Doing Something About Digital Identity
And asking everyone to prove their identity is not it
The Monetary Authority of Singapore (MAS) issued a report that highlighted four key pillars of digital infrastructure. The first is… digital identity. They talked about how digital identity will ensure authentication and validation of an individual’s identity, while simultaneously delivering both privacy and security.
As you might imagine, I agree wholeheartedly, which is why I was very happy to see digital identity issues given prominence at Fintech Week London where I had a “fireside chat” with the UK’s Minister for Digital Infrastructure, Matt Warman. Matt was clear that digital identity is recognised as fundamental to the evolution of fintech, and therefore financial services, in the City and beyond.
I was very pleased to hear this, because in the UK we should aim as high as other global financial centres such as Singapore. In fact, we should aim higher: not only privacy and security for people but for companies, things and bots. We need a digital identity infrastructure that supports our transition to a new economy, not one that stutters along digitising the relics of the post-industrial revolution bureaucratic response to urban anonymity.
We have all of the technologies that we need to build the new kind of digital identity that we need for the 21st century — zero-knowledge proofs, verifiable credentials, strong authentication — and now we need to put them to work!
If London is to remain a preeminent financial centre and an engine for the wider economy, then it needs to reinforce the need for this missing pillar of the economy and drive forward its construction. My thinking for Fintech Week was that the UK has found it extremely difficult to develop a fit-for-purpose digital identity, so perhaps the fintech sector can provide some new thinking, some new ways to approach the problems of identity that could deliver both improved security and better privacy in a more practical way.
The European Commission has put forward proposals for a "European Digital Identity Wallet" that will enable citizens to link national identities and other attributes (eg, driving licences, bank accounts) in a convenient way to access both public and private services. Dan Morgan, the European policy lead at Plaid, says that such a secure digital identity for all Europeans has the potential to remove some of the major barriers not only to access, but also to the usage of financial accounts in Europe, and I am certain that he is correct.
A digital identity has to be used to be effective though. I hope the euroID will take inspiration in terms of ease of use from Apple, who have said that a "personal ID" feature will be part of iOS15, the next version of Apple's mobile operating system planned for the fall.
Do we want ID?
But... is convenient near-universal personal identification a good way forward? That is not obvious, because it is not obvious who should know your real identity or why they should be allowed to know it. As John Herrman, writing in the New York Times, points out, it is hard to overstate just how thoroughly connected a typical internet user’s various identities have become and platforms that ask for legal names are “woven through countless other social networks, shopping sites and commenting systems”.
The UK’s Open Rights Group warn of the dangers of “consent fatigue” because people will be required to prove their age and identity, linked to some official form of identification (eg, a passport) for every site they visit and every service they use. No-one really reads those stupid cookie consent pop-ups any more, they just click “OK” and go about their business and it will be the same with identity. You will no longer be able to access some websites without proving your identity: and in the view of many, the only reason you would not click “OK” on the identity pop-up is if you have something to hide.
We will end up with dangerous “honeypots” of verified personal data. Suppose an adult services site, to pick an obvious example, uses an identity verification service to check that I am actually Dave Birch, that I am actually resident in the UK and that I am actually over 18. They might ask me to use my Apple Wallet to send them my driving licence or they might ask me to scan my driving licence and, using something like Stripe Identity, quickly obtain this information. But what this means is that when the adult site is next hacked (which happens all the time), now my verified personal information and service preferences are available to fraudsters the world over. It also means that every other web site that I logged into as “Alexander de Pfeffel Johnson” will also know who I am. That doesn't sound right.
How should digital identity work then? Well, the proposed euroID will enable people to choose which aspects of their identity, data and certificates they share with third parties, and to keep track of such sharing. The point here is that the adult services site does not need to know my name or my age or anything else: it merely needs to know whether I am over 18 or not in order to create a persistent identifier linked with that single attribute. In other words, a credential.
Credentials are the way forward.
There is a well-understood and fundamental asymmetry between privacy and security when it comes to providing products and services. You can have security without privacy, but it doesn't work the other way round. You can't have privacy without security. If you can't keep your data secure then it doesn't matter what any of your privacy goals or policies are, because none of the data will be private for long. My view is we should set a high bar.
No digital identity infrastructure should involve any sort of trade-off between privacy and security: we (ie, the industry) should be perfectly capable of delivering both. And we know how to do it. Designing an identity infrastructure that is founded on credentials rather than identity (what some people refer to as a reputation economy) is not only feasible but highly desirable.
Suppose that an “anglosphere” vision for national identity (based on the concepts of social graph, mobile authentication, pseudonyms and so on) was focused on the credentials rather than on either the transport mechanism or biographical details? Then, as a user of the scheme, I might have an entitlement to (for example) access health care, enter a bar or read the Wall Street Journal online. I might have the credentials necessary to demonstrate these entitlements on my phone (so that's the overwhelming majority of the population taken care of) or stored somewhere safe (eg, in my bank) or out on a blockchain somewhere. Remember, these credentials would attest to my ability to do something: they would prove that I am entitled to do something (see a doctor, drink in the pub, read about people who are richer than me), not who I am.
The way to move forward in this area of vital national interest is to reframe the discussion to be about credentials, not identity as a dangerous proxy for entitlement.