Are we heading towards digital identity crisis?
In today’s digital economy, identity is the core element of it. Digital identity has been through evolution over the years, but with rapid changes in the market, a digital identity revolution needed more than ever.
If we go back to 1997, Microsoft released Passport as a universal login, and the changes happened in the identity until today. We’re not talking only about human beings’ identity but everything ( Machines, Bots, Animals, Supply Chain and Things).
In 2012, a research paper about the need to reinvent the societies’ systems because digital technologies’ advancement would lead to exponential growth in personal data and argued that privacy must be part of that future system. Afterwards, a paper after another started to highlight the digital identity challenges and the need for a data trust model to encourage more connected and integrated systems to forward the digital economy.
However, that trust model got further expansion to consider the attributes of human beings. As in today’s world, we might have different personas (as shown below) that are used differently and stored in separate Personal Data Storage (PDS), that should allow privacy if the link between Personas and the core identity controlled and managed by the identifier (i.e. the owner of this identity). However, the core identifier needs to be associated with other parameters (i.e. attributes) necessary to broaden specific identities’ usage. In some cases, there will be no need to verify the user’s identity before using the service; instead, you check the attributes against the eligibility criteria required before using the service.
Many attributes would be associated with the core identity. Still, if we tried to categorise the attributes and identify the owner and the controller of it, you might consider these three categories:
I wanted to give you some background about digital identity before we dive into the crisis point. As you can see, you might assume you’re the owner of your identity, but that would be a challenge in the coming years. Your identity attributes (which is far more critical than you think) will be determined by external factors that you don’t control much.
In February 2021, the UK Government published The UK digital identity and attributes trust framework explaining the need to build trust in today’s digital identity. The UK government committed to establishing a governance and oversight function to own and enforce that trust framework (and with good faith and merit of the government’s objective) that assurance of digital identity would help speed up the UK Government’s digital strategy.
I’ve summarised the key takeaway points from the paper about digital identity as follows:
- Optional and no age limit to have it
- Only for a living person
- Usable Internationally
- Reusable or one-time off
- Still working in progress
There will be four entities that will have to meet specific legal, technical and policy requirements:
- Identity Provider
- Attributes Provider
- Orchestration Provider (Identity Trust Governor)
- Relying parties
That reminded me of a similar story in 2011, related to identity assurance of a user consuming services online. The proposal (at the time) suggested classifying the identity providers based on data accuracy and license them accordingly. Still, attributes indicated at the time were very limited to specific patterns of user’s behaviour, location and machine in use.
Now, the question “where is the crisis?
As explained, digital identity will play a significant role in the digital economy and impact our society. It is essential to openly discuss other points beyond the trust that needs to be addressed as early as possible such as:
- Privacy of digital identity
- Selling or sharing disposable data
- Inheritance in digital identity
- Use by date for the algorithms
- Left behind society (that don’t want digitalisation)
Let me give an example of some of these issues and the impact expected in the future.
Example 1:
In 2007, the Amazon Kindle service started to sell eBooks to 18+ old readers and allowed access to the service through a valid amazon account. However, if Amazon decided to terminate your accounts (for whatever reason), you won’t have access to the books anymore. You could argue this isn’t directly related to the digital identity and more towards Terms and Conditions, which is correct in a digital economy where digital transactions are preferable. I argue service providers (such as Amazon) would exercise their Ts & Cs to the extent to verify if the consumer is still a living or deceased person through the trust framework (which is their rights). That means if an 18 years old male purchased books from Amazon in 2007, he would be able to have access to the books he bought until 2068 (based on the average life expectancy), which means loss of millions of pounds in monetary value every year. So, inheritance in digital identity needs to be part of that framework to minimise deceased person’s productivity losses as we move towards the digital economy.
Example 2:
There is a big expectation that blockchain will play a big part in the digital identity as a distributed ledger by providing unified, interoperable, and tamper-proof infrastructure. In a conversation with RSQ Labs co-founder he mentioned that:
public blockchain doesn’t achieve privacy because it’s public, and the claim that blockchain is unhackable is not true, but the effort required to comprise it is higher.”
That doesn’t exclude blockchain from being an ideal infrastructure for decentralised identity, but privacy concerns need to be considered. The advancement in Privacy Enhanced Technologies (PET) in recent years is promising to help achieve some of the necessary privacy in the new digital age, such as:
- Secure multi-party computation (SMPC)
- Differential privacy
- Zero-knowledge proofs (ZKP)
