Digital identities

by Mark Rowe

Digital identities are here to stay. How do we keep them up with the times? asks Bruce Esposito, Global Identity and Access Management Strategist at One Identity, an identity and access management (IAM) product firm.

In a way, digital identities have become part of the fabric of society, and it’s hard to imagine them going away anytime soon. With the spread of COVID-19, the need to provide a method to uniquely identify people on a large scale has become paramount in developing a long-term response to this and future pandemics.

There is, however, one evolution of digital identities that many have envisaged, and some organisations have already implemented. Last year, Deloitte published an article outlining how a unique digital identity can streamline citizens’ and businesses’ interactions with government. With a single login, similar to the way we log into bank accounts, businesses would be able to apply for government grants and check the status of a building inspection. Individuals would be able to buy a bus pass and pay their taxes all in the same place, thus enabling better service quality and increased operations efficiency.

Unique digital identities might not be such a utopia after all, as countries across the world are beginning to adopt this model. In Europe, Estonia is leading the way: citizens can already pay their taxes with a pre-populated tax form, access their health records and vote online. The European Union is following suit with a project called EU Once-Only, which aims to create a digital single market across the continent. The project will take unique identities one step further, allowing EU citizens not only to benefit from having a single digital identity within their country, but also to use their electronic ID seamlessly across the other states within the Union.

On a global scale, the United Nations is also looking at digital identities as a way to provide people across the world with the basic human right of being recognised as a person before the law. In its 2030 Agenda for Sustainable Development, the UN outlines its objective of providing a legal identity for all.

Several projects are underway which are looking at blockchain technology in identity management. It addresses the idea that identities need to be portable and verifiable everywhere at any time. The idea is to create a technology that will allow people the flexibility to create encrypted digital identities that can be used across multiple applications without requiring a single, centralised identity store. Having no central repository helps eliminate today’s risk of hackers stealing large amounts of identity data from a single source, such as a company’s customer database.

Blockchain allows for the idea of zero-knowledge proof. This is the concept where a person can prove to another entity that they know a certain piece of information or meet a certain requirement without having to disclose any of the actual information. For example, a person could prove that they are over 21 without having to show their date of birth. The person would have an indicator tied to their identity stating they are over 21. The entity verifying this would not need to know the actual date of birth, but instead would only need to validate the digital signature of the government that issued and attested to the information. This can all be done with blockchain technology.

This is similar to how we do it today in our paper-based world. When ordering an alcoholic beverage at a restaurant or store we may be asked to prove we are over a certain age, although this stopped happening to me many years ago. We typically show our driver’s license to the person requesting proof. They simply check our date of birth and hand our license back to us. They don’t need to record any personal data like our name, address, date of birth, etc. in some customer database. They simply verify the information at the time of the request and then forget it. This is exactly what needs to happen in a digital identity world.

Why should we have a unified digital identity?

There are several examples of where having a unified digital identity is not only successful, but also the best way to overcome certain specific challenges.

The US Department of Defense, for example, has adopted a Common Access Card (CAC), which is a single smart card that the entire DoD uses to access any branch. It is used to enable physical access to buildings and controlled spaces and provides access to defence computer networks and systems.

The United Nations’ World Food Programme has found a way to use blockchain technology to provide digital identities to Syrian refugees, who often arrive at camps without any ID. A digital wallet is created on which refugees can transfer money and purchase food and supplies. This simplifies the process of having to physically distribute these resources. With biometric identification, refugees are able to identify themselves and access their digital wallet at camp supermarkets.

Currently, the COVID-19 pandemic has created new challenges for the Centers for Disease Control and Prevention. The US federal government has started to use mobile phone location data as an ad-hoc digital identity to help with its epidemic response. Since most people in the US have a mobile phone, this has provided a simple way to track whether people are following the shelter-in-place guidelines, and to track where people may be gathering in crowds. An example is in New York City, where they found a large number of people were gathering in Brooklyn’s Prospect Park. Using this information, the authorities posted warnings to encourage social distancing and were able to monitor the ongoing situation.

Unified identity and privacy

It sure sounds great to be able to have a single, unified digital identity. This, however, creates a whole new set of challenges in terms of privacy and human rights.

The same technology that is currently being used to track people during the coronavirus pandemic could also be abused. Government officials in China have already started using facial recognition software to identify people going out in their pyjamas, which is considered an uncivilised behaviour. The rule-breakers’ pictures were posted online as a form of public shaming. But this example is benign when considering the more obvious reasons why an authoritarian government would have an interest in implementing a unified identity to track its citizens.

An example of where a unified digital identity can also have some unintended consequences is with India’s Aadhaar programme, which is the largest digital ID programme in the world. It was shown to be at risk for fraud. It resulted in cases where money was stolen and identities were used to open fraudulent accounts. The biggest problem was when there were system failures and downtime which caused people to lose access to needed resources. This was documented to have caused the death of at least 15 people, 7 of whom were unable to access subsidized grain. A unified digital identity is only as good as the trust that the system that uses it can provide.

In the case of using a digital identity to respond to the COVID-19 pandemic, North Dakota’s contact-tracing app, Care-19, provides a warning example. It was found that the app was covertly sending location and advertising data to third parties. This again creates an issue of trust, as a major challenge for all contact-tracing apps will be getting people to use them. One recent study claimed that at least 60% of citizens would need to download the app for it to work. If citizens don’t trust that their personal information is protected from abuse, they simply will avoid allowing it to be used.

Are the risks worth the benefits?

As our digital identities evolve there is a need to balance the benefits they provide with the risks they create.

The first step to make this work is to avoid monolithic systems, which have a single point of failure and a single point of abuse – India’s Aadhaar, for example. These systems provide high assurance in identifying an individual, but can also be a double-edged sword and over-identify. This is what has happened with Social Security Numbers and the US credit system. This information has proven so easy to obtain and abuse that it has now created the basis for a whole identity-theft industry to be built around it.

The answer: contextual integrity

One key to approaching this problem is the idea of contextual integrity, as proposed by Helen Nissenbaum. The idea is that only the minimal required identity information is provided to the requestor, based on the context of the request. For example, a healthcare provider may need to know a person’s sex and weight, but a retail provider would not. Conversely, a retail provider may need to know a person’s income as reported on tax forms in order to extend credit, but a healthcare provider may not need to know this.
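
An added example (not from the original article) of the pattern described in the over-21 passage and in the contextual-integrity paragraph above: the issuer signs salted digests of each attribute, the holder reveals only what the request context allows, and the verifier checks the issuer's signature without ever seeing the date of birth. This is salted-hash selective disclosure rather than a full zero-knowledge proof; the Lamport signature, the `POLICY` table, the attribute names and the sample values are all assumptions made for the illustration.

```python
import hashlib, hmac, json, secrets

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signature: stdlib stand-in for the issuer's signature scheme.
# One key pair signs ONE credential; a deployment would use e.g. Ed25519.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg): return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][b]) for s, (i, b) in zip(sig, enumerate(bits(msg))))

def commit(name, value, salt_hex):
    return H(json.dumps([salt_hex, name, value]).encode()).hex()

def issue(sk, attrs):
    """Issuer: sign the sorted salted digests; the salts go to the holder only."""
    salts = {k: secrets.token_hex(16) for k in attrs}
    digests = sorted(commit(k, v, salts[k]) for k, v in attrs.items())
    return {"digests": digests, "sig": sign(sk, json.dumps(digests).encode())}, salts

# Constructed policy: attributes each kind of requester is entitled to see.
POLICY = {"bar": {"over_21"}, "healthcare": {"sex", "weight_kg"}}

def present(cred, salts, attrs, context):
    """Holder: disclose only the attributes the request context allows."""
    shown = {k: [attrs[k], salts[k]] for k in attrs if k in POLICY[context]}
    return {**cred, "disclosed": shown}

def check(pk, pres):
    """Verifier: return the disclosed claims if issuer-signed, else None."""
    if not verify(pk, json.dumps(pres["digests"]).encode(), pres["sig"]):
        return None
    claims = {k: v for k, (v, salt) in pres["disclosed"].items()
              if commit(k, v, salt) in pres["digests"]}
    return claims if len(claims) == len(pres["disclosed"]) else None

# Constructed sample holder data and a single issued credential
ATTRS = {"date_of_birth": "1990-04-02", "over_21": True, "sex": "F", "weight_kg": 61}
ISSUER_SK, ISSUER_PK = keygen()
CRED, SALTS = issue(ISSUER_SK, ATTRS)
```

The per-attribute salts keep a verifier from guessing an undisclosed value, such as the date of birth, by hashing candidates against the signed digests.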

Mobile phones have started to become the first platform to enable this type of functionality. They are becoming the basis for contact tracing applications which are viewed as key to managing the current and future pandemics. These apps today enable someone to voluntarily control and choose to share their health information. However, as mobile phones have become a de-facto digital identity for almost everyone, there are concerns about how much personal data is being shared with third parties without the person’s consent and knowledge. Not that this is always bad. Data such as geolocation should be accessible to emergency services personnel, but there is no reason why this kind of information should be available to retailers, for example.

Ultimately, to address these privacy concerns, it is necessary to implement the idea of a self-sovereign identity along with contextual integrity within these systems. A person should be able to own and control all aspects of their identity. They should control which information is shared, where it is held and – most importantly – when it is forgotten. Individuals shouldn’t be asked to give up their control over their identity to any one single organisation.

We, as individuals, should be pushing for these changes, going back to the basics of freedom that were obvious before the modern age of technology – we own who we are, and we owe it to ourselves to take this issue very seriously.


© 2024 Professional Security Magazine. All rights reserved.
