International Standards and Digital Identity

So-called ‘digital transformation’ can often involve little more than moving things from paper onto a screen or automating the way things are already done, aiming to optimise them or reduce costs. Nothing wrong with that in itself of course, but it’s not really ‘transformational’ in any real meaning of the word, more about efficiency and optimisation.

The way we handle our identity is a good example: it’s still largely paper based. ‘Digital identity apps’ or the way we prove our identity online rely on us scanning paper identity documents such as passports and driving licences — although some providers now directly read the chips in ePassports to streamline and improve the process.

Making identity digital

Some years back DVLA outlined plans for a digitised, not natively digital, driving licence — essentially an image of the plastic driving licence on a screen:

Since then, there’s been slow but useful progress in developing natively digital ‘foundational identity’ — the type of identity attributes that only a government can assure such as legal name, date of birth and right to work/reside/study.

There’s the work at ISO on mobile driving licences for one thing. These will be much smarter than current driving licences, enabling the holder to selectively release data if desired rather than the entire licence detail. For example, you could release proof of date of birth together with your photo. Or even, if I understand it correctly, confirmation of your age and photo rather than sharing your full birth date. Data minimisation, user consent — what’s not to like?

Provided the issuer of your driving licence is trusted (generally the case), mobile driving licences could potentially be used for things such as proof of age, checking-in at a hotel and possibly even as part of Know Your Customer (KYC) checks.

Perhaps more significantly when it comes to trusted identity, there’s also the work at ICAO on digital travel credentials. This focuses on what are essentially smartphone passports, summarised here with some earlier background in these slides. The full specification 1.2 if you want to trawl through it at leisure can be found on the ICAO site here.

The benefits of natively digital approaches

The slides I’ve linked to above illustrate how digital travel credentials will tackle the numerous areas needed for trusted digital identity. These span the diligence of the initial identity proofing and ‘document’ issuing process, ensuring strong binding of the individual to the ‘document’, cloning protection, privacy protection, user consent and interoperability amongst others.

In the same way that the paper versions of passports and driving licences often act as the basis for much of today’s identity proofing, the truly digital versions will do the same in a more secure, digital way. It’s significant and useful that both ISO and ICAO have taken the opportunity not just to snapshot paper documents onto a device, but to rethink and redesign the way they work to take advantage of what’s possible when they become natively digital objects.

For many people, particularly for those countries without national identity cards and central population registers, these government-assured digital credentials will enable smart, phone-based, portable identity to become a reality, with better security, privacy and consent than was possible with their old paper equivalents. They will also ensure the holder of the digital credential is the same person that the data relates to using strong authentication on the smartphone, something not possible with paper equivalents.

Users will be able to choose what data to release to a third party and to be able to do so in a natively digital way. This will be a distinct improvement on the current kludge where we end up scanning or photographing our paper documents and then rely on someone checking a selfie video to work out whether we’re the same person that the documents relate to.

Improving services

These improvements to our core identity credentials will have implications for those companies already offering digital identity services. While it will mean foundational identity becomes natively digital, I think it still leaves plenty of scope for additional services, including the ability for us to gather together and manage a whole host of additional personal data in suitable, trusted apps — such as our employment history, qualifications, professional memberships and so on.

It’s also another area where the global tech players, such as Apple and Google, will doubtless extend their warm embrace, as they have done already in finance with the likes of Apple Pay and Google Wallet — see for example this piece on Apple wants your iPhone to replace your passport and driver’s license.

The biggest benefit however is that as identity goes increasingly digital, it should help improve the extent to which many other services can become natively digital too.

Notes and updates

08.02.2021: ‘Apple empowers businesses to accept contactless payments through Tap to Pay on iPhone‘. As expected, Apple has announced that merchants (US-based only at first) will be able to accept Apple Pay and other contactless payments using only an iPhone and appropriate app, and based on technology acquired with Apple’s purchase of Mobeewave in 2020 ($100m well spent). This will be a significant disruption for point of sale transactions, removing the need for separate card readers and the costs and inconvenience that goes with them. But I hope it also shows where identity will head next: towards the anonymous “proof of something” (such as age) without releasing personal data (such as date of birth) that I’ve long been waiting for. Apple already provides various layers of anonymity in payments and other areas, such as its iCloud Private Relay service . Surely it can’t be long before it does the same with identity, enabling us to “tap to prove” rather than “tap to pay”? That would give us the ability to have secure, private identity both face-to-face and online (as with Apple Pay at the moment) — where necessary it could create an automatic alias for us when we prove who we are or something about ourselves, just like I can do using Apple’s infrastructure when I’m on websites that require my email address (and which now only get a random alias email address). This is the sort of disruption I was discussing with DCMS when they were drafting their Digital Identity and Attributes Trust Framework. It brings alive the prospect of the user-centric, private and secure approach to identity that I discussed in the article above and in various previous pieces, including in this one in, er, 2006 when data-leaking and insecure “ID cards” were being debated! If Apple adds identity as a service, as I assume it will, it means trusted digital identity can finally happen — only a decade or two on from when we originally needed it! 🙂 So it’s not just the incumbent point of sale and other financial service providers who need to take notice of Apple’s announcement, but governments too — otherwise they may find their slow-moving efforts to create old-fashioned monolithic single sign-on and centralised identity services rapidly obsoleted by consumers putting their money (and identity) where their smartphone is.

09.05.2021: ‘Americans could soon fly using IDs stored on their phones under Apple-TSA project‘. An article based on Apple’s announcement that it will start to add US drivers’ licences or state IDs to Wallet, with select TSA checkpoints amongst the first to accept these new digital IDs.

01.12.2020: updated link to ICAO standards work on DTCs. Also, see this piece on Privacy-preserving features in the Mobile Driving Licence

This post replaces and updates with additional detail an older one commenting on developments around international standards for trusted government issued ‘documentation’ at ISO and ICAO.


2 responses to “International Standards and Digital Identity”

  1. […] As expected, Apple’s letting drivers store their driving licences and state IDs in Apple Wallet. It’s a significant improvement over current paper and plastic documents, providing users with more choice and control over what information they release. For example, a user can share proof of their entitlement to drive, or prove they’re over 21, without handing over any other personal data. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: