ID2020 Certification Mark: Our Theory of Digital Identity
What is digital identity? Do you have one? Does your digital identity afford you your rights to privacy, security, and choice?
Here’s our (working) philosophy of digital identity, a term that comprises a host of technologies, processes, and systems but one that we believe should ultimately be about you.
Your digital identity should be yours
Today, more than half of the planet has access to the Internet. Still more have access to mobile devices.
More and more, our relationships with institutions, and with each other, take place in digital spaces. Every interaction in the digital world spawns a digital identifier, or bits and bytes of data that can broadly be broken up into two categories: content (data) and context (metadata).
Today, your digital identifiers are grouped and systematized by technology providers seeking to collect and monetize information.
A digital identity, as we see it, is a metasystem: a collection of all of those systems of digital identifiers. So, if you interact with any technology connected to the Internet, or to a mobile network, you have a digital identity.
In the developed world, most of us use large service providers to manage the huge number and variety of digital identifiers we collect. The most prevalent service providers are (you guessed it) Facebook, Google, and Amazon. Each provider mediates your interactions in order to provide a seamless digital experience. And yet, as they do, they also collect your digital identifiers, in order to derive insights and (right again) drive profit.
So your digital identifiers are, for the most part, not in your control. In fact, they are more often than not stored in silos. And the more siloed and numerous your digital identifiers become, the less control you have over them. So while you do have a digital identity, you probably don’t have control over it.
And that’s just you. Over 1 billion people worldwide do not have access to any form of official identification. This lack can make it difficult, if not impossible, to access basic critical services like education or healthcare.
So, a large group of individuals have no officially recognized form of identification and those of us that do often don’t enjoy our rights to privacy, security, and choice.
Your digital identity should be yours, but it isn’t.
“Good” digital identity is your right
A “good” digital identity is one that is truly yours. With a “good” digital identity you can enjoy your rights to privacy, security, and choice.
The right to privacy is the right to permission access to your information at a granular level on an ongoing basis. Today, we consent once to give access to our digital identifiers. While it is possible in some digital spaces to revoke consent, revocation mechanisms are often esoteric and hidden behind high barriers to entry. True privacy means that you control access to individual digital identifiers, and that you can revoke (or modify) that access easily, at any time.
The right to security is all about protecting your data from unwanted access. Our certified digital identity systems must adhere to the highest security standards in existence today. And we are constantly evolving our Technical Requirements, which you can view here, in response to a changing landscape.
Last but not least, the right to choice is essential, and often overlooked in the digital world. Though you certainly have the right to choose among a few providers, and to exchange access to your information for that right, true choices are few and far between in the digital world; to get philosophical for a moment, what freedom actually exists in a world of prescribed, circumscribed choices? A world that, in most cases, takes a certain kind of digital presence as a given?
Achieving each of these rights depends on shifting the locus of control away from institutions and towards you.
So what is “good” digital identity, anyway?
A “good” digital identity is one that is portable, persistent, privacy-protecting, and personal.
Portability means that your information can be moved seamlessly from one hosting/storage site to another, without duplication, modification, or deletion. Persistence refers to durability; that your digital identity will stay with you for life, and that no individual or institution can duplicate, modify, or delete it. Privacy-protection refers to the safeguards in place to ensure that activities that you do not consent to are strictly forbidden, placing you in control. Personal means that you control your information at a granular level on an ongoing basis.
In short, a “good” digital identity is yours.
How do we get there?
Our Technical Advisory Committee is made up of some of the world’s leading experts on digital identity and its underlying technologies. They have identified seven categories, or focus areas, that determine whether or not a digital identity meets our standards: applicability, identification and verification, authentication, privacy and control, attestations and trust, interoperability, and recovery and redress.
Our Technical Certification Mark is the first step in a long process towards achieving “good” digital identity for all. It aims to give companies that go above and beyond to implement “good” approaches to digital identity a way to demonstrate that they do, incentivizing a race to the top.
We are hoping that this certification mark will not only play a market-shaping role, but also a market-making one; we not only want to give visibility to organizations currently building digital identity technologies, processes, and systems that meet our technical requirements, but also to incentivize new ones to do so as well.
Digital identities that meet our technical requirements will be awarded certification, but that is by no means the end of the process. More on that below.
Key focus areas
Our technical requirements address 7 focus areas: applicability, identification and verification, authentication, privacy and control, attestations and trust, interoperability, and recovery and redress. Think of these as the base of a “good” digital identity. Our Certification Mark is concerned with these seven, as well as an eighth: openness.
Openness plays a special role in our technical requirements. For us, openness is not required, but it certainly helps. If most elements in an applicant’s stack are open, then we view it as trustworthy-until-proven-otherwise. If not, then we approach it with an assumption of untrustworthiness.
Why? Trust but verify. If a technology is open-sourced, then it is easier for the broader community to verify an applicant’s claims. Many of our applicants, particularly those whose systems make use of biometry, will not be able to open-source aspects of their technology. Still, where elements aren’t open, applicants need to give a sense of why and what their thought process was.
Taken together, these eight categories form the stepping stones towards enabling “good” digital identity for all (and realizing our 4 Ps). The Certification Mark is key to this process.
How do we evaluate?
Our evaluators review each application in full. They perform a plausibility check to determine the veracity of claims: do referenced documents/resources exist? Do answers contradict one another? Is all terminology clear and used in accordance with our technical glossary? Do the answers provide a consistent narrative that coheres with our requirements? Our evaluators are experts dedicated to analyzing digital identity technologies, processes, and systems fully. And they’re not shy; they will reach out to applicants to get crystal clear answers. An applicant’s response also tells them a lot about an organization: are they responsive? Courteous? Open-minded?
Once our questions are fully answered, the final results will be published in full online under a Creative Commons (by) license, on ID2020.org. Publishing this information is part of the ID2020 Certification Mark requirements, which include our approval profile (both of which can be found on our website).
It’s not a perfect method, but it gets us to the last mile
Let us be clear: receiving the ID2020 Certification Mark does not mean that a digital identity is capable of providing the balance of probability necessary to ensure that the entity making a claim is who they say they are. No digital identity is, in and of itself, capable of providing complete assurance.
At ID2020, we believe that no technology can be understood apart from a use-case. That’s why at ID2020 we do not only certify “good” digital identities; we test them in a variety of contexts to ensure their suitability for a given individual, in a given place, at a given time. This is what we call the last mile and it’s where our robust monitoring and evaluation processes come into play.
Disclaimer: even with our team of experts we won’t ever have 100% certainty that all answers are true, and will stay true. But this application process will give us enough data points and input to take a pretty good snapshot. And if we ever learn about (or suspect) non-compliance or foul play, we’ll follow up, and reserve the right to revoke the certification. It’s a pretty high-touch approach, and we’re confident that this will lead to high quality and consistency.
Got all that? More than anything, we want to open a dialogue (it’s why we published our Certification Mark under a Creative Commons (by) License) and want you to contribute to our mission to improve lives through digital identity by adding your voice to the conversation. Please contact us at firstname.lastname@example.org with any questions or comments.