A unifying framework for digital identity

Johannes Ebert, Gravity
May 14, 2019

The hashtags #digitalidentity and #digitalID have been tweeted around 2,000 times in the last week alone. A simple Google search is enough to show the sheer variety of results for the “digital identity” keyword, from voting in saunas to a more transparent informal mining sector. A wide range of initiatives has sprung up around the topic, including the World Bank ID4D group, the ID2020 Alliance, and dedicated initiatives at Omidyar Network, the GSMA, and the UN agencies. Data privacy and digital identity are also among the top topics at many development conferences these days, including ICT4D in Kampala last week.

The digital identity word soup

Inevitably, one draws the conclusion that a “digital identity” revolution is underway. Yet many discussions, workshops, and reports on the topic leave participants more confused than before. Somehow, the community and external stakeholders still fail to communicate effectively and to break the topic down into its parts.

As is often the case with buzzwords, “digital identity” too is frequently used interchangeably with sub-concepts like biometric authentication or national ID cards. This is partly because, in the absence of a framework, these sub-concepts cannot be accurately placed in relation to one another.

Some of the initiatives mentioned above, especially the World Bank ID4D program, focus on closing the “legal” identity gap: the estimated 1.1 billion people who lack the set of credentials required by law for access to certain services, like telecommunications or banking. Most of the time, these legally required credentials must be government-issued. For instance, in many African countries, a national ID card or passport is necessary for SIM card registration. This legal identity gap has rightfully been identified as a major barrier to economic and social inclusion, leading to “legal identity for all” being designated as one of the targets for achieving Sustainable Development Goal 16.

The “buzz” around digital identity is compounded by the fact that it is often confused with legal identity. Add to this the general confusion about what legal identity actually is, the role digital identity can play in accelerating the path towards “legal identity for all”, and how it can do so in a “good” way. Then add all the other concepts associated with digital identity, like mobile phone numbers, social media data, and biometrics, and we have the perfect recipe for what we call the “digital identity word soup”.

A very brownish word soup

Towards a framework for digital identity

Using digital identity as a catch-all term for very different concepts, elements, and processes, each used for its own purposes in identity management, obscures how each of these aspects can be leveraged to add value in a specific use case.

Digital identity is a huge space that no single company will be able to cover. What we need are collections of actors with different models, so that these models can be mixed and matched to achieve the desired outcome in a specific context, or in reference to the overall “legal identity gap”.

We are not alone in thinking that we need more clarity in our terms […] in order to prevent the design of systems with sub-optimal outcomes. At Gravity, we ourselves have been guilty of carelessly throwing the term digital identity around and mixing it up with legal identity. As a result, we were often met with confusion (“You provide ID? But isn’t that a government’s job?”). So, over time, we have adopted a simple framework that helps us navigate the space and communicate what we do.

We distinguish between three different concepts: credentials, storage, and processes. We introduce each of them briefly below and will publish more detailed explanations in our upcoming posts.

Three different types of soup with fewer ingredients.

Credentials

Credentials are essentially pieces of personal data coupled with some metadata, such as who issued them and when. We call the data your identity attributes. Here are some examples of attributes:

  • Date of birth: 1990
  • GPA: 3.8
  • phone number: 0738294738

Many credentials contain more than one attribute. A university diploma, for example, contains not only the GPA but also the name of the course.

The simple fact that this data exists, on paper or digitally, means that someone must have created it. Your university diploma was created by the dean’s office, your national ID card was issued to you by your government, and the credit history that sits in the credit bureau’s database was submitted by your bank. So every set of attributes has an issuer. Sometimes, that issuer is you: the attributes you put on your LinkedIn profile were created by you, so you are the issuer of those credentials. Which issuer stands behind a credential matters, because anyone checking the credential is really deciding whether to trust that issuer: a self-issued job title carries far less weight than a government-issued ID.

Several credentials together can make up an identity. People have different identities depending on which type of credentials they group together.

Storage

Both digital and paper credentials need to be stored somewhere: in a drawer or box at home, on your computer, in the cloud, or in a government database. The type of storage is a key aspect of every digital identity system, because where your credentials are stored largely determines how much agency and control you have over them.

There are different storage paradigms. Most of the time, your credentials are spread over different silos in the databases of different organizations.

Sometimes these organizations decide, or are forced, to submit their data to a central database. This central aggregation approach is the one used by credit reference bureaus, some national identity databases like India’s Aadhaar, and the vast central database of Ant Financial in China.

Aggregating data in one place has many advantages, for individuals and organizations alike. However, it also creates a single high-value target, with a wealth of issues around data privacy and security. The decentralized storage paradigm tries to preserve the benefits of centralization without those risks. The idea is to give every individual a way to store their credentials in a storage they control, either on a device or in the cloud. The trade-off is that the burden of securing that storage, the device, its keys and its backups, moves onto the individual. This is the kind of storage system many decentralized identity projects, including Microsoft, Tim Berners-Lee’s company Inrupt, and ourselves, are working on.

Processes

The last piece of the puzzle is processes: all the transactions on, and checks of, credentials across the different storage platforms. One very common process is authentication.

Authentication:

Authentication is the process of proving that an identity, or set of credentials, belongs to you. Usually you first provide an identifier: you state which identity you are claiming. When you want to access your Facebook account you provide your email address; when you register a SIM card you provide your national ID number.

Next, you need to prove that this Facebook account or this national ID number is yours. This boils down to the following:

Give me something you have, you are, or you know, and I check if it’s among your credentials.

The most common authentication method today is the password. Give me your password (something you know) and I go to the storage and check whether it matches the stored password credential. In a well-built system the storage does not hold the password itself but a salted hash of it, and the check compares the hash of what you presented with the stored hash, so that a leaked database does not directly leak everyone’s passwords. If you forget your password, many services ask you for other things you know, such as your mother’s maiden name. Of course, the “mother’s maiden name” credential must have been created and associated with your identifier when you registered, and because such answers are often guessable or publicly discoverable, they are a much weaker factor than a password.

Passport control at airports and many humanitarian organizations use biometric authentication: give me a biometric (something you are) and I will check it against the storage. Note that a fingerprint, voice print or any other biometric is just a credential, although one that is often used for authentication. Unlike a password, a biometric is never compared for exact equality: the live sample is matched against the stored template with a similarity threshold, so both false accepts and false rejects are possible, and a biometric that leaks cannot be changed the way a password can.
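To make the three concepts concrete, here is an added example in Python. It is not code from the original post or from any Gravity product; it is an illustration written for this page. It models a credential record that carries its issuer as metadata, a storage silo keyed by identifier, and an authenticate() process for the “something you know” case. The subject jane@example.com, the issuer names and the attribute values are constructed sample data. It departs from the plain description above in one practitioner-relevant way: the storage holds only a salted hash of each secret, the comparison is constant-time, and plain attributes such as a GPA can never be used to authenticate.

```python
"""Toy model of the credentials / storage / processes split (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000          # assumption: illustrative work factor
DUMMY_SALT = b"\x00" * 16        # used to equalise timing on failed look-ups


@dataclass
class Credential:
    """An identity attribute plus the metadata that makes it a credential."""
    attribute: str                 # e.g. "gpa", "password", "mothers_maiden_name"
    value: bytes                   # the attribute value, or a salted hash if it is a secret
    issuer: str                    # who created it: a university, a government, or the subject
    salt: Optional[bytes] = None   # present only for hashed secrets


# Storage: one silo keyed by identifier. In a centralized system this is the
# organization's database; in a decentralized one it would live on the user's device.
Storage = Dict[str, Dict[str, Credential]]


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a salted hash so the storage never holds the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def issue_attribute(storage: Storage, identifier: str, attribute: str,
                    value: str, issuer: str) -> None:
    """Issuance of a plain attribute (never usable as an authenticator)."""
    storage.setdefault(identifier, {})[attribute] = Credential(
        attribute, value.encode("utf-8"), issuer)


def issue_secret(storage: Storage, identifier: str, attribute: str,
                 secret: str, issuer: str) -> None:
    """Issuance of a 'something you know': only the salted hash is stored."""
    salt = os.urandom(16)
    storage.setdefault(identifier, {})[attribute] = Credential(
        attribute, hash_secret(secret, salt), issuer, salt)


def authenticate(storage: Storage, identifier: str, attribute: str,
                 presented: str) -> bool:
    """Process: the subject claims an identifier and presents a factor;
    we check it against the credential of that name in storage."""
    cred = storage.get(identifier, {}).get(attribute)
    if cred is None or cred.salt is None:
        # Unknown identifier, no such credential, or a plain attribute that was
        # never meant to authenticate anyone: fail closed, but do the same
        # amount of work so response time does not reveal which case it was.
        hash_secret(presented, DUMMY_SALT)
        return False
    return hmac.compare_digest(hash_secret(presented, cred.salt), cred.value)


def issuers_of(storage: Storage, identifier: str) -> Dict[str, str]:
    """Who stands behind each credential grouped under this identity."""
    return {name: c.issuer for name, c in storage.get(identifier, {}).items()}


def build_demo_storage() -> Storage:
    """Constructed sample data for one subject (not real people or records)."""
    storage: Storage = {}
    who = "jane@example.com"                                # the identifier
    issue_attribute(storage, who, "gpa", "3.8", issuer="Example University")
    issue_attribute(storage, who, "date_of_birth", "1990", issuer="Example Government")
    issue_secret(storage, who, "password", "correct horse battery staple", issuer=who)
    issue_secret(storage, who, "mothers_maiden_name", "Doe", issuer=who)   # recovery question
    return storage


if __name__ == "__main__":
    s = build_demo_storage()
    print(issuers_of(s, "jane@example.com"))
    print(authenticate(s, "jane@example.com", "password", "correct horse battery staple"))
    print(authenticate(s, "jane@example.com", "password", "wrong"))
    print(authenticate(s, "jane@example.com", "gpa", "3.8"))
    print(authenticate(s, "nobody@example.com", "password", "anything"))
```

The recovery question is just another authenticate() call against a different credential name, which is exactly why it is only as strong as the secrecy of the answer. Swapping the dict for a database, or for a wallet on the user’s device, changes the storage paradigm without changing the credential model or the process.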

Putting it all together

That’s it: credentials, storage, and processes are all you need to piece together your digital identity system of choice. Self-sovereign? Probably go for a decentralized storage approach. Is availability important as well? Maybe decentralized cloud storage, then. Want to use fingerprints for authentication? Someone has to register a person’s fingerprint and create that credential first. Of course, the nitty-gritty details of an implementation are more complicated, but the framework helps to think through the haze.

Any digital identity system can be evaluated using this framework: Facebook, UNHCR’s PRIMES, your government’s ID system. In the articles that follow, we’ll take an in-depth look at each of the concepts.

Please provide your feedback in the comments. Do you agree with us that this space is hard to understand at times? Do you think we’re missing something essential? Feel free to share, clap and come back for the upcoming articles. I would like to thank my colleagues at Gravity, Sharanya Thakur and Marc de Courcel for their inputs.
