Written by Waldemar Scherer, CEO and Co-Founder of Integritee AG
Across politics, the private sector, and civil society, the push to create new digital identity systems is growing. But to offer a real alternative to the status quo, these systems must embrace privacy by design.
In a world where everyone seems to be talking about digital transformation, identity management remains firmly in the past.
When we want to formally identify ourselves to access a service, such as opening a bank account, checking in at an airport, or even something as simple as renting a car, there is often no alternative but to refer to analog paper documents such as passports, driver’s licenses, and residence permits.
This demonstrates that when it comes to identity, we are still at an early stage of digital transformation.
For the most part, we have simply recreated the analog world in the digital world by creating digital copies of paper documents.
True digitization of IDs remains elusive
It may be useful in this regard to distinguish between digitization and digitalization.
While digitization is the process of converting existing documents and processes into digital form, Gartner describes digitalization as “the use of digital technologies to change a business model and provide new revenue and value-producing opportunities.”
For the most part, identity has only been partially digitized, but certainly not digitalized. Think about what you need to do when opening an account with an online bank or digital payment provider, for example.
To verify your account, you will usually need to scan or photocopy hard copies of your passport, official ID or driver’s license, and provide proof of your address.
In addition, you may also need to take and upload a selfie to verify your identity. For proof of address, a copy of a paper utility bill is usually suggested, although many consumers now pay for utilities using electronic bills.
Bad for competition, bad for security
Although companies try to make these processes as straightforward as possible, they still require the user to leave their computer or smartphone and track down one or more paper documents and then wait up to 48 hours for them to be verified.
The inconvenience and bureaucracy in this process hinder competition and market efficiency. This is because these services tend to be relatively “static”:
Once a customer has gone through the effort of identifying themselves, they don’t want to go through the trouble again, even if a competitor offers a slightly better price.
Digital identity systems also lack interoperability or common standards in most countries, leading to cybersecurity and privacy concerns.
If you want to use a range of digital services that require identity verification, you need to upload sensitive personal documents, which are potentially of high value to criminals, to several different central servers.
In this way, isolated digital identity systems present hackers with multiple attack surfaces, and the security of your documents is only as strong as the weakest link among them.
Central logins aren’t the answer either
Given these challenges, it’s no surprise that some of the world’s biggest tech companies are trying to bridge the gap.
In the short term, some of the de facto dominant players have become digital identity hubs for users.
Many smaller web services allow you to skip the registration procedure and sign in with your Google, Facebook, or PayPal account instead. However, this approach has a number of drawbacks:
- These accounts are not officially recognized identity documents. Therefore, for some services such as opening a bank account or renting a car, further verification will be required to ensure legal compliance.
- By centralizing logins, this practice reinforces the dominance of the largest players in the market.
- It creates a central target for hackers and makes the potential consequences of losing control of basic accounts dangerous.
- Users still have no control over their personal data and the central service provider has the ability to revoke access to it.
Encouraging signs of progress
In the long term, many companies envision a future in which users are formally recognized as digital identities that they can own and manage themselves.
Companies like Microsoft, for example, have explicitly advocated the creation of a decentralized digital identity (DDID) system based on distributed ledger technology (DLT).
ID2020 Alliance is a public-private partnership that embraces the principle that “identity is a human right and that individuals should possess their own identity”.
It has received support and participation from many major companies such as Mastercard, Accenture, Microsoft, PwC, Cisco and Facebook.
There have also been some major developments on the political and organizational front. On June 3, 2021, the European Commission proposed the introduction of an EU-wide digital identity wallet, an interoperable system that would allow users to selectively store and share officially recognized identity documents in all member states.
The devil is in the details for DDID
While these developments are encouraging, it will be important to closely monitor the technical solutions that are ultimately proposed. In the case of the ID2020 Alliance, the exact procedures for the proposed identity network are not entirely clear.
While the organization suggests that “decentralized systems can provide greater privacy protection for users,” it says broad agreement on technical implementation is needed first.
Conversely, Microsoft has gone ahead with its own DDID implementation, based on Azure Active Directory and the Bitcoin-based ION network, while Mastercard has a rival system in the works.
For citizens and consumers, there will obviously be a trust deficit to overcome here: If competition and data security are the main problems in the status quo, is this really a problem that the big players – including Big Tech – can be trusted to solve on their own?
As for the EU proposal, the European Commission said that while a digital identity wallet should be interoperable, each member state can choose how it is technically implemented.
While France and Germany explore blockchain-based methods, this still leaves open the possibility that some countries may choose central servers to store their citizens’ identity data. Furthermore, it remains unclear how this heterogeneous network of different identity systems will remain secure and interoperable.
How do you combine Blockchain and private data?
In addition to the trust barrier mentioned above, there is also a fundamental technical question – how can a public blockchain, which is transparent in nature, be used in conjunction with highly sensitive private data?
In this regard, it is important to consider that often it is only necessary to check that certain conditions are met, without having to know the subtleties. When you order a drink at a bar, the establishment must know that you are over 18, but not your exact date of birth.
When renting a car, the rental company needs to know that you hold a valid driver’s license, but it does not necessarily need a certified copy of the document.
When applying for a loan, the finance company needs to know that you have enough collateral, but not your exact bank balance.
Thus, a system that fully respects the privacy of the user must transmit the minimum applicable personal data to facilitate a service or transaction.
This is where Trusted Execution Environments (TEEs) come into play. A Trusted Execution Environment (TEE) is a reserved area within a computer processor that runs separately from the standard operating system.
The data processed inside the TEE cannot be accessed by anyone else, not even the system administrator of the device it runs on.
If a public blockchain network is used for remote attestation (validation) of the TEE, users can rest assured that their data remains confidential and can only be processed in agreed ways.
So, if we go back to one of the above scenarios, the verified data about your name, passport and driver’s license can be stored in the TEE.
When you rent a car, code running inside the TEE will verify that you meet the rental requirements, and the rental company will simply be informed that the transaction can go ahead, without revealing any other details or asking for any paper documents to be exchanged.
This hybrid approach offers many of the advantages of centralized servers – such as speed and performance – but uses blockchain to ensure trust.
More importantly, it provides privacy by design, which means that users do not need to trust the unverifiable behavior of third-party administrators to know that their privacy is being respected.
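The minimum-disclosure idea from the bar, car rental and loan examples above, and the TEE rental flow that follows from it, as an added illustration that is not code from the article or from Integritee: a simulated enclave holds the verified identity record and only ever releases signed yes/no answers to agreed predicates. The relying party (the rental company) checks the signature and the code measurement against a trusted list, which stands in for the attestation a public ledger would anchor, and learns nothing but the boolean. The sample record, the shared HMAC attestation key, the way the measurement is derived and the predicate names are all constructed assumptions; a real TEE signs with a hardware-rooted key and its measurement is produced by the hardware, not computed in software as here.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample of already-verified identity data. In the article's model this
# record lives only inside the TEE; the relying party never receives it.
VERIFIED_RECORD = {
    "name": "Example Person",
    "date_of_birth": "1990-06-15",
    "driver_license_valid_until": "2028-01-31",
    "bank_balance_eur": 12500,
}

# Fixed "today" so the example is reproducible (constructed).
DEMO_TODAY = date(2024, 1, 1)

# Predicates the enclave agrees to answer. Each returns a bare True/False, which is
# all the relying party needs (over 18, licence valid, enough collateral).
def is_over(record, today, years):
    dob = date.fromisoformat(record["date_of_birth"])
    # Birthday-aware age: subtract one if this year's birthday has not happened yet.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= years

def has_valid_license(record, today):
    return date.fromisoformat(record["driver_license_valid_until"]) >= today

def has_collateral_at_least(record, today, amount):
    return record["bank_balance_eur"] >= amount

PREDICATES = {
    "is_over": is_over,
    "has_valid_license": has_valid_license,
    "has_collateral_at_least": has_collateral_at_least,
}

# Stand-in for a hardware code measurement (SGX calls its MRENCLAVE): a hash that
# identifies which predicate code is running. Hypothetical derivation from the names.
CODE_MEASUREMENT = hashlib.sha256(
    ("predicates-v1:" + ",".join(sorted(PREDICATES))).encode()
).hexdigest()

# Hypothetical attestation key. A real TEE signs with a hardware-rooted private key;
# a shared HMAC key keeps this simulation self-contained and offline.
ATTESTATION_KEY = b"constructed-attestation-key"


class SimulatedEnclave:
    """Holds the verified record and releases only signed yes/no answers."""

    def __init__(self, record, key):
        self._record = record
        self._key = key

    def answer(self, predicate, today, **params):
        result = PREDICATES[predicate](self._record, today, **params)
        # The statement binds the result to the code measurement, the exact question
        # asked and the date, so it cannot be replayed for a different question.
        statement = {
            "measurement": CODE_MEASUREMENT,
            "predicate": predicate,
            "params": params,
            "date": today.isoformat(),
            "result": result,
        }
        payload = json.dumps(statement, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, "sha256").hexdigest()
        return statement, tag


# Relying-party side. TRUSTED_MEASUREMENTS models the set of enclave measurements
# published on the public ledger that the article says anchors trust.
TRUSTED_MEASUREMENTS = {CODE_MEASUREMENT}

def verify_answer(statement, tag, key, expected_predicate, expected_params):
    """Return the boolean result only if the attested statement checks out, else None."""
    payload = json.dumps(statement, sort_keys=True).encode()
    expected_tag = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # tampered or forged statement
    if statement["measurement"] not in TRUSTED_MEASUREMENTS:
        return None  # produced by code nobody has vetted
    if statement["predicate"] != expected_predicate or statement["params"] != expected_params:
        return None  # a valid answer, but to a different question
    return statement["result"]


def rental_check(enclave, today):
    """Everything the rental company learns: two verified booleans, no document contents."""
    s1, t1 = enclave.answer("is_over", today, years=18)
    s2, t2 = enclave.answer("has_valid_license", today)
    adult = verify_answer(s1, t1, ATTESTATION_KEY, "is_over", {"years": 18})
    licensed = verify_answer(s2, t2, ATTESTATION_KEY, "has_valid_license", {})
    return adult is True and licensed is True


if __name__ == "__main__":
    enclave = SimulatedEnclave(VERIFIED_RECORD, ATTESTATION_KEY)
    print("rental may proceed:", rental_check(enclave, DEMO_TODAY))
```

The point of `verify_answer` rejecting a mismatched predicate or parameter set is that a signed "over 18" answer must not be accepted where "over 21" was required; binding the question into the signed statement is what makes the yes/no answer safe to pass around. With a real TEE the HMAC check becomes a signature check against a hardware-certified public key and the trusted-measurement set is read from the ledger rather than hard-coded.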
Digital identity is currently in a formative stage of development. The principles embedded in our identity systems are likely to prevail for decades to come.
To enhance user confidence and move away from harmful data collection practices of the past, these systems should embrace the principle of privacy by design. This will not only be beneficial for users’ privacy, but will also facilitate more open, competitive and innovative data-driven services.
Waldemar Scherer, CEO and Co-Founder of Integritee AG, is a veteran CEO and entrepreneur with a background in Business Informatics who has managed global programs and digital transformation projects in the financial services sector.
He was an integral part of EY’s Swiss-based blockchain fingerprint creation team. As the co-founder and former head of the Blockchain Foundation at Swisscom, he has built blockchain solutions and services for world-renowned companies in the fields of finance, insurance, and pharmaceuticals.