The challenge of Digital Identity
I have certain physical characteristics that will not change dramatically (if at all) over the course of my life. There are aspects of my eyes, voice, fingerprints, height, gait, the shape of my face, that give someone or something certainty that I am me.
Attached to these physical characteristics are certain immutable facts. I was born on a particular day, at a particular location, to a particular person. There’s a whole history of events associated with my physical person that will not and can not change.
Then I have a set of personal attributes associated to these physical characteristics that are factual and true, but not necessarily immutable. They are stored as records which, when provided by a trusted source and validated, will be considered gospel but could, in theory, be changed over time. Many people, for example, will not carry the same name for their entire lives.
It is only through the combination of my physical characteristics and the trusted record of these attributes that my physical identity is formed. My face, combined with a government issued document, proves I am me.
My physical characteristics need an anchor that ties them to my personal attributes.
What then needs to differ to create an effective Digital Identity?
Surely we just create tools and software to verify my physical characteristics against a digitised database of my personal attributes.
I could swiftly pass through border control with but a smile directed towards a facial recognition camera. I could set up a bank account on my phone using my fingerprint alone. I could vote in a General Election from an app.
This would be a nirvana for some, a nightmare for others, but not a million miles away from the direction identity is going.
If implemented correctly, digital identity solutions can enable:
- Greater security compared to passwords and personal information which can be forgotten or stolen
- Reduced operational risks and costs from incorrect data entry
- Improved customer experience in many different contexts – from opening a bank account to moving through an airport
- An increase in the availability and usefulness of digital solutions for governments and private businesses
However, the challenges are numerous.
- Who owns your digital identity? Instinctively, many argue that the individual should be responsible for their own identity. But in reality, they don’t today. The aspects of our identity that matter most – our personal attributes – are almost exclusively issued, owned and managed by government organisations. Where digital identity is concerned, individuals should have a level of control but it is highly unlikely that they will have full ownership
- Who is incentivised to create an overarching system? That being said, you could question whether the government is incentivised and able to create a digital identity solution, compared to private organisations that stand to benefit more greatly. The cost is likely to be excessive and will need to show a positive return on investment
- How do you ensure trust across the digital identity system? But where sensitive personal information is concerned, there is a distinct lack of trust in the private sector. Similarly, trust in the government in the UK is particularly low at present. Trust in the ability to verify physical characteristics and in the personal attributes that these relate to is essential for a functioning digital identity solution
- How do you allow and manage privileged data access? In the examples above, border control will need access to a different set of personal attributes to let you into the country compared to the bank opening a new account for you. Each organisation seeking to utilise an overarching digital identity solution should be granted access ONLY to the information they need, and nothing more. Either that, or there will need to be different solutions for different uses, which in itself could be challenging
- How do you ensure the security of the system? Where information is stored digitally, the threat of hacking or a data breach will always remain. Similarly, although the technologies that verify your physical attributes are improving dramatically, so too are the tools and techniques used by rogue operaters to trick the system
- Is this approach ethical? The use of biometric information always raises the question of ethics. If government and private organisations are able to identity us through means we are aware of (eg., using an app), they will also be able to do so without our knowledge (eg. CCTV cameras). The potential to violate our privacy could be seen by many as a move towards an authoritarian big brother state
- At what point do you create a digital identity, if at all? The creation of a digital identity should be opt-in. If you do not want a third party to hold and manage your biometric information, then they should not be able to. However, there comes a point where those that object to the very concept of a digital identity become marginalised if certain services become entirely reliant on it. There is also the question of children. We can get a passport at any age – should the same be true of a digital identity?
Digital identity solutions are being pursued globally and models for their implementation are already appearing. The Singapore Government recently introduced facial verification as an extension to their existing National Digital Identity infrastructure. Government and private organisations can access personal information once an individual has verified their identity using facial recognition software provided by iProov.
Although slightly further behind, the UK Government has consulted with the market to form an approach and principles within which a framework for digital identity can be considered. Similarly, industry groups in the UK, such as TISA, are exploring how digital identity could be applied in more specific scenarios.
Digital identity is an area that will evolve considerably in the coming years. Effective solutions will act as a secure key to an ever-expanding range of digital services, streamlining customer journeys, reducing instances of fraud and reducing operational costs.
But mass adoption isn’t just reliant on an effective solution; individuals need to trust not just that the system is secure, but also that their personal liberties won’t be abused by governments and private organisations alike. This, rather than the technology, might be the toughest nut to crack.