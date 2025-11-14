Legal Safeguards Required to Prevent Digital ID Authoritarianism in America

The United States stands at a critical juncture where the infrastructure for comprehensive surveillance already exists, requiring urgent legal restrictions to prevent digital identity systems from enabling Chinese-style social control. The FBI accesses 640+ million facial images,1 government agencies purchase location data from apps without warrants,2 and 20 states are deploying mobile driver’s licenses with potential tracking capabilities3—all while operating in a legal vacuum with protections designed for the analog age. Without immediate comprehensive legislation establishing data minimization, warrant requirements for government access, prohibition on tracking architectures, and independent oversight, America risks creating the technical foundation for authoritarian control that differs from China only in current political will to activate it, not technical capability.

The surveillance infrastructure is already built

America has constructed a vast public-private surveillance apparatus that rivals China’s technical capabilities. The Next Generation Identification system provides FBI access to over 640 million photos4 through connections to state DMV databases, Department of State passport photos, and Department of Defense biometric systems. This means one in two American adults already appears in law enforcement facial recognition databases without comprehensive legal protections, accuracy standards, or warrant requirements for searches.

The data broker loophole enables government agencies to circumvent the Fourth Amendment entirely. The FBI, IRS, DEA, DHS, Department of Defense, and ICE all purchase commercially available data5—including precise location information from Muslim prayer apps, protest attendance from social justice movements, and comprehensive personal profiles—without obtaining warrants. A classified 2022 ODNI report confirmed intelligence agencies buy “significant amounts” of commercially available information6 that would otherwise require judicial authorization, creating what the ACLU calls government “buying its way around the Constitution.”

Fusion centers in 79 locations nationwide integrate federal, state, local, and private sector data streams with what Senate investigations described as “ambiguous lines of authority”7 that enable “policy shopping” to evade oversight. These centers already document First Amendment-protected activities including protests and religious gatherings, yet a 2012 Senate report found no instances where they prevented terrorist attacks8—revealing mission creep toward political surveillance.

The technical architecture for comprehensive tracking exists today. TSA deploys Credential Authentication Technology 2 units with facial recognition at 250+ airports,9 20 states have received waivers for mobile driver’s licenses that could enable “phone home” tracking,10 and the Fusus platform integrates public and private cameras across 60+ U.S. cities.11 Combined with Ring doorbell partnerships with police and ubiquitous license plate readers, America possesses the infrastructure for real-time population tracking—it simply lacks activation through unified legal authority and centralized databases.

China’s model reveals the authoritarian endpoint

China’s social credit system, while more fragmented than Western media portrays, demonstrates how digital identity infrastructure enables comprehensive behavioral control when legal protections are absent. The system has restricted travel for 17.5 million flight purchases and 5.5 million high-speed rail purchases12 through blacklisting mechanisms that operate without due process, meaningful appeal, or clear standards for removal. Individuals face restrictions for unpaid court fines, contractual disputes, and critically—for political dissent.

The weaponization against minorities and dissidents reveals the system’s true purpose. In Xinjiang, the Integrated Joint Operations Platform flags Uyghurs for “pre-crimes” including praying regularly, possessing many books, traveling to certain cities, or having relatives overseas.13 A 2020 Human Rights Watch analysis of 2,000+ detainees found only 10% listed for “terrorism”—the remaining 90% were detained for entirely lawful activities.14 One woman was sent to forced labor for receiving four phone calls from her sister abroad. A man faced detention for studying the Quran in the 1980s and “letting his wife wear a veil” in the early 2000s.

The surveillance infrastructure supporting this control includes 700+ million cameras with facial recognition, WiFi sniffers collecting device identifiers, countless security checkpoints requiring national ID scans, and mandatory biometric collection15 (DNA, iris scans, voice recordings, facial images) for ages 12-65. The digital national ID card serves as the linchpin—required for train tickets, hotel stays, SIM card purchases, social media accounts, banking, and even fuel purchases in Xinjiang. Every transaction, movement, and interaction generates data fed into predictive algorithms that flag “ideological instability.”

Public-private cooperation blurs surveillance boundaries. The Supreme People’s Court blacklist integrates directly into Alibaba platforms, preventing defaulters from making luxury purchases.16 U.S. technology companies—including IBM, Intel, Dell, and Nvidia—supplied surveillance technology to Chinese police17 despite knowledge of use targeting ethnic and religious minorities. This demonstrates how corporate profit motives align with government surveillance objectives absent strong legal restrictions.

Constitutional protections provide the framework

The Supreme Court has established clear Fourth Amendment protections applicable to digital identity systems, though enforcement remains incomplete. Carpenter v. United States (2018) required warrants for historical cell-site location data,18 recognizing that comprehensive digital information constitutes a Fourth Amendment search even when stored by third parties. The Court explicitly rejected extending the third-party doctrine to digital-age technologies, noting that merely using modern technology should not strip away constitutional protections.

