SpruceID

Utah just set a new standard for digital identity in the United States. With SB 275 (State-Endorsed Digital Identity Program Amendments), the state moves beyond principles and into practice, establishing a State-Endorsed Digital Identity (SEDI) program that puts user control, privacy, and accountability at the center. Building on last year’s SB 260, this new law:  ➡️ Codifies a digital identity bill of rights, including the right to a physical ID, selective disclosure, and freedom from surveillance  ➡️ Requires privacy-preserving architecture, limiting tracking and cross-context correlation by design  ➡️ Establishes enforceable obligations across the ecosystem, from wallet providers to relying parties  ➡️ Introduces real enforcement mechanisms, including oversight by the data privacy ombudsperson and civil action by the attorney general A key shift is the move from simply restricting bad behavior to requiring systems that make misuse technically difficult. With this bill, Utah’s approach demonstrates what’s possible when policymakers and technologists work together to build identity systems that are both usable and rights-preserving. We're encouraged to see legislation that centers on user control and privacy in this way, and we hope it serves as a model for other states exploring digital identity. Read more about our thoughts on SB 275 in our most recent post: https://lnkd.in/gruHUmtU

Is your document intake system creating security risks? Many government agencies focus on protecting core infrastructure, but document intake can sometimes be the weakest link. Here are 5 warning signs: → Your system accepts files without meaningful requirements or size limits → Documents remain in your system without retention or deletion policies → Sensitive documents are accessible beyond the staff who need them → Files are accepted without validating their actual contents → You lack visibility into who accessed documents, when, and how Each of these creates exposure. We put together a brief list to help evaluate each of these areas and provide practical steps you can take: https://lnkd.in/gDPraQMi

Internet Identity Workshop has always been a place where the most important ideas in identity actually take shape - not just presented, but debated, refined, and built on in real time. It brings together the people doing the work across standards, government, and industry in a way that’s hard to replicate anywhere else. We’re honored to support the conversations (and the snack table) that make this collaboration possible.

Digital identity is at a turning point. Governments are moving from pilots to production, and credentials are being issued at scale. But one question still matters most: Are these systems actually improving how people access services? The answer is in outcomes: – Can residents complete services faster? – Do more people successfully finish applications? – Are underserved communities seeing better access, or not? – Are staff spending less time on manual verification? Verifiable digital credentials should reduce friction, not introduce new barriers. We put together some practical thoughts around KPIs for agencies that measure real impact, not just activity: https://lnkd.in/gNDtBZyj

You can get the budget, vendor, and security right, and still see digital identity adoption stall. Verifiable digital credentials introduce a new trust model. Staff are asked to verify identity without familiar visual cues. Residents are asked to trust that sharing from their phone reveals only what’s necessary. In both cases, people are making real-time decisions about privacy, risk, and correctness. Without clear answers, they default to what they know. That’s why change management isn’t a support function, it’s part of the system. In this blog, we share tips we've seen help drive adoption - from aligning stakeholders early to training for real-world confidence, communicating privacy clearly, and building feedback loops that improve trust over time. Read more: https://lnkd.in/gQu2YESm

NIST National Cybersecurity Center of Excellence (NCCoE) just released a new practice guide on using mobile driver’s licenses (mDLs) in financial services, now open for public comment over the next 45 days. SpruceID had the opportunity to collaborate on this project alongside a broader ecosystem of partners to help build and test the reference architecture. The guide walks through how banks can accept mDLs for things like account opening, authentication enrollment, and high-risk transaction verification. Having worked on the implementation, a few things stood out: 1. mDLs are no longer theoretical, but integrating them into existing identity systems is where the real work is 2. Verifiers are emerging as a distinct layer, not just a feature inside applications 3. Identity orchestration matters more than any single component 4. Trust frameworks and ecosystem coordination are still the biggest unlock for adoption If you’re working in identity, this comment period is a good opportunity to engage. A lot of the direction gets shaped by real-world feedback at this stage. We wrote more on what we learned from the build here: https://lnkd.in/ghU8akAT Link for comments: https://lnkd.in/giRqy_TY

