By Waldemar Scherer, CEO and co-founder of Integritee AG
Across politics, the private sector, and civil society, the push for establishing new digital identity systems is gathering pace. But to offer a true alternative to the status quo, such systems must embrace privacy-by-design.
In a world where everybody seems to be talking about digital transformation, identity management remains firmly rooted in the past.
When we want to authoritatively identify ourselves to access a service, such as opening a bank account, checking in at an airport, or even something as simple as renting a car, there is often no alternative but to fall back on analog paper documents such as passports, driving licenses and residency permits.
This demonstrates that when it comes to identity, we are still at an early stage of digital transformation.
For the most part, we have simply recreated the analog world in the digital realm by creating digital copies of paper documents.
True Digitalization of IDs Remains Elusive
The distinction between digitization and digitalization may be instructive in this regard.
Whereas digitization is the process of making existing documents and processes digital, Gartner describes digitalization as “the use of digital technologies to change a business model and provide new revenue and value-producing opportunities”.
For the most part, identity has only been partially digitized, but certainly not digitalized. Think about what you need to do when opening an account with an online bank or digital payment provider, for instance.
To verify your account, you will typically need to scan or photograph paper copies of your passport, official identity card, or driver’s license, and provide proof of your address.
In addition, you may also need to take and upload a selfie to verify your ID. For proof of address, a copy of a paper utility bill is typically suggested, even though many consumers now pay for utilities with e-bills.
Bad for Competition, Bad for Security
Although businesses try to make these processes as straightforward as possible, they still require the user to leave their computer or smartphone, track down one or more paper documents, and then wait up to 48 hours for them to be verified.
The inconvenience and bureaucracy of this process hinders competition and the efficiency of the market. This is because such services tend to be relatively “sticky”:
Once a customer has gone to the effort of laboriously identifying themselves, they don’t want to go through the hassle again, even if a competitor offers a slightly better price.
Digital identity systems also lack interoperability or common standards in most countries, which leads to cybersecurity and privacy concerns.
If you want to use an array of digital services that require identity verification, you need to upload sensitive personal documents, which would be highly valuable to criminals, to multiple separate centralized servers.
In this way, siloed digital identity systems expose multiple attack surfaces, and the security of your documents is only as strong as the weakest of them.
Centralized Logins Also Not the Solution
Given these challenges, it is unsurprising that some of the world’s biggest tech firms have been trying to fill the gap.
In the short term, some of the most dominant players have become de-facto digital identity hubs for users.
Many smaller web services allow you to skip a sign-up procedure and sign in with your Google, Facebook or PayPal account instead. However, this approach has a number of drawbacks:
- These accounts are not officially recognized identity documents. Therefore, for certain services like opening a bank account or renting a car, further verification will be required to ensure legal compliance.
- By centralizing logins, this practice further strengthens the dominance of the biggest players in the market.
- It creates a centralized target for hackers and makes the potential consequences of losing control of primary accounts grave.
- Users still do not have control over their personal data and the centralized service provider has the power to revoke access to it.
Encouraging Signs of Progress
In the longer term, many companies envision a future where users have officially recognized digital identities that they can own and manage themselves.
Firms like Microsoft, for example, have explicitly advocated the creation of a decentralized digital identity (DDID) system based on distributed ledger technology (DLT).
The ID2020 Alliance is a public-private partnership that espouses the principle that “identity is a human right and that individuals must have ‘ownership’ over their own identity”.
It has received support and participation from many major companies like Mastercard, Accenture, Microsoft, PwC, Cisco, and Facebook.
There have also been some major developments on the political and regulatory front. On June 3, 2021, the European Commission proposed the introduction of an EU-wide digital identity wallet, an interoperable system that would allow users to store and selectively share officially recognized identity documents throughout all member states.
The Devil’s in the Detail for DDID
While these developments are encouraging, it will be important to keep a close eye on the technical solutions that are eventually proposed. In the case of the ID2020 Alliance, the precise workings of the proposed identity network are not entirely clear.
While the organisation suggests that “decentralized systems could provide greater privacy protection for users”, it says that widespread agreement on technical implementation is required first.
Microsoft, conversely, has pushed ahead with its own DDID implementation, based on Azure Active Directory and the Bitcoin-based ION network, while Mastercard has a rival system in the works.
For citizens and consumers, there will clearly be a trust deficit to overcome here: if competition and data security are the main problems with the status quo, is this really an issue that the big players — including Big Tech — can be trusted to solve on their own?
As for the EU proposal, the European Commission has stated that although the digital identity wallet should be interoperable, each member state can choose how it will be technically implemented.
While both France and Germany are exploring blockchain-based approaches, this still leaves open the possibility that some countries could opt for centralized servers to store their citizens’ identity data. Furthermore, it remains unclear how such a heterogeneous network of different ID systems will remain secure and interoperable.
How to Combine Blockchain and Private Data?
In addition to the trust barrier mentioned above, there is also a fundamental technical question — how can a public blockchain, which is transparent by nature, be used in conjunction with highly sensitive private data?
In this respect, it’s important to consider that it’s often only necessary to validate that certain conditions are met, without needing to know precise details. When you order a drink at a bar, the establishment needs to know that you are over 18, but not your precise birthdate.
When renting a car, the rental company needs to know that you hold a valid driver’s licence, but does not necessarily need an exact copy of the document.
When applying for a loan, the finance company needs to know that you have adequate collateral, but not your precise bank balance.
Thus, a system that fully respects user privacy should convey the minimum viable amount of personal data to facilitate a service or transaction.
This is where trusted execution environments (TEEs) come into play. A TEE is a reserved area within a computer processor that runs separately from the standard operating system.
The underlying data processed in a TEE is accessible to no one, not even the system administrator of the device it operates on.
If a public blockchain network is then used to remotely verify the authenticity of a TEE, users can rest assured that their data remains confidential and can only be processed in agreed ways.
So, if we return to one of the scenarios above, verified data about your name, passport and driving licence could be stored in a TEE.
When renting a car, a piece of code in the TEE would verify that you meet the requirements for rental, and the rental company would simply be informed that the transaction can proceed, without disclosing any further details or requiring any paper documentation to be exchanged.
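The two ideas above, disclosing only whether a condition is met rather than the underlying data, and having that verdict produced by code whose output the relying party can verify, can be sketched in a few dozen lines. The following is an added example written for this article; it is not Integritee code and does not use a real TEE. A plain dictionary stands in for enclave-sealed claim storage, and an HMAC key stands in for the attestation-backed signing key an enclave would hold (the relying party would normally trust that key via remote attestation). The claim values, policy names and key are all constructed for illustration.

```python
"""Data-minimizing predicate checks: the relying party learns a signed verdict, not the claims."""
import hashlib
import hmac
import json
from datetime import date

# Constructed sample claims, as they might exist after a passport and driving licence
# were verified once. In the architecture described above these live only inside the TEE.
SEALED_CLAIMS = {
    "name": "Example User",
    "date_of_birth": "1990-06-15",
    "passport_number": "X0000000",          # placeholder, not a real document number
    "licence_valid_until": "2027-01-31",
    "licence_categories": ["B"],
}

# Assumed: a key known only to the enclave. Here a fixed HMAC key so the example runs offline.
ENCLAVE_KEY = b"constructed-enclave-key"


def _age_on(dob_iso: str, as_of: date) -> int:
    """Whole years between a date of birth and a reference date."""
    born = date.fromisoformat(dob_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


# Each policy is a predicate over the sealed claims. Only its boolean verdict leaves the enclave.
POLICIES = {
    "over_18": lambda c, as_of: _age_on(c["date_of_birth"], as_of) >= 18,
    "may_rent_car": lambda c, as_of: (
        _age_on(c["date_of_birth"], as_of) >= 21
        and "B" in c["licence_categories"]
        and date.fromisoformat(c["licence_valid_until"]) >= as_of
    ),
}


def evaluate_policy(policy: str, as_of_iso: str, claims: dict = SEALED_CLAIMS) -> dict:
    """Enclave side: evaluate one named policy and return a signed, minimal receipt."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    as_of = date.fromisoformat(as_of_iso)
    receipt = {
        "policy": policy,
        "as_of": as_of_iso,
        "result": bool(POLICIES[policy](claims, as_of)),
    }
    payload = json.dumps(receipt, sort_keys=True).encode()
    receipt["signature"] = hmac.new(ENCLAVE_KEY, payload, hashlib.sha256).hexdigest()
    return receipt


def verify_receipt(receipt: dict, key: bytes = ENCLAVE_KEY) -> bool:
    """Relying-party side: accept the verdict only if the enclave signature checks out."""
    body = {k: v for k, v in receipt.items() if k != "signature"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt.get("signature", ""))


def discloses_claims(receipt: dict, claims: dict = SEALED_CLAIMS) -> bool:
    """Sanity check on the output: True if any claim key or (non-trivial) claim value leaked."""
    blob = json.dumps(receipt)
    for key, value in claims.items():
        if key in blob:
            return True
        for item in (value if isinstance(value, list) else [value]):
            if len(str(item)) >= 4 and str(item) in blob:   # skip 1-letter codes like "B"
                return True
    return False


if __name__ == "__main__":
    for policy, when in (("over_18", "2024-07-01"), ("may_rent_car", "2024-07-01"), ("may_rent_car", "2028-01-01")):
        r = evaluate_policy(policy, when)
        print(policy, when, "->", r["result"], "| signature ok:", verify_receipt(r), "| leaks:", discloses_claims(r))
```

The third call shows the failure mode a practitioner cares about: once the licence has expired, the rental check fails without the rental company ever having seen the expiry date. Tampering with the `result` field invalidates the signature, so a relying party that checks it cannot be handed a forged verdict.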
This hybrid approach delivers many of the benefits of centralized servers — such as speed and performance — but uses blockchain to ensure trust.
Most importantly, however, it provides privacy by design, which means that users do not need to trust in the unverifiable behavior of third-party administrators to know that their privacy is being respected.
Digital identity is currently in a formative stage of development. The principles that are embedded into our identity systems now will likely prevail for decades to come.
To foster user trust and make a break from the harmful data collection practices of the past, such systems must embrace the principle of privacy by design. This will not only be good for the privacy of users, it will also facilitate more open, competitive and innovative data-driven services.
Waldemar Scherer, CEO and co-founder of Integritee AG, is a seasoned executive and entrepreneur with a background in business informatics who has managed global programs and digital transformation projects in the financial services sector.
He was an integral part of the team to establish EY’s Blockchain footprint in Switzerland. As a co-founder and former Head of Enterprise Blockchain at Swisscom, he built blockchain solutions and services for internationally renowned companies in the finance, insurance and pharma industries.