Digital identity can and should be reframed

Steve Wilson
Sep 29, 2020


In 2019 the U.K. government Department for Digital, Culture, Media and Sport issued a “Call for Evidence” on Digital Identity. Earlier this month the government published its response to the submissions, establishing a new Digital Identity Strategy Board and promulgating some high-level principles to inform a legal framework and possible new Digital Identity legislation, something which has been absent in the English-speaking world but is now on the agenda across the Five Eyes nations.

I made a submission to the inquiry, and have permission to publish it.

Tangled communications cables across a street in Kathmandu.

In a nutshell

I called for a reframing of government’s approach to Digital Identity, with less stress on “trust” and more focus on a high fidelity digital-to-analogue conversion of existing real world relationships and credentials. We have institutions, businesses, brokers and processes which provide a great many personal and professional attributes which are widely relied upon across the economy. If government focused on improving the way these sources of truth are digitised, without imposing inordinate changes to real world processes, then you would go a long way to fixing the most urgent identity problems.

What follows is a lightly edited copy of my submission.

My understanding of the Call for Evidence

The Department for Digital, Culture, Media and Sport (DCMS) is working with the Government Digital Service “on the future of digital identity” and initiated a public call for evidence. DCMS organised the call into four topics (Needs and problems, Criteria for trust, Role of government, and Role of the private sector) and a total of 21 numbered questions.

I provided my opinion on the state of free market Digital Identity and brief answers to a selection of the 21 questions.

Needs and problems

We face undeniable problems of mounting identity-related crime in digital channels, the apparent ease with which identity information (and personal data in general) can be abused, and terribly inconvenient online authentication and identity proofing. We have faced these same problems globally for well over 10 years, trying to solve them with many public-private initiatives. The United Kingdom’s domestic initiatives have numerous parallels internationally, including the Australian federal government-funded Internet Industry Association authentication hub (2005), the Australian banking sector’s Trust Centre (2007) and the US National Strategy for Trusted Identities in Cyberspace (NSTIC, 2009–2017). The Murray Report into Australia’s financial services sector (2014) re-prosecuted the case for a national approach to Digital Identity; since then the Digital Transformation Agency and the Australian Payments Council have worked on public and private sector identity frameworks respectively. A similar vision of a contestable market for Digital Identity services has been pursued for over a decade in Canada and New Zealand.

The unwavering enthusiasm of Five Eyes Nations for a market-driven identity ecosystem seems somewhat unreal when experience shows so clearly that Federated Identity is easier said than done.[1] No free market Digital Identity offerings have so far proved sustainable; Canada’s Concierge system is well regarded for its credentials being reusable across banking and government, but the system has not yet proven itself beyond the founding cohort and we therefore can’t consider it to be “open”.

There are a few notable international successes in federated identity but overwhelmingly they have been enabled by legislation; examples include BankID in Scandinavia, and the Estonian national ID card. I suggest that the lessons of these European programs are almost completely academic for the Five Eyes Nations since we don’t have the legislative appetite.

[Update: In the past 12 months, most of the Five Eyes nations have in fact started discussing Digital Identity legislation from a range of perspectives. The U.K. government in its response to the Call for Evidence anticipates consumer protection laws for identity. The U.S. House of Representatives is considering the Improving Digital Identity Act with a focus on electronic verification of existing credentials. And Australia has just announced the possibility of legislating to enable its federal government logon “MyGov” to be used in the private sector. It remains to be seen if these laws have the same scope and effect as the European efforts. Thanks to Kantara Executive Director Colin Wallis for his recent summation and analysis of announced legislative intentions.]

Evidence suggests therefore that the identity problem can and should be reframed.

There is a worldwide trend in the Identity and Access Management (IDAM) industry away from universal identification and towards digitising verifiable claims, or attributes. Efforts include:

  • The FIDO Alliance developing technical protocols for authenticating users and mobile devices with reduced reliance on passwords. FIDO is the most important IDAM alliance the world has ever seen, yet it has expressly stated its mission is not identification, which FIDO sees as a localised matter for businesses, beyond technological standardisation.
  • The Verifiable Claims working group of the World Wide Web Consortium (W3C) works on protocols for expressing and exchanging dependable claims about users, such as qualifications, account details, roles and so on.

Andrew Nash, former Product Director of Identity at Google and now Vice President of Consumer Identity at Capital One, put it simply at the Cloud Identity Summit in 2014: “attributes are more interesting than identity”.

I conclude that “identity” remains too loose a concept to translate smoothly from the analogue real world into the digital domain. We also note that fear and loathing of a national ID is inevitable, understandable, and distracting to the Digital Identity mission. We therefore suggest that a pragmatic, theoretically robust and politically less risky approach is to reframe the identity problem.

The root technical problem online is this:

The things we need to know about people or entities in order to deal with them are difficult to know with certainty in the digital environment.

Commerce and government services revolve around established facts and figures (attributes) of end users such as account numbers, government IDs, customer reference numbers, employee numbers, professional qualifications, memberships, company positions, social security entitlements, driver license numbers, and personal attributes, like age, marriage status, residency and health conditions. These critical pieces of identity information and other personal data lose their reliability and provenance online: we cannot tell where the information is supposed to have come from, much less can we distinguish copies from “originals”; indeed, the concept of originality is all but lost online. Nor can we be sure that data presented online truly belongs to particular individuals, and has been presented when applicable with consent.

Criteria for trust

The Call for Evidence suggests that “[at] the heart of a successful approach to digital identity is the need to improve trust between the person or organisation aiming to prove something about themselves, and the [relying party]”. I respectfully disagree, insofar as it would be more than enough in the current climate for us to simply replicate in the digital domain the level of trust that we are accustomed to when subjects and relying parties deal with one another in the real world. As outlined above, the priority task should be to obtain reliable information about transacting parties in the digital environment. Framing Digital Identity efforts in terms of “trust” has tended to overload and complicate the task.

I do not believe that “trust” per se should be an objective of Digital Identity systems, because trustworthiness is an emergent property, with just as many regulatory and governmental determinants as technological ones. If we did better at reliably conveying the precise attributes we need to know about one another, then digital trustworthiness would follow.

Of course I acknowledge a trust deficit which needs careful attention at government, corporate and institutional levels. In our “Post Snowden World” governments seeking to build Digital Identity solutions are under greater pressure to avoid intruding into citizens’ affairs, and, moreover, to be seen to avoid intruding. The more complex and novel the proposed “trust frameworks”, the harder it is to convince laypeople that the frameworks themselves are trustworthy. Purportedly privacy enhancing constructs such as “Triple Blind Privacy” have a distinct downside in that they upend the way relying parties judge the reliability of a credential’s source, which complicates liability and legal certainty.

Conclusion

The world abounds with sources of truth. We have institutions, businesses, brokers and processes which provide a great many personal and professional attributes which are widely relied upon across the economy. If government focused on improving the way these sources of truth are digitised, without imposing inordinate changes to real world processes, then it would go a long way to fixing the most urgent “identity” problems.

Addressing specific questions

Here are brief responses to selected questions from the Call for Evidence.

1. Do you think digital identity checking will be a way to help meet the common needs of individuals and organisations referenced above? What other ideas or options would help?

I would like to see a change of emphasis from “identity checking” to “attribute [or claims] checking”. All stakeholders agree that absolute identification should be avoided wherever possible when undertaking routine transactions. The language of “identity checking” unavoidably overloads the task at hand. The words we use matter, and by shifting attention from “digital identity system” to infrastructure for checking concrete attributes, we should see more precisely conceived and designed systems.

4. How should we ensure inclusion, especially for individuals with thin files?

The thin file problem is complex and calls for flexible, practical processes in the field. On a case-by-case basis, the bona fides of such individuals need to be built up in response to their particular needs for identity-dependent services. Establishing entitlements is first and foremost a social challenge, not a technological one. I suggest that getting thin file cases onto a digital footing must be about verifying and then digitising precise attributes, rather than issuing a new “Digital Identity” as such. For instance, some people will need their medical needs substantiated as a priority, while for others their immigration status and family ties will be more important. There will be no one-size-fits-all basket of personal attributes, and no universal standard for identifying these individuals; that is, it is not clear that there is a well-defined “fat file” for them to aspire to. To suggest that thin file individuals will be granted a generic Digital Identity could have unintended consequences.

6. Where do you see opportunities for a reusable digital identity to add value to services?

In cultures such as Britain’s, with no history of or appetite for national ID, the very abstraction of a reusable Digital Identity (in the singular) is problematic. This might be an unpopular opinion but I do not see opportunity for reusable “identity” per se because indexing individuals in a uniform way at scale is inevitably going to border on national ID. Instead I urge a shift in focus to reusable personal attributes (or verified claims). There is clearly a need―and in some cases fresh legislative support―for verified digital attributes such as proof of age, address, residency, social security entitlements, health conditions, vaccinations, and so on. Note that some of these attributes are not identifying―and definitely must be conveyable without identification―which reinforces the point that attributes are a more fruitful pursuit than “identity”. I believe that identity is rather overdone, and it would be more powerful (and at the same time less contentious) to assure the provenance and fidelity of specific personal data items without calling out “identity”.

7. What are the building blocks essential to creating this trust?

Technical building blocks are emerging nicely, as noted above, including the Verified Claims protocols of W3C. In Australia and the U.S., services to verify government credentials such as driver licences and birth certificates are being rolled out. Thus a marketplace of reliable attributes is emerging already.

8. How does assurance and certification help build trust?

Standards, conformance and certification are cornerstones of all commerce, from rail, road and container shipping, through safe electricity supply, to product testing and import/export approvals. Note too that the world has well established Mutual Recognition Arrangements (MRAs) that ensure standards certifications are equivalent across jurisdictions.

The trick with Digital Identity attributes is to find the right level at which standardization is really useful. Different business sectors (think of accounting and medicine) have their own well-established processes for credentialing, which are trusted across the board, without relying parties delving into how “identification” is done in different places. In the real world, it is not necessary to standardise identification between accountants and doctors. When digitizing and certifying credentials, it is essential that existing “black box” business processes are, for the most part, left intact.

9. How do we ensure an approach that protects the privacy of users, and is able to cover a range of technologies and respond appropriately to innovation (such as biometrics)?

The bedrock of privacy is Collection Limitation. A problematic side-effect of general-purpose Digital Identity can be over-collection. If a business application requires just one specific attribute — such as proof of age or proof of vaccination or proof of residency — then authentication systems should avoid “identity” as far as possible.

Biometrics is often a distraction in Digital Identity discussions. Best practice for biometrics in e-commerce is for device unlocking, in a one-to-one verification mode (as opposed to one-to-many identification). The only identification mode which works at scale with current technology is face recognition for border control applications, where lighting and presentation conditions are tightly controlled. Selfie authentication―where a consumer captures an image of their face and photo ID and sends them to a matching service―has become a common pattern only in the past two years. Biometric vendors like to promote their “liveness” (anti-spoof) measures but there is still no independent standard for impersonation resistance. The advent of “Deep Fake” synthetic faces threatens an arms-race where Selfie authentication could be usurped at scale by organised criminals. It’s still early days.

For practical reasons, and to minimise consumer anxiety, we urge great care in positioning biometrics in this discussion. It would be premature to cement biometrics in nation-scale Digital Identity frameworks. Government must be clear about what any biometric is for, what mode it will be deployed in, and how its use will be constrained.

14. Do you think government should make government documents and/or their associated attributes available in a digital form?

Yes, it is useful for certain attributes to be verifiable over APIs against government sources of truth (as per the experience of the Australian federal government’s Document Verification Service, DVS). There is a well-established pattern now for the document checking API to return a simple privacy-preserving “yes/no” answer as to the validity and currency of an attribute.

Yet the APIs alone are not a complete verification solution. Proof of possession of an attribute is best provided by installing certified (digitally signed) copies of attributes into personal authentication devices, controlled by the legitimate attribute holder, and able to be presented directly to relying parties. See https://www.constellationr.com/blog-news/safety-numbers.
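The proof-of-possession pattern described in this answer, as an added Go example (not code from the submission or from any government service): an issuer certifies one attribute against the holder's device key, and the relying party checks both the issuer's signature and a fresh signature from that device. The names `Credential`, `Issue`, `Present`, `Verify` and `NewKeys`, the attribute string and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Credential is one certified attribute bound to the holder's device key; it names nobody.
type Credential struct {
	Attribute string
	HolderKey ed25519.PublicKey
	IssuerSig []byte
}

// signedBytes is what the issuer certifies; challenge ties a verifier nonce to the credential.
func (c Credential) signedBytes() []byte { return append([]byte(c.Attribute), c.HolderKey...) }
func (c Credential) challenge(n []byte) []byte { return append(n[:len(n):len(n)], c.IssuerSig...) }

func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue is run by the attribute authority (the source of truth).
func Issue(issuer ed25519.PrivateKey, attr string, holder ed25519.PublicKey) Credential {
	c := Credential{Attribute: attr, HolderKey: holder}
	c.IssuerSig = ed25519.Sign(issuer, c.signedBytes())
	return c
}

// Present is run on the holder's device: it signs the relying party's fresh nonce.
func Present(device ed25519.PrivateKey, c Credential, nonce []byte) []byte {
	return ed25519.Sign(device, c.challenge(nonce))
}

// Verify is run by the relying party: provenance first, then possession.
func Verify(issuerPub ed25519.PublicKey, c Credential, nonce, proof []byte) error {
	if len(c.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, c.signedBytes(), c.IssuerSig) {
		return fmt.Errorf("attribute not certified by the expected issuer")
	}
	if !ed25519.Verify(c.HolderKey, c.challenge(nonce), proof) {
		return fmt.Errorf("presenter does not control the key the attribute is bound to")
	}
	return nil
}

func main() {
	issuerPub, issuerKey := NewKeys()
	devicePub, deviceKey := NewKeys()
	cred, nonce := Issue(issuerKey, "age_over_18=true", devicePub), []byte("constructed-nonce-01")
	fmt.Println(Verify(issuerPub, cred, nonce, Present(deviceKey, cred, nonce)))
}
```

The nonce here is a constructed constant; a relying party would generate random bytes per transaction. The device key is itself a stable value, so a deployment that must keep presentations unlinkable would have the attribute issued against a different key for each relying party.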

About the author

I am an independent researcher and adviser, based in Sydney, Australia, and dedicated to Digital Identity, privacy and data protection. I have consulted to clients and projects including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC), the Australian Trusted Digital Identity Framework (TDIF), the Australian Payments Council, the FIDO Alliance, the New South Wales Digital Driver Licence, the Australian National Biometric Matching Capability, IBM, Infosys and Evernym.

[1] See also my presentation to the AusCERT 2011 conference, Identities Evolve: Why Federated Identity is Easier Said than Done. In 2013, at the Cloud Identity Summit in Napa Valley, I debated David Rennie of the U.K. Government Digital Service, who argued that digital identity was “easier done than said”, a position which has not been borne out.


Steve Wilson

Digital identity, PKI & privacy innovator, researcher & adviser. VP & Principal Analyst (Digital Safety) at Constellation Research. Founder of Lockstep Group.