International Standards and Digital Identity

So-called ‘digital transformation’ can often involve little more than moving things from paper onto a screen or automating the way things are already done, aiming to optimise them or reduce costs. Nothing wrong with that in itself of course, but it’s not really ‘transformational’ in any real meaning of the word, more about efficiency and optimisation.

The way we handle our identity is a good example: it’s still largely paper based. ‘Digital identity apps’ or the way we prove our identity online rely on us scanning paper identity documents such as passports and driving licences — although some providers now directly read the chips in ePassports to streamline and improve the process.

Making identity digital

Some years back DVLA outlined plans for a digitised, not natively digital, driving licence — essentially an image of the plastic driving licence on a screen.

Since then, there’s been slow but useful progress in developing natively digital ‘foundational identity’ — the type of identity attributes that only a government can assure such as legal name, date of birth and right to work/reside/study.

There’s the work at ISO on mobile driving licences for one thing. These will be much smarter than current driving licences, enabling the holder to selectively release data if desired rather than the entire licence detail. For example, you could release proof of date of birth together with your photo. Or even, if I understand it correctly, confirmation of your age and photo rather than sharing your full birth date. Data minimisation, user consent — what’s not to like?
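Selective release of this kind is commonly built on salted digests: the issuer signs a list of per-attribute hashes, and the holder reveals only the attributes it chooses. The sketch below is an added example, not code from this post or from the ISO work; it is a simplified model in which an HMAC stands in for the issuer's signature, and the attribute names and sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the issuer's signing key (assumption): a real credential carries an
# asymmetric issuer signature, so verifiers never hold the signing key.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(item):
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()

def _tag(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer: give each attribute its own random salt and sign only the digests."""
    # The salt stops a verifier guessing an undisclosed value (e.g. a birth date)
    # by hashing candidates and comparing them with the signed digest list.
    items = {name: {"name": name, "value": value, "salt": secrets.token_hex(16)}
             for name, value in attributes.items()}
    digests = sorted(_digest(item) for item in items.values())
    return items, {"digests": digests, "tag": _tag(digests)}

def present(items, signed, release):
    """Holder: hand over the signed digest list plus only the chosen items."""
    return {"signed": signed, "disclosed": [items[name] for name in release]}

def verify(presentation):
    """Verifier: return the disclosed attributes, or None if anything fails."""
    signed = presentation["signed"]
    if not hmac.compare_digest(_tag(signed["digests"]), signed["tag"]):
        return None  # digest list was not produced by the issuer
    accepted = {}
    for item in presentation["disclosed"]:
        if _digest(item) not in signed["digests"]:
            return None  # item altered or never issued
        accepted[item["name"]] = item["value"]
    return accepted

# Constructed sample licence data, not taken from any real document.
SAMPLE = {"family_name": "Example", "birth_date": "1990-01-31",
          "age_over_18": True, "portrait": "<photo bytes>"}

if __name__ == "__main__":
    items, signed = issue(SAMPLE)
    shown = present(items, signed, ["age_over_18", "portrait"])
    print(verify(shown))  # only the released attributes reach the verifier
```

The verifier learns the age confirmation and photo, and can tell they came from the issuer, without ever receiving the birth date or name.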

Provided the issuer of your driving licence is trusted (generally the case), mobile driving licences could potentially be used for things such as proof of age, checking-in at a hotel and possibly even as part of Know Your Customer (KYC) checks.

Perhaps more significantly when it comes to trusted identity, there’s also the work at ICAO on digital travel credentials. This focuses on what are essentially smartphone passports, summarised here with some earlier background in these slides. The full specification 1.2, if you want to trawl through it at leisure, can be found on the ICAO site here.

The benefits of natively digital approaches

The slides I’ve linked to above illustrate how digital travel credentials will tackle the numerous areas needed for trusted digital identity. These span the diligence of the initial identity proofing and ‘document’ issuing process, ensuring strong binding of the individual to the ‘document’, cloning protection, privacy protection, user consent and interoperability amongst others.

In the same way that the paper versions of passports and driving licences often act as the basis for much of today’s identity proofing, the truly digital versions will do the same in a more secure, digital way. It’s significant and useful that both ISO and ICAO have taken the opportunity not just to snapshot paper documents onto a device, but to rethink and redesign the way they work to take advantage of what’s possible when they become natively digital objects.

For many people, particularly for those in countries without national identity cards and central population registers, these government-assured digital credentials will enable smart, phone-based, portable identity to become a reality, with better security, privacy and consent than was possible with their old paper equivalents. They will also use strong authentication on the smartphone to ensure the holder of the digital credential is the same person that the data relates to, something not possible with paper equivalents.

Users will be able to choose what data to release to a third party, and to do so in a natively digital way. This will be a distinct improvement on the current kludge where we end up scanning or photographing our paper documents and then rely on someone checking a selfie video to work out whether we’re the same person that the documents relate to.

Improving services

These improvements to our core identity credentials will have implications for those companies already offering digital identity services. While it will mean foundational identity becomes natively digital, I think it still leaves plenty of scope for additional services, including the ability for us to gather together and manage a whole host of additional personal data in suitable, trusted apps — such as our employment history, qualifications, professional memberships and so on.

It’s also another area where the global tech players, such as Apple and Google, will doubtless extend their warm embrace, as they have done already in finance with the likes of Apple Pay and Google Wallet — see for example this piece: ‘Apple wants your iPhone to replace your passport and driver’s license’.

The biggest benefit however is that as identity goes increasingly digital, it should help improve the extent to which many other services can become natively digital too.


Notes and updates

This post replaces and updates, with additional detail, an older one commenting on developments around international standards for trusted government issued ‘documentation’ at ISO and ICAO.

09.05.2021: ‘Americans could soon fly using IDs stored on their phones under Apple-TSA project’. An article based on Apple’s announcement that it will start to add US drivers’ licences or state IDs to Wallet, with select TSA checkpoints amongst the first to accept these new digital IDs.

01.12.2020: updated link to ICAO standards work on DTCs. Also, see this piece on ‘Privacy-preserving features in the Mobile Driving Licence’.