Chief Justice Roberts wrote that cell phones provide “near perfect surveillance” creating an “exhaustive chronicle” of location and movements.19 The decision established factors courts must consider: the intimacy and comprehensiveness of data, retrospective capability, whether surveillance is “deeply revealing,” and the involuntary nature of data generation. Digital ID systems that continuously track location, transactions, services accessed, or create comprehensive dossiers would clearly trigger Carpenter’s protections.

Riley v. California (2014) unanimously required warrants to search cell phones20 even incident to arrest. The Court recognized that modern phones contain “the privacies of life” and that technology allowing individuals to carry information in their hands “does not make the information any less worthy of the protection for which the Founders fought.” Since most mobile driver’s licenses store on smartphones, Riley protections apply—law enforcement cannot search contents without warrants except in narrow emergency circumstances.

First Amendment protections against surveillance chilling effects remain robust in doctrine if weak in enforcement. Americans for Prosperity Foundation v. Bonta (2021) struck down California’s donor disclosure requirements21 as unconstitutionally chilling associational rights, even with confidentiality assurances, because history of leaks created “unnecessary risk.” The Court applied heightened scrutiny and found the disclosure requirement failed narrow tailoring. Digital ID systems requiring real-name identification for accessing protected speech, or tracking individuals’ expressive activities, face strict scrutiny requiring compelling interests achieved through least restrictive means.

The Fourteenth Amendment’s procedural due process protections apply directly to digital ID systems. Elhady v. Kable (2019) found the federal Terrorist Screening Database violated due process22 because individuals lacked meaningful notice of inclusion, opportunity to challenge placement, or clear non-arbitrary standards. Courts have required notice, hearing, and appeal rights before government can place individuals in databases affecting liberty or property interests. Any social credit-style system restricting travel, employment, or services based on digital ID scoring would face similar constitutional challenges.

Current legal framework is fundamentally inadequate

The United States lacks comprehensive federal privacy legislation, instead relying on a fragmented “patchwork” of sectoral laws that leave digital identity systems largely unregulated.23 The Privacy Act of 1974, designed for paper records, cannot address networked databases, cloud computing, AI systems, or biometric authentication.24 It requires only “intentional and willful” violations for private rights of action, contains broad “routine use” exceptions, and applies only to government agencies—leaving private sector digital ID providers entirely uncovered.

The Electronic Communications Privacy Act dates to 1986—before commercial internet, smartphones, cloud storage, or modern surveillance technologies. Its “180-day rule” provides reduced protection for stored data, and it completely fails to address biometric authentication, continuous behavioral verification, or digital identity tracking. Constitutional scholar Neil Richards describes these laws as “ill-suited to the digital age” where people necessarily “reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”25

Most critically, America has no federal biometric privacy law whatsoever. Only Illinois’ Biometric Information Privacy Act provides meaningful protection through private right of action, written consent requirements, retention limits, and prohibition on selling biometric data.26 The law has generated significant enforcement—Meta paid $650 million in 202127 (the largest consumer privacy settlement in U.S. history), and BNSF Railway faced a $228 million jury award in 2022.28 Yet 27 states have minimal or no biometric protections,29 leaving facial recognition, fingerprint collection, and iris scanning largely unregulated outside Illinois, Texas, and Washington.

The third-party doctrine creates a constitutional black hole for digital privacy. Supreme Court precedents from the 1970s held that information voluntarily shared with third parties loses Fourth Amendment protection—allowing government to obtain information from banks, phone companies, ISPs, and email services without warrants. While Carpenter created a limited exception for highly sensitive location data, government agencies interpret the ruling narrowly, claiming it applies only to cell-site information.30 Nearly all cloud-stored data, IoT device information, smart home data, and health tracker information potentially remain unprotected.

State privacy laws proliferate rapidly—20 states enacted comprehensive privacy laws from 2018-202431—but create a compliance patchwork with critical gaps. Most lack private rights of action (California’s limited exception covers only data breaches), exempt employee and business-to-business data (California again excepted), and rely on under-resourced state attorneys general for enforcement. Only Illinois’ BIPA demonstrates that private enforcement drives meaningful corporate behavior change.

Data minimization must become foundational law

The most critical restriction on digital ID systems is mandatory data minimization—collecting only information strictly necessary for the stated verification purpose. The American Privacy Rights Act (H.R. 8818) introduced with bipartisan support in June 202432 establishes this principle, requiring collection be “necessary and proportionate” to service delivery with FTC guidance enforcement. California’s CPRA similarly requires collection be “reasonably necessary and proportionate” with risk assessments mandatory for high-risk processing.

