It’s easy to criticise the government for wasting £175m on one of their many identity systems, but the problem of establishing identity online is one of the great technical challenges of our time.
Since the 1960s, we’ve used personal information such as usernames and passwords to link inbound traffic to a specific account. This approach made sense in the 1960s for logging on to one computer, but today the average person has more than 130 online accounts.
Along with usernames and passwords, we’re frequently asked for our full name, contact information, payment details, addresses, date of birth, bank statements, utility bills and mother’s maiden name to establish who we are. Stored on the servers of hundreds of companies, this information is traded both legally and illegally as we’re tracked and profiled by advertisers and targeted by criminals.
In its latest attempt to solve the problem of identity, the Department for Digital, Culture, Media, and Sport (DCMS) recently published its draft rules of the road for governing the future use of digital identities.
The Trust Framework policy paper outlines the government’s commitment to taking “a leading role in developing the digital identity market”.
In treating “identity” as a product or service to be sold by commercial identity providers, DCMS is overlooking the fact that “identity” can instead be expressed as the response to a specific question, asked by one organisation and answered by another. For example: “Are you over 18?”; “Do you have a monthly income over £1,200?”; “Do you have fewer than three points on your driving licence?”; “Are you a resident of the UK?”; “Can the police identify you if you break the law?”.
The data needed to answer these questions is held by different companies and government bodies and should not be centralised by commercial identity providers.
The Foundation 2 proposal, developed by Demos, argues that these questions can be expressed as standardised requests, developed and maintained by a new standards body and routed between existing organisations.
Each request would perform a specific function while using the minimum amount of personal data – for example, the answer to the question, “Do you have a monthly income over £1,200?” would be either yes or no.
The government should not be developing these standards; it should be regulating them. We argue that a new standards body, funded by industry, should develop these standards and that the regulator, the Information Commissioner’s Office (ICO), should then license organisations to send or receive these requests. This would reduce the financial burden on the state and avoid the risk of regulatory capture that occurs when governments attempt to both develop and regulate new standards.
When a person chooses to interact with an organisation, these standardised requests would be sent to their device’s operating system (OS) provider, such as Apple, Google or Microsoft. The OS provider would match the organisation making the requests to the organisations that could respond, check that they were licensed by the regulator, and present the user with the option to consent. This would show the name of the organisation making the request, the type of requests and the organisations that could respond.
If the user consents, the OS provider would route these requests to the right organisation, a direct connection would be established and a response would be returned. Without using any personal information, this process would connect an organisation that needs something with an organisation that can provide it, all within a standardised, regulated, consent-based architecture.
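The flow described above can be sketched in a few lines of Python. This is an added illustration, not code from the Foundation 2 proposal: the organisation names, the request type `income_over`, the licence tables and the opaque account handle are all assumptions, since the article defines no wire format.

```python
from dataclasses import dataclass

# Hypothetical licence registers kept by the regulator (constructed data).
LICENSED_REQUESTERS = {"ExampleLettings Ltd": {"income_over"}}
LICENSED_RESPONDERS = {"ExampleBank": {"income_over"}}

# Constructed record held by the responder; the raw figure never leaves it.
BANK_RECORDS = {"handle-001": {"monthly_income": 2150}}

@dataclass(frozen=True)
class Request:
    requester: str   # organisation asking the question
    kind: str        # standardised request type
    threshold: int   # parameter of the question, e.g. 1200 (GBP)

def bank_answer(req: Request, handle: str) -> bool:
    """Responder side: evaluate the predicate locally, return only yes/no."""
    return BANK_RECORDS[handle]["monthly_income"] > req.threshold

RESPONDERS = {"ExampleBank": bank_answer}

def route(req: Request, handle: str, consent) -> dict:
    """OS-provider side: licence check, consent prompt, then routing."""
    # 1. The requester must be licensed for this request type.
    if req.kind not in LICENSED_REQUESTERS.get(req.requester, set()):
        return {"status": "refused", "reason": "requester not licensed"}
    # 2. Discovery: which licensed organisations can answer this type?
    candidates = [name for name, kinds in LICENSED_RESPONDERS.items()
                  if req.kind in kinds and name in RESPONDERS]
    if not candidates:
        return {"status": "refused", "reason": "no licensed responder"}
    # 3. Consent: the user sees requester, request type and responders.
    chosen = consent(req.requester, req.kind, candidates)
    if chosen is None:
        return {"status": "declined"}
    if chosen not in candidates:
        return {"status": "refused", "reason": "responder not offered"}
    # 4. Route the request; only a boolean comes back to the requester.
    answer = RESPONDERS[chosen](req, handle)
    return {"status": "answered", "responder": chosen, "answer": answer}

if __name__ == "__main__":
    req = Request("ExampleLettings Ltd", "income_over", 1200)
    print(route(req, "handle-001", lambda org, kind, options: options[0]))
```

The requester learns a single yes or no; the income figure stays with the responder, and an unlicensed requester is refused before the user is ever prompted.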
The discovery problem
The government’s idea of a market for digital identities ignores the inherent discovery problem faced by any identity provider. When an individual chooses to interact with an organisation, the organisation does not know where their digital identity resides.
This chicken-and-egg problem affects companies such as Yoti that want to offer a digital identity: no one will use it because nowhere accepts it, and nowhere will accept it because no one is using it.
In online interactions, companies would need to include hundreds of buttons for every possible provider, resembling the early days of the internet when search engines displayed lists of topics on which a user could click. Google solved this problem by routing users to the right website, and a similar process is now needed for digital identity.
The Foundation 2 proposal does exactly that. Companies and governments would make specific requests, minimising the amount of data shared. The regulator would license organisations to send and receive these requests, providing assurance and reducing risk, just as the DVLA reduces risk by licensing people to drive.
A standardised consent form would put users in control and reduce complex processes like buying a house to a few clicks. All of this would be achieved without expecting anyone to create a new digital identity with a commercial identity provider.
While this proposal describes existing applications such as identification and payments, the standards body would continue to develop standards for new use cases and the regulator would continue to license organisations to send or receive these requests. If a company developed a program that could accurately predict the risk of heart disease based on payment and health data, a request could be designed that enabled this important application and the regulator could then license these organisations.
Together, the standardisation of requests, the licensing of organisations and clear user consent would create an application programming interface (API) ecosystem capable of supporting any number of useful applications.
In seeking to improve the handling of digital identities, DCMS has failed to address the diverse needs of users, companies and government, the inherent discovery problem, and the risks of centralising data with commercial identity providers.
The Trust Framework policy paper successfully identifies many of the challenges and opportunities surrounding digital identity, but DCMS should focus on the regulatory function of licensing organisations to make specific requests and not on certifying organisations to provide unspecified attributes or digital identities. The paper recognises the need to get this right, but supporting a market for digital identities that will soon become redundant is not the right approach.