What is document intake? It's the process of collecting, validating, and structuring citizen-submitted documents. Every government digital service starts here, whether it's benefits applications, permit requests, or license renewals. Three things document intake determines: - Fraud prevention: Can you verify documents are authentic before processing? - User experience: Can residents submit documents easily, or do they face friction and errors? - Downstream automation: Are documents structured so systems can read and route them automatically? Document intake isn't just a technical step. It's the foundation that makes everything else possible. Learn more: https://lnkd.in/gQuwK_4q

California’s DMV adopted a dual-format approach for its mobile driver’s licenses, supporting both ISO 18013-5 mDL and W3C Verifiable Credentials. Different verification contexts require different technical formats: in-person verification at TSA checkpoints relies on ISO mDL, while online interactions are better supported by W3C credentials. Single-format systems can limit future policy and technical flexibility. Multi-format architectures allow states to support multiple verification environments without redesigning credential infrastructure. At SpruceID, our architecture allows both formats to be issued from the same credential data, enabling interoperability. Learn more: https://lnkd.in/gC_C2DD7

When systems can’t trust each other, residents are asked to prove who they are repeatedly. That’s not a workflow problem, it’s an interoperability problem. Interoperability means agencies verify credentials using open standards, not vendor-specific APIs. It’s how a credential issued once can be trusted across departments, securely and privately. Federal guidance already calls for standards-based identity under NIST SP 800-63. The real question is whether procurement enforces it. Digital identity is civic infrastructure. It should be open, interoperable, and built to preserve user choice. Learn more: https://lnkd.in/gZwU4GRS

KYC is ineffective, expensive, and burdensome. It's time for an upgrade. We see just such a proposal in an exciting comment letter submitted to Secretary Bessent and his U.S. Department of the Treasury crypto team on implementation of GENIUS. It was submitted by the team at SpruceID (see it here https://lnkd.in/ecFtHEyp). The letter argues that the BSA/AML framework (built for a paper/intermediary era) should be modernized for digital assets by recognizing high-assurance digital identity + privacy-preserving cryptography + standardized APIs as first-class compliance evidence—so institutions can detect illicit activity more effectively while collecting less sensitive personal data. It argues we should adopt an Identity Trust model. Taking this approach, regulated entities (e.g., banks/trust companies/supervised providers): - verify users once -issue encrypted/pseudonymous credentials -support unlinkable transaction identifiers, and - enable lawful access via a threshold-key process (court + Identity Trust, conceptually). The model’s four stages—Identifying, Transacting, Investigating, Monitoring—are positioned as a privacy-preserving way to achieve BSA identification where required. The rundown of Spruce's proposals are: 1) Treat verifiable digital credentials (VDCs) as valid Customer Identification Program (CIP)/Customer Due Diligence (CDD) evidence, including as “documentary” methods where appropriate, with assurance baselines like NIST IAL2+ and issuers such as government authorities / approved institutions / identity trusts. 2) Enable/recognize privacy-preserving “attribute verification” (data minimization) so compliance can be satisfied by proofs like “not on OFAC list” without routinely collecting full PII. 3) Create or approve a financial-sector trust registry of approved credential issuers (e.g., DMVs, regulated FIs, certified identity providers), aligned with interoperability standards (the letter references NCCoE). 4) [THE BIG ONE] Use existing exemptions/relief authority to allow early adopters to treat validated credentials as acceptable documentary evidence for CIP (the letter explicitly points to using exemptions authority). 5) Modernize the Travel Rule to allow VDC-based transmission (i.e., transmitting verifiable proofs instead of plaintext PII), with conditions like trusted issuance, IAL2+, binding to required data, real-time validity checks, and lawful access on legal request. 6) Standardize “verifiable real-time APIs” and technical profiles and clarify what evidence (logs/signatures/receipts) satisfies BSA obligations. If we are going to improve consumers' lives by fixing KYC, we need the full engagement of the Treasury and other agencies like U.S. Securities and Exchange Commission where I have to imagine Chair Atkins and Commissioner Peirce would be in favor of an upgrade. Pursuing a sandbox or other MVP in-the-wild trial of such a system could change things for the better.