The market failure of the Standard Model of Digital Identity

A standard model of digital identity has been with us, more or less, since the publication of the Laws of Identity by the late great Kim Cameron at Microsoft in 2005, and today still dominates most digital identity solutions, services, standards and policy frameworks. The Laws of Identity taught us that a digital identity is formally a set of claims about a digital subject. The standard model holds that digital identities are issued on behalf of Subjects by Identity Providers and are used by Relying Parties to deal with Subjects, chiefly by individuating Subjects within a group of similar persons or entities. The three principal players of the standard model – Subjects, Identity Providers (IdPs) and Relying Parties (RPs) – are variously said to ‘hold’, ‘present’, ‘exchange’, ‘use’ and/or ‘consume’ digital identities as if identities are a good or a service.

The standard model has spawned a great many government and industry initiatives (typically referred to as “trust frameworks”) and commercial programs to launch identity provider businesses. Federation is almost always an extra objective of these efforts, wherein digital identities issued by one identity provider are expected to be re-useable by their subjects at multiple relying parties. The grandest federations aim for digital identities to be accepted by essentially any relying party within large nation-scale contestable marketplaces, and for identity providers to compete for the business of subjects, thus providing end users with a choice of identities and identity providers.

The most elaborate expressions of the standard model are arguably seen in the private-public partnerships launched by the governments of the United States and the United Kingdom, and similar policy programs of Canada and Australia. It has been the express policy position of Anglophone governments (across the party-political spectrum over at least a decade) to let the free market find lasting digital identity solutions. The U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC, 2009-16) and the U.K. GOV.Verify program (2011-18) saw tens of millions of dollars invested in pilots, and numerous identity providers launched, but both programs were eventually terminated without leaving any lasting identity businesses or any significant adoption of new digital identities.

Clearly, the standard model of digital identity has been a market failure.

Despite the apparent urgency for better digital identity, no robust commercial model has emerged for the sort of Identity Providers that have been anticipated for over fifteen years. The supposed ideal of end users enjoying a choice of identity providers remains entirely hypothetical; they can’t even avail themselves of one IdP (not of the type that the grand federations were geared up for). We must conclude that digital identity is not the sort of thing that can be bought and sold in the marketplace. The Standard Model does not describe participants or services that will in fact emerge of their own accord under free market forces.

If digital identity were really anything like the organic, plural, real-world identities with which people are familiar, then this market failure would not be surprising. We don’t usually buy and sell relationships. On the other hand, it is obvious that a great many subjects and relying parties are getting on very effectively in the digital domain, authenticating one another on the basis of discrete attributes and credentials. So rather than exalting claims data as “Digital Identities”, it would be sufficient instead to simply deal with attributes and credentials on their merits, as signals used to help counter-parties deal with one another under specific conditions.

We should reframe the Digital Identity in terms of verified data about actors.

Most of the things that parties need to know about each other when transacting in the digital domain are available from extant sources of truth, recognised in the real world. Instead of abstracting and complicating “Digital Identity”, we could digitise established truths with better fidelity and preservation of context, so that those truths are clear, attributable and reliable when used online. This reframing takes today’s verifiable credential tools and extends them so as to verify the source and conditions-for-use of data in general, so that the trusted sources of data are safely connected to data users. We should be constructing orderly data supply chains to support the digital economy so that the origin and intended usage of data is evident, context is clear, and terms & conditions may be attached to data items. We should learn from the market failure of Digital Identity as framed in the standard model inherited from the Laws of Identity, and evolve, moving from loose ideas of identity to concrete data about the entities we deal with online.