There is a reason we don’t all have a definitive digital identifier.
I am describing a digital ID to be used by everybody for everything we do online – any bank would know you anywhere and know what funds it could give you, any government agency would accept your filings without seeing a separate ID, you could submit medical forms and sign contracts simply and easily. This digital ID has been the holy grail of cyber lawyers and digital policy makers for nearly 30 years – longer than there has been a popular consumer internet.
We would all benefit from a system that provided a digital ID. Website sign-ons and transactions would be much simpler. We could be identified as ourselves on any device we chose to use. Providing anyone online with a verification of our age, licensure, residence, disability status, health information, or nearly any other identity tag that would be helpful to us, it would reduce our hassles and improve our experiences.
So why don’t we have one? Because creating a federated identity management system is hard. I know very smart people who have been working on this goal since the 1990s. The data protection responsibilities alone are mind-boggling as we can all image what a thief or enemy would do if they could conclusively spoof your identity online – from economic consequences to reputation destruction, the damage would be incalculable.
One of the primary issues is choosing an entity to manage the identity records and provide proof when needed. Who will hold your digital identifier so that anyone you ask can confirm your identity at any time? Will it be your bank? Your employer? Your local, state or federal government? There are structural system problems with having a private company hold your information – not everyone has a bank or an employer, and would it be harder to leave a job that controlled your entire online identity? – and will anyone insure the private company against the terrible things that could happen if they mismanaged access to the definitive ID data for a million or more people? The more you depend on this digital ID, the more liabilities grow for denying you access to it or granting unauthorized access to someone else.
And government is not organized to run such a program. The federal government would be a natural choice to do so, but it would mean an entire new bureaucracy to operate it, an entirely new budget to fund it, an entirely new set of laws, rules and procedures to manage it, and an entirely novel technology system to make it work efficiently. And we know the federal government is not immune to sophisticated hacking attacks.
One of the solutions that has been floated is organizing a private company whose only job would be to organize and operate such a system. Not only would this solution involve the liability issues of private companies with a cost-consciousness that could hinder security, but who would own that company, and would we trust the owners? When a private equity firm purchases our federated digital identity company and decides to change the rules or charge ten times more for the service, will our entire system fall?
Into this void walks the government of the United Kingdom, who just released its draft rules for governing the future use of digital identities. The new Digital Identity and Attributes Trust Framework is a first glimpse at how a government could guide the development of a unified identification system online. According to Gov.UK, “This new ‘trust framework’ lays out a set of rules organisations should follow, including the principles, policies, procedures and standards governing the use of digital identity. The framework sets out areas such as:
- how organisations should handle and protect people’s data
- what security and encryption standards should be followed
- how user accounts should be managed
- how to protect against fraud and misuse
Once it is finalised, we expect the framework to be brought into law.” So the standards are organized around how companies and other entities would use and protect digital identity data. The current framework publication is called an ‘alpha’ version, with changes expected prior to final passage.
The UK framework anticipates operation by a government body that sets procedures for joining and using the identity trust system. The UK does not intend to force the system on any person, but it expected that such a system would facilitate transactions across the internet and trust assurances from this system are likely to be requested by key parties, like banks or hospitals. The overall concept, as with all federated digital identity programs, is to reach an accepted set of rules so that all potential users understand the level of risk they are accepting by requesting and receiving verification from the digital-identity-governing entity.
The UK envisions roles for 1) an identity service provider, who will prove and verify user identities 2) an attribute service provider, who will collect, create, check or share pieces of information that describe something about a digital identity user, 3) an orchestration service provider, or brokers and distributed ledger services who will assure secure transferal of the data, and 4) a relying party, who will receive the services from the other network parties. This framework sets forth basic rules for all the participants in the network, including specific rules for each type of participant. It also addresses security concerns such as responding to data threatening incidents and overall privacy and data protection requirements.
I commend the UK for its foresight in creating this framework and making the effort to build support for it before the rules are implemented. The hard work has just begun, but we will need such action if the general public can benefit from all of the advantages of a definitive online identity system.