Digital Identity Legislation – Why? And Why Now?

In recent months industry news has been awash with announcements and references to nation state legislation. It seems that after years – decades even – of rumour, speculation and signaling, common law governments (often referred to as the ‘Five Nations’) have stepped up to the plate to formally announce their plans to enact legislation to support digital identity initiatives in their jurisdictions.  

It’s likely you’ll have heard of the one that applies to your location in the world, but perhaps less likely, the news of legislation for digital identity in other countries. 

To give a better sense of the international picture (and I don’t claim to know of them all) it looks a bit like this:

If you’re following this industry and living in Australasia you might have seen this announcement coming out of my homeland, New Zealand.  Remember that New Zealand was arguably the first common law country to launch a service of this type and is now entering its second generation where I provided review and comments on the preparatory work in advance of the Cabinet Paper.  Remember also, this is not the first legislation in the digital identity space in New Zealand. The Electronic Identity Verification Act and its twin, the Identity Information Confirmation Act, both in 2012, were designed to support the operation (in essence enabling the use of government’s authoritative data sources) of the digital identity verification aspect of the NZ Government’s opt in RealMe service.  New Zealand may have been the first of the Five Nations to specifically enact legislation specifically to enable digital identity.  To complete the picture downunder, in Australia there are as yet unconfirmed reports that the coalition government plans to pass legislation enabling the DTA’s Trusted Digital Identity Framework (TDIF) to be extended to encompass private sector providers beyond those public sector services (the ATO’s myGovID and Australia Post’s Digital iD) currently certified under the framework.  

If you’re following this industry and living in the UK, it would have been hard to escape the long-awaited response at the beginning of the month to DCMS’s Call for Evidence in September 2019.  Buried in the body of the response, was an interesting reference to legislation in section 4.3.  Those readers who have watched the trajectory of digital identity in the UK could be forgiven for thinking that it might have been a reprise of the great work from 2014-15 – the Identity assurance Principles from the Privacy and Consumer Advisory Group (PCAG) – assembled to assist the construction and operation of Gov.UK Verify – where the concept of a statutory Code of Practice was mentioned. The response talks of the Digital Identity Strategy Board comprising agencies whose needs for digital identity are pretty critical to their operation. That the private sector is not represented (at least formally) is a point which industry observers will continue to watch with considerable interest.

If you’re following this industry and living in the US, the Foster Bill introduced (quite appropriately in my view) on September 11th will not have escaped your attention. When you read Bill’s Bill a couple of things may catch your eye. Like the UK, the Foster Bill seeks to bring together Federal and State agencies to set direction, without upfront engagement of the private sector. Like New Zealand, this is not the first legislation in this space, albeit the first at a federal level. The Electronic Identity Management Act in the Commonwealth of Virginia in March 2015 was the first US effort and aimed to reduce the risks (principally liability) associated with providing and operating digital identity services. However it did have some gaps by not accounting for all the roles in a Trust Framework. Given that Kantara operates a conformity assessment and assurance trust framework for digital identity, it worked with the original drafters and experts to successfully have the legislation revised. It came into force in July of this year. Again, like New Zealand, you can sense CommVA leaning towards supporting legislation for Trust Framework operations.  Further north into Canada you will find supporting policy too but it’s probably safe to assume more is coming, once the PCTF has some operational mileage on the clock. 

Peripheral to the Five Nations, if you add the eIDAS Open Consultation seeking comment on the effectiveness of the scheme in Europe, at the same time as talk of an EU-wide single ID  in the State of the Union address in recent days (extending EU competence completely tangential to eIDAS), you can see just how hot this particular aspect of the digital identity space is getting.

Like me you might be asking yourself this question; was this by design or by accident?  And why now? Was it hatched in clandestine meetings and orchestrated as one? Or was it something to do with the market conditions globally that motivated these jurisdictions to look at this type of policy intervention?   

As an ex civil servant I know that jurisdictions, bound together as they are through some common bond – be it geographic, historic allegiances or whatever – meet or talk quite often. But in this case I don’t think there was explicit orchestration. Nor do I think it was primarily motivated by COVID. It takes years rather than months to get policy mature enough to release announcements of this nature. Sure, COVID might have offered a last minute input to the 11th hour fine tuning of the Cabinet Paper or equivalent for the most recent initiatives, but the original driver had to pre-date COVID. 

What is it then, that has motivated the Five Nations to move in a similar time frame along a similar but not identical path?  In my view it is fraud, plain and simple.  And the huge part of those truly horrible statistics on online fraud that point to identity theft. The Equifax breach of 2017 left the nations of the world stunned and Governments the world over with few answers at the time beyond penalties for example.  Online fraud is a global problem – a pandemic of a different kind. Numerous attempts have been made to quell its rise. But sadly, nothing is working.  The Foster Bill is the first tangible evidence that the US is serious about tackling online identity-related fraud from a legislative perspective. To a greater or lesser extent, my sense is that online fraud is a significant element in the UK’s decision and possibly NZ’s as well, which brings us full circle to the Canadians who saw it coming and began its journey years ago. 

About Colin Wallis:

Colin leads the Kantara Initiative Inc. an international ethics based, mission-led Trust Framework Operator, specification developer and new concept incubator in the domains of digital Identity and personal data. Kantara’s open and inclusive philosophy to community development attracts the leading edge of identity and privacy thought leaders passionate about improving the trustworthy use of identity and personal data through innovation, standardization and good practice. ID Pro – the association of digital identity professionals – was conceived in Kantara, and IDESG – the US focussed voluntary, public-private partnership built around the Obama Administration’s National Strategies for Trusted Identities in Cyberspace (NSTIC) – has recently been absorbed into Kantara. Colin’s 15 years combined public and private sector background in digital identity in the UK, US and his original homeland New Zealand, ensures that Kantara’s programmes are aligned with multiple eGovernment strategies in additional jurisdictions such as Australia, Canada and Sweden while influencing others in Europe and worldwide. He has contributed to international standards consortia including ISO and ITU-T, as well as the OECD’s ITAC (Internet technical Advisory Committee). Now living in Dorset, Colin was named in OWI’s Top 100 Influencers in Identity in 2018.