Improving identity assurance and trust

We may live in a digital age, but paper documents – notably passports – are still the most trusted evidence to help prove who we are. It’s not surprising that one of the most common requests made of Government is to provide a secure service for checking the validity of passports.

An online Document Checking Service already exists for the GOV.UK Verify commercial identity providers, but has not previously been available to anyone else needing to check Government-issued documentation. The pilot recently announced by the Department for Digital, Culture, Media and Sport and the Cabinet Office will provide the opportunity for a broader selection of organisations, drawn from different areas of the economy, to trial secure passport checking. 

Privacy and security

Under the terms of the pilot, a passport will only be checked with the consent of its owner. The passport number will be communicated securely with HM Passport Office (HMPO) and its validity confirmed with a simple YES or NO. Combined with the upcoming ability to read passport chips on suitable iPhones (once iOS 13 is out this autumn) as well as on many existing Android phones, this should help to improve current identity assurance and verification processes.

The data-minimising approach used for passport validity checking is part of a wider commitment to privacy, including the use of privacy-enhancing technologies (PETs), to help citizens control their identity-related data. Zero-knowledge proofs, tokenisation, verifiable claims and other methods of implementing a secure, privacy-aware digital identity infrastructure for the UK are likely to be essential to ensuring trust.

Improving consistency

There’s no shortage of interesting developments in the UK’s digital identity space. This includes startups pioneering new identity and age verification apps, Open Banking, challenger banks, NHS Login, the recently updated Government Gateway, BBFC Age-verification requirements, GOV.UK Verify and Digital Identity Scotland as well as the wider implications of eIDAS, PSD2 and Strong Customer Authentication (SCA). There are also various initiatives from some of the global technology companies that may become more relevant in the digital ID space, such as Mastercard’s identity announcement and Apple’s “Sign In with Apple”, with its aspirations to provide a privacy-centric solution that reduces the amount of personal data we’re currently obliged to share online.

There are various approaches to digital identity; from citizen-centric models such as decentralised identifiers, self-sovereign ID and personal data stores without intermediaries and with no all-seeing central authority; to more traditional organisation-centric models typically built around registers, hubs, databases and data-sharing.

Keeping our personal data in separate silos, each relevant to its purpose, can be good security and privacy design and helps limit the damage from data breaches when they occur. The UK currently has a variety of technical and assurance standards that would benefit from greater consistency in user experience, privacy and security. We should be reducing the need to share raw data, as well as giving citizens better visibility of how their data are being used – applying the sort of principles that the UK Government’s Privacy and Consumer Advisory Group developed, or the Scottish Government’s Identity Management and Privacy Principles, for example.

Towards an appropriate, voluntary digital identity infrastructure 

The majority of digital identity initiatives focus on establishing proof of an individual’s identity and personal attributes. However, a worthwhile identity infrastructure needs to be about far more than just us, as individuals. It’s equally important for us to know, when we need to, that the person or organisation we’re dealing with is who they claim to be if we’re to ensure trust and reduce fraud. After all, much of the current fraud happens when we’re fooled into handing over our data or money to people or organisations who falsely claim to be someone we trust, such as our bank.

A successful digital identity infrastructure also needs to include those acting on behalf of others (such as parents of young children, carers or accountants – and even devices, such as wearable medical devices). This was something recognised in the 2013 working draft of ISO/IEC standard 20093:2013, which drew in part on the UK’s work from 1999 to develop consistent standards of identity assurance.

The principles of identity assurance remain broadly as set out in the 20-year-old UK Government paper:

  • establishing that a given identity actually exists
  • establishing that a person or organisation is the true holder of that identity
  • enabling identity holders to identify themselves for the purpose of carrying out a transaction via an electronic medium

Importantly, much of the time what we need to prove isn’t our identity but merely something about ourselves, or proof of our entitlement to something. As identity and privacy adviser Steve Wilson has commented:

Here’s what really matters:  

What do you need to know about someone or something in order to deal with them?

– Where will you get that knowledge?

– How will you know it’s true?

… It’s not identity per se that usually matters; instead it’s specific attributes or claims about the parties we’re dealing with.

Most of the time in a pub or restaurant, for example, the main interest of the proprietor is in whether we have the ability to pay the bill and are of legal age to buy alcohol, not who we are. 

More recent work such as vectors of trust, decentralised identifiers and verifiable claims (and some of their example use cases) all need to be part of this discussion. They move us on from the monolithic Levels of Assurance (0-3) the UK Government and CESG developed in the late 1990s to more context-relevant assurance related to specific domains, and individual attributes or claims – for example, our name, address and legal right to reside in the UK may be assured to a high level (via the appropriate trusted sources), whereas other attributes (such as the “Grade 5 piano” I claim to hold) may be less well assured.

It’s essential too that the move towards digital identities doesn’t disadvantage or discriminate against those who cannot or will not use digital approaches, or who lack standard identity documentation such as a passport. Access to online public services needs to be as accessible and universal as our face-to-face experiences. We need to find approaches that can work for everyone and not solely for the digerati.

We also need to avoid confusing trusted digital identities or verified claims about ourselves with the notion of some kind of “ubiquitous digital ID” for single sign-on. Single sign-on is a distinct need which may or may not require any degree of user “identification”. The Verifiable Claims Use Cases document shows some of the domains we may well want to keep entirely separate from each other – finance, education, retail, legal, healthcare, etc. A “ubiquitous digital identity” can present significant privacy and security risks – as was well illustrated by the hack of 50m Facebook users’ profiles, a hack that affected every online service where users logged in using their monolithic Facebook digital ID, and the reported breach of India’s Aadhaar biometric identity system.

Monolithic digital identities can also undermine human rights, including the right to privacy, and become an intrusive mechanism for unwarranted surveillance by both commercial organisations and governments, alienating and excluding citizens rather than acting on their behalf. As with the various financial and loyalty cards we carry in our wallets and purses, we may well want to do the same with our digital identities – and use a variety of digital identity apps and services rather than aggregating and consolidating them all. It’s important we have the choice.

Most of the legal-related attributes associated with identity checking are held by the state – such as whether we have the right to reside, work or study in the UK, or whether we are a UK national. However, such high-value “identity checking” of our legal status happens for most of us relatively rarely – such as when we change jobs, move home, open a bank account or cross a national border. The relatively low frequency of identity checking per se needs to be reflected in the way everyday digital identity works to avoid encouraging an intrusive, inappropriate and unnecessary “papers please” culture (albeit a digital one).

We need to be able to prove something about ourselves – “I’m of a legal age to buy a pint” for example – when we need to without sharing identity-related data where it’s not needed or appropriate. We can take the best of what worked well with paper in terms of trust, but improve it by layering in privacy and security features that are only possible in the digital world and which reduce the amount of personal data we’re forced to routinely divulge.

Desirable characteristics

Digital identities should mirror some of the more desirable characteristics of the way we use our passports in the face-to-face world:

  • They will not “call home” (they can be used without tracking the user by reporting to the issuer where, when and with whom they are shared)
  • If they do need to “call home” (to re-validate or update essential data) they must do so without capturing any details of where, when and with whom they are being used unless that is done with the explicit consent of the individual

We can also encourage the development of an infrastructure that improves privacy and security:

  • It will disclose only minimal data (for example, it will provide proof of age – “Over 21” – rather than date of birth)
  • It will be usable online and offline (for example, for face-to-face or telephone interactions)
  • It should be available for all who want it, but not mandatory
  • It should enable us to act on behalf of another person where they have authorised us to do so, or for them to act on behalf of us (for example, a relative with Power of Attorney over another’s finances or health; or a medical device working on behalf of its wearer)
  • It should be able to authenticate the organisation or individual we are about to interact with (to prevent fraudsters obtaining personal data by impersonating somebody else)

Such principles could help provide consistency and build trust regardless of whether services are developed and provided by the public or private sectors. 
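As an added illustration of the first two characteristics and the minimal-disclosure and offline bullets above (example code written for this post, not code from any Government, pilot or vendor system): an issuer signs only the predicate “over 18”, and a relying party verifies it with the issuer’s public key alone, so nothing is reported back to the issuer at the point of use. The claim format, the issuer name and the dates are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// MinimalClaim is a constructed, hypothetical claim format (not any real standard): it carries only the predicate a relying party needs, never the raw attribute behind it.
type MinimalClaim struct {
	Issuer    string `json:"iss"`
	Predicate string `json:"predicate"` // e.g. "age_over_18"
	Value     bool   `json:"value"`
	NotAfter  int64  `json:"exp"` // unix seconds; after this the holder refreshes with the issuer
}

// IssueOver18 derives "over 18" from the date of birth and signs only that predicate; the date of birth stays at the issuer and is never placed in the claim.
func IssueOver18(priv ed25519.PrivateKey, issuer string, dob, now time.Time, ttl time.Duration) ([]byte, []byte, error) {
	c := MinimalClaim{Issuer: issuer, Predicate: "age_over_18", Value: !now.Before(dob.AddDate(18, 0, 0)), NotAfter: now.Add(ttl).Unix()}
	payload, err := json.Marshal(c)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyOffline checks a presented claim with nothing but the issuer's public key: no "call home", so the issuer learns nothing about where, when or with whom it was used.
func VerifyOffline(pub ed25519.PublicKey, payload, sig []byte, now time.Time, want string) (bool, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return false, errors.New("signature invalid: claim forged or tampered")
	}
	var c MinimalClaim
	if err := json.Unmarshal(payload, &c); err != nil {
		return false, err
	}
	if c.Predicate != want || now.Unix() > c.NotAfter {
		return false, errors.New("claim is for another predicate or has expired")
	}
	return c.Value, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC) // constructed sample dates
	payload, sig, _ := IssueOver18(priv, "hypothetical-issuer", time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC), now, 30*24*time.Hour)
	if ok, err := VerifyOffline(pub, payload, sig, now, "age_over_18"); !ok || err != nil {
		panic("offline verification of the over-18 claim failed")
	}
}
```

The relying party never sees the date of birth, and a tampered, expired or mis-purposed claim is rejected locally without any network round trip.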

The role of the upcoming pilot

There is a certain irony in using a paper-based document such as a passport as part of an initial process of bootstrapping digital identity. But the Government pilot to expand secure access to the Document Checking Service will be important in enabling a range of trusted providers – such as banks and employers, or organisations working in the self-sovereign identity space, or those providing bespoke identity apps – to improve the quality of their identity assurance processes. 

It will also help to start identifying where existing legislation, rules or regulations need to be removed, updated or streamlined to move them away from paper-bound, data-leaking, face-to-face processes and into the digital, PET-enabled, online age, helping improve efficiency and productivity, and reducing the amount of fraud we’re increasingly exposed to on a daily basis.

The pilot will help broaden access to relevant Government-held data in a secure, privacy-aware, citizen-controlled way, while in parallel the more extensive evidence base is collated from the current call for evidence. These are important, complementary steps towards establishing a trusted digital identity infrastructure for the UK that places citizens and their needs at its centre.

I encourage all of you, particularly those active in the privacy and security space, to submit your ideas, feedback and proposals to the current call for evidence. This is a useful opportunity to help shape the development of an accessible, inclusive digital identity infrastructure centred on citizens rather than the state – and with strong privacy and security at its core.

Transparency disclosure: I am currently specialist adviser to the Government’s Digital Identity Team in DCMS. This blog, however, is solely a personal perspective.

The Call for Evidence on digital identity closes on 15th September 2019.