Utah’s SB 260, recognized by the ACLU as the best state model,33 demonstrates effective implementation. The law mandates State-Endorsed Digital Identity use must be “free from surveillance, visibility, tracking, or monitoring by any other governmental entity or person.” It prohibits “phone home” capabilities where digital IDs notify government servers when used, enables selective disclosure allowing users to prove age requirements without revealing birth dates or exact ages, and explicitly bars government entities from requiring individuals to surrender mobile devices during verification.

European Union standards provide the international benchmark. eIDAS 2.0 requires EU Digital Identity Wallets implement privacy-by-design and privacy-by-default34 as mandatory principles, not optional features. Users control which attributes to share with third parties through selective disclosure, can generate pseudonyms stored only locally, and access dashboards showing all transactions with ability to report violations. Online service providers must receive certification from public authorities before requesting data, preventing arbitrary over-collection.

Technical implementation requires cryptographic protections. Zero-knowledge proofs enable verification of attributes (e.g., age over 21) without revealing underlying data (birth date, full name, address). Attribute-based credentials allow presentation of only necessary information for each transaction. Estonia’s X-Road platform demonstrates how distributed databases with secure interoperability prevent centralization while enabling cross-agency verification—800+ million digital signatures given from 2002-202235 without creating a single surveillance database.

Government access requires warrants and strict limits

The Fourth Amendment Is Not For Sale Act passed the House 219-199 in April 202536 with bipartisan support, prohibiting government purchase of data from brokers without warrants. Sponsored by Rep. Warren Davidson (R-OH), the legislation requires court orders before law enforcement or intelligence agencies purchase location data, communications records, or personal information collected from apps and services. Data obtained in violation would be inadmissible in court, creating an exclusionary rule that incentivizes compliance.

This closes the data broker loophole that currently enables circumvention of Carpenter protections. As the ACLU stated: “Bipartisan passage is a flashing warning sign to the government that if it wants our data, it must get a warrant.”37 The law addresses documented practices by CBP, ICE, FBI, DEA, IRS, Secret Service, and Defense Intelligence Agency purchasing location tracking, protest attendance, religious affiliation, and comprehensive personal profiles without judicial authorization.

Legal restrictions must extend beyond purchases to compelled disclosure. The Improving Digital Identity Act (S.884) passed the Senate Homeland Security Committee 11-138 and explicitly prohibits tracking or surveillance capabilities in federally-supported digital ID systems. President Biden’s January 2025 Executive Order stipulated that federal grants for mobile driver’s licenses must ensure credentials “should not enable surveillance or tracking of interactions in which the digital ID is used”39—establishing privacy protection as a condition of federal support.

Constitutional protections require notice of surveillance. As Professor Neil Richards argues based on Berger v. New York and Katz v. United States,40 targets have a right to know when government searches their data. Electronic surveillance must follow Title III requirements including warrant specification, duration limits, and eventual disclosure to subjects. Digital ID systems enabling secret government access violate these constitutional minimums regardless of technical capabilities to monitor undetected.

Purpose limitation and use restrictions must carry criminal penalties. Germany’s approach provides a model: their electronic ID includes “double-check verification” where an eID server validates both the individual’s identity and the service provider’s authorization to request specific data.41 Private entities cannot directly access ID information—they must receive certification demonstrating legitimate need for particular attributes. Unauthorized access or repurposing data for secondary uses (advertising, profiling, surveillance) triggers enforcement with meaningful consequences.

Transparency and oversight create accountability

Estonia’s Data Tracker tool represents the gold standard for transparency—citizens can see exactly who accessed their data, when, and for what purpose through public audit logs of all data access.42 Citizens can challenge unauthorized access through administrative and judicial processes. This transparency mechanism has operated successfully since 2002 with 99% adoption among Estonian residents and 800+ million digital transactions43 without creating a surveillance state.

Real-time transparency must extend to biometric systems. California’s 2026 regulations require annual audits for large data holders, risk assessments before initiating high-risk processing including facial recognition, and public disclosure of algorithmic decision-making logic.44 Companies must certify internal controls, document purposes and data categories used, identify third parties with access, and report disparate impact testing results. These requirements adapt to digital identity by making surveillance visible and contestable.

Independent oversight bodies with enforcement authority are non-negotiable. The proposed Digital Privacy Agency (H.R. 2701)45 would establish a federal entity with rulemaking authority, investigation powers, and civil penalty capabilities independent from industry influence. California’s Privacy Protection Agency, created in 2020 as America’s first dedicated state privacy enforcement agency,46 demonstrates the model—combining regulatory development, investigation, audit, and public reporting functions with adequate resources and technical expertise.

Fusion center operations require democratic accountability mechanisms currently absent. The 79 centers operate with what Senate investigations termed “ambiguous lines of authority” enabling evasion of oversight.47 Legal reform must mandate: public reporting on data sources and access, legislative oversight hearings, inspector general reviews, prohibition on monitoring First Amendment activities without individualized suspicion, and warrant requirements for accessing integrated databases. The 2012 finding that fusion centers provided no documented terrorism prevention value while monitoring political activists48 demands structural reform, not incremental adjustment.

