Will the digital world solve the identity crisis?

A truly digital identity is a critical enabler for a digital economy. A trusted, secure and universally accepted digital identity fosters economic growth, productivity and financial inclusion. Today, however, a sizeable section of the global population is lacking the basic digital credentials to fully participate in the digital economy.

To address this issue, many countries have recently launched new national electronic identity (eID) programmes, including Australia, Cameroon and Jamaica, with the most ambitious being India’s Aadhaar project, which had registered more than 1 billion citizens as of August 2017.

Caught between two worlds

However, as UBS pointed out in a 2016 white paper, digital identity is still straddling the analogue and digital worlds. In addition, security remains an issue – as demonstrated by recent high-profile data breaches at Equifax, Yahoo! and Uber.

“Part of the problem is that we still rely to a great extent on the analogue world – as when asked to produce a physical passport or birth certificate to open a bank account. There are also serious problems in the way identity is currently handled in the digital realm, from the lack of security of our data to the lack of control over it,” says the white paper.

Yet at the same time, technology developments such as the Internet of Things (IoT), smart contracts and artificial intelligence are creating an increasingly interconnected world, where machines and other objects “become economic actors in their own right”, says the UBS report.

Jesse McWaters, ‎financial innovation lead at the World Economic Forum (WEF), and lead author of the 2016 WEF report ‘A blueprint for digital identity’, says most people are so used to the current process of establishing identity that it is difficult to see how strange it is in a digital environment.

“A physical identity system has three parties: a user that wants to use a service; a service provider that needs to confirm an attribute to provide the service; and an identity provider that provides a trust bridge. But in an online world usually there is no identity provider, which has led to every service provider becoming an identity provider and building up stores of information,” he says.

A growing awareness

This approach is problematic for three reasons, says Mr McWaters. First, it creates a responsibility for a service provider, who may be in the business of selling goods, to maintain a secure customer database. Second, it means that users need constantly to provide their data, with little visibility into where that data goes and how it is used afterwards, particularly in light of new business models built on monetising data.

Third, the current process fails to take advantage of opportunities for greater privacy that a digital identity could provide. “Contrary to the commonly held belief that people have less privacy in a digital environment, it becomes possible to tailor queries much more efficiently and respond to a specific question, such as whether an individual is over 18 or not, with a simple yes or no, as opposed to providing a driver’s licence with name, date of birth and address,” says Mr McWaters.

Since the report’s publication 18 months ago, he has seen an important shift to a greater understanding that identity is a key component in scaling the digital experience. “Identity pertains not just to individuals and companies, but increasingly to devices and financial assets, and there is a need to better manage this,” he says.

“Many are realising that things they once thought of as disparate problems – such as data breaches, fraud and inappropriate use of metadata – are all connected to identity management.”

This recognition is not confined to the financial services community, but also includes trade, logistics, hospitality, health, travel and so on. “That growth in the awareness of the problem and possible solutions is the most important development I have seen,” Mr McWaters says.

Banking opportunity

Identity is about more than authentication; it is also about managing the transfer and confirmation of attributes. But who should be involved in creating a digital identity solution? In its report, the WEF focused on financial institutions for several reasons, says Mr McWaters.

“First, banks are in a unique position to support a solution because they have a store of customer attributes that have been obtained with high level of assurance. Banks are held to a high regulatory standard through rigorous KYC [know your customer] processes,” he says. “Second, banks have a strong competitive interest in playing an important role in a digital identity solution. In addition to helping them reduce cost through more efficient processing, it has a strategic value in helping the bank retain an important role in the customer’s life – becoming a custodian not just of their funds but also of their data, and providing them with the mechanism to control the sharing of data or attributes.”

His second point is particularly important in jurisdictions such as Europe and the UK, where the Payment Services Directive 2 (PSD2) and open banking threatens to disintermediate banks from the customer relationship. “Because of PSD2-type legislation, many banks have realised that they must help their customers and make banking easier – or someone else will,” says Greg Wolfond, founder and chief executive of SecureKey Technologies, a Toronto-based identity and authentication service start-up.

“In part, [digital identity] will help on-board customers faster, and reduce friction and fraud in the process, but it is also an opportunity for banks to be ‘reintermediated’ into their customers’ lives – to be there when customers are renting a flat, help them prove who they are, their credit score, pay the rent, set up utility services, etc,” says Mr Wolfond. “There are huge opportunities for banks to add value by playing a role in these digital identity ecosystems.”

