Columns

Workshopping the Future of Digital Identity

December 20, 2018

 

The following is an example Weekly Principal Column drafted by OWI’s Principals for OWI Members. Join over 30 organizations as OWI Members today and unlock market intelligence, insights and analysis, as well as special events. Learn More

 

Workshopping the future of digital identity

Dion Lisle, Principal

 

As we come to the end of 2018, an interesting year in Identity and life in general, I wanted to lay out some thoughts about the future of Digital Identity.  In early November I was lucky enough to be invited to a workshop on the Future of Digital Identity with a variety of thought leaders from across the identity ecosystem.  The event was done under Chatham House rules, so no names can be given. However, it was driven by a team that had done similar workshops across the globe and had inputs from those previous sessions. Previous sessions were in Sydney, Singapore, and London.

The workshop started with some BIG themes based on input from the previous workshops done in Asia and Europe.  From a list of 20+ big themes in Digital Identity, we were given the assignment to prioritize the top 4 that we would say are URGENT.  This was not an easy assignment and interestingly enough, we ended up with a different list than the previous workshops in Asia and Europe.

The list of 20+ big themes included such gems as; Tech to Society, Dataless Business Models, IOT and Identity, Stateless Netizens, The Rise of Nationalism, New Biometric Fingerprints and others, this team of Identity thought leaders settled on these four.

  1. Interoperable Trust Frameworks
    1. Connecting today’s technologically or geographically disparate systems into one usable system.
  2. Ethics by Design
    1. The necessity of ethics across the systems (see above) that are consistent across the globe.
  3. Verified but Incognito
    1. Verify me as me, but don’t expose anything about me.
  4. Me, Myself & I
    1. Digital ID users maintain deliberately separated identities and attribute stores. Providers offer context-based, Digital-ID-as-a-service solutions.

Interoperable Trust Frameworks

The greatest controversy here was blockchain. Does blockchain solve the need for Interoperable Trust Frameworks? the consensus was no. Does blockchain add value? The audience was divided.  Personally I am in the camp of yes it can, but it needs to be architected from the beginning to solve for specific business and identity trust issues. Some workshop attendees were 100% anti-blockchain as though the very word led to a lack of trust. I think blockchain can be a key component of a global trust framework.

As a friend said to me recently “culture eats strategy for lunch” making it clear to me it will be the human elements that lead to a successful trust framework more than any given technology. I think it will take time for a framework to emerge and I further believe it will be based on a federated standard driven by financial institutions, like banks and others with a vested interest in success for their underlying business. I do not believe we will see a trust framework from government entities or non-profits. (at least not a successful one)

There are so many more questions to answer here such as how to trust data from disparate sources equally.  If Myanmar’s data comes into a system, can it have the same level of trust as the data from Switzerland? Does this system need an arbiter of what entails trust and who would that be, perhaps a consensus algorithm can serve the purpose? Maybe the framework like payments systems starts on a regional or local basis and then each concentric system connects and grows.

 

Ethics By Design

Related to the Interoperable Trust Frameworks above, Ethics by Design requires data standards and sharing capabilities while protecting and trusting data sources. Equally? The team running the workshop made the point that Ethics by Design requires 3 key components:

  1. Accountability
  2. Transparency
  3. Auditability

Do we believe that China’s eventual identity framework will be as transparent as the EU’s? Probably not; however, the hope is that to participate in the global economy all players will reach agreement on what these three factors mean and how to reach them. Personally, I am very happy with the title of this section but I would add Privacy as the fourth bullet.  I am sure as we see more ”Facebook” type disclosures we will want to be sure our behaviors that confirm our identity are not later used to judge our actions.

Timely article by the NY Times on December 10th shows that over 75 companies track your geolocation regularly, some without clear permissions. The business of selling your location data is projected to be a $250M business by 2020. I have never been a big privacy wonk, but this is beginning to make me nervous. You don’t even need to envision a data breach to be concerned how location data can be misused.

The same issue applies as we discussed transaction data. I have often said, “I do not trust surveys, but transaction data never lies.” This is a great point to not trust surveys but it further points to a potential issue around the use of our transaction data. A draconian but not impossible example:

Marijuana is legal in California, but not in Illinois, can Illinois officials look at a resident from Illinois’s transaction data showing a legal purchase of marijuana at a dispensary then search that person when they land at O’hare airport.

Should you receive emails based on your previous purchases (transaction data)? Bad news, you already are. How to limit this intrusion of your privacy? No one in the workshop had a clear answer as many people are willing to trade off privacy for better, less frequent marketing.

Is that the right tradeoff?

 

Verified but Incognito

This subject was rated 3rd in the final prioritization but definitely had the best (aka most heated) conversation around it. The conversation focused on the desire to get easier access to online goods and services by being verified for transactions online.  However, as the group discussed the tradeoffs there was no clear “winner” in the tradeoffs of easy or even cheap and private.

Ease of use was a key point here as everyone acknowledged that any transaction friction led to a drop off of revenue/sales/activities. As much as everyone agreed that easier online business was a goal, when we put on our consumer hats, we collectively realized how scary it could be.  Lots of joking about porn, gambling, and pot aside, no one was ready to trade off verified identity for their privacy. The exact balance was never agreed upon of course.

The discussion turned to Identity Tokenization whereby a system can verify it is you, but no one system would hold your actual identity. There seemed to be those in attendance that believed this is already happening today, but more folks seemed to think this is not a solved issue.  Full disclosure there were some vendors in attendance that might have been presenting their own scheme to solve this key issue. A great quote from the final notes on this key issue:

“One view expressed was that zero-knowledge proofs cannot exist because we don’t have perfect forward privacy (ie what is private today, may not be in the future).”

Now that seed is planted, solving privacy issues today may open new issues in the future, we all knew that, but hearing it so bluntly stated was a bit jarring in the session.

 

Me, Myself & I

I should note that I actually just closed my Facebook account due to privacy concerns, nothing specific just seeing how FB acted during recent disclosures.  With that said I have always used different pictures for Facebook and Linkedin profiles because I want them clearly differentiated. My daughter uses different identities on Instagram for different audiences of her dance videos.  The use cases vary as widely as the number of social media platforms in use.

Can this dividing of identities of a single person lead to fraud? Of course, as it seems everything can lead to an increase in fraud. Conversely, people have a right to divide their personal identity into slices that serve different purposes. I would argue that this is true until a financial transaction is involved. Obviously, a person that declared bankruptcy 3 years ago cannot set up a new identity to avoid their previous obligations.

If we (the Identity Ecosystem Players) are able to drive the first two priorities it would seem to deliver value to this fourth bullet priority. Global Frameworks and Ethics by Design would add tremendous value to delivering on the goal of Me, Myself & I.

I hope you appreciate the insights shared here from a closed-door working group and appreciate the amount of thought and time put into this effort by a broad group of people. Having insights from a broad range of thought leaders should deliver a better guide to the near and long-term future of Digital Identity.

 

OWI Recommendation

It is year-end, so that means planning begins for next year and it is past time but not too late to work on your roadmap. Please feel free to use this as a starting point for your team as you begin to assess what Digital Identity priorities you need to implement. During this planning stage, OWI has the team and resources to augment your talented identity team by putting these insights into action. 2019 promises to be a big year in Digital Identity and it will be driven by OWI members as our members are some of the leaders in the space.

Enjoy the holidays, think about these high-level Digital Identity concepts and then let us know how we can help make them real for you in 2019.