The U.S. Senate Homeland Security and Governmental Affairs Committee recently passed a bill called the Improving Digital Identity Act, which now moves to the full Senate for debate. The bill was introduced in response to a call from the bipartisan Commission on Enhancing National Cybersecurity for federal agencies to act as “an authoritative source to validate identity attributes” across the digital ID market. If passed, an Improving Digital Identity Task Force would be established to help ensure citizens’ privacy and security, and to support “reliable, interoperable digital identity verification in the public and private sectors,” which then could be established by the U.S. federal government after a Senate committee vote.
The legislation states that there is no easy, affordable method for government agencies and businesses to verify whether an individual is who they purport to be online, allowing cyber criminals to access personal data more easily.
With the hype of Artificial Intelligence (AI) and the proliferation of AI-powered chatbots, services and products, the approval of the bill is vital. It is becoming clearer each day that having a digital identity solution that empowers people and protects their data and privacy while being equitable and accessible to all, is a necessity as we further move to a global digital economy, making this an issue that goes far beyond the U.S. border.
The World Economic Forum (WEF) recently published a report on Digital Identity, stating that there are roughly 850 million people globally who lack legal identification (ID), which makes it difficult or impossible for them to fully engage with society. At the same time, many of those with ID do not have privacy and control over how their data is shared.
There are different approaches to a digital identity system solution, each with its benefits and challenges. When the Improving Digital Identity Task Force embarks on its mission, it will not have to start from scratch. International organizations, such as the WEF, Global Government Forum (GGF) and Organization for Economic Cooperation and Development (OECD) have been researching this subject for years and have findings and recommendations to share. Several governments have already been experimenting with building digital identity solutions, and the U.S. Task Force can learn from their successes as well as their failures.
Before we dive into the various findings and the essential properties for viable solutions, let’s first understand what digital identity is and what the different approaches for digital identity system are.
What is digital identity?
The OECD defines Digital Identity as “a set of electronically captured and stored attributes and/or credentials that can be used to prove a feature, quality, characteristic, or assertion about a user, and, when required, support the unique identification of that user.”
Identifiable data includes a wide range of things, such as passwords, usernames, bank accounts, social media photos, posts, and can be generalized to any personal information with any website we have engaged with. We could have many identifiable data — for example, different usernames and passwords for different applications and services, making it difficult to keep track and remember.
Approaches to digital identity systems
There are three main approaches to digital identity systems:
Centralized Digital Identity solutions are administrated and controlled by a single authority. As the internet grew, centralized authorities and hierarchies gained more power as more people had to manage a growing number of digital identities while having no control over them.
This model is a siloed one where systems are isolated from each other, and people have to create a digital identity account for every platform — for example, you might pay your rent or mortgage using one identity, shop at an online retailer using another, and browse social media on a third. The average person has 100 passwords and a study from the University of Sydney conducted a survey among social media users from Australia, UK, and U.S. revealed that a third of people don’t trust social media companies with their data. This creates bad user experience as they have to manage an increasing number of accounts.
Due to the problems that resulted from the centralized digital identity model, federated identity was developed, which allows authorized users to access multiple applications and domains using a single set of credentials, such as when people can use their Google or Facebook account to sign into websites or apps. A federated identity links a user’s identity across multiple identity management systems so they can access different applications efficiently. In federated identity systems, personal data is often being stored, tracked, and shared to other parties without people’s knowledge.
Since the data is controlled by these siloed organization, the user has no control over their data privacy and security and have to trust these organizations for implementing proper cybersecurity measurements to protect their data and adhere to proper use of data.
The latest IBM Data Breach Report revealed that an alarming 83% of organizations experienced more than one data breach during 2022. A Clark School study at the University of Maryland is one of the first to quantify the near-constant rate of hacker attacks against computers with Internet access – every 39 seconds on average, affecting one in three Americans every year – and the non-secure usernames and passwords we use that give attackers more chance of success.