Algorithmic transparency addresses the “black box” problem in digital identity verification. California’s ADMT regulations effective 202649 require businesses to disclose when automated decision-making affects consumers in financial services, employment, education, healthcare, or housing. Consumers gain rights to know about ADMT use, opt-out of significant automated decisions, appeal results, and access information about logic involved. Digital ID systems employing risk scoring, predictive analytics, or automated verification must provide these protections to prevent algorithmic discrimination and enable meaningful contestation.

Specific prohibitions prevent authoritarian drift

Legal restrictions must explicitly prohibit social credit-style systems. The Improving Digital Identity Act bans three specific practices:50 (1) creation of a national ID card, (2) establishment of a central national ID registry, and (3) mandatory participation in digital ID systems. These prohibitions, combined with Utah’s model statute preventing government surveillance and tracking, create legal barriers against the infrastructure that enables Chinese-style control.

Biometric surveillance networks require immediate prohibition. Current law permits FBI access to 640+ million facial images without warrant requirements, comprehensive accuracy standards, or bias testing mandates.51 Reform legislation must: ban real-time facial recognition in public spaces absent individualized warrants, prohibit creation of centralized biometric databases, require annual bias audits with public reporting, establish accuracy thresholds before deployment, and mandate deletion of biometric data after verification completes. Illinois BIPA provides the template: written consent before collection, written policies on retention and destruction, prohibition on sale, reasonable care in storage, and private right of action with statutory damages.52

Function creep demands statutory barriers. Singapore’s SingPass expanded from government services to private sector HR departments and crowdfunding platforms. India’s Aadhaar now links to voting registration despite Supreme Court rulings against mandates.53 Legal restrictions must specify permitted uses with criminal penalties for repurposing, sunset provisions requiring reauthorization for scope expansion, and prohibition on conditioning access to benefits or services on digital ID adoption absent explicit legislative authorization through public debate.

Blacklisting mechanisms without due process violate constitutional requirements established in Elhady v. Kable. Any system restricting travel, employment, housing, education, or financial services based on digital identity scoring must provide: pre-deprivation notice of adverse information, meaningful opportunity to challenge inclusion before restrictions activate, clear non-arbitrary standards for determination, regular review with burden on government to justify continuation, and expedited judicial review. China’s model of 17.5 million blocked flight purchases without appeal or clear removal criteria54 represents the precise opposite of constitutional due process.

Discriminatory deployment requires prohibition and remediation. NIST studies document that facial recognition shows significantly higher error rates for Black and Asian faces,55 while multiple wrongful arrests of Black individuals based on misidentification demonstrate real-world harms. Legal requirements must include: demographic bias testing before deployment, accuracy parity across racial and gender groups as deployment condition, prohibition on use where accuracy disparities exceed specified thresholds, notification to subjects when biometric identification contributes to adverse action, and right to human review of all automated identity decisions affecting substantial interests.

International best practices inform American reform

The European Union’s comprehensive framework combines strong legal protections with technical safeguards. eIDAS 2.0 establishes EU Digital Identity Wallets available to all citizens by 202756 with mandatory features: voluntary and free participation, user control over attribute sharing, selective disclosure enabling minimal data transmission, explicit consent via PIN for each transaction, prohibition on penalties for non-use, and decentralized architecture preventing central EU tracking databases. Integration with GDPR provides enforcement through independent Data Protection Authorities with fines up to €20 million or 4% of global revenue.

Germany’s privacy-first approach demonstrates that strong protections don’t prevent adoption. Their electronic ID launched in 2010 includes explicit user consent for each data transmission, PIN-based confirmation for every transaction, transparency about which information service providers request, and “double-check verification” where an eID server validates both the individual and the service provider’s authorization.57 Germany’s Federal Office for Information Security certifies service providers, preventing unauthorized data requests. Under-16s receive IDs with eID functions disabled by default, protecting minors through technical architecture.

Estonia’s 99% adoption proves that transparency builds trust rather than undermining it. The X-Road platform uses open-source distributed databases without centralization,58 enabling citizens to see all data access through public logs while preventing government from secretly surveilling. When a 2017 cryptographic vulnerability affected 750,000 ID cards, Estonia’s transparent disclosure, rapid certificate suspension, and systematic replacement demonstrated how democratic accountability handles security failures. Contrast with authoritarian systems where vulnerabilities remain hidden until catastrophic breaches occur.

Switzerland’s direct democracy reveals public skepticism about digital ID absent strong protections. The March 2025 referendum approved e-ID by only 50.39%59 after voters rejected a 2021 proposal involving private company control. The current system requires federal government management (not private corporations), video identification for verification, voluntary and free participation, and oversight by the Federal Data Protection and Information Commissioner. The close vote demonstrates that privacy protections and government (rather than corporate) control are prerequisites for democratic legitimacy.

