Digital identification platforms are actively becoming critical national infrastructure: They are enabling the digital transformation of services, creating opportunities for innovation, and defending against fraud. Inclusive and trusted identification systems are also an enabler, a building block of digital economies and means of service transformation, making services easier to access, whether that be for finance, education, or healthcare. Countries across the globe are working on updating or implementing new identity systems. For these systems to serve these countries and the individuals enrolled with them adequately, it will be essential to promote interoperability and appreciate that this is ultimately all about people, not technology.
So, are we really solving the right problem with these identity systems, or is there a better way? In my opinion, it’s not really about identity at all: most people don’t care about digital identity; they just want better access to services. And to gain better access to better services, they actually need the ability to express trusted data about what they are (for eligibility) rather than who they are (as identity).
There are other misconceptions or assumptions that implementors of population scale identity systems often make, which may favor a vendor or a particular application but certainly don’t tackle the human element of identity. For example, many see identity as a credential, a card you are expected to carry with you that somehow validates your identity, something physical that can be tested. Of course, this doesn’t address the online need to prove who we are to digital services, and it often has a high cost attached to its production and use. Equally, identity is not something that is given to us by a state; the ability to prove one’s identity is a fundamental human right.
Identity is more a function of human interaction than a number, card, digital signature, or DID. In many cases, the information that proves your eligibility or applicability for the service or outcome you need is more important.
If we put IOT aside for a moment and think about the core aim of digital identity, we have a human problem of needing to prove something to someone you don’t necessarily know so that you can get the thing you need / want / are entitled to get. Think of crossing a border, applying for a job, getting social benefits or emergency payments from a government agency, receiving a pension, accessing health care, and so on.
To answer the question: tell me who you are? You could simply state your name and maybe some supporting information like your age. For many transactions, that’s plenty of data, but as the value of the transaction increases or the risk placed on the entity you’re transacting with increases, you might need to add some evidence that they would trust or could check themselves to satisfy their risk. If we stay offline for a moment, then I could get a library card simply by adding a phone number and address, just self-asserted, but they can be checked against a government database (to see if I live in the area and pay taxes, go to school there, etc.), and the risk is pretty low (I can only borrow a few books at a time). If I’m trying to buy alcohol, I could show a photo ID document like a driving license so that the vendor satisfies the need to check my age, but again the risk is pretty low to them, and if I have a fake ID, they have minimal training or technology to check it and are not expected to by the state, so all we really have is a speed bump to deter misuse rather than a genuine identity check.
It is often useful to set some principles for identity systems. In general, they should: observe proportionality; promote ease-of-use; follow the law and protect people’s rights; understand risk and help others to understand it too, and whatever we need to do requires to apply to the task in hand, the transaction we are trying to complete for the service that’s being accessed.
Fundamentally this is about individuals needing or wanting to do something, and identity should not get in the way.
Change is accelerating, and it’s out of our control. Many will cite the COVID effect where the drive to go online rather than in-person interaction has been a necessity from a public health perspective but also because so many of us suddenly realized that maybe there are other ways of working. My view is that this change has always been coming and that public expectation has been growing for a while. The rise of Amazon and the Gig-Economy are just two examples as convenience and flexibility build a greater hold on those with access to smartphones and internet connectivity.
But change is not universal, and not everyone has the same opportunities. Globally there are 1.1 billion people with no legal identity. Of those who do have a legal identity, 3.4 billion are unable to use their ID online despite a large proportion of these individuals having access to a mobile device. Many of these people are in the developing world, but the potential for exclusion is just as present almost everywhere. For example, here in the UK, around 17% of the population don’t have either a driving license or a passport, the two primary means of identification required by the government’s proposed single sign-in system. Inclusion, therefore, is a significant issue.
Then there are the unbanked, around 1.7 billion people worldwide who do not have access to a bank account either through problems of inclusion or socio-economic reasons. These individuals often struggle to identify themselves reliably and can be lost to the system, as happened for many in the informal work sector during the initial COVID crisis.
Once established, digital identities can play a significant role in building digital economies. Digital Identity and trusted data about individuals are key enablers for the digital transformation of government services and are foundational building blocks for a digital economy. Implemented correctly, they will provide trust for services when transacting with users, reduce government duplication, simplify implementation for service providers, and remove barriers to adoption.
Providing citizens with the ability to obtain a digital identity without unnecessary exclusion or cost that can be used across government and the private sector is vital.
Government services that need to reveal sensitive data, allow people to change their records, or allow people to claim money or other benefits will only achieve digital transformation if they can reliably identify the users attempting to access those services.
