Skip to main content

tv   Hearing on Digital Privacy  CSPAN  July 22, 2021 2:16am-4:00am EDT

2:16 am
2:17 am
the staff of any stripe not to mute members been sent when a member is not being recognized and there's inadvertent background noise. members are reminded that may participate in only one remote proceeding at a time so if you are participating today please keep your camera on and if you choose to attend a different remote proceeding please turn your camera off. this hearing is entitled "i am who i say i am: verifying identity while preserving privacy in the digital age" i now recognize myself for four minutes to give an opening statement. today we're here to explore how we can leverage the power of artificial intelligence to create a secure digital identity and how we can leverage those capabilities with digital infrastructure such as mobile id to make internet access safe or more available and equitable for all of us. digital identification is a long overdue and necessary tool for the united states economy to transition into the digital age. while preventing fraud, cheering privacy and improving equity.
2:18 am
especially since code we find yourselves ourselves increasingly working, transacting and interacting online and in hand with that identity theft is at an all-time high with over 1.3 million reports to the ftc in 2020. digital identity would provide americans with the way to prove who they are online anymore secure manner. people could use to sign up for government benefits, make withdrawal from the bank or to view their medical records. all with the risk of identity theft or fraud approaching zero. reducing identity fraud would not provide tremendous savings to individuals and consumers but would also create massive savings for our government as well. however, it's important to get this right. we must ensure that it digital identity from work is established with the utmost emphasis on privacy and security. that's why i've introduced the improving digital identity act of 2020, a bipartisan measure to
2:19 am
establish a government wide approach to improving digital identity. this bill would establish a task force in the executive office of the president to develop secure methods for federal, state and local agencies to validate identity attributes to protect the privacy and security of individuals and support reliable interoperable digital identity verification in the public and private sector's. this is the first step for the chairman -- determine what our government needs to implement this technology. using the power of ai we can detect suspicious activity, catch bad actors and greatly improve our outline validation and authentication process. i thank all our members and what witnesses for being here today. i look forward to this discussion to find out how we can best use artificial intelligence and digital identity to improve the lives of everyday americans. the chair now recognizes the ranking member for five minutes for an opening statement.
2:20 am
>> first off thank you, chairman foster for your leadership on this task force and convening today's hearing and witnesses. i want to commend all of your hard work on this issue and being a thought leader and codis added better protect personally identifiable information for americans across the country. i've enjoyed our dialogue on that and look for to continuing them. at today's hearing provides an opportunity of directly from industry experts and stakeholders on advancements improving the protection of america's personal identity. the task force held a similar hearing in 2019 and it is important to continue to consider gaps that persist and the proper role the federal government going forward. as the consumer it often feels like you need to share every important detail of your personal identity in order to even think about creating an account with a financial institution or other internet service provider. sharing her driver's license, social security number, sometimes your passport and other sensitive information online can be intimidating and
2:21 am
to make consumers question whether their information is safe and secure. and it's not hard to see why financial interest firmest, cybersecurity attacks approximate 300 times more quickly than other businesses. these have occurred as factors have become more sophisticated and have amassed troves of data on american citizens. this along with wealth of data americans share daily via social media has been about criminals to take advantage of the current identity system which they then used to commit theft and fraud. to the court of private industry we have seen tremendous advances in technology to secure americans private information and identity. the use of ai machine learning and blocking technology has allowed for new forms of analysis that can verify individual identity in a secure way. now it is time for congress to work with federal regulators to ensure the united states is equipped with the tools necessary to keep pace internationally. we should consider proposal such as improving digital identity
2:22 am
act which will establish a task force with the federal government to engage with relevant stakeholders. it requires us to build a framework of standards to follow when providing services to support digital identity verification. i commend him and my other colleagues for the work on this thoughtful legislation. beyond the obvious concern regarding fraud identity theft i'm looking forward to learning more about how other forms of verification can increase access to financial services and inclusion. this committee should champion new technologies and the ability to break down barriers that prevent low-income americans from accessing critical banking services. digital identity technology provide a lot of promise and opportunity to further inclusion in our financial services space. i look for it to the discussion today, and i yield back. >> thank you. today we welcome the testimony of our distinguished witnesses. first with mr. jeremy grant, coordinator of the better identity coalition. next we will have mr. david
2:23 am
kelts, director of product development for get group north america. next we have dr. louise maynard-atem, research lead, we identity. next we have professor elizabeth rené harris -- xt become founding director of the notre dame ibm technology at the clapton universe of notre dame. at last with mr. victor fredung, the chief executive officer of shufti pro. witnesses are reminded their oral testimony would be limited to five minutes. you should be able to see a timer on your screen that tells how much i have left and a timer will go off at the end guitar god ask you to my full of the timer and quickly wrap up your testimony when you hear it so we can be respectful of what witnesses time and the members time. without objection your written testimony will be made part of the record. i would just want to also take a
2:24 am
moment to visit government you on that high quality of your written testimony. it's worth reading more than once because of the deep and important observations that it makes about where digital identity is and what should be going in her country. mr. grant you are recognized for five minutes to give an oral presentation of your testimony. >> thank you, chairman foster, ranking member gonzalez, nevers of the committee thank you for the opportunity to testify today. i'm here on behalf of the better identity coalition an organization focused on bringing together leading firms from different sectors to work with policymakers to improve the way americans establish protect and verify their identity when they're online. our members include recognized leaders from financial services, health, technology, security. yesterday marked the three-year anniversary of the release of identity policy blueprint which outlined a set of key initiatives that government should launch to improve identity that are meaningful and, in fact, and practical diplomat. temperament.
2:25 am
our 24 members are united by common recognition the way we handle identity day in the u.s. is broken and by, desired to see both the public and private sector's each take steps to make identity systems work better. on that note i'm grateful for the ai task force for coal industry today as well as to chairman foster for his leadership on this topic and the legislation in congress when capco and others introduce two weeks ago improving digital identity act to 2021 is the single best way for government to begin to address the inadequacies of america's identity infrastructure. infrastructure at high level that should be one of the top takeaways from members of this task force today that identity is critical, infrastructure needs to be treated as such. dhs had as much an twin-engine when it declared identity is one of 55 national critical function defined as those services so vital to the u.s. that their destruction corruption or dysfunction would have the building effect on security but compared to other critical functions identity has gotten
2:26 am
scant investment and attention into proving identity act if approved will get us started. we are overdue to get started. the enormity of the problems, the magnified several times over the last 18 months and that's the pandemic that made it impossible to engage in most in person transactions. the pandemic may bear the inadequacies of our digital identity infrastructure enabling cyber criminals to steal billions of dollars and creating major barriers for americans trying to obtain critical benefits and services. more than $63 billion was dollars was stolen from state unemployment insurance programs i cybersecurity criminals according to labor department. on the flipside we sent hundreds of stories of americans who have been unable to get the benefit they desperately need because application for an appointment had been falsely flagged for fraud when they find themselves unable to successfully navigate the convoluted and complicated processes many states have put in place to verify identity. beyond and upon the inadequacy of identity infrastructure
2:27 am
remains a a major challenge in financial services. fincen flasher reported banks are losing more than $1 billion each month due get identity rooted cybercrime. in london's americans can't get a bank account because they don't have the foundational identity documents needed to prove who they are. id theft losses soared by 42% last year. why are the summary problems? hackers have caught up with a lot of the first generation tools we've used to protect and verify and authenticate identity. while bastion might've driven this point on the reality is these tools of invulnerable for quite some time. there's a lot of reasons for this but the most important question is, what should government and industry do about it now? if there's one message comitia take away from today's hearing is that industry said they can solve this alone. we are at a jumped with the government will need to step up and play a bigger role to help address critical bulletin was in our digital identity fabric. passing improving digital identity act is where we should start. why is government action needed? as one of our members noted the
2:28 am
title of this hearing, i amboise a.m., a stack in great because when it comes the duty you are who the government says you are. at the end of the big government is the only authoritative issuer of identity in the u.s. identity system that the government administers are largely likely stuck in the paper world where as commerce as increasing moved online. this idea of identity gap a complete absence of credentials built to support digital transactions has been actively exploited by adversaries to steal identities, money and sensitive data and to defraud consumers, governments and businesses like the one industry is come up with tools to get around this identity gap the adversaries have caught up with many of them. going forward the government will need to take a more active role in working with industry to deliver next-generation remote id and permit solutions. this is not about a national id. we don't recommend when be created. we have a number of nationally recognized authoritative government identity systems,
2:29 am
driver's license and passport, ssn. but because of this identity kept the systems are stuck in a papal rome while is moving online. to fix this america's paper-based system should be modernized around privacy protecting consumer centric model that allows consumers to ask an agency that issued a credential to stand behind in the online world by validating information from the credential. exactly what the improving digital identity act would do in a way to set the high bar for privacy security and inclusivity. thank you for the opportunity to get spy today and note i've submitted lengthier testimony for the record including some recommendations on ai and dignity. i look forward to answering your questions. >> thank you, mr. grant. mr. kelts, you are now recognized for five minutes to give an oral presentation of your testimony. >> thank you, chairman foster, ranking member gonzalez, members of the committee. appreciate the opportunity today. i am david kelts representing myself and support of forming aa global driver's licenses and forming governance for identity
2:30 am
ecosystem that reinforces american values of privacy equity and freedom while spurring innovation. i'm the director of product development for get group north america which is -- driver's license -- [inaudible] and have been a member for over five years of the working group that wrote the 18013-5 standard. i leave the evangelism task force for that group and i was lead author on the privacy assessment with the mini international collaborators. mto is a digitally assigned id docking place on a mobile phone the correct individual for example, to control. government issuers around the globe are the signers of the identity information and the signature allows for use in mdl when government issued id information is legally required including for in person transactions. you don't show your mdl to someone else. imagine if crucially red card numbers to merchants through our phone, screenshots and editing
2:31 am
tools would result in fraud. instead you tap or scant and share a token with a fire or reader and that token can be used to reflect a subset of the mdl data. the mdl holder has full consent of what they share and with this data people can get -- around the country, , around the globe. this minimizing of data is nested for the transaction -- [inaudible] where full data is always printed on the front and found in the barcode on the back. [inaudible] data transfer in person usage, design to fit next to other identity standards like open id connect and things like user authentication. there are challenges to empowering americans with this document in order for us to meet the values and goals of all the
2:32 am
people protect identity information, giving greater control and flexibility to the rightful -- supporting accuracy of these operations at least come with the goals of improved privacy and inclusivity and access for all. these goals for mdl in person are the same as the goals of identity in cyberspace. mdl itself naturally forms and ecosystem. the government issuers on the signers of the data so they have a passive role in lending trust to the transaction. this is a form of a public key used to validate the accuracy integrity and province of the data. the technology works today in a functional -- issuers must take the first move. this sets the challenges in funding a digital transformation that benefits the residents and businesses within any state. it's not always enough rationale. consumer pays model seems to be taking hold similar to our id
2:33 am
cards. so they can require legislative approval. support for this transformation at the state level -- american values at the forefront and kickstart -- [inaudible] market forces alone will not shape and identity ecosystem that meets our values and goals. price pressure has been driven by these privacy invasive data-gathering and advertising policies. the software is free, , then you on the product. and kickstarting market forces if they don't have it is possible that entities with very deep pockets could swoop in and meet the market needs to own and identity system. so challenges exist on this site as well and the verifier side. that can lead people with no place to use the digital id. across the globe to our government led frameworks like
2:34 am
australia, privately read frameworks and public-private partnerships -- [inaudible] i recommend initiating a public-private partnership to define a framework that meets our values and goals from the existing pieces and that can enforce those requirements. this can kickstart identity solutions of many types to meet our goals in the digital transmission. federal agencies can continue to lead and lend their expertise to this, and can be incentivized to accept mobile driver's licenses for things like tsa agents. dhs innovation programs can be focused from architectural goals to deployment of contactless id technology. we welcome -- expand the participation of the federal government and federal agencies. thank you.
2:35 am
>> you are now recognized for five minutes to give an oral presentation of your testimony. >> good afternoon and thank you, chairman foster, ranking member gonzalez and the other members of the task force. my name is louise maynard-atem, i'm the research late for the nonprofit organization women in identity an organization whose mission is to ensure that digital identity solutions are designed and built for the diverse communities that they are intended to serve. we are a volunteer led organization and we all work in the digital identity sector. entirely independent and not in the interest of any one organization or individual but we are all united by the belief we need identity systems that work for everyone by ensuring they are free from bias and that's a specific topic i'd like to talk about. so need have been a present requirement for many years as more businesses have moved their operations apply online te
2:36 am
pandemic accelerated that and the need has become more critical in the last 18 months. the shift -- unique opportunity for enable economic and societal value creation assistant to come the gatekeeper to services like online banking and e-commerce and interest. however we also need to recognize the use of technology in the systems has the potential to further entrench and exacerbate the exclusion of advised practices that exists in society. since we're digitizing what were analog processes and utilizing more data would be a missed opportunity deliver systems and services that benefit all. eliminating identity -- women in identity believes it doesn't happen under some. requirement must explicitly mandated. there's countless examples of where exclusion and buys have been mandated against and in many of those instances systems have been built often based on
2:37 am
characteristics like race, gender, culture, economic background or disability. according to a recent population poll, approximate 11% of adults don't have government issued id documents, approximate 80% of adults don't use -- and 5.4% of u.s. households are unbanked. government issued ids come smart phone, having a bank account can often be the building blocks use for creating digital identity for individuals. it's essential in solution we develop has to be accessible to all the groups i've mentioned and doesn't cause them to be for further excluded from opportunities for such technology might present. if you think about the physical world we would never erect buildings that were not accessible to welcome features like wheelchair ramps are mandated. we need to make sure we are mandating equipment accessibility in the digital world. women and identity we see the move towards identity trust frameworks being developed at the need for inclusion and testing is being explicitly
2:38 am
called out. the uk digital identity is a trust framework that women in a denny was consulted. this one looks at that recovers to help organizations understand what is good verification looks like. there are explicit coats the make products and services are inclusive and accessible and organizations require complete annual exclusion report to transparently explain it use groups are excluded and why. information commission in uk has funded the framework but lays caution digital identity in the system i rely on automated processing due to use of algorithms artificial intelligence within the systems. also making action major decision-making may have effects did a bias in the system does i come out of it and use for the data sets use integration of the products or service. at women admitting there currently is a research this seeks to understand the societal and economic impact of exclusion
2:39 am
in the context of digital identity is specifically within financial services. we hope this research will inform a creation of a code of conduct to up providers identify and mitigate potential areas of buys, exclusion and product design. to ensure the industry is moving products for everybody, not just select few. to conclude we believe in order to achieve the full system, closure requirements must be specifically and explicit mandated for with any regulation or legislation and also they must be vetted on ongoing basis. there are a number of examples in my written testimony why described how this is being done and i strongly believe the benefit in the benefit of sharing best practices and lessons learned with other industries and advocacy groups to ensure that we're delivering system that enable all citizens equally. thank you very much for your time and i look forward to your questions. >> thank you, dr. maynard adam.