Like Mr McWaters, he argues that banks should play a central role in a digital identity solution. “I don’t think it is solvable without the banks. But it is up to them to step up and help consumers with this – they must want to play a role,” says Mr Wolfond.

Fostering mass adoption

While bank-led digital identity projects such as BankID in Sweden and Norway and Finland’s Tupas were successfully rolled out more than a decade ago, today there is a growing trend of consortium building, bringing together multiple constituents of an identity ecosystem. This approach also helps allay public fears over centralising personal data and government surveillance, which has thwarted government-run initiatives in the past.

In a pioneering example of a consortium approach, Estonia created an eID in 2002 together with the private sector, mainly for efficiency and secure authentication reasons. “Telcos, banks and utility companies provide most digital services, rather than the state, and we wanted digital identity to become a normal daily activity,” says Kaspar Korjus, programme lead on Estonia’s e-Residency project.

More recently, the top seven Canadian financial institutions – Bank of Montreal, CIBC, Desjardins, National Bank, Royal Bank of Canada, Scotiabank and TD Canada Trust – joined SecureKey’s digital identity platform, which also includes telcos, utilities and government agencies. SecureKey Technologies’ Mr Wolfond believes the platform’s success is dependent on building a consortium.

“Banks can play a role as trust anchors in terms of KYC checks and bank app log-ins, whereas a telco can identify the mobile device and location. Using my phone camera, I can check my facial biometrics against government-issued IDs. A consortium can pull parties together and allows people to assert their identity in a meaningful way,” he says.

Similarly, Alastria is a Spanish consortium launched in October 2017 that includes 140 companies and institutions in different sectors, as well as engaging with fintech start-ups, universities and regulators. Alex Puig, chief executive of Alastria, says: “Even a state-sponsored project does not guarantee success, therefore rolling out a digital identity solution needs everyone on board.” The non-profit open initiative counts Banco Santander, Banco Sabadell and BBVA among its founding members.

According to Yves Bontemps, head of corporate solutions at bank messaging consortium Swift, shared digital identities are an enabler of the global digital economy transformation. “The new digital economy is all about ecosystems and connecting organisations, the frontiers of which are being blurred by API [application programming interface] connectivity. In this new world, sharing identity between organisations is necessary to support a continuous natural flow of information,” he says.

Blockchain’s killer app?

Alastria is using blockchain, or distributed ledger technology (DLT), to enable and accelerate the digital transformation of the various industries. Its initial aim is to create a standard digital identity, ID Alastria. The consortium is building a semi-public blockchain based on Ethereum, but on a national level and without cryptocurrency; instead, it is tokenising euros.

Mr Puig believes blockchain is ideal for digital identity because it is decentralised, made up of nodes hosted by participants, and therefore more secure. “In any centralised technology, there is a single point of attack or place where everyone’s identities are stored. But in Alastria’s case, the digital identity is owned by the individual. Hackers can attack one person but not the whole community at the same time.

“The identity that Alastria is creating is not built on such information as my name or where I live, but what I have permission to do. We are working with certificates, claims and attributes. For example, I can prove I am a client of Santander, so BBVA could also accept me as a client without having to go through the KYC process.” The next step for the consortium is to build services on top of the blockchain using smart contracts.

SecureKey’s digital identity network is using IBM’s blockchain technology, which is built on Linux Foundation’s open-source Hyperledger Fabric, a permissioned blockchain. Government and the banks in the consortium will run the nodes, but no consortium participant will be able to track or conduct surveillance on individuals, due to the unique ‘triple-blind’ privacy capability of the SecureKey implementation.

“This is important to ensure the provider doesn’t know where you are going, the receiver doesn’t know everything about you and the network does not see the data,” says Mr Wolfond. “We wanted triple-blind privacy, which is compliant with ‘privacy by design’, an approach to systems engineering that takes privacy into account throughout the engineering process. This is the standard in Canada and compliant with General Data Protection Regulation [GDPR] in the EU.”

A matter of control

Even though Estonia’s eID network pre-dates DLT, it is using the technology to record every identity card transaction, whether obtaining an e-prescription or voting, with a unique hash on a blockchain. “An individual can see who has accessed their data and when – it can’t be tampered with. Blockchain is an important component in digital identity because it increases the trust between citizens and government,” says Mr Korjus.

