What the heck is a digital identity?

What is identity in this new digital age? Up until a year ago my understanding was pretty basic and rooted in what I saw in everyday life. We’ve grown accustomed to how we deal with identity in the physical world. For one, over time people come to recognize us, which is a nuance that is difficult to replicate in online interactions. Each time we come back to a website that requires some level of authentication, we are treated like a stranger, no matter if we’ve logged in a thousand times before.

When I meet someone new, like say at the liquor store, and they need to confirm my age, I show them my driver’s license, a provincially issued credential, which validates with a certain level of authority that I am above the legal drinking age. In the physical world we rely on a few foundational identity credentials provided by government, such as a birth certificate or a permanent residency card, to establish and validate our identity. These in turn give us access to supporting and extended identity credentials such as driver’s licenses, health cards and Social Insurance Numbers (SIN), which invariably get used in person for many transactions where risks and the value of a valid identity are high, such as purchasing a house.

Fantastic visual from the Interac white paper on digital identity showcasing the interconnections between the various levels of identity, starting with foundational, moving up to supporting and ending with extended. Source: https://developer.interac.ca/white-paper-digital-identity/

With more and more physical transactions being displaced by online transactions, identities we can trust, both as consumers and providers, become ever more important. The world we live in now has diverged into two separate but connected realms. The realm of the physical is a world we know and understand intimately; many of our systems and processes are modeled to best serve this physical space. However, as the 20th century came to a close, the digital realm emerged with the dawn of the computer, followed by the internet, the smartphone, and every other disruptive digital technology that has contributed to the rapid evolution of that digital space.

Like toddlers, many of us leverage existing constructs to make sense of the unknown. This in turn paints an inaccurate picture when it comes to our understanding of the digital realm. Too often we try to replicate in the digital world how things are done in the physical world, when the building blocks of digital fundamentally transform how we can do things. We used to have to go to the library or access an encyclopedia to find an answer to a question we might have; now we simply pull a smartphone out of our pockets and access a wealth of knowledge and an answer in seconds.

Even more astonishing is that we can now get context-sensitive information based on the task we want to accomplish directly from our phones, a device that used to be used strictly to talk to someone elsewhere in the world. Want to know which route to take by car, bike, or metro that will get you there fastest and avoid traffic? Take out your smartphone. Want to know which stores sell umbrellas near you before the storm starts? Take out your smartphone. Want to watch an entire season wherever you happen to be without having to wait for an episode a week for an entire year? You get the idea.

Other countries are certainly making some waves in this space as well; whether their approach is desirable or not remains to be seen or debated, but I highlight it to showcase what is already here. When I visited China recently, residents were granted access to the train station through the combination of their resident card, a nationally issued credential, paired with their bought train ticket. They would lay down both on a scanner, which would first confirm that the person on the train ticket is the same person on the resident card, confirmed by a camera that uses facial recognition. Then it would make sure that this was the same person that this train ticket was assigned to. The gates would only open up to let individuals through once everything was confirmed and in proper order.

Another interesting observation from China was that very few times did I see cash exchange hands; when I did, it was mostly tourists. Over there you can pay universally by mobile phone, through the use of QR codes, or even with facial recognition. From big companies down to street vendors, the same digital payment options were available.

As the world continues to move from physical transactions to digital transactions, it becomes more important to have a trustworthy digital identity that is secure, private and consumable by a plethora of services.

Establishing a trusted digital identity online provides assurances in the following 3 ways:

  1. That you are signed in securely through some form of verified login;
  2. That you are a real person that exists in the world; and
  3. That you are that same real person that has consented to provide personal information or authorization to receive a service.

Of course, there are different levels of trust and assurance required online; for example, opening a new email account shouldn’t require the same level of rigour and scrutiny as, say, applying for a visa to another country.

In the digital realm we aim to replicate the level of scrutiny for establishing and validating someone’s identity where the stakes are high, and rightfully so. The problem is that we make citizens repeat this process almost each time they first interact with a different government body. A true digital identity, however, could completely transform not only how people trust each other online but also give way to new forms of interactions with even higher levels of trust and privacy.

Once we’ve established and validated someone’s identity, online credentials are oftentimes issued in the form of usernames and passwords. Everyone who consumes services online is a victim of this experience: we manage hundreds of credentials with varying degrees of security requirements and constraints. This has in turn given way to unsafe practices where account names and passwords are replicated across many services, which increases the risk of exploitation when one service provider is breached. This also makes us more vulnerable to identity theft and fraud, which has been growing at an average of 33% a year over the past 3 years.

Imagine a world where we no longer needed to manage hundreds of credentials. Imagine an identity ecosystem where authoritative parties are the sole holders and providers of your valuable data, where you not only control who has access to what at all times, but you are now in a position to provide trust and information without actually sharing your valuable data. This is only possible in the digital realm and is known as a zero-knowledge proof.

For example, say you wanted to purchase marijuana online but need to prove you are of age. In the physical world this would require that you show a piece of identity such as your driver’s license, but this invariably also shares your address, your actual age as well as your driver’s license number. With a digital identity trust framework, you’d be able to confirm that you are of age simply by allowing the seller to ping a trusted authoritative third party in your identity network to confirm that you are in fact legal and that is it. No date of birth, no address, nothing else shared.
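The age check described above can be sketched as a consent-scoped query; this is an added example, not part of the original post. The `IdentityAuthority` class, the `of_legal_age` claim name, the threshold of 19 and `shop.example` are assumptions made for illustration, and the HMAC-protected token models a lookup at a trusted third party rather than a cryptographic zero-knowledge proof.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

LEGAL_AGE = 19  # assumed threshold; the page does not state one
FIELDS = ("subject", "seller", "claim", "nonce")


class IdentityAuthority:
    """Hypothetical authoritative party: keeps the record, answers yes/no only."""

    def __init__(self, records):
        self._key = secrets.token_bytes(32)  # MAC key never leaves the authority
        self._records = dict(records)        # subject -> birth date (stays private)
        self._used = set()                   # nonces of redeemed consent tokens

    def _mac(self, token):
        msg = json.dumps([token.get(f) for f in FIELDS]).encode()  # unambiguous encoding
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def grant_consent(self, subject, seller, claim="of_legal_age"):
        """Called by the (already authenticated) user: one seller, one claim, one use."""
        token = {"subject": subject, "seller": seller, "claim": claim,
                 "nonce": secrets.token_hex(16)}
        token["mac"] = self._mac(token)
        return token

    def answer(self, token, asking_seller, today):
        """Called by the seller: True/False for the claim, None if consent is invalid."""
        if not hmac.compare_digest(self._mac(token), token.get("mac", "")):
            return None  # forged or altered token
        if token["seller"] != asking_seller or token["claim"] != "of_legal_age":
            return None  # consent was given to someone else, or for another question
        if token["nonce"] in self._used or token["subject"] not in self._records:
            return None  # replayed token, or unknown subject
        self._used.add(token["nonce"])
        born = self._records[token["subject"]]
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        return age >= LEGAL_AGE


if __name__ == "__main__":
    authority = IdentityAuthority({"alice": date(1990, 5, 17)})  # constructed record
    consent = authority.grant_consent("alice", "shop.example")
    print(authority.answer(consent, "shop.example", date(2024, 1, 1)))  # seller's view
    print(authority.answer(consent, "shop.example", date(2024, 1, 1)))  # replayed token
```

The seller only ever handles the token and a boolean; the date of birth stays with the authority, and a token presented by a different seller or presented twice is refused.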

Imagine a world where you always have access to your health records, where they follow you no matter where you are, and where giving a doctor access can be done in a matter of seconds simply by giving them permission. No matter if you move from one province to another or from one country to another, you will always be in control of your data.

The introduction of autonomous things further transforms the digital landscape and how we operate in our physical realm. One can foresee these autonomous things interacting with other autonomous parties and transacting on your behalf, like machines doing your groceries and needing to pay for them in a trusted and secure manner.

Finally, imagine changing to a new bank. Think of all the effort involved in order to make sure your direct payments and withdrawals are up to date. This currently means that information is duplicated across all those third parties’ systems, which increases the chances of it being exploited. What if all you did was give these third parties permission to access the necessary information to conduct the transaction when and as needed? That way, when you change bank accounts, all you need to do is change the information in one place and everyone would have the up-to-date information in one fell swoop.

The ramifications of such a shift in the digital realm would be quite profound and fundamentally transform a plethora of services and interactions online. My thinking in this space has evolved tremendously thanks to a digital identity pilot project I’ve been involved in through the GC entrepreneurs. Identity is a building block for the future of the web; getting this right can completely transform the way Canadians interact, and we’ve got some amazing talent working in this space. If you’re interested in finding out more, feel free to reach out and be sure to follow Tim Bouma, who’s a wealth of knowledge in this space from a Canadian context and who happens to be working on the Pan-Canadian Trust Framework.

If any of this has sparked any interest on your part, I would encourage you to explore how digital identity would factor into your world. If you do, I’d very much be interested in hearing or reading about it, so be sure to let me know. :)