Talking Digital ID with NAB

I was delighted to appear on the latest NAB Digital Next podcast in conversation with Alysia Abeyratne, Senior Manager for Digital Policy at NAB (National Australia Bank). We drilled into the history of verifiable credentials and the recent awareness that identification doesn’t need so much identity.

Hence NAB’s terminology has switched from “digital identity” to Digital ID — something that’s much more familiar and concrete.

NAB realises that identification processes need better data. Lockstep’s perspective is that the best data for identification will come through real world IDs and credentials repackaged in improved digital formats that make them more reliable online than plaintext IDs, and less vulnerable to theft.

The Australian federal government’s Digital ID Bill embodies this paradigm shift.

Individuals don’t need new numbers or any new “digital identity”; they need better ways to handle their existing IDs online. And it’s exactly the same with businesses; the best digital technologies conserve the rules and relationships that are working well in the analogue world.

After reviewing the historical language of “digital identity” and the state of the art in verifiable credentials, I went on to discuss how better verification of all important data is an urgent need, in the broader context of AI and the wicked problems of Deep Fakes.

Here are some edited extracts from the podcast.

Some History

At the dawn of ecommerce, in 1995, Australia was leading in e-signatures, e-authentication and PKI (public key infrastructure) even before we were buying much online. Around then Australia passed its technology neutral electronic signature law.

PKI was dominated by Defence thinking thanks to national security perspectives. That led to onerous operational standards, some of which are still with us today in TDIF.

Trying to help people think about new digital concepts, we had naive metaphors for identity, such as “passports”, which we hoped would let us freely go around cyberspace and prove who we are. It turned out to be really hard to have a general-purpose proof of identity.

About 15 years ago, the digital industry got a little more focused, by looking at specific assertions, attributes and claims. These boil down to what you need to know about somebody, which varies from application to application.

And what do you need to know about a credential?

Verifiable Credentials and What Do You Really Need to Know?

Sophisticated verifiable credentials today let you know where a credential has come from, reference its terms and conditions, and can even convey how a credential has been carried (so we can tell the difference, for example, between device-bound Passkeys and synced Passkeys).

Instead of identity, we can ask better design questions, about the specifics that enable us to transact with others. When it’s important and you can’t rely on trust, then you need to know where a counterparty’s credentials have come from.

Provenance matters for devices too and data in general. The subjects of verifiable credentials can be non-humans, or indeed intangible items such as data records.

In almost all cases, we need to ask: Where does a subject come from? How do you know that a subject is fit for purpose? And where will you get these quality signals?

The same design thinking pattern recurs throughout digital credentials, the Internet of Things, software supply chains, and artificial intelligence. We need data in everything we do, and we need to know the story behind the data.

The importance of language

We habitually talk about “identity” but what do you really need to know about somebody?

When you put it like that, we all know intuitively that the less you know about me, the better!

Technically that’s called data minimisation. In privacy law, it’s sometimes called purpose specification; in security it’s the good old need-to-know principle.

What do you really need to know about me? It’s almost never my identity, as we saw at the first NAB roundtable (PDF).

So, if identity is not necessarily our objective, we should not call this thing “digital identity”. It’s as simple as that.

Digital identity makes uneven progress

The Digital Identity field is infamously slow moving. The latest Australian legislation is the third iteration in four years, and the government’s “Trusted Digital Identity Framework” (TDIF) dates back to 2016 (PDF).

We’ve made Digital Identity hard by using bad metaphors – especially “identity” itself. There is wider appreciation now that the typical things we need to know online about people (and many other subjects) are not “identity” but instead credentials, specific properties, facts and figures.

But meanwhile we have made great progress on verifiable credentials standards and solutions. White label verifiable credentials are emerging; the data structures can be customised to an enterprise’s needs, issued in bulk from a cloud service, and loaded into different digital wallets and devices.

Enterprises will be able to convert their employee IDs from analogue to digital; colleges and training organisations will do the same for student IDs and qualifications. The result will be better security and privacy as users become able to prove exactly what they need to know about each other in specific contexts.

Governance of Digital ID and beyond

A major potential game changer is happening at home in Australia. The Digital ID Bill and the resulting Australian Government Digital ID System (AGDIS) make the problem simpler by making the objective smaller. Instead of any new and unfamiliar “digital identity”, AGDIS conserves the IDs we are used to, and introduces a governance regime for digitising them.

The IDs we are familiar with are just database indexes. And we should conserve that. The Australian Digital ID Bill recognises that ID ecosystems exist and we should be able to govern the digitising of IDs in a more secure way. So, the AGDIS is a more careful response to the notorious data breaches in recent years.

The plaintext problem

The real problem exposed by data breaches is the way we all use plaintext data.

Consider my driver licence number. That ID comprises six numbers and two letters, normally conveyed on a specially printed card, and codifies the fact I am licensed to drive by the state of New South Wales. My status as a driver in turn is a proxy for my good standing in official government systems, so it has become a token of my existence in the community. Along with a few other common “ID documents” the driver licence has become part of a quasi-standard grammar of identification.

Historically, IDs are presented in person; the photo on a licence card proves the credential belongs to the person presenting it. Relative to the core ID, the photo is a type of metadata; it provides an extra layer of evidence that associates the ID with the holder.

When we moved identification online, we maintained the grammar but we lost the supporting metadata. Online, businesses ask for a driver’s licence number but have none of the traditional signals about the quality of the ID. Simply knowing and quoting an ID doesn’t prove anything; it’s what geeks call a “shared secret”, and after a big data breach, it’s not much of a secret anymore.

Yet our only response to data breaches is to change the IDs and reissue everybody’s driver’s licences. The new plaintext is just as vulnerable as it was before. It’s ridiculous.

But let’s look carefully at the problem.

The driver licence as a proxy for one’s standing is still valid; the licence does provide good evidence that a certain human being physically exists. But knowing the ID number is meaningless. We need to move away from plaintext presentation of IDs — as Lockstep submitted to the government in the 2023 consultations on Digital ID legislation.

Crucially, some 15 years ago, banks did just that. The banks transitioned from magnetic stripe credit cards, which encode cardholder data as plaintext, to chip cards.

The chip card is actually a verifiable credential, albeit a special purpose one, dedicated to conveying account details. In a chip card, the credit card number is digitally signed by the issuing bank, and furthermore, every time you dip your card or tap it on a merchant terminal, the purchase details are countersigned by the chip.

Alternatively, when you use a digital wallet, a special secure chip in your mobile phone does the same thing: it countersigns the purchase to prove that the real cardholder was in control.
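The contrast between a plaintext ID as a “shared secret” and the chip-card pattern (issuer signs the credential, holder’s chip countersigns each transaction) can be made concrete in code. The following is an added example, not code from the podcast, from Lockstep, or from any real wallet or EMV implementation; it uses a constructed toy credential format with Ed25519 from Go’s standard library, a constructed sample licence number, and hypothetical function names (Issue, Present, Verify, Demo). It shows three cases: a genuine presentation verifies; a presentation by someone who merely knows the plaintext credential (as after a data breach) but lacks the holder’s private key fails; and a captured genuine presentation replayed against a fresh verifier nonce fails.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is the issuer-signed part: the ID plus the holder's public key
// (the binding a chip provides), signed by the issuer. Toy format, constructed
// for this example; not a real Verifiable Credential or EMV structure.
type Credential struct {
	Subject   string `json:"subject"`
	IDNumber  string `json:"id_number"` // the plaintext ID
	HolderKey []byte `json:"holder_key"`
	IssuerSig []byte `json:"issuer_sig"`
}

// Presentation binds a credential to one transaction: the verifier's nonce and
// the transaction details, countersigned by the holder's key.
type Presentation struct {
	Cred      Credential
	Nonce     []byte
	Details   string
	HolderSig []byte
}

// credentialBytes is the byte string the issuer signs (everything but the signature).
// json.Marshal is deterministic for these field types, so it serves as a canonical form here.
func credentialBytes(c Credential) []byte {
	b, _ := json.Marshal(struct{ S, ID string; K []byte }{c.Subject, c.IDNumber, c.HolderKey})
	return b
}

// Issue has the issuer sign the ID together with the holder's public key.
func Issue(issuerPriv ed25519.PrivateKey, subject, id string, holderPub ed25519.PublicKey) Credential {
	c := Credential{Subject: subject, IDNumber: id, HolderKey: holderPub}
	c.IssuerSig = ed25519.Sign(issuerPriv, credentialBytes(c))
	return c
}

// presentationBytes is the byte string the holder countersigns: credential, nonce, details.
func presentationBytes(p Presentation) []byte {
	b, _ := json.Marshal(struct{ C, N []byte; D string }{credentialBytes(p.Cred), p.Nonce, p.Details})
	return b
}

// Present is the "tap": the holder's key countersigns this specific transaction.
func Present(holderPriv ed25519.PrivateKey, c Credential, nonce []byte, details string) Presentation {
	p := Presentation{Cred: c, Nonce: nonce, Details: details}
	p.HolderSig = ed25519.Sign(holderPriv, presentationBytes(p))
	return p
}

// Verify checks, in order: the nonce is the one this verifier issued (no replay),
// the issuer really signed the credential (including the holder key it names),
// and the countersignature was made by that holder key (not just anyone who knows the plaintext).
func Verify(issuerPub ed25519.PublicKey, expectedNonce []byte, p Presentation) bool {
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return false
	}
	if !ed25519.Verify(issuerPub, credentialBytes(p.Cred), p.Cred.IssuerSig) {
		return false
	}
	if len(p.Cred.HolderKey) != ed25519.PublicKeySize {
		return false // malformed key; ed25519.Verify would panic on a bad length
	}
	return ed25519.Verify(ed25519.PublicKey(p.Cred.HolderKey), presentationBytes(p), p.HolderSig)
}

func newNonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	return n
}

// Demo runs the three scenarios and returns whether each one verified.
func Demo() (genuineOK, stolenOK, replayOK bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader) // someone who only has the plaintext

	// Constructed sample: six digits and two letters, per the page's description of an NSW licence number.
	cred := Issue(issuerPriv, "NSW driver licence (constructed sample)", "123456AB", holderPub)

	n1 := newNonce()
	genuine := Present(holderPriv, cred, n1, "open account")
	genuineOK = Verify(issuerPub, n1, genuine)

	// The thief holds the whole signed credential (as leaked in a breach) but not the holder's private key.
	n2 := newNonce()
	stolenOK = Verify(issuerPub, n2, Present(thiefPriv, cred, n2, "open account"))

	// A captured genuine presentation replayed against a fresh challenge.
	replayOK = Verify(issuerPub, newNonce(), genuine)
	return
}

func main() {
	g, s, r := Demo()
	fmt.Printf("genuine=%v stolen-plaintext=%v replay=%v\n", g, s, r)
}
```

The point the code makes is the one in the text: once the ID is signed by the issuer and bound to a holder key, knowing the plaintext (even the full signed record) proves nothing by itself, and each presentation is tied to one transaction, so a leaked or captured copy cannot be reused.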

Mimicking modern credit card security for Digital IDs

That’s the pattern we now need in order to pivot from plaintext IDs to verifiable IDs.

The Australian Competition and Consumer Commission (ACCC) has the role of Digital ID regulator. As it did with another important digital regime, the Consumer Data Right (CDR), the ACCC is expected now to convene technical working groups to develop detailed rules and adopt standards for governing Digital ID.

If the rules adopt hardware-based digital wallets and verifiable credentials, then the presentation of any ID can be as secure, private and simple as a modern payment card. That will be a true game changer.