Digital IDs are very much in the news at the moment, whether vaccine passports or calls for social media accounts to be verified to prevent online abuse.
Osborne Clarke partner Mark Taylor provided some comments on digital IDs as part of his contribution to a feature in leading technology media title Computing called ‘towards a single digital ID’ written by its research editor John Leonard.
Many of the articles on Computing’s website are free to access but some require registration including the feature on digital ID.
Mark Taylor’s full comments can be found below:
At a time when trust in the authorities is low in this country do any centralised digital ID schemes have a chance of succeeding?
“The logic for digital ID is strong in many ways, not least because we all already have so many different log-ins held by so many different businesses. A single, verified, secure digital ID could be hugely convenient and remove duplication, as well as streamlining processes such as anti-money-laundering checks, opening accounts, etc. But the trick is to structure it in a way that maximises convenience and minimises concern over “big brother” surveillance, but also avoids digital exclusion.
“Key to this will be ensuring that individuals feel that they retain control of their data. Specifically, we have the possibility of “self-sovereign” ID formats. The central idea is that rather than the ID being issued and controlled by a central (probably government) authority, the individual concerned can create their own portable digital ID which they retain control over, including aspects such as what it covers, who can access it, what that third party can do with it, etc.
“Another concern is the concentration of security risk which might arise with a single digital ID. It should be possible to design around this, but it does require careful consideration in any digital ID solution.”
Has anyone done it well (eg Estonia perhaps)?
“Digital ID in Estonia is government-issued, which might not be acceptable in some countries.
“On the positive side, Estonian digital ID is built on a blockchain structure. The great advantage of blockchain is that it offers a structure for holding data which is secure, auditable and transparent, both in terms of enabling access to the data stored on it, and because any tampering with the data can be readily spotted. It has been suggested as ideally suited for self-sovereign ID systems – the individual can be confident that any access to their data is logged, amendments to their data cannot happen without their consent, and no one can gain access without their consent.
“How do you see the battle emerging between the right to privacy and the move to do away with online anonymity?
“These are not necessarily mutually exclusive concepts. Just because an online service provider or platform, seeks to verify someone’s identity does not mean that privacy is then lost. Privacy regulation is important precisely to control what someone can do with personal data that it has in its possession.
“What tends to be a bigger concern (as mentioned above) is whether a use of a centralised digital ID gives one entity particular insight over how an individual interacts online. In practice, it should be possible to overcome this concern.”
Digital identity suffers from a lack of standards with many actors all going their own way. Do you see it coalescing around a particular standard / implementation?
“Standards and common interfaces will be important to ensure, first, that an individual doesn’t need more than one digital ID because they would be universally compatible and recognised, regardless of the issuer.
“Secondly, common standards would support the provision of digital IDs by private entities, reducing central government “big brother” concerns. Ensuring that digital ID accounts are portable from one provider to the next would allow consumers to switch their digital ID provider, facilitating a competitive market for these services. Regulatory authorisation based on qualitative (not quantitative) criteria might be needed to reinforce consumer trust in the issuers.
“One challenge though is how to incentivise the development of this market – few commercial players are likely to adopt a “build it and they will come” strategy, so it may be that, again, government sponsorship, funding or other involvement is needed in some form. Another liability – i.e. to what extent the issuer of a digital ID is responsible for and underwrites the assurance as to identity which it seeks to provide.”
If you would like any advice on data protection, digitalisation or digital ID then please contact Mark or another member of the team.