Digital identity crops up on the agenda from time to time, as has been the case in the UK over the past couple of months. Back in July 2019, the British government launched its call for evidence on Digital Identity. It received over 100 responses and eventually published the consultation outcome at the start of September 2020. In this article, Digiecon makes high-level conjectures to introduce the digital identity discussion to the non-tech-savvy.
What exactly is digital identity?
If you ask the average person what identity is, they will tell you that identity is what identifies you to whoever needs to know who you are – something like your Passport or your Driver Licence, with a photo, your signature and possibly fingerprints and/or other sorts of biometric information. Right? Well, not completely. In the digital world, identity can be a unique alphanumeric string, a unique user id. So, to use a service, you can submit your user id and a proof that you are the owner of that id.
If you want to use an online service, you just need to register first, providing a certain amount of information about yourself (which, under data protection regulations, should be only what is essential for the service you are using). Whenever you need to use the service again, you just authenticate yourself (by providing your user id and password). That offers the organisation providing the service some reassurance that you, and not anybody else, are doing whatever the online service allows you to do. Financial services go a step further: they adopt multi-factor authentication to try to ensure no fraud will be committed. That is because if you can reasonably deny having made a transaction, the financial services organisation is liable for losses.
There is an inconvenience, though: every time you enrol with a new digital service, you select a user id and a password. Every service has different rules and you are also told not to repeat passwords. For online services that are not used frequently, it does not take long for you to forget all about the credentials to access the service. This creates barriers to the use of these services.
One token to rule them all …
An alternative to having to register for a new identity with every new online service is to rely on federated identity. The popular example is the case where you are offered the option to sign in with, e.g., a Google or Facebook account, instead of using the organisation’s specific registration and authentication services. Google or Facebook will pass back information confirming that you have successfully authenticated, together with essential data about yourself. This is then accepted by the organisation as proof of identity for the use of their services.
Although federated identity goes some way to simplifying user experience, it is still not perfect. You may not have a subscription with any of the popular services which are usually shown as options, or you may simply not trust the fact that you are logging in with another service – are they tracking your visit to other websites? An alternative would be to have one, or very few, trusted, regulated and neutral identity provider(s). This could, in theory, increase confidence of users while significantly reducing the chances of fraud or commercial exploitation of knowledge about the websites you have been accessing.
There is yet another alternative, though. What if you could register once with a trusted party and receive a digital identity which would not require you to remember your password? If you make the alphanumeric sequence long enough and completely unpredictable (in computer science, a random sequence with very high entropy), you wouldn’t even, in theory, need a password. These are commonly referred to as tokens. The mere fact that you are able to present a valid token authenticates your identity. This is not free from issues, though: you would need a secure physical element to store your token information, as it would be impossible for you to remember the specific alphanumeric string.
A number of approaches have been proposed but none really gathered momentum in the UK. The government proposed issuing ID cards back in 2006, but by 2010 the Identity Cards Act was repealed in Parliament. Using an ID card enabled with near field communication (NFC) with a recorded identity token would have allowed a tap-to-identify type of service. The mobile industry came up with a similar idea, using a mobile identity where the mobile phone's NFC capability could be used and Mobile Operators could act as identity providers.
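The token idea described above, as an added sketch that is not from the original article: a hypothetical issuer (the `TokenIssuer` class, the 32-byte token size and the user id are assumptions) hands out a 256-bit random token, stores only its hash, and treats presentation of a valid token as proof of identity. It also shows why safe storage matters: any copy of the token identifies its holder until the issuer revokes it.

```python
import hashlib
import math
import secrets

TOKEN_BYTES = 32  # assumed size: 256 bits drawn from the OS random generator


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


class TokenIssuer:
    """Hypothetical trusted party that issues and checks bearer identity tokens."""

    def __init__(self):
        # Only SHA-256 digests are stored, so a leaked database does not
        # contain anything that can be presented as a token.
        self._digests = {}  # digest -> user id

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)  # unpredictable, not memorable
        self._digests[self._digest(token)] = user_id
        return token

    def verify(self, token: str):
        # Possession is the only check: whoever presents the token is accepted.
        return self._digests.get(self._digest(token))

    def revoke(self, token: str) -> bool:
        return self._digests.pop(self._digest(token), None) is not None


if __name__ == "__main__":
    issuer = TokenIssuer()
    token = issuer.issue("alice")          # constructed sample user id
    copied = str(token)                    # a copy made by anyone who saw it
    print("holder identified as:", issuer.verify(token))
    print("copy identified as:  ", issuer.verify(copied))
    issuer.revoke(token)
    print("after revocation:    ", issuer.verify(copied))
    print("8-char password bits:", round(entropy_bits(62, 8), 1))
    print("token bits:          ", entropy_bits(2, TOKEN_BYTES * 8))
```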
Much ado about nothing… or, is it?
One might ask, why so much fuss? If digital identity is so important to reduce friction in the adoption of digital services, why not quickly converge to a viable solution and get it implemented country-wide? Although the question sounds simple enough, the answer is not straightforward.
The first consideration is what system to use – a digital identity card, an identity flash drive or a more traditional multi-factor authentication with a centralised identity provider in a federated identity scheme? A second consideration is who to select as identity issuer – the government, a government-selected third party, a fully independent body? Finally, how and by whom should the centralised identity system be regulated?
There is a legitimate concern that giving the government the power to centrally grant digital identities or to act as identity provider can give rise to a localised version of the system adopted in China. If the identity provider registers every digital interaction a citizen has, it effectively meddles with the very basic right to privacy. In the case of China, the system is infamously linked to vision AI where citizens’ movements can be detected via CCTV videos, associated with the citizen id, and permanently recorded. In China, the system is official, citizens are aware that their movements are tracked and that the government is scoring them for their behaviour. In the UK, well-informed human rights advocates fear that aspects of privacy may also be at risk should a central government digital identity system be used to link up citizens’ activities across public and private sectors. Notably, privacy is the top principle identified by the government in its response to the call for evidence on Digital Identity.
Waiting for Godot
The public and private sectors will not stand still while waiting for a consensus on the best approach for the UK’s digital ID. They keep on progressing with their own initiatives.
In the public sector, the government is pushing ahead with GOV.UK Verify. It is delivered by the Government Digital Service in conjunction with private sector identity providers including the likes of Barclays, the Post Office and Experian. It is used to grant access to more than 22 central government online services. A video explaining how the system works can be found here. GOV.UK Verify has been around since 2016 and has so far garnered between 4 and 7 million unique users (the original goal was for 25 million unique users by 2020).
In the private sector, Open Banking is believed to be a powerful catalyst for the emergence of consensus on Digital Identity specifications. The Open Banking Implementation Entity was created by the UK’s Competition and Markets Authority to create software standards and industry guidelines that drive competition and innovation in UK retail banking. Open Banking does not provide digital identity but it can support digital identity initiatives by creating a standardised and ubiquitous authentication mechanism that consumers can use to access their digital identity regardless of where it is stored.
Achieving broad use of digital identity will unlock great value for the economy through a reduction in fraud and in the costs associated with transactions. It will also facilitate the launch of new digital services. The value to the economy is estimated as an increase of 3% in GDP by 2030. However, if not implemented correctly, it can result in a substantial lessening of privacy.
As a citizen or member of an organisation, the best thing for you to do is to keep yourself informed about the discussion, understand how you can benefit from a widely adopted digital identity, and make sure your voice is heard on the approach you find preferable to protect privacy.