Identity Tech Meets the Fourth of July: Your Digital Papers, Please

Elizabeth Garber’s warning to the identity industry is blunt: Better digital ID may expand rights. Built badly, it may also make rights easier to revoke.

Independence Day is a funny time to talk about digital identity.

Not funny “ha ha,” exactly. More funny in the way fireworks are funny when your uncle insists he knows what he’s doing with a Roman candle in one hand and a beer in the other.

But July Fourth is, at least in theory, the holiday where America pauses to celebrate freedom, rights, liberty and the radical idea that people should not have to ask permission from power to exist.

Digital identity sits right in the middle of that promise.

Because freedom, in practice, has always required paperwork.

A birth certificate. A driver’s license. A passport. A work permit. A student visa. A Social Security number. Those card-sized artifacts of belonging can determine whether you can board a plane, rent an apartment, open a bank account, get a job, enroll in school or prove to a bored TSA agent that you are, in fact, you.

That is the uncomfortable power of identity systems: They can help people exercise their rights. They can also make those rights easier to suspend, search, revoke or weaponize.

That is why Elizabeth Garber’s argument in May at the European Identity and Cloud Conference 2026 cut through the noise: digital identity is not just about slick wallets or a friendlier DMV. It is about power — who has it, who grants it, who loses it, who gets to appeal when the system says no.

“We build the technologies that sit at the beating heart of politics,” Garber told the EIC audience. “Who belongs and who does not?”

There it was: the fireworks, the flags, the whole July Fourth civic pageant — compressed into one database query.

Garber is not anti-identity tech. She is the person in the disaster movie pointing at the hairline crack in the dam while everyone else is still admiring the architecture.

Garber, founder of Humanitech Consulting, works on human-centric, rights-enhancing identity: verifiable credentials, mobile IDs, privacy-preserving proofing — the plumbing behind one of civilization’s oldest questions: Who are you, and what are you allowed to do?

If it sounds dry, it’s not.

Identity is IAM for real life. Authentication, authorization and access control — only instead of deciding who gets into Salesforce, the system can decide who gets a job, a bank account, a hospital bed, a boarding pass or a knock at the door.

Garber’s warning is not that digital identity is bad. Quite the opposite. Her central argument is the United States needs better identity infrastructure. People without reliable documents are locked out of housing, health care, education, banking and employment. Fraud is real. Access gaps are real. The current system is not some analog Eden. It is more like a DMV designed by Franz Kafka after a long lunch.

Garber’s example was the unhoused population. Roughly a quarter of unhoused people lack ID at any given time, she said — documentation they need to access housing, education and basic services.

So yes, build better ID.

But do not pretend better ID is automatically freedom-enhancing just because the demo has rounded corners and a cheerful UX.

July Fourth celebrates the idea that rights are not favors handed down by whoever controls the clipboard. Life, liberty and the pursuit of happiness were not supposed to come with a terms-of-service update and a revocation API.

That is the trap.

Especially in a country that still does not have comprehensive privacy legislation and has a long, bipartisan fondness for surveillance tools once someone waves the magic phrase “national security” over the procurement form.

Vendors do not need to be villains for this to go wrong. That is almost the point.

Most of the identity industry is not sitting around a conference table plotting dystopia over stale muffins. Many are trying to solve real problems: fraud, access, account recovery, credential portability, government service delivery, age verification, benefit access, workplace onboarding.

Take age verification. A bar, pharmacy, delivery app or online service may need to know whether someone is over 21. It does not need their full name, home address, height, weight, eye color, organ donor status and whatever tragic haircut was captured at the RMV.

A well-designed credential can answer the question being asked — yes, this person is old enough — without turning every transaction into a tiny identity strip search.

Good. Necessary. Boringly important.

But tools built for convenience in one administration can become tools for targeting in another. A credential that lets someone prove eligibility today can become the record that helps identify them tomorrow. A mobile ID that makes daily life easier can also become part of a searchable, revocable, location-adjacent identity layer if the system is built without hard limits.

Garber asked the EIC audience to imagine a world where “government-issued identities” live on phones, legal status is “bound to our fingertips, our faces, and our devices,” and mobile carriers already know where people are.

“Now, imagine that your credentials are suddenly revoked,” she said. “Maybe you’re an immigrant, maybe you held the wrong sign at a protest, maybe they don’t like how you dress.”

That is the part the industry tends to soften with words like “governance,” “trust framework” and “stakeholder alignment,” which is how technologists say “please don’t make this about power.”

Sorry. It is about power.

Garber put it more starkly: identity sits at the “beating heart of politics.” Who belongs? Who does not? Who can prove it? Who decides? Who audits the decider? Who gets an appeal when the database shrugs?

The Fourth of July version is simpler: What good is liberty if your rights can be deprecated in the next release?

This is where the conversation gets uncomfortable for vendors, standards bodies and government buyers. Because “trust” cannot just mean “the issuer is legitimate” or “the cryptography checks out.” A perfectly valid credential can still participate in an abusive system. A technically elegant wallet can still become a tracking surface. A standard can be neutral in theory and combustible in practice.

Trains are useful. So are identity systems. The historical problem was never that trains existed. It was where they were ordered to go, as Garber put it.

That analogy is harsh. It should be.

The identity industry is building infrastructure that future leaders, agencies, courts, employers, platforms and police departments may inherit. Some will use it well. Some will not. Designing only for the benevolent user is malpractice with a slide deck.

And we do not need to point to China’s facial-recognition state or Russia’s surveillance dragnet to make the case. We have our own domestic starter kit.

