Image credit: Sandro Halank, Wikimedia Commons, Creative Commons Licence BY-SA 4.0.
Part 1
Digital identity is a microcosm of bigger challenges in data sharing and cyber safety, including content provenance, Deep Fakes, and software supply chain integrity. If we can fix digital identification, then we can also solve these broader data quality problems.
The Digital Identity industry is stuck in a paradigm which treats identity as a good or service to be literally provided—i.e. bought and sold—for general purpose authentication. We keep aiming for “reusable digital identity” even though every business transaction has its own context, parameters and acceptance criteria.
In short, different parties need to know different things about their counterparties.
Various “IDs” serve us well in the physical world when presented and verified via familiar tamper-resistant plastic cards. But online we have resorted to ad hoc presentation of plaintext identifiers without any of the integrity or provenance cues that go with physical credentials. This has enabled endemic digital impersonation and fraud with a spectacular global cost.
Instead of replicating the verifiability of existing credentials online, the Digital Identity industry has tried and tried to roll out novel general-purpose IDs. Across all the major Common Law System countries—AU, CA, NZ, UK and US, where there is no tradition of national ID—no commercially successful reusable Digital ID has emerged in 25 years of trying.
There is an intrinsic barrier to using novel digital identities for identification: because they don’t have the meaning and familiarity of driver licences, birth certificates, Medicare cards etc., new IDs disrupt the way businesses manage identification risk. There is no legal precedent for their use; even if the underpinning Digital ID legislation provides liability cover, the new law is untested. So new digital IDs necessitate a reset of onboarding protocols.
Even if we were completely certain that a new general-purpose ID would improve identification security, the switching cost—including risk analysis, business process reengineering, contract changes, software upgrades, changes to forms, and end user training—is a lot for businesses to bear and is not funded by the Digital ID system.
How did we get to this point, where a radical new ID is apparently preferred by technology leaders, yet it carries so much uncertainty and cost, and the track record of comparable initiatives is so poor? One contributing factor is the framing of online identification as a matter of proving “who someone is”. No third party “identity provider” can verify and warrant every attribute of interest to the satisfaction of every business (or even a few businesses).
We could break through on digital identity if we reframed the problem in terms of specific facts and proofs. Instead of asking broadly “who someone is” online, let’s narrow the question down to what you really need to know about a counterparty in a certain context, and build a framework to distribute verified data.
We have proven technologies, infrastructure and increasingly familiar consumer tools that can distribute the common facts and proofs needed to secure people and businesses online. We have solved a near identical problem before—magnetic stripe card fraud—using chip technologies that foreshadowed today’s verifiable credentials and which are now widespread in mobile digital wallets.
Moreover, the infostructure to distribute facts and proofs for identifying people could also deliver verifiable data about any digital subject. That is, we can build data verification platforms from standard components to fix digital identification and at the same time enable secure data sharing at large.

