Towards a single digital identity

The benefits of a single digital ID to cover tax returns, gym membership and travel are clear, the question is how best to go about it

It's striking how many news stories revolve around questions of digital identity. Last week we witnessed the shocking online racial abuse of England footballers, which led to calls for verification of social media accounts. Earlier, we had the debate about the relative merits of centralised track and trace apps, where the owner's identity is known, versus decentralised ones where it is obfuscated.

There is pressure from celebrities to remove the anonymity of social media users as part of the online safety bill, and in the business world, this year we have seen mergers such as Okta buying Auth0, and finance and payment giants like Mastercard and Citi Bank snapping up identity software firms.

Indeed, identity management is big business. Researchers at ResearchAndMarkets project the identity sector will be worth a cool $15.8 billion in 2025 up from $7.6 billion in 2020. With the need to balance accessibility and inclusiveness with privacy and security it's a huge political issue too.

Digital identity finds itself at the centre of a swirl of debates concerning privacy, security, surveillance, fraud, streamlining government and commercial services, free speech, disinformation, the relationship between the individual and the state, vaccine passports, technical interoperability, regulation and control over personal data.

In a world where more and more life is lived online, the way we identify ourselves to others, what information we share with them, and what they can do with it is becoming increasingly important. But at the moment digital identity is a big mess.

National identity

How you perceive and use your digital identity will be strongly influenced on where you live.

If you are a citizen of Estonia, long the trailblazer in state-run ID schemes, you'll be used to having everything in one place. Your blockchain-based national ID card can be used as a driving licence, a loyalty card, a health service identifier, for public transport, as a travel document, for voting, for banking, to sign electronic documents and for gym membership. Very handy, but on the other hand it is mandatory and government-run, which is a stumbling block for those worried about how all the dots might be joined together.

India is another country with a state-run ID scheme, but its Aardhaar national identity card programme, now rolled out to more than a billion people, has been beset by security issues, data leaks and problems with the accuracy of its biometrics.

If you live in a Scandinavian country you may be accessing a similar range of services to Estonia with your BankID. Banks, trusted as secure custodians of personal data, issue digital identities that are accepted by many businesses and government departments in countries like Norway. But banks do not enjoy such levels of trust everywhere.

If you live in the UK, with its historical antipathy towards centralised ID schemes, you will probably have a separate, disconnected identity for dozens of services and membership schemes. In theory at least this keeps different areas of your life separate, but at the cost of inconvenience, repetition and form filling - and security risk too: the more places your details end up the greater the chance of identity theft and fraud.

The government's attempt to offer a single ID for multiple public services via a peculiar mix of public and private trusted repositories (Gov.uk Verify) is widely regarded to have failed, in part because of internecine Whitehall strife (important departments such as HMRC were unwilling to abandon their own authentication system and pushed back against Verify) and also because benefits to the individual were never made clear. Take up has been poor and budgets have overrun.

In fact, thus far the UK could be seen as a case study in how not to do digital identity. Peoples' details are stored in multiple public and private repositories, vulnerable to hackers and unscrupulous cross-matching, with none of the advantages that digitalisation promises. Ironically, the UK government is one of the most advanced nations when it comes to making services digital, frequently coming near to the top in international comparisons. It surely makes sense to build on this success.

In February the government released a draft digital identity framework saying it is committed to solving problems of identity theft and fraud but without the need for a national identity card.

A single, verified, secure digital ID could be hugely convenient and remove duplication, as well as streamlining processes, Mark Taylor, Osborne Clarke

"The logic for digital ID is strong in many ways, not least because we all already have so many different logins held by so many different businesses," says Mark Taylor, digitalisation and data partner at legal firm Osborne Clarke.

"A single, verified, secure digital ID could be hugely convenient and remove duplication, as well as streamlining processes such as anti-money-laundering checks, opening accounts and so on, but the trick is to structure it in a way that maximises convenience and minimises concern over ‘big brother' surveillance, and also avoids digital exclusion."

