Author: Nick Tegg

Posted on

Background & Use Cases …

Just Imagine ...
The vast amount of Personal Data that is currently obtained processed, stored, managed, retained and eventually deleted under our existing centralised model in which personal data is inextricably linked to the application that uses it.
Just Imagine ...
The service improvements, the improved efficiencies, the reduction in fraud potential, the enhanced customer relationships, the cost savings, design improvements and reduction in compliance overhead that could be achieved by the widespread introduction of decentralised identities and the personal management of personal data.

In February 2019 TechUK issued a white paper entitled ‘The Case for Digital IDs‘, which made a number of recommendations to the UK Government, the most important of which being:

the UK Government to facilitate the creation of a fully functioning digital identity ecosystem, which operates across public and private sectors

The white paper includes a list of potential Use Cases for Digital Identities and several of these are described in this post.

Recognising the importance of the subject in July 2019 the Department for Culture Media & Sport issued a Digital Identity: A Call for Evidence, confirming that

We are committed to enabling a digital identity system fit for the UK’s growing digital economy without the need for identity cards by working in partnership across government, the private and voluntary sectors, academia, and civil society.Quote

Potential Use Cases

Digital birth certificates
How about issuing new born babies with a Digital Identity as their very first verifiable credential; one that they could use throughout their life. Issuing at birth would be a great first step in safeguarding youngsters online but issuing to school age children would be a game-changer in restricting access to harmful content.
DBS or criminal record checks
Non-standardised application process across the UK introduces inefficiency,is poor for labour mobility and requires the processing of a considerable amount of personal data in multiple centres.
ID checks at bars, nightclubs & public places
Controlled access to identity verification data via a mobile device limits the exposure of personal data to that which is appropriate to meet the check being carried out e.g. club doorman verifying an individual as being 18+ or a police officer requiring a date of birth and current address.
Right to rent checks
A landlord or letting agent is legally obliged to see original acceptable docs, review prospective tenants face-to-face and make copies of documentation. This is expensive and inefficient for all parties, and carries significant data protection risks. From a consumer standpoint it would be preferable to be able to transfer reference checks to different landlords and letting agents.
Age verification for access to age restricted online content
Support certification against PAS1296:2018 for online age checking presents a model for age verification for age-verified goods and services.
Voter registration, polling and e-voting
Digital identity and one-to-one facial recognition software can be used as a means of citizen verification for voter registration, identification at polling stations, remote e-voting and polling.
Qualification screening checks
Verify that a huge range of regulated professionals, such as doctors, dentists, accountants, security consultants, architects etc have the qualifications and specialisms that they purport to have.
Licensing checks
To work in the UK private security industry an individual must be licensed by the Security Industry Authority, a lengthy process that requires the sharing of copious amounts of personal data.
Proof of address for utility bills and banking
By providing a customer with an attribute stating that they have been a customer for a certain period of time a bank or utility company could dispense with existing slow, inconvenient and potentially fraudulent manual processes.
Posted on

Personal Digital Identity, where to begin?

Lets’ start with a good old fashioned Problem Statement:

The problem of –
being required to share multiple items of personal information as a pre-condition to being granted access to resources on a website
Affects –
my ability to manage and maintain control over my personal information;
The impact of which is –
that I no longer know who has my information, what they are doing with it and how securely it is being maintained.
An ideal solution would be …
A system whereby my personal information is securely stored and decoupled from their application. This would enable me to take back control of my personal information by managing when and how third parties are able to view and use my personal information.

Now, I’ve got that off my chest, let’s have a look at an important piece of background material on the subject.

In 2005 Kim Cameron, Architect of Identity at Microsoft wrote The Laws of Identity‘, a blog in which he produced a problem statement, far more succinct than mine – “The Internet was built without a way to know who and what you are connecting to.”

Cameron argues that it’s hard to introduce an identity layer into the Internet because there is no agreement on what digital identity should be or how it should be run. This comes about because digital identity is related to context and each one of the billions of Internet users has many hundreds of reasons, or contexts, for using the Internet.

According to Cameron, the emergence of a single simplistic digital identity solution as a universal panacea is not realistic, what is needed is a unifying identity metasystem that can protect applications from the internal complexities of specific implementations and allow digital identity to become loosely coupled.

Cameron proposes 7 laws of identity:

  • User Control & Consent – technical identity systems must only reveal information identifying a user with the user’s consent.
  • Minimal disclosure for a constrained use – the solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.
  • Justifiable parties – digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
  • Directed identity – a universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
  • Pluralism of Operators & Technologies – a universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
  • Human integration – the universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
  • Consistent experience across contexts – the unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
Proudly powered by WordPress