The Senate Commerce Committee today passed legislation that could create national standards for authenticating people's identities on the Net without the privacy protections pushed by consumer advocates.
Sen. Spencer Abraham's (R-Michigan) Government Paperwork Elimination Act requires agencies to put more forms online and to set up systems to accept "digital signatures" within 18 months of the bill's passage.
Digital signatures are attached to email messages or forms sent over the Net to verify a person's identity and to ensure the message wasn't tampered with during transmission. Digital signatures could be handed out by certification authorities such as the government, which would have to take certain steps to confirm a person's identification.
The technology is seen as critical to bolster the security of e-commerce as well as legal and contractual transactions on the Net.
Congress is considering several bills that deal with digital signatures, but today's vote moves this bill further along than any of the others so far. The bill would help set up an infrastructure to let people conduct government-oriented business online, such as renewing a driver's license or filing for permits.
But groups such as the Center for Democracy and Technology (CDT) are concerned that the bill doesn't include privacy protections for information collected by third parties that certify digital signatures.
Based on the intended use of the signature, a third-party certification authority could collect various data including a person's Social Security, credit card, or driver's license number, along with contact or employment information.
Whereas information collected by the federal government is protected by the Privacy Act of 1974, many electronic signature systems use commercial third parties that are not governed by that law, the CDT said.
"While CDT supports the idea of making government more accessible online, the bill would give the federal government overly broad discretion to set standards for the emerging digital signatures marketplace, with very little guidance from Congress and with no privacy protection for new information collected in the process," the CDT said in a statement today.
"A [third-party certification authority] may also collect information about how the signature is used, creating a rich database of a person's communications with the government about such topics as social security benefits, health care, taxes, or other sensitive topics," the CDT added. "Nothing prevents signature providers from selling this information or using it for their own marketing purposes."
Privacy advocates say digital signature legislation should encourage various certificate authorities, not favor particular technologies, industries, or certificate providers, and should adopt fair information practice principles such as not passing on data without the knowledge and consent of the subject.