Digital transformation: what you are is more interesting than who you are

Digital identity has been striving for many years to provide a safe, secure, and reliable means of approving who we are to online services. To a certain extent this has been successful: we have numerous examples around the world that demonstrate our ability to uniquely identify individuals – from the 1.4 billion in India to the 1.4 million in Estonia each has its own special characteristics for each reliably proves who we are. What they don’t do is tell us much about what we are. 

The global pandemic has given us a view into the future, but it’s also accelerated that future and has shown what many of us have known for some time: identity alone is not enough if you want digital to be the default. If you need to move to a more radically digital world and to do that reliably as part of everyday life, then you need to transform services not simply digitise them, and to do that you need to provide a solution to eligibility as well as identification. 

It's all about you

What you need is trusted data about me and often you don’t even need to know who I really am: I could be anonymous or even use a pseudonym. It should be my choice but also appropriate for the transaction I’m trying to complete. For example, if I just want to buy age restricted goods then some assurance that I’m over the legal age is useful, but you don’t need my name or even my actual date of birth. But if I’m trying to open a bank account, view my health records, or form a company, then you probably want to know more about me.

And it gets even more interesting when we stop thinking of digital identity as a thing in its own right and start thinking of services and their transactions and how we can transform them rather than just digitise them with a fancy digital sign-in on the front. Transforming services means rethinking transactions and the data they really need to provide better outcomes for all of use. Inevitably, this points to a need for other data that is meant to answer the question of eligibility as well as of identifying ourselves. Think of it this way: if I was going to borrow your new car, you’d want to know that I had a valid driving licence and some insurance, just knowing I’m Adam without that extra assurance means a leap of faith rather than a calculated risk based decision.

Identity, the great enabler

Digital identity therefore needs to be the key that unlocks access to trusted data, which gives that extra assurance rather than simply being a means of identifying yourself to a service. In fact, identity probably needs to divorce itself from the credentials used to complete those sign-ins allowing us to only reveal what we need, or want, to reveal at a point in time.

So, if we want to do more digitally, then the services we use will need better information about us at certain points in time as we transact our way around our everyday lives. An obvious starting point is eKYC, providing an electronic version of the Know Your Customer data needed to open bank account and other financial products, or perhaps some government services such as applying for a passport. This is a mixture of identity data and other information about you to ensure that you are eligible as well as identified. The European Commission and the banking sector have been working on standards in this area for some time, and many other countries are looking to implement similar systems linked to national eID systems. This highlights two other key ingredients if we are to build systems that can be truly transformative: firstly, the services we want to use often decide the types of data they want us to reveal (e.g. are you over 21, do you live in the UK, are you able to drive); secondly, we will often need to prove the value of that data by obtaining it from an authoritative source such as a government ministry, hospital, NGO, or other recognised organisation. 

All of this is achievable 

None of this is science fiction. Some countries are already making plans to build systems that support many of these ideas, others are watching closely. The National Institute for Standards and Technology (NIST) produced a set of guidance under NIST 800.63 some years ago, which outlines some of the key standards we need to describe systems that function in this way. We also have OpenID Connect and its concept of a Self-Issued OpenID Provider, there are emerging standards for Decentralised Identifiers from DIF, and there are Verifiable Credentials from the W3C. What remains is for an entity at scale to put these building blocks together and to change our relationship with digital and identity forever. 

About Adam Cooper

Adam Cooper is a consultant to the World Bank ID4D programme, and an advisor to major initiatives with organisations such as the UN Commission for International Trade Law, the MOSIP Modular Open Source Identity platform, the Turing Institute, and the Scottish Online Identity Assurance Programme. 

About ID Crowd

ID Crowd specialises in mitigating business and technology risks relating to identity, helping clients understand how to better trust their customers and the businesses they transact with. We understand the critical and interrelated concepts of digital identity and trust together with the various threat vectors including cyber-attack, identity, and eligibility fraud.