From blockchain to governments and regulations – the alphabet of digital identity

What are blockchain’s particularities when it comes to identity? What new possibilities does blockchain bring out to us that were not available before?

In order to understand the new benefits of blockchain for digital identity, we need to review its current state. At present, there are two problems that we are dealing with. First, every web service on the planet issues user IDs and passwords. Second, these organizations offering global web services are suffering from data breaches: 7.8 billion people had their identity compromised in 2017. The current approach to digital identity is faulty and has created the current situation. A fragmented security plan will not address these issues, so we need a different strategy.

There is a fascinating property of blockchain that has a very interesting parallel to digital identity. Blockchain was invented for a very particular purpose: to create digital money – that can only be in possession by one person at a time. It is called the “double spend” problem. We have a double spend problem in identity, too. Crooks have enough information about you; they and you are equally convincing when registering for services. Everybody is looking for a trusted mechanism of sharing identity information, and blockchain has potential here. Digital identity will be more trustworthy when it can only be asserted and possessed by the person it belongs to.

How should governments and private sectors approach identity and what models do you see around the world that are worth mentioning?

Today, every organization acts independently, with their own plans and perspectives, and yet there is no organization in the world big enough to do digital identity by itself. The ideas for digital identity projects range from creating a government-issued identity to using social media as an identity provider.

In Canada, a unique collaboration between private and public sector organizations is taking root. Governments, banks and telcos try to solve the identity equation by leveraging the core strengths of each of the players. By allowing Canadians to use the trusted relationships they already have, they can assert and re-use the information they have already shared and that has been verified. By re-using the information in these registrations, Canadians can access new services more quickly and with less effort because they can share trusted information that has already been vetted.

Regarding the models worth mentioning, Estonia has established a successful system which provides state-issued digital identities to 98% of its citizens. Their solution facilitates digital signatures to validate identities with a suite of services including security and safety, healthcare, e-governance, business and finance, education and mobility services. While this method has been extremely successful for Estonia’s relatively small population of 1.3 million, adapting this model to some countries will be a challenge – national ID cards are a political hot potato in many G20 countries.

Is the Canadian approach exportable to other countries and markets? If so, under what conditions?

There are three key pillars in Canada: banks, telcos and the various levels of government. First, the banks have a trusted relationship with consumers and are uniquely positioned in their clients’ lives, ensuring customers have full control of their bank accounts. Canadians access their bank accounts 17 times per month on average. They don’t forget their passwords, and they will notice quickly and notify their bank if they lose access to their account because that is where their money is. What’s more, banks are able to detect changes in user behaviour based on devices, location, time of day, amounts, and payees. The user’s self-interest in managing a bank account is an important part of our Canadian identity model – it is a passive way of taking advantage of existing user behaviour. 

Secondly, the telcos, or mobile operators, are associated with the mobile device that can be carried anywhere around the world. In this case, the user’s self-interest lies in the fact that they have a lot of data on their mobile phone that must be protected, and the convenience of using mobile phones to validate identities fits with a fast-paced and digital environment. Like bank accounts, mobile phones are something that users will manage well out of self-interest and it is always close to hand.

Finally, various levels of government also have trusted relationships with citizens and hold important pieces of a citizen’s identity – digital and otherwise – that are essential to leverage for an effective digital identity system. The government has the authoritative reference data that every organization depends on to make the economy work.

In South American countries, a government-issued scheme makes sense, especially in those with many unbanked citizens. In other countries, we may see a telco-led scheme prevail (in Germany, for example, there a relatively small number of telcos when compared to banks, which makes it easier to get critical mass for a service). So, the Canadian model is adaptable to other countries because all modern economies have these three industry players which have relationships with citizens across the economy.

Putting customers in control does sound attractive, but what type of knowledge and behaviour is needed for a successful and secure adoption?

The key success factors for consumer adoption are simplicity, safety and privacy. The model must have a very simple user ritual to allow users to share data; sharing should be as simple as clicking or tapping.

Safety speaks to making sure users can’t be tricked out of their data, or inadvertently overshare their personal information. This gets into the crook-in-the-middle type attacks that are prevalent online. It’s important to make sure data can only be received by the intended destination service, and that context and consent are clear. The model should minimize the user sophistication required around the security model – if there is a big list of ‘don’t do this and don’t do that’, it will fail.

Privacy is really important. It is about making sure there are no honeypots of data. The personal data being shared by the user is proportional to the value they are getting from the service – data minimization. Limiting surveillance, preventing honeypots of data and data correlation across organizations are important too.

What is your view on digital identity initiatives in Europe? Do you have a message for business leaders and policy makers?

The recent GDPR legislation is part of an excellent initiative which sends a powerful message to everyone involved in the handling of data. The new legislation puts consumers in control of their data and holds organizations accountable, with consequences such as crippling fines and immense breach remediation costs. Another interesting aspect of GDPR is the consumers’ right to be forgotten, and have the final say in when, where and how their data is used – or deleted.

Another promising scheme that comes out of Europe is eIDAS, but it comes with some challenges largely because it’s government-led. The legislation sets new standards for electronic identification and translations in Europe’s Single Market. In theory, it should be applicable across multiple countries, but in practice, it has scaling issues because not all member states understand the framework of recognizing each other’s eIDs, and the scheme has uneven implementation and user adoption across economies. Even worse, since it is government services, user challenges will continue because of forgotten passwords, since government services are not accessed frequently by most citizens.

About Andre Boysen

Andre is responsible for positioning SecureKey’s growth strategy, cultivating opportunities in new and existing markets, and promoting demand for the company’s solutions globally. He serves as SecureKey’s digital identity evangelist. He recognized as a global leader in digital identity by One World Identity (2017) and Innovate Identity (2016). Andre serves on the boards of the identity standards organizations of DIACC and the Kantara initiative.

About SecureKey

SecureKey is a leading identity and authentication provider that simplifies consumer access to online services and applications. SecureKey’s next generation privacy-enhancing services enable consumers to conveniently and privately assert identity information using trusted providers, such as banks, telcos and governments, helping them connect to critical online services with a digital credential they already have and trust, while ensuring that information is only ever shared with explicit user consent. SecureKey is a champion of the ecosystem approach to identity, revolutionizing the way consumers and organizations approach identity and attribute sharing in the digital age.