Look at Flock Safety and the rapid spread of automated license plate readers. The pitch is public safety: find stolen cars, solve shootings, catch suspects faster. Fine. Those are real problems. But the same network also turns streets, parking lots and neighborhood entrances into a searchable record of where cars — and therefore people — have been.

That is not science fiction. That is procurement.

Garber made the broader point bluntly: “If the state’s going to surveil, they’re going to surveil. But we don’t have to make it easy.”

Garber’s prescription is not to stop building. It is to build bravely.

That means more than shipping privacy claims in 8-point type.

It means foundational ID that is portable, persistent and privacy-preserving. It means selective disclosure, zero-knowledge proofs, biometric cryptography and systems that allow people to prove what is necessary without revealing their whole lives like they are dumping a purse onto a TSA table.

“We need to be building bravely the tools and the rules,” Garber said.

It means provenance and authenticity tools, including standards that help people know what is real in a world where fake images, doctored videos and synthetic outrage now arrive faster than a correction can load.

It means legal protections, not just policy vibes. Comprehensive privacy law. Strict limits on secondary use. Surveillance restrictions with teeth. Digital civil rights that survive a change in administration, business model or attorney general.

The United States has privacy laws, plural, which is part of the problem. California has the CCPA, Colorado has its own version, and Europe has the GDPR. What the U.S. still lacks is a single national privacy baseline strong enough to tell companies and governments: No, you may not collect everything just because you can, or wave “security” over surveillance to make it legal.

That is the legal layer Garber is talking about. Not another banner. Not another disclosure. Actual rules.

And it means vendors have to get comfortable hearing critics before the critics become plaintiffs, regulators or front-page stories.

Cybersecurity already has a model for this, imperfect but useful: CISA’s Secure by Design push, which tells vendors to stop dumping risk on users, and the anti-ransomware playbook, where government, industry and defenders share signals and make the ecosystem harder to abuse.

Identity needs its own version of that muscle memory — except the adversary is not always a ransomware crew in a hoodie.

Sometimes the adversary is the quiet institutional temptation to collect more than necessary, retain it longer than necessary, connect it to more systems than necessary and call the whole thing modernization. It is the invisible hand of our worst impulses, only with procurement authority and a compliance memo.

That is why the table cannot be limited to vendors and agencies. It also needs civil liberties groups, privacy engineers, public defenders and the people most likely to be harmed when “innovation” becomes infrastructure.

There are signs of maturity here. The debate over mobile driver’s licenses, server retrieval and Utah’s digital identity bill showed that parts of the identity community can still do something rare in tech: argue in public, listen, adjust and not immediately behave like every critique is an attack on shareholder value.

More of that, please.

The industry should not be afraid of hard questions. It should be afraid of easy answers.

“Trust us” is not an architecture.

“Policy will handle that” is not a control.

“The data is encrypted” is not a civil liberties strategy.

And “the user consented” is doing a lot of unpaid overtime in a world where consent often means tapping “accept” because the line is long, the app is mandatory or the alternative is explaining to a uniformed person why you would prefer not to use the faster face-scanning lane.

Airport biometrics are the polite version of the problem. Officially, participation may be voluntary. Practically, the choice is made in public, under time pressure, with a boarding pass in your hand and a line of people behind you silently wishing you would stop having principles.

That is not meaningful consent. That is UX with a cattle prod.

This is the Independence Day identity challenge: Build systems that help people carry their rights with them, without building systems that make people easier to follow.

That is not anti-vendor. It is pro-survival.

The best identity companies should welcome this framing. Rights-enhancing identity is not a moral accessory. It is the product category that should win. Privacy-preserving proofing, minimal disclosure, local biometric storage, warrant-aware architecture, revocation due process — these are not soft features. They are the difference between infrastructure people trust and infrastructure people eventually fear.

And yes, this is where the data-broker and surveillance-analytics crowd should start sweating through the fleece vest. If your business model depends on collecting more, linking more, retaining more and making people easier to find, score or sort, then “rights-enhancing identity” is not a slogan. It is a threat model with better manners.

America has always been loud about freedom and weird about papers. This year, as the fireworks go up and politicians compete to say “liberty” with the most jaw tension, the identity industry should ask a less ceremonial question: Are we building systems that protect people when the law is fair? Or systems that still protect them when it is not?

Because the real test of identity infrastructure is not whether it works when everyone in power is reasonable.

The real test is whether it protects the person who falls out of favor.

That person may be an immigrant. A student. A protester. A journalist. A patient. A worker. A woman crossing state lines. A teenager with the wrong marker in a government database. Someone without a stable address. Someone with the wrong surname, wrong ZIP code, wrong politics or wrong luck.

Or, eventually, you.

Happy Independence Day.

Now show me your papers.

Photo by Mick Haupt on Unsplash

Author

  • Tom Spring

    Tom Spring is a cybersecurity journalist covering identity, AI, cloud security and enterprise risk. He is the founder of Security Point Break and former Senior Editorial Director at CyberRisk Alliance, where he led coverage for SC Media, MSSP Alert and ChannelE2E.

    An award-winning reporter, his work has been recognized by the Society of Professional Journalists, ASBPE and the Jesse H. Neal Awards. He focuses on cutting through cybersecurity hype to deliver clear, grounded reporting for security and business leaders.

Total
0
Shares

Leave a Reply

Previous Article
Fake Interpol investigation email phishing scam targeting small businesses with ransomware

No, Interpol isn't Investigating You: That ‘Evidence’ is Ransomware

Next Article
Illustration of stacked WinRAR-style archive books cracking open as a bug emerges, representing a security flaw in WinRAR's file recovery feature

WinRAR Patches Critical Flaw Enabling Remote Code Execution

Related Posts

Discover more from Security Point Break

Subscribe now to keep reading and get access to the full archive.

Continue reading