The Netherlands balances innovation with protection through clear government roles, strong regulatory enforcement, and integration with GDPR. Their Data Protection Authority issued a €3.7 million fine to the Tax Authority for illegally processing personal data in fraud detection60—demonstrating that government must follow its own rules. This accountability distinguishes democratic digital ID from authoritarian systems where government operates above law.

Implementation must prioritize constitutional protections

Immediate congressional action should focus on passing the Fourth Amendment Is Not For Sale Act through the Senate following House passage, advancing the American Privacy Rights Act through committee markup, and holding oversight hearings on existing digital ID deployments examining privacy protections, surveillance capabilities, and constitutional compliance. States should adopt Utah SB 260 model legislation implementing the ACLU’s 12 essential features:61 no “phone home,” offline capability, selective disclosure, device protection, mandatory optionality, purpose limitation, and prohibition on secondary uses.

Agency reforms require moratoriums on warrantless data purchases, comprehensive reviews of surveillance programs, and implementation of Biden Executive Order digital identity guidelines across all federal departments. The FBI should suspend facial recognition database expansion pending comprehensive legal framework, TSA should pause additional mobile driver’s license waivers until privacy protections are established, and fusion centers should undergo immediate inspector general investigations examining First Amendment monitoring, legal authorities for integrated databases, and effectiveness versus civil liberties costs.

Short-term legislative priorities include enacting comprehensive federal privacy law with data minimization, purpose limitation, strong individual rights, meaningful penalties (percentage of revenue model), and private right of action. Update the Electronic Communications Privacy Act to address cloud storage, eliminate the 180-day rule, protect modern communications, and require warrants for all content access. Establish either a Digital Privacy Agency or significantly expand FTC authority62 with dedicated privacy division, adequate resources, rulemaking power, and enforcement capabilities.

Federal biometric privacy legislation modeled on Illinois BIPA must require opt-in consent before collection, retention and destruction policies, prohibition on sale without explicit authorization, reasonable security measures, and private right of action with statutory damages. Regulate facial recognition specifically through accuracy standards before deployment, bias testing with public reporting, prohibition on real-time surveillance absent individualized warrants, notification requirements when used for law enforcement, and restrictions on database size and retention.

Long-term systemic reforms include comprehensive surveillance law modernization updating FISA with privacy protections, requiring warrants for domestic communications incidentally collected, limiting data retention, strengthening oversight, and eliminating Section 702 “backdoor searches.” Legislatively reverse the third-party doctrine for digital-age data, codifying Carpenter protections for location information, communications, cloud storage, IoT data, and health information. Establish sunset provisions for surveillance authorities with mandatory reauthorization requiring demonstration of effectiveness, civil liberties compliance review, and public debate before renewal.

The window for protection is closing rapidly

The convergence of technical capability and legal vacuum creates urgent danger. FBI biometric databases encompass half of American adults, fusion centers integrate public-private data streams with minimal oversight, data brokers sell location and personal information to government without warrants, and mobile driver’s licenses deploy across 20 states without comprehensive privacy protections. The infrastructure for Chinese-style surveillance exists in America—only legal restrictions and political constraints prevent activation.

China’s trajectory from fragmented pilots to comprehensive control demonstrates how systems expand. What began as corporate compliance monitoring and court judgment enforcement evolved into predictive policing enabling mass detention of 1.8 million Uyghurs63 for lawful religious practice, family connections, and “ideological instability.” The Integrated Joint Operations Platform flags individuals for possessing books, traveling to certain cities, or receiving overseas phone calls—then mandates detention before any crime occurs under the principle that “suspicion cannot be eliminated.”

American vulnerabilities mirror China’s enabling architecture. Public-private cooperation blurs accountability boundaries—surveillance capitalism business models align corporate data collection with government intelligence interests.64 Data broker intermediaries circumvent constitutional protections, creating the functional equivalent of warrantless mass surveillance. Emergency justifications (post-9/11 authorities, COVID-19 tracking) normalize temporary measures that become permanent infrastructure. Partisan polarization creates incentives to weaponize surveillance tools against political opposition.

The primary barriers preventing authoritarian control are legal protections and democratic norms, both eroding. Third-party doctrine exempts most digital life from Fourth Amendment coverage. The Privacy Act’s 1974 text cannot address modern surveillance. No federal biometric privacy law exists. State laws proliferate but lack uniformity and enforcement teeth. Meanwhile, economic incentives favor surveillance expansion—tech companies profit from data monetization, government agencies seek investigative shortcuts, and the intelligence-industrial complex depends on contract revenue.

