The tech industry is renowned for reinventing itself: change happens, and technology changes with it. Nowhere is this more true than in the digital identity sector. In the last twenty years or so, the identity sector has gone through its adolescence and emerged as a bright young thing. Now, the government has a golden opportunity to build on the hard-won lessons of the sector and build better ID for all.
A lesson from the past brings us into a bright future
Back in the day, which is not that long ago, maybe the mid to late 2000s, the notion of cloud computing was setting tech circles alight. The idea that software could be moved out of the constraints of a desktop and made accessible from any device without installing anything was nothing less than revolutionary. It was also highly disruptive for the industry. Around this time, Microsoft had developed a technology known as the ‘Information Card’. One of the designers of this system was Kim Cameron, author of the 2005 treatise “The Laws of Identity”, which set out seven laws. I mention this because the Information Card system was built on those laws, the first of which is
“User Control and Consent”: “Technical identity systems must only reveal information identifying a user with the user’s consent.”
This statement was way ahead of its time. Way ahead of the GDPR, way ahead of the current crop of decentralised IDs.
The Information Card system was desktop-based: the cards were installed on, and confined to, the desktop. I’ll come back to this concept of identity held on a device later…
In 2009, at IIW (Internet Identity Workshop), I presented a working prototype of a ‘Cloud Selector’ that would pull the Information Card off the desktop and enable it to be used in internet-based transactions. But that was too early for most to appreciate. Being ‘stuck’ on a desktop at a time when cloud computing was starting its rocket to the stars rang the death knell for the Information Card.
But the idea of an encapsulated ‘identity’ stuck in the sector’s mind, and the notion of “claims” being part of an identity-initiated exchange was established. Claims (now more commonly known as attributes – it’s a protocol thing) were snippets of data that confirmed just the identity information needed to allow a transaction to occur, e.g., “I’m over 18, so let me in”, rather than the underlying data such as a full date of birth. The scene was set…but it took a while to brew.
Over the subsequent years, the identity debate became ever more heated, even philosophical in tone. What is a digital identity anyway? Who really has ownership and control over claims, including those issued by a government? How can technologists make identity secure, yet accessible for the consumer? The debate continued, and many variants of what a digital identity could be entered the space. Enterprise identity and consumer identity became increasingly merged as the internet, BYOD, and federated social login across enterprise apps made the landscape fuzzy. In UK government circles, a move from a simple login to a more ‘verified’ and therefore ‘secure’ identity system became a goal. Out of this twinkle in the eyes of several government and industry players came the UK government identity scheme, Verify.
Verify was a good try, but no cigar.
The idea of verifying an individual by checking attributes against trusted sources is sound. The difficulty is doing that in a way that doesn’t end up with either poor match rates or people getting fed up entering copious amounts of information. And then there are the fraud checks…fraudsters are pretty good at circumventing detection, as attested by the rise in online payment fraud, with losses expected to reach $25 billion by 2024.
During this period, the privacy debate reared its head thanks to folks like Edward Snowden and various debacles including the Cambridge Analytica/Facebook privacy fiasco. The laws that Kim Cameron set out seemed to be increasingly relevant. In the meantime, data was circumnavigating the globe and cybercriminals were pushing their snouts into the data trough like there was no tomorrow.
The identity industry was scrabbling to ‘MAKE IT STOP’.
Ideas began to formulate. Can we fix identity to ensure user control and still have verification?
A long way back to decentralisation
The Information Card was a form of decentralised identity. You could call it a wallet, as it was on a device, admittedly a big lumbering desktop that you couldn’t exactly rock up to the local newsagents and buy a bottle of oat milk with. However, it was decentralised in that the claims lived in cards held on the user’s own device rather than in a central identity store.
And here we are, in 2021, 16 years on from the Laws of Identity treatise, and back where we started. This time, the concept of decentralised identity has been resurrected in the form of self-sovereign identity (SSI). These ‘identity in your pocket’ solutions put user control back into identity, making a firm move away from the centralised identity stores of systems such as Verify. SSI is based on device wallets. An individual installs a mobile wallet that holds verified claims (verifiable credentials); the identifiers and issuer keys those credentials depend on are typically anchored to a blockchain or other distributed ledger, while the claims themselves stay in the wallet. Privacy and user control are intrinsic to the design, and portability has recently been addressed to allow these wallets to be used on multiple devices. A few design issues remain, some of which I discussed in an article entitled “Three Questions on Self Sovereign Identity”.
Decentralisation is an enticing approach to identity and one which obviously will not go away. How the underlying mechanism provides for often complex, multi-faceted, use cases that involve more than the individual, is yet to be fully explored. However, it may well be that SSI is just part of a wider identity network, what the industry once termed the ‘identity ecosystem’.
The identity ecosystem is dead, long live the identity ecosystem
There is a stirring in the identity community. A stirring that is building into a crescendo of voices coming together in unison. After many long years of exploring the requirements, the potential, and the possibilities within the field of identity, a very large penny has dropped.
This field of identity dreams is not about identity; it’s about transactions. Because the industry got caught up in a philosophical discussion about the roots of what identity is, the resulting solutions and platforms were constrained in how they handled individuals’ use of online services. By changing the mindset about what we can do with our personal data, the industry has opened new ways of using it.
The concept of the ‘identity network’ or ‘identity fabric’ or whatever you want to call it, has roots in a flexible way of working with personal data. The identity network is based on the idea of a data exchange, one that continues to reflect Kim Cameron’s laws of identity, putting the user as a central part of the exchange. The difference is that the identity network offers a way to connect many parts of a system that can cover a multitude of use cases. Use cases that include the need for anti-fraud checks, verification of attributes, user consent and control, and secure access. The clue is in the connectivity.
Once there were desktop-based identity cards, then this moved into centralised cloud services, and then the industry circled back to decentralised identity wallets. This convergent evolution was an important stepping stone in realising what can and can’t be done with a single approach. Identity networks are the technical equivalent of having an identity cake and eating it. The perfect combination of cloud services that can link back to SSI and other decentralised wallets, as needed to fit the use case.
And one of the most important features of this modern way of ‘doing identity’ is that an identity network can be so lightweight that it never needs to create an identity at all: a ‘zero identity’ system. In a world where identity theft is rife, this is indeed an exciting prospect.
From Zero Trust to Zero Identity
Zero Trust security has been an inflection point for the identity industry. Zero Trust is based on the premise that, when controlling access to resources, an organization should take the stance of “never trust, always verify”: always check who (and what) is trying to access something, rather than trusting them because of where they sit on the network. This stance is the basis of verified identities. However, identity networks can go one step further and create Zero Identity, in the form of “verify, don’t store”.
“Verify, don’t store” has an evolutionary advantage over “never trust, always verify”. It keeps the concept of checking someone out before granting access, but without storing any personal data. In other words, real-time verification, which helps prevent fraud. This is only achievable with a system designed to check data on the fly, where the system acts as a conduit between the stakeholders, i.e., user/relying party/attribute provider/verification service: the relying party receives the answer to its question, not the attributes behind it. Because the conduit still handles the data in flight, it has to be designed and audited so that it genuinely does not retain any of it. By not storing data you avoid all manner of problems that come with both centralised and decentralised identity systems, not least the honeypot of personal data that attackers go after. This is not to say that those systems do not play a part. The need for identity-based transactions is alive and kicking and comes in many flavours, and a rich and varied identity space will no doubt continue to fill the landscape.
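To make the “verify, don’t store” flow concrete, and to show the “I’m over 18, so let me in” claim from earlier in the piece being answered without the date of birth ever leaving the conduit, here is an added example. It is not code from the article or from any product it mentions. The attribute provider is an in-memory dictionary standing in for a real data source, the relying party is a hypothetical newsagent, and the signing key, references and records are all constructed for the demonstration; the HMAC signature is a stand-in for the asymmetric signature a real conduit would use.

```python
"""
Added example, not code from the article or from any product it mentions.

A toy "verify, don't store" conduit. The relying party never receives personal
data; it asks a yes/no question ("is the person behind this reference over 18?")
and gets back a signed answer. The conduit fetches the attribute from a
constructed, in-memory attribute provider, evaluates the predicate, signs the
result and keeps an audit trail that contains no attribute values. All names,
keys and records below are hypothetical.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed attribute provider, standing in for an authoritative source
# (e.g. a government or credit-reference API) queried at transaction time.
ATTRIBUTE_PROVIDER = {
    "ref-001": {"name": "A. Citizen", "dob": "2001-03-14"},
    "ref-002": {"name": "B. Minor", "dob": "2009-08-30"},
}

# Hypothetical key shared by conduit and relying party. HMAC keeps the demo
# short; a real deployment would sign with an asymmetric key so that the
# relying party can verify assertions but not mint them.
CONDUIT_KEY = b"demo-conduit-key-not-for-production"

PERSONAL_FIELDS = {"name", "dob"}


def years_since(iso_date: str, today: date) -> int:
    """Whole years elapsed since an ISO-8601 date, as of `today`."""
    born = date.fromisoformat(iso_date)
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    return today.year - born.year - (0 if had_birthday else 1)


def over_18(record: dict, today: date) -> bool:
    """Predicate evaluated inside the conduit; only its boolean result leaves."""
    return years_since(record["dob"], today) >= 18


class VerifyDontStoreConduit:
    def __init__(self, key: bytes):
        self._key = key
        # Audit trail of what was asked and answered: no names, dates of
        # birth or subject references are ever written here.
        self.audit_log = []

    def verify(self, relying_party: str, subject_ref: str, predicate, today: date):
        # The attribute record exists only for the lifetime of this call.
        record = ATTRIBUTE_PROVIDER.get(subject_ref)
        result = bool(record is not None and predicate(record, today))
        assertion = {
            "rp": relying_party,
            "claim": predicate.__name__,
            "result": result,
            # Fresh per transaction so a relying party can spot a replayed "yes".
            "nonce": secrets.token_hex(8),
        }
        payload = json.dumps(assertion, sort_keys=True).encode()
        signature = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        self.audit_log.append(dict(assertion))  # answer only, no attributes
        return payload, signature

    def retains_personal_data(self) -> bool:
        """True if any audit entry carries an attribute value (it never should)."""
        return any(PERSONAL_FIELDS & set(entry) for entry in self.audit_log)


def relying_party_accepts(payload: bytes, signature: str, key: bytes):
    """Relying-party side: check the signature, then trust only the boolean.
    Returns True/False for a genuine assertion, None if the signature fails."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(payload)["result"]


def tamper(payload: bytes, **changes) -> bytes:
    """Rewrite fields of an assertion to show that a modified one is rejected."""
    assertion = json.loads(payload)
    assertion.update(changes)
    return json.dumps(assertion, sort_keys=True).encode()


def run_demo(today_iso: str = "2021-06-01") -> dict:
    """Drive one conduit through an adult, a minor, an unknown reference and a
    tampering attempt, then confirm nothing personal was retained."""
    conduit = VerifyDontStoreConduit(CONDUIT_KEY)
    today = date.fromisoformat(today_iso)
    results = {}
    for ref in ("ref-001", "ref-002", "ref-unknown"):
        payload, sig = conduit.verify("newsagent.example", ref, over_18, today)
        results[ref] = relying_party_accepts(payload, sig, CONDUIT_KEY)
    # Anyone in the path flipping "no" to "yes" breaks the signature.
    payload, sig = conduit.verify("newsagent.example", "ref-002", over_18, today)
    results["tampered"] = relying_party_accepts(tamper(payload, result=True), sig, CONDUIT_KEY)
    results["retains_personal_data"] = conduit.retains_personal_data()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to notice is what never crosses the boundary: the newsagent learns only that the answer to “over 18?” was yes or no, and the conduit’s own audit log records the question, the answer and a nonce, so a breach of either party yields no dates of birth or names. The constructed `run_demo` also shows the two failure modes a practitioner should test for, an unknown reference (treated as a “no”, never as an error that leaks whether the record exists) and a tampered assertion (rejected by the signature check rather than acted on).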
As initiatives like the latest DCMS Trust Framework coalesce, being able to think across the many varieties of identity offerings is vital in preventing the mistakes of the past. We have been through an evolutionary process in the identity space, and government should take full advantage of the history of identity to shape the future of government services for citizens.
ABOUT SUSAN MORROW:
Susan has worked for over 20 years in the cybersecurity and digital identity space. She currently holds the position of Head of R&D at identity data specialists, Avoco Secure, based in the UK. Susan is also the Think Digital Partners Digital Identity Advisor.
Susan’s focus is on strategic development and solution architecture. Core areas of her domain knowledge include the use of technology layer linking, usability, accessibility, and data privacy. Her mantra is to make sure that human beings control technology not the other way around.