Legal identity of a person in a digital world

Vikas Malhotra
Sep 16, 2022

Today, Sep 16th, is International Identity Day, a commemoration of UN Sustainable Development Goal 16.9, which calls for the provision of legal identity for all by 2030.

The United Nations defines legal identity as the basic characteristics of an individual’s identity, e.g., name, sex, place and date of birth, conferred through registration and the issuance of a certificate by an authorized civil registration authority following the occurrence of birth. In the absence of birth registration, legal identity may be conferred by a legally recognized identification authority. This system should be linked to the civil registration system to ensure a holistic approach to legal identity from birth to death. Legal identity is retired by the issuance of a death certificate by the civil registration authority upon registration of death.

Per the United Nations’ legal identity agenda, everyone has the right to be recognized as a person before the law, as enshrined in Article 6 of the Universal Declaration on Human Rights and Article 16 of the International Covenant on Civil and Political Rights. Several international human rights instruments, such as Article 7 of the Convention on the Rights of the Child and Article 24(2) of the International Covenant on Civil and Political Rights, also recognize a right to birth registration.

Sustainable Development Goal Target 16.9 (“legal identity for all, including birth registration, by 2030”) is key to advancing the 2030 Agenda commitment to leave no one behind.

McKinsey & Company says that nearly one billion people have no form of legal ID. That means they have no birth certificate, driver’s license, National ID, or passport — no legal way to interact with their own government for services or aid. Without legal identification, millions are potentially denied access to education, financial services, health care, the recognized labor market, or even the ability to secure property. Nearly 1 in every 8 people do not legally exist in today’s world.

Governments and the United Nations have a key role to play in overcoming these inequalities, and all of this needs to be done in the context of increased digitalization. Usually, governments and concerned bodies are the issuers of various types of identifiers, such as birth certificates, driver’s licenses, passports, social pins, etc. In addition, other documents, such as education credentials, could also be forms of identity in different contexts.

Most of these credentials are in paper form today; they are slow and costly to issue and are also prone to security and privacy issues such as stealing, spoofing, and breach in a digital context.

Digitalization of identities could help establish faster and lower-cost methods to issue and verify credentials, and hence to establish the identity of a person. It will enable the United Nations to achieve its legal-identity-related sustainability goals by 2030.

However, people are hesitant to share or store such credentials in digital formats today due to widespread privacy and security issues in the systems.

  • First, today’s ‘digital’ identity systems are account-based, centralized and federated systems that, because they are centralized, become honey pots of information that can be breached by bad actors.
  • Second, the same centralized systems are used by current platforms to collect information about and track a person; that information is further shared and reshared, most times without the person’s knowledge, causing privacy breaches.
  • Third, the widespread methods used today to verify legal identity are based on taking a picture and sending information over insecure email or other communication systems, which again leads to the problems above.

If we could build systems that enable data protection and privacy, and create a more trusted ecosystem for the issuance and verification of credentials, would that enable true digitalization of ‘identity’?

The United Nations Development Programme (UNDP) has been conducting research on the future of legal identity, especially the role digitalization could play in establishing legal identity for all. A second roundtable, held on February 10th, 2022, was hosted by the UN Legal Identity Agenda (LIA) Task Force. The discussion was guided by the following 3 questions:

1. What data protection and privacy standards help in the design of your products, particularly for customers in countries/regions without detailed data protection and privacy standards?

2. When developing and marketing digital identity and biometric technologies and services, whose needs are you planning your products for, government, business partners, or data subjects / citizens?

3. The centrality of biometric data in ‘linking’ digital identities across government systems, and ‘control’ of biometric data.

I, Vikas Malhotra, founder & CEO of WOPLLI Technologies, stressed in the roundtable the need for a system and architecture where the outcomes would lead towards safety for people (secure, privacy enabled and no harm) and fairness for people (removal of bias, inclusion), and would be trusted (transactions between people or between systems). In the same discussion, Self-Sovereign Identity, based on Decentralized Identifiers (DIDs, recently recommended by the W3C as Decentralized Identifiers (DIDs) v1.0 (w3.org)), was discussed by Daniel Bachenheimer, Principal Director at Accenture, as an area to look into for enabling the digitalization of credentials and their issuance and verification, while enabling privacy and secure architecture constructs for the future.

Self-Sovereign Identity (SSI), contrary to the current centralized and federated identity models, is not account based and instead works through the issuance and verification of credentials. There are seven basic building blocks of SSI:

1. Verifiable credentials (aka digital credentials):

The term credential applies to any (tamper-resistant) set of information that some authority claims to be true about the subject of the credential — and which in turn enables the subject to convince others (who trust that authority) of these truths. For example: A birth certificate issued by a hospital or vital statistics agency proves when and where you were born and who your parents were.

2. The trust triangle: issuers, holders, and verifiers:

Issuers are the source of credentials. Every credential has an issuer. Most issuers are organizations such as government agencies (passports), financial institutions (credit cards), universities (degrees), corporations (employment credentials), NGOs (membership cards), churches (awards), etc.

Holders request verifiable credentials (VCs) from issuers, hold them in the holder’s digital wallet, and present proofs of claims from one or more credentials when requested by verifiers (and approved by the holder).

Verifiers can be anyone — person, organization, or thing — seeking trust assurance of some kind about the subjects of credentials. Verifiers request proofs from holders/provers of one or more claims from one or more VCs. If the holder agrees (and the holder always has that choice), the holder’s agent responds with a proof the verifier can then verify. The critical step in this process is the verification of the issuer’s digital signature, typically accomplished using a DID.

The relationship between issuers, holders/provers, and verifiers is often referred to as the trust triangle.

Fig 1: Trust Triangle

3. Digital wallets:

Digital wallets can be either custodial (server-side, where the keys are stored by the broker) or non-custodial (the edge wallet, where the keys are on the end device). The digital wallet helps to:

  • Store credentials.
  • Protect credentials from theft or prying eyes.
  • Keep credentials handy — easily available and portable across all your devices.

4. Digital agents:

In SSI infrastructure, every digital wallet is “wrapped” by a digital agent that acts as a software guardian, making sure only the wallet’s controller (typically the identity holder) can access the stored VCs and cryptographic keys. In addition, agents, using instructions from their owners, “speak” to each other over the internet to form connections and exchange credentials. They do this via a decentralized, secure messaging protocol designed from the ground up for private communication between digital agents.

5. Decentralized identifiers (DIDs):

A DID functions as the address of a public key on a blockchain or other decentralized network. In most cases, a DID can also be used to locate an agent for the DID subject (the entity identified by the DID).

DIDs are designed to be able to take advantage of any modern blockchain, DLT, or other decentralized network via a DID method that is written specifically for that target system. The DID method defines the following four atomic operations on any DID:

  • How to create (write) the DID and its accompanying DID document (the file containing the public key(s) and other metadata describing the DID subject)
  • How to use the DID to read (look up) the DID document from the target system
  • How to update the DID document for a DID, e.g., to rotate a public key
  • How to deactivate a DID by terminating its usage (usually by updating its DID document to contain no information)

6. Blockchains and other verifiable data registries:

A DID can be registered with any type of decentralized network or verifiable data registry (this is the formal term used in the W3C Verifiable Credentials Data Model and Decentralized Identifier specifications).
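The trust triangle, the four DID method operations and the registry described above can be sketched together; this is an added example, not code from the article or from any SSI project. It assumes a hypothetical in-memory `Map` as the verifiable data registry, the placeholder `did:example` method, Ed25519 keys from Node's built-in `crypto` module, and a simplified credential format that is not the W3C data model.

```javascript
const crypto = require('node:crypto');

// Hypothetical in-memory stand-in for a verifiable data registry.
const registry = new Map();

// Generate a key pair and write the DID document holding the public key.
function publishKey(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  registry.set(did, { id: did, publicKeyPem });
  return privateKey; // stays in the controller's wallet
}
// The four DID method operations: create, read, update (rotate), deactivate.
function createDid(name) {
  const did = `did:example:${name}`; // placeholder method, not a real network
  return { did, privateKey: publishKey(did) };
}
function readDid(did) { return registry.get(did) || null; }
function rotateKey(did) { return publishKey(did); }
function deactivateDid(did) { registry.set(did, { id: did }); } // no key left

// Issuer: sign the payload. JSON.stringify is a simplistic serialization
// that is only stable here because the key order is fixed.
function issueCredential(issuerDid, issuerKey, subjectDid, claims) {
  const payload = { issuer: issuerDid, subject: subjectDid, claims };
  const sig = crypto.sign(null, Buffer.from(JSON.stringify(payload)), issuerKey);
  return { ...payload, proof: sig.toString('base64') };
}
// Verifier: resolve the issuer's DID, then check the issuer's signature.
function verifyCredential(vc) {
  const doc = readDid(vc.issuer);
  if (!doc || !doc.publicKeyPem) return false; // unknown or deactivated issuer
  const { proof, ...payload } = vc;
  return crypto.verify(null, Buffer.from(JSON.stringify(payload)),
    doc.publicKeyPem, Buffer.from(proof, 'base64'));
}

// Constructed scenario: a civil registry issues a birth credential.
function demo() {
  const issuer = createDid('civil-registry');
  const holder = createDid('holder-1');
  const vc = issueCredential(issuer.did, issuer.privateKey, holder.did,
    { name: 'Sample Person', dateOfBirth: '2000-01-01' });
  const valid = verifyCredential(vc);
  const tampered = verifyCredential({ ...vc, claims: { ...vc.claims, name: 'X' } });
  rotateKey(issuer.did);
  const afterRotation = verifyCredential(vc);
  deactivateDid(issuer.did);
  const afterDeactivation = verifyCredential(vc);
  return { valid, tampered, afterRotation, afterDeactivation };
}
```

In this simplified model a credential stops verifying once the issuer rotates its key, because the verifier only sees the current DID document; a real deployment has to decide how credentials signed under earlier keys are treated.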

7. Governance frameworks (aka trust frameworks):

These are the set of business, legal, and technical rules for using SSI infrastructure that will enable interoperable digital trust ecosystems of any size and scale.

There are many market drivers for Self-Sovereign Identity, and it also shifts the locus of control towards the human in the transactions they have on the Internet. While it enables trust-based transactions to verify credentials, and hence establish identity, the outcomes are achieved in a privacy-enabled and secure manner that is not possible in existing centralized and federated account-based identity systems.

Self-Sovereign identity could be the way to enable legal identity digitalization for not only the one billion who do not have legal identity today but the entire nearly 8 billion of the world’s population.

Vikas Malhotra is founder & CEO of WOPLLI Technologies, Chair of the IEEE IC group on ‘Cyber Security for Next Generation Connectivity Systems’ and Co-Chair of the Trust over IP foundation ‘Artificial intelligence & Metaverse’ taskforce. He has enabled digitalization for 25+ years at a global scale, including building cloud services, and is on a mission to make our experiences [as we work, play, learn, live] safe, fair, trusted.

References:

REPORT2.PDF (un.org)

Decentralized Identifiers (DIDs) v1.0 (w3.org)

Self-Sovereign Identity (manning.com) by Drummond Reed and Alex Preukschat

Nearly one billion people have no form of legal ID | McKinsey
