Digital identity laws for better trust in big tech

As big tech gains influence, we need a central anchor of trust for our identities, which can be found in new digital identity laws

Identity is experiencing a phenomenal shift across the UK and Europe. In the UK, the Department for Culture, Media and Sport (DCMS) recently created a new agency to oversee the creation of new digital identity laws in a bid to augment physical documents such as passports.

Meanwhile on the continent, the EU’s digital wallet scheme is nearing pilot stage and will see all the Union’s 457 million citizens offered a unified, mobile-based means to prove who they are, wherever they are and whenever they need.

Identities are a multi-faceted being – and individuals should have the power to prove who they are to a whole host of bodies and services.

But in the age of digital services – and soon, digital identities – ownership has become challenging. There’s huge potential for success for digital ID schemes, but as the government begins to explore new digital identity laws, there are some vital considerations needed about the size, scope and gravity of these projects.

The identity landscape – how and why is it shifting?

Undoubtedly, the pandemic accelerated a trend toward digital services that were already in motion. We know consumers want them – 76% of respondents in our recent survey cited a desire for more government services to be made available online. And it makes sense why – they’re easier, faster and more efficient.

But as we use more digital services, identities are also becoming more multifaceted than simply a passport or driving licence. Consider, for example, bank details, email addresses, social media profiles, and medical records… to what extent are these now part of identity?

Big techs are also taking action to have greater ownership and leverage over consumer data – TikTok is the most recent example that’s made headlines globally for its ‘aggressive’ data harvesting, while Google and Meta have also received data privacy fines in Europe for misuse of user cookies.

The government is no longer the single source of power and information. And consumers no longer have as much control as they might think of their identity and their data.

But, while consumers are receptive to the idea of a digital identity scheme in theory, what will it take to make for an effective reality?

Digital identity schemes – the good, the bad and the ugly

Concepts such as self-sovereign identity (SSI) are great in theory – whereby full ownership of identity credentials is given back to the individual, who decides with who and how they are shared. But there are two clear elements that will hold this back from lift-off: governance and technical effort. Shifting all consumer credentials to the blockchain requires significant and impetuous effort while, without any oversight or governing body, there’s no initiative or standardised means to see this through and protect it as it develops over time. The success of any scheme requires mass adoption, and SSI simply asks too much of consumers.

The other question we might ask is, what’s the harm in letting big techs have more of our data? While it may seem convenient and inconsequential now, our lives are only going to become more digital and it’s very difficult to take back control once data has been given away – ownership of this data becoming more disparate holds huge complexities for all involved in the longer term.

There is scope for digital identity schemes to be delivered effectively, securely and with more power in the hands of consumers, though.

A leading example is Estonia’s digital identity programme. Since 2014, the nation has gained a global reputation for pioneering digital identities. Its Smart-ID service allows citizens to authenticate themselves and provide digital signatures online from an app on their smartphones. This is then recognised as an equivalent to a handwritten signature anywhere in Europe. Using advanced face verification technology, the app securely verifies a user against its government issued-ID document and only delivers the essential information and approval to the third-party – eg., verifying a citizen is over 18 without sharing their full address and passport number.

Schemes like the EU Digital Wallet are another brilliant example of how we can strike a balance between maintaining an anchor of trust and empowering consumers to combine all their ID facets into one place, with control over what they share and with whom. The wallet scheme brings in trusted third parties and service providers, but similarly to Estonia’s scheme, will ultimately be weighed in existing strong identification documents that are issued and protected by respective nation governments, ensuring there’s a consistent, trusted controller of data.

What’s next for the UK and digital services

A single sign-on and ID verification solution to access government services online – One Login – is already moving closer to reality and will see citizens able to gain access to services online more easily and securely from as soon as the end of the year, while our eyes are on a broader digital identity scheme materialising from the DCMS’s new agency’s work.

The UK is hearing consumer calls for digital services. But crucially, it’s also recognised that moving to more digital identity schemes and services – if handled in the right way – is also far more secure. As mentioned in the Estonia example earlier, a digital identity scheme can greatly limit how much of our Personally Identifiable Information (PII) is shared on the internet. Whereas in the past you may have shared a scan of a full identity document – containing your date of birth, address, passport number, photo – a digital identity scheme can now simply validate requests from third parties while keeping all other sensitive information protected and secured. The impact of this in reducing fraud and phishing attacks will be phenomenal.

Physical documents are also far easier to lose, steal and manipulate than an online service if it is secured with biometrics. Facial verification technology is already emerging as the obvious solution for schemes globally, as it can verify users based on existing trusted government photo IDs. Biometrics are something you are, not something you have, so they simply can’t be forgotten, shared, stolen or compromised in the same way.

Creating a central anchor of trust

A digital identity scheme that can incorporate all stakeholders – from governments to banks to service providers – is undeniably the direction we are heading, but it’s a difficult journey that needs a consistent driver. As these schemes start to materialise in the UK and beyond, maintaining a government presence at the helm ensures there’s a level of consistency and trust and data sharing is minimised.

After all, identities to date are issued by governments – so who else is better placed to take passports and ID cards into the digital space? It’s a huge undertaking, which is why it needs that top level of oversight and consistency, combined with world-leading security.

This piece was written and provided by Mike Summers, at iProov.