This explains why privacy and security is the top of the list for users as well as governments when constructing the framework of a digital identity system.
3. Decentralized Identity or Self-Sovereign Identity (SSI)
Currently, Self-Sovereign Identity is used interchangeably with the term Decentralized Identity. Certificate fraud, fake credentials, slow verification processes, and data breaches are just some of the problems associated with our current centralized digital identity systems that decentralized identity technology can solve.
Self-Sovereign Identity (SSI) is a model that gives individuals full ownership and control of their digital identities without relying on a third party. In contrast to centralized identity management, you are in control of your identity and can decide who sees your data. You can also remove access to your data at any time. SSI solutions utilize blockchain and Web3 technologies and are currently being experimented with several governments such as Catalonia and Estonia.
The essential properties for a viable digital identity system/framework
One of the key findings of the Digital leaders Study 2023 published by Global Government Forum is that “to realize their vision of seamless services wrapping around the user, countries must develop two essential capabilities: strong digital ID systems, and high-quality, cross-government data management.” Analyzing the success stories, as well as the ones that were not implemented well, the survey suggests three main essential properties for building a viable digital identity system:
1. Privacy and security: Building trust by putting citizens in control of their data
As data owners, institutions and organizations sometimes hold their datasets so close that citizens can’t see how they’re being used, which is fostering public suspicion that hampers progress. The most successful digital ID systems – such as those in Estonia and Singapore – are those that put control in the citizen’s hands, providing transparency on how data is being used and seeking explicit permissions before it is shared with public or private bodies.
In Estonia, for example, every time personal data is accessed – whether it’s a doctor reading medical records, or a police officer checking a vehicle registration – that action is visible to citizens in their digital ID dashboard, enabling them to challenge improper use.
Another solution currently being experimented in Catalonia is a decentralized, Self-Sovereign system where data is not collated centrally. In this framework, users control digital wallets containing their personal data, sharing information when they choose. The lack of a centralized government-held database can address public concerns about security and privacy and makes this a suitable approach for countries without an existing national ID system.
2. Accessibility and ease of use: Focus on building a customer base, not delivering a policy
Citizens are likely to adopt a digital ID system if it’s straightforward to set up, makes their lives easier, and provides valuable opportunities. Germany, where less than 10% of the public makes use of a digital ID system introduced a decade ago, highlights this issue. Every citizen and resident in Germany holds an e-ID card capable of securely holding and sharing personal data, and able to verify the user’s identity to online services, yet it’s barely used. The complex sign-up process has led to high drop-out rates among those seeking to activate their digital ID systems. A decade ago, the hope was that private companies would build services for e-ID users, but low adoption has kept the potential market small.
In contrast, Singapore’s digital leaders keep a careful eye on the Singpass app’s ratings on Google Play and Apple’s App Store (where it scores an impressive 4.5 and 4.8 stars respectively). Singapore has also introduced service centers, where officials can walk citizens through the process. Nowadays, citizens can access 2000 private sector services via Singpass, while companies have access to 3.5 million customers.
3. Usability: Create a ‘single source of truth’ for key datasets
Governments with advanced digital identity systems can identify individuals with confidence and use citizens’ ‘unique identifier’ reference to link up datasets around them. This property, though quite essential, is still a challenge even for success stories, such as Singapore. There is no easy solution here, but the problem must be addressed. Government agencies are siloed, they keep their own records and often may have different identifiers for the same data on different agencies’ databases.
One of the plausible solutions to overcome this challenge would be a decentralized identity. Catalonia’s blockchain system can be accessed by any public body in the EU, reflecting the lives of EU citizens who increasingly need to connect with organizations across the EU. It also offers digital ID for non-EU citizens, such as Ukrainian refugees. The EU has already been implementing these essential properties in their proposed digital identity framework, utilizing three key principles: accessibility, wide usability and giving full control to users.
In this global digital economy, it is imperative that every nation adopt these properties to create a viable digital identity system that empowers users while providing adequate privacy and security.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.