Digital Identity also creates the possibility for international trade and innovative cross-border services to be implemented. This will support cross-border payments, increase the protection afforded to data in international trade transactions, and create an environment for entrepreneurs to establish innovative business propositions to drive the expansion of the digital economy. Trading blocks worldwide are moving towards a model of international cooperation and digital interoperability similar to that already in-place in the European Union, where the legal basis for identity interoperability has been in force since September 2018 under the eIDAS Regulation. Such international interoperability and the associated trust in digital transactions that can be achieved opens new markets to businesses that would have previously found the processes involved prevented their participation. At a government level, it creates trust between authorities and reduces the cost of fulfilling essential activities such as those related to the import and export of goods, paying duties, and applying for Visas.
Digital transactions that are truly transformative rely on trusted data. A key example of this would be eKYC data enabling financial accounts to be opened more quickly and efficiently online or enabling innovative new services leading to greater financial and social inclusion.
Government agencies have an opportunity to provide these critical sources of trusted data, often referred to as authoritative sources of trust upon which digital identities can be verified and subsequently the rich data needed to enable digital transformation.
Trusted data also enables the creation of new digital services that are more convenient, less costly, and open new opportunities to individuals and businesses. The global pandemic has highlighted the need for greater trust in conditional cash payments, remote applications for services, and increasingly the need for electronic health records to ensure that individuals are vaccinated correctly and are able to then continue with their lives. Trusted data enables these services, as does digital identity.
Digital identity should itself not become a barrier to accessing services. Identity systems should be designed by focusing on the needs of users and the available proof they have access to for identity verification.
User testing with a wide range of users most likely to benefit from digital access to services should be a priority to ensure that the user experience is appropriate, intuitive, and attractive to those most likely to benefit from adoption and does not in itself create a digital divide.
Inclusion can be increased by making sure that multiple identity verification and authentication methods are available and that levels of assurance can start at lower levels with the option to obtain a higher level when needed (i.e., identity uplift). For example, sign-in to digital service becomes a barrier if card readers or biometric readers are required to achieve authentication (as would be expected in a government office), whereas digital means of authentication, perhaps linked to the user’s mobile device, are more appropriate and drive inclusion and uptake.
Where possible in-person authentication should also be an option (e.g., through a mobile-id) to maximize the impact of digital identity.
Digital identity should be inclusive and should not be mandated as this in itself may lead to a digital divide where some individuals may not be able or willing to act online or provide proof of identity.
Digital identity systems should consider the needs of disabled and disadvantaged groups of society, providing alternative means of verification and/or authentication where applicable. Consideration for assisted options of onboarding and access should also be part of an inclusive policy, enabling those willing to participate but unable to do so alone in all circumstances to benefit from digital transformation.
As such, government offices should provide support for digital identity registration for individuals with disabilities, those with limited digital skills, or those without regular access to digital technology. Equally, government service providers should ensure that alternative methods of registration and authentication are available to those who are less able or unable to use standard methods of access to ensure that identity systems do not discriminate or isolate certain sections of society.
Regardless of the technology solution, without legal and consumer protection, bad things will happen. There needs to be a reliable legal environment within which identity can operate to which services must conform. This means the presence of data protection and privacy laws that meet internationally recognized requirements (GDPR is just one reference point). There also needs to be some form of consumer protection such as a supervisory body or a regulator able to ensure that standards are applied, and the rights of individuals respected and provide a framework for redress should identity fraud or breaches occur. These all seem like obvious requirements, but have you checked your legal environment recently? Do you know who to turn to if your digital identity is compromised? These are some of the greater problems faced when implementing a digital identity system and are beginning to be expressed as Trust Frameworks, collections of rules and standards that should be observed by all parties providing and consuming our digital identities. The EU, Canada, Australia, and the UK have been developing such trust frameworks. Across Africa and Asia, interest in creating similar frameworks is growing rapidly, and for a good reason.
Most people don’t really want a digital identity; what they want is access to better services more conveniently.They care about trust in that they don’t want to be ripped off or their data stolen, and they care about convenience because they just want to get something like being paid by the government or gaining access to vital services they need.
No one really wants to manage their data or their identity. If you ask most people (not technical people but just the average citizen), they won’t know what a credential is or a private key or even what you mean by authentication.The concepts that are most used to stem from non-digital life: buying goods and services, depositing money in a bank account, gaining access to healthcare or other social services, even applying for a job. All of them need some aspect of identity, trust, and eligibility data, but what the person involved wants is the result, not the fancy technology that gets them there. What they probably want is the new job, the treatment from a doctor, or that emergency payment from the government that they so badly need.
Tech companies often skim over all this context and head straight for a cool-looking app that purports to solve everyone’s problems. Tech is never the answer on its own; it needs to be there as an enabler, facilitator, or accelerator of something the user wants and needs and to do so as silently and painlessly as possible.