Utah’s Digital ID Bill SB260 is the New Frontier for User-Controlled Identity

Governments often face challenges in fully delivering on their commitments to enhancing both freedom and safety for their residents, as balancing the two can be very complex. Utah’s new State Bill 260 introduces principles for a state-endorsed digital identity that puts Utahns in control of their identities and includes a suite of guaranteed freedoms and protections to increase user choice, prevent surveillance, and respect privacy.

The Lehi, Utah-based civil libertarian Libertas Institute describes the bill as “an ambitious policy prescription of privacy protection, individual autonomy protection, and anonymity.” This bill comes at an important time: it can help combat the rise of AI-enabled fraud and address violations of privacy practices as the adoption of digital IDs grows in the US. New technologies such as Verifiable Digital Credentials (VDCs) now make the bill implementable. Most importantly, it offers an opportunity for major advances in the autonomy, privacy, and security of individuals in the digital world, creating a bulwark for the next era of U.S. cybersecurity and cyberfreedoms.

Technology's privacy strengths can only reach their full potential if legislation supports and protects them. Utah SB260 strongly supports this goal by banning surveillance, enforcing selective disclosure, keeping digital identity fully optional, and notably preventing government officials from demanding “device handover.” These elements of SB260 can create a strong baseline for digital ID within Utah and even for other states.

The State Does Not Establish an Individual's Identity

As § 63A-16-1202(1)(b)/(c) clearly states, “the state does not establish an individual’s identity” and “the state may, in certain circumstances, recognize and endorse an individual's identity.”

This is fundamentally different from programs where a government authority defines someone’s ability to be recognized and exist. Instead, it recognizes that human beings already exist in their own right and that the state’s role is to provide assistance to humans, so they can be recognized and have the ability to manage the state endorsement in the ways prescribed by the code.

Prohibiting Digital Surveillance and Data-sharing

The code further requires that when a state-endorsed digital identity is presented, any data from the interaction is only used for the reason intended by the document’s owner. The validator accepting the document, whether a bartender, law enforcement officer or TSA agent, can’t share data about the contents of an ID or the time or context in which it was presented for validation. That includes prohibiting data-sharing with private companies that might want to use it for marketing or other purposes.

The provision also prohibits “surveillance, visibility, tracking, or monitoring” by any government agency or other person who accepts a digital ID. This is important because, while the digital signatures that validate digital credentials can be confirmed “locally” by some validators (that is, without sending a message to a central server), some validators will need to query a server or database, which, if not implemented with the proper safeguards, can create “phone home” surveillance. The anti-surveillance provision of SB260 bans using those queries as a source of surveillance data.

Further, the bill’s broader privacy demands incentivize the building of ID systems with anti-surveillance mechanisms, such as private information retrieval.

Selective Disclosure Protects Sensitive Personal Information

SB260 enshrines selective disclosure as a principle of privacy protection. Selective disclosure is a unique advantage of digital identity documents. A physical ID means handing over every bit of information to a validator, even irrelevant and risky data like your address. However, when a digital ID is presented, the user can select exactly what information they wish to share.

For example, SB260 specifies that a digital ID user must be able to “verify that the individual's age satisfies an age requirement without revealing the individual's age or date of birth.” This is particularly important because a birth date is so-called “personal identifying information,” or PII, that can be leveraged for cyberattacks. Keeping it and other sensitive information private when it’s not truly necessary to share helps keep users safe and in control.
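Selective disclosure of this kind is commonly built from salted hash commitments, and the same structure lets a validator check a credential locally, with no “phone home” query to the issuer. The sketch below is an added example, not SpruceID's code and not a mechanism SB260 specifies; the claim names, the sample holder data and the key are constructed, and HMAC stands in for the issuer's public-key signature.

```python
import hashlib, hmac, json, secrets

# Constructed demo key. HMAC stands in for the issuer's public-key signature,
# so this verifier shares the key; a real credential would be checked with
# the issuer's public key only.
ISSUER_KEY = b"constructed-demo-key"

def claim_digest(salt, name, value):
    # The per-claim random salt stops a verifier from guessing low-entropy
    # values (such as a birth date) from an undisclosed digest.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(claims):
    """Issuer: commit to each claim separately and sign only the digests."""
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    digests = sorted(claim_digest(*d) for d in disclosures.values())
    payload = json.dumps(digests).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"digests": digests, "sig": sig}, disclosures

def present(credential, disclosures, reveal):
    """Holder: send the signed digests plus only the chosen disclosures."""
    return {**credential, "disclosed": [disclosures[n] for n in reveal]}

def verify(presentation):
    """Verifier: offline check, no query to the issuer. Returns revealed claims."""
    payload = json.dumps(presentation["digests"]).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        raise ValueError("issuer signature invalid")
    revealed = {}
    for salt, name, value in presentation["disclosed"]:
        if claim_digest(salt, name, value) not in presentation["digests"]:
            raise ValueError(f"claim {name!r} was not issued")
        revealed[name] = value
    return revealed

def demo():
    # Constructed sample holder data.
    claims = {"name": "Sample Holder", "birth_date": "1990-04-01",
              "address": "1 Example St", "age_over_21": True}
    cred, disc = issue(claims)
    return verify(present(cred, disc, ["age_over_21"]))

if __name__ == "__main__":
    print(demo())
```

The validator learns only that the issuer attested `age_over_21`; the birth date, name and address exist in the presentation only as salted digests.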

No Forced Device Handover

Utah’s proposed bill also ensures that “a governmental entity or a person may not require an individual to surrender the individual's mobile communication device to verify the individual's identity.” That is, a user has the right to keep their phone when they are presenting a digital ID for scanning.

This is particularly important when it comes to law enforcement because privacy laws defining police access to phone data are still an ambiguous patchwork. Depending on many factors, it may be legal for a police officer in physical possession of a phone to access data the user didn’t intend to share, creating major privacy and security risks. This provision makes clear that Utahns have the right to refuse any such request from a police officer or any other government official.

Digital Identity is Optional

A final key provision of SB260 is that digital identity tools will remain entirely optional: no government entity can require a digital ID to provide benefits or provide any “material benefit” as an incentive for the use of a digital ID. This is important for accessibility and equity reasons, since many residents may face challenges transitioning to new technologies, and others may simply choose not to use a smartphone.

However, overall public trust is also at stake here: nothing is more likely to make Americans suspicious of a digital tool than being forced to use it by the government. By keeping digital ID optional, while enforcing the core benefits that make it appealing to users, SB260 creates the best possible conditions for trust and adoption of a tool that will benefit users most of all.

A Defining Moment for User-Controlled Digital IDs

Digital IDs are here to stay. The rapid growth of digital ID programs in New York, California, and 11 other US states is not slowing down, and because digital IDs can be used over the internet, they will unlock a myriad of new use cases and mass adoption. That’s why it’s so critical that legislation and technology work together to convey a user-first approach at this moment. We believe that SB260 has the right stock for this, and many of its elements could be adopted in other states and even countries.


About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.