Who will control the identity of the future?

Maybe Facebook. Maybe a firm you’ve never heard of. Maybe yourself.

This post discusses a few of the themes from a recent research project at Caribou Digital. You can skip the post and just download the report.


There are a lot of organizations competing for our identities. Governments have long held monopoly power over official identity, using their authority to document and record their populations as the fundamental first step in exercising state control.[1] Government-issued identity credentials — whether national ID card, driver license, or simply a unique number — are rigid, static, and outside the control of the individual, but the fact that they come from the state grants them a level of trust which makes them extremely valuable. If we need to identify or authenticate ourselves for something important, chances are it will require a state-based identity credential.

In the private sector, firms such as Facebook, Google, and LinkedIn also compete to attract users to their platforms. Their business models vary, but they all offer virtual environments that enable us to create customized, dynamic representations of our selves. Turns out we really like doing this, probably in part because none of us has just a single “identity” that is accurately represented by a string of digits or a plastic card. Instead, we cultivate and express multiple identities (e.g., Hispanic, sister, Muslim, athlete) based on the social contexts that we live in. These digital personas have become so important, they increasingly define who we are — professionally, personally, socially — to the world around us.

Currently, our Facebook identity and our government identity are worlds apart. They serve very different functions, are managed by very different institutions, and manifest in daily life in completely different ways. But as more and more of our lives become mediated by digital communications and services, our digital identities are becoming the central asset that coordinates and unlocks the most important resources and services we use. This is leading many governments to seek some of the efficiencies and innovation from the private sector, while firms are looking to increase the scope of official identity use cases they can provide, resulting in a convergence in interest and activity between public and private sector in the digital identity industry.


We can see this convergence in the United Kingdom’s GOV.UK Verify[2] program, which relies on private-sector firms such as Experian and Verizon to provide digital identity credentials for citizens to access government services. In another public-private collaboration, the Netherlands[3] is basing its national identity standard on a banking industry credential, a model that has already proven successful in Finland, Norway, and other Nordic countries.[4] These efforts aren’t limited to Europe or the West — Nigeria has partnered with MasterCard to provide identity cards that also function as bank payment cards,[5] and India is inviting private-sector services to connect to its Aadhaar program through the India Stack initiative.[6]

Not all of the current activity is in explicit partnership with states. The mobile operators, backed by their industry association, GSMA, are using the ubiquity of the SIM card to try to drive adoption of their Mobile Connect standard worldwide.[7] And of course Facebook, Google, and the other global platforms are continuing to build up functionality so that their digital profiles can be used for an increasing number of activities.

But most interesting are the new identity startups that are emerging. Companies such as Blockstack, Consent, Global ID, Evernym, miiCard, ShoCard, and Yoti[8] are using advancements in biometrics, mobile sensors, distributed ledgers, and encryption to develop next-generation digital identity solutions that are more secure than our social network profiles, and more functional than our government identities.

As the growth of new ventures suggests, there’s currently a lot of hype around digital identity. Entrepreneurs recognize that digital identity is the linchpin that ties together all the services, devices, and organizations that we care about and want to connect with, and there’s money to be made for whoever controls that key. This isn’t new, and there have been plenty of efforts over the years to establish and standardize a commercial identity platform (Microsoft Passport, anyone?). But recent advancements in technology — especially in distributed ledgers and encryption — have renewed interest in the potential for solving what Kim Cameron called the missing “identity layer” of the internet.[9]


There are different identity solutions being proposed, but the most radical are open, distributed systems that grant full control to the user. Often referred to as “self-sovereign” identity, systems such as Evernym are based on open-source technical infrastructures (e.g., distributed ledgers) that are not owned by any firm or state, and are instead controlled by the user. Individuals can accumulate and associate all of their credentials — from a library card to a driver license to a website login — into a single identity container that becomes their unique identifier. By putting users in charge of their data, self-sovereign identity systems are capitalizing on the growing popular backlash against surreptitious data collection and profit-driven privacy policies, while their open-source, decentralized structure offers the transparency and trustworthiness that wide-scale adoption will demand.

