A bipartisan push in Congress is calling for the creation of a federal agency to regulate digital identity systems, at a time of growing concerns over the digital ID push.
Representatives Bill Foster of Illinois and Mike Kelly of Pennsylvania are leading the initiative, which would give the new agency broad authority to certify and audit both the software and hardware used to verify identities online.
Current federal guidance, such as that from the National Institute of Standards and Technology, remains optional.
The proposed agency would go further by establishing rules that digital ID systems must follow. It would serve as an independent authority to evaluate whether a technology is secure enough for government or commercial use, particularly as digital ID tools become more widespread.
Foster, a longtime proponent of government involvement in digital identity policy, has previously introduced versions of the Improving Digital Identity Act. That legislation called for the development of consent-based systems to allow people to confirm their identity online without relying on private platforms or vulnerable credentials.
“The next best thing you can do is provide people with at least the ability to prove they are who they say they are and not a deepfake,” he said last year.
But the push for a national digital identity framework raises serious alarms for privacy advocates who warn that such systems could erode the last vestiges of online anonymity.
By tying identity verification directly to state-issued credentials and biometric data, digital ID programs risk creating a surveillance infrastructure where every online interaction, transaction, or login is linked back to a traceable individual.
This fundamentally changes the nature of the internet, replacing pseudonymous participation with state-verified presence.
Privacy protections promised by digital ID proponents often hinge on enforcement by government agencies that have a long history of overreach.
While lawmakers emphasize that these tools will help curb fraud or impersonation, they rarely address how digital identity mandates could chill free speech.
Digital driver’s licenses, now offered by more than a dozen states, are central to the discussion. These IDs allow users to store government-issued credentials on smartphones, often protected by passwords and biometric data.
Foster warned that a weak point in this infrastructure could be catastrophic. He raised the scenario of hackers developing a tool to extract security keys from millions of phones, which could enable widespread identity theft. “That will be a disaster for the whole effort,” he said.
At Identity Week America, Foster described the need for an impartial body that could evaluate whether devices and platforms meet minimum security standards.
Foster did speak to some privacy concerns and also pointed to the importance of having a trusted authority verify claims made by government agencies, particularly regarding how biometric data is handled.
Referring to TSA’s facial recognition systems, he cited a common message seen at airport kiosks: “I promise I will throw away that picture we’ve just taken of you within 24 hours.” He argued that without third-party validation, there is no guarantee those promises will be kept. “You’re going to have to have someone you trust, saying, ‘I’ve audited that, and it’s actually true.’”
TSA has deployed facial recognition scanners at hundreds of US airports and says it deletes images after identification is confirmed. Officials from the Department of Homeland Security, which oversees TSA, have acknowledged that the system can be reconfigured to retain data temporarily when the agency conducts technology evaluations. TSA also now accepts digital IDs from participating states through platforms like Apple Wallet and Google Wallet at more than 250 airports.
The biometric rollout has prompted pushback in Congress, with lawmakers raising questions about how the data is collected, stored, and used.