2:40 am
professor renieris, you are now recognize for five minutes to give an oral presentation of your testimony. >> thank you, chairman foster, ranking member gonzalez and members of this task force for the opportunity to testify before you. my name is elizabeth ringers, i'm founding director of the notre dame ivy and technology ethics at the university of notre dame, technology and human rights fellow at harvard kennedy school and at the at stanford civil society lap. my research is focused on cross data from an ethical and human rights implications of did like in the systems, blockchain technologies. i'm testify in my personal capacity and my views do not necessarily reflect those of any organizations with which i'm fla. i begin my legal career as an attorney work insiders get a policy of the department of homeland security and what i do practice for the data protection privacy lawyer in three conus. i'm a console of that opportunity advise the world bank, yuki parnevik, others on data protection, blockchain, ai
2:41 am
and digital identity and i'm grateful for the opportunity for this important topic today. as labor the back the pandemic we depend on digital global services for work, school, healthcare, banking, and did all aspects of life. we have limited visibility into our what is on the other end of the digital interaction or transaction. even before the pandemic vulnerabilities of digital systems attacked her inch display, hospitals, financial institutions and of the critical infrastructure. as these sectors are digitized automated and manipulated, increasingly depend on secure digital identity. as we evolve into world with internet and everything with all manner of ip devices network technologies and other connected systems the digital is becoming the built environment. without secure reliable and trustworthy digital identity people entities and things this new cyber physical reality is increasingly vulnerable to a
2:42 am
task threatening individual safety and national security. digital identity is becoming critical infrastructure. presently -- profit maximizing biz upon the threat of privacy security and other fundamental rights of individuals and committees. often they incorporate new and advanced technologies such as ai, machine learning, blockchain and advanced by metrics that are not well understood and not subject to government frameworks. in order to engender trust and safety and security in the digital ecosystem we need trustworthy statement security identity. in order to engender trust safety and security in our society when he did a point it ethically and responsibly. recognizing the growing importance of digital identity in seeking to rein in the private control over it makes are prioritizing efforts to design and build the infrastructure needed to support
2:43 am
robust virtual identity. for example, the european commission has worked on a public electronic identity or eid to access digital fashions of including as altered to privacy and basic solutions such as log in with facebook or google. even as with hundreds of framework for ethical ai, we like any specific it identity. to remain competitive avoiding closure of the public sphere to privatize identity scenes and protect the salah human rights of americans the federal government must take the lead in shaping the technical commercial legal and ethical standards for the design development deployment of the systems and critical for such a great approving this this is a gt step in the direction. such as dams must not only include best practices which picked up right here security of data but also measures for fans, conspiracy and accountability on the part of entities designing and deploying the technology. strong enforcement oversight and adequate remedies and redress for the people impacted. they must also address the risk
2:44 am
of exclusion and discrimination in the specific challenges assays with use blockchain ai and other emerging technologies to we must avoid building digital id system in a way that would further -- [inaudible] when we move through the physical world today we are really rarely asked to identify ourselves. by exhibiting grayson has a digital component and as a market for digital id grows where at risk of slipping that paradigm. to avoid erosion of privacy we will also need guardrails around the use of the systems going when and why identity can be required. if we're not careful we might go from identity as exception identity as the rule. to summarize my recommendations to congress we must recognize that digital identity is critical infrastructure the federal government must lead to great standards for safe secure and trustworthy id. those standards must address specific challenges associated new and emerging technologies and assure public option and
2:45 am
finally we need guardrails around the use of id to avoid id become an enabler. thank you again for the opportunity. i look forward to your question questions. >> thank thank you, profess. and your timing was accurate to the second, so my compliments on that as well. mr. fredung, you are now recognize for five minutes to give an oral presentation of your testimony. >> thank you, chairman foster, ranking member gonzalez and distinguished members of the committee. i'm excited to beer and thank you for inviting to testify before you today on this very important topic. my name is victor fredung, cofounder and ceo of shufti pro. shufti pro is an identification and compliance platform that provides service to government agencies and companies throughout the world. our services primarily focused on identification are with more commonly heard as know your customers relax and use of tech doge such as artificial intelligence and machine learning and has been used by companies from all points of the world. also verify documents.
2:46 am
when it comes to identification most lines utilizer services that combine face recognition and -- [inaudible] we're taking appropriate steps. in addition we also refer to the approach of verification -- [inaudible] we allow clients -- how it should be performed. this is crucial for businesses to comply with requirements. i think we can all agree the timing of this particular subject is entirely in line. during the epidemic -- relied more and more on the use internet for everyday tasks. [inaudible] i would like to discuss a couple topics with you today come first
2:47 am
and only have can help customers. to give you the background story of ourselves we start our journey back in 2017 windows this is a relied on either use hybrid or -- to find customers. the hybrid approach -- [inaudible] the problem is for so it's not scalable. secondly is also very time-consuming. so we did use artificial intelligence and machine learning tool accident features. for example, -- [inaudible] we saw some coaches might try to tampa with some force of the documents so we develop our anti-spoofing technology combines verification to verify customers are who they say they
2:48 am
are and organizations verified identity. by experimenting with the usage of automated technology we not only saw verification could be processed at a much faster pace we saw identity theft increase significantly since sophisticated forces with security changes on secretary of labor the second topic is regards to data privacy and out in users can be secured providing their identity. as we all know -- [inaudible] it's the end-users that gets compromised. there is different ways to try to solve this and that's an example by utilizing one device were normally data is transmitted elsewhere. another software any as provided is -- [inaudible] they simply ask for confirmation the cast was successfully verified by the proper standards. here is unfortunate problems since most require data --
2:49 am
[inaudible] i would like to mention our research into the many different types of frameworks and documents combined. used in the united states we see different requirements and obligations from different sectors. in addition to each date own of unique set of documents. this provides a problem for a lot of companies that only in the united states but across all over the world where requirements, documents get -- no universal framework. we suggest continued pursuit of
2:50 am
universal framework for each state needs to follow when it comes to selection of id documents and the unified requirement when it comes to what information needs to verify i have verification should be performed. i support the digital identity act. thank you for inviting me to testify today and and i lood to your questions. >> thank you, and i will now recognize myself for five minutes for questions. just to get an initial idea of what the scope of improvement that we might be able to see if we're widespread use of high-quality and mobile id. if you look at the large hacks that it hit the headlines, the colonial pipeline, the dccc hack a few years back. what fraction of these would be largely unlimited if we're widespread use of mobile id second verification instead of
2:51 am
just passwords? >> i'm happy to jump in if i can. i think most of them, i think it's a monopoly these days when a major incident happens and identity is not the attack vector. though i want to differentiate, we talk about identity, to me we're talking two things. there is identity spoofing, which are due when you open an account and then i authentication, tiger login. a lot of the fraud we've seen in unappointed systems has been taking advantage of the identity proofing. you prove you're bill foster for first-time and which bill foster gillett there are probably several thousand of you. we basically saw stolen data used to cut to whatever protections a lot of states had in place or in some cases they had not at all to steal billions of dollars with regard to the other breaches we've seen, colonial pipeline, somethings with ransomware, much more focus on authentication, copper was a
2:52 am
password or compromise somma first-generation forms of multi factor authentication like ones based on the code that is texted to that is now fishable as well. overall, both identity proofing and it is occasionally big problem. if we could close both of those gaps unity to start to raise the cost of attacks for a lot of criminals and make it much harder for them to do the things they have been doing. >> okay. one of the things i think many of you mentioned in your testimony was how covid has sort of changed the profile of identity and the need, the fact were moving more and more online, is becoming more important. the other thing that's happened is that real operation agreement that we have to get a broadband connection to essential all-americans and that there's a real federal role in subsidizing that. i think that republican talking
2:53 am
number was $65 billion that should be dedicated, democratic counter offer was 100, as long as, if we end up anywhere between those numbers will have a real step forward for closing the digital divide and getting at least a low-end digital device in the hands of all-americans and broadband accounts. so given that, how would you then piggyback products, for example, digital driver's license or other ways, how do we get this so that's the second part of provisioning a broadband and digital identity people? >> anyone who wishes to grab it. >> so yes, i think that access to broadband, access to connectivity can increase accessible to everyone and i would say that fits into the same level of accessibility as getting an id card that you currently have.
