Getting Identity Right. At Last.
A seismic shift is under way in the huge, ongoing international project called ‘digital identity’. It hasn’t triggered any spectacular earthquakes yet. It’s more tectonic than that. But it’s seismic nevertheless.
Ten years ago, we (Mydex CIC) were one of five companies (along with the likes of the Post Office and the credit reference agency Experian) chosen by the UK Government to pioneer its Verify digital identity programme. At the time the Government had a vision for identity which went something like this.
An ‘identity’ — that confirms that a person is who they claim to be — would be a sort of digital product produced by specialist producers called ‘identity service providers’ (ISPs). They would compete in a market for digital identities made up of competing ISPs. Organisations would buy these identities from the ISPs to help them reduce the costs and risks they incur in checking to see if individuals are who they say they are.
None of this vision is likely to survive as it gets replaced by a different, more efficient and more person-centric perspective.
The first shift towards this new perspective happened a few years ago when the Government decided to launch its Identity and Attributes Trust Framework. Adding the word ‘attributes’ isn’t just a small semantic change. It signifies something very important (see below).
The second shift, confirmed by the publication of the Government’s Beta version of this Trust Framework, is the explicit recognition that ‘identities’, attributes, or both, may be shared by a range of different parties including citizens using personal data stores.
The Trust Framework paper gives the example of Carmen, a doctor moving to work at a new hospital. Before starting work at the hospital, she must prove who she is and that she has the relevant qualifications. She gets a digital version of her registration certificate that confirms her licence to be a doctor in the UK. It is added to her personal data store. The information from this registration certificate can be checked against an authoritative source. She can share it when needed e.g. when applying for a post at her new hospital.
Says the Paper:
“Attributes can be created, collected and checked by an attribute service provider. An attribute service provider could be an organisation or a piece of software, like a personal data store or digital wallet.”
It’s all obvious, sensible stuff. But what it points to is a new vision of identity that has nothing to do with the Verify vision outlined above: one that combines trust-building and citizen agency with the reduction of friction, effort, risk and cost.
Here are some of the main operational differences between the two visions.
A new vision of identity
First, an ‘identity’ is not a fixed ‘thing’. It is a byproduct of a process for the sharing of verified attributes (that is, details about an individual that have been generated or checked by a recognised, responsible body such as a bank or government department). The particular bits of information that may go towards confirming that an individual is who they say they are may vary greatly from situation to situation. It doesn’t really matter what they are, as long as the process for making them available is reliable, safe and efficient.
Second, the use cases of ‘identity’ vary widely. Most people think of identity as relating to one specific scenario such as opening a bank account when, as an individual, you have to prove to the bank that you are who you say you are and not some sort of fraudster. That’s important. But it’s actually just one step in an entire sequence of operations where it is necessary to know the identity and attributes of a person in order to provide them with a service.
Other use cases include being recognised when you return to a service, checking eligibility for the provision of a service (such as for a loan or a benefit), configuring the details of that service so that they fit the circumstances of the individual concerned, planning the delivery of this service, and implementing its delivery.
At each stage, different bits of information may be needed. If a person is applying for a job where they will be driving a lot, they will need to present evidence of having a valid driving licence. If they are applying for a loan or benefit, the driving licence may be irrelevant but details about their financial circumstances become central. At each point, it’s the ability to access and use verified attributes that matters — and it is the bundles of these attributes that make up the individual’s identity in that context.
Third, this means there can never be a fixed, separate product called ‘an identity’, because the detailed bits of information in play at any one time will be changing. What really adds value is the ability to configure multiple different data points to fit the task at hand.
Fourth, this ability to access, share and configure verified attributes requires the existence of enabling data logistics infrastructure — infrastructure that enables these processes in a safe, efficient, privacy-protecting way. This mental and operational shift from ‘product’ to enabling infrastructure is vital. It is what our recent White Paper on Design Principles for the Personal Data Economy is about.
Fifth, this means there is no need for a special class of producers called ‘Identity Service Providers’, because their role is being fulfilled by this infrastructure.
Sixth, it also means that identity provision will never, ever become a ‘market’ because there isn’t a ‘product’ to sell. At one time, many companies hoped to make a fortune selling identities for fabulous profits. The opposite is true. As with all infrastructure, such as roads, railways, electricity and the internet, the greatest benefits accrue all round when the costs of using attribute sharing infrastructure are brought as close to zero as possible. The economic driver here is ‘cost out’, not ‘margin plus’.
Seventh, and most important of all, ‘identity’ is not just a service to organisations. It is first and foremost inclusive: a service for citizens, as the example of Carmen shows. It is about empowering citizens with agency; with the information they need to make their way efficiently and effectively within a complex world of service provision.
Finally, the citizen-empowering data logistics infrastructure that’s needed for this new realistic vision of identity is already built — by Mydex CIC. As noted above, we have just published a White Paper examining the design principles of the ecosystem it needs to work within.
Conclusion
For decades now, identity practitioners (Governments, big businesses, tech companies) have been chasing a vision of identity that was as real as a pot of gold at the end of a rainbow. That is why they have spent decades — huge amounts of wasted time, money and effort — getting nowhere.
But now there is growing Governmental recognition of the need for a different approach that empowers citizens as agents able to share verified attributes about themselves. This idea lies at the heart of Digital Identity Scotland’s Scottish Attribute Provider Service, the Korean Government’s increasingly ambitious MyData initiative, and the EU’s Data Governance Act (especially its provisions for ‘data intermediaries’).
The Government’s proposed Identity and Attributes Trust Framework doesn’t get us all the way to the coherent, alternative vision that is needed. But it has made some decisive steps in that direction. By recognising the pivotal importance of verified attributes and the potential role of personal data stores in enabling the sharing of these attributes, it is opening the door to actually solving the problem of identity. At last.