By James Flint
Data. Can’t live with it, can’t live without it. We all know that we’re not supposed to share our data with just anyone. But we also know that we have to share at least some of it to do almost anything related to modern life.
Rather than digging around in the recycling bin (real or virtual) for crucial documents every time we have to prove who we are, and then sending those documents off via insecure services (like email) that could risk them being copied along the way, what if we were able to store all that info in a digital locker to which we could grant others selective access as and when required? Then we’d keep the convenience of digital but drastically reduce the erosion of our privacy that using digital services involves.
This is the idea behind the personal data account (PDA) or “data pod”, and in the last few years several outfits have emerged with the aim of making the dream a reality. Frontrunners in the space include Solid, a protocol initiated by Sir Tim Berners-Lee of World Wide Web fame, which allows anyone to create and host a data pod much like they might create and host a website, and DataSwift, a hosted PDA network built on the idea that users have exclusive access to their own data microserver.
Once you’ve got a data pod you can, in theory, store whatever you want in there, as long as it’s in a digital format: bank statements, love letters, family photos. The general idea, though, is that you’re going to store data that you might want to share, as the protocols that underpin your pod are designed to allow you to grant other people selective and restricted access to various things within it. You could share your health records with your insurer, for example, or a scan of your passport with an airline, or utility bills and financial records with a bank to get a mortgage. And you could do all of this without exposing the data concerned to the vagaries of the open Internet.
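To make the “selective and restricted access” idea concrete, here is an added illustration in Python. It is not code from Solid, DataSwift or this article; the pod, grant and audit structures are hypothetical, and the owner, agent and resource identifiers are constructed sample values. What it shows is the pattern described above: the owner grants a named party access to specific items, for specific operations, for a limited time, and the pod denies everything else by default, records every decision, and lets the owner revoke a grant.

```python
"""Toy model of selective, restricted access to a personal data pod.

Added illustration, not Solid's or DataSwift's code: the Pod, Grant and audit
structures are hypothetical, chosen to show deny-by-default access with
per-resource, per-operation, time-limited, revocable grants.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    agent: str              # who is allowed (hypothetical URL-style identifier)
    resources: frozenset    # exact resource paths covered by this grant
    modes: frozenset        # allowed operations, e.g. {"read"}
    expires: datetime       # the grant is dead at and after this instant


@dataclass
class Pod:
    owner: str
    resources: dict = field(default_factory=dict)   # path -> stored content
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)       # every decision, allowed or denied

    def grant(self, agent, resources, modes, ttl, now):
        """Owner hands a named agent access to listed resources/modes until now + ttl."""
        g = Grant(agent, frozenset(resources), frozenset(modes), now + ttl)
        self.grants.append(g)
        return g

    def revoke(self, grant):
        """Withdraw a grant; later checks against it fail immediately."""
        self.grants = [g for g in self.grants if g is not grant]

    def authorize(self, agent, resource, mode, now):
        """Deny by default: the owner may do anything; anyone else needs a
        live grant naming this exact resource and this exact mode."""
        if agent == self.owner:
            decision = True
        else:
            decision = any(
                g.agent == agent and resource in g.resources
                and mode in g.modes and now < g.expires
                for g in self.grants
            )
        self.audit.append((now.isoformat(), agent, resource, mode, decision))
        return decision

    def read(self, agent, resource, now):
        """Serve a resource only after an explicit authorization decision."""
        if not self.authorize(agent, resource, "read", now):
            raise PermissionError(f"{agent} may not read {resource}")
        return self.resources[resource]


def demo():
    """Walk through the article's insurer scenario with constructed data."""
    now = datetime(2022, 1, 1, tzinfo=timezone.utc)
    pod = Pod(owner="https://pod.example.invalid/alice#me")        # constructed owner id
    pod.resources["/health/records.json"] = '{"conditions": []}'   # constructed sample data
    pod.resources["/passport/scan.jpg"] = b"\xff\xd8 constructed"  # constructed sample data
    insurer = "https://insurer.example.invalid/app#agent"          # constructed agent id

    g = pod.grant(insurer, ["/health/records.json"], ["read"], timedelta(days=30), now)
    results = {
        "insurer_health": pod.authorize(insurer, "/health/records.json", "read", now),
        "insurer_passport": pod.authorize(insurer, "/passport/scan.jpg", "read", now),  # never granted
        "insurer_write": pod.authorize(insurer, "/health/records.json", "write", now),  # mode not granted
        "insurer_expired": pod.authorize(insurer, "/health/records.json", "read",
                                         now + timedelta(days=31)),                    # past expiry
    }
    try:
        pod.read(insurer, "/passport/scan.jpg", now)
        results["denied_read_raised"] = False
    except PermissionError:
        results["denied_read_raised"] = True
    pod.revoke(g)
    results["insurer_revoked"] = pod.authorize(insurer, "/health/records.json", "read", now)
    results["owner_passport"] = pod.authorize(pod.owner, "/passport/scan.jpg", "write", now)
    return results, pod.audit


if __name__ == "__main__":
    outcome, log = demo()
    for k, v in outcome.items():
        print(f"{k}: {v}")
    print(f"{len(log)} access decisions recorded")
```

The point of the audit list is that a denied request is as much a record as an allowed one: a pod owner reviewing who asked for what, and when, is the practical form of the “say and control” the article argues for.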
While PDAs aim to offer services beyond simple digital identity verification, digital ID is at the heart of them and is arguably the core problem that they’re trying to solve. And there’s certainly a need for this: in the UK at least a generally accepted form of digital ID is still a long way from being a reality, even though the government has been working on it – and put hundreds of millions of pounds of funding into creating it – for the last couple of decades.
Why is this so hard to do? If we sit back in our philosophical armchair for a moment to ponder this, we soon realise that the problem is that identity is not a single thing, fixed and immutable forever, that can be serviced by a national identity number or card or profile, but a constantly evolving constellation of facts, behaviours and presumptions that morphs and changes over time. As human beings we’re constantly changing relationships, jobs, homes, countries, even genders. Any successful means of confirming digital identity needs to be able to accommodate this core fact of existence, while also accommodating the equally important but somewhat orthogonal fact that the multiple aspects of any identity complex will have degrees of sensitivity and privacy that are heavily dependent on the context in which they are to be (or not to be) viewed or revealed.
So it’s all a bit tricky. Despite (or maybe because of) all that government funding and effort there were, as of October last year, “191 different ways for people to set up a variety of accounts to access different services on GOV.UK, with 44 different sign-in methods,” according to a Cabinet Office report on the matter. The big ones are HMRC’s Government Gateway (used by millions to access tax information), the NHS app (which gained a great deal of traction during the pandemic), the Department for Work & Pensions’ Confirm Your Identity, the Government Digital Service’s (GDS) Identity and Attributes Exchange, Scotland’s Digital Identity Scotland project and the Home Office’s EU Settled Status scheme.
A ten-year attempt costing £220m to bring at least some of these under a single digital ID rubric called Gov.UK Verify has recently been abandoned as a failure, mainly because it was badly designed from the start. Verify was supposed to use a “trust network” of organisations including Barclays Bank, the Post Office, Experian and others to provide a mutually enforcing web of ID collateral, but rather than following successful examples in Sweden, Finland, Norway and Denmark the UK of course knew better and tried to do things a different way. Except that it didn’t know better and things didn’t work out.
Since then the Post Office has teamed up with digital ID verification company Yoti and come up with its own solution, while the Government is having another go at one login to rule them all, called – imaginatively enough – One Login. To prepare for this, last April (2021) it had another go at laying out a framework to enable digital ID interoperability between public sector bodies and industry (which is pretty much exactly what Verify was supposed to do).
Unfortunately, just as with Verify, no one much liked the new framework, largely because the new framework depends on a set of government standards called the Good Practice Guides (GPG), which – déjà-vu! – are the same standards that the now-defunct Verify was built on and which no one except Verify wants to use, because no one much likes them. Meaning the new framework isn’t that new at all.
Even the Information Commissioner’s Office (ICO) doesn’t like it: in an annex to a white paper on the subject published last year the ICO not-so-gently hinted that the Government should stop trying to reinvent the wheel and instead copy what the Nordic countries have done, because – look! – they now have successful digital identity systems that have been adopted by upwards of 70% of their populations.
And yet in September last year, the Government approved a budget of £400m over three years for One Login, along with a notice from Michael Gove to all departments suggesting that it will supersede all other digital identity formats and will be made mandatory for all departments.
As we noted above, PDA platforms are trying to solve the same kinds of issues that HM Government wants to solve. Can they succeed where it has (so far) failed and provide digital identity without compromising data privacy – which is ultimately the prize we’re all seeking?
The fact is that both approaches face much the same issues. These divide broadly into management processes and risks around governance and liability on the one hand, which governments are probably in a better position than private companies to solve, and solutions around inclusiveness and interoperability on the other, an area in which over the past few decades (in the digital realm, at least) private companies have proved more effective than public ones.
However, when it comes to digital identity the governance and liability pieces are so important, and the inclusiveness demands so absolute, that it would seem politically and economically unwise for a single private company to be tasked with them, even if it were in a position to make that happen.
For this reason alone hybrid approaches are the most likely to gain traction in this area. And that’s the reality that we are seeing play out. The Flemish government, for example, is currently making good progress by making the Solid protocol interoperable with its existing My Citizen Profile platform, itself built according to existing Web standards, so as to allow users to set up and deploy PDAs if they wish. Similarly, DataSwift’s infrastructure is being used to enable data sharing for a national weight loss programme in Malaysia and financial programmes in Brazil and Vietnam.
The Nordic approach preferred by the ICO was to begin with an ID system that was agreed and interoperable between the banks and broadly accepted by their customers before extending it into other commercial areas and, eventually, into government use. In this way the solution becomes familiar and even mundane to most of the population in a non-intrusive, relatively non-controversial manner before state use cases are added in.
By doing things this way the information sources and guarantors are heavily distributed among multiple trusted institutions as you go along, making the system more resilient and creating a community of stakeholders who have a vested interest in maintaining and using it, as well as in protecting it from abuse. In addition, extensibility and interoperability are built into the very DNA of the project, allowing it to adapt to new developments over time, which is surely crucial to the long-term success of any such system.
The future of digital identity, therefore, would seem to have less to do with single sources of truth – whether owned by governments, companies or individuals – and more to do with building successful and trusted networks for trusted and verifiable data sharing, while designing these networks so that they are intended to expand, evolve, and extend from the get-go. And, in theory at least, this is good news for data privacy.
As privacy professionals, and indeed as armchair philosophers, what we don’t want when it comes to digital identity is single, centralised, canonical sources of supposed truth that define us in ways we may not agree with and have little recourse to change while also remaining vulnerable to compromise and abuse at vast scale. What we do want are partial, corroborated, networked guarantees of identity that pass relevant information to relevant parties in relevant circumstances, are resistant to scalable attacks, and in which we – as data subjects – have at least some kind of say and control.