2:54 am
and being able to use that. the technology in mdl, i speak about that come is geared to use on really any fun because there are multiple ways you can interact with that for in person, and we expect we can cover vast majority of phones that are out there provide them something that allows for the transmission. i think that would be a huge step towards accessibility for everyone for mobile identity. >> when we do this how do we make sure the equity issues are addressed properly? let's go to the phd material scientists to weigh in on this who seemed very interested and involved in this set of issues. >> as soon as you start to drive access for everybody then there are lots of different solutions you can put in place. we're establishing a a baselif a point have access to some kind of device, then i think that
2:55 am
really levels the playing field. undressing avenues have a smart phone. everyone needs to have access to something and that's a big hurdle serling uk going about on that .6 don't have access you could say someone says you are you and we can take that a steady but if there's -- to provide a a duty with some kif technology so they can use services then that really knows the policy debate far forward. >> you mentioned in your testimony the eid effort in the eu, is that correct? i'm out of time. okay. for members who are interested, if there's time we will probably people have time for a second round, and if that fails will continue our tradition at the end of the formal part of the hearing i will gavel it closed and we can just sit around and talk, sort of the zoom equivalent of just hanging around in the room and talking with the witnesses, which is
2:56 am
often the most valuable part of the hearing. i will now recognize a ranking member for five minutes. >> thank you, mr. chairman for holding this hearing and for our witnesses here today. before i get stored i ask unanimous consent to add to the record a letter from the national association of convenience stores. >> without objection, so ordered. >> thank you. mr. grant, i want to start with you and look forward to reconnecting down the road. as we were talking yesterday off-line, i told you i'm excited to support mr. foster's improving digital identity act. it's a step in the right direction for sure. my question is, beyond the improving digital identity act, what additional areas should this committee be focus on from a legislative standpoint with respect to digital id? >> data for the question,
2:57 am
congressman. good to see you again. i say starting with the foster bill, look, it's a great place to store in that it finally starts to pull together what i would call a whole of government approach to looking at this issue. one of the challenges we have in the u.s. is we have nationally recognized authoritative identity systems but there's --, per certificate from the county i was more income state dmv gives my driver license and other passport from state farm. what's great about that bill is it looks at how to take a consistent standards-based approach so any american could ask any of those entities to bat for them when they're trying to prove that the our online at the peak was mentioned also has ass a high bar for student privacy. the questionable come -- has missed makem particularly in the states where i know david talked about the work you do with mobile driver's licenses. i think there's a concern that
2:58 am
while there's a handful of states doing things now, if you're not going to actually invest dollars in trying to jumpstart productivity in the states, that it might be say 15 years before we start to get to critical mass of people having some digital corollary to the paper documents, and that's going to be a real issue. the infrastructure bill is being negotiated as chairman foster border pointed out would be a great place to put someone in to help accelerate that. beyond that the more a i is going use the republic be more questions to be asked, and this task force is currently a a gt place to evaluate some of those considerations. >> great. ms. renieris, eric goosby on the legislation we should be considering at the committee level to foster greater digital identity act. >> thanks for the question. i would say firstly on the legislation in particular i would like to point out flags
2:59 am
unconcerned about which is a reliance of consumer consent. as we've been having conversations around state and federal privacy legislation, i think there's growing awareness around limitations on consent-based framework in this context. going forward it might be worth reconsidering the basis for some of the personal data processing involved in these identity systems. separate and apart from that really a lot of this is quite of the idling infrastructure and other sectors. for example, even if you had a robust whole of government approach and created the technical standards for nist or otherwise used on the problem for example, if her healthcare infrastructure can't adjust the stands or those technologies. you have to think about other upgrades across critical infrastructure and other sectors in order for this to be woven in and layered on top. i think the third thing is really something that's already been pointed out around
3:00 am
mandating inclusion in the conversation. as we've expressed in our testimonies and as we've seen in the field there can be lack of diversity of conversation. in addition to the interagency diversity i think the divergent expertise at the table is really critical. >> thank you. and mr. kelts, in utah, what are the biggest learnings, and i'm looking for sort of areas, things have been difficult that this committee should have on our minds as a program moves forward. >> so i think what we've seen from consumer is larger than expected in which is been great. we are very early in the pilot program and position people, that's the key thing. as will the demand from businesses. the bill before the state government to engage businesses along the whole process right from the beginning to engage
3:01 am
stakeholders has been a huge advantage for making this work in utah. >> great. i see i out the tiger i yield back, mr. chair. >> thank you. the chair will now recognize the chairwoman of the full committee, representative waters, for five minutes of questions. >> thank you very much. i'm on now. first of all, monster hunter mr. fosdick and i want to thank you for the attention your paid to this i can vacation issue and the work that you are doing that is so important. i would like to ask doctor maynard added a question f this been answered already been i won't proceed with this and i can talk about it with you later on. it's about the use of artificial intelligence of course the individual identification that is raise concerns about algorithms bias. as you know smart phone authentication can employ voice
3:02 am
facial recognition technologies but these technologies have been shown to exhibit bias against women and minorities work in fact, researchers have found that facial recognition technologies false identified black and asian faces ten to 100 times more than white wines, and false identified women more than they did men. do you have any concerns that a digital identity system could also have this kind of bias? if so what steps need to be taken to eliminate this bias? >> thank you for that question. i think there is always a risk, but if you're starting to produce emerging technologies like artificial intelligence, you run the risk of bias creeping into penny on the way that the systems have been built and the data the systems have been tested upon. a lot of the issues from homogeneous test data being used
3:03 am
to test the system. when they are learning how to recognize faces they are tested and trained on a very homogeneous data set so that might be all-male. that might be majority male or majority of people at one particular race. i think the way we over correct for that is by ensuring that the data we're using could build algorithms to build these things up, to test facial cookers amend and women to make sure that test data is as diverse as the population that the system is then going out to serve. we need to make sure we are equally representing both genders, all races and all that test data so the algorithms learn to recognize that even equally while the situations we had previously where they lead specifically to recognize one person or one type of person at the detriment potentially of others. >> but what you are describing is precisely what was discovered a long time ago, and the lack of
3:04 am
diversity in the testing that has not led to the ability to deal with some of the problems that we have found and minority commuters, black communities in particular. and so you do think that this is part and apart of moving forward with any identification, is absolutely having the kind of diversity in the testing that will bring us to the results that we need. how far -- i don't know if thiss is a good question or not, but i think we have improved, you know, the testing in medicine and particularly with certain diseases where they had to work hard to get minorities in the testing programs here but do you know whether or not it is proven that this is really taken place with medicine and that the corrections have been made and they been able to advance the