Constitutional protections mean nothing without enforcement mechanisms that make violations costly. Illinois BIPA’s private right of action generated more privacy protection than 50 years of federal legislation lacking such provisions. California’s dedicated Privacy Protection Agency demonstrates that independent oversight with resources and authority drives compliance. European fines reaching 4% of global revenue change corporate behavior in ways symbolic penalties cannot. Democratic accountability requires not just laws on paper, but institutional structures that operationalize rights through transparency, oversight, enforcement, and remedies.

The technical capability for authoritarian-style surveillance already exists in the United States. Activation requires only erosion of remaining legal protections, emergency justification for expanded authorities, or political will to weaponize existing infrastructure. The pathway from current surveillance state to Chinese-style control is shorter than most Americans realize—measured in software updates and executive orders, not constitutional amendments or public referendums. Legal restrictions must be comprehensive, technically sophisticated, democratically legitimate, and urgently enacted before the infrastructure becomes too entrenched and powerful to restrain. The United States faces a choice: establish robust legal protections now while democratic norms hold, or risk waking in a surveillance state where constitutional freedoms exist only in theory while digital identity systems enable comprehensive behavioral control in practice.

References

Footnotes

ACLU. “The FBI Has Access to Over 640 Million Photos of Us Through Its Facial Recognition Database.” American Civil Liberties Union, accessed November 2025. https://www.aclu.org/news/privacy-technology/fbi-has-access-over-640-million-photos-us-through ↩ Brennan Center for Justice. “Closing the Data Broker Loophole.” Brennan Center for Justice, accessed November 2025. https://www.brennancenter.org/our-work/research-reports/closing-data-broker-loophole ↩ ITIF. “The Path to Digital Identity in the United States.” Information Technology and Innovation Foundation, September 2024. https://itif.org/publications/2024/09/23/path-to-digital-identity-in-the-united-states/ ↩ Electronic Frontier Foundation. “Face Off: Law Enforcement Use of Face Recognition Technology.” Electronic Frontier Foundation, accessed November 2025. https://www.eff.org/wp/law-enforcement-use-face-recognition ↩ Center for Democracy and Technology. “Legal Loopholes and Data for Dollars: How Law Enforcement and Intelligence Agencies Are Buying Your Data from Brokers.” CDT, accessed November 2025. https://cdt.org/insights/report-legal-loopholes-and-data-for-dollars-how-law-enforcement-and-intelligence-agencies-are-buying-your-data-from-brokers/ ↩ NBC News. “U.S. government buys data on Americans with little oversight, report finds.” NBC News, accessed November 2025. https://www.nbcnews.com/tech/security/us-government-buys-data-americans-little-oversight-report-finds-rcna89035 ↩ Electronic Frontier Foundation. “Why Fusion Centers Matter: FAQ.” Electronic Frontier Foundation, April 2014. https://www.eff.org/deeplinks/2014/04/why-fusion-centers-matter-faq ↩ Wikipedia. “Fusion center.” Wikipedia, accessed November 2025. https://en.wikipedia.org/wiki/Fusion_center ↩ TSA. “Digital Identity and Facial Comparison Technology.” Transportation Security Administration, accessed November 2025. https://www.tsa.gov/digital-id ↩ Fortune. “America needs a digital identity strategy.” Fortune, September 2025. https://fortune.com/2025/09/13/online-life-america-needs-digital-identity-strategy-will-wilkinson/ ↩ Privacy International. “Public-Private Surveillance Partnerships Tracker.” Privacy International, accessed November 2025. https://privacyinternational.org/examples/public-private-partnership-tracker ↩ MIT Technology Review. “China’s social credit system stopped millions of people from buying travel tickets.” MIT Technology Review, March 2019. https://www.technologyreview.com/2019/03/04/136791/chinas-social-credit-system-stopped-millions-of-people-buying-travel-tickets/ ↩ Human Rights Watch. “China: Big Data Fuels Crackdown in Minority Region.” Human Rights Watch, February 2018. https://www.hrw.org/news/2018/02/27/china-big-data-fuels-crackdown-minority-region ↩ China Digital Times. “Aksu List Shows Arbitrary Imprisonment, Extensive Surveillance of Uyghurs.” China Digital Times, December 2020. https://chinadigitaltimes.net/2020/12/aksu-list-shows-arbitrary-imprisonment-extensive-surveillance-of-uyghurs/ ↩ Wikipedia. “Mass surveillance in China.” Wikipedia, accessed November 2025. https://en.wikipedia.org/wiki/Mass_surveillance_in_China ↩ TechNode. “Blacklists and redlists: How China’s Social Credit System actually works.” TechNode, October 2018. https://technode.com/2018/10/23/china-social-credit/ ↩ Human Rights Watch. “China’s Chilling ‘Social Credit’ Blacklist.” Human Rights Watch, December 2017. https://www.hrw.org/news/2017/12/12/chinas-chilling-social-credit-blacklist ↩ Supreme Court of the United States. “Carpenter v. United States.” 