Europe's e-ID scheme

A particularly ambitions scheme is the planned European e-ID, which aims to enable all EU citizens to authenticate themselves and access online services with a national digital identification that's recognised throughout the bloc.

The e-ID scheme builds on the current setup the Electronic IDentification, Authentication and trust Services (eIDAS) introduced in 2014 - which ominously has so far failed to generate much interest. For ID schemes to succeed they must be attractive to citizens, businesses and governments.

Anne Bailey, senior analyst at KuppingerCole, sees clear benefits for citizens in having a single ID, but is uncertain about whether the e-ID will do any better than eIDAS in gaining traction among businesses and government departments. There are many parts that need to come together. Governments will need to digitise more services first and businesses, who stand to lose some primary customer data, need to see the advantage to them. So far these things have not been well communicated, she says.

"The initial reaction of many enterprises is that they are no longer in control of their customer or employee data, which becomes a liability especially in transactions that require a high level of assurance," says Bailey.

"The proposed requirement that each EU member should provide an interoperable digital national ID valid for cross-border transactions will not remove this risk."

Further to this, she adds, there is a huge disparity between governments' preparedness across Europe, with some still heavily reliant on paper forms.

Unlike Estonia's broadly successful ID scheme, e-ID will be voluntary for both citizens and businesses, the latter of which may prove problematic, Bailey believes, as so far they have little incentive to engage.

"While voluntary is the way to go for individual usage, not requiring certain industries to digitise services and interoperate with these digital national IDs may block mass adoption."

Certain key sectors such as banking, finance and telecommunications should be required to participate in the scheme, as was the case with open banking (PSD2), she believes.

If there are no services available online, a digital national ID will be of little use, Anne Bailey, KuppingerCole

"If there are no services available online, a digital national ID will be of little use, even if it is available to all eligible individuals and businesses who want one."

If businesses are not compelled to join they will need to be incentivised to do so, says Taylor: "Few commercial players are likely to adopt a ‘build it and they will come' strategy, so it may be that government sponsorship, funding or other involvement is needed in some form."

The e-ID scheme is still on the drawing board and full details will not be unveiled until September 2022, but the precedents aren't encouraging. Large, top-down IT projects have a poor track record, even within a single country - see Universal Credit and NHS NPfIT, for example.

Nick Lambert, CEO of blockchain-based digital ID company Dock, believes if it takes the top-down approach, Europe's scheme may go the same way.

"The scale of the project seems deeply unrealistic considering the range of services - renting a car, checking into a hotel, filing taxes - they are seeking to support, across a population of over 500 million users," he says.

"Tech innovation typically comes from an ecosystem of entities all vying to capture a share of a market and it seems unlikely that a large and bureaucratic organisation trying to cover such a broad scope will be successful."

On the other hand - and this is key driver for the EU's initiative - leaving the private sector to work out the details could lead to a proliferation of non-compatible standards, most likely with subsequent consolidation marooning identity within the walled gardens of a small number of (probably American) tech giants and keeping people - and governments - tied into their services. The European Commission has said it wants EU citizens to retain control of their data, rather than share it with the likes of Google and Facebook. If this works it will be a seachange, Lambert says.

Identity is not really yours, it's kind of loaned to you for a time and it can be taken away, Nick Lambert, Dock

"Currently identity is either given to us by a centralised government, as with passports or driver's licences, or it's a user account on Google or Facebook. And that identity is not really yours, it's kind of loaned to you for a time and it can be taken away."

Decentralised identity

Lambert is a proponent of self-sovereign identity, aka decentralised identity, whereby the individual owns their digital identity, and can restrict access to the information as required. A pub landlord need only know you are old enough to buy alcohol; he doesn't not need to know your home address or whether you are licensed to drive a car or even your date of birth, provided your details can be reliably authenticated.