3:05 am
pharmaceutical products based on the testing that was done? because they know what's needed any particular minority group. do you know anything about that? >> i don't know specifically whether it's been proven but i think a key point is like a sit in my testimony, these things, inclusion, calling out bias don't just happen under own. i think they need to be mandated. i think we need to call that specifically in legislation you have to do task for these things come jeff to test for bias and make sure people are included and you to test on an ongoing basis. this isn't just something you do want and put on the shelf and never addressed again. you have to test. in the uk its proposed it is done on an annual basis. we need to be testing and retesting to ensure any device that does exist in the system is called out, as explained and that action plan to put in place to make sure that exclusionary technique or system doesn't then
3:06 am
been thick report. >> thank thank you very muc. i appreciate that information. i will follow up with my colleague mr. foster and you as we move forward with his whole issue to thank you and i yield back the balance of my time. >> thank you, and the chair when i reckon it's colleague from north carolina, mr. budd, for five minutes or i think the chair and also what you think the witnesses for being here today. very insightful. mr. fredung, i want to address the questions you in the brief time with. with continued growth and expanding use of cryptic urges we see an increase rollout by exchanges becoming compliant with anti-money-laundering. so how are these know your customer programs performing compared to traditional finance counterparts? >> first of all thank you for the question. as we all of cryptic urges getting more and more used in the world for investment for
3:07 am
everyday tasks. when it comes to legislation and catching criminals as well we do see happening a few different -- unfortunate probably seen -- not too many legislation. in europe we have -- u.s. has started issuing different licenses. for a few selected clients. this is a problem we see in the space where there needs to be an easy way for businesses that operate to become license. i would like to bring up as well -- [inaudible] they also discussed the bad actors using cryptic currency. they also mention it was a number around 0.4% which was a which was a decrease in previous years as well. [inaudible]
3:08 am
i wouldn't say most businesses have pretty much -- [inaudible] >> very good, thanks for that. so as technology continues to advance and will look for new ways to identify consumers, without jeopardizing their data, so that's key, i can utilize blockchain as a tool for digital identity verification? that will also be for you. >> sorry. i accidentally hit minute button. it's very interesting. as mentioned that something we operate in the future. by enabling blockchain, unauthorized access to customer data, circa way of transferring user data, better user
3:09 am
experience as well, i guess we can all understand for customer -- over and over again it's not really a good use x-rays. in addition, there are other collections of elections will so they could be -- one device reputation where data is transferred elsewhere as well. >> so financial institutions are subject to a patchwork of identification breach laws in the u.s. state-by-state. so in addition to federal regulations that we saw in the claim leach -- gramlich bliley act years go there's no federal standard for data security for nonfinancial institutions that handle consumer data. what regulatory improvements would you suggest? >> that's also -- >> yes, sorry. when it comes to progress in the regulatory framework, there are
3:10 am
differences. the first one being universal flame work requirements. the cycle would be an update existing documents issued by state by modernizing security features making it -- [inaudible] may be requiring outlined ship before him and something you see not a requirement in all different frameworks this is a great tool. we do conduct heavily researched and universe in medicine and we shared. >> really appreciate it. that's all the questions i have. i appreciate your generosity and time for the whole panel. yield back to the chair. >> thank you. the chair will now recognize my colleague from illinois for five minutes. >> thank you so much, and really want to thank you for doing this here. you have a bleeding on this for a long time, mr. foster, so
3:11 am
thank you. want to direct my questions to ms. renieris. the first is over the last couple of years there's been talk of google and apple a talked about introducing a digital driver's license, digitization of a driver's license other mobile apps. do you have any ethical concerns with essentially a private digital id supplanting a government managed digital id? >> thank you very much for the question, congressman. so this isn't a shy little to do my testimony and they go into more depth in my written testimony. what apple and google have basically screwed digital infrastructure to post a digitized version of your government issued driver's license or your analog physical id. it's quite telling that what they could is not necessary a
3:12 am
digital native id but rather a digital version of those artifacts that we're all used to. that's an important distinction. it is true they are very sophisticated capabilities now, smartphones, including other technologies localize machine learning and data processing that improve some of the data security and privacy aspects of the mobile digital law but there are ethical and privacy concerns i have going beyond the data itself. specifically i have concerns around business models. what we've seen over and over again is a lot of the business models for commercial centers around the products and services provided by some of the competition region including apple and google are not necessarily business models that support business interest and the values that we are really concerned about and the actual very often cut against those. for example, with the apple id
3:13 am
we don't know exactly what the business model is however it's the same technology as apple bay which we know has transaction fees associated with it for different players or ecosystems. you can start to set depend on the business model and commercial incentives this could create perverse incentive for the use of id reps in contexts where it's necessary or there's also concerns about the ease of use. the easier sleeker these credentials are, it feels like not a big deal. we normally sings like my metrics, preventing her id and context where perhaps it shouldn't be appropriate or required. i think there are concerns go beyond the data and images think about the security privacy data with the sight of security privacy of people. those are different things and the technology designing and building the system have a very narrow definition of privacy. this is a tactical mathematical view of it. we have to put in the context of the system that it is in the
3:14 am
context of law and economics and all these other things to think about what the true impact of the of people rather look at specific floor or specific technology. >> so thank you for that. this is a question that gets pian digital id and, of course, spent to be committed and congress because when the financial services committee, we spend a lot of time and we have crafted love legislation about what happens if i give my money to someone who is a custodian of that money and we have developed fiduciary rules of looking after the best interest of that money. arguably our data is linked to earn money and a lot more as you point out. there vincente will talk about you should we create a fiduciary role to apply to people who hold our data. i'm curious if you've heard any of that, if you forget those proposals, thinly with them and have any thoughts on that as a possible way through some of this morass should the private
3:15 am
sector get ahead of this? once people turn the data over you can't put the ginnie back in the bottle. so your thoughts on fiduciary role for data. >> certain fiduciary duties, confidentiality and other associated with entities for processing and storing data can make sense. i don't think i think it sort of a small approach. an approach at the moment is very -- across state and federal proposals come side you think we need to think about what's the underlying legal if research rather in terms of privacy and data security and data protection but again those are just sort of one piece of a more copperheads a framework that we need. ..
