A new approach to digital identity

Digital Identity

Written by Chris Yiu, Senior Policy Fellow for Technology at the Tony Blair Institute

Revolutions sometimes come in small steps. For those of us born before 1995, turning 16 had a small coming of age moment: a blue and red card would arrive in the post. Squished in bulging wallets, between various receipts, loyalty, debit and credit cards, our National Insurance card would later invariably be lost, or buried in a drawer. A minor panic would then ensue each time a new employer asked for your number.

But today, as wallets have shrunk and new payment forms such as Apple Pay arisen, a major transformation can take place, giving people greater control of the identity and information and nations a greater control of their borders. Through our own digital ID – a self-sovereign identity – wide reforms can also be put in place to reboot government and citizenship for the 21st Century.

The introduction of ID cards in the UK has long been a politically fraught issue. But such cards are common across Europe and, in digitally pioneering countries like Estonia, encrypted IDs allow people to authenticate themselves online, so that they can vote, submit tax claims, or manage medical prescriptions without leaving the house. Citizenship is intertwined with the nation state and we need to be smarter in how we manage this.

Two challenges need to be overcome.

The first is finding an acceptable balance between the state’s desire to have an authoritative view of what is happening, and the right of individuals to go about their lives without undue monitoring. Any approach that involves building a national identity database runs two big risks: that it is used by the state either now or in the future to profile the activities and behaviour of individual citizens, and that it is compromised on an industrial scale by hackers with malicious or criminal intent.1

The second is more prosaic. Despite advances in production methods, it remains possible to create counterfeit physical identity documents that will pass a cursory examination. And because the data printed on the documents is in plain sight, people often share far more information than warranted. In the UK these challenges apply to the documents we use for identification, such as passports, birth certificates and driving licences. All of these are routinely requested, copied or transcribed in ways that take our data well outside of our control.

Fortunately, new technologies can help address these. By putting individuals in control of their personal data and securing it with digital signatures, individuals can credibly assert their identity or status without mediation by the state. And because digital data is more flexible than physical documents, it would be possible to share only the information required in any given circumstance.

Such an approach, broadly characterised as self-sovereign identity, could work as follows:

  1. Users would install a digital wallet to their smartphone, and use this to generate a unique pair of digital keys (the basis of modern cryptography). Unlike traditional username / password combinations where credentials are stored on a central server, the user’s private key will never be known to anyone else.
  2. Users would then provide their public key to identity authorities, and receive digitally signed attestations that would be stored in their digital wallet. This would be the digital equivalent of the safe place where you currently store your passport and other important papers; the difference is that digital versions cannot be altered or counterfeited.
  3. Users would share these digitally signed attestations with third parties as required (e.g. to prove eligibility to work), and use their private key to sign any related documents. The digital signatures involved would give the counterparty confidence in what is being asserted without requiring a central system to intermediate the interaction.

As well as addressing the centralisation and oversharing challenges of traditional identity systems, this approach also opens up the potential for other uses of technology to streamline processes and reduce bureaucracy. In cases where the individual is physically present, it would be possible to for bank managers, landlords or employers for example to check facial biometrics against a digitally signed photograph shared from the user’s digital wallet, significantly reducing the risk of identity theft. And for online transactions, a personally controlled digital identity could be the foundation for reorienting public services around the citizen. Estonia has led the way on this front. For example, digital health records belong to citizens, are walled off from other data unless the citizen chooses otherwise, while there is an indelible record of anyone else that has accessed them.

Smartphones also make it possible to leapfrog some of the costs associated with cards and card readers in traditional electronic ID systems. However, digital inclusion remains a relevant factor, and there may be a need to issue devices to individuals who are unable to provide their own. It would also be relatively easy for new residents to get set up, although a requirement would remain for existing identity authorities to issue digitally signed attestations, and the process for this would need to be properly staffed and resourced.2

In the context of migration to the UK, a system like this could provide the infrastructure that ensures people are only employed when they have a legal right to work, and have access only to the public services that they are entitled to. Individuals would simply need to acquire the relevant digitally signed attestations (and there is no reason why this could not be done before entering the country). For existing citizens, the same attestations could be issued when setting up basic identity attributes for the first time.

This would not be a silver bullet for controlling illegal immigration. It would not track individual activity and there will be some element of non-compliance. But by making it far harder to operate under false pretences, it would radically shift the incentives for anyone contemplating gaming the system. It could also restore the public’s confidence that the system and our national borders are not being abused, address many of the concerns that drove Brexit.

But it also part of the major revolution that should be taking place in Britain today, to ensure that we are a modern, imaginative and innovation nations, ready to give people control in the right ways.

1 – Some recent attempts to improve identity assurance for online transactions have experimented with using a patchwork of identity providers to verify an individual, rather than relying on a central database. By proving that you are in possession of some private information that would only be known to you and your bank, say, they can then vouch for you when you interact with government online. These sorts of approaches have, however, not proved to be straightforward. Many people struggle to pass verification, particularly if their circumstances are complex, and more fundamentally this approach only shifts control to the new identity providers rather than to the individual.

2 – Some people working in this field are thinking about how distributed ledger technologies like blockchain could be used to establish a trusted identity (sometimes called a “proof of existence”) that is entirely independent of public identity infrastructure. This will be particularly relevant in countries where people do not routinely have access to official identity documents. The approach usually relies on recording some baseline information and then relying on other individuals to verify these claims, in order to gradually build up a reliable picture of an individual’s attributes. 

This article was originally published here.


More Thought Leadership

Comments are closed.