I recently had the privilege of attending the "Think. Digital Identity for Government" event in a magnificent building, home of the Institution of Civil Engineers - at One Great George Street in London. It was a relatively intimate event attended by the most influential digital identity officers in government, technology innovators and practitioners.
We shared the stage for the finale, the ‘Future of Digital Identity’, and met with dozens of people, all stakeholders in the key decisions we need to make involving the future of digital identity!
I took four major learnings away from the conference:
1: The UK is very protective about identity matters. Being Spanish, I was surprised such a leading country didn’t have a national ID card or any mandatory way of identification. Over the years I have learned that UK culture preserves people’s identity as a fundamental right, to the point that issuing a mandatory ID is considered a breach of the mutual trust between government and citizens.
The reality is the digital world is a big threat to this status quo and the UK will need to make decisions to be safe in a fully digital environment. My first takeaway was that the decision won’t be issuing a National ID card, so all other options need to be on the table. Perhaps the solution will come from aggregating verifiable ‘optional’ IDs in a new way?
2: Self-Sovereign Identity is part of the future. If we understand self-sovereign identity as an identity fully controlled by the identity holder, self-sovereign identity is not only a trend but a reality. SSID in its “blockchain” form is the one most talked about and has many obstacles, but other models are gaining mindshare, like a self-sovereign mobile wallet or other forms of eID governed by the individual.
If we accept that the people of the UK consider identity governance a fundamental right for each citizen, it seems logical to me that self-sovereign identity will be part of the recipe.
3: No global standards are emerging. A trending topic in government conversations is creating a digital identity that can be trusted globally, that is aligned with international standards, has no borders, no political or geographic limitations. That is far from trivial, so where are these international standards and are they complementary?
- eIDAS. The EU is proud to have created a digital identity framework that can allow interoperation inside the EU. I do see one weak link in the chain here - this model is based on the use of digital certificates that citizens have to manage. A big assumption here is that if you have the certificate you are the person the certificate was issued to, but this is far too big an assumption. People usually install these certificates on multiple devices and in multiple locations (home and work usually). Even if the model is technically valid and follows ‘world-wide best practice’ I don’t see it expanding as the global standard. Can we do better than this? Can we provide digital credentials that absolutely confirm the identity of the holder and make the job of self-management much simpler?
- NIST SP 800-63-X Guidelines. The National Institute of Standards and Technology has created a set of guidelines around digital identity that are a great tool to build a digital identity framework. These guidelines are used worldwide by digital identity related companies and are a common foundation to build solid digital identity technology and ecosystems.
- ISO. ISO29003 for Identity Proofing, ISO24760 for Identity Management and the not-yet-released ISO18013 for Mobile driver licenses are a small subset of ISO standards linked to digital identity, proofing and verification in one way or another. These also need to be considered when defining identity programs at a government level (if the UK wants to be aligned with the rest of the world). Even then, adoption and interpretation of these standards in isolation or together with others make the final recipe unique for each context, country or region.
- GPG45. These are the UK guidelines for identity proofing and verification of individuals. They summarize other guidelines coming from ISO or NIST to create a set that is more aligned to the UK context. They are another tool to build digital identity ecosystems; I believe they are very well explained and relatively easy to understand and apply. They will need some adaptation to recent technology trends, particularly with innovations in smart devices and biometrics, but they are not outdated yet.
There is, in summary, a lot of amazing work already done to define standards, technologies and methodologies to create and manage digital identities. In some sense the ingredients are the same for everybody but the recipe is different across regions and departments, so they are more or less favourable depending on taste. I don’t see a solution for this in the short term; countries tend to believe in their own approach and that approach cannot be imposed on others.
4: UK government has an opportunity to make a difference. I didn’t think I was going to say this in my life, but Brexit has brought a great opportunity to the UK in the context of digital identity. UK government now has a blank(ish) canvas and it can make its own decision around digital identity without depending on any decision in Brussels or elsewhere. This presents some risks, but I see it more as an opportunity in this specific domain. I honestly think the UK culture is, in general, one of the most pragmatic, decisive and forward-thinking and can blaze a trail.
Let’s wait and see what is to come for the UK in Digital Identity and how companies working in that domain fit in. Exciting times are to come, let’s enjoy them together.