Digital IDs: the challenges and solutions to a new age of identity

Tom Fisher, Researcher, Privacy International

We hear a lot that ‘identity’ is a key driver for financial and social inclusion. It is often cited as a tool to enable people to exercise their rights. But as Privacy International’s research has shown, identity systems can also be sources of exclusion.

Achieving universal coverage in an ID system is an impossible dream. We see people who can’t get an ID, even when they are entitled; for example, people in border communities. Some people have one but can’t use it: for example, the elderly farmer, whose worn fingerprints aren’t detected by biometrics. Similarly, trans people – whose name and gender on an ID might not match how they present themselves – face abuse and discrimination.

Yet, more and more essential services are linked to identification - government benefits, schooling, healthcare. The list is growing. But it’s also a growth area for the private sector too. When an identity system is coupled with a single ID number – a unique identifier used across multiple services – it then becomes an ideal tool for profiling and tracking, both online and off.

We’ve got to start thinking about identity differently. We need to ask: is an identity system really a solution for people to overcome barriers, or is it itself a barrier? We have to listen to those who will be marginalised and excluded from a system. They have to be at the heart of how an identity system is designed and used. Most importantly, there has to be recognition that an identity system isn’t a solution to every problem and that it can in fact cause the very exclusion it was designed to prevent.

Adam Cooper, Chief architect, ID2020

Article 6 of the Universal Declaration of Human Rights states that: ‘Everyone has the right to recognition everywhere as a person before the law. ’ To ensure this in a digital world, individuals need a trusted, verifiable way to prove who they are online.

State based identity systems provide a vital foundation of authoritative sources of trust, but they almost always focus on government needs to somehow classify citizens or deliver services rather than providing choice, privacy protection, and interoperability.

It is also true that the current models of national or corporate identity have many issues. Identification, verification, and account creation is time consuming and duplicated across multiple systems; privacy isn’t always the top priority for those providing identity, and interoperability is at best single sign-on.

The next wave of solutions needs to enable digital identity that is available to all and does no harm. We need to avoid identity that can be used to persecute or disadvantage individuals and we need to remove barriers to adoption at all levels.

Interoperability and portability can be achieved by putting the individual at the centre and leveraging trust from multiple authoritative sources. There also needs to be an acceptance that governments are not going away – they will continue to provide many of the authoritative sources of trust, the difference is users should be empowered to decide how and when this trust is shared.

Importantly interoperability should also be cross-scheme, as well as cross-border. It should be based on standards and obtain equivalence through mapping to international norms, such as EU (eIDAS Regulation), NIST (800.63), and ISO (29115).

We should be working towards identity systems that demonstrate portability of trust and the ability for individuals to take control of their identity destiny. Many refer to this as self-sovereign identity, I would argue that self-managed identity more accurately describes what is needed, ie the user at the centre, standards and governance in the open, and governments and corporations providing proofs of identity as, when, and if we need them.

Alastair Campbell, Head of digital identity, HSBC

I’m sure all of us recognise the industry-wide opportunity to enable our customers to ‘own’ and federate trustworthy digital identities, as well as its profound opportunity to streamline CDDs, enable new services, and empower all of our digital lives.

We, at HSBC, are passionate advocates of the movement as, today, we continually put our customers (and ourselves) through great hassle and inconvenience, getting them to re-assert their customer data assurances for remedial CDD, cross-border account opening, and so on. However, we have become increasingly concerned that the general direction of travel of the ‘digital identity’ cottage industry is going to struggle to deliver the outcomes we all want. We can, and should, guide an alternative way forward more likely to deliver to our needs.

We are all experiencing – I’m sure – in one form or another, attempts in local markets to build ‘digital identity schemes.’

Whilst the mechanics and the participants’ roles vary by scheme type, in general they each attempt to build a shared ‘circle of trust’ with all participants agreeing:

a. a common, holistic, and fixed definition of digital identity/KYC
b. common standards for ID proofing
c. shared technology, governance, and liability models.

These ‘holistic’ approaches to digital identity rely on these unlikely agreements between members to get started, resulting in hugely cumbersome and highly fragile arrangements. We see small localised successes of these schemes – in Singapore, Canada, the Nordics – but it seems very unlikely that any global universal scheme is going to emerge from these.

As an alternative, we’ve started tackling our own digital identity problems from a very different perspective.

About Identity Week

Identity Week comprises of three world-class events: Digital:ID, Planet Biometrics and SDW – all focused on the concept of identity. The events will explore the complete spectrum of the identity lifecycle, from how organisations are approaching the task of on-boarding, authenticating and authorising citizens, consumers or employees, to how they can access services across multiple markets in the physical, digital and mobile domains. There are a host of attractions, from peer-to-peer networking and targeted interactive round tables, to free on-floor seminars and expert-led conferences for each event, with over 250 speakers. The events offer a one-stop shop for any company involved in provisioning or ascertaining identity, whether via a secure credential, biometric, or digital identity solution.