Online identity: With the failure of Gov.UK Verify should Britain follow the Nordic model?
UK should consider adopting Norway's BankID model, says Signicat's John Erik Setsaas
Digital identity presents an interesting conundrum. As more and more government, financial and other services move online - some abandoning the medium of paper altogether - we a need a simple, secure way to authenticate ourselves, only sharing what we need to in order to retain a modicum of privacy. We keep our passport in a draw or a safe, but who do we trust to look after our online ID?
At one extreme we might not trust anyone, instead choosing to keep our credentials locked away in an encrypted vault to which we alone have the key. That requires confidence that the encryption we choose will keep up with advances in technology, and also that we won't lose our private key.
At the other end of the scale, many of us our happy to log in to websites using our Facebook or Google credentials - but knowing a bit about their extractive business models should we really trust them as custodians of our online souls, convenient as that may be?
The ideal solution would be one in which our photos, dates of birth, address and there rest were not shared with the service providers at all. Instead an authentication token providing proof of our validity would be sufficient to sign us up for the majority of online services.
John Erik Setsaas is a self-proclaimed ‘identity nerd'. He is on the board of EEMA, the European think tank focusing on identity and authentication, and the company at which he is VP of innovation, Signicat, is part of ETSI, and works as part of the committee responsible for the standardisation of European digital signature and trust services. It should be mentioned at this point that Signicat's customers are regulated industries, largely in the finance sector.
Such an anonymised system is possible, but we're not there yet, he said.
"We don't have any means of an anonymous authentication but this is something we are working on, being able to use personas that could be anonymised but still bound to a physical identity."
Complicating the matter further, law enforcement authorities (hopefully with a proper warrant) will require the ability to identify the person behind the anonymous persona. The bond of trust is not just between service provider and client: the state has a stake too.
Nordic know-how
The separation of electronic ID (eID) from individual government services was the idea behind Gov.UK Verify, the goal being to provide a one-stop-shop for accessing many government services. Users are given a choice between providers (including Barclays, Experian and the Post Office) to manage their identity credentials. Once checked these identity custodians issue a verified eID that';s valid across departments. However, take up has been poor, Whitehall departments uncooperative and the Parliamentary Infrastructure & Projects Authority recently recommended closing Verify down.
Elsewhere, the Indian government's Aadhaar identity database has been widely criticised for overreach, as well as being insecure. But being secure is only part of the problem.
"The Germans of course have very good technical secure solution that nobody uses," Setsaas said. The smartcard-based nPA requires a special card reader and updating information is cumbersome. Also it's only valid for government use. Given the small number of times the average person has to contact a government department, the use case is questionable. No wonder take-up is limited.
The Nordic countries have the most advanced digital ID systems, Setsaas contends. There is no state ID card in his native Norway but the commercial sector, particularly the banks, came together 15 years ago to create one, BankID. In doing this they augmented their status as trusted custodians and simplified the KYC process for themselves. BankID is now accepted by many businesses and government services.
Banks think they're in the money business but really they're in the trust business
"Banks think they're in the money business but really they're in the trust business," said Setsaas. "In general people trust banks even though they claim not to - you still have your money and your mortgage there. We need these trusted entities."
So why did this system work in the Nordics where Gov.UK Verify, seemingly a similar scheme, has apparently hit the buffers?
The UK is both larger and more ‘small c' conservative he said, when asked how transferable the model is. A significant proportion of the population will resist change.
"In Norway people in general are ready to go to digital. On the other hand I know that you still use cheques in the UK. People like to hang on something physical."
He continued: "Smaller countries makes it easier. Also I think we have a better climate for cooperation. In the way the banks got together and said let's not compete on identity because we all benefit from a unified identity infrastructure. The challenge with the Verify model is that they're setting up a competition on the identity level as well."
The Netherlands and Benelux countries represent a halfway house, he went on. In the Netherlands they have the iDIN for banking and the DigiID, but the latter is for government services only.
"The reason they are struggling with taking up in the Netherlands is they're not promoting it enough, the banks should promote that you are actually using iDIN and so they are actually aware of it and people don't understand why they should have the two systems."
Self-sovereign identity
But many people won't trust banks to look after their identity. A central repository is a honeypot for hackers and there is a danger of consortia of banks becoming identity monopolies. And what happens if a bank collapses or is bought out? The idea of self-sovereign identities has taken hold. Users choose between different providers of ‘identity wallets' to store date of birth, biometrics, driving permits and other attributes and can move between them at will. However, unless you run a home server to store your ID wallet, you still need to trust the provider storing your data.
Blockchains, of course, loom large in such discussions. Signicat's main customers are banks, so it should not be a surprise that Setsaas is unenthusiastic. Nevertheless his points are not easily dismissed.
Blockchains have a small place as systems of audit, but they are public so not a suitable place to store private data, he said. Moreover, data storage on blockchains is expensive and inefficient. Also you really need a trusted custodian to look after your private key - lose that and you lose everything. Roughly a quarter of all bitcoin mined are thought to have been lost forever because their owners failed to keep their keys safe.
Most importantly though, from the point of trusted verification, is that someone needs to vouch for the information that goes onto the blockchain (or is audited by it).
"There was a website for trading art and a guy managed to register himself as the creator of the Mona Lisa. People tend to think well if it's on the blockchain you can trust it. Well you can trust it hasn't changed since it was added, but you can't trust the original information unless you have a trust framework around it."