“Giving individuals control over their data, or self-sovereignty, has been a dominant theme over the past year,” says Gene Vayngrib, CEO and co-founder of Tradle, a start-up that uses blockchain to achieve user-controlled KYC portability. He says the centralised identity management design is outdated. “Using blockchain to allow individuals to point to the place and time where their identity was verified by an entity in the ecosystem creates the basis for portability and fraud prevention, as well as effectively managing privacy and confidentiality. That creates much better convenience for the customer but also for the banks because it removes friction in their own operations.”

Mr Vayngrib adds that many people talk about how self-sovereignty fits into GDPR, but not many point out its importance for cross-border data movements. “Data residency restrictions, the most recent imposed by China, apply to institutions moving their customers’ data, but not to customers moving their own data,” he says.

Self-sovereign identity

With the advent of DLT, a decentralised, truly independent, self-sovereign digital identity system becomes possible. Sovrin, for example, is a fully open system which allows any person, organisation or thing to have an identity independent of any proprietary ‘siloed’ database.

DLT start-up Evernym created the Sovrin ecosystem, a purpose-built public distributed ledger, because Ethereum and Bitcoin’s blockchains were not appropriate for identity, mainly due to privacy, performance, cost and governance issues, according to Timothy Ruff, the company’s co-founder and CEO.

“We knew something different had to be built but also that no one could own it, including us. We knew we would have to give it away and take a risk that, as it took off, we could fail and the ecosystem would survive,” he says. “Additionally, it means some third party can’t come in and monitor you or take your identity away.”

Though it was designed to solve identity issues, Sovrin is not, in fact, an identity system, according to Mr Ruff. “The problem lies in defining identity, which means so many different things in different contexts. Sovrin is actually a ‘claims exchange’ system, where a claim is a piece of information that makes an attestation about some fact, and stretches beyond simple identity,” he says.

“No longer do I have an identity that I carry with me, but I have dozens, hundreds, or even thousands of claims in a digital wallet that I can use in different contexts, depending on where I need to establish trust,” adds Mr Ruff. “As a counterparty, you can receive and verify the claims I give to you, and vice versa.” In this way, Sovrin could help prevent phishing attacks because not only can the bank ensure that the individual is verified, but an individual can authenticate the bank just as strongly, for example.

The platform also helps in an IoT world. Mr Ruff uses the example of one self-driving car communicating to another. “When cars talk to each other, is there a user name and password? No. So how does identity verification work in the IoT context when devices need to authenticate each other?” he asks. “Use case after use case, the traditional model of identity is limited, confusing and context dependent. But when dealing with claims, and the ability for each party to give each other a verified claim and then immediately check the signature on the claim, then all that is needed is a standardised way to digitally sign these claims and verify the signatures.”

While many large banks and institutions are getting behind Sovrin, Finland’s TrustNet consortium is the first to go public with a pilot to test how Sovrin’s self-sovereign identity will benefit its citizens.

The future is borderless

Digital identity is the first step to a fully digital economy and already many are exploring what else can be done. SecureKey, for example, is working on a cross-border project to allow a French citizen to open a bank account in the UK, made feasible under the EU’s eIDAS regulation, which enables digital signatures within the internal market. Additionally, it is working with Gov.UK Verify to allow a UK citizen to open a bank account in Canada. “We are doing a lot of work around interoperability and that is where it has to go – money moves globally and ultimately we need an international digital identity standard,” says Mr Wolfond.

In another pioneering move, Estonia is moving towards becoming a borderless nation state, where any individual can become a digital resident. Mr Korjus says: “We now provide foreigners with a digital identity through our e-Residency programme. They are digital residents and it is up to us now – and in the future – to define those digital residents’ rights and obligations.”

The country has attracted more than 27,000 e-Residency applications from 150 countries. Most are looking to access business services, such as starting location-independent global EU businesses. Now, in conjunction with Finnish fintech company Holvi, they can set up payment accounts remotely. “Individuals can be part of our digital society without ever visiting Estonia. Of course, business services is just one aspect; I am planning to transform many of our core services,” says Mr Korjus, mentioning areas such as healthcare, crypto-tokens and investments.

Mr Korjus’s vision is that, in the future, it will not matter how large a nation state’s territory or internal market is – people will subscribe to the state that has the best services or a better value proposition. “This means we will also offer better services to resident citizens, because if we offer poor services then our citizens can subscribe to other nations,” he says.