585 U.S. ___ (2018). https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf ↩ Legal Information Institute. “Carpenter v. United States.” Cornell Law School, accessed November 2025. https://www.law.cornell.edu/supremecourt/text/16-402 ↩ Supreme Court of the United States. “Riley v. California.” 573 U.S. 373 (2014). https://supreme.justia.com/cases/federal/us/573/373/ ↩ Wikipedia. “Strict scrutiny.” Wikipedia, accessed November 2025. https://en.wikipedia.org/wiki/Strict_scrutiny ↩ Syracuse Law Review. “Federal Judge Finds Terrorism Watchlist Unconstitutional.” Syracuse Law Review, accessed November 2025. https://lawreview.syr.edu/federal-judge-finds-terrorism-watchlist-unconstitutional/ ↩ Security.org. “47 States Have Weak or Nonexistent Consumer Data Privacy Laws.” Security.org, accessed November 2025. https://www.security.org/resources/digital-privacy-legislation-by-state/ ↩ Wikipedia. “Privacy Act of 1974.” Wikipedia, accessed November 2025. https://en.wikipedia.org/wiki/Privacy_Act_of_1974 ↩ Princeton Legal Journal. “Carpenter v. United States, the Stored Communications Act, & the Third Party Doctrine in the Digital Age.” Princeton Legal Journal, accessed November 2025. https://legaljournal.princeton.edu/carpenter-v-united-states-the-stored-communications-act-the-third-party-doctrine-in-the-digital-age/ ↩ Wikipedia. “Biometric Information Privacy Act.” Wikipedia, accessed November 2025. https://en.wikipedia.org/wiki/Biometric_Information_Privacy_Act ↩ Bloomberg Law. “Is Biometric Information Protected by Privacy Laws?” Bloomberg Law, accessed November 2025. https://pro.bloomberglaw.com/insights/privacy/biometric-data-privacy-laws/ ↩ ACLU of Illinois. “Biometric Information Privacy Act (BIPA).” ACLU of Illinois, accessed November 2025. https://www.aclu-il.org/en/campaigns/biometric-information-privacy-act-bipa ↩ Hall Booth Smith. “Update On Global Biometric Laws.” Hall Booth Smith, accessed November 2025. https://hallboothsmith.com/update-global-biometric-laws/ ↩ Columbia Law Review. “Laundering Data: How the Government’s Purchase of Commercial Location Data Violates Carpenter and Evades the Fourth Amendment.” Columbia Law Review, accessed November 2025. https://columbialawreview.org/content/laundering-data-how-the-governments-purchase-of-commercial-location-data-violates-carpenter-and-evades-the-fourth-amendment/ ↩ White & Case LLP. “US Data Privacy Guide.” White & Case, accessed November 2025. https://www.whitecase.com/insight-our-thinking/us-data-privacy-guide ↩ Congress.gov. “The American Privacy Rights Act.” Congress.gov, accessed November 2025. https://www.congress.gov/crs-product/LSB11161 ↩ American Civil Liberties Union. “There’s Only One State That is Asking the Right Questions About Digital Identity.” ACLU, accessed November 2025. https://www.aclu.org/news/privacy-technology/digital-id-utah ↩ European Commission. “European Digital Identity (EUDI) Regulation.” Shaping Europe’s digital future, accessed November 2025. https://digital-strategy.ec.europa.eu/en/policies/eudi-regulation ↩ e-Estonia. “ID-card.” e-Estonia, accessed November 2025. https://e-estonia.com/solutions/estonian-e-identity/id-card/ ↩ CyberScoop. “House passes bill to limit personal data purchases by law enforcement, intelligence agencies.” CyberScoop, accessed November 2025. https://cyberscoop.com/house-passes-4th-amendment-is-not-for-sale-act/ ↩ The Hill. “House passes bill requiring warrant to purchase data from third parties.” The Hill, accessed November 2025. https://thehill.com/homenews/house/4601266-house-passes-bill-requiring-warrant-to-purchase-data-from-third-parties/ ↩ Congress.gov. “Improving Digital Identity Act of 2023.” Congress.gov, accessed November 2025. https://www.congress.gov/bill/118th-congress/senate-bill/884/text ↩ Biometric Update. “Digital IDs gain momentum as state laws take effect; legislation is advanced.” Biometric Update, February 2025. https://www.biometricupdate.com/202502/digital-ids-gain-momentum-as-state-laws-take-effect-legislation-is-advanced ↩ Brennan Center for Justice. “The Fourth