3:16 am
>> thank you mister chairman. i appreciate this hearing. i think this is an important topic and mister grant was talking to you and you mentioned in your written testimony that rounds, talked to my colleagues that were defined by the billions that were stolen by the unfortunate loopholes in the administration of those programs and i realize digital is a component of guarding against that fraud. how do you see ai working with the existing frameworks being a way to combat fraud in unemployment insurance? >> i think what the way i look at it there's both a
3:17 am
what would i say, when i look at identity, identity is one part of a broad reduction and can we risk there and i think solving this issue presents an issue, it presents a couple different dimensions where even outside of the thing you might be doing on identity for verification you might have ai running broader prevention systems to look at different signals. i'll say i think it's two thirds of the reporters of those are going to be identity related in terms of are you able to see how somebody's potentially using stolen data or see something about the device they're walking in on that is exhibiting signs that might be our box entering the data rather than an individual. i think a lot of it will come to identity at the end of the day but there's broader places that were seeing these same companiesin this space look at things that touch other elements beyond
3:18 am
individual identity >> to my colleagues , i'll be trying to work on getting ai language into some of their appropriations try to prevent fraud. that is something we should begin to look at and start to think about being in the ai task force it's germane to what we do. shipping, just to ask you a question about identity technology gone wrong. and i mean obviously it's really important. i think the idea is we want to have it in any system which is consistent with our values as americans of protecting identity and protecting information and i kind of think about china and how they were, the chinese communist party their control of digital payments was able to control people's goodness and help stop people who are not in favor of what the
3:19 am
chinese communist party for being able to buy plane tickets and they're not even favored by the trade ticket or even ride a bus so the thing about the technology being in my mind abuse to really suppress people in a way that is orwellian. can you give us examples of other ways that identity technology has gone wrong not necessarily inthis country but other countries ? >> thank you for the question congressman. there are many examples. i think one of them, the most important thing to pointout is in a lot of other countries , the digital identity systems are basically mandated national id scams that are with vital statistics so if you can't obtain a digital identity in this country are essentially blocked. there is basically nothing you can do and you don't exist so i think that's a broad level.
3:20 am
the second layer of that is that in a lot of countries what we've seen digital id schemes gone wrong is it tries to integrate, they basically use a single identifier . that single identifier is able to track your activity across all facets of your life and employment healthcare, school, everything you do . another area where you can't retain autonomy over a specific domain of your life. for example you can't separate your personal professional, you can't have this kind of contextualized identity so i guess that's also really problematic. it's also problematic from the standpoint of data security so i think going back to the point around intrusion, a lot of us are buying outside of this technology so there are companies where women are disproportionately less connected and don't have access to things like mobile devices so in those countries
3:21 am
where digital identity is not for a mobile device they are at the mercy of a partner or someone else to exist and to operate in that country. reasons to look beyond the privately secure privacy security data to think about operating a national platform . i can go into more detail in my testimony. >> thank you for that answer, i yields that. >> we will now recognize our colleagues from north carolina for five minutes. >> thank you chair, ranking member gonzalez and also to our chairwoman for holding this hearing and to the witnesses, thank you for your testimony aswell . ai algorithms is a prominent and widespread concern as the technology has become more entrenched in our daily lives . i recall a few years back when they show recognition software identified my congressional caucus
3:22 am
colleague john lewis as a criminal. this real problem that biased ai is having real-world impact is the reason we are having these discussions and that's why i want to successfully include language in our annual packages that asks the national science foundation to partner with ceos and academic institutions to study algorithmic data. professor, in your testimony you noted that ai and id verification can have significant consequences so how can we stop the ident digital identity process being overreliance on potentially flawed ai algorithms and what role should the federal government and state government play in the distribution of digital identity ? >> thank you for the question congresswoman.
3:23 am
i think this is one of the most important conversations we've had around digital identity so going back to the comment around the quality of data that an important consideration and i do think we are makingprogress there . these systems are more cognizant of the need for the data sets to reflect the population that these systems will operate in but i think we're not looking at it closely as who's designing and building these technologies in the first place. regardless of how good the underlying data is risks are not going to be identified by people if we only have so much in this people buildings these things because they only see the risks they understand so the reason you need a diverse set of people building these is to be able to supply and mitigate and build them into design of the technology so there's concerns around bias in algorithms but there are concerns and all thedifferent components that flow throw out . earlier we talked about
3:24 am
different kind of biometrics like face and voice which are subject to racial and gender bias but increasingly in the future it's looking into things like behavioral biometrics work which are essentially profiling technologies . those are going to raise concerns about equity so again, to make this sustainable and forward-looking , bad actors are always going to be able to outsmart the of the art technology so the only way to get ahead of this is to think about how these operate broadly in these technical systems. but you're right that that is a primary concern. >> despite some of the problems nato benefits from employing ai to protect consumers so with the increase in data breaches particularly on the reporting agencies where large amounts of personally identifiable information has been exposed, how can ai help with distinguishing between
3:25 am
legitimate and illegitimate activities to detect or prevent digital identity fraud? >> thank you for the question congresswoman. before i answer i would love to piggyback on what elizabeth has said in that i think as we are concerned about bias and i think this plays into yourquestion as well here , so much of what we're dealing with with ai are predicted systems that are trying to use ai and machine learning to guess at the end of the day only the government really knows and i talked in my written testimony, one of the best things the government can do would be to advance the bill foster introduced which brings out a deterministic layer which is an authoritative government identity systems to complement the probabilistic layer is going to be one way to address concerns about bias. in terms of how it's being used more constructively when
3:26 am
we got terabytes of stolen identity data is being used to commit identity fraud, one thing we're seeing is a lot of vendors out there when they can identify what organized crime rate is doing ai can study how they enter data and then be able to analyze that and learn whether it's, what it looks like somebody's doing when they'reinteracting with a device , how they are holding it. some of these things are behavioral but if you can learn what it looks like it might be malicious behavior and then you can start generate allure that might kick some of those applications in a way that if they blocked it at least takes it off to a secondary layer for examination where you can make a more informed decision . >> mister chairman, i yelled back. >> we will recognize our colleague massachusetts for five minutes. >> thank you for putting this together and i want to echo what the congress set at the beginning of the session complementing, i thought it was superb.
