As part of its Vision 2023, state technology officials are proposing a system to enable California residents to use a single username and password to access any state government service online. The system would allow users to easily update their information, as needed, on a single website.
The proposal, dubbed the “Digital ID Ecosystem,” envisions a day when Californians don’t have to have separate log-in information for each service they use, whether scheduling a driver’s test, making an unemployment claim or enrolling in Medi-Cal. To get started, Governor Gavin Newsom asked for $1.1 million in Fiscal Year 2021-22 and 2022-23 to deliver a proof of concept.
“It’s a question of convenience for the residents of California,” said Rick Klau, the state’s new California Chief Technology Officer. “Anyone who has any digital interaction with more than one state department or agency, like renewing a license, getting a campground permit or paying taxes, knows that many of them require a username and password. That is an inefficient process.”
Klau emphasized that the program prioritizes user privacy and consent. As proposed, the system would be fully compliant with applicable state and federal statutes and policies, including the Information Practices Act, and the Health Insurance Portability and Accountability Act (HIPAA). Also, every user would be required to consent to and designate each service authorized to receive personal information for the creation of the digital ID.
Because every agency and department now runs its own login systems, the proposed ID ecosystem would facilitate better oversight and monitoring for potential fraud through centralization, Klau said.
“Currently there are 50 sets of login systems where there is no centralization of visibility into the log-in activity, which means if there is bad actor who is trying to compromise accounts or attack the systems, it’s not visible at the state level,” he said. “When you centralize information, you give us better insight to be able to distinguish good activity and bad activity that we would want to stop.”
Approved in budget legislation, the funds will pay for a “Digital ID Product Owner” to develop the product vision, strategy, and roadmaps, and a “Business Relationship Manager” to lead the partnership with state entities to build and evaluate the business cases to support investment decisions. The product owner would determine which two entities to engage in the proof-of-concept effort.
In a letter to the Governor and legislative leaders, ACLU California Action and the Electronic Frontier Foundation, wrote that the proposal is “vaguely justified and poorly articulated.” The letter questioned why the program is needed and how it will work and cites serious concerns about user privacy and security. The letter said, for example, that the proposal does not stipulate that every level of government that has access to the system’s data is bound by the state Information Practices Act, nor does it require an independent oversight agency or auditor to guard against privacy abuses.
The Assembly Budget Subcommittee No. 4 also raised concerns. Committee staff documented in its May agenda that the proposal’s assertions of privacy protections “are not durable” because they are not included in statutory or budget language.
In response to cited privacy concerns, Klau emphasized that the system will be designed to put users in control of the information they provide and how it will be used.
“It’s fundamental that in order for residents to trust us they need to know their information is theirs, and should they choose to share it in order to effect a transaction or update their information, that they can control it,” Klau said.
He added that the California Department of Technology would report back to the legislature every six months on the project’s progress and to address any concerns as they emerge.