An Identity Digital-First Trust Model Increases Privacy and Protection

The World Economic Forum (WEF) released a report that promoted the opinion that freeing ourselves of passwords will actually make us safer and businesses more efficient. Cybercrime is a lucrative business and is currently costing the global economy $2.9 million every minute, ~ 80% of these attacks are password-related. Traditional, and now outdated authentication that relies on the user to remember PINs, passwords, passphrases, or whatever so called memorable combination of numbers and characters creates a headache for users, but it is also impacting business efficiency and costs. The WEF believes the average annual spend for companies is now at over $1 million for staffing cyber related management alone.

Our digitalised economy requires every user (employee, citizen, social) to embrace technology as a efficiency driver. We should also be expecting those that we trust with our identities and data to harness tools such as artificial intelligence and machine learning to increase our experience, protect us from cyber criminals and control 3rd party request to our PII, while optimising their cost base.  

A passwordless economy is not just about the provision of access to authorised platforms and services and protecting against cybercrime. When designed effectively, digital identification can increase our privacy and reduce existing social inequalities. So privacy and equity must be foremost in discussions about how to design digital identification.

As outlined in the User Isolation Protection report I published previously, the authentication methods have the capability to exploit many of our personal characteristics; biometrics, pattern-based, geo-location and many more device controlled uniques. We can extend these examples and extended to our identities to include; degrees, morals, hobbies, schools, occupations, social status, personal expression, etc. Each of these can be applied depending on the context they are used.

In recent years, many governments, campaigners and commercial vendors have been discussing the idea of a “self-sovereign identity(SSI)” that lets you share your identity freely, confirm it digitally, and manage it independently—without the need of an intermediary between you and the world to confirm who you are.

Making this work we would need to transform all our physical documents (birth certificate, passport, driving licence etc) into a single, digital document or filing system stored by the person themselves rather than on a huge government database, giving a person control over how and when their personal data and/or identity is used. This would mean you would ‘sign in’ to websites with that information rather than creating username after username for each website. This is coming to be known as ‘self-sovereign identity’ (SSI), though the precise definition of this has not yet been agreed.

Such an identity is asynchronous, decentralised, portable, and most of all, in control of the identity holder. A distinct concept within SSI is “decentralised identifier,” which focuses more on the technical ecosystem where one controls their identity.

There has been a growing push for digital forms of identification. Proponents assert it is an easier and more streamlined way of proving one’s identity in different contexts, that it will lead to faster access to government services, and that it will make ID’s more inclusive.

Several technical specifications have been recently published that expand on this idea into real world applications. Summarised below are two of them, with a focus on the privacy and equity implications of such concepts, and how they are deployed in practice.

The Trust Model (not Zero-Trust!)

Major specifications that address digital identities place them in the “trust model” framework of the Issuer/Holder/Verifier relationship. This is often displayed in a triangle, and shows the flow of information between parties involving digital identification.

The question of who acts as the issuer and the verifier changes with context. For example, a web server (verifier) may ask a visitor (holder) for verification of their identity. In another case, a law enforcement officer (verifier) may ask a motorist (holder) for verification of their driver’s license. As in these two cases, the verifier might be a human or an automated technology. 

Issuers are generally institutions that you already have an established relationship with and have issued you some sort of document, like a college degree or a career certification. Recognising these more authoritative relationships becomes important when discussing digital identities and how much individuals control them.

Verifiable Credentials

Now that we’ve established the framework of digital identity systems, let’s talk about what actually passes between issuers, holders, and verifiers: a verified credential. What is a verified credential? Simply put, it is a claim that is trusted between an issuer, a holder, and a verifier.

The World Wide Web Consortium (W3C) published an important standard, the Verified Credential Data Model. 

This was built in the trust model format in a way that satisfies the principles of decentralised identity. The structure of a verified credential consists of three parts: a credential metadata, a claim, and a proof of that claim. The credential metadata can include information such as issue date, context, and type.

While these specifications provide structure, they do not guarantee integrity of the data.

“Digital First” Identities Could Lead to Privacy and Equity Last

These thorough specifications are a significant contribution to the development of digital identification. But the concept of “digital first” raises major concerns around privacy preservation, safety, and their impact on marginalised communities.

Both specifications recommend data minimisation, avoiding collection of personally identifiable information (PII), proper auditing, proper consent and choice, and transparency. However, unlike Europe that has GDPR, the United States requires a comprehensive federal data privacy law, otherwise these are just recommendations, not mandates.

Acknowledgements are given for additional content for this post from content taken from Alexis Hancock and World Economic Forum. For further information outline the technology, go take at look at  Sedicii, Thales, EY, Evernym and Hyland.