3:27 am
i appreciate that. mister grant, in your written testimony and your oral testimony you talk about the identity at and what elements of that would be asking the national institute of standards and technology to really take the lead on setting the protocols and the standards for what identity cruising which as you said is at the heart increasingly would look like. i want to dig into that a little bit. could you tell us maybe the 3w's of that. who shouldbe involved , what this product might look like and when we would be looking for that to be accomplished, what kind of time frames are we seeing? >> i think in terms of background, congressman fosters bill focuses a lot on this as a way to try to address the concerns we've heard about today. in terms of whether it's the
3:28 am
public sector or private sector developing the systems you come up with standards and best practices that can set a high bar for privacy and inclusion? a lot of concerns that people might have about different industry solutions or even a government solution running amok and losing sight of the importance of the high bar in all those areas can be accomplished with standards. so i think one of the great things this does and a backdrop for the community i used to lead the trust trusted identity group several years ago. this is a great way to engage with holders not just nationally but globally across the private sector so i think the benefit of having them leave this is they can bring in whether it's technical experts like david and louise or academics like elizabeth or entrepreneurs like victor, they can all provide different inputs and weighthem and synthesize them in a way that gets outcomes that might address all those issues . i think it's not just
3:29 am
technical standards but it's also business practices. how do you collect data, what recourse do people have if something goes wrong ? what do i know beyond just following technical standards and the whims, we have tackled this for the privacy framework. it's elevated or escalated time frames. my former colleagues will be frowning at me if you're watching out because it's a lot of work to get done in a year. but this is a national crisis, we will get it done. >> you mentioned identity as a sociotechnical construction which i think is a great way to frame that. from your perspective what would you want to be seen from this product that would give you confidence that we are architecting government identity proofing in a way that is not going to lend itself to abuse and also to my colleague that's not going
3:30 am
to lend itself to an inappropriate amount of governmentconcentrated power . >> thank you for the question congressman . my first two questions in regards to myth, it's focused on technical standards and i would say the advantage of having a bead on this front is there not subject to some of the perverse incentives i was talking about in that they have a very long and comprehensive track record of design standards with these considerations in mind. that said i think it's important within this support that other experts are consulted and there's are the different types of expertise that go beyond the narrow mathematical and technical engineering sections of these. and in their identity guidance they've also been mindful ofsome of those considerations . it's considered a relatively expert side but to mister
3:31 am
grant! i guess the reason it's so important is because it is really the gateway to all of it. it's a critical first step what's nice about that is if we rely on authoritative government issued identities those are already helping for some of those things i was talking aboutthere not being designed by scientists exclusively . so there rooted in real-world technical concepts as it is so it's part of good foundation there. this is something i can go into in a bit more detail. >> the last 15 seconds for mister grant. let's go to the subject of conversation, two-step verification as a means of identifying yourself with a password oryour text message or google or whatever . is that still the best i standard for authentication? >> there's no such thing as a secure password these days and my colleague says the
3:32 am
only guidance of m lowercase, even a 64 case password to get finished. some key factors, they can phish the one-time passcodes. i used hardware key that can't be phished. that's where things need to move to is based on the cryptography. >> i'm out of time mister tillman so i yelled back. >> we have another round of questions so i will begin by recognizing myself for another five minutes. if we do proceed as part of the infrastructure package to federally subsidized the deployment of mobile id it gives us an opportunity to set standards for privacy and other important aspects. what are the redlines for privacy that we should keep our eye on and insist have to be present? ones that get mentioned
3:33 am
frequently are violent interrogation of your app. that the user should be aware anytime there id ispresented . another one is at a traffic stop when they're asked to present your digital id you do not have to turn over your physical cell phone that they simply have some form of electronic communication so that the law enforcement officer doesn't get to claw around your cell phone and find what elsemight be in their . is there a group list and what should be at the top of that list from the privacy point of view? >> i think there are very good ledgers and in my written testimony put together a number of them that can be used and represent a diverse cross-section of what's been looked at so far rightly. i would ask that you include it chairman as one of the most difficult trains things
3:34 am
to try toprotect against his surveillance , cracking or aggregating data and then sifting through that data to find usage patterns. the ability to use individual identifiers for each transaction, uniform identifiers and enforcing not having to report usage i think that's one of the tougher problems but it's absolutely key to enforcing privacy for people who are going to use their digital identity. >> do the other witnesses havesomething dad on that ? >> i just flagged what's important is to have a process that looks at privacy risk realistically and one of the things that we launched out of the nsa program at the time was the privacy engineering initiative which was focused on how do you sort of a soup to nuts approach of privacy from
3:35 am
different contexts and identify risks in any system and come up with technical or policy mitigations to architect around them that led to this privacy framework and it was something the previousadministration asked us to do . one reason i'm excited that your legislation would have this focus here is it's the one place rightly government or industry i've seen that have a comprehensive framework geared towards identity in security systems. beyond that i think the ability to regularly lead certain data to yourself without others. when i look at how manycopies of my drivers license when the online , it's not important for a lot of those entities to know everything about me. they just need to know over 21 if i was ordering whiskey during the pandemic which i mighthave done once or twice or that i'm eligible for something else . i think we need to focus on sharing certain things about myself with all my data, that's going to be important.
3:36 am
>> if i could also jump in i think one of the important things to recognize is we need to go upstream by the time the data is collected, it's often too late to have effective protections in place so we do need to think about data and other techniques certainly of privacy enhancing can play a role here but they often are very complex which can result in a lot of user error so we have to think about things like design. we're moving away from the other types of interfaces are moving into the future so we're not going to be able to present long and cumbersome as he notices and expect people to be able to invest in them and understand what's happening so design is critically important there, particularly the faster and sleeker credentialing can be used and the quicker they interact the more important that designs on the backend and front-end and also the standards in engineering is really front and centerbefore we talk about what we do .
3:37 am
>> thank you. one of the killer apps for this as it were is the central bank digital currencies which the financial services committee is very involved in that immediately gets into international usage because digital dollars should be useful for people around the world and we're going to have toauthenticate those . and so what is the status of international interoperability of these various idea machines? >> i'd say at least from a regulatory perspective about a year and a half ago the financial action task force which is the body of local financial regulators that work together put out digital identity guidelines but i say it's much more of a cookbook in terms of how each country should design digital identity systems or some of these applications including potentially cdc. in terms of true operability a lot of it will have to focus on the prince countries including the us developing
3:38 am
digital identity infrastructure and then finding ways to its through treating negotiations or other mechanisms to mutually recognize them and i don't think we're there yet. >> thank you and we now recognize the ranking member. >> thank you mister chairman. i'm going to probably just stay on one track and this is for the first variant, it's widely reported the basics of traditional identity information the government requires his name, address, social security are widely for sale on the dark when. i too have purchased things online during the pandemic and you can just never quite know where all that information and some but it doesn't give me the best feeling when you turn on the news every day, sophisticated banks and think tanks are using ai-based schools to verify information and multiple data sets instead of
3:39 am
government required info. can you speak just from a cybercrime standpoint about what the move to digital id in the united states is? >> i think it makes it a lot harder for the attackers who are exploiting what in some cases is nonexistent digital identity infrastructure or legacy tools at work a few years ago but the attackers have caughtup with . though so much of what i think about what comes not just with identity but anything when it comes to cybercrime cyber security, how do you prevent scalable attacks or raise the cost of attack so it's not easy for an attacker to do what we have seen in banking or government benefits over the last year to slide through some of these systems? the more whether it's looking at some of the deterministic factors we can bring in with what congressman fosters bill would do in terms of being able to activate it and vouch for you like you can use your
3:40 am
card in a pay wall and use it digitally, how do you augment that as well to try and i mentioned before congressman adams had asked how is ai used? aican study how criminal rings do things . we're in a bit of an arms race again seeing these increasingly organized criminal gangs. there are starting to use ai as well. i think we're going to need unfortunately every weapon at our disposal to guard against these increasingly sophisticated attacks . >> same question to you from a cyber security protection standpoint, what is moving towards digital id do for you? >> i would like to follow along with the more sophisticated closures as well. what we've seen in spaces like the attacks, this is pretty much.
