At a glance.
- State of the Union addresses digital privacy.
The US State of the Union address and online privacy.
US President Joe Biden gave the 2023 State of the Union Address last night, and he dedicated a portion of his speech to digital privacy rights. As CyberScoop reports, he reiterated a message from last year’s address, calling on Congress to hold technology companies accountable for how they handle user data, especially information collected on minors. He urged Congress to “pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.” A fact sheet released in preparation for the speech included further details. “There should be clear and strict limits on the ability to collect, use, transfer, and maintain our personal data, especially for sensitive data such as geolocation and health information, and the burden must fall on companies – not consumers – to minimize how much information they collect,” it reads. Biden has been vocal about his administration’s desire to protect personal data online, especially that of minors (see his recent Wall Street Journal op-ed asking Congress to take a legislative stand against Big Tech), but so far efforts to pass federal legislation have been stalled by partisan debate and disagreements over how national laws will impact legislation at the state level.
Insiders say that now that the State of the Union address is behind us, a much-anticipated executive order focused on digital privacy is on the horizon. FedScoop explains that the Biden administration had plans to release the Digital Theft EO earlier this week, but the publication date was pushed until after the President’s annual speech. While details are still being finalized, sources say the directive will introduce new measures to fight against identity theft linked to public benefits, and it will urge government agencies to use Login.gov, the single sign-on identity authentication platform built by the General Services Administration. Although federal government agencies are required by law to use Login.gov, so far the law has not been fully enforced by the Office of Management and Budget.
Raj Dasgupta, Director of Fraud Strategy at BioCatch, finds this regulatory tendency welcome:
“It is heartening to see that the federal government is paying attention to the very serious problem of identity fraud that is rampant in today’s world, but we should not speculate on the final details of the EO, as the official policy could vary in potential requirements for companies to use Login.gov.
"It is important to note that any type of sensitive account is vulnerable to attack by cybercriminals. Identity theft, and the malicious actors behind it, are constantly evolving their tactics to gain access to consumer accounts and other sensitive areas in need of authorization, and they are successful. In fact, in a recent study, 72% of global banks cited account takeover as a leading cause of concern.
"Over the last couple of years we have seen egregious forms of fraud targeting COVID relief/unemployment benefits that fell into the wrong hands. We hope that Login.gov leverages the latest in fraud detection technology to protect users.
"A single platform or portal behaving as a nexus for public services makes it a prime target for malicious actors to explore and exploit found vulnerabilities. At the very least, an identity management platform needs to follow three key aspects of authentication and data collection, especially one of this caliber. These include:
- "Knowledge of consumer - static information of the consumer like phone number, address, etc. should ONLY be known to the user.
- "Personalized identification - users should be required to use unique tokens to log in to their accounts.
- "Unique identification - Biometrics such as fingerprint or specific user behavior should be used to authenticate the user.
"Any identity management platform should follow these aspects of protecting digital identities or their user information may be at stake. As cyber-attacks grow more complex, it is critical to adopt advanced solutions where older technology has often been proven inadequate.”