Amendment in the Digital Age.” Brennan Center for Justice, accessed November 2025. https://www.brennancenter.org/our-work/policy-solutions/fourth-amendment-digital-age ↩ BSI. “The German eID Function.” German Federal Office for Information Security, accessed November 2025. https://www.bsi.bund.de/EN/Themen/Oeffentliche-Verwaltung/Elektronische-Identitaeten/Online-Ausweisfunktion/online-ausweisfunktion_node.html ↩ Tech Policy Press. “Lessons from National Digital ID Systems for Privacy, Security, and Trust in the AI Age.” TechPolicy.Press, accessed November 2025. https://www.techpolicy.press/lessons-from-national-digital-id-systems-for-privacy-security-and-trust-in-the-ai-age/ ↩ e-Estonia. “e-Residency.” e-Estonia, accessed November 2025. https://e-estonia.com/solutions/estonian-e-identity/e-residency/ ↩ CA Privacy Protection Agency. “Law & Regulations.” California Privacy Protection Agency, accessed November 2025. https://cppa.ca.gov/regulations/ ↩ Congress.gov. “Online Privacy Act of 2023.” Congress.gov, accessed November 2025. https://www.congress.gov/bill/118th-congress/house-bill/2701 ↩ Inside Privacy. “California Finalizes Updates to Existing CCPA Regulations.” Inside Privacy, accessed November 2025. https://www.insideprivacy.com/state-privacy/california-finalizes-updates-to-existing-ccpa-regulations/ ↩ Homeland Security. “Fusion Centers.” Department of Homeland Security, accessed November 2025. https://www.dhs.gov/fusion-centers ↩ Wikipedia. “Fusion center.” Wikipedia, accessed November 2025. https://en.wikipedia.org/wiki/Fusion_center ↩ PwC. “The California Privacy Regulations and Their Requirements.” PwC Japan Group, accessed November 2025. https://www.pwc.com/jp/en/knowledge/column/california-privacy.html ↩ Congress.gov. “Improving Digital Identity Act of 2023.” Congress.gov, accessed November 2025. https://www.congress.gov/bill/118th-congress/senate-bill/884/text ↩ American Civil Liberties Union. “The FBI Has Access to Over 640 Million Photos of Us Through Its Facial Recognition Database.” ACLU, accessed November 2025. https://www.aclu.org/news/privacy-technology/fbi-has-access-over-640-million-photos-us-through ↩ Wikipedia. “Biometric Information Privacy Act.” Wikipedia, accessed November 2025. https://en.wikipedia.org/wiki/Biometric_Information_Privacy_Act ↩ Atlantic Council. “Exploring the global digital ID landscape.” Atlantic Council, accessed November 2025. https://www.atlanticcouncil.org/in-depth-research-reports/report/exploring-the-global-digital-id-landscape/ ↩ Fortune. “China’s ‘Social Credit’ Used to Ban 23M From Traveling.” Fortune, February 2019. https://fortune.com/2019/02/22/china-social-credit-travel-ban/ ↩ Electronic Frontier Foundation. “Face Off: Law Enforcement Use of Face Recognition Technology.” Electronic Frontier Foundation, accessed November 2025. https://www.eff.org/wp/law-enforcement-use-face-recognition ↩ European Commission. “European Digital Identity (EUDI) Regulation.” European Commission, accessed November 2025. https://digital-strategy.ec.europa.eu/en/policies/eudi-regulation ↩ IdTechWire. “Germany Launches Digital ID Cards for Smartphone Storage Nationwide.” ID Tech, accessed November 2025. https://idtechwire.com/germany-launches-digital-id-cards-for-smartphone-storage-nationwide/ ↩ Medium. “Estonia is enhancing the security of its digital identities.” E-Residency Blog, accessed November 2025. https://medium.com/e-residency-blog/estonia-is-enhancing-the-security-of-its-digital-identities-361b9a3c9c52 ↩ IdTechWire. “Swiss Voters Narrowly Approve State-Run e-ID Law.” ID Tech, accessed November 2025. https://idtechwire.com/swiss-voters-narrowly-approve-state-run-e-id-law/ ↩ Linklaters. “Data Protected Netherlands.” Linklaters, accessed November 2025. https://www.linklaters.com/en/insights/data-protected/data-protected---netherlands ↩ American Civil Liberties Union. “There’s Only One State That is Asking the Right Questions About Digital Identity.” ACLU, accessed November 2025. https://www.aclu.org/news/privacy-technology/digital-id-utah ↩ White & Case LLP. “Data Privacy Update.” White & Case, accessed November 2025. https://www.whitecase.com/insight-alert/data-privacy-update-2025 ↩ Here & Now. “’The Perfect Police State’ paints a picture of the surveillance China uses to monitor Uyghurs.” WBUR, August 2021. https://www.wbur.org/hereandnow/2021/08/09/geoffrey-cain-perfect-police-state ↩ Privacy International. “Public-Private surveillance partnerships.” Privacy International, accessed November 2025. https://privacyinternational.org/learn/public-private-surveillance-partnerships ↩

Pray for freedom!