3:41 am
[inaudible] the more sophisticated ones are using a id for example. switching from this data you mentioned earlier it's also in regards to the other corridor on the database. that's out of date to be completely honest because anybody can steal anybody else's information, it doesn't give you a particularly accurate result so while we're moving towards the verification which combines a digital verification alongside a pragmatic identification is out of ourexperience . >> thank you, mister chairman i yelled back. >> thank you and we will now recognize mister cassidy for five minutes. >> thank you and i'm glad we
3:42 am
have the second round because i ran out of time with professor renieris. i want to pick up some on some stuff that i think you alluded to this in your conversation with mister budd and mister aunderclos. distributed technology as far as obviously creating a record of this digital id and where it is and making sure there's integrity to stores it, there's also as we said in the crypto space the potential for anonymity that comes from that can be abused . i guess i have a two-part question. number one, are you satisfied that block chain is the right technology to store the data around the digital id. let me answer the second question before i go. >> so i addressed this in my written testimony and quite explicitly point out that i think blockchain is the wrong
3:43 am
technology for personal identity management. i've worked directly with blockchain startups. various inter-governments, so blockchain is an accounting technology . it's traceability and permanent mutability so these are things you might want to use for example management but they're not things that you want to use for personal identity management if you're concerned about the privacy and security of individuals. over the last 4 to 5 years as i've been part of this conversation with governments and industries there has been many many technical solutions proposed to get around some of these concerns so a lot of different conversation on techniques, a lot of different methods of encryption . but conceptually at the heart of what blockchain does and
3:44 am
what it's designed to do is with things like data so for example if i want to prove who i am don't want that data located around theworld . if i do that i have indefinitely so to me it's a complete misfit between the purpose but i know you have more questions. >> that's helpful so the reason i tie this to my earlier question is because in my business this is tied to is there going to be a private, privately owned for-profit digital id that will get out ahead of us because the value of that data, there's a narrow part in my mind that this is me and this is you and there's all the metadata around which is of course where the money is, are you connected to, where was the gps tag and what did you start your id for, etc.. however we store this and i'll stipulate you've got an idea about where we should
3:45 am
store this digital id, should we also be using that for the metadata? where should the metadata live because someone's going to use it and what are your thoughts on that ? >> it's an important point to make and i think sophisticated blockchain teams working on this have recognized that it's a bad idea to store the actual identity credentials on the ledger so they have a workaround for that ultimately the lender is a record of the made upmetadata that you're describing . and i think the really important thing and it's very overlooked in the conversation is that the commercial incentives i was talking about with the business model can really undo a lot of the features intended to provide privacy and anonymity so for example a lot of the blockchain enabled identity schemes really lack of business model
3:46 am
and a common one proposed is kind of a scheme where the verifying party pays for credentials when that credential is used and to recoup some of the cost of issuing its credential. you have this scheme where you pay for verification and ultimately you have to be able to separate the transactions and that's a more sophisticated problem to solve and a lot of them have thought about if they've even thought about the question so again, it has nothing to do with encryptiontechnologies , you might have a specific benefit of the technology. >> we're out of time but maybe there's a longer conversation. if i take my government issued passport right now that's got a whole lot of metadata in it area there's some value togovernments and having that information . if we do a perfect government digital id, should we be collecting and humanizing that minute metadata? we've got privacy issues but i realize i'm out of time.
3:47 am
>> i think the question is to what end and what purposes and those have to be statedup front . i think this is certainly something i also have in my testimony and i'dbe happy to provide feedback on the record . >> i yield back. >> you could possibly implement a with witness protection program by using a blockchain enabled id which is government-sponsored identity fraud. we will now recognize mister taylor for five minutes. >> mister cason, i think if you go back last year professor renieris resigned from the id 20/20 project objecting to blockchain you asked the exact right person about blockchain and identity . it was a really bad conversation, would you like
3:48 am
to take you down this radical? >> i'll defer to your time but maybe we can set up a time for the three of us if you'd like to gettogether . >> anyway, i appreciate your passion for this particular topic and the importance you feel of not using blockchain technology for identification . just going back down the horror story and it's really instructive to me to know what not to do. it's alsosort of what to do . and doctor adam in your written testimony you talked about the health system in kenya and the ability to access that because of identification systems they've put in place. do you want to expand what you've seen in terms of how not to do it and how we shouldn't do it? >> thank you for the question.
3:49 am
i think in my written testimony i do share the ways that it has gone wrong and other platforms i think miss renieris mentioned this earlier not taking into account your users are not taking into account what it is they are trying to do with these solutions put in place so in the instance in kenya that i referenced, lots of people in that city , lots of women don't tend to have access to the required documents. mobile phones, etc. that allow them to make their way through the process of saving their identity and if i think about here in theuk , a lot of this previously the schemes that have been tried relied on having certain documents of access to the internet for example and don't quote me on that of the uk that don't have those government issued documents. so if you are predication of
3:50 am
physical identity is based off of having access to particular things whether that document or etc., then automatically you are excluding a percentage of your population that you are designed to serve. the requirements gathering all of these exercises need to take into account the situations that people are in and we need to be to account for those so yes, all of us on the call have access to technology and the government issued ids. we need to do something about the people that don't have access to those things or may not be able to access those things but people who can't use technology to get to the systems they need to. i think it all starts at the very beginning of the process and being able to identify all the different factors you're trying to serve rather than the commonuse cases by the biggest majority of people . you can make sure your accounting for those solutions . >> just going back to you,
3:51 am
you talked briefly in my prior question. could you talk about how in your mind india went wrong, i don't know if that's your words or not but i'll hold that phrase . >> i think that situation was as far in india, they had a couple places where they went wrong. they attempted the single unique identifier. so there's literally nothing you can access without using it and it's entirely traceable across all these facets of life by the government. the constitutional court looked into the system and quickly said that it was an overreach that there are concerns about dialing some of that back but in terms of the questions about inclusion , that was also a big concern there where because of the complexity of india and the complexity ofthe population , everything with the different
3:52 am
cultures to infrastructure and different places in the country there wasn't enough consideration around how those might be impacted that sector might be included and i think they had a problem here when you were talking about broadband where we don't have a homogeneous population. we don't have this universal aspect to things so if we only fall for the majority, then it's already there and we don't have a pluralism that we need to design a system that is actually inclusive and will work for most people. >> i appreciate that, i yield back. >> iq and i will recognize the representative for five minutes. >> cyber attacks are the fastest growing crime in the us and one of the largest tests of data in electronic infrastructure today . studies have predicted a
3:53 am
business will fall victim to ransom where every 11 seconds this year. centralized digital id space or peoples personal information would be a huge project. can you discuss, the cryptography techniques available so that there would be no need for centralized digital id database? >> i think that there's multiple different architectures that can support what you're referring to and not having a centralized database. there is the global drivers license, there's obviously taking that data and putting it on to the smartphone itself along with the cryptographic signatures but then when data is shared , the signatures can be shared with it and the verifier can take the signatures and check on that data. i think there are other architectures as well. similar to that and i actually think that it's
3:54 am
something like a distributed letter or blocking that has that capability might have the data. and i present to you as a business for verifier of the data you can then go and check the veracity of that data. in addition i think to not centralized databases, having access to verifiable data can reduce the need for businesses themselves to store the end result. because they know the next time that comes along that they will get fresher, validated data and they don't have to keep large records this is the potential also to reduce not just internalized databases but peripheral databases that are ultimately the targets of that. >> thank you mister chairman, i have no furtherquestions . >> thank you madam and i'd like to thank our witnesses for their testimony today and without objection all members
3:55 am
will have five legislative days with which to submit additional written questions for the witnesses of the chair which will be forwarded to the witnesses with their response. i'd ask our witnesses to please respond as promptly as they are able without objection, all members will have five legislative days with which to submit extraneous materials for inclusion in the record i remind members written questions should be submitted to email addresses provided to your office runs
3:56 am
3:57 am
3:58 am
3:59 am
an hour -- this runs an hour, ten minutes. >> the subcommittee on transportation and maritime security will come to order. without objection, the chair is authorized to declare the subcommittee in recess at the any point. welcome to the transportation and maritime security subcommittee's hearing entitled taking to


info Stream Only

Uploaded by TV Archive on