lawmakers wish to enact. Among the best and most pressing examples of such a project is the development of a national digital identification (ID) infrastructure.
As of this writing, 67 senators have co-sponsored the Kids Online Safety Act (KOSA), legislation that aims to create safeguards for children using the internet. State governments across the country have approved bills with broadly similar aims. But setting aside the legitimate substantive debate about these bills, one common question looms over them: How does an internet user prove their age?
New legislation aims to alter age verification processes, which up until now have largely been governed by the honor system. Under KOSA, for example, the Federal Trade Commission and state attorneys general would be empowered to bring investigations against companies that expose children to content (and even user interface designs) that are deemed “dangerous” for them. Unlike earlier laws, such as the Children’s Online Privacy Protection Act (passed in 1998), KOSA carries potentially serious legal consequences for social media website owners. Thus, the honor system will not do, nor will inferences made by algorithms (which, incidentally, only a fraction of the companies covered by laws like KOSA are in a position to develop). Companies covered by these laws will need to prove their users’ ages somehow, likely by collecting their phone numbers or state-issued IDs.
Under KOSA, all types of firms—from publicly traded companies such as Meta to midsized enthusiast websites such as Strava (a social media network for runners) to purveyors of online pornography—could need to collect your ID. Already, this raises serious privacy concerns. Policymakers have railed against firms like Meta for their aggressive data collection tactics, yet these laws mandate the collection of sensitive user data. One shudders to imagine what a pornography website might do with such information.
Florida’s H.B. 3 is even more complicated: because it requires parental consent for children between 14-15, affected social media platforms will need to validate not just the age of children but also the identity of a child’s parent or guardian. The law does not provide any guidance on the specifics of how any of this is to be done.
It gets thornier. Artificial intelligence (AI) image generation models have been used to create convincing photos of fake driver’s licenses, and the odds of this capability improving over time are high. And, of course, these same image generation models will be used in countless other ways to impersonate people against their will and without their knowledge. The ability to do so with video and audio is similarly advancing rapidly.
There is a wide chasm here: We cannot robustly prove who is who online. In the physical world, the government is the source of canonical forms of identification, from driver’s licenses to passports and green cards. How might that function translate to the digital realm?
Ideally, such a system would be based on physical (and hence difficult to replicate) characteristics that uniquely identify an individual. It would also be provably secure so that no one, including the government, could monitor the activity of individual users. (When you present your driver’s license at a bar, no centralized government database is being pinged—that should be the case with any online verification.) Finally, such a system would ideally permit users to share only relevant, necessary information. For example, if a user wants to access adult entertainment online, all they should need to prove is their age. Not their name, not their specific date of birth—just a single data point: Are they at least as old as the law requires them to be?
Recent technological developments present a unique opportunity for the government to create a digital public infrastructure for such identification. Most Americans carry around devices with biometric authentication hardware everywhere they go (fingerprint, iris, and face scanners have been common in smartphones, tablets, and laptops for more than a decade), making unique identification easier. We have also made great strides with end-to-end encryption, a cryptography technique that allows two parties to exchange information while keeping the information fully secure while it is in transit. Cryptography researchers and startups (often working on blockchain technologies) have made substantial progress on so-called “zero-knowledge proofs” that enable the kind of selective disclosure where users only prove specific information.
These developments suggest a national digital ID system is possible in the U.S. But how would the various components fit together? Here, international examples can offer some guidance.
India, for instance, has implemented the Aadhaar system, which provides citizens with a unique 12-digit ID number linked to their biometric and demographic data. To enroll, citizens visit an authorized center to provide fingerprints, iris scans, and a photograph. Once the ID number is issued, it serves as a universal proof of identity for a wide range of services—from opening a bank account to filing taxes and receiving government benefits.
Estonia is perhaps the most celebrated digital infrastructure innovator. Its system, called e-Estonia, is based on a digital ID card that allows citizens to securely authenticate their identity online. A chip-enabled card is used in combination with a PIN code and serves as a legally binding digital signature. This allows Estonians to easily access more than 5,000 e-services spanning health care, voting, education, banking, and more. Essentially all government services are digitized and accessible online. Estonia has also implemented X-Road, a data exchange layer that enables secure, decentralized data sharing between public and private databases.
Neither country’s system is perfect, and both would undoubtedly need to be modified for the U.S. Americans, with our healthy tradition of federalism, are more used to identity being provided by state driver’s licenses. Obviously, there are security concerns with a centralized database of citizens’ biometric data. The system would need to be used more sparingly than elsewhere in the world because of our robust protections for free speech. It is inconsistent with most interpretations of the First Amendment, for example, to forbid anonymous speech as a matter of law. Therefore, social media platforms probably shouldn’t be required to connect every account with the account holder’s real identity. Perhaps most importantly, Americans’ trust in government is low and unlikely to rise in the foreseeable future.
On the other hand, a capability of this kind would be a useful countermeasure against social media bots. It would be possible, for example, to have a “blue check” indicating one’s personhood, even if the account in question is anonymous. “Spear phishing” emails involving the impersonation of a specific individual could become much easier to spot. Identity fraud and cybercrime, while not disappearing by any means, would become more challenging. Debates over bills like KOSA could focus on the substantive merits (is it right to censor the internet for children?) rather than on implementation details and user privacy concerns.
Digital public infrastructure is not easy. Nontrivial technical challenges abound, and some might reasonably debate whether the government or private companies should build these capabilities. While it would make sense for the government to collaborate with the private sector to build such a system, the state may end up carrying the load for the same reason that our passports and driver’s licenses are not handed out by corporations: because infrastructure of this kind is ultimately a public good. In an ideal world, digital identification would be free, widely available, and fully private, but it is not clear how a privately owned solution would satisfy all three criteria. Nonetheless, there is an ecosystem of startups approaching this problem from a variety of angles. If the federal government does not provide this service, it will likely be provided by market actors with all the strengths—and weaknesses—that implies.
Even if the technical challenges can be delegated to private firms, the political obstacles cannot be. Convincing Americans that digital ID technology really is secure and reliable will be an uphill battle—as it should be. Digital IDs are still a new idea relying on recent technology, and the government has not always shown itself to be a capable tech developer or a faithful steward of Americans’ privacy. Public skepticism is justified. For that reason, policymakers would be wise to find small-scale ways to deploy and test this technology before rolling it out broadly. In the same vein, the overseers of the system will likely need to iterate rapidly to real-world conditions and user feedback—another characteristic of successful 21st-century organizations that our federal government has largely failed to cultivate.
In a deeper way, then, digital public infrastructure offers an opportunity for the federal government to demonstrate to its citizens that it can evolve to meet the needs of our current era—an opportunity to earn trust. Perhaps that, even more than the infrastructure itself, is what America needs most.
