What is Identity, digital or otherwise?

The quality or condition of being a specified person or thing. (Concise Oxford Dictionary, 8th ed, 1990)

Something I have …

How identity worked in the pre-computer age.

Few of us growing up in the developed world had any choice in the matter. When I was born my parents were legally required to register my birth for which they received a paper birth certificate; a verified credential which, even today, I am occasionally required to produce.

Since then, like most other people in the UK, I have become an avid collector of verified credentials that either enabled me to claim the benefits to which I was entitled or take on the responsibilities they bestow. Registering with the local doctor allowed my parents and I to use the NHS and the issue of a National Insurance number kick started my contribution towards the cost of the welfare state. In 1975 the Met Police confirmed me in the office of Constable and gave me a warrant card which came with the power of arrest; a really powerful credential that acted as both a proof of identity and authority for me to take certain legal actions. On receiving my first pay cheque I opened a bank account and the cheque book I received was another valuable and frequently used credential. Debit cards, credit cards, driving licence, marriage certificates, mortgage certificates, loan agreements, credit rating, insurance certificates, passport, degree certificate, professional qualifications and memberships all followed over the next 45 years. I still have most of these original documents, locked away in a filing cabinet in my office just in case I need to produce them some day.

Occasionally I need to carry some of these credentials so that they are immediately available for inspection; international travel and hiring a car are impossible without a passport and driving licence respectively. Knowing that I will need to present them I carry them with me, either on my person, or in my wallet.

The issuing process for each of my credentials had a number of common factors: I needed to engage with a third-party issuer, both parties understood the nature and reason for the transaction, on each occasion I needed to assert my identity to a standard acceptable to the other party, and finally I needed to back up that assertion with acceptable documentary proof.

During those, sometimes lengthy engagements, both parties trusted the physical modes of communication, whether they be phone calls, face to face meetings, snail mail, registered post for valuable items or simply the physical exchange of signed and witnessed documents.

None of these transactions could have happened as they did without a prevailing sense of TRUST between all parties. In the pre-computer era impersonation, fraud, forgery, false accounting, misrepresentation, disguise and scamming were all pretty hard to get away with without specialist skills, knowledge and native cunning. Besides these, the likelihood of capture and the threat of a custodial sentence deterred all but the most adventurous, or desperate.

These important physical credentials are a necessary, and in some cases legal, manifestation of my identity; they do not alone amount to my identity as a person. They are perhaps best seen as tools to enable and support my interaction with the various authorities that make up the nation state.

Before computers, issuing authorities had a clear, settled and documented step-by-step manual process for dealing with applications, employing the right number of people to make the process work but there was little or no sense of urgency.

The advent of computerisation brought opportunities to cut costs and improve the services delivered but the automation of ‘something I have’ has not been without difficulties. Early attempts to computerise the credential issuing business led to incompatible systems running bespoke processes with first generation operating systems hosted on expensive mainframes provided by a handful of approved suppliers.

I would argue that it is only now, with the introduction of the Internet, Cloud computing, ubiquitous encryption and various cross-industry working groups, that the true benefits of a computerised ‘something I have’ can be realised.

Something I know …

With the rapid expansion of the Internet without an identity layer, web organisations were forced to authenticate users by the only means available to them at the time – username and password. This method of authentication is now the norm but it is a paradigm that has been completely undermined by our inability to manage these credentials securely in the real world. Don’t just take my word for it, look at the guidance produced by the UK’s National Cyber Crime Centre and the writings of Bruce Schneier on the subject.

To address the failings of username and password authentication we are now being forced down the route of multi-factor authentication. MFA comes under the category of ‘something I know’ because for a few seconds I need to know a one-time passcode sent to me by an out-of-band channel (usually SMS) before entering it into the browser. This deeply inconvenient and time-consuming authentication method treats only the symptoms of the identity-free Internet, not the causes of it.

There are other attributes of my identity that come under the heading of ‘something I know’. I know the dates that are important to me, my favourite teacher and I also know the answer to the ubiquitous mother’s maiden name question. The most significant problem with using these attributes to authenticate my digital identity is that it’s entirely possible that, with a little bit of research, a diligent social engineer may be able to discover all of this information and use it to impersonate me.

Something I am …

Should I die without identification on me and without my mobile phone the police have a number of biometric methods available to them to identify me – fingerprints, DNA and dental records are the most commonly used. In my case, I had my dabs taken when I joined the police service and have also recently had some very expensive dental treatment; these are clearly verified credentials that uniquely identify me.

The fundamental concept underpinning the Who.Me? experiment is the conclusion arrived at by Sariyar & Schlunder in their 2016 paper:

Identification of an individual (based on digital data) means to know a globally unique natural identifier (allowing a singling out), which can be a combination of attributes and to associate them with a set of attributes. Both together allow a singling out and the recognition of the individual. The genome and fingerprints are unique identifiers, and they can stand for the individual, but they are not sufficient to identify an individual without further reference information. In general, there is no fixed set of (reference) information that is always sufficient for identification.
(Sariyar M, Schlünder I. Reconsidering Anonymization-Related Concepts and the Term 'Identification' Against the Backdrop of the European Legal Framework. Biopreserv Biobank. 2016;14(5):367–374. doi:10.1089/bio.2015.0100)

The Who.Me? experiment will demonstrate whether it is possible for me, as a standard Internet user, to collect, collate and control my own personal data when using the Internet. As I plan to use my own unique natural identifiers to underpin my digital identity there are a number of key factors I need to take into account:
  • Information storage – How secure is the Personal Online Datastore (POD) in which I will store my biometric data? How will the POD integrate with my digital wallet so that these verified credentials can be made available securely?
  • Information exposure – What information is appended to the ledger and how do I ensure that my biometric data is not exposed?
  • Proportionality – What control do I have over my data being released, how can I ensure only the correct and appropriate information is disclosed?
  • Information format – What is the format of these biometric files and how can a limited and constrained amount of information be released?

Who’s setting the standards?

The World Wide Web Consortium is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards. Led by Web inventor and Director Tim Berners-Lee and CEO Jeffrey Jaffe, W3C’s mission is to lead the Web to its full potential.

The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. It is working to change the nature of authentication with open standards that are more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage.

Arising out of the UN’s Sustainable Development Goal (SDG 16.9) that recognises legal identity as a fundamental human right, the ID2020 Alliance is a global public-private partnership with a manifesto to improve lives and accelerate access to digital ID by underserved and vulnerable populations. It is a multi-stakeholder collaboration that advocates the adoption of ethically-grounded digital ID solutions, the definition of individual-centred functional requirements and funds projects to deploy promising solutions.

Formed in 2010, OIX is a technology agnostic, non-profit trade organisation of leaders from competing business sectors focused on building the volume and velocity of trusted transactions online. OIX’s mission is twofold: a) to be the leading industry body driving the digital identity industry; and b) to be a centre of excellence that aligns to open, interoperable standards across the UK and Europe. The organisation operates the OIXnet trust registry, a global, authoritative registry of business, legal and technical requirements needed to ensure market adoption and global interoperability.

Established 2016 as an independent non-profit organization the Sovrin Foundation administers the Sovrin Network, an open source, public service utility based on distributed ledger technology (blockchain) that enables self-sovereign identity on the internet. Charged with administering the publicly created Governance Framework for the Sovrin Network, the Foundation is responsible for ensuring the Sovrin identity system is public and globally accessible and is committed to transparency and neutrality.

Created in March 2019 by the Sovrin Foundation, the Sovrin Alliance is a community of developers, enterprises, business and government leaders, NGOs, Sovrin Foundation staff, and volunteers that ensures the future of self-sovereign identity.

DIF is an engineering-driven organisation focused on developing the foundational elements necessary to establish an open ecosystem for decentralised identity and ensure interoperation between all participants. DIF Working Groups develop specifications and emerging standards for protocols, components, and data formats that inform development. Beyond specifications, DIF members develop open source reference implementations of the technical components and protocols they create and work to align industry participants to advance common interests.

Headquartered in Brussels, EEMA is a leading independent, not-for-profit European think tank whose topics include identification, authentication, privacy, risk management, cyber security, the Internet of Things, Artificial Intelligence and mobile applications. EEMA is a strong supporter of the European Electronic Identification, Authentication and Trust Services (eIDAS) and the Go.eIDAS initiative.

In May 2016 the UK Government’s Digital Service launched GOV.UK Verify, an identity assurance scheme intended to provide a single trusted login across all Government Digital Services, verifying the user’s identity in 15 minutes. Although take-up by UK citizens has not been as swift as originally projected there are currently almost 5 million people who have signed up to the service. Five Identity Providers (also called ‘certified companies’) are contracted to verify an individual’s identity by reference to existing government issued credentials e.g. driving licence and passport. The UK’s newly appointed Director of Digital Identity, Lisa Barrett, stated in a recent blog that “Digital identity is a vital issue not only for government transformation – as has often been our focus – but also for users who benefit from a safe, effective and functioning digital economy underpinned by strong digital identity solutions.”

NIST has produced a range of Special Publications (SP) on Digital Identity:

  • SP800-63-3 – Digital Identity Guidelines
  • SP800-63A – Enrolment and Identity Proofing
  • SP800-63B – Authentication and Lifecycle Management
  • SP800-63C – Federation and Assertions

SP800-63 contains a useful overarching diagram that describes the Digital Identity Model:

Figure: NIST Digital Identity Model

In October 2018 NIST produced an excellent Technology Overview document on Blockchain, concluding that the technology is still new and organisations should treat blockchain technology like they would any other technological solution at their disposal – use it only in appropriate situations.

Social Linked Data (Solid) is the technology that underpins a movement led by Sir Tim Berners-Lee to re-orient the web to its original vision of a collaborative/re-writeable/editable web. The removal of editing capability in original browsers spawned an effort to get the write functionality back; dubbed the ‘read-write web’ this effort led to Richard McManus’ seminal article published in 2003.

The issue with writing data, as Wikipedia and others have learned, is that there needs to be a degree of control over who can write what so a process of obtaining and using permissions is needed. To enable these permissions there needs to be a system for identity – a way of uniquely confirming that an individual is who they purport to be; hence Solid’s relevance to the subject of digital identity.

Solid also provides a Personal Online Datastore (POD) within which an individual’s personal data can be stored and managed, and from which it can be shared with approved partners.

OWI is a market intelligence and strategy firm focused on digital identity, trust, and the data economy. Through advisory services, events, and research, OWI helps a wide range of public and privately held companies, investors, and governments stay ahead of market trends, so they can build sustainable, forward-looking products and strategies. Since 2017 OWI has been the official host of the KNOW Identity Conference and KNOW Forums.

RAND Europe was commissioned by the British Standards Institution (BSI) in January 2017 to carry out a rapid scoping study to examine the potential role of standards in supporting Distributed Ledger Technologies (DLT)/Blockchain. The resulting report, entitled Distributed Ledger Technologies/Blockchain: Challenges, opportunities and the prospects for standards serves as an overview of the 6-week study and concludes that there is scope for standards to play a role in supporting the technology.

ISO has produced a terminology document for DLT as the first of a range of standards documents that are currently under development.

Hyperledger Indy provides tools, libraries, and reusable components for providing digital identities rooted on blockchains or other distributed ledgers so that they are interoperable across administrative domains, applications, and any other silo. Indy is interoperable with other blockchains or can be used standalone powering the decentralisation of identity.

Hyperledger Aries provides a shared, reusable, interoperable tool kit designed for initiatives and solutions focused on creating, transmitting and storing verifiable digital credentials. It is infrastructure for blockchain-rooted, peer-to-peer interactions. This project consumes the cryptographic support provided by Hyperledger Ursa, to provide secure secret management and decentralised key management functionality.

Now let’s define a few terms…

Claims
According to the Sovrin Foundation Glossary v3 a claim is an assertion about an Attribute of a Subject. Examples of a Claim include date of birth, height, government ID number, or postal address—all of which are possible Attributes of an Individual.
Credentials
A Credential is comprised of a set of Claims and is a digital assertion made by an Entity about itself or another Entity. Credentials are a subset of Identity Data and must be based on a Credential Definition. Examples of Credentials include college transcripts, driver licenses, health insurance cards, and building permits.
Credential – Agent
Once issued, a Credential is typically stored by an Agent.
Credential – Holder
The Entity holding the issued Credential.
Credential – Issuer
The Entity creating and issuing the Credential.
Credential – Relying Party
The Entity to whom a Credential is presented.
Credential – Subject
The Entity described by the Claims is called the Subject of the Credential.
Credential – Verifier
The Entity to whom a Credential is presented for verification.
De-centralized Key Management System (DKMS)
Public key infrastructure based on decentralized identifiers and identity records (for example, DID documents) containing verifiable public key descriptions.
Digital Identity
According to Wikipedia digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organisation, application, or device. ISO/IEC 24760-1 defines identity as “set of attributes related to an entity”.
Digital Wallet
A software module, and optionally an associated hardware module, for securely storing and accessing Private Keys, Link Secrets, other sensitive cryptographic key material, and other Private Data used by an Entity. A Wallet [Wallet Storage] is accessed by an Agent. In Sovrin infrastructure, Wallets [Wallet Storage] implement the emerging DKMS standards for interoperable decentralised cryptographic key management. Darrell O’Donnell’s 2019 paper entitled The Current and Future State of Digital Wallets provides a guide to help understand where the Digital Wallet market is and where it is heading for business and personal use.
Distributed Ledger Technology (DLT) or Blockchain
A distributed database in which the various nodes use a consensus protocol to maintain a shared ledger in which each transaction is cryptographically signed and chained to the previous transaction.
Personal (Online) Data Store (POD)
A personal data store, vault or data locker is a service that lets an individual store, manage and deploy their personal data in a highly secure and structured way. PODs are like secure USB sticks for the Web that can be accessed from anywhere. When others are given access to parts of the POD, they can react to the content, but the data owner decides which things can be accessed by applications and people. A Personal Data Store is NOT a Digital Wallet; it is more like a personal, domestic filing cabinet that stores personal data. Solid and Mydex are just two examples of personal data stores.
Self-sovereign Identity (SSI)
Lifetime portable identity for any person, organisation, or thing that does not depend on any centralised authority and cannot be taken away. Also describes the digital movement that recognises an individual should own and control their identity without the intervening administrative authorities. Christopher Allen’s excellent post from 2016 provides another useful overview of the subject.
Trust Framework
A generic term often used to describe a legally enforceable set of specifications, rules, and agreements that govern a multi-party system established for a common purpose, designed for conducting specific types of transactions among a community of participants, and bound by a common set of requirements.
Web of Trust
Phil Zimmermann originated the phrase “Web of Trust” in PGP 2.0 (1992); however, his ‘Web’ had a very limited meaning, focused on peer validation of public keys.
Verifiable Credentials
A digital attestation of one Identity Owner about another, also called Attestations or Claims.
WebID
A way to uniquely identify a person, company, organisation, or other agent using a URI, defined by the W3C WebID 1.0 specification.
WebID-TLS
Enables secure, efficient and maximally user-friendly authentication on the Web: a user authenticates to any site simply by choosing one of the certificates their browser proposes to them. These certificates can be created by any web site for its users.
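The DLT entry in the glossary above defines a ledger as transactions that are cryptographically signed and chained to the previous transaction, and the Who.Me? list asks what should be appended to such a ledger so that biometric data is never exposed. The Python below is an added example, not code from the Sovrin glossary, Hyperledger Indy or any other ledger project: it builds a small hash-chained ledger of signed transactions and walks it to detect tampering. It assumes a constructed NODE_KEY and uses HMAC-SHA256 as a stand-in for the asymmetric signature a real ledger node would apply; consensus between nodes is out of scope, and the payloads are constructed examples of the public metadata (a DID document’s verification key, a credential definition, a revocation registry state) that belongs on a ledger, as opposed to the biometric itself, which stays in the POD.

```python
"""Hash-chained ledger of signed transactions (added example, not project code).
NODE_KEY and the payloads are constructed placeholders; HMAC-SHA256 stands in
for the asymmetric signature a real ledger node would apply."""
import copy
import hashlib
import hmac
import json

NODE_KEY = b"constructed-node-key"   # placeholder: a real node holds a private signing key
GENESIS_HASH = "0" * 64              # prev_hash of the very first transaction


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, body: dict) -> str:
    """Stand-in signature over index + prev_hash + payload."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def append(ledger: list, key: bytes, payload: dict) -> dict:
    """Append a transaction signed by `key` and chained to the previous hash."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS_HASH
    tx = {"index": len(ledger), "prev_hash": prev_hash, "payload": payload}
    tx["sig"] = sign(key, tx)
    tx["hash"] = hashlib.sha256(canonical(tx)).hexdigest()   # hash covers the signature too
    ledger.append(tx)
    return tx


def verify(ledger: list, key: bytes):
    """Walk the chain; return (True, None) or (False, index of the first bad transaction)."""
    prev_hash = GENESIS_HASH
    for i, tx in enumerate(ledger):
        body = {k: tx[k] for k in ("index", "prev_hash", "payload")}
        if tx["index"] != i or tx["prev_hash"] != prev_hash:
            return False, i                                  # broken link to predecessor
        if not hmac.compare_digest(sign(key, body), tx["sig"]):
            return False, i                                  # header or payload altered
        if hashlib.sha256(canonical({**body, "sig": tx["sig"]})).hexdigest() != tx["hash"]:
            return False, i                                  # stored hash does not match content
        prev_hash = tx["hash"]
    return True, None


def build_demo_ledger() -> list:
    """Constructed sample: only public identity metadata goes on the ledger,
    never the subject's biometric or other private data."""
    ledger = []
    append(ledger, NODE_KEY, {"type": "did_document", "did": "did:example:issuer",
                              "verification_key": "<issuer public key placeholder>"})
    append(ledger, NODE_KEY, {"type": "credential_definition", "schema": "ProofOfAge",
                              "issuer": "did:example:issuer"})
    append(ledger, NODE_KEY, {"type": "revocation_registry", "issuer": "did:example:issuer",
                              "accumulator": "<registry state placeholder>"})
    return ledger


def tampered_copy(ledger: list, index: int = 1) -> list:
    """Simulate a node quietly editing one payload after the fact."""
    bad = copy.deepcopy(ledger)
    bad[index]["payload"]["issuer"] = "did:example:someone-else"
    return bad


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("intact ledger:", verify(ledger, NODE_KEY))                    # (True, None)
    print("tampered ledger:", verify(tampered_copy(ledger), NODE_KEY))   # (False, 1)
```

Because each hash covers the previous hash and the signature, an edit to one payload invalidates that transaction’s signature and every later link; recomputing the hashes does not help without the signing key, which is the property the glossary definition relies on.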

As a good primer on the subject I highly recommend Sovrin’s White Paper entitled “Sovrin: A Protocol and Token for Self-Sovereign Identity and Decentralised Trust”.

Background & Use Cases …

Just Imagine ...
The vast amount of Personal Data that is currently obtained, processed, stored, managed, retained and eventually deleted under our existing centralised model, in which personal data is inextricably linked to the application that uses it.
Just Imagine ...
The service improvements, the improved efficiencies, the reduction in fraud potential, the enhanced customer relationships, the cost savings, design improvements and reduction in compliance overhead that could be achieved by the widespread introduction of decentralised identities and the personal management of personal data.

In February 2019 TechUK issued a white paper entitled ‘The Case for Digital IDs’, which made a number of recommendations to the UK Government, the most important of which being:

the UK Government to facilitate the creation of a fully functioning digital identity ecosystem, which operates across public and private sectors

The white paper includes a list of potential Use Cases for Digital Identities and several of these are described in this post.

Recognising the importance of the subject in July 2019 the Department for Culture Media & Sport issued a Digital Identity: A Call for Evidence, confirming that

We are committed to enabling a digital identity system fit for the UK’s growing digital economy without the need for identity cards by working in partnership across government, the private and voluntary sectors, academia, and civil society.

Potential Use Cases

Digital birth certificates
How about issuing newborn babies with a Digital Identity as their very first verifiable credential; one that they could use throughout their life. Issuing at birth would be a great first step in safeguarding youngsters online, but issuing to school-age children would be a game-changer in restricting access to harmful content.
DBS or criminal record checks
Non-standardised application processes across the UK introduce inefficiency, are poor for labour mobility and require the processing of a considerable amount of personal data in multiple centres.
ID checks at bars, nightclubs & public places
Controlled access to identity verification data via a mobile device limits the exposure of personal data to that which is appropriate to meet the check being carried out e.g. club doorman verifying an individual as being 18+ or a police officer requiring a date of birth and current address.
Right to rent checks
A landlord or letting agent is legally obliged to see original acceptable documents, review prospective tenants face-to-face and make copies of documentation. This is expensive and inefficient for all parties, and carries significant data protection risks. From a consumer standpoint it would be preferable to be able to transfer reference checks to different landlords and letting agents.
Age verification for access to age restricted online content
Certification against PAS1296:2018 for online age checking provides a model for age verification for age-restricted goods and services.
Voter registration, polling and e-voting
Digital identity and one-to-one facial recognition software can be used as a means of citizen verification for voter registration, identification at polling stations, remote e-voting and polling.
Qualification screening checks
Verify that a huge range of regulated professionals, such as doctors, dentists, accountants, security consultants, architects etc., have the qualifications and specialisms that they purport to have.
Licensing checks
To work in the UK private security industry an individual must be licensed by the Security Industry Authority, a lengthy process that requires the sharing of copious amounts of personal data.
Proof of address for utility bills and banking
By providing a customer with an attribute stating that they have been a customer for a certain period of time a bank or utility company could dispense with existing slow, inconvenient and potentially fraudulent manual processes.

Personal Digital Identity, where to begin?

Let’s start with a good old-fashioned Problem Statement:

The problem of –
being required to share multiple items of personal information as a pre-condition to being granted access to resources on a website
Affects –
my ability to manage and maintain control over my personal information;
The impact of which is –
that I no longer know who has my information, what they are doing with it and how securely it is being maintained.
An ideal solution would be …
A system whereby my personal information is securely stored and decoupled from the application that uses it. This would enable me to take back control of my personal information by managing when and how third parties are able to view and use it.

Now, I’ve got that off my chest, let’s have a look at an important piece of background material on the subject.

In 2005 Kim Cameron, Architect of Identity at Microsoft, wrote ‘The Laws of Identity’, a blog post in which he produced a problem statement far more succinct than mine: “The Internet was built without a way to know who and what you are connecting to.”

Cameron argues that it’s hard to introduce an identity layer into the Internet because there is no agreement on what digital identity should be or how it should be run. This comes about because digital identity is related to context and each one of the billions of Internet users has many hundreds of reasons, or contexts, for using the Internet.

According to Cameron, the emergence of a single simplistic digital identity solution as a universal panacea is not realistic; what is needed is a unifying identity metasystem that can protect applications from the internal complexities of specific implementations and allow digital identity to become loosely coupled.

Cameron proposes 7 laws of identity:

  • User Control & Consent – technical identity systems must only reveal information identifying a user with the user’s consent.
  • Minimal disclosure for a constrained use – the solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.
  • Justifiable parties – digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
  • Directed identity – a universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
  • Pluralism of Operators & Technologies – a universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
  • Human integration – the universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
  • Consistent experience across contexts – the unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
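The doorman check in the use cases above (prove 18+ without handing over a date of birth), the proportionality and information-format questions in the Who.Me? list, and Cameron’s minimal-disclosure law all rest on the same mechanism: the holder presents only part of a signed credential and the verifier can still check the issuer’s signature. The Python below is an added example written for this page; it is not code from Sovrin, Aries, the W3C Verifiable Credentials work or the author’s experiment. It assumes a constructed ISSUER_KEY, ISSUER_DID, SAMPLE_CLAIMS and AS_OF date, and uses HMAC-SHA256 as a stand-in for the issuer’s DID-bound asymmetric signature (with a real signature the verifier would hold only the issuer’s public key, which is what the ledger publishes). Each claim is committed as a salted SHA-256 digest, the issuer signs only the sorted list of digests, and the holder reveals just the salt/value pairs the check needs.

```python
"""Selective disclosure of a verifiable credential: issuer, holder, verifier
(added example, not project code). ISSUER_KEY, ISSUER_DID, SAMPLE_CLAIMS and
AS_OF are constructed; HMAC-SHA256 stands in for the issuer's asymmetric signature."""
import hashlib
import hmac
import json
import secrets
from datetime import date

ISSUER_KEY = b"constructed-issuer-key"      # placeholder for the issuer's signing key
ISSUER_DID = "did:example:issuer"           # constructed issuer identifier
AS_OF = date(2020, 1, 1)                    # constructed issuance date for the predicate
AS_OF_EARLIER = date(2018, 6, 1)            # constructed date on which the subject is a minor

# Constructed subject data, as the issuer would hold it at issuance.
SAMPLE_CLAIMS = {"given_name": "Alex", "family_name": "Example",
                 "date_of_birth": "2001-03-15", "address": "1 Sample Street, Sampletown"}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so commitments and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def commit(salt: str, name: str, value) -> str:
    """Salted commitment to one claim; the salt stops a verifier brute-forcing low-entropy values."""
    return hashlib.sha256(b"|".join([salt.encode(), name.encode(), canonical(value)])).hexdigest()


def derive_predicates(claims: dict, as_of: date) -> dict:
    """Issuer side: add an 'over_18' claim derived from date_of_birth so the
    holder never needs to reveal the date itself (Cameron's minimal disclosure)."""
    dob = date.fromisoformat(claims["date_of_birth"])
    try:
        eighteenth = dob.replace(year=dob.year + 18)
    except ValueError:                       # born 29 February: birthday falls on 28 February
        eighteenth = dob.replace(year=dob.year + 18, day=28)
    return {**claims, "over_18": as_of >= eighteenth}


def issue(claims: dict, issuer_key: bytes = ISSUER_KEY):
    """Issuer: salt every claim and sign only the list of commitments.
    Returns (credential, disclosures); the disclosures stay with the holder."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    commitments = sorted(commit(salt, name, value) for name, (salt, value) in disclosures.items())
    credential = {"issuer": ISSUER_DID, "commitments": commitments}
    credential["sig"] = hmac.new(issuer_key, canonical(credential), hashlib.sha256).hexdigest()
    return credential, disclosures


def issue_sample(as_of: date = AS_OF):
    """Convenience: issue the constructed sample credential with its predicate."""
    return issue(derive_predicates(SAMPLE_CLAIMS, as_of))


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder: hand over the signed credential plus only the requested salt/value pairs."""
    return {"credential": credential, "revealed": {n: disclosures[n] for n in reveal}}


def verify(presentation: dict, issuer_key: bytes = ISSUER_KEY):
    """Verifier: check the issuer signature, then that every revealed claim
    recomputes to a signed commitment. Returns the accepted claims, or None."""
    cred = presentation["credential"]
    body = {"issuer": cred["issuer"], "commitments": cred["commitments"]}
    expected = hmac.new(issuer_key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None                                          # not signed by this issuer
    accepted = {}
    for name, (salt, value) in presentation["revealed"].items():
        if commit(salt, name, value) not in cred["commitments"]:
            return None                                      # revealed value was altered
        accepted[name] = value
    return accepted


def doorman_check(presentation: dict) -> bool:
    """Relying party that needs only 'over 18' and never sees the other claims."""
    claims = verify(presentation)
    return claims is not None and claims.get("over_18") is True


if __name__ == "__main__":
    cred, disc = issue_sample()
    at_the_door = present(cred, disc, ["over_18"])
    print("admitted:", doorman_check(at_the_door))                   # True
    print("claims seen by doorman:", list(at_the_door["revealed"]))  # ['over_18']
```

The verifier learns only the claims the holder chose to reveal; the remaining commitments are opaque salted digests, and any attempt to change a revealed value (or to present a credential signed by someone other than the expected issuer) fails verification.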