NIST, Beeck Center, CDT to collaborate on digital identity and public benefits

Administrators of government benefits looking to better understand when and how to implement identity proofing and authentication in their programs will soon have new resources to turn to.

The National Institute of Standards and Technology — which fields digital identity proofing and authentication standards for the federal government — announced a new collaborative effort with the Digital Benefits Network at Georgetown University’s Beeck Center for Social Impact and Innovation and the nonprofit Center for Democracy and Technology on Monday.

“To improve benefits delivery to the U.S. public, it is vital that agencies balance access and security,” said NIST Director Laurie Locascio in a statement. “Different populations have different needs, barriers and circumstances that must be considered, and this collaboration will bring together a diverse set of communities to do just that.”

The goal is to develop voluntary resources to help government administrators of public benefits, especially those at the state level, think through when identity proofing and authentication are needed and how to navigate security, privacy, equity and usability issues.

The work will fill a gap in resources for states, said Elizabeth Bynum Sorrell, a project researcher at the Digital Benefits Network.

The technical NIST term for the forthcoming product is a “profile” of its digital identity guidelines, something the standards agency has already done in other parts of the cyber arena to help users understand its guidance in their context.

The effort will involve extensive stakeholder engagement, including a first draft and public comment period before the profile’s final publication, slated for summer 2025, said Bynum Sorrell. 

The work comes as NIST is drafting an update to its digital identity guidelines. The first draft included edits meant to allow for alternatives to facial recognition and expanded use of digital evidence like mobile drivers licenses. 

“This gives us a really practical opportunity to look at what some of those alternatives can look like in implementation, and I think also can serve as a future feedback loop for us,” said Ryan Galluzzo, identity program lead for NIST’s Applied Cybersecurity Division.

The benefits-focused project will build off a new, forthcoming draft of the NIST digital identity guidelines, which is expected “fairly soon,” said Galluzzo. NIST will also be taking comments on that draft.

Among the issues the team wants to dig into is, “how do we make good service delivery with these technologies,” said Ariel Kennan, who leads the Digital Benefits Network. “Because when it works well, it actually opens up an incredible amount of access to people… like asking people once for a lot of information and then being able to use it again in other benefits applications.”

At the same time, identity proofing can also “become a new barrier to access,” said Kennan. “It can almost become like a new eligibility requirement.”

During the pandemic, many benefits agencies added digital identity proofing into their online portals for citizens as they faced fraud and cyber threats at times fueled by identity theft and vulnerabilities. Last year, the Government Accountability Office offered an estimate for unemployment insurance fraud during the pandemic of between $100 and $135 billion.

But the addition of digital identity systems also surfaced concerns about privacy, data security, due process and the potential for bias in facial recognition systems, as well as systems backed by data brokers and installed as front doors to benefits. 

The Labor Department’s watchdog, for example, issued a call for “extreme caution” early last year around the use of facial recognition in state unemployment systems, pointing to concerns about bias and calling for the federal government to issue more guidance to states on the topic.

“People should be able to access public benefits programs without facing unfair technical barriers or compromising their privacy,” said Alexandra Reeve Givens, president and CEO of the Center for Democracy and Technology, in a statement. “And they need to be able to trust that agencies’ systems will work effectively, fairly and securely.”

The hope is that the work forges a conversation about access, security and integrity, said Kennan.

For NIST, the process of profiling its digital identity guidelines is novel, as is the focus on state-level practitioners, said Connie LaSalle, a senior technology policy advisor in the NIST IT Lab.

“Getting a community together to actually have a conversation about it based on what they've seen from the field, I think could be really impactful,” she said. “We can talk generally in our guidance, which is written for a broad audience, about considering certain categories of impact. But to know the ones that are most obvious and pressing for people who are working with communities that receive benefits day-in, day-out is a data gap right now.”