Details of the EU e-ID's implementation have not yet been published, but KuppingerCole's Bailey says that decentralised identity solutions (DIDs) would be a good fit given the security and interoperability requirements set out. As a plus, there are many such solutions already on the market which will keep competition high in the important early days. On the downside, though, they may fall foul of data protection legislation like the GDPR, which was drawn up designed in a different technological era.

As well as amended legislation, if DIDs are to succeed they will need a strong pull factor. Individuals must feel they are in control of their data and that it is valuable; only then will businesses start to see there's something in it for them.

Presently, in countries like the UK where our digital identities are scattered out of sight and out of mind across multiple organisations, this can seem an alien concept. Certainly DIDs advocates have some selling to do. The convenience and trust advantages of having single a portable ID are the place to start, asserts Osborne Clarke's Taylor, who also says blockchain-based solutions with their built-in security, transparency and tamper resistance have much to offer, not least tackling the 'big brother' concerns.

"Rather than the ID being issued and controlled by a central - probably government - authority, the individual concerned can create their own portable digital ID which they retain control over, including aspects such as what it covers, who can access it and what that third party can do with it."

Portability is another key advantage. A decentralised identity can be moved from one provider to another, so long as they are based on the same protocols.

"The whole identity thing starts to break down if everyone's using different methods, and pursuing their own way of doing things, so standards are highly important to make that move forward," Lambert says.

Standards and common interfaces are vital if an individual is not to require more than one digital ID and identity Balkanised. Importantly, universal compatibility will also support the provision of digital IDs by private entities, reducing central government ‘big brother' concerns, encouraging innovation and giving people a choice.

There are a number of groups working on technical standards for managing decentralised identities , including the W3C Decentralised Identifiers Working Group (with which Dock is aligned), the Decentralised Identity Foundation, OpenID Foundation, and more. However, these efforts are all to some extent a work in progress.

"The key point to remember about W3C's DID is that it is an emerging standard. Although DIDs are already being used by vendors in the verified identity market, the standard itself is still undergoing changes before it is fully approved," says KuppingerCole's Bailey.

In practice

So how do DIDs work, for example to access government services? What's going on behind the scenes?

The system uses public key cryptography. As a simplified overview, the government agency generates a key pair and publishes the public key on a website where anyone can access it. It then creates the digital identity document, signs it with the agency's public key and issues it to the individual's public key, probably some sort of digital wallet with the corresponding private key kept on the users' device. The identity can now be verified by participating government services, and the individual can change wallet providers if they choose.

And should our pub owner, for example, want to check the person is over 18, they can verify the validity of the ID by ensuring the public key of the issuer matches the public key of the government's address and that the individual is the owner of the recipient's public key - obviously, these procedures are hidden behind a nice UI, wallets, QR codes and so on - and be shown only a true or false as to the claimed age.

DIDs tackle some of the issues around managing digital identities, but they're not a perfect or complete solution. In the absence of connectivity, the validation mechanism described above falls over, for example. This is a particular problem when the checker is not a human but a machine - and many of the systems being built on top of digital IDs in places like Estonia are automated, such as using AI to suggest relevant services.

While they could go some way to dissuading the sort of trolling and abuse experienced by the England players and the spreading of disinformation on social media by requiring identities to be tied to a authentic ID - without the social media firm necessarily knowing who it belongs to - it is far from certain whether this would be effective where social media algorithms create profit from division (Facebook has always operated a real names policy), and any such requirement on social media firms would increase the risk for people communicating anonymously in repressive regimes (which would be unlikely to accept a DID system anyway), and for whistleblowers.

But the need for some sort of unified digital identity is clear. There are clear dangers in tying multiple activities to a central digital ID (see China's Social Credit system), but a free-for-all carries security and privacy risks of its own and is increasingly inconvenient. There are limits to how far we can engineer ourselves out of the identity mess and it's an issue that goes way beyond the technical, but decentralised IDs, protected by cryptography and managed by their ‘owners', surely have a place, particularly in a country where national ID cards are anathema.