Other startups are trying to solve more specific identity pain points, especially in financial services, where strong regulations around customer due diligence (e.g., KYC, or “know your customer”) create lots of friction and costs. In order to serve these use cases, these providers have to formally verify users to a high “level of assurance,” which in most jurisdictions means verifying the user’s official, state-based identity credentials. Firms like Yoti and ShoCard are doing this using smartphone cameras to scan physical credentials, such as passports, and match them with a self-portrait, or “selfie.” This allows them to authenticate the user, and store a digital version of the user’s official credential on the mobile device, where it can be used both online (e.g., logging into websites) and offline (e.g., buying alcohol). If these approaches fulfill regulatory requirements, they can make a wide range of identity use cases immensely more efficient and convenient.


The technological innovation among identity firms is moving quickly and is exciting to watch. But the tech is, of course, only part of the answer. Fundamentally, private-sector digital identity has to have the right incentives to drive adoption, since, unlike the state, it can’t make enrollment mandatory. And because digital identity is used for so many different things, finding the right use case to focus on — the killer app — is a challenge, and one that will have different answers in different markets. Determining which use cases are highest value for both end-users and the relying parties — the organizations that will trust and accept the identity — is therefore a critical strategic decision facing every provider.

Unsurprisingly, most of the new digital identity startups are based in the West, and are designing for Western users. While there is a clear need for improved identity solutions in emerging markets — an estimated 1.5 billion people worldwide have no official identity — the most critical need is for the legal protection and benefits that come from state-issued identity credentials, and organizations such as the World Bank’s ID4D group are the best suited for working with governments to improve the effectiveness of their programs. There is better opportunity for private-sector solutions in those markets where they can build on established state identity programs, such as India, Pakistan, and Peru. But the challenge of determining the most important use cases for adoption is even more difficult in markets where digital services are relatively new and behavior patterns are still emerging, and the economics of serving lower-income populations is still to be proven.

The other obvious obstacle for identity startups is the massive scale of incumbent platforms. With 84% of its 1.7 billion users outside of the United States, Facebook is dominant worldwide, especially when you consider its other properties (WhatsApp, Instagram, Messenger). The company has long held a “real name” policy and requires verification on some accounts, and it would be relatively easy for it to roll out a new service for verified identities (perhaps to enable higher levels of financial payments in its Messenger app?) that leverages its installed base to reach critical mass. Of course, Facebook is an advertising company, and the regulatory burden and transactional revenue model typically associated with verified identity may seem like a distraction from its core business. But it launched P2P payments in Messenger, another typically transactional model, so it’s possible that official identity could be seen as just another service that increases usage and therefore eyeball-hours.


A fundamental truth about identity is that the system is built on trust — you show me a credential, and I decide based on that credential whether I trust your claims. Regulations and government certifications are ways of codifying and standardizing that trust, in effect providing the grease that enables all kinds of transactions between unknown parties worldwide. In the near term, the most important use cases will still only trust credentials that are connected to an official, state-based identity — the gold standard of identity — and private-sector identity providers will have to find ways of connecting or integrating with these systems (and concomitant regulations) in order to gain widespread use.

While this is today’s reality, it’s interesting to consider whether, and how, this might change. There’s what we could call a technological alternative, where our world of increasingly dense sensors and data can be used to algorithmically determine and verify our identity. As John Clippinger likes to argue, our mobile devices already track our GPS coordinates, fingerprints, voice patterns, walking gait, typing habits, and more, which taken together and triangulated with other data provide strong correlations for probabilistic verification that can be independent of, and more accurate than, any government or central organization.[10] Trusting software in this way will require not only a cultural shift in perception, but also the development of methods for addressing the biases that are inherent in those algorithmic processes.[11]

In another scenario, a government could lose its monopoly power on trusted identity due to a security breach. One bad and highly visible hack of a government database could potentially damage the trust in an entire country’s identity credential, leaving individuals to seek private-sector alternatives, or even an alternative state credential. We see something similar when an economic crisis causes individuals to forgo local currency in favor of other state currency or non-fiat stores of value. In this context, it’s not hard to imagine Estonia, which launched its e-residency program[12] in 2014 and has already stated its ambitions toward “country-as-a-service,”[13] emerging as the most trusted 3rd-party identity credential worldwide.


It’s still early days in the evolution of private-sector digital identity. The current landscape features a few very large incumbents that have massive scale but for whom identity has been a means to an end, not the core offering, leaving them behind in functionality and scope of use cases. On the other side are a number of small identity startups that have designed their offerings from the ground up to solve specific identity pain points with advanced technologies, but who have few (if any) users on board. It’s tempting to believe that an open, decentralized system will gain critical mass and emerge as a real alternative for those who believe that individuals, not profit-driven firms or states, should manage their own identities. But libertarian ethos and corporate distrust aren’t widespread enough, aren’t strong enough, to push those solutions into the mainstream. More work needs to be done to understand the most important use cases and business models that can incentivize participation in the broader identity ecosystems, by both individuals and commercial partners. This challenge may favor not the most technologically advanced firms, but those with the best understanding of value propositions in a specific region and user base, and creativity in developing commercial models to serve them.


The research referenced in this post was supported by the excellent team at Omidyar Network. But the views expressed here are mine and do not represent Omidyar Network or Caribou Digital. You can download the full report, free of charge, from the Caribou Digital website.

References

[1] James C. Scott, Seeing like a State: How Certain Schemes to Improve the Human Condition Have Failed (Yale University Press, 1998).

[2] GOV.UK Verify, https://identityassurance.blog.gov.uk/

[3] “Dutch Interbank Digital Identity Service Announced,” Innopay, https://www.innopay.com/blog/dutch-interbank-digital-identity-service-announced/.

[4] Herbert Kubicek and Torsten Noack, “Different Countries-Different Paths Extended Comparison of the Introduction of eIDs in Eight European Countries,” Identity in the Information Society 3, no. 1 (July 2010): 235–45.

[5] “Why Mastercard Is Establishing a Nigerian Identity,” CNN.com, http://edition.cnn.com/2014/09/25/business/branding-nigeria-mastercard-backed-i-d-/.

[6] “About India Stack,” India Stack, http://www.indiastack.org/About-India-Stack.

[7] “Mobile Connect Developer Portal,” Mobile Connect, https://developer.mobileconnect.io/content/overview.

[8] http://blockstack.com, http://consent.global, http://evernym.com, http://www.myglobal.id/, http://miicard.com, http://shocard.com, http://yoti.com

[9] Kim Cameron, “The Laws of Identity,” May 2005. https://msdn.microsoft.com/en-us/library/ms996456.aspx

[10] John Clippinger is a pioneer in the “self-sovereign” identity movement, leading development of the Open Mustard Seed system and co-authoring the Windhover Principles on identity, https://idcubed.org/digital-law/socialstack/

[11] See, for example, Angwin, Julia, Jeff Larson, Surya Mattu, and Lauren Kirchner. “Machine Bias: There’s Software Used Across the Country to Predict Future Criminals. And It’s Biased Against Blacks.” ProPublica, May 23, 2016. https://www.propublica.org/article/machine-bias-risk-assessments-in-criminal-sentencing.

[12] “Taavi Kotka Promises 10 Million ‘e-Estonians’ by 2025,” E-Estonia, http://e-estonia.com/taavi-kotka-promises-10-million-e-estonians-2025/.

[13] Oscar Williams-Grut et al., “Estonia Wants to Become a ‘Country as a Service’ and Already Has 10,000 Virtual Residents,” Business Insider, http://uk.businessinsider.com/interview-with-estonia-cio-taavi-kotka-2016-4.